Fix subordinate CA creation with max_issuer_path_legth = 0 (#5107) (#3540)

modular-magician · web-flow · commit 66c44fbdd6ac · 2021-08-18T19:13:05.000-05:00
* fix max_issuer_path_legth = 0 issue

* fix maxIssuerPathLength for pools too

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/5107.txt b/.changelog/5107.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+privateca: fixed the creation of subordinate `google_privateca_certificate_authority` with `max_issuer_path_length = 0`.
+```
diff --git a/google-beta/resource_dataproc_cluster_test.go b/google-beta/resource_dataproc_cluster_test.go
@@ -13,9 +13,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 
-	"google.golang.org/api/googleapi"
-
 	dataproc "google.golang.org/api/dataproc/v1beta2"
+	"google.golang.org/api/googleapi"
 )
 
 func TestDataprocExtractInitTimeout(t *testing.T) {
diff --git a/google-beta/resource_privateca_ca_pool.go b/google-beta/resource_privateca_ca_pool.go
@@ -1408,7 +1408,7 @@ func expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptions(v interface{}, d
 	transformedMaxIssuerPathLength, err := expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 	if err != nil {
 		return nil, err
-	} else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+	} else {
 		transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 	}
 
diff --git a/google-beta/resource_privateca_certificate_authority.go b/google-beta/resource_privateca_certificate_authority.go
@@ -1318,7 +1318,7 @@ func expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptions(v interface{},
 	transformedMaxIssuerPathLength, err := expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 	if err != nil {
 		return nil, err
-	} else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+	} else {
 		transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 	}
 
diff --git a/google-beta/resource_privateca_certificate_authority_generated_test.go b/google-beta/resource_privateca_certificate_authority_generated_test.go
@@ -150,7 +150,8 @@ resource "google_privateca_certificate_authority" "default" {
     x509_config {
       ca_options {
         is_ca = true
-        max_issuer_path_length = 10
+        # Force the sub CA to only issue leaf certs
+        max_issuer_path_length = 0
       }
       key_usage {
         base_key_usage {
diff --git a/website/docs/r/privateca_certificate_authority.html.markdown b/website/docs/r/privateca_certificate_authority.html.markdown
@@ -117,7 +117,8 @@ resource "google_privateca_certificate_authority" "default" {
     x509_config {
       ca_options {
         is_ca = true
-        max_issuer_path_length = 10
+        # Force the sub CA to only issue leaf certs
+        max_issuer_path_length = 0
       }
       key_usage {
         base_key_usage {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	+privateca: fixed the creation of subordinate `google_privateca_certificate_authority` with `max_issuer_path_length = 0`.
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,8 @@ import (`
`13`	`13`	`"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"`
`14`	`14`	`"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"`
`15`	`15`
`16`		`- "google.golang.org/api/googleapi"`
`17`		`-`
`18`	`16`	`dataproc "google.golang.org/api/dataproc/v1beta2"`
	`17`	`+ "google.golang.org/api/googleapi"`
`19`	`18`	`)`
`20`	`19`
`21`	`20`	`func TestDataprocExtractInitTimeout(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -1408,7 +1408,7 @@ func expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptions(v interface{}, d`
`1408`	`1408`	`transformedMaxIssuerPathLength, err := expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)`
`1409`	`1409`	`if err != nil {`
`1410`	`1410`	`return nil, err`
`1411`		`- } else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {`
	`1411`	`+ } else {`
`1412`	`1412`	`transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength`
`1413`	`1413`	`}`
`1414`	`1414`
Original file line number	Diff line number	Diff line change
`@@ -1318,7 +1318,7 @@ func expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptions(v interface{},`
`1318`	`1318`	`transformedMaxIssuerPathLength, err := expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)`
`1319`	`1319`	`if err != nil {`
`1320`	`1320`	`return nil, err`
`1321`		`- } else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {`
	`1321`	`+ } else {`
`1322`	`1322`	`transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength`
`1323`	`1323`	`}`
`1324`	`1324`