feat(cloud_sql): improve the samples for customer-managed CAS CA instances.

feng-zhe · feng-zhe · commit 50c65d72f314 · 2025-04-15T15:16:15.000-07:00
diff --git a/cloud_sql/mysql_instance_customer_managed_cas_ca/main.tf b/cloud_sql/mysql_instance_customer_managed_cas_ca/main.tf
@@ -13,6 +13,71 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+# [START cloud_sql_instance_service_identity]
+resource "google_project_service_identity" "gcp_sa_cloud_sql" {
+  provider = google-beta
+  service  = "sqladmin.googleapis.com"
+}
+# [END cloud_sql_instance_service_identity]
+
+# [START cloud_sql_mysql_instance_ca_pool]
+resource "google_privateca_ca_pool" "customer_ca_pool" {
+  name     = "tf-test-cap"
+  location = "asia-northeast1"
+  tier     = "DEVOPS"
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl     = false
+  }
+}
+# [END cloud_sql_mysql_instance_ca_pool]
+
+# [START cloud_sql_mysql_instance_ca]
+resource "google_privateca_certificate_authority" "customer_ca" {
+  pool                                   = google_privateca_ca_pool.customer_ca_pool.name
+  certificate_authority_id               = "tf-test-ca"
+  location                               = "asia-northeast1"
+  lifetime                               = "86400s"
+  type                                   = "SELF_SIGNED"
+  deletion_protection                    = false
+  skip_grace_period                      = true
+  ignore_active_certificates_on_deletion = true
+  config {
+    subject_config {
+      subject {
+        organization = "Test LLC"
+        common_name  = "my-ca"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign  = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+# [END cloud_sql_mysql_instance_ca]
+
+# [START cloud_sql_mysql_instance_iam_granting]
+resource "google_privateca_ca_pool_iam_member" "granting" {
+  ca_pool = google_privateca_ca_pool.customer_ca_pool.id
+  role    = "roles/privateca.certificateRequester"
+
+  member = "serviceAccount:${google_project_service_identity.gcp_sa_cloud_sql.email}"
+}
+# [END cloud_sql_mysql_instance_iam_granting]
 
 # [START cloud_sql_mysql_instance_customer_managed_cas_ca]
 resource "google_sql_database_instance" "mysql_instance" {
@@ -26,7 +91,7 @@ resource "google_sql_database_instance" "mysql_instance" {
       # https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances#ipconfiguration
       server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"
       # This is the name of the customer-owned CAS CA pool.
-      server_ca_pool = "projects/my-project/locations/asia-northeast1/caPools/my-pool"
+      server_ca_pool = google_privateca_ca_pool.customer_ca_pool.id
     }
   }
   # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
diff --git a/cloud_sql/postgres_instance_customer_managed_cas_ca/main.tf b/cloud_sql/postgres_instance_customer_managed_cas_ca/main.tf
@@ -13,6 +13,71 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+# [START cloud_sql_instance_service_identity]
+resource "google_project_service_identity" "gcp_sa_cloud_sql" {
+  provider = google-beta
+  service  = "sqladmin.googleapis.com"
+}
+# [END cloud_sql_instance_service_identity]
+
+# [START cloud_sql_postgres_instance_ca_pool]
+resource "google_privateca_ca_pool" "customer_ca_pool" {
+  name     = "tf-test-cap"
+  location = "asia-northeast1"
+  tier     = "DEVOPS"
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl     = false
+  }
+}
+# [END cloud_sql_postgres_instance_ca_pool]
+
+# [START cloud_sql_postgres_instance_ca]
+resource "google_privateca_certificate_authority" "customer_ca" {
+  pool                                   = google_privateca_ca_pool.customer_ca_pool.name
+  certificate_authority_id               = "tf-test-ca"
+  location                               = "asia-northeast1"
+  lifetime                               = "86400s"
+  type                                   = "SELF_SIGNED"
+  deletion_protection                    = false
+  skip_grace_period                      = true
+  ignore_active_certificates_on_deletion = true
+  config {
+    subject_config {
+      subject {
+        organization = "Test LLC"
+        common_name  = "my-ca"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign  = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+# [END cloud_sql_postgres_instance_ca]
+
+# [START cloud_sql_postgres_instance_iam_granting]
+resource "google_privateca_ca_pool_iam_member" "granting" {
+  ca_pool = google_privateca_ca_pool.customer_ca_pool.id
+  role    = "roles/privateca.certificateRequester"
+
+  member = "serviceAccount:${google_project_service_identity.gcp_sa_cloud_sql.email}"
+}
+# [END cloud_sql_postgres_instance_iam_granting]
 
