fix: provide a sensible example for a privateca Root CA example (terraform-google-modules#631)

hoexter · glasnt · iennae · web-flow · commit 89252597615a · 2024-11-04T15:42:39.000+11:00
This one looks a lot like someone copied by accident the subordinate
example out of `certificate_authority_subordinate/main.tf` as a root
CA. Thus it contains a lot of values set which are outright invalid
or not recommend for Root CA certficates if you consider RFC 5280
and CA/B Baseline Requirements as the standard to follow.

Also the subordinate example is a bit odd, e.g. configuring SAN
on any kind of CA certificate doesn't make sense. And the resources
examples there make use of the same pool name.

Align the lifetime to some practical values, 10years for a Root CA
and 5years for a subordinate.

Signed-off-by: Sven Höxter &lt;sven@stormbind.net&gt;
Co-authored-by: Katie McLaughlin &lt;katie@glasnt.com&gt;
Co-authored-by: Jennifer Davis &lt;sigje@google.com&gt;
diff --git a/privateca/certificate_authority_basic/main.tf b/privateca/certificate_authority_basic/main.tf
@@ -15,52 +15,41 @@
  */
 
 # [START privateca_create_ca]
-resource "google_privateca_certificate_authority" "default" {
+resource "google_privateca_certificate_authority" "root_ca" {
   // This example assumes this pool already exists.
   // Pools cannot be deleted in normal test circumstances, so we depend on static pools
-  pool                     = "my-pool"
-  certificate_authority_id = "my-certificate-authority-hashicorp"
-  location                 = "us-central1"
-  deletion_protection      = false # set to true to prevent destruction of the resource
+  pool                                   = "my-pool"
+  certificate_authority_id               = "my-certificate-authority-root"
+  location                               = "us-central1"
+  deletion_protection                    = false # set to true to prevent destruction of the resource
+  ignore_active_certificates_on_deletion = true
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name  = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
-        is_ca                  = true
-        max_issuer_path_length = 10
+        # is_ca *MUST* be true for certificate authorities
+        is_ca = true
       }
       key_usage {
         base_key_usage {
-          digital_signature  = true
-          content_commitment = true
-          key_encipherment   = false
-          data_encipherment  = true
-          key_agreement      = true
-          cert_sign          = true
-          crl_sign           = true
-          decipher_only      = true
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
+          cert_sign = true
+          crl_sign  = true
         }
         extended_key_usage {
-          server_auth      = true
-          client_auth      = false
-          email_protection = true
-          code_signing     = true
-          time_stamping    = true
         }
       }
     }
   }
-  lifetime = "86400s"
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
+  // valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
 }
 # [END privateca_create_ca]
diff --git a/privateca/certificate_authority_subordinate/main.tf b/privateca/certificate_authority_subordinate/main.tf
@@ -16,6 +16,8 @@
 
 # [START privateca_create_subordinateca]
 resource "google_privateca_certificate_authority" "root_ca" {
+  // This example assumes this pool already exists.
+  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
   pool                                   = "my-pool"
   certificate_authority_id               = "my-certificate-authority-root"
   location                               = "us-central1"
@@ -24,12 +26,9 @@ resource "google_privateca_certificate_authority" "root_ca" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name  = "my-certificate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
@@ -43,20 +42,21 @@ resource "google_privateca_certificate_authority" "root_ca" {
           crl_sign  = true
         }
         extended_key_usage {
-          server_auth = false
         }
       }
     }
   }
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }
+  // valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
 }
 
-resource "google_privateca_certificate_authority" "default" {
+resource "google_privateca_certificate_authority" "sub_ca" {
   // This example assumes this pool already exists.
   // Pools cannot be deleted in normal test circumstances, so we depend on static pools
-  pool                     = "my-pool"
+  pool                     = "my-sub-pool"
   certificate_authority_id = "my-certificate-authority-sub"
   location                 = "us-central1"
   deletion_protection      = false # set to true to prevent destruction of the resource
@@ -66,12 +66,9 @@ resource "google_privateca_certificate_authority" "default" {
   config {
     subject_config {
       subject {
-        organization = "HashiCorp"
+        organization = "ACME"
         common_name  = "my-subordinate-authority"
       }
-      subject_alt_name {
-        dns_names = ["hashicorp.com"]
-      }
     }
     x509_config {
       ca_options {
@@ -81,28 +78,18 @@ resource "google_privateca_certificate_authority" "default" {
       }
       key_usage {
         base_key_usage {
-          digital_signature  = true
-          content_commitment = true
-          key_encipherment   = false
-          data_encipherment  = true
-          key_agreement      = true
-          cert_sign          = true
-          crl_sign           = true
-          decipher_only      = true
+          cert_sign = true
+          crl_sign  = true
         }
         extended_key_usage {
-          server_auth      = true
-          client_auth      = false
-          email_protection = true
-          code_signing     = true
-          time_stamping    = true
         }
       }
     }
   }
-  lifetime = "86400s"
+  // valid for 5 years
+  lifetime = "${5 * 365 * 24 * 3600}s"
   key_spec {
-    algorithm = "RSA_PKCS1_4096_SHA256"
+    algorithm = "RSA_PKCS1_2048_SHA256"
   }
   type = "SUBORDINATE"
 }

