Private CA - Differentiate unset and default values for is_ca/max_issuer_path_length in Certificate Templates (#14070) (#22981)

[upstream:894dcc3caac54d3cffcc9192ee06bce929409db2]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14070.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+privateca: added support for setting default values for basic constraints for `google_privateca_certificate_template` via the `null_ca` and `zero_max_issuer_path_length` fields. also added `name_constraints` field for `google_privateca_certificate_template`.
+```

google/services/privateca/privateca_utils.go

@@ -24,8 +24,12 @@ import (
 	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
 )
 
-// This file contains shared flatteners between PrivateCA Certificate, CaPool and CertificateAuthority.
-// These resources share the x509Config (Certificate, CertificateAuthorty)/baselineValues (CaPool) object.
+// This file contains shared flatteners between PrivateCA Certificate, CaPool, CertificateTemplate and
+// CertificateAuthority. These resources share the x509Config (Certificate, CertificateAuthority)/
+// baselineValues (CaPool) object. CertificateTemplate contains the predefinedValues object, which is slightly
+// different from the other two, and so requires its own functions to process. These functions are also contained
+// in this file.
+//
 // The API does not return this object if it only contains booleans with the default (false) value. This
 // causes problems if a user specifies only default values, as Terraform detects that the object has been
 // deleted on the API-side. This flattener creates default objects for sub-objects that match this pattern
@@ -80,6 +84,50 @@ func expandPrivatecaCertificateConfigX509ConfigCaOptions(v interface{}, d tpgres
 	return transformed, nil
 }
 
+func expandPrivatecaCertificateTemplateConfigX509ConfigCaOptions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	// Similar to expandPrivatecaCertificateConfigX509ConfigCaOptions, but only for use in
+	// Certificate Templates, which use a null_ca field instead of the non_ca field.
+	// Fields null_ca, zero_max_issuer_path_length are used to distinguish between
+	// unset booleans and booleans set with a default value.
+	// Unset is_ca or unset max_issuer_path_length either allow any values for these fields when
+	// used in an issuance policy, or allow the API to use default values when used in a
+	// certificate config. A default value of is_ca=false means that issued certificates cannot
+	// be CA certificates. A default value of max_issuer_path_length=0 means that the CA cannot
+	// issue CA certificates.
+	if v == nil {
+		return nil, nil
+	}
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+
+	nullCa := original["null_ca"].(bool)
+	isCa := original["is_ca"].(bool)
+
+	zeroPathLength := original["zero_max_issuer_path_length"].(bool)
+	maxIssuerPathLength := original["max_issuer_path_length"].(int)
+
+	transformed := make(map[string]interface{})
+
+	if nullCa && isCa {
+		return nil, fmt.Errorf("null_ca, is_ca can not be set to true at the same time.")
+	}
+	if zeroPathLength && maxIssuerPathLength > 0 {
+		return nil, fmt.Errorf("zero_max_issuer_path_length can not be set to true while max_issuer_path_length being set to a positive integer.")
+	}
+
+	if !nullCa {
+		transformed["isCa"] = original["is_ca"]
+	}
+	if maxIssuerPathLength > 0 || zeroPathLength {
+		transformed["maxIssuerPathLength"] = original["max_issuer_path_length"]
+	}
+	return transformed, nil
+}
+
 func expandPrivatecaCertificateConfigX509ConfigKeyUsage(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	if v == nil {
 		return v, nil
@@ -377,6 +425,33 @@ func flattenPrivatecaCertificateConfigX509ConfigCaOptions(v interface{}, d *sche
 
 	return []interface{}{transformed}
 }
+
+func flattenPrivatecaCertificateTemplateConfigX509ConfigCaOptions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	// Special case here as the CaPool API returns an empty object rather than nil unlike the Certificate
+	// and CertificateAuthority APIs.
+	if v == nil || len(v.(map[string]interface{})) == 0 {
+		v = make(map[string]interface{})
+	}
+	original := v.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	val, exists := original["isCa"]
+	transformed["is_ca"] =
+		flattenPrivatecaCertificateConfigX509ConfigCaOptionsIsCa(val, d, config)
+	if !exists {
+		transformed["null_ca"] = true
+	}
+
+	val, exists = original["maxIssuerPathLength"]
+	transformed["max_issuer_path_length"] =
+		flattenPrivatecaCertificateConfigX509ConfigCaOptionsMaxIssuerPathLength(val, d, config)
+	if exists && int(val.(float64)) == 0 {
+		transformed["zero_max_issuer_path_length"] = true
+	}
+
+	return []interface{}{transformed}
+}
+
 func flattenPrivatecaCertificateConfigX509ConfigCaOptionsIsCa(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }