diff --git a/.changelog/10354.txt b/.changelog/10354.txt deleted file mode 100644 index 5d058939296..00000000000 --- a/.changelog/10354.txt +++ /dev/null @@ -1,3 +0,0 @@ -```release-note:bug -privateca: fixed permission issues when activating a sub-CA in a different region -``` \ No newline at end of file diff --git a/google/services/privateca/privateca_ca_utils.go b/google/services/privateca/privateca_ca_utils.go index 4c031c081c3..2c15662b6a8 100644 --- a/google/services/privateca/privateca_ca_utils.go +++ b/google/services/privateca/privateca_ca_utils.go @@ -230,14 +230,12 @@ func activateSubCAWithFirstPartyIssuer(config *transport_tpg.Config, d *schema.R return fmt.Errorf("Error creating Certificate: %s", err) } signedCACert := res["pemCertificate"] - signerCertChain := res["pemCertificateChain"] // 4. activate sub CA with the signed CA cert. activateObj := make(map[string]interface{}) activateObj["pemCaCertificate"] = signedCACert activateObj["subordinateConfig"] = make(map[string]interface{}) - activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"] = make(map[string]interface{}) - activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"].(map[string]interface{})["pemCertificates"] = signerCertChain + activateObj["subordinateConfig"].(map[string]interface{})["certificateAuthority"] = issuer activateUrl, err := tpgresource.ReplaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}:activate") if err != nil { diff --git a/google/services/privateca/resource_privateca_certificate_authority.go b/google/services/privateca/resource_privateca_certificate_authority.go index 00800156895..00f4b52d83f 100644 --- a/google/services/privateca/resource_privateca_certificate_authority.go +++ b/google/services/privateca/resource_privateca_certificate_authority.go @@ -709,7 +709,6 @@ and usability purposes only. The resource name is in the format }, "pem_issuer_chain": { Type: schema.TypeList, - Computed: true, Optional: true, Description: `Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself.`, @@ -1539,7 +1538,7 @@ func flattenPrivatecaCertificateAuthoritySubordinateConfig(v interface{}, d *sch return []interface{}{transformed} } func flattenPrivatecaCertificateAuthoritySubordinateConfigCertificateAuthority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { - return d.Get("subordinate_config.0.certificate_authority") + return v } func flattenPrivatecaCertificateAuthoritySubordinateConfigPemIssuerChain(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { diff --git a/google/services/privateca/resource_privateca_certificate_authority_test.go b/google/services/privateca/resource_privateca_certificate_authority_test.go index de1bf797178..de90fa7a245 100644 --- a/google/services/privateca/resource_privateca_certificate_authority_test.go +++ b/google/services/privateca/resource_privateca_certificate_authority_test.go @@ -122,33 +122,6 @@ func TestAccPrivatecaCertificateAuthority_rootCaManageDesiredState(t *testing.T) }) } -func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssuerOnCreation(t *testing.T) { - t.Parallel() - acctest.SkipIfVcr(t) - - random_suffix := acctest.RandString(t, 10) - context := map[string]interface{}{ - "root_location": "us-central1", - "sub_location": "australia-southeast1", - "random_suffix": random_suffix, - } - - resourceName := "google_privateca_certificate_authority.sub-1" - acctest.VcrTest(t, resource.TestCase{ - PreCheck: func() { acctest.AccTestPreCheck(t) }, - ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), - CheckDestroy: testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t), - Steps: []resource.TestStep{ - { - Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr(resourceName, "state", "ENABLED"), - ), - }, - }, - }) -} - func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicRoot(context map[string]interface{}) string { return acctest.Nprintf(` resource "google_privateca_certificate_authority" "default" { @@ -314,139 +287,3 @@ resource "google_privateca_certificate_authority" "default" { } `, context) } - -// testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer provides a config -// which contains -// * A CaPool for root CA -// * A root CA -// * A CaPool for sub CA -// * A subordinate CA which should be activated by the above root CA -func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context map[string]interface{}) string { - return acctest.Nprintf(` -resource "google_privateca_ca_pool" "root-pool" { - name = "root-pool-%{random_suffix}" - location = "%{root_location}" - tier = "ENTERPRISE" - publishing_options { - publish_ca_cert = true - publish_crl = true - } -} - -resource "google_privateca_certificate_authority" "root-1" { - pool = google_privateca_ca_pool.root-pool.name - certificate_authority_id = "tf-test-my-certificate-authority-root-%{random_suffix}" - location = "%{root_location}" - config { - subject_config { - subject { - organization = "HashiCorp" - common_name = "my-certificate-authority" - } - subject_alt_name { - dns_names = ["hashicorp.com"] - } - } - x509_config { - ca_options { - is_ca = true - max_issuer_path_length = 10 - } - key_usage { - base_key_usage { - digital_signature = true - content_commitment = true - key_encipherment = false - data_encipherment = true - key_agreement = true - cert_sign = true - crl_sign = true - decipher_only = true - } - extended_key_usage { - server_auth = true - client_auth = false - email_protection = true - code_signing = true - time_stamping = true - } - } - } - } - lifetime = "86400s" - key_spec { - algorithm = "RSA_PKCS1_4096_SHA256" - } - - // Disable CA deletion related safe checks for easier cleanup. - deletion_protection = false - skip_grace_period = true - ignore_active_certificates_on_deletion = true -} - -resource "google_privateca_ca_pool" "sub-pool" { - name = "sub-pool-%{random_suffix}" - location = "%{sub_location}" - tier = "ENTERPRISE" - publishing_options { - publish_ca_cert = true - publish_crl = true - } -} - -resource "google_privateca_certificate_authority" "sub-1" { - pool = google_privateca_ca_pool.sub-pool.name - certificate_authority_id = "tf-test-my-certificate-authority-sub-%{random_suffix}" - location = "%{sub_location}" - subordinate_config { - certificate_authority = google_privateca_certificate_authority.root-1.name - } - config { - subject_config { - subject { - organization = "HashiCorp" - common_name = "my-certificate-authority" - } - subject_alt_name { - dns_names = ["hashicorp.com"] - } - } - x509_config { - ca_options { - is_ca = true - max_issuer_path_length = 10 - } - key_usage { - base_key_usage { - digital_signature = true - content_commitment = true - key_encipherment = false - data_encipherment = true - key_agreement = true - cert_sign = true - crl_sign = true - decipher_only = true - } - extended_key_usage { - server_auth = true - client_auth = false - email_protection = true - code_signing = true - time_stamping = true - } - } - } - } - lifetime = "86400s" - key_spec { - algorithm = "RSA_PKCS1_4096_SHA256" - } - type = "SUBORDINATE" - - // Disable CA deletion related safe checks for easier cleanup. - deletion_protection = false - skip_grace_period = true - ignore_active_certificates_on_deletion = true -} -`, context) -}