

ready for review
gfxcc committed Mar 3, 2023
1 parent e736b23 commit eca8f43
Showing 6 changed files with 91 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -44,5 +44,10 @@ func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d T
}
transformed["additionalExtensions"] = addExts

nameConstraints, err := expandPrivatecaCertificateConfigX509ConfigNameConstraints(original["name_constraints"], d, config)
if err != nil {
return nil, err
}
transformed["nameConstraints"] = nameConstraints
return transformed, nil
}
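Review bot: The unconditional assignment on L23 stores `nameConstraints` even when the expander returned `nil`, so a resource without a `name_constraints` block would carry an explicit `"nameConstraints": null` key in the request body instead of omitting the field. That mirrors the `additionalExtensions` line just above, so it may be the file's accepted pattern, but if the API treats `null` differently from absent it is worth guarding as the generated expanders usually do: `if nameConstraints != nil { transformed["nameConstraints"] = nameConstraints }`. The enclosing expand function starts above the hunk, so I could not see whether an `isEmptyValue`-style helper is already in scope here.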
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,7 @@ func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d
flattenPrivatecaCertificateConfigX509ConfigCaOptions(original["caOptions"], d, config)
transformed["key_usage"] =
flattenPrivatecaCertificateConfigX509ConfigKeyUsage(original["keyUsage"], d, config)
transformed["name_constraints"] =
flattenPrivatecaCertificateConfigX509ConfigNameConstraints(original["nameConstraints"], d, config)
return []interface{}{transformed}
}
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,17 @@ resource "google_privateca_ca_pool" "<%= ctx[:primary_resource_id] %>" {
time_stamping = true
}
}
name_constraints {
critical = true
permitted_dns_names = ["*.example.com"]
excluded_dns_names = ["*.deny.example.com"]
permitted_ip_ranges = ["10.0.0.0/8"]
excluded_ip_ranges = ["10.1.1.0/24"]
permitted_email_addresses = [".example.com"]
excluded_email_addresses = [".deny.example.com"]
permitted_uris = [".example.com"]
excluded_uris = [".deny.example.com"]
}
}
}
}
Expand Down
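Review bot: `permitted_dns_names = ["*.example.com"]` on L42 (and the `excluded_dns_names` entry on L43) uses a wildcard, but X.509 DNS name constraints match by suffix: RFC 5280 §4.2.1.10 takes the constraint as a literal host name that any name with additional left-hand labels satisfies, so a `*` label would only match a name that literally contains that label, and as far as I recall CA Service documents the same add-labels-on-the-left rule. If that holds, the example should read `permitted_dns_names = ["example.com"]` and `excluded_dns_names = ["deny.example.com"]` to express the intended "all of example.com except deny.example.com". The leading-dot forms used for the email and URI constraints on L46–L49 are the RFC's own syntax for "all addresses in this domain" / "all hosts in this subdomain" and look correct; only the DNS entries should be confirmed against the API before landing.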
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,15 @@ resource "google_privateca_certificate_authority" "<%= ctx[:primary_resource_id]
}
}
name_constraints {
critical = true
permitted_dns_names = ["*.test.com"]
excluded_dns_names = ["*.deny.test.com"]
permitted_ip_ranges = ["10.0.0.0/8"]
excluded_ip_ranges = ["10.0.0.255/3"]
permitted_email_addresses = []
excluded_email_addresses = []
permitted_uris = []
excluded_uris = []
critical = true
permitted_dns_names = ["*.example.com"]
excluded_dns_names = ["*.deny.example.com"]
permitted_ip_ranges = ["10.0.0.0/8"]
excluded_ip_ranges = ["10.1.1.0/24"]
permitted_email_addresses = [".example.com"]
excluded_email_addresses = [".deny.example.com"]
permitted_uris = [".example.com"]
excluded_uris = [".deny.example.com"]
}
}
}
Expand Down
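Review bot: The same DNS-constraint syntax concern applies to L70–L71: name constraints on DNS names are suffix matches per RFC 5280 §4.2.1.10, not glob patterns, so `"*.example.com"` / `"*.deny.example.com"` likely do not constrain what the example intends and should be `"example.com"` / `"deny.example.com"` if CA Service follows the RFC rule. Moving the excluded IP range to `10.1.1.0/24` (L73) does make it a proper carve-out inside the permitted `10.0.0.0/8`, which the old `10.0.0.255/3` was not. If the API accepts the wildcard form verbatim, a one-line comment above L70 saying that the literal is stored as-is and not interpreted as a glob would save the next reader the same question.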
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ resource "google_privateca_certificate" "<%= ctx[:primary_resource_id] %>" {
location = "us-central1"
pool = google_privateca_ca_pool.default.name
certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
lifetime = "860s"
lifetime = "86000s"
name = "<%= ctx[:vars]["certificate_name"] %>"
config {
subject_config {
Expand All @@ -69,7 +69,7 @@ resource "google_privateca_certificate" "<%= ctx[:primary_resource_id] %>" {
}
x509_config {
ca_options {
is_ca = false
is_ca = true
}
key_usage {
base_key_usage {
Expand All @@ -80,6 +80,17 @@ resource "google_privateca_certificate" "<%= ctx[:primary_resource_id] %>" {
server_auth = false
}
}
name_constraints {
critical = true
permitted_dns_names = ["*.example.com"]
excluded_dns_names = ["*.deny.example.com"]
permitted_ip_ranges = ["10.0.0.0/8"]
excluded_ip_ranges = ["10.1.1.0/24"]
permitted_email_addresses = [".example.com"]
excluded_email_addresses = [".deny.example.com"]
permitted_uris = [".example.com"]
excluded_uris = [".deny.example.com"]
}
}
public_key {
format = "PEM"
Expand Down
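Review bot: The flip to `is_ca = true` on L97 is load-bearing rather than incidental, because RFC 5280 says the nameConstraints extension MUST be used only in CA certificates, so the new `name_constraints` block on L105–L114 is only meaningful on a CA certificate; a short comment above L97 such as `# name_constraints only apply to CA certificates, so is_ca must stay true` would keep a later cleanup from reverting it. The example now mints a subordinate CA with no path-length limit; if this provider's `ca_options` block supports it, pinning the path length (`max_issuer_path_length = 0` or the equivalent zero flag) would stop the constrained sub-CA from issuing further CAs that escape review. The `base_key_usage` block is collapsed at L100, so I could not confirm that `cert_sign` is enabled for the CA certificate being issued here.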
51 changes: 51 additions & 0 deletions mmv1/third_party/terraform/utils/privateca_utils.go
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,37 @@ func expandPrivatecaCertificateConfigX509ConfigAiaOcspServers(v interface{}, d T
return v, nil
}

func expandPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
if v == nil {
return nil, nil
}

l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
return nil, nil
}

raw := l[0]
original := raw.(map[string]interface{})
if len(original) == 0 {
// Ignore empty name constraints
return nil, nil
}

transformed := make(map[string]interface{})
transformed["critical"] = original["critical"]
transformed["permittedDnsNames"] = original["permitted_dns_names"]
transformed["excludedDnsNames"] = original["excluded_dns_names"]
transformed["permittedIpRanges"] = original["permitted_ip_ranges"]
transformed["excludedIpRanges"] = original["excluded_ip_ranges"]
transformed["permittedEmailAddresses"] = original["permitted_email_addresses"]
transformed["excludedEmailAddresses"] = original["excluded_email_addresses"]
transformed["permittedUris"] = original["permitted_uris"]
transformed["excludedUris"] = original["excluded_uris"]

return transformed, nil
}

// Flattener utilities

func flattenPrivatecaCertificateConfigX509ConfigAdditionalExtensions(v interface{}, d *schema.ResourceData, config *Config) interface{} {
Expand Down Expand Up @@ -490,3 +521,23 @@ func flattenPrivatecaCertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsages
func flattenPrivatecaCertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesObjectIdPath(v interface{}, d *schema.ResourceData, config *Config) interface{} {
return v
}

func flattenPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d *schema.ResourceData, config *Config) interface{} {
if v == nil {
return nil
}
original := v.(map[string]interface{})
transformed := make(map[string]interface{})

transformed["critical"] = original["critical"]
transformed["permitted_dns_names"] = original["permittedDnsNames"]
transformed["excluded_dns_names"] = original["excludedDnsNames"]
transformed["permitted_ip_ranges"] = original["permittedIpRanges"]
transformed["excluded_ip_ranges"] = original["excludedIpRanges"]
transformed["permitted_email_addresses"] = original["permittedEmailAddresses"]
transformed["excluded_email_addresses"] = original["excludedEmailAddresses"]
transformed["permitted_uris"] = original["permittedUris"]
transformed["excluded_uris"] = original["excludedUris"]

return []interface{}{transformed}
}
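Review bot: The `len(original) == 0` guard on L138 only catches a literally empty map, but a declared `name_constraints {}` block whose fields are all unset most likely arrives from the SDK with every schema key present at its zero value (`critical = false`, empty lists), so it would be sent to the API as a name-constraints extension with no subtrees at all — something RFC 5280 §4.2.1.10 disallows, since at least one of permittedSubtrees/excludedSubtrees must be present — and the API's reaction to that is not visible here. I would treat "every list empty" the same as "no block" and skip emitting it, as below, and confirm against the SDK how an empty block is actually delivered. The bare type assertions on L131 and L137 (and L169 in the flattener) panic on an unexpected shape; that matches the neighbouring expanders' style, so I would leave them unless the file already uses the two-value form elsewhere.
```go
func expandPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
	// … unchanged: nil / empty-list / empty-map guards …

	// Map each schema key to its API field and note whether any subtree list
	// is populated; a NameConstraints extension with no subtrees is invalid
	// (RFC 5280 §4.2.1.10), so an all-empty block is dropped rather than sent.
	subtreeKeys := map[string]string{
		"permitted_dns_names":       "permittedDnsNames",
		"excluded_dns_names":        "excludedDnsNames",
		"permitted_ip_ranges":       "permittedIpRanges",
		"excluded_ip_ranges":        "excludedIpRanges",
		"permitted_email_addresses": "permittedEmailAddresses",
		"excluded_email_addresses":  "excludedEmailAddresses",
		"permitted_uris":            "permittedUris",
		"excluded_uris":             "excludedUris",
	}
	transformed := make(map[string]interface{})
	transformed["critical"] = original["critical"]
	hasSubtree := false
	for tfKey, apiKey := range subtreeKeys {
		transformed[apiKey] = original[tfKey]
		if list, ok := original[tfKey].([]interface{}); ok && len(list) > 0 {
			hasSubtree = true
		}
	}
	if !hasSubtree {
		// Nothing to constrain: behave as if the block were absent.
		return nil, nil
	}
	return transformed, nil
}
```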
