hashicorp · modular-magician · Mar 10, 2023 · Mar 10, 2023
diff --git a/.changelog/7400.txt b/.changelog/7400.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+privateca: added support for X.509 name constraints
+```
diff --git a/google/privateca_utils.go b/google/privateca_utils.go
@@ -230,6 +230,37 @@ func expandPrivatecaCertificateConfigX509ConfigAiaOcspServers(v interface{}, d T
 	return v, nil
 }
 
+func expandPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	if v == nil {
+		return nil, nil
+	}
+
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	if len(original) == 0 {
+		// Ignore empty name constraints
+		return nil, nil
+	}
+
+	transformed := make(map[string]interface{})
+	transformed["critical"] = original["critical"]
+	transformed["permittedDnsNames"] = original["permitted_dns_names"]
+	transformed["excludedDnsNames"] = original["excluded_dns_names"]
+	transformed["permittedIpRanges"] = original["permitted_ip_ranges"]
+	transformed["excludedIpRanges"] = original["excluded_ip_ranges"]
+	transformed["permittedEmailAddresses"] = original["permitted_email_addresses"]
+	transformed["excludedEmailAddresses"] = original["excluded_email_addresses"]
+	transformed["permittedUris"] = original["permitted_uris"]
+	transformed["excludedUris"] = original["excluded_uris"]
+
+	return transformed, nil
+}
+
 // Flattener utilities
 
 func flattenPrivatecaCertificateConfigX509ConfigAdditionalExtensions(v interface{}, d *schema.ResourceData, config *Config) interface{} {
@@ -490,3 +521,23 @@ func flattenPrivatecaCertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsages
 func flattenPrivatecaCertificateConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesObjectIdPath(v interface{}, d *schema.ResourceData, config *Config) interface{} {
 	return v
 }
+
+func flattenPrivatecaCertificateConfigX509ConfigNameConstraints(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformed["critical"] = original["critical"]
+	transformed["permitted_dns_names"] = original["permittedDnsNames"]
+	transformed["excluded_dns_names"] = original["excludedDnsNames"]
+	transformed["permitted_ip_ranges"] = original["permittedIpRanges"]
+	transformed["excluded_ip_ranges"] = original["excludedIpRanges"]
+	transformed["permitted_email_addresses"] = original["permittedEmailAddresses"]
+	transformed["excluded_email_addresses"] = original["excludedEmailAddresses"]
+	transformed["permitted_uris"] = original["permittedUris"]
+	transformed["excluded_uris"] = original["excludedUris"]
+
+	return []interface{}{transformed}
+}
diff --git a/google/resource_privateca_ca_pool.go b/google/resource_privateca_ca_pool.go
@@ -350,6 +350,109 @@ handle this extension, the client should consider this to be an error).`,
 											Type: schema.TypeString,
 										},
 									},
+									"name_constraints": {
+										Type:        schema.TypeList,
+										Optional:    true,
+										Description: `Describes the X.509 name constraints extension.`,
+										MaxItems:    1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"critical": {
+													Type:        schema.TypeBool,
+													Required:    true,
+													Description: `Indicates whether or not the name constraints are marked critical.`,
+												},
+												"excluded_dns_names": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains excluded DNS names. Any DNS name that can be
+constructed by simply adding zero or more labels to
+the left-hand side of the name satisfies the name constraint.
+For example, 'example.com', 'www.example.com', 'www.sub.example.com'
+would satisfy 'example.com' while 'example1.com' does not.`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"excluded_email_addresses": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains the excluded email addresses. The value can be a particular
+email address, a hostname to indicate all email addresses on that host or
+a domain with a leading period (e.g. '.example.com') to indicate
+all email addresses in that domain.`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"excluded_ip_ranges": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains the excluded IP ranges. For IPv4 addresses, the ranges
+are expressed using CIDR notation as specified in RFC 4632.
+For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
+addresses.`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"excluded_uris": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains the excluded URIs that apply to the host part of the name.
+The value can be a hostname or a domain with a
+leading period (like '.example.com')`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"permitted_dns_names": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains permitted DNS names. Any DNS name that can be
+constructed by simply adding zero or more labels to
+the left-hand side of the name satisfies the name constraint.
+For example, 'example.com', 'www.example.com', 'www.sub.example.com'
+would satisfy 'example.com' while 'example1.com' does not.`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"permitted_email_addresses": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains the permitted email addresses. The value can be a particular
+email address, a hostname to indicate all email addresses on that host or
+a domain with a leading period (e.g. '.example.com') to indicate
+all email addresses in that domain.`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"permitted_ip_ranges": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains the permitted IP ranges. For IPv4 addresses, the ranges
+are expressed using CIDR notation as specified in RFC 4632.
+For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
+addresses.`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"permitted_uris": {
+													Type:     schema.TypeList,
+													Optional: true,
+													Description: `Contains the permitted URIs that apply to the host part of the name.
+The value can be a hostname or a domain with a
+leading period (like '.example.com')`,
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+											},
+										},
+									},
 									"policy_ids": {
 										Type:        schema.TypeList,
 										Optional:    true,
@@ -955,6 +1058,8 @@ func flattenPrivatecaCaPoolIssuancePolicyBaselineValues(v interface{}, d *schema
 		flattenPrivatecaCertificateConfigX509ConfigCaOptions(original["caOptions"], d, config)
 	transformed["key_usage"] =
 		flattenPrivatecaCertificateConfigX509ConfigKeyUsage(original["keyUsage"], d, config)
+	transformed["name_constraints"] =
+		flattenPrivatecaCertificateConfigX509ConfigNameConstraints(original["nameConstraints"], d, config)
 	return []interface{}{transformed}
 }
 
@@ -1302,6 +1407,11 @@ func expandPrivatecaCaPoolIssuancePolicyBaselineValues(v interface{}, d Terrafor
 	}
 	transformed["additionalExtensions"] = addExts
 
+	nameConstraints, err := expandPrivatecaCertificateConfigX509ConfigNameConstraints(original["name_constraints"], d, config)
+	if err != nil {
+		return nil, err
+	}
+	transformed["nameConstraints"] = nameConstraints
 	return transformed, nil
 }
 

diff --git a/google/resource_privateca_ca_pool_generated_test.go b/google/resource_privateca_ca_pool_generated_test.go
@@ -166,6 +166,17 @@ resource "google_privateca_ca_pool" "default" {
           time_stamping = true
         }
       }
+      name_constraints {
+        critical                  = true
+        permitted_dns_names       = ["*.example1.com", "*.example2.com"]
+        excluded_dns_names        = ["*.deny.example1.com", "*.deny.example2.com"]
+        permitted_ip_ranges       = ["10.0.0.0/8", "11.0.0.0/8"]
+        excluded_ip_ranges        = ["10.1.1.0/24", "11.1.1.0/24"]
+        permitted_email_addresses = [".example1.com", ".example2.com"]
+        excluded_email_addresses  = [".deny.example1.com", ".deny.example2.com"]
+        permitted_uris            = [".example1.com", ".example2.com"]
+        excluded_uris             = [".deny.example1.com", ".deny.example2.com"]
+      }
     }
   }
 }