 # [START cloud_sql_postgres_instance_google_managed_cas_ca]
 resource "google_sql_database_instance" "postgres_instance" {
@@ -26,7 +91,7 @@ resource "google_sql_database_instance" "postgres_instance" {
       # https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration
       server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"
       # This is the name of the customer-owned CAS CA pool.
-      server_ca_pool = "projects/my-project/locations/asia-northeast1/caPools/my-pool"
+      server_ca_pool = google_privateca_ca_pool.customer_ca_pool.id
     }
   }
   # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
diff --git a/cloud_sql/sqlserver_instance_customer_managed_cas_ca/main.tf b/cloud_sql/sqlserver_instance_customer_managed_cas_ca/main.tf
@@ -13,6 +13,71 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+# [START cloud_sql_instance_service_identity]
+resource "google_project_service_identity" "gcp_sa_cloud_sql" {
+  provider = google-beta
+  service  = "sqladmin.googleapis.com"
+}
+# [END cloud_sql_instance_service_identity]
+
+# [START cloud_sql_sqlserver_instance_ca_pool]
+resource "google_privateca_ca_pool" "customer_ca_pool" {
+  name     = "tf-test-cap"
+  location = "asia-northeast1"
+  tier     = "DEVOPS"
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl     = false
+  }
+}
+# [END cloud_sql_sqlserver_instance_ca_pool]
+
+# [START cloud_sql_sqlserver_instance_ca]
+resource "google_privateca_certificate_authority" "customer_ca" {
+  pool                                   = google_privateca_ca_pool.customer_ca_pool.name
+  certificate_authority_id               = "tf-test-ca"
+  location                               = "asia-northeast1"
+  lifetime                               = "86400s"
+  type                                   = "SELF_SIGNED"
+  deletion_protection                    = false
+  skip_grace_period                      = true
+  ignore_active_certificates_on_deletion = true
+  config {
+    subject_config {
+      subject {
+        organization = "Test LLC"
+        common_name  = "my-ca"
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign  = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+# [END cloud_sql_sqlserver_instance_ca]
+
+# [START cloud_sql_sqlserver_instance_iam_granting]
+resource "google_privateca_ca_pool_iam_member" "granting" {
+  ca_pool = google_privateca_ca_pool.customer_ca_pool.id
+  role    = "roles/privateca.certificateRequester"
+
+  member = "serviceAccount:${google_project_service_identity.gcp_sa_cloud_sql.email}"
+}
+# [END cloud_sql_sqlserver_instance_iam_granting]
 
 # [START cloud_sql_sqlserver_instance_require_ssl]
 resource "google_sql_database_instance" "sqlserver_instance" {
@@ -27,7 +92,7 @@ resource "google_sql_database_instance" "sqlserver_instance" {
       # https://cloud.google.com/sql/docs/sqlserver/admin-api/rest/v1beta4/instances#ipconfiguration
       server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"
       # This is the name of the customer-owned CAS CA pool.
-      server_ca_pool = "projects/my-project/locations/asia-northeast1/caPools/my-pool"
+      server_ca_pool = google_privateca_ca_pool.customer_ca_pool.id
     }
   }
   # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
