Support updat on CA and Certificate (#5906) (#4207)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/5906.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+privateca: support update on CertificateAuthority and Certificate 
+```

google-beta/resource_privateca_certificate.go

@@ -0,0 +1,160 @@
+package google
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityUpdate(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"pool_name":           BootstrapSharedCaPoolInLocation(t, "us-central1"),
+		"pool_location":       "us-central1",
+		"deletion_protection": false,
+		"random_suffix":       randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityStart(context),
+			},
+			{
+				ResourceName:            "google_privateca_certificate_authority.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+			},
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityEnd(context),
+			},
+			{
+				ResourceName:            "google_privateca_certificate_authority.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+			},
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityStart(context),
+			},
+			{
+				ResourceName:            "google_privateca_certificate_authority.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+			},
+		},
+	})
+}
+
+func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityStart(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_privateca_certificate_authority" "default" {
+	// This example assumes this pool already exists.
+	// Pools cannot be deleted in normal test circumstances, so we depend on static pools
+	pool = "%{pool_name}"
+	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
+	location = "%{pool_location}"
+	config {
+		subject_config {
+		subject {
+			organization = "HashiCorp"
+			common_name = "my-certificate-authority"
+		}
+		subject_alt_name {
+			dns_names = ["hashicorp.com"]
+		}
+		}
+		x509_config {
+		ca_options {
+			is_ca = true
+			max_issuer_path_length = 10
+		}
+		key_usage {
+			base_key_usage {
+			digital_signature = true
+			content_commitment = true
+			key_encipherment = false
+			data_encipherment = true
+			key_agreement = true
+			cert_sign = true
+			crl_sign = true
+			decipher_only = true
+			}
+			extended_key_usage {
+			server_auth = true
+			client_auth = false
+			email_protection = true
+			code_signing = true
+			time_stamping = true
+			}
+		}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+}
+`, context)
+}
+
+func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityEnd(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_privateca_certificate_authority" "default" {
+	// This example assumes this pool already exists.
+	// Pools cannot be deleted in normal test circumstances, so we depend on static pools
+	pool = "%{pool_name}"
+	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
+	location = "%{pool_location}"
+	config {
+		subject_config {
+		subject {
+			organization = "HashiCorp"
+			common_name = "my-certificate-authority"
+		}
+		subject_alt_name {
+			dns_names = ["hashicorp.com"]
+		}
+		}
+		x509_config {
+		ca_options {
+			is_ca = true
+			max_issuer_path_length = 10
+		}
+		key_usage {
+			base_key_usage {
+			digital_signature = true
+			content_commitment = true
+			key_encipherment = false
+			data_encipherment = true
+			key_agreement = true
+			cert_sign = true
+			crl_sign = true
+			decipher_only = true
+			}
+			extended_key_usage {
+			server_auth = true
+			client_auth = false
+			email_protection = true
+			code_signing = true
+			time_stamping = true
+			}
+		}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+	labels = {
+		foo = "bar"
+	}
+}
+`, context)
+}

