Allow the creation of subordinate CAs (GoogleCloudPlatform#5055)
* Bootstrap CA pool for CA tests

* Add subordinate CA example/test

* fix creation of subordinate CAs
drebes authored and khajduczenia committed Oct 12, 2021
1 parent 155265b commit 327f4d2
Showing 7 changed files with 115 additions and 8 deletions.
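--- a/mmv1/products/privateca/terraform.yaml
+++ b/mmv1/products/privateca/terraform.yaml
@@ -24,8 +24,21 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 primary_resource_id: "default"
 vars:
 certificate_authority_id: "my-certificate-authority"
+pool_name: "ca-pool"
+pool_location: "us-central1"
 test_vars_overrides:
-pool: "\"static-ca-pool\""
+pool_name: 'BootstrapSharedCaPoolInLocation(t, "us-central1")'
+pool_location: "\"us-central1\""
+- !ruby/object:Provider::Terraform::Examples
+name: "privateca_certificate_authority_subordinate"
+primary_resource_id: "default"
+vars:
+certificate_authority_id: "my-certificate-authority"
+pool_name: "ca-pool"
+pool_location: "us-central1"
+test_vars_overrides:
+pool_name: 'BootstrapSharedCaPoolInLocation(t, "us-central1")'
+pool_location: "\"us-central1\""
 - !ruby/object:Provider::Terraform::Examples
 name: "privateca_certificate_authority_byo_key"
 primary_resource_id: "default"
@@ -34,9 +47,12 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 vars:
 kms_key_name: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
 certificate_authority_id: "my-certificate-authority"
+pool_name: "ca-pool"
+pool_location: "us-central1"
 test_vars_overrides:
 kms_key_name: 'BootstrapKMSKeyWithPurposeInLocation(t, "ASYMMETRIC_SIGN", "us-central1").CryptoKey.Name'
-pool: "\"static-ca-pool\""
+pool_name: 'BootstrapSharedCaPoolInLocation(t, "us-central1")'
+pool_location: "\"us-central1\""
 properties:
 type: !ruby/object:Overrides::Terraform::PropertyOverride
 description: |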
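Review bot: Each example now spells the location three times — `pool_location: "us-central1"` under `vars`, `pool_location: "\"us-central1\""` under `test_vars_overrides`, and the literal argument of `BootstrapSharedCaPoolInLocation(t, "us-central1")` — so editing one of them quietly places the CA in a different location from the pool that was bootstrapped for it and the test only fails at apply time. The byo_key example couples a fourth copy through `BootstrapKMSKeyWithPurposeInLocation(..., "us-central1")`. A one-line comment on the override block would make the coupling visible, e.g. `# pool_location must match the location passed to BootstrapSharedCaPoolInLocation (and, for byo_key, to the KMS bootstrap)`.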
@@ -1,9 +1,9 @@
resource "google_privateca_certificate_authority" "<%= ctx[:primary_resource_id] %>" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "<%= ctx[:vars]["pool"] %>"
pool = "<%= ctx[:vars]["pool_name"] %>"
certificate_authority_id = "<%= ctx[:vars]["certificate_authority_id"] %>"
location = "us-central1"
location = "<%= ctx[:vars]["pool_location"] %>"
config {
subject_config {
subject {
Expand Up @@ -22,9 +22,9 @@ resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
resource "google_privateca_certificate_authority" "<%= ctx[:primary_resource_id] %>" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "<%= ctx[:vars]["pool"] %>"
pool = "<%= ctx[:vars]["pool_name"] %>"
certificate_authority_id = "<%= ctx[:vars]["certificate_authority_id"] %>"
location = "us-central1"
location = "<%= ctx[:vars]["pool_location"] %>"
key_spec {
cloud_kms_key_version = "<%= ctx[:vars]['kms_key_name'] %>/cryptoKeyVersions/1"
}
Expand Down Expand Up @@ -59,4 +59,4 @@ resource "google_privateca_certificate_authority" "<%= ctx[:primary_resource_id]
google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
]
}
}
@@ -0,0 +1,48 @@
resource "google_privateca_certificate_authority" "<%= ctx[:primary_resource_id] %>" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "<%= ctx[:vars]["pool_name"] %>"
certificate_authority_id = "<%= ctx[:vars]["certificate_authority_id"] %>"
location = "<%= ctx[:vars]["pool_location"] %>"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
type = "SUBORDINATE"
}
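Review bot: The example sets `type = "SUBORDINATE"` on its last line but nothing tells the reader that the resource is not usable in that state; as far as I can tell a subordinate CA in this service is created pending activation and can only issue once a parent CA has signed its CSR and the CA has been activated, which is also why the post-create hook in this commit skips the `:enable` call for this type. A comment next to the existing pool note would avoid that confusion, e.g. `// A SUBORDINATE CA is created in a pending state: it cannot issue until a parent CA signs its CSR and the CA is activated.`. The `key_usage` block is copied from the basic example and grants far more than a signing CA needs (`data_encipherment`, `key_agreement`, `decipher_only`, `email_protection`, `code_signing`, `time_stamping`); examples get copied into production configs, so a reference subordinate that asks only for `cert_sign`, `crl_sign` and `digital_signature` would be the better template. `max_issuer_path_length = 10` on a subordinate is also capped by whatever the parent allows, which is worth stating in the same comment.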
@@ -1,3 +1,4 @@
if d.Get("type").(string) != "SUBORDINATE" {
url, err = replaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}:enable")
if err != nil {
return err
Expand All @@ -15,4 +16,5 @@
d.Timeout(schema.TimeoutCreate))
if err != nil {
return fmt.Errorf("Error waiting to enable CertificateAuthority: %s", err)
}
}
}
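Review bot: The new guard `if d.Get("type").(string) != "SUBORDINATE" {` carries no comment on why subordinates are skipped, so a reader of this template has to find the commit message to learn it; suggest `// A SUBORDINATE CA stays pending until it is activated with a certificate signed by its parent, so :enable is only valid for non-subordinate CAs.`. The same applies to the `if d.Get("state").(string) == "ENABLED" {` guard this commit adds to the pre-delete hook, where a one-line comment on why only an enabled CA is disabled before deletion would help. Both guards read whatever the provider last stored for `type` and `state`, so they are only as fresh as the preceding refresh — normal for these hooks, but worth keeping in mind if a CA is enabled or activated out of band. The surrounding function starts and ends outside the hunk.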
@@ -1,3 +1,4 @@
if d.Get("state").(string) == "ENABLED" {
disableUrl, err := replaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}:disable")
if err != nil {
return err
Expand All @@ -17,3 +18,4 @@
if err != nil {
return fmt.Errorf("Error waiting to disable CertificateAuthority: %s", err)
}
}
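--- a/mmv1/third_party/terraform/utils/bootstrap_utils_test.go
+++ b/mmv1/third_party/terraform/utils/bootstrap_utils_test.go
@@ -429,3 +429,42 @@ func BootstrapSharedSQLInstanceBackupRun(t *testing.T) string {
 
 return bootstrapInstance.Name
 }
+
+func BootstrapSharedCaPoolInLocation(t *testing.T, location string) string {
+project := getTestProjectFromEnv()
+poolName := "static-ca-pool"
+
+config := BootstrapConfig(t)
+if config == nil {
+return ""
+}
+
+log.Printf("[DEBUG] Getting shared CA pool %q", poolName)
+url := fmt.Sprintf("%sprojects/%s/locations/%s/caPools/%s", config.PrivatecaBasePath, project, location, poolName)
+_, err := sendRequest(config, "GET", project, url, config.userAgent, nil)
+if err != nil {
+log.Printf("[DEBUG] CA pool %q not found, bootstrapping", poolName)
+poolObj := map[string]interface{}{
+"tier": "ENTERPRISE",
+}
+createUrl := fmt.Sprintf("%sprojects/%s/locations/%s/caPools?caPoolId=%s", config.PrivatecaBasePath, project, location, poolName)
+res, err := sendRequestWithTimeout(config, "POST", project, createUrl, config.userAgent, poolObj, 4*time.Minute)
+if err != nil {
+t.Fatalf("Error bootstrapping shared CA pool %q: %s", poolName, err)
+}
+
+log.Printf("[DEBUG] Waiting for CA pool creation to finish")
+var opRes map[string]interface{}
+err = privatecaOperationWaitTimeWithResponse(
+config, res, &opRes, project, "Creating CA pool", config.userAgent,
+4*time.Minute)
+if err != nil {
+t.Errorf("Error getting shared CA pool %q: %s", poolName, err)
+}
+res, err = sendRequest(config, "GET", project, url, config.userAgent, nil)
+if err != nil {
+t.Errorf("Error getting shared CA pool %q: %s", poolName, err)
+}
+}
+return poolName
+}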
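Review bot: Any error from the GET on the `url` line is taken to mean the pool is missing and the function goes on to create it, so a permission, quota or transport error turns into a POST that fails with a less useful message; the lookup should distinguish 404 from other errors (the provider's `isGoogleApiErrorWithCode(err, 404)`, as the other bootstrap helpers do as far as I can see) and fail fast otherwise. After the create, the operation-wait error and the verification GET only call `t.Errorf`, so the function still returns `poolName` and the calling test proceeds against a pool that may not exist; `t.Fatalf`, as on the POST failure a few lines above, is the consistent choice. The result of that verification GET is assigned to `res` and never read, which staticcheck will flag; discard it with `_` or actually check it. `createUrl` should be `createURL` per Go's initialism convention.

```go
	log.Printf("[DEBUG] Getting shared CA pool %q", poolName)
	url := fmt.Sprintf("%sprojects/%s/locations/%s/caPools/%s", config.PrivatecaBasePath, project, location, poolName)
	_, err := sendRequest(config, "GET", project, url, config.userAgent, nil)
	if err != nil && !isGoogleApiErrorWithCode(err, 404) {
		// Only "not found" justifies creating the pool; anything else is a real failure.
		t.Fatalf("Error getting shared CA pool %q: %s", poolName, err)
	}
	if err != nil {
		log.Printf("[DEBUG] CA pool %q not found, bootstrapping", poolName)
		// … unchanged: poolObj, POST to caPools, privatecaOperationWaitTimeWithResponse …
		if err != nil {
			t.Fatalf("Error waiting for shared CA pool %q: %s", poolName, err)
		}
		// Confirm the pool is now readable; the response body itself is not needed.
		if _, err = sendRequest(config, "GET", project, url, config.userAgent, nil); err != nil {
			t.Fatalf("Error getting shared CA pool %q: %s", poolName, err)
		}
	}
	return poolName
```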
