Private ca ga #4919
Private ca ga #4919
Conversation
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 17 files changed, 9137 insertions(+), 234 deletions(-)) |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 18 files changed, 9376 insertions(+), 234 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccPrivatecaCaPoolIamBindingGenerated|TestAccPrivatecaCaPoolIamMemberGenerated|TestAccPrivatecaCaPoolIamPolicyGenerated|TestAccPrivatecaCaPool_privatecaCapoolUpdate|TestAccCloudbuildWorkerPool_withNetwork|TestAccContainerNodePool_withGPU|TestAccEventarcTrigger_basic|TestAccEventarcTrigger_transport You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=193745 |
|
Tests failed during RECORDING mode: TestAccPrivatecaCaPoolIamPolicyGenerated|TestAccPrivatecaCaPoolIamMemberGenerated|TestAccPrivatecaCaPoolIamBindingGenerated|TestAccCloudbuildWorkerPool_withNetwork|TestAccContainerNodePool_withGPU Please fix these to complete your PR |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 18 files changed, 9376 insertions(+), 234 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccPrivatecaCaPoolIamBindingGenerated|TestAccPrivatecaCaPoolIamMemberGenerated|TestAccPrivatecaCaPoolIamPolicyGenerated|TestAccCloudbuildWorkerPool_withNetwork|TestAccContainerNodePool_withGPU|TestAccPrivatecaCaPool_privatecaCapoolAllFieldsExample|TestAccPrivatecaCaPool_privatecaCapoolBasicExample|TestAccTags You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=194075 |
|
Tests failed during RECORDING mode: TestAccContainerNodePool_withGPU Please fix these to complete your PR |
| description: | | ||
| Describes values that are relevant in a CA certificate. | ||
| properties: | ||
| - !ruby/object:Api::Type::Boolean |
There was a problem hiding this comment.
We can't AtLeastOneOf these, right? Both expect to be able to be omitted?
There was a problem hiding this comment.
We could add Required on is_ca in all cases I think. It would only be settable to false in most cases, except when creating a CertificateAuthority, but that is due to API validation
There was a problem hiding this comment.
And setting false explicitly is the same to the API as not sending the value at all
mmv1/products/privateca/api.yaml
Outdated
| - !ruby/object:Api::Type::NestedObject | ||
| name: 'keyUsage' | ||
| description: | | ||
| Optional. Indicates the intended use for keys that correspond to a certificate. |
There was a problem hiding this comment.
| Optional. Indicates the intended use for keys that correspond to a certificate. | |
| Indicates the intended use for keys that correspond to a certificate. |
nit: Implied by the field being optional
| name: 'keyUsage' | ||
| description: | | ||
| Optional. Indicates the intended use for keys that correspond to a certificate. | ||
| properties: |
There was a problem hiding this comment.
Are these subobjects not required when the parent is set? Same w/ their subfields
There was a problem hiding this comment.
Not technically, but due to API behavior not returning these when all sub-values are set to false I have added a custom flattener & marked all of these subobjects as required.
I think this is a reasonable way to handle the tricky situation where these fields have slightly different behaviors between the 3 PrivateCA resources although the structure of the objects is almost exactly identical. We could also look into customizediffs, or not allowing objects with all-false values to prevent this in the future without marking these as required
There was a problem hiding this comment.
Well, some of them are actually required depending on the resource.
For example, caOptions.isCa must be set to true for a CertificateAuthority resource.
