docs(samples): added region tags for PrivateCa samples for inclusion …

…in cgc (#5591) (#24) Signed-off-by: Modular Magician <magic-modules@google.com>
terraform-google-modules · Jan 7, 2022 · 5ddce47 · 5ddce47
1 parent 1c39932
commit 5ddce47
Show file tree

Hide file tree

Showing 10 changed files with 685 additions and 0 deletions.
diff --git a/privateca_capool_all_fields/main.tf b/privateca_capool_all_fields/main.tf
@@ -0,0 +1,79 @@
+# [START privateca_create_ca_pool_all_fields]
+resource "google_privateca_ca_pool" "default" {
+  name = "my-pool"
+  location = "us-central1"
+  tier = "ENTERPRISE"
+  publishing_options {
+    publish_ca_cert = false
+    publish_crl = true
+  }
+  labels = {
+    foo = "bar"
+  }
+  issuance_policy {
+    allowed_key_types {
+      elliptic_curve {
+        signature_algorithm = "ECDSA_P256"
+      }
+    }
+    allowed_key_types {
+      rsa {
+        min_modulus_size = 5
+        max_modulus_size = 10
+      }
+    }
+    maximum_lifetime = "50000s"
+    allowed_issuance_modes {
+      allow_csr_based_issuance = true
+      allow_config_based_issuance = true
+    }
+    identity_constraints {
+      allow_subject_passthrough = true
+      allow_subject_alt_names_passthrough = true
+      cel_expression {
+        expression = "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )"
+        title = "My title"
+      }
+    }
+    baseline_values {
+      aia_ocsp_servers = ["example.com"]
+      additional_extensions {
+        critical = true
+        value = "asdf"
+        object_id {
+          object_id_path = [1, 7]
+        }
+      }
+      policy_ids {
+        object_id_path = [1, 5]
+      }
+      policy_ids {
+        object_id_path = [1, 5, 7]
+      }
+      ca_options {
+        is_ca = true
+        max_issuer_path_length = 10
+      }
+      key_usage {
+        base_key_usage {
+          digital_signature = true
+          content_commitment = true
+          key_encipherment = false
+          data_encipherment = true
+          key_agreement = true
+          cert_sign = false
+          crl_sign = true
+          decipher_only = true
+        }
+        extended_key_usage {
+          server_auth = true
+          client_auth = false
+          email_protection = true
+          code_signing = true
+          time_stamping = true
+        }
+      }
+    }
+  }
+}
+# [END privateca_create_ca_pool_all_fields]
diff --git a/privateca_capool_basic/main.tf b/privateca_capool_basic/main.tf
@@ -0,0 +1,14 @@
+# [START privateca_create_ca_pool]
+resource "google_privateca_ca_pool" "default" {
+  name = "my-pool"
+  location = "us-central1"
+  tier = "ENTERPRISE"
+  publishing_options {
+    publish_ca_cert = true
+    publish_crl = true
+  }
+  labels = {
+    foo = "bar"
+  }
+}
+# [END privateca_create_ca_pool]
diff --git a/privateca_certificate_authority_basic/main.tf b/privateca_certificate_authority_basic/main.tf
@@ -0,0 +1,49 @@
+# [START privateca_create_ca]
+resource "google_privateca_certificate_authority" "default" {
+  // This example assumes this pool already exists.
+  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
+  pool = "ca-pool"
+  certificate_authority_id = "my-certificate-authority"
+  location = "us-central1"
+  config {
+    subject_config {
+      subject {
+        organization = "HashiCorp"
+        common_name = "my-certificate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+        max_issuer_path_length = 10
+      }
+      key_usage {
+        base_key_usage {
+          digital_signature = true
+          content_commitment = true
+          key_encipherment = false
+          data_encipherment = true
+          key_agreement = true
+          cert_sign = true
+          crl_sign = true
+          decipher_only = true
+        }
+        extended_key_usage {
+          server_auth = true
+          client_auth = false
+          email_protection = true
+          code_signing = true
+          time_stamping = true
+        }
+      }
+    }
+  }
+  lifetime = "86400s"
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+# [END privateca_create_ca]
diff --git a/privateca_certificate_authority_byo_key/main.tf b/privateca_certificate_authority_byo_key/main.tf
@@ -0,0 +1,64 @@
+# [START privateca_create_ca_byo_key]
+resource "google_project_service_identity" "privateca_sa" {
+  service = "privateca.googleapis.com"
+}
+
+resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
+  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
+  role          = "roles/cloudkms.signerVerifier"
+
+  members = [
+    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
+  ]
+}
+
+resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
+  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
+  role          = "roles/viewer"
+  members = [
+    "serviceAccount:${google_project_service_identity.privateca_sa.email}",
+  ]
+}
+
+resource "google_privateca_certificate_authority" "default" {
+  // This example assumes this pool already exists.
