@@ -2867,6 +2867,122 @@ func TestAccSqlDatabaseInstance_useCasBasedServerCa(t *testing.T) {
2867
2867
})
2868
2868
}
2869
2869
2870
+ func TestAccSqlDatabaseInstance_useCustomerManagedServerCa (t * testing.T ) {
2871
+ t .Parallel ()
2872
+
2873
+ resourceName := "google_sql_database_instance.instance"
2874
+
2875
+ context := map [string ]interface {}{
2876
+ "projectID" : envvar .GetTestProjectFromEnv (),
2877
+ "databaseName" : "tf-test-" + acctest .RandString (t , 10 ),
2878
+ "casRandomSuffix" : acctest .RandString (t , 10 ),
2879
+ }
2880
+
2881
+ acctest .VcrTest (t , resource.TestCase {
2882
+ PreCheck : func () { acctest .AccTestPreCheck (t ) },
2883
+ ProtoV5ProviderFactories : acctest .ProtoV5ProviderFactories (t ),
2884
+ CheckDestroy : testAccSqlDatabaseInstanceDestroyProducer (t ),
2885
+
2886
+ Steps : []resource.TestStep {
2887
+ {
2888
+ Config : testGoogleSqlDatabaseInstance_setCustomerManagedServerCa (context ),
2889
+ Check : resource .ComposeTestCheckFunc (
2890
+ resource .TestCheckResourceAttr (resourceName , "settings.0.ip_configuration.0.server_ca_mode" , "CUSTOMER_MANAGED_CAS_CA" ),
2891
+ ),
2892
+ },
2893
+ {
2894
+ ResourceName : resourceName ,
2895
+ ImportState : true ,
2896
+ ImportStateVerify : true ,
2897
+ ImportStateVerifyIgnore : []string {"deletion_protection" },
2898
+ },
2899
+ },
2900
+ })
2901
+ }
2902
+
2903
+ func testGoogleSqlDatabaseInstance_setCustomerManagedServerCa (context map [string ]interface {}) string {
2904
+ return acctest .Nprintf (`
2905
+ data "google_project" "project" {
2906
+ project_id = "%{projectID}"
2907
+ }
2908
+
2909
+ resource "google_privateca_ca_pool" "customer_ca_pool" {
2910
+ name = "tf-test-cap-%{casRandomSuffix}"
2911
+ location = "us-central1"
2912
+ tier = "DEVOPS"
2913
+
2914
+ publishing_options {
2915
+ publish_ca_cert = false
2916
+ publish_crl = false
2917
+ }
2918
+ }
2919
+
2920
+ resource "google_privateca_certificate_authority" "customer_ca" {
2921
+ pool = google_privateca_ca_pool.customer_ca_pool.name
2922
+ certificate_authority_id = "tf-test-ca-%{casRandomSuffix}"
2923
+ location = "us-central1"
2924
+ lifetime = "86400s"
2925
+ type = "SELF_SIGNED"
2926
+ deletion_protection = false
2927
+ skip_grace_period = true
2928
+ ignore_active_certificates_on_deletion = true
2929
+
2930
+ config {
2931
+ subject_config {
2932
+ subject {
2933
+ organization = "Test LLC"
2934
+ common_name = "my-ca"
2935
+ }
2936
+ }
2937
+ x509_config {
2938
+ ca_options {
2939
+ is_ca = true
2940
+ }
2941
+ key_usage {
2942
+ base_key_usage {
2943
+ cert_sign = true
2944
+ crl_sign = true
2945
+ }
2946
+ extended_key_usage {
2947
+ server_auth = false
2948
+ }
2949
+ }
2950
+ }
2951
+ }
2952
+
2953
+ key_spec {
2954
+ algorithm = "RSA_PKCS1_4096_SHA256"
2955
+ }
2956
+ }
2957
+
2958
+ resource "google_privateca_ca_pool_iam_member" "granting" {
2959
+ ca_pool = google_privateca_ca_pool.customer_ca_pool.id
2960
+ role = "roles/privateca.certificateRequester"
2961
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"
2962
+ }
2963
+
2964
+ resource "google_sql_database_instance" "instance" {
2965
+ name = "%{databaseName}"
2966
+ region = "us-central1"
2967
+ database_version = "POSTGRES_15"
2968
+ deletion_protection = false
2969
+ settings {
2970
+ tier = "db-f1-micro"
2971
+ ip_configuration {
2972
+ ipv4_enabled = "true"
2973
+ server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"
2974
+ server_ca_pool = google_privateca_ca_pool.customer_ca_pool.id
2975
+ }
2976
+ }
2977
+
2978
+ depends_on = [
2979
+ google_privateca_certificate_authority.customer_ca,
2980
+ google_privateca_ca_pool_iam_member.granting
2981
+ ]
2982
+ }
2983
+ ` , context )
2984
+ }
2985
+
2870
2986
func testGoogleSqlDatabaseInstance_setCasServerCa (databaseName , serverCaMode string ) string {
2871
2987
return fmt .Sprintf (`
2872
2988
resource "google_sql_database_instance" "instance" {
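Review bot: The Check in the first step of TestAccSqlDatabaseInstance_useCustomerManagedServerCa asserts only `server_ca_mode`, so a provider that accepts the config but drops or mis-maps the new `server_ca_pool` field would still pass; add `resource.TestCheckResourceAttrPair(resourceName, "settings.0.ip_configuration.0.server_ca_pool", "google_privateca_ca_pool.customer_ca_pool", "id"),` next to the existing TestCheckResourceAttr so the pool reference is pinned on create and then round-tripped by the ImportStateVerify step. The `depends_on` list in the fixture is doing real work — the instance must not be created before the service agent's certificateRequester grant on the pool exists — but nothing says so; a one-line HCL comment above it such as `# the instance requests its server cert from the pool at creation, so the IAM grant must already be in place` would spare the next reader the guess. Minor: `ipv4_enabled = "true"` is a quoted string for what is presumably a boolean attribute; `ipv4_enabled = true` keeps the fixture typed consistently.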