diff --git a/.changelog/5107.txt b/.changelog/5107.txt
new file mode 100644
index 0000000000..5a61a459be
--- /dev/null
+++ b/.changelog/5107.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+privateca: fixed the creation of subordinate `google_privateca_certificate_authority` with `max_issuer_path_length = 0`.
+```
diff --git a/google-beta/resource_dataproc_cluster_test.go b/google-beta/resource_dataproc_cluster_test.go
index 79b887900b..8f3596cc80 100644
--- a/google-beta/resource_dataproc_cluster_test.go
+++ b/google-beta/resource_dataproc_cluster_test.go
@@ -13,9 +13,8 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - "google.golang.org/api/googleapi" - dataproc "google.golang.org/api/dataproc/v1beta2" + "google.golang.org/api/googleapi" ) func TestDataprocExtractInitTimeout(t *testing.T) {
diff --git a/google-beta/resource_privateca_ca_pool.go b/google-beta/resource_privateca_ca_pool.go
index c6725ed3fc..fc35846359 100644
--- a/google-beta/resource_privateca_ca_pool.go
+++ b/google-beta/resource_privateca_ca_pool.go
@@ -1408,7 +1408,7 @@ func expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptions(v interface{}, d
 transformedMaxIssuerPathLength, err := expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 if err != nil {
 return nil, err
- } else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+ } else {
 transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 }
diff --git a/google-beta/resource_privateca_certificate_authority.go b/google-beta/resource_privateca_certificate_authority.go
index 559c616e84..9c3dc72656 100644
--- a/google-beta/resource_privateca_certificate_authority.go
+++ b/google-beta/resource_privateca_certificate_authority.go
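Review bot: An omitted `max_issuer_path_length` may now be sent as an explicit 0, because the new `else` branch in `expandPrivatecaCaPoolIssuancePolicyBaselineValuesCaOptions` (resource_privateca_ca_pool.go) writes `maxIssuerPathLength` on every expand and nothing is left to tell unset from zero. The helper that produces `transformedMaxIssuerPathLength` is outside the hunk, so this is inferred; if it hands back the schema zero value for an unset attribute, pools that never set the field would silently get a path-length constraint of zero on their issuance policy. The same branch appears in `expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptions` in resource_privateca_certificate_authority.go. I would decide on "was the attribute configured" rather than on the value before assigning, and add a test case with the attribute omitted, since the changelog entry and the updated test cover only the certificate authority with an explicit 0.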
@@ -1318,7 +1318,7 @@ func expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptions(v interface{},
 transformedMaxIssuerPathLength, err := expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config)
 if err != nil {
 return nil, err
- } else if val := reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !isEmptyValue(val) {
+ } else {
 transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength
 }
diff --git a/google-beta/resource_privateca_certificate_authority_generated_test.go b/google-beta/resource_privateca_certificate_authority_generated_test.go
index a1348e206b..a91f6860c2 100644
--- a/google-beta/resource_privateca_certificate_authority_generated_test.go
+++ b/google-beta/resource_privateca_certificate_authority_generated_test.go
@@ -150,7 +150,8 @@ resource "google_privateca_certificate_authority" "default" { x509_config { ca_options { is_ca = true - max_issuer_path_length = 10 + # Force the sub CA to only issue leaf certs + max_issuer_path_length = 0 } key_usage { base_key_usage {
diff --git a/website/docs/r/privateca_certificate_authority.html.markdown b/website/docs/r/privateca_certificate_authority.html.markdown
index 65eea49008..6c703ad073 100644
--- a/website/docs/r/privateca_certificate_authority.html.markdown
+++ b/website/docs/r/privateca_certificate_authority.html.markdown
@@ -117,7 +117,8 @@ resource "google_privateca_certificate_authority" "default" {
 x509_config {
 ca_options {
 is_ca = true
- max_issuer_path_length = 10
+ # Force the sub CA to only issue leaf certs
+ max_issuer_path_length = 0
 }
 key_usage {
 base_key_usage {
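Review bot: The unconditional `else` branch in `expandPrivatecaCertificateAuthorityConfigX509ConfigCaOptions` (resource_privateca_certificate_authority.go) carries no comment saying why this field skips the empty-value filter, which invites a later cleanup that restores the guard and drops the zero again. Per the comment in the updated example, zero is the value that limits a subordinate CA to issuing leaf certificates, so losing it on the way to the API widens what that CA may sign. I would add `// 0 is a meaningful path length (leaf certificates only); do not filter it with isEmptyValue.` above the assignment. Since the `if` branch returns, the `else` can also go and the assignment can sit at function level. The function body starts and ends outside the hunk.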