docs: update code sample to use a sub-CA to issue leaf certificates (terraform-google-modules#819)

gfxcc · niharika-98 · commit 2f8bad29e756 · 2025-09-07T14:29:47.000Z
diff --git a/privateca/quickstart/main.tf b/privateca/quickstart/main.tf
@@ -23,30 +23,66 @@ resource "google_project_service" "privateca_api" {
   disable_on_destroy = false
 }
 
-resource "tls_private_key" "example" {
-  algorithm = "RSA"
-}
+# Root CaPool & CA
 
-resource "tls_cert_request" "example" {
-  private_key_pem = tls_private_key.example.private_key_pem
+resource "google_privateca_ca_pool" "root" {
+  name     = "root-pool"
+  location = "us-central1"
+  tier     = "ENTERPRISE"
+  publishing_options {
+    publish_ca_cert = true
+    publish_crl     = true
+  }
+}
 
-  subject {
-    common_name  = "example.com"
-    organization = "ACME Examples, Inc"
+resource "google_privateca_certificate_authority" "root-ca" {
+  certificate_authority_id = "my-root-ca"
+  location                 = "us-central1"
+  pool                     = google_privateca_ca_pool.root.name
+  config {
+    subject_config {
+      subject {
+        organization = "google"
+        common_name  = "my-certificate-authority"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign  = true
+        }
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+  type = "SELF_SIGNED"
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
   }
+
+  // Disable CA deletion related safe checks for easier cleanup.
+  deletion_protection                    = false
+  skip_grace_period                      = true
+  ignore_active_certificates_on_deletion = true
 }
 
-resource "google_privateca_ca_pool" "default" {
-  name     = "my-ca-pool"
+# Sub CaPool & CA
+
+resource "google_privateca_ca_pool" "subordinate" {
+  name     = "sub-pool"
   location = "us-central1"
   tier     = "ENTERPRISE"
   publishing_options {
     publish_ca_cert = true
     publish_crl     = true
   }
-  labels = {
-    foo = "bar"
-  }
+
   issuance_policy {
     baseline_values {
       ca_options {
@@ -65,26 +101,28 @@ resource "google_privateca_ca_pool" "default" {
   }
 }
 
-resource "google_privateca_certificate_authority" "test_ca" {
-  certificate_authority_id = "my-authority"
+resource "google_privateca_certificate_authority" "sub-ca" {
+  pool                     = google_privateca_ca_pool.subordinate.name
+  certificate_authority_id = "my-sub-ca"
   location                 = "us-central1"
-  pool                     = google_privateca_ca_pool.default.name
+  subordinate_config {
+    certificate_authority = google_privateca_certificate_authority.root-ca.name
+  }
   config {
     subject_config {
       subject {
-        country_code        = "us"
-        organization        = "google"
-        organizational_unit = "enterprise"
-        locality            = "mountain view"
-        province            = "california"
-        street_address      = "1600 amphitheatre parkway"
-        postal_code         = "94109"
-        common_name         = "my-certificate-authority"
+        organization = "HashiCorp"
+        common_name  = "my-subordinate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
       }
     }
     x509_config {
       ca_options {
         is_ca = true
+        # Force the sub CA to only issue leaf certs
+        max_issuer_path_length = 0
       }
       key_usage {
         base_key_usage {
@@ -97,20 +135,37 @@ resource "google_privateca_certificate_authority" "test_ca" {
       }
     }
   }
-  type = "SELF_SIGNED"
+  lifetime = "31536000s"
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
+  type = "SUBORDINATE"
 
   // Disable CA deletion related safe checks for easier cleanup.
   deletion_protection                    = false
   skip_grace_period                      = true
   ignore_active_certificates_on_deletion = true
 }
 
+# Leaf cert
+
+resource "tls_private_key" "example" {
+  algorithm = "RSA"
+}
+
+resource "tls_cert_request" "example" {
+  private_key_pem = tls_private_key.example.private_key_pem
+
+  subject {
+    common_name  = "example.com"
+    organization = "ACME Examples, Inc"
+  }
+}
+
 resource "google_privateca_certificate" "default" {
-  pool                  = google_privateca_ca_pool.default.name
-  certificate_authority = google_privateca_certificate_authority.test_ca.certificate_authority_id
+  pool = google_privateca_ca_pool.subordinate.name
+  # Explicitly refer the sub-CA so that the certificate creation will wait for the CA creation.
+  certificate_authority = google_privateca_certificate_authority.sub-ca.certificate_authority_id
   location              = "us-central1"
   lifetime              = "860s"
   name                  = "my-certificate"
