From eca8f43ae87bc97c4e3ebeedda10fdfb37ecf7c7 Mon Sep 17 00:00:00 2001
From: Yong Cao
Date: Fri, 3 Mar 2023 00:47:44 -0500
Subject: [PATCH] ready for review

---
 .../privateca_certificate_509_config.go.erb | 5 ++
 .../privateca_certificate_509_config.go.erb | 2 +
 .../privateca_capool_all_fields.tf.erb | 11 ++++
 ...ivateca_certificate_authority_basic.tf.erb | 18 +++---
 .../privateca_certificate_config.tf.erb | 15 +++++-
 .../terraform/utils/privateca_utils.go | 51 +++++++++++++++++++
 6 files changed, 91 insertions(+), 11 deletions(-)

diff --git a/mmv1/templates/terraform/custom_expand/privateca_certificate_509_config.go.erb b/mmv1/templates/terraform/custom_expand/privateca_certificate_509_config.go.erb
index 4082eb6e0e68..ae5c0fbfce3a 100644
--- a/mmv1/templates/terraform/custom_expand/privateca_certificate_509_config.go.erb
+++ b/mmv1/templates/terraform/custom_expand/privateca_certificate_509_config.go.erb
@@ -44,5 +44,10 @@ func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d T
 	}
 	transformed["additionalExtensions"] = addExts
+	nameConstraints, err := expandPrivatecaCertificateConfigX509ConfigNameConstraints(original["name_constraints"], d, config)
+	if err != nil {
+		return nil, err
+	}
+	transformed["nameConstraints"] = nameConstraints
 	return transformed, nil
 }
diff --git a/mmv1/templates/terraform/custom_flatten/privateca_certificate_509_config.go.erb b/mmv1/templates/terraform/custom_flatten/privateca_certificate_509_config.go.erb
index 81ccb1a33dda..eeee33e9eff9 100644
--- a/mmv1/templates/terraform/custom_flatten/privateca_certificate_509_config.go.erb
+++ b/mmv1/templates/terraform/custom_flatten/privateca_certificate_509_config.go.erb
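Review bot: `transformed["nameConstraints"] = nameConstraints` is assigned unconditionally, so when the helper returns nil for an absent or empty block the request body carries an explicit `"nameConstraints": null` rather than omitting the key. The `additionalExtensions` line above does the same, so this follows the template's existing pattern; if the API turns out to reject an explicit null, the usual fix is `if nameConstraints != nil { transformed["nameConstraints"] = nameConstraints }`. The enclosing expand function starts outside the hunk, so whether `err` is already declared there is not visible; `:=` is fine either way because `nameConstraints` is new in this scope.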
@@ -14,5 +14,7 @@ func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d
 		flattenPrivatecaCertificateConfigX509ConfigCaOptions(original["caOptions"], d, config)
 	transformed["key_usage"] = flattenPrivatecaCertificateConfigX509ConfigKeyUsage(original["keyUsage"], d, config)
+	transformed["name_constraints"] =
+		flattenPrivatecaCertificateConfigX509ConfigNameConstraints(original["nameConstraints"], d, config)
 	return []interface{}{transformed}
 }
diff --git a/mmv1/templates/terraform/examples/privateca_capool_all_fields.tf.erb b/mmv1/templates/terraform/examples/privateca_capool_all_fields.tf.erb
index bb2312c26d9a..634e4ef946c3 100644
--- a/mmv1/templates/terraform/examples/privateca_capool_all_fields.tf.erb
+++ b/mmv1/templates/terraform/examples/privateca_capool_all_fields.tf.erb
@@ -73,6 +73,17 @@ resource "google_privateca_ca_pool" "<%= ctx[:primary_resource_id] %>" {
           time_stamping = true
         }
       }
+      name_constraints {
+        critical                  = true
+        permitted_dns_names       = ["*.example.com"]
+        excluded_dns_names        = ["*.deny.example.com"]
+        permitted_ip_ranges       = ["10.0.0.0/8"]
+        excluded_ip_ranges        = ["10.1.1.0/24"]
+        permitted_email_addresses = [".example.com"]
+        excluded_email_addresses  = [".deny.example.com"]
+        permitted_uris            = [".example.com"]
+        excluded_uris             = [".deny.example.com"]
+      }
     }
   }
 }
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.erb b/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.erb
index 125a385412cd..9c4725a6400a 100644
--- a/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.erb
+++ b/mmv1/templates/terraform/examples/privateca_certificate_authority_basic.tf.erb
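Review bot: The new `name_constraints` block in the CA pool example sits under `baseline_values`, which the pool applies to every certificate it issues, and that presumably includes non-CA leaf certificates; the name constraints extension is defined for CA certificates (RFC 5280 §4.2.1.10), so it is worth confirming in the generated test that the service accepts the combination. The certificate example in this same patch flips `is_ca` to `true` next to its own `name_constraints` block, which hints that the distinction matters. A one-line comment above the block, `# applied to every certificate issued from this pool`, would make the scope clear to readers copying the example.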
@@ -41,15 +41,15 @@ resource "google_privateca_certificate_authority" "<%= ctx[:primary_resource_id]
       }
     }
     name_constraints {
-      critical = true
-      permitted_dns_names = ["*.test.com"]
-      excluded_dns_names = ["*.deny.test.com"]
-      permitted_ip_ranges = ["10.0.0.0/8"]
-      excluded_ip_ranges = ["10.0.0.255/3"]
-      permitted_email_addresses = []
-      excluded_email_addresses = []
-      permitted_uris = []
-      excluded_uris = []
+      critical                  = true
+      permitted_dns_names       = ["*.example.com"]
+      excluded_dns_names        = ["*.deny.example.com"]
+      permitted_ip_ranges       = ["10.0.0.0/8"]
+      excluded_ip_ranges        = ["10.1.1.0/24"]
+      permitted_email_addresses = [".example.com"]
+      excluded_email_addresses  = [".deny.example.com"]
+      permitted_uris            = [".example.com"]
+      excluded_uris             = [".deny.example.com"]
     }
   }
 }
diff --git a/mmv1/templates/terraform/examples/privateca_certificate_config.tf.erb b/mmv1/templates/terraform/examples/privateca_certificate_config.tf.erb
index c8dabc5c4ea4..f01870f48b34 100644
--- a/mmv1/templates/terraform/examples/privateca_certificate_config.tf.erb
+++ b/mmv1/templates/terraform/examples/privateca_certificate_config.tf.erb
@@ -48,7 +48,7 @@ resource "google_privateca_certificate" "<%= ctx[:primary_resource_id] %>" {
   location              = "us-central1"
   pool                  = google_privateca_ca_pool.default.name
   certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
-  lifetime              = "860s"
+  lifetime              = "86000s"
   name                  = "<%= ctx[:vars]["certificate_name"] %>"
   config {
     subject_config {
@@ -69,7 +69,7 @@ resource "google_privateca_certificate" "<%= ctx[:primary_resource_id] %>" {
     }
     x509_config {
       ca_options {
-        is_ca = false
+        is_ca = true
       }
       key_usage {
         base_key_usage {
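Review bot: The `is_ca = false` → `is_ca = true` flip (and `860s` → `86000s` lifetime) in the certificate example is unexplained in the hunk; together with the `name_constraints` block added in the `@@ -80` hunk of the same file it turns the sample from an end-entity certificate into a CA certificate, presumably because the name constraints extension is only valid on CA certificates. A short comment on the `ca_options` block, `# name_constraints below is only valid on a CA certificate`, would stop the next editor from reverting it. It is also worth confirming that the issuing CA in this example is allowed to issue CA certificates (path length and pool policy), since the generated test will now exercise that path.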
@@ -80,6 +80,17 @@ resource "google_privateca_certificate" "<%= ctx[:primary_resource_id] %>" {
           server_auth = false
         }
       }
+      name_constraints {
+        critical                  = true
+        permitted_dns_names       = ["*.example.com"]
+        excluded_dns_names        = ["*.deny.example.com"]
+        permitted_ip_ranges       = ["10.0.0.0/8"]
+        excluded_ip_ranges        = ["10.1.1.0/24"]
+        permitted_email_addresses = [".example.com"]
+        excluded_email_addresses  = [".deny.example.com"]
+        permitted_uris            = [".example.com"]
+        excluded_uris             = [".deny.example.com"]
+      }
     }
     public_key {
       format = "PEM"
diff --git a/mmv1/third_party/terraform/utils/privateca_utils.go b/mmv1/third_party/terraform/utils/privateca_utils.go
index db3728965dd1..f8c84aac36fd 100644
--- a/mmv1/third_party/terraform/utils/privateca_utils.go
+++ b/mmv1/third_party/terraform/utils/privateca_utils.go
@@ -230,6 +230,37 @@ func expandPrivatecaCertificateConfigX509ConfigAiaOcspServers(v interface{}, d T
 	return v, nil
 }
 
+func expandPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	if v == nil {
+		return nil, nil
+	}
+
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	if len(original) == 0 {
+		// Ignore empty name constraints
+		return nil, nil
+	}
+
+	transformed := make(map[string]interface{})
+	transformed["critical"] = original["critical"]
+	transformed["permittedDnsNames"] = original["permitted_dns_names"]
+	transformed["excludedDnsNames"] = original["excluded_dns_names"]
+	transformed["permittedIpRanges"] = original["permitted_ip_ranges"]
+	transformed["excludedIpRanges"] = original["excluded_ip_ranges"]
+	transformed["permittedEmailAddresses"] = original["permitted_email_addresses"]
+	transformed["excludedEmailAddresses"] = original["excluded_email_addresses"]
+	transformed["permittedUris"] = original["permitted_uris"]
+	transformed["excludedUris"] = original["excluded_uris"]
+
+	return transformed, nil
+}
+
 // Flattener utilities
 
 func flattenPrivatecaCertificateConfigX509ConfigAdditionalExtensions(v interface{}, d *schema.ResourceData, config *Config) interface{} {
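Review bot: The two unchecked type assertions, `l := v.([]interface{})` and `original := raw.(map[string]interface{})`, turn an unexpected value shape into a provider panic even though the function already has an error return to report it through; the flatten helper added at the end of this file does the same with `v.(map[string]interface{})`. The SDK normally guarantees the shape for a schema-declared list block, so this mirrors the neighbouring helpers, but the two-value form keeps a malformed value inside the `(interface{}, error)` contract at no cost (this assumes `fmt` is already imported by privateca_utils.go, which the hunk does not show). The function also lacks a doc comment; something like `// expandPrivatecaCertificateConfigX509ConfigNameConstraints converts the single-element name_constraints block into the API's camelCase nameConstraints object, returning nil when the block is absent or empty.` would suffice.
```go
func expandPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
	if v == nil {
		return nil, nil
	}

	l, ok := v.([]interface{})
	if !ok {
		return nil, fmt.Errorf("name_constraints: expected list, got %T", v)
	}
	if len(l) == 0 || l[0] == nil {
		return nil, nil
	}

	original, ok := l[0].(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("name_constraints: expected object, got %T", l[0])
	}
	// … unchanged: empty-map check and snake_case → camelCase key mapping …
```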
@@ -490,3 +521,23 @@ func flattenPrivatecaCertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsages
 func flattenPrivatecaCertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesObjectIdPath(v interface{}, d *schema.ResourceData, config *Config) interface{} {
 	return v
 }
+
+func flattenPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformed["critical"] = original["critical"]
+	transformed["permitted_dns_names"] = original["permittedDnsNames"]
+	transformed["excluded_dns_names"] = original["excludedDnsNames"]
+	transformed["permitted_ip_ranges"] = original["permittedIpRanges"]
+	transformed["excluded_ip_ranges"] = original["excludedIpRanges"]
+	transformed["permitted_email_addresses"] = original["permittedEmailAddresses"]
+	transformed["excluded_email_addresses"] = original["excludedEmailAddresses"]
+	transformed["permitted_uris"] = original["permittedUris"]
+	transformed["excluded_uris"] = original["excludedUris"]
+
+	return []interface{}{transformed}
+}
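Review bot: The new flattener has no doc comment, and its contract is worth stating because callers depend on the nil-versus-list distinction: `// flattenPrivatecaCertificateConfigX509ConfigNameConstraints maps the API's nameConstraints object back onto the schema's snake_case keys and wraps it in a one-element list; a nil input (field absent in the response) yields nil so the block is cleared from state.` Every key is copied through without an emptiness check, so when the API omits a zero-valued field (for example `critical` false or an empty list) the state entry becomes nil; that is presumably what the schema expects, but it is the place to look if the generated test shows a perpetual diff against the example's explicit values. The `d` and `config` parameters are unused, which matches the sibling helpers above.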