Add issuanceConfig property to managed certificates (#8276) (#15101)

* Add issuanceConfig property to managed certificates

* Remove trailing spaces in Certificate.yaml

---------

Signed-off-by: Modular Magician <[email protected]>
Co-authored-by: Hamza Hassan <[email protected]>

.changelog/8276.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+certificatemanager: added `issuance_config` field to `google_certificate_manager_certificate` resource
+```

google/resource_certificate_manager_certificate_generated_test.go

@@ -30,7 +30,7 @@ import (
 	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
 )
 
-func TestAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateExample(t *testing.T) {
+func TestAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateDnsExample(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
@@ -43,7 +43,7 @@ func TestAccCertificateManagerCertificate_certificateManagerGoogleManagedCertifi
 		CheckDestroy:             testAccCheckCertificateManagerCertificateDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateExample(context),
+				Config: testAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateDnsExample(context),
 			},
 			{
 				ResourceName:            "google_certificate_manager_certificate.default",
@@ -55,7 +55,7 @@ func TestAccCertificateManagerCertificate_certificateManagerGoogleManagedCertifi
 	})
 }
 
-func testAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateExample(context map[string]interface{}) string {
+func testAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateDnsExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_certificate_manager_certificate" "default" {
   name        = "tf-test-dns-cert%{random_suffix}"
@@ -88,6 +88,109 @@ resource "google_certificate_manager_dns_authorization" "instance2" {
 `, context)
 }
 
+func TestAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateIssuanceConfigExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckCertificateManagerCertificateDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateIssuanceConfigExample(context),
+			},
+			{
+				ResourceName:            "google_certificate_manager_certificate.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"self_managed", "name", "location"},
+			},
+		},
+	})
+}
+
+func testAccCertificateManagerCertificate_certificateManagerGoogleManagedCertificateIssuanceConfigExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_certificate_manager_certificate" "default" {
+  name        = "tf-test-issuance-config-cert%{random_suffix}"
+  description = "The default cert"
+  scope       = "EDGE_CACHE"
+  managed {
+    domains = [
+        "terraform.subdomain1.com"
+      ]
+    issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
+  }
+}
+
+
+
+# creating certificate_issuance_config to use it in the managed certificate
+resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
+  name    = "issuanceconfigtestterraform"
+  description = "sample description for the certificate issuanceConfigs"
+  certificate_authority_config {
+    certificate_authority_service_config {
+        ca_pool = google_privateca_ca_pool.pool.id
+    }
+  }
+  lifetime = "1814400s"
+  rotation_window_percentage = 34
+  key_algorithm = "ECDSA_P256"
+  depends_on=[google_privateca_certificate_authority.ca_authority]
+}
+  
+resource "google_privateca_ca_pool" "pool" {
+  name     = "tf-test-my-ca-pool%{random_suffix}"
+  location = "us-central1"
+  tier     = "ENTERPRISE"
+}
+
+resource "google_privateca_certificate_authority" "ca_authority" {
+  location = "us-central1"
+  pool = google_privateca_ca_pool.pool.name
+  certificate_authority_id = "tf-test-my-ca%{random_suffix}"
+  config {
+    subject_config {
+      subject {
+        organization = "HashiCorp"
+        common_name = "my-certificate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+
+  // Disable CA deletion related safe checks for easier cleanup.
+  deletion_protection                    = false
+  skip_grace_period                      = true
+  ignore_active_certificates_on_deletion = true
+}
+`, context)
+}
+
 func TestAccCertificateManagerCertificate_certificateManagerSelfManagedCertificateExample(t *testing.T) {
 	t.Parallel()
 

google/services/certificatemanager/resource_certificate_manager_certificate.go

@@ -106,7 +106,7 @@ automatically, for as long as it's authorized to do so.`,
 							Optional:         true,
 							ForceNew:         true,
 							DiffSuppressFunc: tpgresource.ProjectNumberDiffSuppress,
-							Description:      `Authorizations that will be used for performing domain authorization`,
+							Description:      `Authorizations that will be used for performing domain authorization. Either issuanceConfig or dnsAuthorizations should be specificed, but not both.`,
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 							},
@@ -121,6 +121,15 @@ Wildcard domains are only supported with DNS challenge resolution`,
 								Type: schema.TypeString,
 							},
 						},
+						"issuance_config": {
+							Type:             schema.TypeString,
+							Optional:         true,
+							ForceNew:         true,
+							DiffSuppressFunc: tpgresource.CompareResourceNames,
+							Description: `The resource name for a CertificateIssuanceConfig used to configure private PKI certificates in the format projects/*/locations/*/certificateIssuanceConfigs/*.
+If this field is not set, the certificates will instead be publicly signed as documented at https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
+Either issuanceConfig or dnsAuthorizations should be specificed, but not both.`,
+						},
 						"authorization_attempt_info": {
 							Type:     schema.TypeList,
 							Computed: true,
@@ -590,6 +599,8 @@ func flattenCertificateManagerCertificateManaged(v interface{}, d *schema.Resour
 		flattenCertificateManagerCertificateManagedDomains(original["domains"], d, config)
 	transformed["dns_authorizations"] =
 		flattenCertificateManagerCertificateManagedDnsAuthorizations(original["dnsAuthorizations"], d, config)
+	transformed["issuance_config"] =
+		flattenCertificateManagerCertificateManagedIssuanceConfig(original["issuanceConfig"], d, config)
 	transformed["state"] =
 		flattenCertificateManagerCertificateManagedState(original["state"], d, config)
 	transformed["provisioning_issue"] =
@@ -606,6 +617,10 @@ func flattenCertificateManagerCertificateManagedDnsAuthorizations(v interface{},
 	return v
 }
 
