Fix subordinate CA creation with max_issuer_path_legth = 0 (#5107) (#…

…9856) * fix max_issuer_path_legth = 0 issue * fix maxIssuerPathLength for pools too Signed-off-by: Modular Magician <[email protected]>
hashicorp · Aug 19, 2021 · 4f10f86 · 4f10f86
1 parent b3202d4
commit 4f10f86
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 4 deletions.
diff --git a/.changelog/5107.txt b/.changelog/5107.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+privateca: fixed the creation of subordinate `google_privateca_certificate_authority` with `max_issuer_path_length = 0`.
+```
diff --git a/google/resource_privateca_ca_pool.go b/google/resource_privateca_ca_pool.go
@@ -1408,7 +1408,7 @@ func expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptions(v interface{}, d
 	transformedMaxIssuerPathLength, err := expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 	if err != nil {
 		return nil, err
-	} else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+	} else {
 		transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 	}
 

diff --git a/google/resource_privateca_certificate_authority.go b/google/resource_privateca_certificate_authority.go
@@ -1318,7 +1318,7 @@ func expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptions(v interface{},
 	transformedMaxIssuerPathLength, err := expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 	if err != nil {
 		return nil, err
-	} else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+	} else {
 		transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 	}
 

diff --git a/google/resource_privateca_certificate_authority_generated_test.go b/google/resource_privateca_certificate_authority_generated_test.go
@@ -150,7 +150,8 @@ resource "google_privateca_certificate_authority" "default" {
     x509_config {
       ca_options {
         is_ca = true
-        max_issuer_path_length = 10
+        # Force the sub CA to only issue leaf certs
+        max_issuer_path_length = 0
       }
       key_usage {
         base_key_usage {

diff --git a/website/docs/r/privateca_certificate_authority.html.markdown b/website/docs/r/privateca_certificate_authority.html.markdown
@@ -117,7 +117,8 @@ resource "google_privateca_certificate_authority" "default" {
     x509_config {
       ca_options {
         is_ca = true
-        max_issuer_path_length = 10
+        # Force the sub CA to only issue leaf certs
+        max_issuer_path_length = 0
       }
       key_usage {
         base_key_usage {