fix: provide a sensible example for a privateca Root CA example

hoexter · hoexter · commit ec4e7a0d0443 · 2024-04-02T12:13:20.000+02:00
This one looks a lot like someone copied by accident the subordinate
example out of `certificate_authority_subordinate/main.tf` as a root
CA. Thus it contains a lot of values set which are outright invalid
or not recommend for Root CA certficates if you consider RFC 5280
and CA/B Baseline Requirements as the standard to follow.

Also the subordinate example is a bit odd, e.g. configuring SAN
on any kind of CA certificate doesn't make sense. And the resources
examples there make use of the same pool name.

I tried to keep the lifetime setting, but set it to 99 years.
That is probably a sensible value for a P(rivate)KI setup. For
something public 10y or 15y are probably more sensible.

Signed-off-by: Sven Höxter &lt;sven@stormbind.net&gt;
diff --git a/privateca/certificate_authority_basic/main.tf b/privateca/certificate_authority_basic/main.tf
@@ -15,52 +15,42 @@
  */
 
 # [START privateca_create_ca]
-resource "google_privateca_certificate_authority" "default" {
+resource "google_privateca_certificate_authority" "root_ca" {
   // This example assumes this pool already exists.
   // Pools cannot be deleted in normal test circumstances, so we depend on static pools
-  pool                     = "my-pool"
-  certificate_authority_id = "my-certificate-authority-hashicorp"
-  location                 = "us-central1"
-  deletion_protection      = false # set to true to prevent destruction of the resource
+  pool                                   = "my-pool"
+  certificate_authority_id               = "my-certificate-authority-root"
+  location                               = "us-central1"
+  deletion_protection                    = false # set to true to prevent destruction of the resource
+  ignore_active_certificates_on_deletion = true
   config {
     subject_config {
       subject {
         organization = "HashiCorp"
         common_name  = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
-        is_ca                  = true
-        max_issuer_path_length = 10
+        # is_ca *MUST* be true for certificate authorities
+        is_ca = true
       }
       key_usage {
         base_key_usage {
-          digital_signature  = true
-          content_commitment = true
-          key_encipherment   = false
-          data_encipherment  = true
-          key_agreement      = true
-          cert_sign          = true
-          crl_sign           = true
-          decipher_only      = true
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
+          cert_sign = true
+          crl_sign  = true
         }
         extended_key_usage {
-          server_auth      = true
-          client_auth      = false
-          email_protection = true
-          code_signing     = true
-          time_stamping    = true
+          server_auth = false
         }
       }
     }
   }
-  lifetime = "86400s"
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
+  // Root CA should be valid indefinetly e.g. 99 years
+  lifetime = "${99 * 365 * 24 * 3600}s"
 }
 # [END privateca_create_ca]
diff --git a/privateca/certificate_authority_subordinate/main.tf b/privateca/certificate_authority_subordinate/main.tf
@@ -16,6 +16,8 @@
 
 # [START privateca_create_subordinateca]
 resource "google_privateca_certificate_authority" "root_ca" {
+  // This example assumes this pool already exists.
+  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
   pool                                   = "my-pool"
   certificate_authority_id               = "my-certificate-authority-root"
   location                               = "us-central1"
@@ -27,9 +29,6 @@ resource "google_privateca_certificate_authority" "root_ca" {
         organization = "HashiCorp"
         common_name  = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
@@ -51,12 +50,14 @@ resource "google_privateca_certificate_authority" "root_ca" {
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
+  // Root CA should be valid indefinetly e.g. 99 years
+  lifetime = "${99 * 365 * 24 * 3600}s"
 }
 
 resource "google_privateca_certificate_authority" "default" {
   // This example assumes this pool already exists.
   // Pools cannot be deleted in normal test circumstances, so we depend on static pools
-  pool                     = "my-pool"
+  pool                     = "my-sub-pool"
   certificate_authority_id = "my-certificate-authority-sub"
   location                 = "us-central1"
   deletion_protection      = false # set to true to prevent destruction of the resource
