Skip to content

Commit

Permalink
[Terraform]: Add support for protection level to kms crypto key (#1107)
Browse files Browse the repository at this point in the history
Merged PR #1107.
  • Loading branch information
rileykarson authored and modular-magician committed Dec 27, 2018
1 parent fc82d52 commit a425d9b
Show file tree
Hide file tree
Showing 5 changed files with 80 additions and 3 deletions.
2 changes: 1 addition & 1 deletion build/terraform
2 changes: 1 addition & 1 deletion build/terraform-beta
62 changes: 61 additions & 1 deletion third_party/terraform/resources/resource_kms_crypto_key.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package google

import (
"fmt"
"github.com/hashicorp/terraform/helper/validation"
"log"
"regexp"
"strconv"
Expand Down Expand Up @@ -39,6 +40,27 @@ func resourceKmsCryptoKey() *schema.Resource {
Optional: true,
ValidateFunc: validateKmsCryptoKeyRotationPeriod,
},
"version_template": {
Type: schema.TypeList,
MaxItems: 1,
Optional: true,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"algorithm": {
Type: schema.TypeString,
Required: true,
},
"protection_level": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
Default: "SOFTWARE",
ValidateFunc: validation.StringInSlice([]string{"SOFTWARE", "HSM", ""}, false),
},
},
},
},
"self_link": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -84,7 +106,10 @@ func resourceKmsCryptoKeyCreate(d *schema.ResourceData, meta interface{}) error
Name: d.Get("name").(string),
}

key := cloudkms.CryptoKey{Purpose: "ENCRYPT_DECRYPT"}
key := cloudkms.CryptoKey{
Purpose: "ENCRYPT_DECRYPT",
VersionTemplate: expandVersionTemplate(d.Get("version_template").([]interface{})),
}

if d.Get("rotation_period") != "" {
rotationPeriod := d.Get("rotation_period").(string)
Expand Down Expand Up @@ -133,6 +158,10 @@ func resourceKmsCryptoKeyUpdate(d *schema.ResourceData, meta interface{}) error
key.RotationPeriod = rotationPeriod
}

if d.HasChange("version_template") {
key.VersionTemplate = expandVersionTemplate(d.Get("version_template").([]interface{}))
}

cryptoKey, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Patch(cryptoKeyId.cryptoKeyId(), &key).UpdateMask("rotation_period,next_rotation_time").Do()

if err != nil {
Expand Down Expand Up @@ -165,6 +194,10 @@ func resourceKmsCryptoKeyRead(d *schema.ResourceData, meta interface{}) error {
d.Set("rotation_period", cryptoKey.RotationPeriod)
d.Set("self_link", cryptoKey.Name)

if err = d.Set("version_template", flattenVersionTemplate(cryptoKey.VersionTemplate)); err != nil {
return fmt.Errorf("Error setting version_template in state: %s", err.Error())
}

d.SetId(cryptoKeyId.cryptoKeyId())

return nil
Expand Down Expand Up @@ -219,6 +252,33 @@ and all its CryptoKeyVersions will be destroyed, but it will still be present on
return nil
}

func expandVersionTemplate(configured []interface{}) *cloudkms.CryptoKeyVersionTemplate {
if configured == nil || len(configured) == 0 {
return nil
}

data := configured[0].(map[string]interface{})
return &cloudkms.CryptoKeyVersionTemplate{
Algorithm: data["algorithm"].(string),
ProtectionLevel: data["protection_level"].(string),
}
}

func flattenVersionTemplate(versionTemplate *cloudkms.CryptoKeyVersionTemplate) []map[string]interface{} {
if versionTemplate == nil {
return nil
}

versionTemplateSchema := make([]map[string]interface{}, 0, 1)
data := map[string]interface{}{
"algorithm": versionTemplate.Algorithm,
"protection_level": versionTemplate.ProtectionLevel,
}

versionTemplateSchema = append(versionTemplateSchema, data)
return versionTemplateSchema
}

func validateKmsCryptoKeyRotationPeriod(value interface{}, _ string) (ws []string, errors []error) {
period := value.(string)
pattern := regexp.MustCompile("^([0-9.]*\\d)s$")
Expand Down
4 changes: 4 additions & 0 deletions third_party/terraform/tests/resource_kms_crypto_key_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -270,6 +270,10 @@ resource "google_kms_crypto_key" "crypto_key" {
name = "%s"
key_ring = "${google_kms_key_ring.key_ring.self_link}"
rotation_period = "1000000s"
version_template {
algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION"
protection_level = "SOFTWARE"
}
}
`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName)
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,19 @@ The following arguments are supported:
the primary. The first rotation will take place after the specified period. The rotation period has the format
of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than
a day (ie, 86400).

* `version_template` - (Optional) A template describing settings for new crypto key versions. Structure is documented below.

---

The `version_template` block supports:

* `algorithm` - (Required) The algorithm to use when creating a version based on this template.
See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm)
for possible inputs.

* `protection_level` - (Optional) The protection level to use when creating a version based on this template.
One of `SOFTWARE`, or `HSM`.

## Attributes Reference

Expand Down

0 comments on commit a425d9b

Please sign in to comment.