Add certificate template field to privateca Certificate (GoogleCloudP…

…latform#5135)

* Add certificate authority field to Certificate, now that certificate authority is present in TF.

Also adds test - which will only successfully run in CI since it depends on a static CA pool.

* compare resource names instead, because we have a project number.

mmv1/products/privateca/api.yaml

@@ -891,6 +891,17 @@ objects:
           Output only. The time at which this CertificateAuthority was updated.
           This is in RFC3339 text format.
         output: true
+        # Note: would be a resourceref, except that CertificateTemplate is in the DCL
+        # and we don't have references across mmv1-dcl bridge yet.
+      - !ruby/object:Api::Type::String
+        name: 'certificateTemplate'
+        input: true
+        description: |
+          The resource name for a CertificateTemplate used to issue this certificate,
+          in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified,
+          the caller must have the necessary permission to use this template. If this is
+          omitted, no template will be used. This template must be in the same location
+          as the Certificate.
       - !ruby/object:Api::Type::KeyValuePairs
         name: 'labels'
         description: |

mmv1/products/privateca/terraform.yaml

@@ -81,6 +81,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     properties:
       config.x509Config: !ruby/object:Overrides::Terraform::PropertyOverride
         custom_flatten: 'templates/terraform/custom_flatten/privateca_certificate_509_config.go.erb'
+      certificateTemplate: !ruby/object:Overrides::Terraform::PropertyOverride
+        diff_suppress_func: 'compareResourceNames'
     examples:
       - !ruby/object:Provider::Terraform::Examples
         name: "privateca_certificate_config"
@@ -92,6 +94,17 @@ overrides: !ruby/object:Overrides::ResourceOverrides
           project: :PROJECT_NAME
         test_vars_overrides:
           pool: "\"static-ca-pool\""
+      - !ruby/object:Provider::Terraform::Examples
+        name: "privateca_certificate_with_template"
+        primary_resource_id: "default"
+        vars:
+          certificate_name: "my-certificate"
+          certificate_authority_id: "my-certificate-authority"
+          certificate_template_name: "my-certificate-template"
+        test_env_vars:
+          project: :PROJECT_NAME
+        test_vars_overrides:
+          pool: "\"static-ca-pool\""
       - !ruby/object:Provider::Terraform::Examples
         name: "privateca_certificate_csr"
         primary_resource_id: "default"

mmv1/templates/terraform/examples/privateca_certificate_with_template.tf.erb

@@ -0,0 +1,121 @@
+resource "google_privateca_certificate_template" "template" {
+  location    = "us-central1"
+  name = "<%= ctx[:vars]["certificate_template_name"] %>"
+  description = "An updated sample certificate template"
+
+  identity_constraints {
+    allow_subject_alt_names_passthrough = true
+    allow_subject_passthrough           = true
+
+    cel_expression {
+      description = "Always true"
+      expression  = "true"
+      location    = "any.file.anywhere"
+      title       = "Sample expression"
+    }
+  }
+
+  passthrough_extensions {
+    additional_extensions {
+      object_id_path = [1, 6]
+    }
+
+    known_extensions = ["EXTENDED_KEY_USAGE"]
+  }
+
+  predefined_values {
+    additional_extensions {
+      object_id {
+        object_id_path = [1, 6]
+      }
+
+      value    = "c3RyaW5nCg=="
+      critical = true
+    }
+
+    aia_ocsp_servers = ["string"]
+
+    ca_options {
+      is_ca                  = false
+      max_issuer_path_length = 6
+    }
+
+    key_usage {
+      base_key_usage {
+        cert_sign          = false
+        content_commitment = true
+        crl_sign           = false
+        data_encipherment  = true
+        decipher_only      = true
+        digital_signature  = true
+        encipher_only      = true
+        key_agreement      = true
+        key_encipherment   = true
+      }
+
+      extended_key_usage {
+        client_auth      = true
+        code_signing     = true
+        email_protection = true
+        ocsp_signing     = true
+        server_auth      = true
+        time_stamping    = true
+      }
+
+      unknown_extended_key_usages {
+        object_id_path = [1, 6]
+      }
+    }
+
+    policy_ids {
+      object_id_path = [1, 6]
+    }
+  }
+}
+
+resource "google_privateca_certificate_authority" "test-ca" {
+  pool = "<%= ctx[:vars]["pool"] %>"
+  certificate_authority_id = "<%= ctx[:vars]["certificate_authority_id"] %>"
+  location = "us-central1"
+  config {
+    subject_config {
+      subject {
+        organization = "HashiCorp"
+        common_name = "my-certificate-authority"
+      }
+      subject_alt_name {
+        dns_names = ["hashicorp.com"]
+      }
+    }
+    x509_config {
+      ca_options {
+        # is_ca *MUST* be true for certificate authorities
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+          server_auth = false
+        }
+      }
+    }
+  }
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+}
+
+
+resource "google_privateca_certificate" "<%= ctx[:primary_resource_id] %>" {
+  pool = "<%= ctx[:vars]["pool"] %>"
+  location = "us-central1"
+  certificate_authority = google_privateca_certificate_authority.test-ca.certificate_authority_id
+  lifetime = "860s"
+  name = "<%= ctx[:vars]["certificate_name"] %>"
+  pem_csr = file("test-fixtures/rsa_csr.pem")
+  certificate_template = google_privateca_certificate_template.template.id
+}