+func flattenCertificateManagerCertificateManagedIssuanceConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenCertificateManagerCertificateManagedState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -768,6 +783,13 @@ func expandCertificateManagerCertificateManaged(v interface{}, d tpgresource.Ter
 		transformed["dnsAuthorizations"] = transformedDnsAuthorizations
 	}
 
+	transformedIssuanceConfig, err := expandCertificateManagerCertificateManagedIssuanceConfig(original["issuance_config"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedIssuanceConfig); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["issuanceConfig"] = transformedIssuanceConfig
+	}
+
 	transformedState, err := expandCertificateManagerCertificateManagedState(original["state"], d, config)
 	if err != nil {
 		return nil, err
@@ -800,6 +822,10 @@ func expandCertificateManagerCertificateManagedDnsAuthorizations(v interface{},
 	return v, nil
 }
 
+func expandCertificateManagerCertificateManagedIssuanceConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandCertificateManagerCertificateManagedState(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

website/docs/r/certificate_manager_certificate.html.markdown

@@ -28,11 +28,11 @@ values will be stored in the raw state as plain text: `self_managed.certificate_
 [Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).
 
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
-  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_google_managed_certificate&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_google_managed_certificate_dns&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
-## Example Usage - Certificate Manager Google Managed Certificate
+## Example Usage - Certificate Manager Google Managed Certificate Dns
 
 
 ```hcl
@@ -65,6 +65,89 @@ resource "google_certificate_manager_dns_authorization" "instance2" {
   domain      = "subdomain2.hashicorptest.com"
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_google_managed_certificate_issuance_config&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Certificate Manager Google Managed Certificate Issuance Config
+
+
+```hcl
+resource "google_certificate_manager_certificate" "default" {
+  name        = "issuance-config-cert"
+  description = "The default cert"
+  scope       = "EDGE_CACHE"
+  managed {
+    domains = [
+        "terraform.subdomain1.com"
+      ]
+    issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
+  }
+}
+
+
+
+# creating certificate_issuance_config to use it in the managed certificate
+resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
+  name    = "issuanceconfigtestterraform"
+  description = "sample description for the certificate issuanceConfigs"
+  certificate_authority_config {
+    certificate_authority_service_config {
+        ca_pool = google_privateca_ca_pool.pool.id
+    }
+  }
+  lifetime = "1814400s"
+  rotation_window_percentage = 34
+  key_algorithm = "ECDSA_P256"
+  depends_on=[google_privateca_certificate_authority.ca_authority]
+}
+  
+resource "google_privateca_ca_pool" "pool" {
+  name     = "my-ca-pool"
+  location = "us-central1"
+  tier     = "ENTERPRISE"
+}
+
+resource "google_privateca_certificate_authority" "ca_authority" {
+  location = "us-central1"
+  pool = google_privateca_ca_pool.pool.name
+  certificate_authority_id = "my-ca"
+  config {
+    subject_config {
+      subject {
+        organization = "HashiCorp"
+        common_name = "my-certificate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+
+  // Disable CA deletion related safe checks for easier cleanup.
+  deletion_protection                    = false
+  skip_grace_period                      = true
+  ignore_active_certificates_on_deletion = true
+}
+```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_self_managed_certificate&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
@@ -190,7 +273,13 @@ The following arguments are supported:
 
 * `dns_authorizations` -
   (Optional)
-  Authorizations that will be used for performing domain authorization
+  Authorizations that will be used for performing domain authorization. Either issuanceConfig or dnsAuthorizations should be specificed, but not both.
+
+* `issuance_config` -
+  (Optional)
+  The resource name for a CertificateIssuanceConfig used to configure private PKI certificates in the format projects/*/locations/*/certificateIssuanceConfigs/*.
+  If this field is not set, the certificates will instead be publicly signed as documented at https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
+  Either issuanceConfig or dnsAuthorizations should be specificed, but not both.
 
 * `state` -
   (Output)