+  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
+  pool = "ca-pool"
+  certificate_authority_id = "my-certificate-authority"
+  location = "us-central1"
+  key_spec {
+    cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
+  }
+
+  config  {
+    subject_config  {
+      subject {
+        organization = "Example, Org."
+        common_name  = "Example Authority"
+      }
+    }
+    x509_config {
+      ca_options {
+        # is_ca *MUST* be true for certificate authorities
+        is_ca = true
+        max_issuer_path_length = 10
+      }
+      key_usage {
+        base_key_usage {
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+
+  depends_on = [
+    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
+    google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
+  ]
+}
+# [END privateca_create_ca_byo_key]
diff --git a/privateca_certificate_authority_subordinate/main.tf b/privateca_certificate_authority_subordinate/main.tf
@@ -0,0 +1,51 @@
+# [START privateca_create_subordinateca]
+resource "google_privateca_certificate_authority" "default" {
+  // This example assumes this pool already exists.
+  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
+  pool = "ca-pool"
+  certificate_authority_id = "my-certificate-authority"
+  location = "us-central1"
+  config {
+    subject_config {
+      subject {
+        organization = "HashiCorp"
+        common_name = "my-subordinate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+        # Force the sub CA to only issue leaf certs
+        max_issuer_path_length = 0
+      }
+      key_usage {
+        base_key_usage {
+          digital_signature = true
+          content_commitment = true
+          key_encipherment = false
+          data_encipherment = true
+          key_agreement = true
+          cert_sign = true
+          crl_sign = true
+          decipher_only = true
+        }
+        extended_key_usage {
+          server_auth = true
+          client_auth = false
+          email_protection = true
+          code_signing = true
+          time_stamping = true
+        }
+      }
+    }
+  }
+  lifetime = "86400s"
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+  type = "SUBORDINATE"
+}
+# [END privateca_create_subordinateca]
diff --git a/privateca_certificate_config/main.tf b/privateca_certificate_config/main.tf
@@ -0,0 +1,80 @@
+# [START privateca_create_certificate_config]
+resource "google_privateca_certificate_authority" "test-ca" {
+  certificate_authority_id = "my-certificate-authority"
+  location = "us-central1"
+  pool = ""
+  ignore_active_certificates_on_deletion = true
+  config {
+    subject_config {
+      subject {
+        organization = "HashiCorp"
+        common_name = "my-certificate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = true
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+
+resource "google_privateca_certificate" "default" {
+  pool = ""
+  location = "us-central1"
+  certificate_authority = google_privateca_certificate_authority.test-ca.certificate_authority_id
+  lifetime = "860s"
+  name = "my-certificate"
+  config {
+    subject_config  {
+      subject {
+        common_name = "san1.example.com"
+        country_code = "us"
+        organization = "google"
+        organizational_unit = "enterprise"
+        locality = "mountain view"
+        province = "california"
+        street_address = "1600 amphitheatre parkway"
+      } 
+      subject_alt_name {
+        email_addresses = ["email@example.com"]
+        ip_addresses = ["127.0.0.1"]
+        uris = ["http://www.ietf.org/rfc/rfc3986.txt"]
+      }
+    }
+    x509_config {
+      ca_options {
+        is_ca = false
+      }
+      key_usage {
+        base_key_usage {
+          crl_sign = false
+          decipher_only = false
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+    public_key {
+      format = "PEM"
+      key = filebase64("test-fixtures/rsa_public.pem")
+    }
+  }
+}
+# [END privateca_create_certificate_config]
diff --git a/privateca_certificate_csr/main.tf b/privateca_certificate_csr/main.tf
@@ -0,0 +1,47 @@
+# [START privateca_create_certificate_csr]
+resource "google_privateca_certificate_authority" "test-ca" {
+  pool = ""
+  certificate_authority_id = "my-certificate-authority"
+  location = "us-central1"
+  config {
+    subject_config {
+      subject {
+        organization = "HashiCorp"
+        common_name = "my-certificate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
+      }
+    }
+    x509_config {
+      ca_options {
+        # is_ca *MUST* be true for certificate authorities
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+
+
+resource "google_privateca_certificate" "default" {
+  pool = ""
+  location = "us-central1"
+  certificate_authority = google_privateca_certificate_authority.test-ca.certificate_authority_id
+  lifetime = "860s"
+  name = "my-certificate"
+  pem_csr = file("test-fixtures/rsa_csr.pem")
+}
+# [END privateca_create_certificate_csr]