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 19 files changed, 9119 insertions(+), 233 deletions(-)) |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 19 files changed, 9127 insertions(+), 233 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccContainerNodePool_withGPU|TestAccPrivatecaCaPool_privatecaCapoolEmptyBaseline|TestAccPrivatecaCertificate_privatecaCertificateNoAuthorityExample|TestAccPrivatecaCertificate_privatecaCertificateConfigExample|TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicExample|TestAccPrivatecaCertificate_privatecaCertificateCsrExample You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=194301 |
|
Tests failed during RECORDING mode: TestAccPrivatecaCertificate_privatecaCertificateNoAuthorityExample|TestAccContainerNodePool_withGPU Please fix these to complete your PR |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 19 files changed, 9207 insertions(+), 233 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccContainerNodePool_withGPU|TestAccPrivatecaCaPool_privatecaCapoolEmptyBaseline|TestAccPrivatecaCertificate_privatecaCertificateNoAuthorityExample|TestAccPrivatecaCertificate_privatecaCertificateConfigExample|TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicExample|TestAccPrivatecaCaPool_privatecaCapoolUpdate|TestAccPrivatecaCertificate_privatecaCertificateCsrExample You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=194303 |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 19 files changed, 9211 insertions(+), 233 deletions(-)) |
|
Tests failed during RECORDING mode: TestAccPrivatecaCertificate_privatecaCertificateNoAuthorityExample|TestAccContainerNodePool_withGPU Please fix these to complete your PR |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 19 files changed, 9226 insertions(+), 314 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccContainerNodePool_withGPU|TestAccPrivatecaCertificate_privatecaCertificateNoAuthorityExample|TestAccPrivatecaCaPool_privatecaCapoolUpdate You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=194306 |
|
Tests failed during RECORDING mode: TestAccContainerNodePool_withGPU Please fix these to complete your PR |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccContainerNodePool_withGPU|TestAccPrivatecaCertificate_privatecaCertificateNoAuthorityExample|TestAccPrivatecaCaPool_privatecaCapoolUpdate You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=194399 |
|
PrivateCA tests pass in VCR! |
| encoder: templates/terraform/encoders/certificate_authority.go.erb | ||
| pre_delete: templates/terraform/pre_delete/privateca_certificate_authority.go.erb | ||
| decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb | ||
| post_create: templates/terraform/post_create/privateca_authority_enable.go.erb |
There was a problem hiding this comment.
not sure if this is always going to be a good thing, since CAs are (by default) created in the STAGED state to allow for pre-production validation, and it's not possible to get back to this state after enabling a CA.
Can this auto-enablement behavior be gated by a flag, so that customers who want to keep it STAGED can do so?
There was a problem hiding this comment.
That is a little complicated as it would require manual steps outside of Terraform to enable the CA, or somewhat complicated state management within Terraform itself. It should be possible in the future to enable this via Terraform, but I believe this is a reasonable default behavior at the moment
| examples: | ||
| - !ruby/object:Provider::Terraform::Examples | ||
| name: "privateca_certificate_config" | ||
| min_version: "beta" | ||
| primary_resource_id: "default" | ||
| vars: | ||
| certificate_authority_id: "my-certificate-authority" |
There was a problem hiding this comment.
in the new v1 resource model it's uncommon to require a CA ID for a certificate, since certificates are nested directly under CaPool resources (not CAs) and the idea is to decouple certs from their specific issuing CAs.
There was a problem hiding this comment.
This field isn't required, and there is a test that tests this behavior. I think this fits with the new model by allowing the option
| description: The name of the CaPool this Certificate Authority belongs to. | ||
| required: true | ||
| input: true | ||
| url_param_only: true | ||
| - !ruby/object:Api::Type::String | ||
| name: 'name' | ||
| description: | |
There was a problem hiding this comment.
(misplaced comment, should be on line 110)
'tier' is no longer an input field on a CA. it gets set on the CaPool resource and the service copies it to an OUTPUT_ONLY field on each CA within that pool.
| description: | | ||
| Types of public keys that are supported. At a minimum, we support RSA and ECDSA, for the key sizes or curves listed: https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms | ||
| Types of public keys that are supported. At a minimum, we support RSA, for the key sizes or curves listed: https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms |
There was a problem hiding this comment.
perhaps a more accurate description is "the key formats that are supported".
also, FWIW, we still support ECDSA keys. do you know if the "ECDSA" part was dropped from the API or here?
(and same for publicKey.format below)
There was a problem hiding this comment.
It doesn't look present in the REST API docs, which is why I removed it here
|
|
||
| log.Printf("[DEBUG] Enabling CertificateAuthority: %#v", obj) | ||
|
|
||
| res, err = sendRequest(config, "POST", billingProject, url, userAgent, nil) |
There was a problem hiding this comment.
this returns a LongRunningOperation object and doesn't always finish immediately. Do you need to await these operations anywhere before doing something else?
Fixes: hashicorp/terraform-provider-google#8979
If this PR is for Terraform, I acknowledge that I have:
make testandmake lintto ensure it passes unit and linter tests.Release Note Template for Downstream PRs (will be copied)