diff --git a/build/terraform b/build/terraform
index 4b617183d608..ef9af199ef66 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit 4b617183d608b1e2e6b0aad37e12ceda97a076cd
+Subproject commit ef9af199ef66ccc1510b67af93b531ea38810779
diff --git a/build/terraform-beta b/build/terraform-beta
index c4c1494c9f82..7eb7179bef65 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit c4c1494c9f822bf3951c54b1b2b92eb0fcdcf102
+Subproject commit 7eb7179bef658ccae2617942190bc56ce8a685dd
diff --git a/third_party/terraform/resources/resource_google_service_account_key.go b/third_party/terraform/resources/resource_google_service_account_key.go
index a8688c0b81aa..6cd114e72f74 100644
--- a/third_party/terraform/resources/resource_google_service_account_key.go
+++ b/third_party/terraform/resources/resource_google_service_account_key.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 "log"
- "github.com/hashicorp/terraform-plugin-sdk/helper/encryption"
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 "google.golang.org/api/iam/v1"
@@ -31,10 +30,10 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 ValidateFunc: validation.StringInSlice([]string{"KEY_ALG_UNSPECIFIED", "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048"}, false),
 },
 "pgp_key": {
- Type: schema.TypeString,
- Optional: true,
- ForceNew: true,
- Deprecated: "The pgp_key field has been deprecated and support for encrypting values in state will be removed in version 3.0.0. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
+ Type: schema.TypeString,
+ Optional: true,
+ ForceNew: true,
+ Removed: "The pgp_key field has been removed. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
 },
 "private_key_type": {
 Type: schema.TypeString,
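Review bot: The new `Removed` message on `pgp_key` says the field is gone but not what that means for the secret: after this commit the create path always writes the key material to `private_key` in state unencrypted. I would say so in the message, e.g. `Removed: "The pgp_key field has been removed; private_key is now always stored unencrypted in state, so restrict access to and encrypt the state backend. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",`. The same applies to the `Removed` messages added to `private_key_encrypted` and `private_key_fingerprint` in the following hunk (@@ -77,10 +76,12 @@). Nothing visible in this diff clears or migrates those two attributes in state written by earlier versions, so it is worth confirming how an upgrade from a `pgp_key` configuration behaves. resourceGoogleServiceAccountKey's body continues outside the hunk.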
@@ -77,10 +76,12 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 "private_key_encrypted": {
 Type: schema.TypeString,
 Computed: true,
+ Removed: "The private_key_encrypted field has been removed. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
 },
 "private_key_fingerprint": {
 Type: schema.TypeString,
 Computed: true,
+ Removed: "The private_key_fingerprint field has been removed. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
 },
 },
 }
@@ -108,22 +109,7 @@ func resourceGoogleServiceAccountKeyCreate(d *schema.ResourceData, meta interfac
 // Data only available on create.
 d.Set("valid_after", sak.ValidAfterTime)
 d.Set("valid_before", sak.ValidBeforeTime)
- if v, ok := d.GetOk("pgp_key"); ok {
- encryptionKey, err := encryption.RetrieveGPGKey(v.(string))
- if err != nil {
- return err
- }
-
- fingerprint, encrypted, err := encryption.EncryptValue(encryptionKey, sak.PrivateKeyData, "Google Service Account Key")
- if err != nil {
- return err
- }
-
- d.Set("private_key_encrypted", encrypted)
- d.Set("private_key_fingerprint", fingerprint)
- } else {
- d.Set("private_key", sak.PrivateKeyData)
- }
+ d.Set("private_key", sak.PrivateKeyData)
 err = serviceAccountKeyWaitTime(config.clientIAM.Projects.ServiceAccounts.Keys, d.Id(), d.Get("public_key_type").(string), "Creating Service account key", 4)
 if err != nil {
diff --git a/third_party/terraform/tests/resource_google_service_account_key_test.go b/third_party/terraform/tests/resource_google_service_account_key_test.go
index 7f60a169a9c9..2c236906c8a4 100644
--- a/third_party/terraform/tests/resource_google_service_account_key_test.go
+++ b/third_party/terraform/tests/resource_google_service_account_key_test.go
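Review bot: The new `d.Set("private_key", sak.PrivateKeyData)` in resourceGoogleServiceAccountKeyCreate (@@ -108,22 +109,7 @@) ignores the error from `d.Set`, and with the `pgp_key` branch removed this is the only place the key material is persisted. The key data is only available on create, so a failed write would leave a live key whose private half is lost without any error reaching the user; check it with `if err := d.Set("private_key", sak.PrivateKeyData); err != nil { return fmt.Errorf("Error setting private_key: %s", err) }`. Because the value now always lands in state unencrypted, the `private_key` schema entry (outside this hunk) should be marked `Sensitive: true` — please confirm it is — and a comment here would help the next reader: `// private_key is stored unencrypted in state; the state backend must be access-controlled and encrypted.` The function starts and ends outside the hunk.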
@@ -58,28 +58,6 @@ func TestAccServiceAccountKey_fromEmail(t *testing.T) { }) } -func TestAccServiceAccountKey_pgp(t *testing.T) { - t.Parallel() - resourceName := "google_service_account_key.acceptance" - accountID := "a" + acctest.RandString(10) - displayName := "Terraform Test" - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - Steps: []resource.TestStep{ - { - Config: testAccServiceAccountKey_pgp(accountID, displayName, testKeyPairPubKey1), - Check: resource.ComposeTestCheckFunc( - testAccCheckGoogleServiceAccountKeyExists(resourceName), - resource.TestCheckResourceAttrSet(resourceName, "public_key"), - resource.TestCheckResourceAttrSet(resourceName, "private_key_encrypted"), - resource.TestCheckResourceAttrSet(resourceName, "private_key_fingerprint"), - ), - }, - }, - }) -} - func testAccCheckGoogleServiceAccountKeyExists(r string) resource.TestCheckFunc { return func(s *terraform.State) error { @@ -129,47 +107,3 @@ resource "google_service_account_key" "acceptance" { } `, account, name) } - -func testAccServiceAccountKey_pgp(account, name string, key string) string { - return fmt.Sprintf(` -resource "google_service_account" "acceptance" { - account_id = "%s" - display_name = "%s" -} - -resource "google_service_account_key" "acceptance" { - service_account_id = "${google_service_account.acceptance.name}" - public_key_type = "TYPE_X509_PEM_FILE" - pgp_key = < **NOTE:** The pgp_key field has been deprecated and support for encrypting values in state will be removed in version 3.0.0. -See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information. - - ## Attributes Reference The following attributes are exported in addition to the arguments listed above: 
@@ -97,15 +88,7 @@ The following attributes are exported in addition to the arguments listed above: * `public_key` - The public key, base64 encoded * `private_key` - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating -service account keys through the CLI or web console. This is only populated when creating a new key, and when no -`pgp_key` is provided. - -* `private_key_encrypted` – The private key material, base 64 encoded and -encrypted with the given `pgp_key`. This is only populated when creating a new -key and `pgp_key` is supplied - -* `private_key_fingerprint` - The MD5 public key fingerprint for the encrypted -private key. This is only populated when creating a new key and `pgp_key` is supplied +service account keys through the CLI or web console. This is only populated when creating a new key. * `valid_after` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".