Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

max_issuer_path_length defaults to 0 instead of being omitted #10108

Closed
wilsonsit opened this issue Sep 20, 2021 · 1 comment · Fixed by GoogleCloudPlatform/magic-modules#5368, terraform-google-modules/docs-examples#184, GoogleCloudPlatform/terraform-validator#421, hashicorp/terraform-provider-google-beta#3902 or #10702
Closed

max_issuer_path_length defaults to 0 instead of being omitted #10108

wilsonsit opened this issue Sep 20, 2021 · 1 comment · Fixed by GoogleCloudPlatform/magic-modules#5368, terraform-google-modules/docs-examples#184, GoogleCloudPlatform/terraform-validator#421, hashicorp/terraform-provider-google-beta#3902 or #10702
Labels
bug

Comments

@wilsonsit
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.14.10
terraform-provider-google v3.84.0

Affected Resource(s)

  • google_privateca_certificate_authority

Terraform Configuration Files

resource "google_privateca_ca_pool" "nopathlen" {
  project = "no-path-len"
  name = "no-path-len"
  location = "us-central1"
  tier = "DEVOPS"
  publishing_options {
    publish_ca_cert = false
    publish_crl = false
  }
  labels = {
    foo = "bar"
  }
}

resource "google_privateca_certificate_authority" "nopathlen" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools

  depends_on = [
    google_privateca_ca_pool.nopathlen
  ]

  project = "no-path-len"
  pool = "no-path-len"
  certificate_authority_id = "no-path-len"
  location = "us-central1"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "no-path-len"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          content_commitment = true
          key_encipherment = false
          data_encipherment = true
          key_agreement = true
          cert_sign = true
          crl_sign = true
          decipher_only = true
        }
        extended_key_usage {
          server_auth = true
          client_auth = false
          email_protection = true
          code_signing = true
          time_stamping = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}

Debug Output

Terraform will perform the following actions:

  # google_privateca_ca_pool.nopathlen will be created
  + resource "google_privateca_ca_pool" "nopathlen" {
      + id       = (known after apply)
      + labels   = {
          + "foo" = "bar"
        }
      + location = "us-central1"
      + name     = "no-path-len"
      + project  = "no-path-len"
      + tier     = "DEVOPS"

      + publishing_options {
          + publish_ca_cert = false
          + publish_crl     = false
        }
    }

  # google_privateca_certificate_authority.nopathlen will be created
  + resource "google_privateca_certificate_authority" "nopathlen" {
      + access_urls                            = (known after apply)
      + certificate_authority_id               = "no-path-len"
      + create_time                            = (known after apply)
      + id                                     = (known after apply)
      + ignore_active_certificates_on_deletion = false
      + lifetime                               = "86400s"
      + location                               = "us-central1"
      + name                                   = (known after apply)
      + pem_ca_certificates                    = (known after apply)
      + pool                                   = "no-path-len"
      + project                                = "no-path-len"
      + state                                  = (known after apply)
      + type                                   = "SELF_SIGNED"
      + update_time                            = (known after apply)

      + config {
          + subject_config {
              + subject {
                  + common_name  = "no-path-len"
                  + organization = "HashiCorp"
                }

              + subject_alt_name {
                  + dns_names = [
                      + "hashicorp.com",
                    ]
                }
            }

          + x509_config {
              + ca_options {
                  + is_ca = true
                }

              + key_usage {
                  + base_key_usage {
                      + cert_sign          = true
                      + content_commitment = true
                      + crl_sign           = true
                      + data_encipherment  = true
                      + decipher_only      = true
                      + digital_signature  = true
                      + key_agreement      = true
                      + key_encipherment   = false
                    }

                  + extended_key_usage {
                      + client_auth      = false
                      + code_signing     = true
                      + email_protection = true
                      + server_auth      = true
                      + time_stamping    = true
                    }
                }
            }
        }

      + key_spec {
          + algorithm = "RSA_PKCS1_4096_SHA256"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Panic Output

Expected Behavior

max_issuer_path_length should be omitted based on the documentation and what is shown in the terraform apply.

Actual Behavior

When max_issuer_path_length is not specified, it is set to 0.

Steps to Reproduce

  1. terraform apply
  2. View the CA Certificate in Certificate Authority Service. It says pathLenConstraint : 0

Important Factoids

References
@wilsonsit wilsonsit added the bug label Sep 20, 2021
@haydentherapper haydentherapper mentioned this issue Oct 25, 2021
Merged
5 tasks
This was referenced Dec 8, 2021
Merged
Merged
Merged
Merged
@github-actions
Copy link

github-actions bot commented Jan 7, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
1 participant
@wilsonsit