From 22607becea91c603e70c4629e03912a516a747fe Mon Sep 17 00:00:00 2001 From: The Magician Date: Wed, 22 May 2024 13:53:28 -0700 Subject: [PATCH] Migrate certificate template to mmv1 (#10527) (#18224) [upstream:46c39dc960b4268bcb4912b0242d0f1769dab0df] 
Signed-off-by: Modular Magician --- google/provider/provider_dcl_resources.go | 2 - google/provider/provider_mmv1_resources.go | 5 +- ...eca_certificate_template_generated_test.go | 560 ++++ ...resource_privateca_certificate_template.go | 2420 ++++++++++------- ...eca_certificate_template_generated_test.go | 181 +- ..._privateca_certificate_template_sweeper.go | 110 +- ...rce_privateca_certificate_template_test.go | 434 +++ .../transport/provider_dcl_client_creation.go | 24 - ...gistry_repository_iam_policy.html.markdown | 6 +- ...hub_data_exchange_iam_policy.html.markdown | 6 +- ...ytics_hub_listing_iam_policy.html.markdown | 6 +- ...gquery_connection_iam_policy.html.markdown | 6 +- ...olicy_data_policy_iam_policy.html.markdown | 6 +- ...cloud_run_service_iam_policy.html.markdown | 4 +- .../cloud_run_v2_job_iam_policy.html.markdown | 4 +- ...ud_run_v2_service_iam_policy.html.markdown | 4 +- ...cloud_tasks_queue_iam_policy.html.markdown | 4 +- ...uildv2_connection_iam_policy.html.markdown | 4 +- ...ustom_target_type_iam_policy.html.markdown | 4 +- ...nctions2_function_iam_policy.html.markdown | 4 +- ...aplex_aspect_type_iam_policy.html.markdown | 6 +- ...dataplex_datascan_iam_policy.html.markdown | 6 +- ...aplex_entry_group_iam_policy.html.markdown | 6 +- .../d/dataplex_task_iam_policy.html.markdown | 6 +- ...utoscaling_policy_iam_policy.html.markdown | 6 +- ...astore_federation_iam_policy.html.markdown | 6 +- ...metastore_service_iam_policy.html.markdown | 6 +- ...ackup_backup_plan_iam_policy.html.markdown | 6 +- ...ckup_restore_plan_iam_policy.html.markdown | 6 +- .../gke_hub_feature_iam_policy.html.markdown | 4 +- ...ke_hub_membership_iam_policy.html.markdown | 6 +- ...ity_address_group_iam_policy.html.markdown | 6 +- ...otebooks_instance_iam_policy.html.markdown | 4 +- ...notebooks_runtime_iam_policy.html.markdown | 4 +- ...privateca_ca_pool_iam_policy.html.markdown | 6 +- ...tificate_template_iam_policy.html.markdown | 3 + 
..._manager_instance_iam_policy.html.markdown | 6 +- ...ertex_ai_endpoint_iam_policy.html.markdown | 4 +- ...orkbench_instance_iam_policy.html.markdown | 4 +- ...orkstation_config_iam_policy.html.markdown | 6 +- ...tions_workstation_iam_policy.html.markdown | 6 +- ...fact_registry_repository_iam.html.markdown | 6 +- ...lytics_hub_data_exchange_iam.html.markdown | 6 +- ...ry_analytics_hub_listing_iam.html.markdown | 6 +- .../r/bigquery_connection_iam.html.markdown | 6 +- ...y_datapolicy_data_policy_iam.html.markdown | 6 +- .../r/cloud_run_service_iam.html.markdown | 4 +- .../docs/r/cloud_run_v2_job_iam.html.markdown | 4 +- .../r/cloud_run_v2_service_iam.html.markdown | 4 +- .../r/cloud_tasks_queue_iam.html.markdown | 4 +- .../cloudbuildv2_connection_iam.html.markdown | 4 +- ...eploy_custom_target_type_iam.html.markdown | 4 +- ...cloudfunctions2_function_iam.html.markdown | 4 +- .../r/dataplex_aspect_type_iam.html.markdown | 6 +- .../r/dataplex_datascan_iam.html.markdown | 6 +- .../r/dataplex_entry_group_iam.html.markdown | 6 +- .../docs/r/dataplex_task_iam.html.markdown | 6 +- ...aproc_autoscaling_policy_iam.html.markdown | 6 +- ...roc_metastore_federation_iam.html.markdown | 6 +- ...taproc_metastore_service_iam.html.markdown | 6 +- .../gke_backup_backup_plan_iam.html.markdown | 6 +- .../gke_backup_restore_plan_iam.html.markdown | 6 +- .../docs/r/gke_hub_feature_iam.html.markdown | 4 +- .../r/gke_hub_membership_iam.html.markdown | 6 +- ...k_security_address_group_iam.html.markdown | 6 +- .../r/notebooks_instance_iam.html.markdown | 4 +- .../r/notebooks_runtime_iam.html.markdown | 4 +- .../r/privateca_ca_pool_iam.html.markdown | 6 +- ...ivateca_certificate_template.html.markdown | 424 +-- ...eca_certificate_template_iam.html.markdown | 3 + ..._source_manager_instance_iam.html.markdown | 6 +- .../r/vertex_ai_endpoint_iam.html.markdown | 4 +- .../r/workbench_instance_iam.html.markdown | 4 +- ...tions_workstation_config_iam.html.markdown | 6 +- 
...workstations_workstation_iam.html.markdown | 6 +- 75 files changed, 3061 insertions(+), 1441 deletions(-) create mode 100644 google/services/privateca/resource_privateca_certificate_template_test.go diff --git a/google/provider/provider_dcl_resources.go b/google/provider/provider_dcl_resources.go index a64fd0a3825..d1c1a3f238a 100644 --- a/google/provider/provider_dcl_resources.go +++ b/google/provider/provider_dcl_resources.go @@ -35,7 +35,6 @@ import ( "github.com/hashicorp/terraform-provider-google/google/services/gkehub" "github.com/hashicorp/terraform-provider-google/google/services/networkconnectivity" "github.com/hashicorp/terraform-provider-google/google/services/orgpolicy" - "github.com/hashicorp/terraform-provider-google/google/services/privateca" "github.com/hashicorp/terraform-provider-google/google/services/recaptchaenterprise" ) @@ -71,6 +70,5 @@ var dclResources = map[string]*schema.Resource{ "google_network_connectivity_hub": networkconnectivity.ResourceNetworkConnectivityHub(), "google_network_connectivity_spoke": networkconnectivity.ResourceNetworkConnectivitySpoke(), "google_org_policy_policy": orgpolicy.ResourceOrgPolicyPolicy(), - "google_privateca_certificate_template": privateca.ResourcePrivatecaCertificateTemplate(), "google_recaptcha_enterprise_key": recaptchaenterprise.ResourceRecaptchaEnterpriseKey(), } diff --git a/google/provider/provider_mmv1_resources.go b/google/provider/provider_mmv1_resources.go index 841cdbb35bd..a8be37a6929 100644 --- a/google/provider/provider_mmv1_resources.go +++ b/google/provider/provider_mmv1_resources.go 
@@ -410,9 +410,9 @@ var handwrittenIAMDatasources = map[string]*schema.Resource{ } // Resources -// Generated resources: 416 +// Generated resources: 417 // Generated IAM resources: 243 -// Total generated resources: 659 +// Total generated resources: 660 var generatedResources = map[string]*schema.Resource{ "google_folder_access_approval_settings": accessapproval.ResourceAccessApprovalFolderSettings(), "google_organization_access_approval_settings": accessapproval.ResourceAccessApprovalOrganizationSettings(), @@ -955,6 +955,7 @@ var generatedResources = map[string]*schema.Resource{ "google_privateca_ca_pool_iam_policy": tpgiamresource.ResourceIamPolicy(privateca.PrivatecaCaPoolIamSchema, privateca.PrivatecaCaPoolIamUpdaterProducer, privateca.PrivatecaCaPoolIdParseFunc), "google_privateca_certificate": privateca.ResourcePrivatecaCertificate(), "google_privateca_certificate_authority": privateca.ResourcePrivatecaCertificateAuthority(), + "google_privateca_certificate_template": privateca.ResourcePrivatecaCertificateTemplate(), "google_privateca_certificate_template_iam_binding": tpgiamresource.ResourceIamBinding(privateca.PrivatecaCertificateTemplateIamSchema, privateca.PrivatecaCertificateTemplateIamUpdaterProducer, privateca.PrivatecaCertificateTemplateIdParseFunc), "google_privateca_certificate_template_iam_member": tpgiamresource.ResourceIamMember(privateca.PrivatecaCertificateTemplateIamSchema, privateca.PrivatecaCertificateTemplateIamUpdaterProducer, privateca.PrivatecaCertificateTemplateIdParseFunc), "google_privateca_certificate_template_iam_policy": tpgiamresource.ResourceIamPolicy(privateca.PrivatecaCertificateTemplateIamSchema, privateca.PrivatecaCertificateTemplateIamUpdaterProducer, privateca.PrivatecaCertificateTemplateIdParseFunc), diff --git a/google/services/privateca/iam_privateca_certificate_template_generated_test.go b/google/services/privateca/iam_privateca_certificate_template_generated_test.go index 669f70ba7bb..172ede105b6 100644 
--- a/google/services/privateca/iam_privateca_certificate_template_generated_test.go +++ b/google/services/privateca/iam_privateca_certificate_template_generated_test.go @@ -333,6 +333,7 @@ func testAccPrivatecaCertificateTemplateIamMember_basicGenerated(context map[str resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true @@ -345,6 +346,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } resource "google_privateca_certificate_template_iam_member" "foo" { 
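Review bot: In the `predefined_values` block added here, `ca_options` sets `max_issuer_path_length = 6` next to `is_ca = false`, and `base_key_usage` enables `encipher_only` and `decipher_only` together while nearly every other usage and extended usage is also on. A path-length limit only has meaning on a CA certificate (RFC 5280 ties pathLenConstraint to the cA flag and keyCertSign, and this fixture sets `cert_sign = false`), and the two only-flags read as contradictory, so the sample models a template that readers should not copy; whether the service rejects or quietly accepts the combination cannot be told from this page. I would drop `max_issuer_path_length = 6`, keep at most one of `encipher_only` / `decipher_only`, and narrow `extended_key_usage` to the single purpose the template serves. The file is generated and the enclosing config function starts outside the hunk, so the change belongs in the example this text is rendered from; the same block is added again in each later hunk of this file.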
@@ -360,6 +416,7 @@ func testAccPrivatecaCertificateTemplateIamPolicy_basicGenerated(context map[str resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true @@ -372,6 +429,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } data "google_iam_policy" "foo" { @@ -400,6 +512,7 @@ func testAccPrivatecaCertificateTemplateIamPolicy_emptyBinding(context map[strin resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -412,6 +525,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } data "google_iam_policy" "foo" { @@ -429,6 +597,7 @@ func testAccPrivatecaCertificateTemplateIamBinding_basicGenerated(context map[st resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -441,6 +610,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } resource "google_privateca_certificate_template_iam_binding" "foo" { @@ -456,6 +680,7 @@ func testAccPrivatecaCertificateTemplateIamBinding_updateGenerated(context map[s resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -468,6 +693,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } resource "google_privateca_certificate_template_iam_binding" "foo" { @@ -483,6 +763,7 @@ func testAccPrivatecaCertificateTemplateIamBinding_withConditionGenerated(contex resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -495,6 +776,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } resource "google_privateca_certificate_template_iam_binding" "foo" { @@ -515,6 +851,7 @@ func testAccPrivatecaCertificateTemplateIamBinding_withAndWithoutConditionGenera resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -527,6 +864,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } resource "google_privateca_certificate_template_iam_binding" "foo" { @@ -565,6 +957,7 @@ func testAccPrivatecaCertificateTemplateIamMember_withConditionGenerated(context resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -577,6 +970,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } resource "google_privateca_certificate_template_iam_member" "foo" { @@ -597,6 +1045,7 @@ func testAccPrivatecaCertificateTemplateIamMember_withAndWithoutConditionGenerat resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -609,6 +1058,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } resource "google_privateca_certificate_template_iam_member" "foo" { @@ -647,6 +1151,7 @@ func testAccPrivatecaCertificateTemplateIamPolicy_withConditionGenerated(context resource "google_privateca_certificate_template" "default" { name = "tf-test-my-template%{random_suffix}" location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -659,6 +1164,61 @@ resource "google_privateca_certificate_template" "default" { title = "Sample expression" } } + + maximum_lifetime = "86400s" + + passthrough_extensions { + additional_extensions { + object_id_path = [1, 6] + } + known_extensions = ["EXTENDED_KEY_USAGE"] + } + + predefined_values { + additional_extensions { + object_id { + object_id_path = [1, 6] + } + value = "c3RyaW5nCg==" + critical = true + } + aia_ocsp_servers = ["string"] + ca_options { + is_ca = false + max_issuer_path_length = 6 + } + key_usage { + base_key_usage { + cert_sign = false + content_commitment = true + crl_sign = false + data_encipherment = true + decipher_only = true + digital_signature = true + encipher_only = true + key_agreement = true + key_encipherment = true + } + extended_key_usage { + client_auth = true + code_signing = true + email_protection = true + ocsp_signing = true + server_auth = true + time_stamping = true + } + unknown_extended_key_usages { + object_id_path = [1, 6] + } + } + policy_ids { + object_id_path = [1, 6] + } + } + + labels = { + label-one = "value-one" + } } data "google_iam_policy" "foo" { diff --git a/google/services/privateca/resource_privateca_certificate_template.go b/google/services/privateca/resource_privateca_certificate_template.go index 4467a025774..2a2f57c7029 100644 --- a/google/services/privateca/resource_privateca_certificate_template.go +++ b/google/services/privateca/resource_privateca_certificate_template.go 
@@ -3,34 +3,31 @@ // ---------------------------------------------------------------------------- // -// *** AUTO GENERATED CODE *** Type: DCL *** +// *** AUTO GENERATED CODE *** Type: MMv1 *** // // ---------------------------------------------------------------------------- // -// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) -// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). -// Changes will need to be made to the DCL or Magic Modules instead of here. +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. // -// We are not currently able to accept contributions to this file. If changes -// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. // // ---------------------------------------------------------------------------- package privateca import ( - "context" "fmt" "log" + "net/http" + "reflect" + "strings" "time" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl" - privateca "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/privateca" - - "github.com/hashicorp/terraform-provider-google/google/tpgdclresource" "github.com/hashicorp/terraform-provider-google/google/tpgresource" transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport" ) 
@@ -51,9 +48,10 @@ func ResourcePrivatecaCertificateTemplate() *schema.Resource { Update: schema.DefaultTimeout(20 * time.Minute), Delete: schema.DefaultTimeout(20 * time.Minute), }, + CustomizeDiff: customdiff.All( - tpgresource.DefaultProviderProject, tpgresource.SetLabelsDiff, + tpgresource.DefaultProviderProject, ), Schema: map[string]*schema.Schema{ 
@@ -61,1252 +59,1798 @@ func ResourcePrivatecaCertificateTemplate() *schema.Resource { Type: schema.TypeString, Required: true, ForceNew: true, - Description: "The location for the resource", + Description: `The location for the resource`, }, - "name": { Type: schema.TypeString, Required: true, ForceNew: true, - Description: "The resource name for this CertificateTemplate in the format `projects/*/locations/*/certificateTemplates/*`.", + Description: `The resource name for this CertificateTemplate in the format 'projects/*/locations/*/certificateTemplates/*'.`, }, - "description": { Type: schema.TypeString, Optional: true, - Description: "Optional. A human-readable description of scenarios this template is intended for.", - }, - - "effective_labels": { - Type: schema.TypeMap, - Computed: true, - Description: "All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.", + Description: `Optional. A human-readable description of scenarios this template is intended for.`, }, - "identity_constraints": { Type: schema.TypeList, Optional: true, - Description: "Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.", + Description: `Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.`, MaxItems: 1, - Elem: PrivatecaCertificateTemplateIdentityConstraintsSchema(), + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "allow_subject_alt_names_passthrough": { + Type: schema.TypeBool, + Required: true, + Description: `Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. 
Otherwise, the requested SubjectAltNames will be discarded.`, + }, + "allow_subject_passthrough": { + Type: schema.TypeBool, + Required: true, + Description: `Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.`, + }, + "cel_expression": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "description": { + Type: schema.TypeString, + Optional: true, + Description: `Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.`, + }, + "expression": { + Type: schema.TypeString, + Optional: true, + Description: `Textual representation of an expression in Common Expression Language syntax.`, + }, + "location": { + Type: schema.TypeString, + Optional: true, + Description: `Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.`, + }, + "title": { + Type: schema.TypeString, + Optional: true, + Description: `Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.`, + }, + }, + }, + }, + }, + }, }, + "labels": { + Type: schema.TypeMap, + Optional: true, + Description: `Optional. Labels with user-defined metadata. +**Note**: This field is non-authoritative, and will only manage the labels present in your configuration. 
+Please refer to the field 'effective_labels' for all of the labels present on the resource.`, + Elem: &schema.Schema{Type: schema.TypeString}, + }, "maximum_lifetime": { Type: schema.TypeString, Optional: true, - Description: "Optional. The maximum lifetime allowed for all issued certificates that use this template. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for issued. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.", + Description: `Optional. The maximum lifetime allowed for all issued certificates that use this template. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for issued. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.`, }, - "passthrough_extensions": { Type: schema.TypeList, Optional: true, - Description: "Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.", + Description: `Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. 
If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.`, MaxItems: 1, - Elem: PrivatecaCertificateTemplatePassthroughExtensionsSchema(), + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "additional_extensions": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "object_id_path": { + Type: schema.TypeList, + Required: true, + Description: `Required. The parts of an OID path. The most significant parts of the path come first.`, + Elem: &schema.Schema{ + Type: schema.TypeInt, + }, + }, + }, + }, + }, + "known_extensions": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, }, - "predefined_values": { Type: schema.TypeList, Optional: true, - Description: "Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail.", + Description: `Optional. A set of X.509 values that will be applied to all issued certificates that use this template. 
If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail.`, MaxItems: 1, - Elem: PrivatecaCertificateTemplatePredefinedValuesSchema(), + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "additional_extensions": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. Describes custom X.509 extensions.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "object_id": { + Type: schema.TypeList, + Required: true, + Description: `Required. The OID for this X.509 extension.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "object_id_path": { + Type: schema.TypeList, + Required: true, + Description: `Required. The parts of an OID path. The most significant parts of the path come first.`, + Elem: &schema.Schema{ + Type: schema.TypeInt, + }, + }, + }, + }, + }, + "value": { + Type: schema.TypeString, + Required: true, + Description: `Required. The value of this X.509 extension.`, + }, + "critical": { + Type: schema.TypeBool, + Optional: true, + Description: `Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).`, + }, + }, + }, + }, + "aia_ocsp_servers": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "ca_options": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. 
Describes options in this X509Parameters that are relevant in a CA certificate.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "is_ca": { + Type: schema.TypeBool, + Optional: true, + Description: `Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.`, + }, + "max_issuer_path_length": { + Type: schema.TypeInt, + Optional: true, + Description: `Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.`, + }, + }, + }, + }, + "key_usage": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. Indicates the intended use for keys that correspond to a certificate.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "base_key_usage": { + Type: schema.TypeList, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrUnsetBlockDiffSuppress, + Description: `Describes high-level ways in which a key may be used.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "cert_sign": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used to sign certificates.`, + }, + "content_commitment": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used for cryptographic commitments. 
Note that this may also be referred to as "non-repudiation".`, + }, + "crl_sign": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used sign certificate revocation lists.`, + }, + "data_encipherment": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used to encipher data.`, + }, + "decipher_only": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used to decipher only.`, + }, + "digital_signature": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used for digital signatures.`, + }, + "encipher_only": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used to encipher only.`, + }, + "key_agreement": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used in a key agreement protocol.`, + }, + "key_encipherment": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `The key may be used to encipher other keys.`, + }, + }, + }, + }, + "extended_key_usage": { + Type: schema.TypeList, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrUnsetBlockDiffSuppress, + Description: `Detailed scenarios in which a key may be used.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "client_auth": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `Corresponds to OID 1.3.6.1.5.5.7.3.2. 
Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.`, + }, + "code_signing": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".`, + }, + "email_protection": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".`, + }, + "ocsp_signing": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".`, + }, + "server_auth": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.`, + }, + "time_stamping": { + Type: schema.TypeBool, + Optional: true, + DiffSuppressFunc: tpgresource.EmptyOrFalseSuppressBoolean, + Description: `Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".`, + }, + }, + }, + }, + "unknown_extended_key_usages": { + Type: schema.TypeList, + Optional: true, + Description: `Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "object_id_path": { + Type: schema.TypeList, + Required: true, + Description: `Required. The parts of an OID path. 
The most significant parts of the path come first.`, + Elem: &schema.Schema{ + Type: schema.TypeInt, + }, + }, + }, + }, + }, + }, + }, + }, + "policy_ids": { + Type: schema.TypeList, + Optional: true, + Description: `Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "object_id_path": { + Type: schema.TypeList, + Required: true, + Description: `Required. The parts of an OID path. The most significant parts of the path come first.`, + Elem: &schema.Schema{ + Type: schema.TypeInt, + }, + }, + }, + }, + }, + }, + }, }, - - "project": { - Type: schema.TypeString, - Computed: true, - Optional: true, - ForceNew: true, - DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName, - Description: "The project for the resource", - }, - "create_time": { Type: schema.TypeString, Computed: true, - Description: "Output only. The time at which this CertificateTemplate was created.", + Description: `Output only. The time at which this CertificateTemplate was created.`, }, - - "labels": { + "effective_labels": { Type: schema.TypeMap, - Optional: true, - Description: "Optional. 
Labels with user-defined metadata.\n\n**Note**: This field is non-authoritative, and will only manage the labels present in your configuration.\nPlease refer to the field `effective_labels` for all of the labels present on the resource.", + Computed: true, + Description: `All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.`, Elem: &schema.Schema{Type: schema.TypeString}, }, - "terraform_labels": { - Type: schema.TypeMap, - Computed: true, - Description: "The combination of labels configured directly on the resource and default labels configured on the provider.", + Type: schema.TypeMap, + Computed: true, + Description: `The combination of labels configured directly on the resource + and default labels configured on the provider.`, + Elem: &schema.Schema{Type: schema.TypeString}, }, - "update_time": { Type: schema.TypeString, Computed: true, - Description: "Output only. The time at which this CertificateTemplate was updated.", + Description: `Output only. The time at which this CertificateTemplate was updated.`, + }, + "project": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, }, }, + UseJSONNumber: true, } } -func PrivatecaCertificateTemplateIdentityConstraintsSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "allow_subject_alt_names_passthrough": { - Type: schema.TypeBool, - Required: true, - Description: "Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. 
Otherwise, the requested SubjectAltNames will be discarded.", - }, +func resourcePrivatecaCertificateTemplateCreate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } - "allow_subject_passthrough": { - Type: schema.TypeBool, - Required: true, - Description: "Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.", - }, + obj := make(map[string]interface{}) + predefinedValuesProp, err := expandPrivatecaCertificateTemplatePredefinedValues(d.Get("predefined_values"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("predefined_values"); !tpgresource.IsEmptyValue(reflect.ValueOf(predefinedValuesProp)) && (ok || !reflect.DeepEqual(v, predefinedValuesProp)) { + obj["predefinedValues"] = predefinedValuesProp + } + identityConstraintsProp, err := expandPrivatecaCertificateTemplateIdentityConstraints(d.Get("identity_constraints"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("identity_constraints"); !tpgresource.IsEmptyValue(reflect.ValueOf(identityConstraintsProp)) && (ok || !reflect.DeepEqual(v, identityConstraintsProp)) { + obj["identityConstraints"] = identityConstraintsProp + } + passthroughExtensionsProp, err := expandPrivatecaCertificateTemplatePassthroughExtensions(d.Get("passthrough_extensions"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("passthrough_extensions"); !tpgresource.IsEmptyValue(reflect.ValueOf(passthroughExtensionsProp)) && (ok || !reflect.DeepEqual(v, passthroughExtensionsProp)) { + obj["passthroughExtensions"] = passthroughExtensionsProp + } + maximumLifetimeProp, err := expandPrivatecaCertificateTemplateMaximumLifetime(d.Get("maximum_lifetime"), d, config) + if err != nil { + return err + } else if 
v, ok := d.GetOkExists("maximum_lifetime"); !tpgresource.IsEmptyValue(reflect.ValueOf(maximumLifetimeProp)) && (ok || !reflect.DeepEqual(v, maximumLifetimeProp)) { + obj["maximumLifetime"] = maximumLifetimeProp + } + descriptionProp, err := expandPrivatecaCertificateTemplateDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + labelsProp, err := expandPrivatecaCertificateTemplateEffectiveLabels(d.Get("effective_labels"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("effective_labels"); !tpgresource.IsEmptyValue(reflect.ValueOf(labelsProp)) && (ok || !reflect.DeepEqual(v, labelsProp)) { + obj["labels"] = labelsProp + } - "cel_expression": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel", - MaxItems: 1, - Elem: PrivatecaCertificateTemplateIdentityConstraintsCelExpressionSchema(), - }, - }, + url, err := tpgresource.ReplaceVarsForId(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/certificateTemplates?certificateTemplateId={{name}}") + if err != nil { + return err } -} -func PrivatecaCertificateTemplateIdentityConstraintsCelExpressionSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "description": { - Type: schema.TypeString, - Optional: true, - Description: "Optional. Description of the expression. This is a longer text which describes the expression, e.g. 
when hovered over it in a UI.", - }, + log.Printf("[DEBUG] Creating new CertificateTemplate: %#v", obj) + billingProject := "" - "expression": { - Type: schema.TypeString, - Optional: true, - Description: "Textual representation of an expression in Common Expression Language syntax.", - }, + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for CertificateTemplate: %s", err) + } + billingProject = strings.TrimPrefix(project, "projects/") - "location": { - Type: schema.TypeString, - Optional: true, - Description: "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", - }, + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp + } - "title": { - Type: schema.TypeString, - Optional: true, - Description: "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", - }, - }, + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "POST", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutCreate), + Headers: headers, + }) + if err != nil { + return fmt.Errorf("Error creating CertificateTemplate: %s", err) } -} -func PrivatecaCertificateTemplatePassthroughExtensionsSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "additional_extensions": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. A set of ObjectIds identifying custom X.509 extensions. 
Will be combined with known_extensions to determine the full set of X.509 extensions.", - Elem: PrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsSchema(), - }, + // Store the ID now + id, err := tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") + if err != nil { + return fmt.Errorf("Error constructing id: %s", err) + } + d.SetId(id) - "known_extensions": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, - }, + // Use the resource in the operation response to populate + // identity fields and d.Id() before read + var opRes map[string]interface{} + err = PrivatecaOperationWaitTimeWithResponse( + config, res, &opRes, tpgresource.GetResourceNameFromSelfLink(project), "Creating CertificateTemplate", userAgent, + d.Timeout(schema.TimeoutCreate)) + if err != nil { + // The resource didn't actually create + d.SetId("") + + return fmt.Errorf("Error waiting to create CertificateTemplate: %s", err) } -} -func PrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "object_id_path": { - Type: schema.TypeList, - Required: true, - Description: "Required. The parts of an OID path. The most significant parts of the path come first.", - Elem: &schema.Schema{Type: schema.TypeInt}, - }, - }, + // This may have caused the ID to update - update it if so. 
+ id, err = tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") + if err != nil { + return fmt.Errorf("Error constructing id: %s", err) } + d.SetId(id) + + log.Printf("[DEBUG] Finished creating CertificateTemplate %q: %#v", d.Id(), res) + + return resourcePrivatecaCertificateTemplateRead(d, meta) } -func PrivatecaCertificateTemplatePredefinedValuesSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "additional_extensions": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. Describes custom X.509 extensions.", - Elem: PrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsSchema(), - }, +func resourcePrivatecaCertificateTemplateRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err + } - "aia_ocsp_servers": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the \"Authority Information Access\" extension in the certificate.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, + url, err := tpgresource.ReplaceVarsForId(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") + if err != nil { + return err + } - "ca_options": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. Describes options in this X509Parameters that are relevant in a CA certificate.", - MaxItems: 1, - Elem: PrivatecaCertificateTemplatePredefinedValuesCaOptionsSchema(), - }, + billingProject := "" - "key_usage": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. 
Indicates the intended use for keys that correspond to a certificate.", - MaxItems: 1, - Elem: PrivatecaCertificateTemplatePredefinedValuesKeyUsageSchema(), - }, + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for CertificateTemplate: %s", err) + } + billingProject = strings.TrimPrefix(project, "projects/") - "policy_ids": { - Type: schema.TypeList, - Optional: true, - Description: "Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.", - Elem: PrivatecaCertificateTemplatePredefinedValuesPolicyIdsSchema(), - }, - }, + // err == nil indicates that the billing_project value was found + if bp, err := tpgresource.GetBillingProject(d, config); err == nil { + billingProject = bp } -} -func PrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "object_id": { - Type: schema.TypeList, - Required: true, - Description: "Required. The OID for this X.509 extension.", - MaxItems: 1, - Elem: PrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectIdSchema(), - }, + headers := make(http.Header) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Headers: headers, + }) + if err != nil { + return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("PrivatecaCertificateTemplate %q", d.Id())) + } - "value": { - Type: schema.TypeString, - Required: true, - Description: "Required. The value of this X.509 extension.", - }, + if err := d.Set("project", project); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } - "critical": { - Type: schema.TypeBool, - Optional: true, - Description: "Optional. 
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).", - }, - }, + if err := d.Set("predefined_values", flattenPrivatecaCertificateTemplatePredefinedValues(res["predefinedValues"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + if err := d.Set("identity_constraints", flattenPrivatecaCertificateTemplateIdentityConstraints(res["identityConstraints"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + if err := d.Set("passthrough_extensions", flattenPrivatecaCertificateTemplatePassthroughExtensions(res["passthroughExtensions"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + if err := d.Set("maximum_lifetime", flattenPrivatecaCertificateTemplateMaximumLifetime(res["maximumLifetime"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) } + if err := d.Set("description", flattenPrivatecaCertificateTemplateDescription(res["description"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + if err := d.Set("create_time", flattenPrivatecaCertificateTemplateCreateTime(res["createTime"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + if err := d.Set("update_time", flattenPrivatecaCertificateTemplateUpdateTime(res["updateTime"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + if err := d.Set("labels", flattenPrivatecaCertificateTemplateLabels(res["labels"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + if err := d.Set("terraform_labels", flattenPrivatecaCertificateTemplateTerraformLabels(res["labels"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: 
%s", err) + } + if err := d.Set("effective_labels", flattenPrivatecaCertificateTemplateEffectiveLabels(res["labels"], d, config)); err != nil { + return fmt.Errorf("Error reading CertificateTemplate: %s", err) + } + + return nil } -func PrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectIdSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "object_id_path": { - Type: schema.TypeList, - Required: true, - Description: "Required. The parts of an OID path. The most significant parts of the path come first.", - Elem: &schema.Schema{Type: schema.TypeInt}, - }, - }, +func resourcePrivatecaCertificateTemplateUpdate(d *schema.ResourceData, meta interface{}) error { + config := meta.(*transport_tpg.Config) + userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + if err != nil { + return err } -} -func PrivatecaCertificateTemplatePredefinedValuesCaOptionsSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "is_ca": { - Type: schema.TypeBool, - Optional: true, - Description: "Optional. Refers to the \"CA\" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.", - }, + billingProject := "" - "max_issuer_path_length": { - Type: schema.TypeInt, - Optional: true, - Description: "Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. 
If this value is missing, the max path length will be omitted from the CA certificate.", - }, - }, + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for CertificateTemplate: %s", err) } -} - -func PrivatecaCertificateTemplatePredefinedValuesKeyUsageSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "base_key_usage": { - Type: schema.TypeList, - Optional: true, - Description: "Describes high-level ways in which a key may be used.", - MaxItems: 1, - Elem: PrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageSchema(), - }, + billingProject = strings.TrimPrefix(project, "projects/") - "extended_key_usage": { - Type: schema.TypeList, - Optional: true, - Description: "Detailed scenarios in which a key may be used.", - MaxItems: 1, - Elem: PrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageSchema(), - }, + obj := make(map[string]interface{}) + predefinedValuesProp, err := expandPrivatecaCertificateTemplatePredefinedValues(d.Get("predefined_values"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("predefined_values"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, predefinedValuesProp)) { + obj["predefinedValues"] = predefinedValuesProp + } + identityConstraintsProp, err := expandPrivatecaCertificateTemplateIdentityConstraints(d.Get("identity_constraints"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("identity_constraints"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, identityConstraintsProp)) { + obj["identityConstraints"] = identityConstraintsProp + } + passthroughExtensionsProp, err := expandPrivatecaCertificateTemplatePassthroughExtensions(d.Get("passthrough_extensions"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("passthrough_extensions"); 
!tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, passthroughExtensionsProp)) { + obj["passthroughExtensions"] = passthroughExtensionsProp + } + maximumLifetimeProp, err := expandPrivatecaCertificateTemplateMaximumLifetime(d.Get("maximum_lifetime"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("maximum_lifetime"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, maximumLifetimeProp)) { + obj["maximumLifetime"] = maximumLifetimeProp + } + descriptionProp, err := expandPrivatecaCertificateTemplateDescription(d.Get("description"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("description"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) { + obj["description"] = descriptionProp + } + labelsProp, err := expandPrivatecaCertificateTemplateEffectiveLabels(d.Get("effective_labels"), d, config) + if err != nil { + return err + } else if v, ok := d.GetOkExists("effective_labels"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, labelsProp)) { + obj["labels"] = labelsProp + } - "unknown_extended_key_usages": { - Type: schema.TypeList, - Optional: true, - Description: "Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.", - Elem: PrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesSchema(), - }, - }, + url, err := tpgresource.ReplaceVarsForId(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") + if err != nil { + return err } -} -func PrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "cert_sign": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used to sign certificates.", - }, + log.Printf("[DEBUG] Updating 
CertificateTemplate %q: %#v", d.Id(), obj) + headers := make(http.Header) + updateMask := []string{} - "content_commitment": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used for cryptographic commitments. Note that this may also be referred to as \"non-repudiation\".", - }, - - "crl_sign": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used sign certificate revocation lists.", - }, - - "data_encipherment": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used to encipher data.", - }, - - "decipher_only": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used to decipher only.", - }, - - "digital_signature": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used for digital signatures.", - }, - - "encipher_only": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used to encipher only.", - }, - - "key_agreement": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used in a key agreement protocol.", - }, - - "key_encipherment": { - Type: schema.TypeBool, - Optional: true, - Description: "The key may be used to encipher other keys.", - }, - }, - } -} - -func PrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "client_auth": { - Type: schema.TypeBool, - Optional: true, - Description: "Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as \"TLS WWW client authentication\", though regularly used for non-WWW TLS.", - }, - - "code_signing": { - Type: schema.TypeBool, - Optional: true, - Description: "Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as \"Signing of downloadable executable code client authentication\".", - }, - - "email_protection": { - Type: schema.TypeBool, - Optional: true, - Description: "Corresponds to OID 1.3.6.1.5.5.7.3.4. 
Officially described as \"Email protection\".", - }, - - "ocsp_signing": { - Type: schema.TypeBool, - Optional: true, - Description: "Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as \"Signing OCSP responses\".", - }, - - "server_auth": { - Type: schema.TypeBool, - Optional: true, - Description: "Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as \"TLS WWW server authentication\", though regularly used for non-WWW TLS.", - }, - - "time_stamping": { - Type: schema.TypeBool, - Optional: true, - Description: "Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as \"Binding the hash of an object to a time\".", - }, - }, + if d.HasChange("predefined_values") { + updateMask = append(updateMask, "predefinedValues") } -} -func PrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "object_id_path": { - Type: schema.TypeList, - Required: true, - Description: "Required. The parts of an OID path. The most significant parts of the path come first.", - Elem: &schema.Schema{Type: schema.TypeInt}, - }, - }, + if d.HasChange("identity_constraints") { + updateMask = append(updateMask, "identityConstraints") } -} -func PrivatecaCertificateTemplatePredefinedValuesPolicyIdsSchema() *schema.Resource { - return &schema.Resource{ - Schema: map[string]*schema.Schema{ - "object_id_path": { - Type: schema.TypeList, - Required: true, - Description: "Required. The parts of an OID path. 
The most significant parts of the path come first.", - Elem: &schema.Schema{Type: schema.TypeInt}, - }, - }, + if d.HasChange("passthrough_extensions") { + updateMask = append(updateMask, "passthroughExtensions") } -} -func resourcePrivatecaCertificateTemplateCreate(d *schema.ResourceData, meta interface{}) error { - config := meta.(*transport_tpg.Config) - project, err := tpgresource.GetProject(d, config) - if err != nil { - return err + if d.HasChange("maximum_lifetime") { + updateMask = append(updateMask, "maximumLifetime") } - obj := &privateca.CertificateTemplate{ - Location: dcl.String(d.Get("location").(string)), - Name: dcl.String(d.Get("name").(string)), - Description: dcl.String(d.Get("description").(string)), - Labels: tpgresource.CheckStringMap(d.Get("effective_labels")), - IdentityConstraints: expandPrivatecaCertificateTemplateIdentityConstraints(d.Get("identity_constraints")), - MaximumLifetime: dcl.String(d.Get("maximum_lifetime").(string)), - PassthroughExtensions: expandPrivatecaCertificateTemplatePassthroughExtensions(d.Get("passthrough_extensions")), - PredefinedValues: expandPrivatecaCertificateTemplatePredefinedValues(d.Get("predefined_values")), - Project: dcl.String(project), + if d.HasChange("description") { + updateMask = append(updateMask, "description") } - id, err := obj.ID() - if err != nil { - return fmt.Errorf("error constructing id: %s", err) + if d.HasChange("effective_labels") { + updateMask = append(updateMask, "labels") } - d.SetId(id) - directive := tpgdclresource.CreateDirective - userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + // updateMask is a URL parameter but not present in the schema, so ReplaceVars + // won't set it + url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")}) if err != nil { return err } - billingProject := project + // err == nil indicates that the billing_project value was found if bp, err := tpgresource.GetBillingProject(d, 
config); err == nil { billingProject = bp } - client := transport_tpg.NewDCLPrivatecaClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutCreate)) - if bp, err := tpgresource.ReplaceVars(d, config, client.Config.BasePath); err != nil { - d.SetId("") - return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) - } else { - client.Config.BasePath = bp - } - res, err := client.ApplyCertificateTemplate(context.Background(), obj, directive...) - if _, ok := err.(dcl.DiffAfterApplyError); ok { - log.Printf("[DEBUG] Diff after apply returned from the DCL: %s", err) - } else if err != nil { - // The resource didn't actually create - d.SetId("") - return fmt.Errorf("Error creating CertificateTemplate: %s", err) - } + // if updateMask is empty we are not updating anything so skip the post + if len(updateMask) > 0 { + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "PATCH", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutUpdate), + Headers: headers, + }) + + if err != nil { + return fmt.Errorf("Error updating CertificateTemplate %q: %s", d.Id(), err) + } else { + log.Printf("[DEBUG] Finished updating CertificateTemplate %q: %#v", d.Id(), res) + } - log.Printf("[DEBUG] Finished creating CertificateTemplate %q: %#v", d.Id(), res) + err = PrivatecaOperationWaitTime( + config, res, tpgresource.GetResourceNameFromSelfLink(project), "Updating CertificateTemplate", userAgent, + d.Timeout(schema.TimeoutUpdate)) + + if err != nil { + return err + } + } return resourcePrivatecaCertificateTemplateRead(d, meta) } -func resourcePrivatecaCertificateTemplateRead(d *schema.ResourceData, meta interface{}) error { +func resourcePrivatecaCertificateTemplateDelete(d *schema.ResourceData, meta interface{}) error { config := meta.(*transport_tpg.Config) - project, err := tpgresource.GetProject(d, config) + userAgent, err := 
tpgresource.GenerateUserAgentString(d, config.UserAgent) if err != nil { return err } - obj := &privateca.CertificateTemplate{ - Location: dcl.String(d.Get("location").(string)), - Name: dcl.String(d.Get("name").(string)), - Description: dcl.String(d.Get("description").(string)), - Labels: tpgresource.CheckStringMap(d.Get("effective_labels")), - IdentityConstraints: expandPrivatecaCertificateTemplateIdentityConstraints(d.Get("identity_constraints")), - MaximumLifetime: dcl.String(d.Get("maximum_lifetime").(string)), - PassthroughExtensions: expandPrivatecaCertificateTemplatePassthroughExtensions(d.Get("passthrough_extensions")), - PredefinedValues: expandPrivatecaCertificateTemplatePredefinedValues(d.Get("predefined_values")), - Project: dcl.String(project), + billingProject := "" + + project, err := tpgresource.GetProject(d, config) + if err != nil { + return fmt.Errorf("Error fetching project for CertificateTemplate: %s", err) } + billingProject = strings.TrimPrefix(project, "projects/") - userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) + url, err := tpgresource.ReplaceVarsForId(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") if err != nil { return err } - billingProject := project + + var obj map[string]interface{} + // err == nil indicates that the billing_project value was found if bp, err := tpgresource.GetBillingProject(d, config); err == nil { billingProject = bp } - client := transport_tpg.NewDCLPrivatecaClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutRead)) - if bp, err := tpgresource.ReplaceVars(d, config, client.Config.BasePath); err != nil { - d.SetId("") - return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) - } else { - client.Config.BasePath = bp - } - res, err := client.GetCertificateTemplate(context.Background(), obj) + + headers := make(http.Header) + + log.Printf("[DEBUG] Deleting CertificateTemplate %q", d.Id()) + res, 
err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "DELETE", + Project: billingProject, + RawURL: url, + UserAgent: userAgent, + Body: obj, + Timeout: d.Timeout(schema.TimeoutDelete), + Headers: headers, + }) if err != nil { - resourceName := fmt.Sprintf("PrivatecaCertificateTemplate %q", d.Id()) - return tpgdclresource.HandleNotFoundDCLError(err, d, resourceName) + return transport_tpg.HandleNotFoundError(err, d, "CertificateTemplate") } - if err = d.Set("location", res.Location); err != nil { - return fmt.Errorf("error setting location in state: %s", err) - } - if err = d.Set("name", res.Name); err != nil { - return fmt.Errorf("error setting name in state: %s", err) - } - if err = d.Set("description", res.Description); err != nil { - return fmt.Errorf("error setting description in state: %s", err) + err = PrivatecaOperationWaitTime( + config, res, tpgresource.GetResourceNameFromSelfLink(project), "Deleting CertificateTemplate", userAgent, + d.Timeout(schema.TimeoutDelete)) + + if err != nil { + return err } - if err = d.Set("effective_labels", res.Labels); err != nil { - return fmt.Errorf("error setting effective_labels in state: %s", err) + + log.Printf("[DEBUG] Finished deleting CertificateTemplate %q: %#v", d.Id(), res) + return nil +} + +func resourcePrivatecaCertificateTemplateImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + config := meta.(*transport_tpg.Config) + if err := tpgresource.ParseImportId([]string{ + "^projects/(?P[^/]+)/locations/(?P[^/]+)/certificateTemplates/(?P[^/]+)$", + "^(?P[^/]+)/(?P[^/]+)/(?P[^/]+)$", + "^(?P[^/]+)/(?P[^/]+)$", + }, d, config); err != nil { + return nil, err } - if err = d.Set("identity_constraints", flattenPrivatecaCertificateTemplateIdentityConstraints(res.IdentityConstraints)); err != nil { - return fmt.Errorf("error setting identity_constraints in state: %s", err) + + // Replace import id for the resource id + id, err := 
tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") + if err != nil { + return nil, fmt.Errorf("Error constructing id: %s", err) } - if err = d.Set("maximum_lifetime", res.MaximumLifetime); err != nil { - return fmt.Errorf("error setting maximum_lifetime in state: %s", err) + d.SetId(id) + + return []*schema.ResourceData{d}, nil +} + +func flattenPrivatecaCertificateTemplatePredefinedValues(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil } - if err = d.Set("passthrough_extensions", flattenPrivatecaCertificateTemplatePassthroughExtensions(res.PassthroughExtensions)); err != nil { - return fmt.Errorf("error setting passthrough_extensions in state: %s", err) + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } - if err = d.Set("predefined_values", flattenPrivatecaCertificateTemplatePredefinedValues(res.PredefinedValues)); err != nil { - return fmt.Errorf("error setting predefined_values in state: %s", err) + transformed := make(map[string]interface{}) + transformed["key_usage"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsage(original["keyUsage"], d, config) + transformed["ca_options"] = + flattenPrivatecaCertificateTemplatePredefinedValuesCaOptions(original["caOptions"], d, config) + transformed["policy_ids"] = + flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIds(original["policyIds"], d, config) + transformed["aia_ocsp_servers"] = + flattenPrivatecaCertificateTemplatePredefinedValuesAiaOcspServers(original["aiaOcspServers"], d, config) + transformed["additional_extensions"] = + flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(original["additionalExtensions"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsage(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == 
nil { + return nil } - if err = d.Set("project", res.Project); err != nil { - return fmt.Errorf("error setting project in state: %s", err) + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } - if err = d.Set("create_time", res.CreateTime); err != nil { - return fmt.Errorf("error setting create_time in state: %s", err) + transformed := make(map[string]interface{}) + transformed["base_key_usage"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(original["baseKeyUsage"], d, config) + transformed["extended_key_usage"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(original["extendedKeyUsage"], d, config) + transformed["unknown_extended_key_usages"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(original["unknownExtendedKeyUsages"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil } - if err = d.Set("labels", flattenPrivatecaCertificateTemplateLabels(res.Labels, d)); err != nil { - return fmt.Errorf("error setting labels in state: %s", err) + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } - if err = d.Set("terraform_labels", flattenPrivatecaCertificateTemplateTerraformLabels(res.Labels, d)); err != nil { - return fmt.Errorf("error setting terraform_labels in state: %s", err) + transformed := make(map[string]interface{}) + transformed["digital_signature"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDigitalSignature(original["digitalSignature"], d, config) + transformed["content_commitment"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageContentCommitment(original["contentCommitment"], d, config) + transformed["key_encipherment"] = + 
flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyEncipherment(original["keyEncipherment"], d, config) + transformed["data_encipherment"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDataEncipherment(original["dataEncipherment"], d, config) + transformed["key_agreement"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyAgreement(original["keyAgreement"], d, config) + transformed["cert_sign"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCertSign(original["certSign"], d, config) + transformed["crl_sign"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCrlSign(original["crlSign"], d, config) + transformed["encipher_only"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageEncipherOnly(original["encipherOnly"], d, config) + transformed["decipher_only"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDecipherOnly(original["decipherOnly"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDigitalSignature(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageContentCommitment(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyEncipherment(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDataEncipherment(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyAgreement(v interface{}, d *schema.ResourceData, config 
*transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCertSign(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCrlSign(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageEncipherOnly(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDecipherOnly(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil } - if err = d.Set("update_time", res.UpdateTime); err != nil { - return fmt.Errorf("error setting update_time in state: %s", err) + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } + transformed := make(map[string]interface{}) + transformed["server_auth"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageServerAuth(original["serverAuth"], d, config) + transformed["client_auth"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageClientAuth(original["clientAuth"], d, config) + transformed["code_signing"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageCodeSigning(original["codeSigning"], d, config) + transformed["email_protection"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageEmailProtection(original["emailProtection"], d, config) + transformed["time_stamping"] = + 
flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageTimeStamping(original["timeStamping"], d, config) + transformed["ocsp_signing"] = + flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageOcspSigning(original["ocspSigning"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageServerAuth(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - return nil +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageClientAuth(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v } -func resourcePrivatecaCertificateTemplateUpdate(d *schema.ResourceData, meta interface{}) error { - config := meta.(*transport_tpg.Config) - project, err := tpgresource.GetProject(d, config) - if err != nil { - return err - } - obj := &privateca.CertificateTemplate{ - Location: dcl.String(d.Get("location").(string)), - Name: dcl.String(d.Get("name").(string)), - Description: dcl.String(d.Get("description").(string)), - Labels: tpgresource.CheckStringMap(d.Get("effective_labels")), - IdentityConstraints: expandPrivatecaCertificateTemplateIdentityConstraints(d.Get("identity_constraints")), - MaximumLifetime: dcl.String(d.Get("maximum_lifetime").(string)), - PassthroughExtensions: expandPrivatecaCertificateTemplatePassthroughExtensions(d.Get("passthrough_extensions")), - PredefinedValues: expandPrivatecaCertificateTemplatePredefinedValues(d.Get("predefined_values")), - Project: dcl.String(project), - } - directive := tpgdclresource.UpdateDirective - userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) - if err != nil { - return err +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageCodeSigning(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func 
flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageEmailProtection(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageTimeStamping(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageOcspSigning(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "object_id_path": flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesObjectIdPath(original["objectIdPath"], d, config), + }) } + return transformed +} +func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesObjectIdPath(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - billingProject := "" - // err == nil indicates that the billing_project value was found - if bp, err := tpgresource.GetBillingProject(d, config); err == nil { - billingProject = bp +func flattenPrivatecaCertificateTemplatePredefinedValuesCaOptions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil } - client := transport_tpg.NewDCLPrivatecaClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutUpdate)) - if bp, err := tpgresource.ReplaceVars(d, config, 
client.Config.BasePath); err != nil { - d.SetId("") - return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) - } else { - client.Config.BasePath = bp + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } - res, err := client.ApplyCertificateTemplate(context.Background(), obj, directive...) + transformed := make(map[string]interface{}) + transformed["is_ca"] = + flattenPrivatecaCertificateTemplatePredefinedValuesCaOptionsIsCa(original["isCa"], d, config) + transformed["max_issuer_path_length"] = + flattenPrivatecaCertificateTemplatePredefinedValuesCaOptionsMaxIssuerPathLength(original["maxIssuerPathLength"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplatePredefinedValuesCaOptionsIsCa(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - if _, ok := err.(dcl.DiffAfterApplyError); ok { - log.Printf("[DEBUG] Diff after apply returned from the DCL: %s", err) - } else if err != nil { - // The resource didn't actually create - d.SetId("") - return fmt.Errorf("Error updating CertificateTemplate: %s", err) +func flattenPrivatecaCertificateTemplatePredefinedValuesCaOptionsMaxIssuerPathLength(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + // Handles the string fixed64 format + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal + } } - log.Printf("[DEBUG] Finished creating CertificateTemplate %q: %#v", d.Id(), res) + // number values are represented as float64 + if floatVal, ok := v.(float64); ok { + intVal := int(floatVal) + return intVal + } - return resourcePrivatecaCertificateTemplateRead(d, meta) + return v // let terraform core handle it otherwise } -func resourcePrivatecaCertificateTemplateDelete(d *schema.ResourceData, meta interface{}) error { - config := meta.(*transport_tpg.Config) - project, err := tpgresource.GetProject(d, 
config) - if err != nil { - return err +func flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIds(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "object_id_path": flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIdsObjectIdPath(original["objectIdPath"], d, config), + }) } + return transformed +} +func flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIdsObjectIdPath(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesAiaOcspServers(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - obj := &privateca.CertificateTemplate{ - Location: dcl.String(d.Get("location").(string)), - Name: dcl.String(d.Get("name").(string)), - Description: dcl.String(d.Get("description").(string)), - Labels: tpgresource.CheckStringMap(d.Get("effective_labels")), - IdentityConstraints: expandPrivatecaCertificateTemplateIdentityConstraints(d.Get("identity_constraints")), - MaximumLifetime: dcl.String(d.Get("maximum_lifetime").(string)), - PassthroughExtensions: expandPrivatecaCertificateTemplatePassthroughExtensions(d.Get("passthrough_extensions")), - PredefinedValues: expandPrivatecaCertificateTemplatePredefinedValues(d.Get("predefined_values")), - Project: dcl.String(project), +func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := 
range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "object_id": flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(original["objectId"], d, config), + "critical": flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsCritical(original["critical"], d, config), + "value": flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsValue(original["value"], d, config), + }) } + return transformed +} +func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["object_id_path"] = + flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectIdObjectIdPath(original["objectIdPath"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectIdObjectIdPath(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - log.Printf("[DEBUG] Deleting CertificateTemplate %q", d.Id()) - userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent) - if err != nil { - return err +func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsCritical(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsValue(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplateIdentityConstraints(v interface{}, d *schema.ResourceData, 
config *transport_tpg.Config) interface{} { + if v == nil { + return nil } - billingProject := project - // err == nil indicates that the billing_project value was found - if bp, err := tpgresource.GetBillingProject(d, config); err == nil { - billingProject = bp + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } - client := transport_tpg.NewDCLPrivatecaClient(config, userAgent, billingProject, d.Timeout(schema.TimeoutDelete)) - if bp, err := tpgresource.ReplaceVars(d, config, client.Config.BasePath); err != nil { - d.SetId("") - return fmt.Errorf("Could not format %q: %w", client.Config.BasePath, err) - } else { - client.Config.BasePath = bp + transformed := make(map[string]interface{}) + transformed["cel_expression"] = + flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpression(original["celExpression"], d, config) + transformed["allow_subject_passthrough"] = + flattenPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectPassthrough(original["allowSubjectPassthrough"], d, config) + transformed["allow_subject_alt_names_passthrough"] = + flattenPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectAltNamesPassthrough(original["allowSubjectAltNamesPassthrough"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpression(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil } - if err := client.DeleteCertificateTemplate(context.Background(), obj); err != nil { - return fmt.Errorf("Error deleting CertificateTemplate: %s", err) + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil } + transformed := make(map[string]interface{}) + transformed["expression"] = + flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionExpression(original["expression"], d, config) + transformed["title"] = + 
flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionTitle(original["title"], d, config) + transformed["description"] = + flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionDescription(original["description"], d, config) + transformed["location"] = + flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionLocation(original["location"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionExpression(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - log.Printf("[DEBUG] Finished deleting CertificateTemplate %q", d.Id()) - return nil +func flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionTitle(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v } -func resourcePrivatecaCertificateTemplateImport(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { - config := meta.(*transport_tpg.Config) +func flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - if err := tpgresource.ParseImportId([]string{ - "projects/(?P[^/]+)/locations/(?P[^/]+)/certificateTemplates/(?P[^/]+)", - "(?P[^/]+)/(?P[^/]+)/(?P[^/]+)", - "(?P[^/]+)/(?P[^/]+)", - }, d, config); err != nil { - return nil, err +func flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpressionLocation(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectPassthrough(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectAltNamesPassthrough(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v 
+} + +func flattenPrivatecaCertificateTemplatePassthroughExtensions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["known_extensions"] = + flattenPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensions(original["knownExtensions"], d, config) + transformed["additional_extensions"] = + flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(original["additionalExtensions"], d, config) + return []interface{}{transformed} +} +func flattenPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - // Replace import id for the resource id - id, err := tpgresource.ReplaceVarsForId(d, config, "projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") - if err != nil { - return nil, fmt.Errorf("Error constructing id: %s", err) +func flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "object_id_path": flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsObjectIdPath(original["objectIdPath"], d, config), + }) } - d.SetId(id) + return transformed +} +func flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsObjectIdPath(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} - return 
[]*schema.ResourceData{d}, nil +func flattenPrivatecaCertificateTemplateMaximumLifetime(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v } -func expandPrivatecaCertificateTemplateIdentityConstraints(o interface{}) *privateca.CertificateTemplateIdentityConstraints { - if o == nil { - return privateca.EmptyCertificateTemplateIdentityConstraints - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplateIdentityConstraints +func flattenPrivatecaCertificateTemplateDescription(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplateCreateTime(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplateUpdateTime(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenPrivatecaCertificateTemplateLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplateIdentityConstraints{ - AllowSubjectAltNamesPassthrough: dcl.Bool(obj["allow_subject_alt_names_passthrough"].(bool)), - AllowSubjectPassthrough: dcl.Bool(obj["allow_subject_passthrough"].(bool)), - CelExpression: expandPrivatecaCertificateTemplateIdentityConstraintsCelExpression(obj["cel_expression"]), + + transformed := make(map[string]interface{}) + if l, ok := d.GetOkExists("labels"); ok { + for k := range l.(map[string]interface{}) { + transformed[k] = v.(map[string]interface{})[k] + } } + + return transformed } -func flattenPrivatecaCertificateTemplateIdentityConstraints(obj *privateca.CertificateTemplateIdentityConstraints) interface{} { - if obj == nil || obj.Empty() { - return nil +func flattenPrivatecaCertificateTemplateTerraformLabels(v interface{}, d 
*schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v } - transformed := map[string]interface{}{ - "allow_subject_alt_names_passthrough": obj.AllowSubjectAltNamesPassthrough, - "allow_subject_passthrough": obj.AllowSubjectPassthrough, - "cel_expression": flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpression(obj.CelExpression), + + transformed := make(map[string]interface{}) + if l, ok := d.GetOkExists("terraform_labels"); ok { + for k := range l.(map[string]interface{}) { + transformed[k] = v.(map[string]interface{})[k] + } } - return []interface{}{transformed} + return transformed +} +func flattenPrivatecaCertificateTemplateEffectiveLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v } -func expandPrivatecaCertificateTemplateIdentityConstraintsCelExpression(o interface{}) *privateca.CertificateTemplateIdentityConstraintsCelExpression { - if o == nil { - return privateca.EmptyCertificateTemplateIdentityConstraintsCelExpression +func expandPrivatecaCertificateTemplatePredefinedValues(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplateIdentityConstraintsCelExpression + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedKeyUsage, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsage(original["key_usage"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKeyUsage); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["keyUsage"] = transformedKeyUsage } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplateIdentityConstraintsCelExpression{ - Description: 
dcl.String(obj["description"].(string)), - Expression: dcl.String(obj["expression"].(string)), - Location: dcl.String(obj["location"].(string)), - Title: dcl.String(obj["title"].(string)), + + transformedCaOptions, err := expandPrivatecaCertificateTemplatePredefinedValuesCaOptions(original["ca_options"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedCaOptions); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["caOptions"] = transformedCaOptions } -} -func flattenPrivatecaCertificateTemplateIdentityConstraintsCelExpression(obj *privateca.CertificateTemplateIdentityConstraintsCelExpression) interface{} { - if obj == nil || obj.Empty() { - return nil + transformedPolicyIds, err := expandPrivatecaCertificateTemplatePredefinedValuesPolicyIds(original["policy_ids"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPolicyIds); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["policyIds"] = transformedPolicyIds } - transformed := map[string]interface{}{ - "description": obj.Description, - "expression": obj.Expression, - "location": obj.Location, - "title": obj.Title, + + transformedAiaOcspServers, err := expandPrivatecaCertificateTemplatePredefinedValuesAiaOcspServers(original["aia_ocsp_servers"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAiaOcspServers); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["aiaOcspServers"] = transformedAiaOcspServers } - return []interface{}{transformed} + transformedAdditionalExtensions, err := expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(original["additional_extensions"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAdditionalExtensions); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["additionalExtensions"] = transformedAdditionalExtensions + } + return transformed, 
nil } -func expandPrivatecaCertificateTemplatePassthroughExtensions(o interface{}) *privateca.CertificateTemplatePassthroughExtensions { - if o == nil { - return privateca.EmptyCertificateTemplatePassthroughExtensions - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplatePassthroughExtensions +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsage(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplatePassthroughExtensions{ - AdditionalExtensions: expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsArray(obj["additional_extensions"]), - KnownExtensions: expandPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensionsArray(obj["known_extensions"]), - } -} + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) -func flattenPrivatecaCertificateTemplatePassthroughExtensions(obj *privateca.CertificateTemplatePassthroughExtensions) interface{} { - if obj == nil || obj.Empty() { - return nil + transformedBaseKeyUsage, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(original["base_key_usage"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedBaseKeyUsage); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["baseKeyUsage"] = transformedBaseKeyUsage } - transformed := map[string]interface{}{ - "additional_extensions": flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsArray(obj.AdditionalExtensions), - "known_extensions": flattenPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensionsArray(obj.KnownExtensions), + + transformedExtendedKeyUsage, err := 
expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(original["extended_key_usage"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedExtendedKeyUsage); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["extendedKeyUsage"] = transformedExtendedKeyUsage } - return []interface{}{transformed} + transformedUnknownExtendedKeyUsages, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(original["unknown_extended_key_usages"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedUnknownExtendedKeyUsages); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["unknownExtendedKeyUsages"] = transformedUnknownExtendedKeyUsages + } + return transformed, nil } -func expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsArray(o interface{}) []privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions { - if o == nil { - return make([]privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions, 0) - } - objs := o.([]interface{}) - if len(objs) == 0 || objs[0] == nil { - return make([]privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions, 0) +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) - items := make([]privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions, 0, len(objs)) - for _, item := range objs { - i := expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(item) - items = append(items, *i) + transformedDigitalSignature, err := 
expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDigitalSignature(original["digital_signature"], d, config) + if err != nil { + return nil, err + } else { + transformed["digitalSignature"] = transformedDigitalSignature } - return items -} + transformedContentCommitment, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageContentCommitment(original["content_commitment"], d, config) + if err != nil { + return nil, err + } else { + transformed["contentCommitment"] = transformedContentCommitment + } -func expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(o interface{}) *privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions { - if o == nil { - return privateca.EmptyCertificateTemplatePassthroughExtensionsAdditionalExtensions + transformedKeyEncipherment, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyEncipherment(original["key_encipherment"], d, config) + if err != nil { + return nil, err + } else { + transformed["keyEncipherment"] = transformedKeyEncipherment } - obj := o.(map[string]interface{}) - return &privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions{ - ObjectIdPath: tpgdclresource.ExpandIntegerArray(obj["object_id_path"]), + transformedDataEncipherment, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDataEncipherment(original["data_encipherment"], d, config) + if err != nil { + return nil, err + } else { + transformed["dataEncipherment"] = transformedDataEncipherment } -} -func flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsArray(objs []privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions) []interface{} { - if objs == nil { - return nil + transformedKeyAgreement, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyAgreement(original["key_agreement"], d, config) + if err != nil { + return nil, err + } else { + 
transformed["keyAgreement"] = transformedKeyAgreement } - items := []interface{}{} - for _, item := range objs { - i := flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(&item) - items = append(items, i) + transformedCertSign, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCertSign(original["cert_sign"], d, config) + if err != nil { + return nil, err + } else { + transformed["certSign"] = transformedCertSign } - return items -} + transformedCrlSign, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCrlSign(original["crl_sign"], d, config) + if err != nil { + return nil, err + } else { + transformed["crlSign"] = transformedCrlSign + } -func flattenPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(obj *privateca.CertificateTemplatePassthroughExtensionsAdditionalExtensions) interface{} { - if obj == nil || obj.Empty() { - return nil + transformedEncipherOnly, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageEncipherOnly(original["encipher_only"], d, config) + if err != nil { + return nil, err + } else { + transformed["encipherOnly"] = transformedEncipherOnly } - transformed := map[string]interface{}{ - "object_id_path": obj.ObjectIdPath, + + transformedDecipherOnly, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDecipherOnly(original["decipher_only"], d, config) + if err != nil { + return nil, err + } else { + transformed["decipherOnly"] = transformedDecipherOnly } - return transformed + return transformed, nil +} +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDigitalSignature(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValues(o interface{}) *privateca.CertificateTemplatePredefinedValues { - if o == nil { - return 
privateca.EmptyCertificateTemplatePredefinedValues - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplatePredefinedValues - } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValues{ - AdditionalExtensions: expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsArray(obj["additional_extensions"]), - AiaOcspServers: tpgdclresource.ExpandStringArray(obj["aia_ocsp_servers"]), - CaOptions: expandPrivatecaCertificateTemplatePredefinedValuesCaOptions(obj["ca_options"]), - KeyUsage: expandPrivatecaCertificateTemplatePredefinedValuesKeyUsage(obj["key_usage"]), - PolicyIds: expandPrivatecaCertificateTemplatePredefinedValuesPolicyIdsArray(obj["policy_ids"]), - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageContentCommitment(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func flattenPrivatecaCertificateTemplatePredefinedValues(obj *privateca.CertificateTemplatePredefinedValues) interface{} { - if obj == nil || obj.Empty() { - return nil - } - transformed := map[string]interface{}{ - "additional_extensions": flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsArray(obj.AdditionalExtensions), - "aia_ocsp_servers": obj.AiaOcspServers, - "ca_options": flattenPrivatecaCertificateTemplatePredefinedValuesCaOptions(obj.CaOptions), - "key_usage": flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsage(obj.KeyUsage), - "policy_ids": flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIdsArray(obj.PolicyIds), - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyEncipherment(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - return []interface{}{transformed} +func 
expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDataEncipherment(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageKeyAgreement(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsArray(o interface{}) []privateca.CertificateTemplatePredefinedValuesAdditionalExtensions { - if o == nil { - return make([]privateca.CertificateTemplatePredefinedValuesAdditionalExtensions, 0) - } - objs := o.([]interface{}) - if len(objs) == 0 || objs[0] == nil { - return make([]privateca.CertificateTemplatePredefinedValuesAdditionalExtensions, 0) - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCertSign(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - items := make([]privateca.CertificateTemplatePredefinedValuesAdditionalExtensions, 0, len(objs)) - for _, item := range objs { - i := expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(item) - items = append(items, *i) - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageCrlSign(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - return items +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageEncipherOnly(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(o interface{}) *privateca.CertificateTemplatePredefinedValuesAdditionalExtensions { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesAdditionalExtensions 
+func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsageDecipherOnly(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) - obj := o.(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesAdditionalExtensions{ - ObjectId: expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(obj["object_id"]), - Value: dcl.String(obj["value"].(string)), - Critical: dcl.Bool(obj["critical"].(bool)), + transformedServerAuth, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageServerAuth(original["server_auth"], d, config) + if err != nil { + return nil, err + } else { + transformed["serverAuth"] = transformedServerAuth } -} -func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsArray(objs []privateca.CertificateTemplatePredefinedValuesAdditionalExtensions) []interface{} { - if objs == nil { - return nil + transformedClientAuth, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageClientAuth(original["client_auth"], d, config) + if err != nil { + return nil, err + } else { + transformed["clientAuth"] = transformedClientAuth } - items := []interface{}{} - for _, item := range objs { - i := flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(&item) - items = append(items, i) + transformedCodeSigning, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageCodeSigning(original["code_signing"], d, config) + if err != nil { + return nil, err + } else { + 
transformed["codeSigning"] = transformedCodeSigning } - return items -} + transformedEmailProtection, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageEmailProtection(original["email_protection"], d, config) + if err != nil { + return nil, err + } else { + transformed["emailProtection"] = transformedEmailProtection + } -func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(obj *privateca.CertificateTemplatePredefinedValuesAdditionalExtensions) interface{} { - if obj == nil || obj.Empty() { - return nil + transformedTimeStamping, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageTimeStamping(original["time_stamping"], d, config) + if err != nil { + return nil, err + } else { + transformed["timeStamping"] = transformedTimeStamping } - transformed := map[string]interface{}{ - "object_id": flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(obj.ObjectId), - "value": obj.Value, - "critical": obj.Critical, + + transformedOcspSigning, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageOcspSigning(original["ocsp_signing"], d, config) + if err != nil { + return nil, err + } else { + transformed["ocspSigning"] = transformedOcspSigning } - return transformed + return transformed, nil +} +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageServerAuth(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(o interface{}) *privateca.CertificateTemplatePredefinedValuesAdditionalExtensionsObjectId { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId 
- } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesAdditionalExtensionsObjectId{ - ObjectIdPath: tpgdclresource.ExpandIntegerArray(obj["object_id_path"]), - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageClientAuth(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func flattenPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(obj *privateca.CertificateTemplatePredefinedValuesAdditionalExtensionsObjectId) interface{} { - if obj == nil || obj.Empty() { - return nil - } - transformed := map[string]interface{}{ - "object_id_path": obj.ObjectIdPath, - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageCodeSigning(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - return []interface{}{transformed} +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageEmailProtection(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageTimeStamping(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesCaOptions(o interface{}) *privateca.CertificateTemplatePredefinedValuesCaOptions { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesCaOptions - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesCaOptions - } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesCaOptions{ - IsCa: dcl.Bool(obj["is_ca"].(bool)), - MaxIssuerPathLength: 
dcl.Int64(int64(obj["max_issuer_path_length"].(int))), - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsageOcspSigning(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func flattenPrivatecaCertificateTemplatePredefinedValuesCaOptions(obj *privateca.CertificateTemplatePredefinedValuesCaOptions) interface{} { - if obj == nil || obj.Empty() { - return nil - } - transformed := map[string]interface{}{ - "is_ca": obj.IsCa, - "max_issuer_path_length": obj.MaxIssuerPathLength, - } +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedObjectIdPath, err := expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesObjectIdPath(original["object_id_path"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedObjectIdPath); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["objectIdPath"] = transformedObjectIdPath + } - return []interface{}{transformed} + req = append(req, transformed) + } + return req, nil +} +func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesObjectIdPath(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsage(o interface{}) *privateca.CertificateTemplatePredefinedValuesKeyUsage { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesKeyUsage - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return 
privateca.EmptyCertificateTemplatePredefinedValuesKeyUsage +func expandPrivatecaCertificateTemplatePredefinedValuesCaOptions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesKeyUsage{ - BaseKeyUsage: expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(obj["base_key_usage"]), - ExtendedKeyUsage: expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(obj["extended_key_usage"]), - UnknownExtendedKeyUsages: expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesArray(obj["unknown_extended_key_usages"]), - } -} + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) -func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsage(obj *privateca.CertificateTemplatePredefinedValuesKeyUsage) interface{} { - if obj == nil || obj.Empty() { - return nil + transformedIsCa, err := expandPrivatecaCertificateTemplatePredefinedValuesCaOptionsIsCa(original["is_ca"], d, config) + if err != nil { + return nil, err + } else { + transformed["isCa"] = transformedIsCa } - transformed := map[string]interface{}{ - "base_key_usage": flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(obj.BaseKeyUsage), - "extended_key_usage": flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(obj.ExtendedKeyUsage), - "unknown_extended_key_usages": flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesArray(obj.UnknownExtendedKeyUsages), + + transformedMaxIssuerPathLength, err := expandPrivatecaCertificateTemplatePredefinedValuesCaOptionsMaxIssuerPathLength(original["max_issuer_path_length"], d, config) + if err != nil { + return nil, err + } else if val := 
reflect.ValueOf(transformedMaxIssuerPathLength); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["maxIssuerPathLength"] = transformedMaxIssuerPathLength } - return []interface{}{transformed} + return transformed, nil +} +func expandPrivatecaCertificateTemplatePredefinedValuesCaOptionsIsCa(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(o interface{}) *privateca.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage - } - obj := objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage{ - CertSign: dcl.Bool(obj["cert_sign"].(bool)), - ContentCommitment: dcl.Bool(obj["content_commitment"].(bool)), - CrlSign: dcl.Bool(obj["crl_sign"].(bool)), - DataEncipherment: dcl.Bool(obj["data_encipherment"].(bool)), - DecipherOnly: dcl.Bool(obj["decipher_only"].(bool)), - DigitalSignature: dcl.Bool(obj["digital_signature"].(bool)), - EncipherOnly: dcl.Bool(obj["encipher_only"].(bool)), - KeyAgreement: dcl.Bool(obj["key_agreement"].(bool)), - KeyEncipherment: dcl.Bool(obj["key_encipherment"].(bool)), - } +func expandPrivatecaCertificateTemplatePredefinedValuesCaOptionsMaxIssuerPathLength(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage(obj *privateca.CertificateTemplatePredefinedValuesKeyUsageBaseKeyUsage) interface{} { - if obj == nil || obj.Empty() { - return nil - } - transformed := map[string]interface{}{ - "cert_sign": obj.CertSign, - "content_commitment": 
obj.ContentCommitment, - "crl_sign": obj.CrlSign, - "data_encipherment": obj.DataEncipherment, - "decipher_only": obj.DecipherOnly, - "digital_signature": obj.DigitalSignature, - "encipher_only": obj.EncipherOnly, - "key_agreement": obj.KeyAgreement, - "key_encipherment": obj.KeyEncipherment, +func expandPrivatecaCertificateTemplatePredefinedValuesPolicyIds(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedObjectIdPath, err := expandPrivatecaCertificateTemplatePredefinedValuesPolicyIdsObjectIdPath(original["object_id_path"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedObjectIdPath); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["objectIdPath"] = transformedObjectIdPath + } + + req = append(req, transformed) } + return req, nil +} - return []interface{}{transformed} +func expandPrivatecaCertificateTemplatePredefinedValuesPolicyIdsObjectIdPath(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} +func expandPrivatecaCertificateTemplatePredefinedValuesAiaOcspServers(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(o interface{}) *privateca.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage - } - objArr := o.([]interface{}) - if len(objArr) == 0 || objArr[0] == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage - } - obj := 
objArr[0].(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage{ - ClientAuth: dcl.Bool(obj["client_auth"].(bool)), - CodeSigning: dcl.Bool(obj["code_signing"].(bool)), - EmailProtection: dcl.Bool(obj["email_protection"].(bool)), - OcspSigning: dcl.Bool(obj["ocsp_signing"].(bool)), - ServerAuth: dcl.Bool(obj["server_auth"].(bool)), - TimeStamping: dcl.Bool(obj["time_stamping"].(bool)), +func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedObjectId, err := expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(original["object_id"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedObjectId); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["objectId"] = transformedObjectId + } + + transformedCritical, err := expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsCritical(original["critical"], d, config) + if err != nil { + return nil, err + } else { + transformed["critical"] = transformedCritical + } + + transformedValue, err := expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsValue(original["value"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedValue); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["value"] = transformedValue + } + + req = append(req, transformed) } + return req, nil } -func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage(obj *privateca.CertificateTemplatePredefinedValuesKeyUsageExtendedKeyUsage) interface{} { - if obj == nil || obj.Empty() 
{ - return nil - } - transformed := map[string]interface{}{ - "client_auth": obj.ClientAuth, - "code_signing": obj.CodeSigning, - "email_protection": obj.EmailProtection, - "ocsp_signing": obj.OcspSigning, - "server_auth": obj.ServerAuth, - "time_stamping": obj.TimeStamping, +func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectId(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) - return []interface{}{transformed} + transformedObjectIdPath, err := expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectIdObjectIdPath(original["object_id_path"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedObjectIdPath); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["objectIdPath"] = transformedObjectIdPath + } + return transformed, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesArray(o interface{}) []privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages { - if o == nil { - return make([]privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages, 0) - } - objs := o.([]interface{}) - if len(objs) == 0 || objs[0] == nil { - return make([]privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages, 0) - } +func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsObjectIdObjectIdPath(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - items := make([]privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages, 0, len(objs)) - for _, item := range objs { - i := 
expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(item) - items = append(items, *i) - } +func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsCritical(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - return items +func expandPrivatecaCertificateTemplatePredefinedValuesAdditionalExtensionsValue(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(o interface{}) *privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages +func expandPrivatecaCertificateTemplateIdentityConstraints(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) - obj := o.(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages{ - ObjectIdPath: tpgdclresource.ExpandIntegerArray(obj["object_id_path"]), + transformedCelExpression, err := expandPrivatecaCertificateTemplateIdentityConstraintsCelExpression(original["cel_expression"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedCelExpression); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["celExpression"] = transformedCelExpression } -} -func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsagesArray(objs []privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages) []interface{} { - if objs == nil { - return nil + 
transformedAllowSubjectPassthrough, err := expandPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectPassthrough(original["allow_subject_passthrough"], d, config) + if err != nil { + return nil, err + } else { + transformed["allowSubjectPassthrough"] = transformedAllowSubjectPassthrough } - items := []interface{}{} - for _, item := range objs { - i := flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(&item) - items = append(items, i) + transformedAllowSubjectAltNamesPassthrough, err := expandPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectAltNamesPassthrough(original["allow_subject_alt_names_passthrough"], d, config) + if err != nil { + return nil, err + } else { + transformed["allowSubjectAltNamesPassthrough"] = transformedAllowSubjectAltNamesPassthrough } - return items + return transformed, nil } -func flattenPrivatecaCertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages(obj *privateca.CertificateTemplatePredefinedValuesKeyUsageUnknownExtendedKeyUsages) interface{} { - if obj == nil || obj.Empty() { - return nil - } - transformed := map[string]interface{}{ - "object_id_path": obj.ObjectIdPath, +func expandPrivatecaCertificateTemplateIdentityConstraintsCelExpression(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) - return transformed + transformedExpression, err := expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionExpression(original["expression"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedExpression); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["expression"] = transformedExpression + } -} -func expandPrivatecaCertificateTemplatePredefinedValuesPolicyIdsArray(o interface{}) 
[]privateca.CertificateTemplatePredefinedValuesPolicyIds { - if o == nil { - return make([]privateca.CertificateTemplatePredefinedValuesPolicyIds, 0) + transformedTitle, err := expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionTitle(original["title"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedTitle); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["title"] = transformedTitle } - objs := o.([]interface{}) - if len(objs) == 0 || objs[0] == nil { - return make([]privateca.CertificateTemplatePredefinedValuesPolicyIds, 0) + transformedDescription, err := expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionDescription(original["description"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDescription); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["description"] = transformedDescription } - items := make([]privateca.CertificateTemplatePredefinedValuesPolicyIds, 0, len(objs)) - for _, item := range objs { - i := expandPrivatecaCertificateTemplatePredefinedValuesPolicyIds(item) - items = append(items, *i) + transformedLocation, err := expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionLocation(original["location"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedLocation); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["location"] = transformedLocation } - return items + return transformed, nil } -func expandPrivatecaCertificateTemplatePredefinedValuesPolicyIds(o interface{}) *privateca.CertificateTemplatePredefinedValuesPolicyIds { - if o == nil { - return privateca.EmptyCertificateTemplatePredefinedValuesPolicyIds - } +func expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionExpression(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - obj := 
o.(map[string]interface{}) - return &privateca.CertificateTemplatePredefinedValuesPolicyIds{ - ObjectIdPath: tpgdclresource.ExpandIntegerArray(obj["object_id_path"]), - } +func expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionTitle(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIdsArray(objs []privateca.CertificateTemplatePredefinedValuesPolicyIds) []interface{} { - if objs == nil { - return nil - } +func expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - items := []interface{}{} - for _, item := range objs { - i := flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIds(&item) - items = append(items, i) - } +func expandPrivatecaCertificateTemplateIdentityConstraintsCelExpressionLocation(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - return items +func expandPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectPassthrough(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func flattenPrivatecaCertificateTemplatePredefinedValuesPolicyIds(obj *privateca.CertificateTemplatePredefinedValuesPolicyIds) interface{} { - if obj == nil || obj.Empty() { - return nil +func expandPrivatecaCertificateTemplateIdentityConstraintsAllowSubjectAltNamesPassthrough(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandPrivatecaCertificateTemplatePassthroughExtensions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return 
nil, nil } - transformed := map[string]interface{}{ - "object_id_path": obj.ObjectIdPath, + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedKnownExtensions, err := expandPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensions(original["known_extensions"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKnownExtensions); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["knownExtensions"] = transformedKnownExtensions } - return transformed + transformedAdditionalExtensions, err := expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(original["additional_extensions"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAdditionalExtensions); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["additionalExtensions"] = transformedAdditionalExtensions + } + return transformed, nil } -func flattenPrivatecaCertificateTemplateLabels(v map[string]string, d *schema.ResourceData) interface{} { - if v == nil { - return nil - } +func expandPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - transformed := make(map[string]interface{}) - if l, ok := d.Get("labels").(map[string]interface{}); ok { - for k, _ := range l { - transformed[k] = v[k] +func expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensions(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedObjectIdPath, err := 
expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsObjectIdPath(original["object_id_path"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedObjectIdPath); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["objectIdPath"] = transformedObjectIdPath } - } - return transformed + req = append(req, transformed) + } + return req, nil } -func flattenPrivatecaCertificateTemplateTerraformLabels(v map[string]string, d *schema.ResourceData) interface{} { - if v == nil { - return nil - } +func expandPrivatecaCertificateTemplatePassthroughExtensionsAdditionalExtensionsObjectIdPath(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - transformed := make(map[string]interface{}) - if l, ok := d.Get("terraform_labels").(map[string]interface{}); ok { - for k, _ := range l { - transformed[k] = v[k] - } - } +func expandPrivatecaCertificateTemplateMaximumLifetime(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} - return transformed +func expandPrivatecaCertificateTemplateDescription(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil } -func flattenPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensionsArray(obj []privateca.CertificateTemplatePassthroughExtensionsKnownExtensionsEnum) interface{} { - if obj == nil { - return nil - } - items := []string{} - for _, item := range obj { - items = append(items, string(item)) +func expandPrivatecaCertificateTemplateEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) { + if v == nil { + return map[string]string{}, nil } - return items -} -func expandPrivatecaCertificateTemplatePassthroughExtensionsKnownExtensionsArray(o interface{}) 
[]privateca.CertificateTemplatePassthroughExtensionsKnownExtensionsEnum { - objs := o.([]interface{}) - items := make([]privateca.CertificateTemplatePassthroughExtensionsKnownExtensionsEnum, 0, len(objs)) - for _, item := range objs { - i := privateca.CertificateTemplatePassthroughExtensionsKnownExtensionsEnumRef(item.(string)) - items = append(items, *i) + m := make(map[string]string) + for k, val := range v.(map[string]interface{}) { + m[k] = val.(string) } - return items + return m, nil } diff --git a/google/services/privateca/resource_privateca_certificate_template_generated_test.go b/google/services/privateca/resource_privateca_certificate_template_generated_test.go index 34d38211f18..3894e64b2f7 100644 --- a/google/services/privateca/resource_privateca_certificate_template_generated_test.go +++ b/google/services/privateca/resource_privateca_certificate_template_generated_test.go 
@@ -3,42 +3,37 @@ // ---------------------------------------------------------------------------- // -// *** AUTO GENERATED CODE *** Type: DCL *** +// *** AUTO GENERATED CODE *** Type: MMv1 *** // // ---------------------------------------------------------------------------- // -// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) -// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). -// Changes will need to be made to the DCL or Magic Modules instead of here. +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. // -// We are not currently able to accept contributions to this file. If changes -// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. // // ---------------------------------------------------------------------------- package privateca_test import ( - "context" "fmt" - dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl" - privateca "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/privateca" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "strings" "testing" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/hashicorp/terraform-provider-google/google/acctest" - "github.com/hashicorp/terraform-provider-google/google/envvar" + "github.com/hashicorp/terraform-provider-google/google/tpgresource" transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport" ) -func TestAccPrivatecaCertificateTemplate_BasicCertificateTemplate(t *testing.T) { +func TestAccPrivatecaCertificateTemplate_privatecaTemplateBasicExample(t 
*testing.T) { t.Parallel() context := map[string]interface{}{ - "project_name": envvar.GetTestProjectFromEnv(), - "region": envvar.GetTestRegionFromEnv(), "random_suffix": acctest.RandString(t, 10), } @@ -48,33 +43,24 @@ func TestAccPrivatecaCertificateTemplate_BasicCertificateTemplate(t *testing.T) CheckDestroy: testAccCheckPrivatecaCertificateTemplateDestroyProducer(t), Steps: []resource.TestStep{ { - Config: testAccPrivatecaCertificateTemplate_BasicCertificateTemplate(context), - }, - { - ResourceName: "google_privateca_certificate_template.primary", - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"predefined_values.0.key_usage.0.extended_key_usage", "labels", "terraform_labels"}, - }, - { - Config: testAccPrivatecaCertificateTemplate_BasicCertificateTemplateUpdate0(context), + Config: testAccPrivatecaCertificateTemplate_privatecaTemplateBasicExample(context), }, { - ResourceName: "google_privateca_certificate_template.primary", + ResourceName: "google_privateca_certificate_template.default", ImportState: true, ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"predefined_values.0.key_usage.0.extended_key_usage", "labels", "terraform_labels"}, + ImportStateVerifyIgnore: []string{"labels", "location", "name", "terraform_labels"}, }, }, }) } -func testAccPrivatecaCertificateTemplate_BasicCertificateTemplate(context map[string]interface{}) string { +func testAccPrivatecaCertificateTemplate_privatecaTemplateBasicExample(context map[string]interface{}) string { return acctest.Nprintf(` -resource "google_privateca_certificate_template" "primary" { - location = "%{region}" - name = "tf-test-template%{random_suffix}" - description = "An updated sample certificate template" +resource "google_privateca_certificate_template" "default" { + name = "tf-test-my-template%{random_suffix}" + location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true 
@@ -94,7 +80,6 @@ resource "google_privateca_certificate_template" "primary" { additional_extensions { object_id_path = [1, 6] } - known_extensions = ["EXTENDED_KEY_USAGE"] } @@ -103,18 +88,14 @@ resource "google_privateca_certificate_template" "primary" { object_id { object_id_path = [1, 6] } - value = "c3RyaW5nCg==" critical = true } - aia_ocsp_servers = ["string"] - ca_options { is_ca = false max_issuer_path_length = 6 } - key_usage { base_key_usage { cert_sign = false @@ -127,7 +108,6 @@ resource "google_privateca_certificate_template" "primary" { key_agreement = true key_encipherment = true } - extended_key_usage { client_auth = true code_signing = true 
@@ -136,121 +116,26 @@ resource "google_privateca_certificate_template" "primary" { server_auth = true time_stamping = true } - unknown_extended_key_usages { object_id_path = [1, 6] } } - policy_ids { object_id_path = [1, 6] } } - project = "%{project_name}" - - labels = { - label-two = "value-two" - } -} - - -`, context) -} - -func testAccPrivatecaCertificateTemplate_BasicCertificateTemplateUpdate0(context map[string]interface{}) string { - return acctest.Nprintf(` -resource "google_privateca_certificate_template" "primary" { - location = "%{region}" - name = "tf-test-template%{random_suffix}" - description = "A sample certificate template" - - identity_constraints { - allow_subject_alt_names_passthrough = false - allow_subject_passthrough = false - - cel_expression { - description = "Always false" - expression = "false" - location = "update.certificate_template.json" - title = "New sample expression" - } - } - - maximum_lifetime = "172800s" - - passthrough_extensions { - additional_extensions { - object_id_path = [1, 7] - } - - known_extensions = ["BASE_KEY_USAGE"] - } - - predefined_values { - additional_extensions { - object_id { - object_id_path = [1, 7] - } - - value = "bmV3LXN0cmluZw==" - critical = false - } - - aia_ocsp_servers = ["new-string"] - - ca_options { - is_ca = true - max_issuer_path_length = 7 - } - - key_usage { - base_key_usage { - cert_sign = true - content_commitment = false - crl_sign = true - data_encipherment = false - decipher_only = false - digital_signature = false - encipher_only = false - key_agreement = false - key_encipherment = false - } - - extended_key_usage { - client_auth = false - code_signing = false - email_protection = false - ocsp_signing = false - server_auth = false - time_stamping = false - } - - unknown_extended_key_usages { - object_id_path = [1, 7] - } - } - - policy_ids { - object_id_path = [1, 7] - } - } - - project = "%{project_name}" - labels = { label-one = "value-one" } } - - `, context) } func 
testAccCheckPrivatecaCertificateTemplateDestroyProducer(t *testing.T) func(s *terraform.State) error { return func(s *terraform.State) error { for name, rs := range s.RootModule().Resources { - if rs.Type != "rs.google_privateca_certificate_template" { + if rs.Type != "google_privateca_certificate_template" { continue } if strings.HasPrefix(name, "data.") { @@ -259,27 +144,29 @@ func testAccCheckPrivatecaCertificateTemplateDestroyProducer(t *testing.T) func( config := acctest.GoogleProviderConfig(t) + url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}") + if err != nil { + return err + } + billingProject := "" + if config.BillingProject != "" { billingProject = config.BillingProject } - obj := &privateca.CertificateTemplate{ - Location: dcl.String(rs.Primary.Attributes["location"]), - Name: dcl.String(rs.Primary.Attributes["name"]), - Description: dcl.String(rs.Primary.Attributes["description"]), - MaximumLifetime: dcl.String(rs.Primary.Attributes["maximum_lifetime"]), - Project: dcl.StringOrNil(rs.Primary.Attributes["project"]), - CreateTime: dcl.StringOrNil(rs.Primary.Attributes["create_time"]), - UpdateTime: dcl.StringOrNil(rs.Primary.Attributes["update_time"]), - } - - client := transport_tpg.NewDCLPrivatecaClient(config, config.UserAgent, billingProject, 0) - _, err := client.GetCertificateTemplate(context.Background(), obj) + _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: billingProject, + RawURL: url, + UserAgent: config.UserAgent, + }) if err == nil { - return fmt.Errorf("google_privateca_certificate_template still exists %v", obj) + return fmt.Errorf("PrivatecaCertificateTemplate still exists at %s", url) } } + return nil } } 
diff --git a/google/services/privateca/resource_privateca_certificate_template_sweeper.go b/google/services/privateca/resource_privateca_certificate_template_sweeper.go index 7760e82f693..52846cdbe4a 100644 --- a/google/services/privateca/resource_privateca_certificate_template_sweeper.go +++ b/google/services/privateca/resource_privateca_certificate_template_sweeper.go @@ -3,16 +3,15 @@ // ---------------------------------------------------------------------------- // -// *** AUTO GENERATED CODE *** Type: DCL *** +// *** AUTO GENERATED CODE *** Type: MMv1 *** // // ---------------------------------------------------------------------------- // -// This file is managed by Magic Modules (https://github.com/GoogleCloudPlatform/magic-modules) -// and is based on the DCL (https://github.com/GoogleCloudPlatform/declarative-resource-client-library). -// Changes will need to be made to the DCL or Magic Modules instead of here. +// This file is automatically generated by Magic Modules and manual +// changes will be clobbered when the file is regenerated. // -// We are not currently able to accept contributions to this file. If changes -// are required, please file an issue at https://github.com/hashicorp/terraform-provider-google/issues/new/choose +// Please read more about how to change this file in +// .github/CONTRIBUTING.md. // // ---------------------------------------------------------------------------- @@ -21,11 +20,12 @@ package privateca import ( "context" "log" + "strings" "testing" - privateca "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/privateca" "github.com/hashicorp/terraform-provider-google/google/envvar" "github.com/hashicorp/terraform-provider-google/google/sweeper" + "github.com/hashicorp/terraform-provider-google/google/tpgresource" transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport" ) 
@@ -33,8 +33,10 @@ func init() { sweeper.AddTestSweepers("PrivatecaCertificateTemplate", testSweepPrivatecaCertificateTemplate) } +// At the time of writing, the CI only passes us-central1 as the region func testSweepPrivatecaCertificateTemplate(region string) error { - log.Print("[INFO][SWEEPER_LOG] Starting sweeper for PrivatecaCertificateTemplate") + resourceName := "PrivatecaCertificateTemplate" + log.Printf("[INFO][SWEEPER_LOG] Starting sweeper for %s", resourceName) config, err := sweeper.SharedConfigForRegion(region) if err != nil { 
@@ -51,23 +53,87 @@ func testSweepPrivatecaCertificateTemplate(region string) error { t := &testing.T{} billingId := envvar.GetTestBillingAccountFromEnv(t) - // Setup variables to be used for Delete arguments. - d := map[string]string{ - "project": config.Project, - "region": region, - "location": region, - "zone": "-", - "billing_account": billingId, + // Setup variables to replace in list template + d := &tpgresource.ResourceDataMock{ + FieldsInSchema: map[string]interface{}{ + "project": config.Project, + "region": region, + "location": region, + "zone": "-", + "billing_account": billingId, + }, } - client := transport_tpg.NewDCLPrivatecaClient(config, config.UserAgent, "", 0) - err = client.DeleteAllCertificateTemplate(context.Background(), d["project"], d["location"], isDeletablePrivatecaCertificateTemplate) + listTemplate := strings.Split("https://privateca.googleapis.com/v1/projects/{{project}}/locations/{{location}}/certificateTemplates", "?")[0] + listUrl, err := tpgresource.ReplaceVars(d, config, listTemplate) if err != nil { - return err + log.Printf("[INFO][SWEEPER_LOG] error preparing sweeper list url: %s", err) + return nil } - return nil -} -func isDeletablePrivatecaCertificateTemplate(r *privateca.CertificateTemplate) bool { - return sweeper.IsSweepableTestResource(*r.Name) + res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "GET", + Project: config.Project, + RawURL: listUrl, + UserAgent: config.UserAgent, + }) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error in response from request %s: %s", listUrl, err) + return nil + } + + resourceList, ok := res["certificateTemplates"] + if !ok { + log.Printf("[INFO][SWEEPER_LOG] Nothing found in response.") + return nil + } + + rl := resourceList.([]interface{}) + + log.Printf("[INFO][SWEEPER_LOG] Found %d items in %s list response.", len(rl), resourceName) + // Keep count of items that aren't sweepable for logging. 
+ nonPrefixCount := 0 + for _, ri := range rl { + obj := ri.(map[string]interface{}) + if obj["name"] == nil { + log.Printf("[INFO][SWEEPER_LOG] %s resource name was nil", resourceName) + return nil + } + + name := tpgresource.GetResourceNameFromSelfLink(obj["name"].(string)) + // Skip resources that shouldn't be sweeped + if !sweeper.IsSweepableTestResource(name) { + nonPrefixCount++ + continue + } + + deleteTemplate := "https://privateca.googleapis.com/v1/projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}" + deleteUrl, err := tpgresource.ReplaceVars(d, config, deleteTemplate) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] error preparing delete url: %s", err) + return nil + } + deleteUrl = deleteUrl + name + + // Don't wait on operations as we may have a lot to delete + _, err = transport_tpg.SendRequest(transport_tpg.SendRequestOptions{ + Config: config, + Method: "DELETE", + Project: config.Project, + RawURL: deleteUrl, + UserAgent: config.UserAgent, + }) + if err != nil { + log.Printf("[INFO][SWEEPER_LOG] Error deleting for url %s : %s", deleteUrl, err) + } else { + log.Printf("[INFO][SWEEPER_LOG] Sent delete request for %s resource: %s", resourceName, name) + } + } + + if nonPrefixCount > 0 { + log.Printf("[INFO][SWEEPER_LOG] %d items were non-sweepable and skipped.", nonPrefixCount) + } + + return nil } diff --git a/google/services/privateca/resource_privateca_certificate_template_test.go b/google/services/privateca/resource_privateca_certificate_template_test.go new file mode 100644 index 00000000000..b2f5953b8ae --- /dev/null +++ b/google/services/privateca/resource_privateca_certificate_template_test.go 
@@ -0,0 +1,434 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+package privateca_test
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+ "github.com/hashicorp/terraform-provider-google/google/acctest"
+ "github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccPrivatecaCertificateTemplate_BasicCertificateTemplate(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "project_name": envvar.GetTestProjectFromEnv(),
+ "region": envvar.GetTestRegionFromEnv(),
+ "random_suffix": acctest.RandString(t, 10),
+ }
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+ CheckDestroy: testAccCheckPrivatecaCertificateTemplateDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccPrivatecaCertificateTemplate_BasicCertificateTemplate(context),
+ },
+ {
+ ResourceName: "google_privateca_certificate_template.primary",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"predefined_values.0.key_usage.0.extended_key_usage", "labels", "terraform_labels"},
+ },
+ {
+ Config: testAccPrivatecaCertificateTemplate_BasicCertificateTemplateUpdate0(context),
+ },
+ {
+ ResourceName: "google_privateca_certificate_template.primary",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"predefined_values.0.key_usage.0.extended_key_usage", "labels", "terraform_labels"},
+ },
+ },
+ })
+}
+
+func TestAccPrivatecaCertificateTemplate_BasicCertificateTemplateLongForm(t *testing.T) {
+ t.Parallel()
+
+ context := map[string]interface{}{
+ "project_name": envvar.GetTestProjectFromEnv(),
+ "region": envvar.GetTestRegionFromEnv(),
+ "random_suffix": acctest.RandString(t, 10),
+ }
+
+ acctest.VcrTest(t, resource.TestCase{
+ PreCheck: func() { acctest.AccTestPreCheck(t) },
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+ CheckDestroy: testAccCheckPrivatecaCertificateTemplateDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccPrivatecaCertificateTemplate_BasicCertificateTemplateLongForm(context),
+ },
+ {
+ ResourceName: "google_privateca_certificate_template.primary",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"predefined_values.0.key_usage.0.extended_key_usage", "labels", "terraform_labels", "project", "location", "name"},
+ },
+ {
+ Config: testAccPrivatecaCertificateTemplate_BasicCertificateTemplateLongFormUpdate0(context),
+ },
+ {
+ ResourceName: "google_privateca_certificate_template.primary",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"predefined_values.0.key_usage.0.extended_key_usage", "labels", "terraform_labels", "project", "location", "name"},
+ },
+ },
+ })
+}
+
+func testAccPrivatecaCertificateTemplate_BasicCertificateTemplate(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+resource "google_privateca_certificate_template" "primary" {
+ location = "%{region}"
+ name = "tf-test-template%{random_suffix}"
+ maximum_lifetime = "86400s"
+ description = "An updated sample certificate template"
+
+ identity_constraints {
+ allow_subject_alt_names_passthrough = true
+ allow_subject_passthrough = true
+
+ cel_expression {
+ description = "Always true"
+ expression = "true"
+ location = "any.file.anywhere"
+ title = "Sample expression"
+ }
+ }
+
+ passthrough_extensions {
+ additional_extensions {
+ object_id_path = [1, 6]
+ }
+
+ known_extensions = ["EXTENDED_KEY_USAGE"]
+ }
+
+ predefined_values {
+ additional_extensions {
+ object_id {
+ object_id_path = [1, 6]
+ }
+
+ value = "c3RyaW5nCg=="
+ critical = true
+ }
+
+ aia_ocsp_servers = ["string"]
+
+ ca_options {
+ is_ca = false
+ max_issuer_path_length = 6
+ }
+
+ key_usage {
+ base_key_usage {
+ cert_sign = false
+ content_commitment = true
+ crl_sign = false
+ data_encipherment = true
+ decipher_only = true
+ digital_signature = true
+ encipher_only = true
+ key_agreement = true
+ key_encipherment = true
+ }
+
+ extended_key_usage {
+ client_auth = true
+ code_signing = true
+ email_protection = true
+ ocsp_signing = true
+ server_auth = true
+ time_stamping = true
+ }
+
+ unknown_extended_key_usages {
+ object_id_path = [1, 6]
+ }
+ }
+
+ policy_ids {
+ object_id_path = [1, 6]
+ }
+ }
+
+ project = "%{project_name}"
+
+ labels = {
+ label-two = "value-two"
+ }
+}
+
+
+`, context)
+}
+
+func testAccPrivatecaCertificateTemplate_BasicCertificateTemplateUpdate0(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+resource "google_privateca_certificate_template" "primary" {
+ location = "%{region}"
+ name = "tf-test-template%{random_suffix}"
+ maximum_lifetime = "172800s"
+ description = "A sample certificate template"
+
+ identity_constraints {
+ allow_subject_alt_names_passthrough = false
+ allow_subject_passthrough = false
+
+ cel_expression {
+ description = "Always false"
+ expression = "false"
+ location = "update.certificate_template.json"
+ title = "New sample expression"
+ }
+ }
+
+ passthrough_extensions {
+ additional_extensions {
+ object_id_path = [1, 7]
+ }
+
+ known_extensions = ["BASE_KEY_USAGE"]
+ }
+
+ predefined_values {
+ additional_extensions {
+ object_id {
+ object_id_path = [1, 7]
+ }
+
+ value = "bmV3LXN0cmluZw=="
+ critical = false
+ }
+
+ aia_ocsp_servers = ["new-string"]
+
+ ca_options {
+ is_ca = true
+ max_issuer_path_length = 7
+ }
+
+ key_usage {
+ base_key_usage {
+ cert_sign = true
+ content_commitment = false
+ crl_sign = true
+ data_encipherment = false
+ decipher_only = false
+ digital_signature = false
+ encipher_only = false
+ key_agreement = false
+ key_encipherment = false
+ }
+
+ extended_key_usage {
+ client_auth = false
+ code_signing = false
+ email_protection = false
+ ocsp_signing = false
+ server_auth = false
+ time_stamping = false
+ }
+
+ unknown_extended_key_usages {
+ object_id_path = [1, 7]
+ }
+ }
+
+ policy_ids {
+ object_id_path = [1, 7]
+ }
+ }
+
+ project = "%{project_name}"
+
+ labels = {
+ label-one = "value-one"
+ }
+}
+
+
+`, context)
+}
+
+func testAccPrivatecaCertificateTemplate_BasicCertificateTemplateLongForm(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+resource "google_privateca_certificate_template" "primary" {
+ location = "long/form/%{region}"
+ name = "long/form/tf-test-template%{random_suffix}"
+ description = "An updated sample certificate template"
+
+ identity_constraints {
+ allow_subject_alt_names_passthrough = true
+ allow_subject_passthrough = true
+
+ cel_expression {
+ description = "Always true"
+ expression = "true"
+ location = "any.file.anywhere"
+ title = "Sample expression"
+ }
+ }
+
+ passthrough_extensions {
+ additional_extensions {
+ object_id_path = [1, 6]
+ }
+
+ known_extensions = ["EXTENDED_KEY_USAGE"]
+ }
+
+ predefined_values {
+ additional_extensions {
+ object_id {
+ object_id_path = [1, 6]
+ }
+
+ value = "c3RyaW5nCg=="
+ critical = true
+ }
+
+ aia_ocsp_servers = ["string"]
+
+ ca_options {
+ is_ca = false
+ max_issuer_path_length = 6
+ }
+
+ key_usage {
+ base_key_usage {
+ cert_sign = false
+ content_commitment = true
+ crl_sign = false
+ data_encipherment = true
+ decipher_only = true
+ digital_signature = true
+ encipher_only = true
+ key_agreement = true
+ key_encipherment = true
+ }
+
+ extended_key_usage {
+ client_auth = true
+ code_signing = true
+ email_protection = true
+ ocsp_signing = true
+ server_auth = true
+ time_stamping = true
+ }
+
+ unknown_extended_key_usages {
+ object_id_path = [1, 6]
+ }
+ }
+
+ policy_ids {
+ object_id_path = [1, 6]
+ }
+ }
+
+ project = "projects/%{project_name}"
+
+ labels = {
+ label-two = "value-two"
+ }
+}
+
+
+`, context)
+}
+
+func testAccPrivatecaCertificateTemplate_BasicCertificateTemplateLongFormUpdate0(context map[string]interface{}) string {
+ return acctest.Nprintf(`
+resource "google_privateca_certificate_template" "primary" {
+ location = "long/form/%{region}"
+ name = "long/form/tf-test-template%{random_suffix}"
+ description = "A sample certificate template"
+
+ identity_constraints {
+ allow_subject_alt_names_passthrough = false
+ allow_subject_passthrough = false
+
+ cel_expression {
+ description = "Always false"
+ expression = "false"
+ location = "update.certificate_template.json"
+ title = "New sample expression"
+ }
+ }
+
+ passthrough_extensions {
+ additional_extensions {
+ object_id_path = [1, 7]
+ }
+
+ known_extensions = ["BASE_KEY_USAGE"]
+ }
+
+ predefined_values {
+ additional_extensions {
+ object_id {
+ object_id_path = [1, 7]
+ }
+
+ value = "bmV3LXN0cmluZw=="
+ critical = false
+ }
+
+ aia_ocsp_servers = ["new-string"]
+
+ ca_options {
+ is_ca = true
+ max_issuer_path_length = 7
+ }
+
+ key_usage {
+ base_key_usage {
+ cert_sign = true
+ content_commitment = false
+ crl_sign = true
+ data_encipherment = false
+ decipher_only = false
+ digital_signature = false
+ encipher_only = false
+ key_agreement = false
+ key_encipherment = false
+ }
+
+ extended_key_usage {
+ client_auth = false
+ code_signing = false
+ email_protection = false
+ ocsp_signing = false
+ server_auth = false
+ time_stamping = false
+ }
+
+ unknown_extended_key_usages {
+ object_id_path = [1, 7]
+ }
+ }
+
+ policy_ids {
+ object_id_path = [1, 7]
+ }
+ }
+
+ project = "projects/%{project_name}"
+
+ labels = {
+ label-one = "value-one"
+ }
+}
+
+
+`, context)
+}
diff --git a/google/transport/provider_dcl_client_creation.go b/google/transport/provider_dcl_client_creation.go
index 58c8db9a1eb..b926f031e82 100644
--- a/google/transport/provider_dcl_client_creation.go
+++ b/google/transport/provider_dcl_client_creation.go
@@ -40,7 +40,6 @@ import ( gkehub "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/gkehub" networkconnectivity "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/networkconnectivity" orgpolicy "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/orgpolicy" - privateca "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/privateca" recaptchaenterprise "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/recaptchaenterprise" ) @@ -412,29 +411,6 @@ func NewDCLOrgPolicyClient(config *Config, userAgent, billingProject string, tim return orgpolicy.NewClient(dclConfig) } -func NewDCLPrivatecaClient(config *Config, userAgent, billingProject string, timeout time.Duration) *privateca.Client { - configOptions := []dcl.ConfigOption{ - dcl.WithHTTPClient(config.Client), - dcl.WithUserAgent(userAgent), - dcl.WithLogger(dclLogger{}), - dcl.WithBasePath(config.PrivatecaBasePath), - } - - if timeout != 0 { - configOptions = append(configOptions, dcl.WithTimeout(timeout)) - } - - if config.UserProjectOverride { - configOptions = append(configOptions, dcl.WithUserProjectOverride()) - if billingProject != "" { - configOptions = append(configOptions, dcl.WithBillingProject(billingProject)) - } - } - - dclConfig := dcl.NewConfig(configOptions...) - return privateca.NewClient(dclConfig) -} - func NewDCLRecaptchaEnterpriseClient(config *Config, userAgent, billingProject string, timeout time.Duration) *recaptchaenterprise.Client { configOptions := []dcl.ConfigOption{ dcl.WithHTTPClient(config.Client), diff --git a/website/docs/d/artifact_registry_repository_iam_policy.html.markdown b/website/docs/d/artifact_registry_repository_iam_policy.html.markdown index f3d11f73e4b..411eddb1263 100644 --- a/website/docs/d/artifact_registry_repository_iam_policy.html.markdown 
+++ b/website/docs/d/artifact_registry_repository_iam_policy.html.markdown @@ -37,8 +37,10 @@ data "google_artifact_registry_repository_iam_policy" "policy" { The following arguments are supported: * `repository` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The name of the location this repository is located in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location this repository is located in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/bigquery_analytics_hub_data_exchange_iam_policy.html.markdown b/website/docs/d/bigquery_analytics_hub_data_exchange_iam_policy.html.markdown index f3afa166339..8d97dee5039 100644 --- a/website/docs/d/bigquery_analytics_hub_data_exchange_iam_policy.html.markdown +++ b/website/docs/d/bigquery_analytics_hub_data_exchange_iam_policy.html.markdown 
@@ -37,8 +37,10 @@ data "google_bigquery_analytics_hub_data_exchange_iam_policy" "policy" { The following arguments are supported: * `data_exchange_id` - (Required) The ID of the data exchange. Must contain only Unicode letters, numbers (0-9), underscores (_). Should not use characters that require URL-escaping, or characters outside of ASCII, spaces. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The name of the location this data exchange. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location this data exchange. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/bigquery_analytics_hub_listing_iam_policy.html.markdown b/website/docs/d/bigquery_analytics_hub_listing_iam_policy.html.markdown index 02abc34ae74..30488a754c5 100644 --- a/website/docs/d/bigquery_analytics_hub_listing_iam_policy.html.markdown +++ b/website/docs/d/bigquery_analytics_hub_listing_iam_policy.html.markdown 
@@ -39,8 +39,10 @@ The following arguments are supported: * `data_exchange_id` - (Required) The ID of the data exchange. Must contain only Unicode letters, numbers (0-9), underscores (_). Should not use characters that require URL-escaping, or characters outside of ASCII, spaces. Used to find the parent resource to bind the IAM policy to * `listing_id` - (Required) The ID of the listing. Must contain only Unicode letters, numbers (0-9), underscores (_). Should not use characters that require URL-escaping, or characters outside of ASCII, spaces. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The name of the location this data exchange listing. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location this data exchange listing. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/bigquery_connection_iam_policy.html.markdown b/website/docs/d/bigquery_connection_iam_policy.html.markdown index ee2219c4723..8c677f51250 100644 --- a/website/docs/d/bigquery_connection_iam_policy.html.markdown +++ b/website/docs/d/bigquery_connection_iam_policy.html.markdown 
@@ -38,13 +38,15 @@ The following arguments are supported: * `connection_id` - (Required) Optional connection id that should be assigned to the created connection. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The geographic location where the connection should reside. +* `location` - (Optional) The geographic location where the connection should reside. Cloud SQL instance must be in the same location as the connection with following exceptions: Cloud SQL us-central1 maps to BigQuery US, Cloud SQL europe-west1 maps to BigQuery EU. Examples: US, EU, asia-northeast1, us-central1, europe-west1. Spanner Connections same as spanner region AWS allowed regions are aws-us-east-1 -Azure allowed regions are azure-eastus2 Used to find the parent resource to bind the IAM policy to +Azure allowed regions are azure-eastus2 Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/bigquery_datapolicy_data_policy_iam_policy.html.markdown b/website/docs/d/bigquery_datapolicy_data_policy_iam_policy.html.markdown index ddc7f3dbe17..0cbf65a5ab9 100644 --- a/website/docs/d/bigquery_datapolicy_data_policy_iam_policy.html.markdown +++ b/website/docs/d/bigquery_datapolicy_data_policy_iam_policy.html.markdown 
@@ -36,8 +36,10 @@ data "google_bigquery_datapolicy_data_policy_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The name of the location of the data policy. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location of the data policy. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/cloud_run_service_iam_policy.html.markdown b/website/docs/d/cloud_run_service_iam_policy.html.markdown index 8b5b58d22a5..60868a387d1 100644 --- a/website/docs/d/cloud_run_service_iam_policy.html.markdown +++ b/website/docs/d/cloud_run_service_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_cloud_run_service_iam_policy" "policy" { The following arguments are supported: * `service` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the cloud run instance. eg us-central1 Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the cloud run instance. eg us-central1 Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/cloud_run_v2_job_iam_policy.html.markdown b/website/docs/d/cloud_run_v2_job_iam_policy.html.markdown index 0838b3881d1..9bb4d7c0d77 100644 --- a/website/docs/d/cloud_run_v2_job_iam_policy.html.markdown +++ b/website/docs/d/cloud_run_v2_job_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_cloud_run_v2_job_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the cloud run job Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the cloud run job Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/cloud_run_v2_service_iam_policy.html.markdown b/website/docs/d/cloud_run_v2_service_iam_policy.html.markdown index aa1fbf506a1..90daf34975a 100644 --- a/website/docs/d/cloud_run_v2_service_iam_policy.html.markdown +++ b/website/docs/d/cloud_run_v2_service_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_cloud_run_v2_service_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the cloud run service Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the cloud run service Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/cloud_tasks_queue_iam_policy.html.markdown b/website/docs/d/cloud_tasks_queue_iam_policy.html.markdown index 9cfb79053ce..2af5b2df133 100644 --- a/website/docs/d/cloud_tasks_queue_iam_policy.html.markdown +++ b/website/docs/d/cloud_tasks_queue_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_cloud_tasks_queue_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the queue Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the queue Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/cloudbuildv2_connection_iam_policy.html.markdown b/website/docs/d/cloudbuildv2_connection_iam_policy.html.markdown index 0f83397775e..a58c37496e2 100644 --- a/website/docs/d/cloudbuildv2_connection_iam_policy.html.markdown +++ b/website/docs/d/cloudbuildv2_connection_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_cloudbuildv2_connection_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location for the resource Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/clouddeploy_custom_target_type_iam_policy.html.markdown b/website/docs/d/clouddeploy_custom_target_type_iam_policy.html.markdown index 7f6855f522b..8a7b51e679d 100644 --- a/website/docs/d/clouddeploy_custom_target_type_iam_policy.html.markdown +++ b/website/docs/d/clouddeploy_custom_target_type_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_clouddeploy_custom_target_type_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the source. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the source. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/cloudfunctions2_function_iam_policy.html.markdown b/website/docs/d/cloudfunctions2_function_iam_policy.html.markdown index 43eeeae0372..e68e110f961 100644 --- a/website/docs/d/cloudfunctions2_function_iam_policy.html.markdown +++ b/website/docs/d/cloudfunctions2_function_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_cloudfunctions2_function_iam_policy" "policy" { The following arguments are supported: * `cloud_function` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of this cloud function. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of this cloud function. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/dataplex_aspect_type_iam_policy.html.markdown b/website/docs/d/dataplex_aspect_type_iam_policy.html.markdown index 841a53a696d..0e210e2b0e8 100644 --- a/website/docs/d/dataplex_aspect_type_iam_policy.html.markdown +++ b/website/docs/d/dataplex_aspect_type_iam_policy.html.markdown 
@@ -36,8 +36,10 @@ data "google_dataplex_aspect_type_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location where aspect type will be created in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where aspect type will be created in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/dataplex_datascan_iam_policy.html.markdown b/website/docs/d/dataplex_datascan_iam_policy.html.markdown index dbab9ebf031..1d12d3b8081 100644 --- a/website/docs/d/dataplex_datascan_iam_policy.html.markdown +++ b/website/docs/d/dataplex_datascan_iam_policy.html.markdown 
@@ -36,8 +36,10 @@ data "google_dataplex_datascan_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location where the data scan should reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the data scan should reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/dataplex_entry_group_iam_policy.html.markdown b/website/docs/d/dataplex_entry_group_iam_policy.html.markdown index cff820e5ebe..41834af72c2 100644 --- a/website/docs/d/dataplex_entry_group_iam_policy.html.markdown +++ b/website/docs/d/dataplex_entry_group_iam_policy.html.markdown 
@@ -36,8 +36,10 @@ data "google_dataplex_entry_group_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location where entry group will be created in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where entry group will be created in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/dataplex_task_iam_policy.html.markdown b/website/docs/d/dataplex_task_iam_policy.html.markdown index 5a60498859a..b04a1899920 100644 --- a/website/docs/d/dataplex_task_iam_policy.html.markdown +++ b/website/docs/d/dataplex_task_iam_policy.html.markdown @@ -37,8 +37,10 @@ data "google_dataplex_task_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location in which the task will be created in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location in which the task will be created in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `lake` - (Required) The lake in which the task will be created in. Used to find the parent resource to bind the IAM policy to 
diff --git a/website/docs/d/dataproc_autoscaling_policy_iam_policy.html.markdown b/website/docs/d/dataproc_autoscaling_policy_iam_policy.html.markdown index daa7bfa04b4..a158641c24f 100644 --- a/website/docs/d/dataproc_autoscaling_policy_iam_policy.html.markdown +++ b/website/docs/d/dataproc_autoscaling_policy_iam_policy.html.markdown @@ -40,9 +40,11 @@ The following arguments are supported: and hyphens (-). Cannot begin or end with underscore or hyphen. Must consist of between 3 and 50 characters. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location where the autoscaling policy should reside. +* `location` - (Optional) The location where the autoscaling policy should reside. The default value is `global`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/dataproc_metastore_federation_iam_policy.html.markdown b/website/docs/d/dataproc_metastore_federation_iam_policy.html.markdown index 8fab62ecad8..75993350c66 100644 --- a/website/docs/d/dataproc_metastore_federation_iam_policy.html.markdown +++ b/website/docs/d/dataproc_metastore_federation_iam_policy.html.markdown 
@@ -36,8 +36,10 @@ data "google_dataproc_metastore_federation_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location where the metastore federation should reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the metastore federation should reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/dataproc_metastore_service_iam_policy.html.markdown b/website/docs/d/dataproc_metastore_service_iam_policy.html.markdown index 4290c576fdf..d79578dd870 100644 --- a/website/docs/d/dataproc_metastore_service_iam_policy.html.markdown +++ b/website/docs/d/dataproc_metastore_service_iam_policy.html.markdown 
@@ -36,9 +36,11 @@ data "google_dataproc_metastore_service_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location where the metastore service should reside. +* `location` - (Optional) The location where the metastore service should reside. The default value is `global`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/gke_backup_backup_plan_iam_policy.html.markdown b/website/docs/d/gke_backup_backup_plan_iam_policy.html.markdown index ea647b2083c..28d812665d1 100644 --- a/website/docs/d/gke_backup_backup_plan_iam_policy.html.markdown +++ b/website/docs/d/gke_backup_backup_plan_iam_policy.html.markdown 
@@ -37,8 +37,10 @@ data "google_gke_backup_backup_plan_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The region of the Backup Plan. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The region of the Backup Plan. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/gke_backup_restore_plan_iam_policy.html.markdown b/website/docs/d/gke_backup_restore_plan_iam_policy.html.markdown index 83f6bacc923..f47f56ffe36 100644 --- a/website/docs/d/gke_backup_restore_plan_iam_policy.html.markdown +++ b/website/docs/d/gke_backup_restore_plan_iam_policy.html.markdown 
@@ -37,8 +37,10 @@ data "google_gke_backup_restore_plan_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The region of the Restore Plan. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The region of the Restore Plan. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/gke_hub_feature_iam_policy.html.markdown b/website/docs/d/gke_hub_feature_iam_policy.html.markdown index 83150135405..0b0076da4a3 100644 --- a/website/docs/d/gke_hub_feature_iam_policy.html.markdown +++ b/website/docs/d/gke_hub_feature_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_gke_hub_feature_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location for the resource Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/gke_hub_membership_iam_policy.html.markdown b/website/docs/d/gke_hub_membership_iam_policy.html.markdown index c93a3d1982b..8bbde489a1d 100644 --- a/website/docs/d/gke_hub_membership_iam_policy.html.markdown +++ b/website/docs/d/gke_hub_membership_iam_policy.html.markdown 
@@ -36,9 +36,11 @@ data "google_gke_hub_membership_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) Location of the membership. +* `location` - (Optional) Location of the membership. The default value is `global`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/network_security_address_group_iam_policy.html.markdown b/website/docs/d/network_security_address_group_iam_policy.html.markdown index bf94c37b6df..98e51083603 100644 --- a/website/docs/d/network_security_address_group_iam_policy.html.markdown +++ b/website/docs/d/network_security_address_group_iam_policy.html.markdown 
@@ -37,8 +37,10 @@ name = google_network_security_address_group.default.name The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the gateway security policy. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the gateway security policy. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/notebooks_instance_iam_policy.html.markdown b/website/docs/d/notebooks_instance_iam_policy.html.markdown index 0fd61c2d8fd..ca41f5ece36 100644 --- a/website/docs/d/notebooks_instance_iam_policy.html.markdown +++ b/website/docs/d/notebooks_instance_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_notebooks_instance_iam_policy" "policy" { The following arguments are supported: * `instance_name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/notebooks_runtime_iam_policy.html.markdown b/website/docs/d/notebooks_runtime_iam_policy.html.markdown index d2e369b92d7..707eec9f073 100644 --- a/website/docs/d/notebooks_runtime_iam_policy.html.markdown +++ b/website/docs/d/notebooks_runtime_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_notebooks_runtime_iam_policy" "policy" { The following arguments are supported: * `runtime_name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/privateca_ca_pool_iam_policy.html.markdown b/website/docs/d/privateca_ca_pool_iam_policy.html.markdown index 9ab0bb32908..7f30ff4aab8 100644 --- a/website/docs/d/privateca_ca_pool_iam_policy.html.markdown +++ b/website/docs/d/privateca_ca_pool_iam_policy.html.markdown 
@@ -35,9 +35,11 @@ data "google_privateca_ca_pool_iam_policy" "policy" { The following arguments are supported: * `ca_pool` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) Location of the CaPool. A full list of valid locations can be found by +* `location` - (Optional) Location of the CaPool. A full list of valid locations can be found by running `gcloud privateca locations list`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/privateca_certificate_template_iam_policy.html.markdown b/website/docs/d/privateca_certificate_template_iam_policy.html.markdown index d12cba8e477..14090adf293 100644 --- a/website/docs/d/privateca_certificate_template_iam_policy.html.markdown +++ b/website/docs/d/privateca_certificate_template_iam_policy.html.markdown 
@@ -35,6 +35,9 @@ data "google_privateca_certificate_template_iam_policy" "policy" { The following arguments are supported: * `certificate_template` - (Required) Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/secure_source_manager_instance_iam_policy.html.markdown b/website/docs/d/secure_source_manager_instance_iam_policy.html.markdown index 0808ac08121..349e2057927 100644 --- a/website/docs/d/secure_source_manager_instance_iam_policy.html.markdown +++ b/website/docs/d/secure_source_manager_instance_iam_policy.html.markdown @@ -36,8 +36,10 @@ data "google_secure_source_manager_instance_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location for the Instance. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the Instance. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `instance_id` - (Required) The name for the Instance. Used to find the parent resource to bind the IAM policy to 
diff --git a/website/docs/d/vertex_ai_endpoint_iam_policy.html.markdown b/website/docs/d/vertex_ai_endpoint_iam_policy.html.markdown index c38dd815797..3a6181de6a2 100644 --- a/website/docs/d/vertex_ai_endpoint_iam_policy.html.markdown +++ b/website/docs/d/vertex_ai_endpoint_iam_policy.html.markdown @@ -39,7 +39,9 @@ data "google_vertex_ai_endpoint_iam_policy" "policy" { The following arguments are supported: * `endpoint` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location for the resource Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `region` - (Optional) The region for the resource Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration. diff --git a/website/docs/d/workbench_instance_iam_policy.html.markdown b/website/docs/d/workbench_instance_iam_policy.html.markdown index ece6d8005c1..7268747d5d4 100644 --- a/website/docs/d/workbench_instance_iam_policy.html.markdown +++ b/website/docs/d/workbench_instance_iam_policy.html.markdown 
@@ -37,7 +37,9 @@ data "google_workbench_instance_iam_policy" "policy" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) Part of `parent`. See documentation of `projectsId`. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) Part of `parent`. See documentation of `projectsId`. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/workstations_workstation_config_iam_policy.html.markdown b/website/docs/d/workstations_workstation_config_iam_policy.html.markdown index 7f1b2897ce7..4f66c31b438 100644 --- a/website/docs/d/workstations_workstation_config_iam_policy.html.markdown +++ b/website/docs/d/workstations_workstation_config_iam_policy.html.markdown 
@@ -40,8 +40,10 @@ data "google_workstations_workstation_config_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location where the workstation cluster config should reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the workstation cluster config should reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/d/workstations_workstation_iam_policy.html.markdown b/website/docs/d/workstations_workstation_iam_policy.html.markdown index cc55c290172..40fa1fa49e2 100644 --- a/website/docs/d/workstations_workstation_iam_policy.html.markdown +++ b/website/docs/d/workstations_workstation_iam_policy.html.markdown 
@@ -41,8 +41,10 @@ data "google_workstations_workstation_iam_policy" "policy" { The following arguments are supported: -* `location` - (Required) The location where the workstation parent resources reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the workstation parent resources reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/artifact_registry_repository_iam.html.markdown b/website/docs/r/artifact_registry_repository_iam.html.markdown index dbd33498400..a53dc95ba1f 100644 --- a/website/docs/r/artifact_registry_repository_iam.html.markdown +++ b/website/docs/r/artifact_registry_repository_iam.html.markdown 
@@ -86,8 +86,10 @@ resource "google_artifact_registry_repository_iam_member" "member" { The following arguments are supported: * `repository` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The name of the location this repository is located in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location this repository is located in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/bigquery_analytics_hub_data_exchange_iam.html.markdown b/website/docs/r/bigquery_analytics_hub_data_exchange_iam.html.markdown index 95db52a0da3..8d6042bcb70 100644 --- a/website/docs/r/bigquery_analytics_hub_data_exchange_iam.html.markdown +++ b/website/docs/r/bigquery_analytics_hub_data_exchange_iam.html.markdown 
@@ -86,8 +86,10 @@ resource "google_bigquery_analytics_hub_data_exchange_iam_member" "member" { The following arguments are supported: * `data_exchange_id` - (Required) The ID of the data exchange. Must contain only Unicode letters, numbers (0-9), underscores (_). Should not use characters that require URL-escaping, or characters outside of ASCII, spaces. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The name of the location this data exchange. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location this data exchange. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/bigquery_analytics_hub_listing_iam.html.markdown b/website/docs/r/bigquery_analytics_hub_listing_iam.html.markdown index 5706d51bb55..9ba0a24fe25 100644 --- a/website/docs/r/bigquery_analytics_hub_listing_iam.html.markdown +++ b/website/docs/r/bigquery_analytics_hub_listing_iam.html.markdown 
@@ -90,8 +90,10 @@ The following arguments are supported: * `data_exchange_id` - (Required) The ID of the data exchange. Must contain only Unicode letters, numbers (0-9), underscores (_). Should not use characters that require URL-escaping, or characters outside of ASCII, spaces. Used to find the parent resource to bind the IAM policy to * `listing_id` - (Required) The ID of the listing. Must contain only Unicode letters, numbers (0-9), underscores (_). Should not use characters that require URL-escaping, or characters outside of ASCII, spaces. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The name of the location this data exchange listing. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location this data exchange listing. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/bigquery_connection_iam.html.markdown b/website/docs/r/bigquery_connection_iam.html.markdown index ae9b4ab5b07..8b8629672b9 100644 --- a/website/docs/r/bigquery_connection_iam.html.markdown +++ b/website/docs/r/bigquery_connection_iam.html.markdown 
@@ -87,13 +87,15 @@ The following arguments are supported: * `connection_id` - (Required) Optional connection id that should be assigned to the created connection. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The geographic location where the connection should reside. +* `location` - (Optional) The geographic location where the connection should reside. Cloud SQL instance must be in the same location as the connection with following exceptions: Cloud SQL us-central1 maps to BigQuery US, Cloud SQL europe-west1 maps to BigQuery EU. Examples: US, EU, asia-northeast1, us-central1, europe-west1. Spanner Connections same as spanner region AWS allowed regions are aws-us-east-1 -Azure allowed regions are azure-eastus2 Used to find the parent resource to bind the IAM policy to +Azure allowed regions are azure-eastus2 Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/bigquery_datapolicy_data_policy_iam.html.markdown b/website/docs/r/bigquery_datapolicy_data_policy_iam.html.markdown index f731e472e41..e9169778806 100644 --- a/website/docs/r/bigquery_datapolicy_data_policy_iam.html.markdown +++ b/website/docs/r/bigquery_datapolicy_data_policy_iam.html.markdown 
@@ -85,8 +85,10 @@ resource "google_bigquery_datapolicy_data_policy_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The name of the location of the data policy. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The name of the location of the data policy. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/cloud_run_service_iam.html.markdown b/website/docs/r/cloud_run_service_iam.html.markdown index 34c6f02f81e..af770cf0963 100644 --- a/website/docs/r/cloud_run_service_iam.html.markdown +++ b/website/docs/r/cloud_run_service_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_cloud_run_service_iam_member" "member" { The following arguments are supported: * `service` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the cloud run instance. eg us-central1 Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the cloud run instance. eg us-central1 Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/cloud_run_v2_job_iam.html.markdown b/website/docs/r/cloud_run_v2_job_iam.html.markdown index 4bd2ce37de2..a0d0a2c2738 100644 --- a/website/docs/r/cloud_run_v2_job_iam.html.markdown +++ b/website/docs/r/cloud_run_v2_job_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_cloud_run_v2_job_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the cloud run job Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the cloud run job Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/cloud_run_v2_service_iam.html.markdown b/website/docs/r/cloud_run_v2_service_iam.html.markdown index 7f5f8f56d15..90b9a96ba55 100644 --- a/website/docs/r/cloud_run_v2_service_iam.html.markdown +++ b/website/docs/r/cloud_run_v2_service_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_cloud_run_v2_service_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the cloud run service Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the cloud run service Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/cloud_tasks_queue_iam.html.markdown b/website/docs/r/cloud_tasks_queue_iam.html.markdown index d6200debf91..0620752b771 100644 --- a/website/docs/r/cloud_tasks_queue_iam.html.markdown +++ b/website/docs/r/cloud_tasks_queue_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_cloud_tasks_queue_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the queue Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the queue Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/cloudbuildv2_connection_iam.html.markdown b/website/docs/r/cloudbuildv2_connection_iam.html.markdown index eb53ca1192e..0c90c36da2f 100644 --- a/website/docs/r/cloudbuildv2_connection_iam.html.markdown +++ b/website/docs/r/cloudbuildv2_connection_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_cloudbuildv2_connection_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location for the resource Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/clouddeploy_custom_target_type_iam.html.markdown b/website/docs/r/clouddeploy_custom_target_type_iam.html.markdown index b87c98cb4c1..2c447cd05d1 100644 --- a/website/docs/r/clouddeploy_custom_target_type_iam.html.markdown +++ b/website/docs/r/clouddeploy_custom_target_type_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_clouddeploy_custom_target_type_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the source. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the source. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/cloudfunctions2_function_iam.html.markdown b/website/docs/r/cloudfunctions2_function_iam.html.markdown index ad1a0fb43dc..1e622c27c92 100644 --- a/website/docs/r/cloudfunctions2_function_iam.html.markdown +++ b/website/docs/r/cloudfunctions2_function_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_cloudfunctions2_function_iam_member" "member" { The following arguments are supported: * `cloud_function` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of this cloud function. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of this cloud function. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/dataplex_aspect_type_iam.html.markdown b/website/docs/r/dataplex_aspect_type_iam.html.markdown index 656cb709040..e916076b107 100644 --- a/website/docs/r/dataplex_aspect_type_iam.html.markdown +++ b/website/docs/r/dataplex_aspect_type_iam.html.markdown 
@@ -85,8 +85,10 @@ resource "google_dataplex_aspect_type_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location where aspect type will be created in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where aspect type will be created in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/dataplex_datascan_iam.html.markdown b/website/docs/r/dataplex_datascan_iam.html.markdown index 4cf191dc001..639ca29dc0a 100644 --- a/website/docs/r/dataplex_datascan_iam.html.markdown +++ b/website/docs/r/dataplex_datascan_iam.html.markdown 
@@ -85,8 +85,10 @@ resource "google_dataplex_datascan_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location where the data scan should reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the data scan should reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/dataplex_entry_group_iam.html.markdown b/website/docs/r/dataplex_entry_group_iam.html.markdown index ee8b7777dab..fc86f8f9c18 100644 --- a/website/docs/r/dataplex_entry_group_iam.html.markdown +++ b/website/docs/r/dataplex_entry_group_iam.html.markdown 
@@ -85,8 +85,10 @@ resource "google_dataplex_entry_group_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location where entry group will be created in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where entry group will be created in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/dataplex_task_iam.html.markdown b/website/docs/r/dataplex_task_iam.html.markdown index a1f791bb5b1..674b66dad37 100644 --- a/website/docs/r/dataplex_task_iam.html.markdown +++ b/website/docs/r/dataplex_task_iam.html.markdown @@ -88,8 +88,10 @@ resource "google_dataplex_task_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location in which the task will be created in. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location in which the task will be created in. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `lake` - (Required) The lake in which the task will be created in. Used to find the parent resource to bind the IAM policy to 
diff --git a/website/docs/r/dataproc_autoscaling_policy_iam.html.markdown b/website/docs/r/dataproc_autoscaling_policy_iam.html.markdown index be1af07e9c9..1f2382bf7fa 100644 --- a/website/docs/r/dataproc_autoscaling_policy_iam.html.markdown +++ b/website/docs/r/dataproc_autoscaling_policy_iam.html.markdown @@ -89,9 +89,11 @@ The following arguments are supported: and hyphens (-). Cannot begin or end with underscore or hyphen. Must consist of between 3 and 50 characters. Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location where the autoscaling policy should reside. +* `location` - (Optional) The location where the autoscaling policy should reside. The default value is `global`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/dataproc_metastore_federation_iam.html.markdown b/website/docs/r/dataproc_metastore_federation_iam.html.markdown index 5aab8553953..477e8298b6e 100644 --- a/website/docs/r/dataproc_metastore_federation_iam.html.markdown +++ b/website/docs/r/dataproc_metastore_federation_iam.html.markdown 
@@ -85,8 +85,10 @@ resource "google_dataproc_metastore_federation_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location where the metastore federation should reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the metastore federation should reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/dataproc_metastore_service_iam.html.markdown b/website/docs/r/dataproc_metastore_service_iam.html.markdown index bfba51d70dc..8b37d5c2405 100644 --- a/website/docs/r/dataproc_metastore_service_iam.html.markdown +++ b/website/docs/r/dataproc_metastore_service_iam.html.markdown 
@@ -85,9 +85,11 @@ resource "google_dataproc_metastore_service_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location where the metastore service should reside. +* `location` - (Optional) The location where the metastore service should reside. The default value is `global`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/gke_backup_backup_plan_iam.html.markdown b/website/docs/r/gke_backup_backup_plan_iam.html.markdown index e5f5ad64d27..ef42c244d0e 100644 --- a/website/docs/r/gke_backup_backup_plan_iam.html.markdown +++ b/website/docs/r/gke_backup_backup_plan_iam.html.markdown 
@@ -86,8 +86,10 @@ resource "google_gke_backup_backup_plan_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The region of the Backup Plan. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The region of the Backup Plan. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/gke_backup_restore_plan_iam.html.markdown b/website/docs/r/gke_backup_restore_plan_iam.html.markdown index a3f43ef9505..b07ee9aa935 100644 --- a/website/docs/r/gke_backup_restore_plan_iam.html.markdown +++ b/website/docs/r/gke_backup_restore_plan_iam.html.markdown 
@@ -86,8 +86,10 @@ resource "google_gke_backup_restore_plan_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The region of the Restore Plan. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The region of the Restore Plan. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/gke_hub_feature_iam.html.markdown b/website/docs/r/gke_hub_feature_iam.html.markdown index 4d9501ad208..e27bd2fb761 100644 --- a/website/docs/r/gke_hub_feature_iam.html.markdown +++ b/website/docs/r/gke_hub_feature_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_gke_hub_feature_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location for the resource Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/gke_hub_membership_iam.html.markdown b/website/docs/r/gke_hub_membership_iam.html.markdown index 9f3e27b1ecf..96765b66d20 100644 --- a/website/docs/r/gke_hub_membership_iam.html.markdown +++ b/website/docs/r/gke_hub_membership_iam.html.markdown 
@@ -85,9 +85,11 @@ resource "google_gke_hub_membership_iam_member" "member" { The following arguments are supported: -* `location` - (Required) Location of the membership. +* `location` - (Optional) Location of the membership. The default value is `global`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/network_security_address_group_iam.html.markdown b/website/docs/r/network_security_address_group_iam.html.markdown index 34dab67d9d4..1e4f3475cf3 100644 --- a/website/docs/r/network_security_address_group_iam.html.markdown +++ b/website/docs/r/network_security_address_group_iam.html.markdown 
@@ -86,8 +86,10 @@ name = google_network_security_address_group.default.name The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location of the gateway security policy. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location of the gateway security policy. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/notebooks_instance_iam.html.markdown b/website/docs/r/notebooks_instance_iam.html.markdown index 43d41a590bc..67a63f5744d 100644 --- a/website/docs/r/notebooks_instance_iam.html.markdown +++ b/website/docs/r/notebooks_instance_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_notebooks_instance_iam_member" "member" { The following arguments are supported: * `instance_name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/notebooks_runtime_iam.html.markdown b/website/docs/r/notebooks_runtime_iam.html.markdown index dfe3b46cc57..5bbdaa35eb1 100644 --- a/website/docs/r/notebooks_runtime_iam.html.markdown +++ b/website/docs/r/notebooks_runtime_iam.html.markdown 
@@ -86,7 +86,9 @@ resource "google_notebooks_runtime_iam_member" "member" { The following arguments are supported: * `runtime_name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) A reference to the zone where the machine resides. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/privateca_ca_pool_iam.html.markdown b/website/docs/r/privateca_ca_pool_iam.html.markdown index 7c0e9b42175..e3b408c9097 100644 --- a/website/docs/r/privateca_ca_pool_iam.html.markdown +++ b/website/docs/r/privateca_ca_pool_iam.html.markdown 
@@ -136,9 +136,11 @@ resource "google_privateca_ca_pool_iam_member" "member" { The following arguments are supported: * `ca_pool` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) Location of the CaPool. A full list of valid locations can be found by +* `location` - (Optional) Location of the CaPool. A full list of valid locations can be found by running `gcloud privateca locations list`. - Used to find the parent resource to bind the IAM policy to + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/privateca_certificate_template.html.markdown b/website/docs/r/privateca_certificate_template.html.markdown index 5b3fe136f4f..f2c9271c4b2 100644 --- a/website/docs/r/privateca_certificate_template.html.markdown +++ b/website/docs/r/privateca_certificate_template.html.markdown 
@@ -1,37 +1,48 @@ --- # ---------------------------------------------------------------------------- # -# *** AUTO GENERATED CODE *** Type: DCL *** +# *** AUTO GENERATED CODE *** Type: MMv1 *** # # ---------------------------------------------------------------------------- # -# This file is managed by Magic Modules (https:#github.com/GoogleCloudPlatform/magic-modules) -# and is based on the DCL (https:#github.com/GoogleCloudPlatform/declarative-resource-client-library). -# Changes will need to be made to the DCL or Magic Modules instead of here. +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. # -# We are not currently able to accept contributions to this file. If changes -# are required, please file an issue at https:#github.com/hashicorp/terraform-provider-google/issues/new/choose +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. # # ---------------------------------------------------------------------------- subcategory: "Certificate Authority Service" description: |- - Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. A certificate template can essentially become a full-fledged vertical certificate issuance framework. + Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. --- # google_privateca_certificate_template -Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. 
A certificate template can essentially become a full-fledged vertical certificate issuance framework. +Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. A certificate template can essentially become a full-fledged vertical certificate issuance framework. + + +To get more information about CertificateTemplate, see: + +* [API documentation](https://cloud.google.com/certificate-authority-service/docs/reference/rest) +* How-to Guides + * [Official Documentation](https://cloud.google.com/certificate-authority-service) + * [Understanding Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/certificate-template) + * [Common configurations and Certificate Profiles](https://cloud.google.com/certificate-authority-service/docs/certificate-profile) + + +## Example Usage - Privateca Template Basic + -For more information, see: -* [Understanding Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/certificate-template) -* [Common configurations and Certificate Profiles](https://cloud.google.com/certificate-authority-service/docs/certificate-profile) -## Example Usage - basic_certificate_template -An example of a basic privateca certificate template ```hcl -resource "google_privateca_certificate_template" "primary" { - location = "us-west1" - name = "template" - description = "An updated sample certificate template" +resource "google_privateca_certificate_template" "default" { + name = "my-template" + location = "us-central1" + description = "A sample certificate template" identity_constraints { allow_subject_alt_names_passthrough = true @@ -51,7 +62,6 @@ resource "google_privateca_certificate_template" "primary" { additional_extensions { object_id_path = [1, 6] } - known_extensions = ["EXTENDED_KEY_USAGE"] } 
@@ -60,18 +70,14 @@ resource "google_privateca_certificate_template" "primary" { object_id { object_id_path = [1, 6] } - value = "c3RyaW5nCg==" critical = true } - aia_ocsp_servers = ["string"] - ca_options { is_ca = false max_issuer_path_length = 6 } - key_usage { base_key_usage { cert_sign = false @@ -84,7 +90,6 @@ resource "google_privateca_certificate_template" "primary" { key_agreement = true key_encipherment = true } - extended_key_usage { client_auth = true code_signing = true 
@@ -93,266 +98,276 @@ resource "google_privateca_certificate_template" "primary" { server_auth = true time_stamping = true } - unknown_extended_key_usages { object_id_path = [1, 6] } } - policy_ids { object_id_path = [1, 6] } } - project = "my-project-name" - labels = { - label-two = "value-two" + label-one = "value-one" } } - - ``` ## Argument Reference The following arguments are supported: -* `location` - - (Required) - The location for the resource - + * `name` - (Required) The resource name for this CertificateTemplate in the format `projects/*/locations/*/certificateTemplates/*`. - - -The `object_id` block supports: - -* `object_id_path` - +* `location` - (Required) - Required. The parts of an OID path. The most significant parts of the path come first. - + The location for the resource + + - - - -* `description` - + +* `predefined_values` - (Optional) - Optional. A human-readable description of scenarios this template is intended for. - + Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail. + Structure is [documented below](#nested_predefined_values). + * `identity_constraints` - (Optional) Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity. - -* `labels` - - (Optional) - Optional. Labels with user-defined metadata. + Structure is [documented below](#nested_identity_constraints). -**Note**: This field is non-authoritative, and will only manage the labels present in your configuration. -Please refer to the field `effective_labels` for all of the labels present on the resource. 
- -* `maximum_lifetime` - - (Optional) - Optional. The maximum lifetime allowed for all issued certificates that use this template. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for issued. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it. - * `passthrough_extensions` - (Optional) Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values. - -* `predefined_values` - - (Optional) - Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail. - -* `project` - - (Optional) - The project for the resource - - + Structure is [documented below](#nested_passthrough_extensions). -The `identity_constraints` block supports: - -* `allow_subject_alt_names_passthrough` - - (Required) - Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. - -* `allow_subject_passthrough` - - (Required) - Required. 
If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. - -* `cel_expression` - +* `maximum_lifetime` - (Optional) - Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel - -The `cel_expression` block supports: - + Optional. The maximum lifetime allowed for all issued certificates that use this template. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for issued. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it. + * `description` - (Optional) - Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. - -* `expression` - - (Optional) - Textual representation of an expression in Common Expression Language syntax. - -* `location` - - (Optional) - Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. - -* `title` - - (Optional) - Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. - -The `passthrough_extensions` block supports: - -* `additional_extensions` - - (Optional) - Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions. - -* `known_extensions` - - (Optional) - Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions. 
- -The `additional_extensions` block supports: - -* `object_id_path` - - (Required) - Required. The parts of an OID path. The most significant parts of the path come first. - -The `predefined_values` block supports: - -* `additional_extensions` - + Optional. A human-readable description of scenarios this template is intended for. + +* `labels` - (Optional) - Optional. Describes custom X.509 extensions. - -* `aia_ocsp_servers` - + Optional. Labels with user-defined metadata. + **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. + Please refer to the field `effective_labels` for all of the labels present on the resource. + +* `project` - (Optional) The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + + +The `predefined_values` block supports: + +* `key_usage` - (Optional) - Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. - + Optional. Indicates the intended use for keys that correspond to a certificate. + Structure is [documented below](#nested_key_usage). + * `ca_options` - (Optional) Optional. Describes options in this X509Parameters that are relevant in a CA certificate. - -* `key_usage` - - (Optional) - Optional. Indicates the intended use for keys that correspond to a certificate. - + Structure is [documented below](#nested_ca_options). + * `policy_ids` - (Optional) Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. - -The `additional_extensions` block supports: - -* `critical` - - (Optional) - Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). - -* `object_id` - - (Required) - Required. The OID for this X.509 extension. 
- -* `value` - - (Required) - Required. The value of this X.509 extension. - -The `ca_options` block supports: - -* `is_ca` - + Structure is [documented below](#nested_policy_ids). + +* `aia_ocsp_servers` - (Optional) - Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate. - -* `max_issuer_path_length` - + Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. + +* `additional_extensions` - (Optional) - Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate. - -The `key_usage` block supports: - + Optional. Describes custom X.509 extensions. + Structure is [documented below](#nested_additional_extensions). + + +The `key_usage` block supports: + * `base_key_usage` - (Optional) Describes high-level ways in which a key may be used. - + Structure is [documented below](#nested_base_key_usage). + * `extended_key_usage` - (Optional) Detailed scenarios in which a key may be used. - + Structure is [documented below](#nested_extended_key_usage). + * `unknown_extended_key_usages` - (Optional) Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message. - -The `base_key_usage` block supports: - -* `cert_sign` - + Structure is [documented below](#nested_unknown_extended_key_usages). + + +The `base_key_usage` block supports: + +* `digital_signature` - (Optional) - The key may be used to sign certificates. - + The key may be used for digital signatures. + * `content_commitment` - (Optional) The key may be used for cryptographic commitments. 
Note that this may also be referred to as "non-repudiation". - -* `crl_sign` - + +* `key_encipherment` - (Optional) - The key may be used sign certificate revocation lists. - + The key may be used to encipher other keys. + * `data_encipherment` - (Optional) The key may be used to encipher data. - -* `decipher_only` - + +* `key_agreement` - (Optional) - The key may be used to decipher only. - -* `digital_signature` - + The key may be used in a key agreement protocol. + +* `cert_sign` - (Optional) - The key may be used for digital signatures. - + The key may be used to sign certificates. + +* `crl_sign` - + (Optional) + The key may be used sign certificate revocation lists. + * `encipher_only` - (Optional) The key may be used to encipher only. - -* `key_agreement` - + +* `decipher_only` - (Optional) - The key may be used in a key agreement protocol. - -* `key_encipherment` - + The key may be used to decipher only. + +The `extended_key_usage` block supports: + +* `server_auth` - (Optional) - The key may be used to encipher other keys. - -The `extended_key_usage` block supports: - + Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. + * `client_auth` - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. - + * `code_signing` - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". - + * `email_protection` - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". - + +* `time_stamping` - + (Optional) + Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". + * `ocsp_signing` - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". 
- -* `server_auth` - + +The `unknown_extended_key_usages` block supports: + +* `object_id_path` - + (Required) + Required. The parts of an OID path. The most significant parts of the path come first. + +The `ca_options` block supports: + +* `is_ca` - (Optional) - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. - -* `time_stamping` - + Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate. + +* `max_issuer_path_length` - (Optional) - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". - -The `unknown_extended_key_usages` block supports: - + Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate. + +The `policy_ids` block supports: + * `object_id_path` - (Required) Required. The parts of an OID path. The most significant parts of the path come first. - -The `policy_ids` block supports: - + +The `additional_extensions` block supports: + +* `object_id` - + (Required) + Required. The OID for this X.509 extension. + Structure is [documented below](#nested_object_id). + +* `critical` - + (Optional) + Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). + +* `value` - + (Required) + Required. The value of this X.509 extension. + + +The `object_id` block supports: + * `object_id_path` - (Required) Required. The parts of an OID path. The most significant parts of the path come first. 
- + +The `identity_constraints` block supports: + +* `cel_expression` - + (Optional) + Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel + Structure is [documented below](#nested_cel_expression). + +* `allow_subject_passthrough` - + (Required) + Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. + +* `allow_subject_alt_names_passthrough` - + (Required) + Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. + + +The `cel_expression` block supports: + +* `expression` - + (Optional) + Textual representation of an expression in Common Expression Language syntax. + +* `title` - + (Optional) + Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. + +* `description` - + (Optional) + Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. + +* `location` - + (Optional) + Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. + +The `passthrough_extensions` block supports: + +* `known_extensions` - + (Optional) + Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions. + +* `additional_extensions` - + (Optional) + Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions. 
+ Structure is [documented below](#nested_additional_extensions). + + +The `additional_extensions` block supports: + +* `object_id_path` - + (Required) + Required. The parts of an OID path. The most significant parts of the path come first. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are exported: @@ -361,16 +376,18 @@ In addition to the arguments listed above, the following computed attributes are * `create_time` - Output only. The time at which this CertificateTemplate was created. - -* `effective_labels` - - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services. - -* `terraform_labels` - - The combination of labels configured directly on the resource and default labels configured on the provider. - + * `update_time` - Output only. The time at which this CertificateTemplate was updated. - + +* `terraform_labels` - + The combination of labels configured directly on the resource + and default labels configured on the provider. + +* `effective_labels` - + All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services. + + ## Timeouts This resource provides the following @@ -382,13 +399,15 @@ This resource provides the following ## Import + CertificateTemplate can be imported using any of these accepted formats: + * `projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}` * `{{project}}/{{location}}/{{name}}` * `{{location}}/{{name}}` -In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CertificateTemplate using one of the formats above. For example: +In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CertificateTemplate using one of the formats above. For example: ```tf import { 
@@ -405,5 +424,6 @@ $ terraform import google_privateca_certificate_template.default {{project}}/{{l $ terraform import google_privateca_certificate_template.default {{location}}/{{name}} ``` +## User Project Overrides - +This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override). diff --git a/website/docs/r/privateca_certificate_template_iam.html.markdown b/website/docs/r/privateca_certificate_template_iam.html.markdown index 4b2cc02daa5..5e012cfbf4f 100644 --- a/website/docs/r/privateca_certificate_template_iam.html.markdown +++ b/website/docs/r/privateca_certificate_template_iam.html.markdown @@ -136,6 +136,9 @@ resource "google_privateca_certificate_template_iam_member" "member" { The following arguments are supported: * `certificate_template` - (Required) Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/secure_source_manager_instance_iam.html.markdown b/website/docs/r/secure_source_manager_instance_iam.html.markdown index b9ab04a7499..21160f34777 100644 --- a/website/docs/r/secure_source_manager_instance_iam.html.markdown +++ b/website/docs/r/secure_source_manager_instance_iam.html.markdown 
@@ -85,8 +85,10 @@ resource "google_secure_source_manager_instance_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location for the Instance. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the Instance. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `instance_id` - (Required) The name for the Instance. Used to find the parent resource to bind the IAM policy to diff --git a/website/docs/r/vertex_ai_endpoint_iam.html.markdown b/website/docs/r/vertex_ai_endpoint_iam.html.markdown index 0076084c42d..f493729ccaf 100644 --- a/website/docs/r/vertex_ai_endpoint_iam.html.markdown +++ b/website/docs/r/vertex_ai_endpoint_iam.html.markdown @@ -88,7 +88,9 @@ resource "google_vertex_ai_endpoint_iam_member" "member" { The following arguments are supported: * `endpoint` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) The location for the resource Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location for the resource Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `region` - (Optional) The region for the resource Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration. 
diff --git a/website/docs/r/workbench_instance_iam.html.markdown b/website/docs/r/workbench_instance_iam.html.markdown index 54f3418346b..b29d0f9ce73 100644 --- a/website/docs/r/workbench_instance_iam.html.markdown +++ b/website/docs/r/workbench_instance_iam.html.markdown @@ -86,7 +86,9 @@ resource "google_workbench_instance_iam_member" "member" { The following arguments are supported: * `name` - (Required) Used to find the parent resource to bind the IAM policy to -* `location` - (Required) Part of `parent`. See documentation of `projectsId`. Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) Part of `parent`. See documentation of `projectsId`. Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/workstations_workstation_config_iam.html.markdown b/website/docs/r/workstations_workstation_config_iam.html.markdown index abcf9b652bc..01fb7f669b2 100644 --- a/website/docs/r/workstations_workstation_config_iam.html.markdown +++ b/website/docs/r/workstations_workstation_config_iam.html.markdown 
@@ -94,8 +94,10 @@ resource "google_workstations_workstation_config_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location where the workstation cluster config should reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the workstation cluster config should reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. diff --git a/website/docs/r/workstations_workstation_iam.html.markdown b/website/docs/r/workstations_workstation_iam.html.markdown index cb3c8f0d052..e2102070845 100644 --- a/website/docs/r/workstations_workstation_iam.html.markdown +++ b/website/docs/r/workstations_workstation_iam.html.markdown 
@@ -97,8 +97,10 @@ resource "google_workstations_workstation_iam_member" "member" { The following arguments are supported: -* `location` - (Required) The location where the workstation parent resources reside. - Used to find the parent resource to bind the IAM policy to +* `location` - (Optional) The location where the workstation parent resources reside. + Used to find the parent resource to bind the IAM policy to. If not specified, + the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no + location is specified, it is taken from the provider configuration. * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.