google-beta/resource_privateca_certificate_authority.go

@@ -0,0 +1,210 @@
+package google
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccPrivatecaCertificate_privatecaCertificateUpdate(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"pool_name":           BootstrapSharedCaPoolInLocation(t, "us-central1"),
+		"pool_location":       "us-central1",
+		"deletion_protection": false,
+		"random_suffix":       randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckPrivatecaCertificateDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivatecaCertificate_privatecaCertificateStart(context),
+			},
+			{
+				ResourceName:            "google_privateca_certificate.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"pool", "name", "location", "certificate_authority"},
+			},
+			{
+				Config: testAccPrivatecaCertificate_privatecaCertificateEnd(context),
+			},
+			{
+				ResourceName:            "google_privateca_certificate.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"pool", "name", "location", "certificate_authority"},
+			},
+			{
+				Config: testAccPrivatecaCertificate_privatecaCertificateStart(context),
+			},
+			{
+				ResourceName:            "google_privateca_certificate.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"pool", "name", "location", "certificate_authority"},
+			},
+		},
+	})
+}
+
+func testAccPrivatecaCertificate_privatecaCertificateStart(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_privateca_certificate_authority" "default" {
+	// This example assumes this pool already exists.
+	// Pools cannot be deleted in normal test circumstances, so we depend on static pools
+	pool = "%{pool_name}"
+	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
+	location = "%{pool_location}"
+	config {
+		subject_config {
+			subject {
+				organization = "HashiCorp"
+				common_name = "my-certificate-authority"
+			}
+			subject_alt_name {
+				dns_names = ["hashicorp.com"]
+			}
+		}
+		x509_config {
+			ca_options {
+				is_ca = true
+				max_issuer_path_length = 10
+			}
+			key_usage {
+				base_key_usage {
+					cert_sign = true
+					crl_sign = true
+				}
+				extended_key_usage {}
+			}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+}
+
+resource "google_privateca_certificate" "default" {
+	pool = "%{pool_name}"
+	location = "%{pool_location}"
+	certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
+	lifetime = "860s"
+	name = "my-certificate-%{random_suffix}"
+	config {
+	  subject_config  {
+		subject {
+			common_name = "san1.example.com"
+			organization = "HashiCorp"
+		} 
+		subject_alt_name {
+		  email_addresses = ["[email protected]"]
+		}
+	  }
+	  x509_config {
+		ca_options {
+		  is_ca = false
+		}
+		key_usage {
+		  base_key_usage {
+			crl_sign = false
+			decipher_only = false
+		  }
+		  extended_key_usage {
+			server_auth = false
+		  }
+		}
+	  }
+	  public_key {
+		format = "PEM"
+		key = filebase64("test-fixtures/rsa_public.pem")
+	  }
+	}
+}
+`, context)
+}
+
+func testAccPrivatecaCertificate_privatecaCertificateEnd(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_privateca_certificate_authority" "default" {
+	// This example assumes this pool already exists.
+	// Pools cannot be deleted in normal test circumstances, so we depend on static pools
+	pool = "%{pool_name}"
+	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
+	location = "%{pool_location}"
+	config {
+		subject_config {
+			subject {
+				organization = "HashiCorp"
+				common_name = "my-certificate-authority"
+			}
+			subject_alt_name {
+				dns_names = ["hashicorp.com"]
+			}
+		}
+		x509_config {
+			ca_options {
+				is_ca = true
+				max_issuer_path_length = 10
+			}
+			key_usage {
+				base_key_usage {
+					cert_sign = true
+					crl_sign = true
+				}
+				extended_key_usage {}
+			}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+}
+
+resource "google_privateca_certificate" "default" {
+	pool = "%{pool_name}"
+	location = "%{pool_location}"
+	certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
+	lifetime = "860s"
+	name = "my-certificate-%{random_suffix}"
+	config {
+	  subject_config  {
+		subject {
+			common_name = "san1.example.com"
+			organization = "HashiCorp"
+		} 
+		subject_alt_name {
+		  email_addresses = ["[email protected]"]
+		}
+	  }
+	  x509_config {
+		ca_options {
+		  is_ca = false
+		}
+		key_usage {
+		  base_key_usage {
+			crl_sign = false
+			decipher_only = false
+		  }
+		  extended_key_usage {
+			server_auth = false
+		  }
+		}
+	  }
+	  public_key {
+		format = "PEM"
+		key = filebase64("test-fixtures/rsa_public.pem")
+	  }
+	}
+	labels = {
+		foo = "bar"
+	}
+}
+`, context)
+}

google-beta/resource_privateca_certificate_authority_test.go

@@ -968,6 +968,7 @@ This resource provides the following
 [Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
 
 - `create` - Default is 20 minutes.
+- `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.
 
 ## Import

google-beta/resource_privateca_certificate_test.go

@@ -596,6 +596,7 @@ This resource provides the following
 [Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
 
 - `create` - Default is 20 minutes.
+- `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.
 
 ## Import