Better error message when attempting to use google_privateca_certificate on a DEVOPS tier CA Pool #14241

@nginthfs


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

The resource type google_privateca_certificate is only supported on the ENTERPRISE tier CA pool, as referenced in this documentation: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/privateca_certificate. However, when you attempt to use this resource, the error message is not clear. It would be helpful to have a better error message here indicating that this resource is not supported by DEVOPS tier plans.

Currently, when attempting to use the google_privateca_certificate resource type on a DEVOPS tier CA Pool, you get the following error: Root resource was present, but now absent.

The debug error is also unhelpful since it will "create" the cert successfully:

2023-04-06T11:37:11.613-0500 [INFO]  provider.terraform-provider-google_v4.51.0_x5: 2023/04/06 11:37:11 [DEBUG] Retry Transport: Stopping retries, last request was successful: timestamp=2023-04-06T11:37:11.613-0500
2023-04-06T11:37:11.613-0500 [INFO]  provider.terraform-provider-google_v4.51.0_x5: 2023/04/06 11:37:11 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2023-04-06T11:37:11.613-0500
2023-04-06T11:37:11.613-0500 [INFO]  provider.terraform-provider-google_v4.51.0_x5: 2023/04/06 11:37:11 [DEBUG] Finished creating Certificate "<cert info here ... >"

And then it will go and fail to find that same cert:

2023-04-06T11:37:11.686-0500 [INFO]  provider.terraform-provider-google_v4.51.0_x5: 2023/04/06 11:37:11 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 404 Not Found
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Thu, 06 Apr 2023 16:37:11 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
  "error": {
    "code": 404,
    "message": "Row not found",
    "status": "NOT_FOUND"
  }
}

New or Affected Resource(s)

  • google_privateca_certificate

Potential Terraform Configuration

resource "google_privateca_ca_pool" "default" {
  name     = "ssl-ca-pool"
  location = "us-central1"
  tier     = "DEVOPS"
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }
  issuance_policy {
    baseline_values {
      ca_options {
        is_ca = false
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          key_encipherment  = true
        }
        extended_key_usage {
          server_auth = true
          client_auth = true
        }
      }
    }
  }
}

resource "google_privateca_certificate_authority" "ssl_ca" {
  certificate_authority_id = "ssl-authority"
  location                 = "us-central1"
  pool                     = google_privateca_ca_pool.default.name
  config {
    subject_config {
      subject {
        country_code        = "us"
        organization        = "org"
        organizational_unit = "unit"
        locality            = "atlanta"
        province            = "georgia"
        common_name         = "ssl-certificate-authority"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
          client_auth = true
        }
      }
    }
  }
  type = "SELF_SIGNED"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}

resource "tls_private_key" "default" {
  algorithm = "RSA"
}

resource "tls_cert_request" "default" {
  private_key_pem = tls_private_key.default.private_key_pem

  subject {
    common_name  = "test.com"
    organization = "Org, Inc."
  }
  dns_names = ["test.com", "localhost"]
}

resource "google_privateca_certificate" "tls-ca" {
  pool                  = google_privateca_ca_pool.default.name
  certificate_authority = google_privateca_certificate_authority.ssl_ca.certificate_authority_id
  location              = "us-central1"
  lifetime              = "94608000s"
  name                  = "test-cert"
  pem_csr               = tls_cert_request.default.cert_request_pem
}

References

May be related to:

b/277754862
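A guard a practitioner can add today, while the provider's error message is unchanged, is a lifecycle precondition on the certificate resource that fails the plan when the referenced pool is not ENTERPRISE tier, so the mismatch surfaces at plan time with an explicit message rather than as "Root resource was present, but now absent" after the API returns 404 on the read-back. This is an added example, not part of the original issue or of the provider's code; it is a drop-in replacement for the last resource block of the configuration above, reuses the resource names from that configuration (google_privateca_ca_pool.default, google_privateca_certificate_authority.ssl_ca, tls_cert_request.default), and assumes Terraform 1.2 or later, which introduced precondition blocks.

```hcl
# Added example (not from the issue or the provider): fail at plan time with a
# clear message instead of at apply time with a confusing 404-driven error.
# Assumes Terraform >= 1.2 and the resource names used in the configuration above.
resource "google_privateca_certificate" "tls-ca" {
  pool                  = google_privateca_ca_pool.default.name
  certificate_authority = google_privateca_certificate_authority.ssl_ca.certificate_authority_id
  location              = "us-central1"
  lifetime              = "94608000s"
  name                  = "test-cert"
  pem_csr               = tls_cert_request.default.cert_request_pem

  lifecycle {
    precondition {
      # google_privateca_certificate is only supported on ENTERPRISE tier pools;
      # tier is a required argument on google_privateca_ca_pool, so this is
      # known during plan and the check never has to wait for apply.
      condition     = google_privateca_ca_pool.default.tier == "ENTERPRISE"
      error_message = "google_privateca_certificate requires an ENTERPRISE tier CA pool; the referenced google_privateca_ca_pool is DEVOPS tier, which cannot issue certificates through this resource."
    }
  }
}
```

With the reproduction configuration above left as written (tier = "DEVOPS"), terraform plan now stops on this precondition before anything is sent to the Private CA API; switching the pool to tier = "ENTERPRISE" makes the condition true and the plan proceeds normally. The same precondition works when the pool comes from a data source instead of a managed resource, since tier is exported there too.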
