From 14b020218b19412b5a100171a76d7f1161557ca9 Mon Sep 17 00:00:00 2001
From: Shuya Ma <shuyama@google.com>
Date: Fri, 5 Apr 2024 14:20:37 -0700
Subject: [PATCH] Revert "fixed permission issues when activating a sub-CA in a
 different region (#10354) (#7197)"

This reverts commit feccbe5e2180055888b78752d13f8212c9d73678.
---
 .changelog/10354.txt                          |   3 -
 .../services/privateca/privateca_ca_utils.go  |   4 +-
 ...esource_privateca_certificate_authority.go |   3 +-
 ...ce_privateca_certificate_authority_test.go | 163 ------------------
 4 files changed, 2 insertions(+), 171 deletions(-)
 delete mode 100644 .changelog/10354.txt

diff --git a/.changelog/10354.txt b/.changelog/10354.txt
deleted file mode 100644
index 5d05893929..0000000000
--- a/.changelog/10354.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-```release-note:bug
-privateca: fixed permission issues when activating a sub-CA in a different region
-```
\ No newline at end of file
diff --git a/google-beta/services/privateca/privateca_ca_utils.go b/google-beta/services/privateca/privateca_ca_utils.go
index c897728983..f5305fe623 100644
--- a/google-beta/services/privateca/privateca_ca_utils.go
+++ b/google-beta/services/privateca/privateca_ca_utils.go
@@ -230,14 +230,12 @@ func activateSubCAWithFirstPartyIssuer(config *transport_tpg.Config, d *schema.R
 		return fmt.Errorf("Error creating Certificate: %s", err)
 	}
 	signedCACert := res["pemCertificate"]
-	signerCertChain := res["pemCertificateChain"]
 
 	// 4. activate sub CA with the signed CA cert.
 	activateObj := make(map[string]interface{})
 	activateObj["pemCaCertificate"] = signedCACert
 	activateObj["subordinateConfig"] = make(map[string]interface{})
-	activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"] = make(map[string]interface{})
-	activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"].(map[string]interface{})["pemCertificates"] = signerCertChain
+	activateObj["subordinateConfig"].(map[string]interface{})["certificateAuthority"] = issuer
 
 	activateUrl, err := tpgresource.ReplaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}:activate")
 	if err != nil {
diff --git a/google-beta/services/privateca/resource_privateca_certificate_authority.go b/google-beta/services/privateca/resource_privateca_certificate_authority.go
index 3971bfb52e..8b478b9564 100644
--- a/google-beta/services/privateca/resource_privateca_certificate_authority.go
+++ b/google-beta/services/privateca/resource_privateca_certificate_authority.go
@@ -709,7 +709,6 @@ and usability purposes only. The resource name is in the format
 						},
 						"pem_issuer_chain": {
 							Type:     schema.TypeList,
-							Computed: true,
 							Optional: true,
 							Description: `Contains the PEM certificate chain for the issuers of this CertificateAuthority,
 but not pem certificate for this CA itself.`,
@@ -1539,7 +1538,7 @@ func flattenPrivatecaCertificateAuthoritySubordinateConfig(v interface{}, d *sch
 	return []interface{}{transformed}
 }
 func flattenPrivatecaCertificateAuthoritySubordinateConfigCertificateAuthority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
-	return d.Get("subordinate_config.0.certificate_authority")
+	return v
 }
 
 func flattenPrivatecaCertificateAuthoritySubordinateConfigPemIssuerChain(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
diff --git a/google-beta/services/privateca/resource_privateca_certificate_authority_test.go b/google-beta/services/privateca/resource_privateca_certificate_authority_test.go
index 53a689427c..60f48ddb06 100644
--- a/google-beta/services/privateca/resource_privateca_certificate_authority_test.go
+++ b/google-beta/services/privateca/resource_privateca_certificate_authority_test.go
@@ -122,33 +122,6 @@ func TestAccPrivatecaCertificateAuthority_rootCaManageDesiredState(t *testing.T)
 	})
 }
 