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@`
`16`	`16`
`17`	`17`	`# [START privateca_create_subordinateca]`
`18`	`18`	`resource "google_privateca_certificate_authority" "root_ca" {`
	`19`	`+ // This example assumes this pool already exists.`
	`20`	`+ // Pools cannot be deleted in normal test circumstances, so we depend on static pools`
`19`	`21`	`pool = "my-pool"`
`20`	`22`	`certificate_authority_id = "my-certificate-authority-root"`
`21`	`23`	`location = "us-central1"`
`@@ -24,12 +26,9 @@ resource "google_privateca_certificate_authority" "root_ca" {`
`24`	`26`	`config {`
`25`	`27`	`subject_config {`
`26`	`28`	`subject {`
`27`		`- organization = "HashiCorp"`
	`29`	`+ organization = "ACME"`
`28`	`30`	`common_name = "my-certificate-authority"`
`29`	`31`	`}`
`30`		`- subject_alt_name {`
`31`		`- dns_names = ["hashicorp.com"]`
`32`		`- }`
`33`	`32`	`}`
`34`	`33`	`x509_config {`
`35`	`34`	`ca_options {`
`@@ -43,20 +42,21 @@ resource "google_privateca_certificate_authority" "root_ca" {`
`43`	`42`	`crl_sign = true`
`44`	`43`	`}`
`45`	`44`	`extended_key_usage {`
`46`		`- server_auth = false`
`47`	`45`	`}`
`48`	`46`	`}`
`49`	`47`	`}`
`50`	`48`	`}`
`51`	`49`	`key_spec {`
`52`	`50`	`algorithm = "RSA_PKCS1_4096_SHA256"`
`53`	`51`	`}`
	`52`	`+ // valid for 10 years`
	`53`	`+ lifetime = "${10 * 365 * 24 * 3600}s"`
`54`	`54`	`}`
`55`	`55`
`56`		`-resource "google_privateca_certificate_authority" "default" {`
	`56`	`+resource "google_privateca_certificate_authority" "sub_ca" {`
`57`	`57`	`// This example assumes this pool already exists.`
`58`	`58`	`// Pools cannot be deleted in normal test circumstances, so we depend on static pools`
`59`		`- pool = "my-pool"`
	`59`	`+ pool = "my-sub-pool"`
`60`	`60`	`certificate_authority_id = "my-certificate-authority-sub"`
`61`	`61`	`location = "us-central1"`
`62`	`62`	`deletion_protection = false # set to true to prevent destruction of the resource`
`@@ -66,12 +66,9 @@ resource "google_privateca_certificate_authority" "default" {`
`66`	`66`	`config {`
`67`	`67`	`subject_config {`
`68`	`68`	`subject {`
`69`		`- organization = "HashiCorp"`
	`69`	`+ organization = "ACME"`
`70`	`70`	`common_name = "my-subordinate-authority"`
`71`	`71`	`}`
`72`		`- subject_alt_name {`
`73`		`- dns_names = ["hashicorp.com"]`
`74`		`- }`
`75`	`72`	`}`
`76`	`73`	`x509_config {`
`77`	`74`	`ca_options {`
`@@ -81,28 +78,18 @@ resource "google_privateca_certificate_authority" "default" {`
`81`	`78`	`}`
`82`	`79`	`key_usage {`
`83`	`80`	`base_key_usage {`
`84`		`- digital_signature = true`
`85`		`- content_commitment = true`
`86`		`- key_encipherment = false`
`87`		`- data_encipherment = true`
`88`		`- key_agreement = true`
`89`		`- cert_sign = true`
`90`		`- crl_sign = true`
`91`		`- decipher_only = true`
	`81`	`+ cert_sign = true`
	`82`	`+ crl_sign = true`
`92`	`83`	`}`
`93`	`84`	`extended_key_usage {`
`94`		`- server_auth = true`
`95`		`- client_auth = false`
`96`		`- email_protection = true`
`97`		`- code_signing = true`
`98`		`- time_stamping = true`
`99`	`85`	`}`
`100`	`86`	`}`
`101`	`87`	`}`
`102`	`88`	`}`
`103`		`- lifetime = "86400s"`
	`89`	`+ // valid for 5 years`
	`90`	`+ lifetime = "${5 * 365 * 24 * 3600}s"`
`104`	`91`	`key_spec {`
`105`		`- algorithm = "RSA_PKCS1_4096_SHA256"`
	`92`	`+ algorithm = "RSA_PKCS1_2048_SHA256"`
`106`	`93`	`}`
`107`	`94`	`type = "SUBORDINATE"`
`108`	`95`	`}`