From 73fad58a3977cd07f1c76dce0ffc934bdc2e88b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sven=20H=C3=B6xter?=
Date: Wed, 6 Nov 2024 16:56:35 +0100
Subject: [PATCH] fix(privateca): configure pathLen: 0 constrain correctly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For the terraform provider to configure the `pathLen` constrain correctly to the value `0`, and not omit it completely, it's required to explicitly set `zero_max_issuer_path_length = true`.

Signed-off-by: Sven Höxter
---
 privateca/certificate_authority_subordinate/main.tf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/privateca/certificate_authority_subordinate/main.tf b/privateca/certificate_authority_subordinate/main.tf
index 975b7941b..7f590b15e 100644
--- a/privateca/certificate_authority_subordinate/main.tf
+++ b/privateca/certificate_authority_subordinate/main.tf
@@ -73,8 +73,11 @@ resource "google_privateca_certificate_authority" "sub_ca" {
 x509_config {
 ca_options {
 is_ca = true
+ # Force the sub CA to only issue leaf certs.
+ # Use e.g.
+ # max_issuer_path_length = 1
+ # if you need to chain more subordinates.
+ zero_max_issuer_path_length = true
- # Force the sub CA to only issue leaf certs
- max_issuer_path_length = 0
 }
 key_usage {
 base_key_usage {
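Review bot: The new comment in `ca_options` suggests `max_issuer_path_length = 1` for deeper chains but does not say that `zero_max_issuer_path_length = true` has to be removed at the same time. It also does not record why the flag is used instead of a literal `0`. Per the commit message, a plain `max_issuer_path_length = 0` is omitted by the provider, which leaves the subordinate CA without a path length constraint and so able to sign further CAs. I would spell that out, e.g. `# A literal max_issuer_path_length = 0 is dropped by the provider (no pathLen at all); this flag emits pathLen 0.` followed by `# To allow N further subordinate levels, replace this flag with max_issuer_path_length = N.` Whether the provider rejects both attributes being set together is not visible here, so that is worth confirming before wording the comment more strongly. The `sub_ca` resource block starts and ends outside the hunk.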