-func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssuerOnCreation(t *testing.T) {
-	t.Parallel()
-	acctest.SkipIfVcr(t)
-
-	random_suffix := acctest.RandString(t, 10)
-	context := map[string]interface{}{
-		"root_location": "us-central1",
-		"sub_location":  "australia-southeast1",
-		"random_suffix": random_suffix,
-	}
-
-	resourceName := "google_privateca_certificate_authority.sub-1"
-	acctest.VcrTest(t, resource.TestCase{
-		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
-		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
-		CheckDestroy:             testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t),
-		Steps: []resource.TestStep{
-			{
-				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context),
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr(resourceName, "state", "ENABLED"),
-				),
-			},
-		},
-	})
-}
-
 func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicRoot(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_privateca_certificate_authority" "default" {
@@ -314,139 +287,3 @@ resource "google_privateca_certificate_authority" "default" {
 }
 `, context)
 }
-
-// testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer provides a config
-// which contains
-// * A CaPool for root CA
-// * A root CA
-// * A CaPool for sub CA
-// * A subordinate CA which should be activated by the above root CA
-func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context map[string]interface{}) string {
-	return acctest.Nprintf(`
-resource "google_privateca_ca_pool" "root-pool" {
-	name     = "root-pool-%{random_suffix}"
-	location = "%{root_location}"
-	tier     = "ENTERPRISE"
-	publishing_options {
-	  publish_ca_cert = true
-	  publish_crl     = true
-	}
-}
-
-resource "google_privateca_certificate_authority" "root-1" {
-	pool = google_privateca_ca_pool.root-pool.name 
-	certificate_authority_id = "tf-test-my-certificate-authority-root-%{random_suffix}"
-	location = "%{root_location}"
-	config {
-		subject_config {
-		subject {
-			organization = "HashiCorp"
-			common_name = "my-certificate-authority"
-		}
-		subject_alt_name {
-			dns_names = ["hashicorp.com"]
-		}
-		}
-		x509_config {
-		ca_options {
-			is_ca = true
-			max_issuer_path_length = 10
-		}
-		key_usage {
-			base_key_usage {
-			digital_signature = true
-			content_commitment = true
-			key_encipherment = false
-			data_encipherment = true
-			key_agreement = true
-			cert_sign = true
-			crl_sign = true
-			decipher_only = true
-			}
-			extended_key_usage {
-			server_auth = true
-			client_auth = false
-			email_protection = true
-			code_signing = true
-			time_stamping = true
-			}
-		}
-		}
-	}
-	lifetime = "86400s"
-	key_spec {
-		algorithm = "RSA_PKCS1_4096_SHA256"
-	}
-
-	// Disable CA deletion related safe checks for easier cleanup.
-	deletion_protection                    = false
-	skip_grace_period                      = true
-	ignore_active_certificates_on_deletion = true
-}
-
-resource "google_privateca_ca_pool" "sub-pool" {
-	name     = "sub-pool-%{random_suffix}"
-	location = "%{sub_location}"
-	tier     = "ENTERPRISE"
-	publishing_options {
-	  publish_ca_cert = true
-	  publish_crl     = true
-	}
-}
-
-resource "google_privateca_certificate_authority" "sub-1" {
-	pool = google_privateca_ca_pool.sub-pool.name 
-	certificate_authority_id = "tf-test-my-certificate-authority-sub-%{random_suffix}"
-	location = "%{sub_location}"
-	subordinate_config {
-		certificate_authority = google_privateca_certificate_authority.root-1.name
-	}
-	config {
-		subject_config {
-		subject {
-			organization = "HashiCorp"
-			common_name = "my-certificate-authority"
-		}
-		subject_alt_name {
-			dns_names = ["hashicorp.com"]
-		}
-		}
-		x509_config {
-		ca_options {
-			is_ca = true
-			max_issuer_path_length = 10
-		}
-		key_usage {
-			base_key_usage {
-			digital_signature = true
-			content_commitment = true
-			key_encipherment = false
-			data_encipherment = true
-			key_agreement = true
-			cert_sign = true
-			crl_sign = true
-			decipher_only = true
-			}
-			extended_key_usage {
-			server_auth = true
-			client_auth = false
-			email_protection = true
-			code_signing = true
-			time_stamping = true
-			}
-		}
-		}
-	}
-	lifetime = "86400s"
-	key_spec {
-		algorithm = "RSA_PKCS1_4096_SHA256"
-	}
-	type = "SUBORDINATE"
-
-	// Disable CA deletion related safe checks for easier cleanup.
-	deletion_protection                    = false
-	skip_grace_period                      = true
-	ignore_active_certificates_on_deletion = true
-}
-`, context)
-}