Added data source google kms secret asymmetric #4664
Conversation
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
melinath
changed the title
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 6 files changed, 461 insertions(+), 2 deletions(-)) |
|
I have triggered VCR tests based on this PR's diffs. See the results here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=181054" |
melinath
requested review from
a team and
slevenick
and removed request for
a team
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccCloudRunDomainMapping_foregroundDeletion|TestAccDataprocCluster_withConfigOverrides You can view the result here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=181066" |
|
Hah, yeah, thanks for catching that! |
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 5 files changed, 164 insertions(+), 2 deletions(-)) |
|
I have triggered VCR tests based on this PR's diffs. See the results here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=181247" |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccCloudRunDomainMapping_foregroundDeletion|TestAccComputeRouterPeer_advertiseMode|TestAccDataprocCluster_withConfigOverrides You can view the result here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=181253" |
|
Tests failed during RECORDING mode: TestAccDataprocCluster_withConfigOverrides|TestAccCloudRunDomainMapping_foregroundDeletion Please fix these to complete your PR |
| return crc32.Checksum(data, t) | ||
| } | ||
|
|
||
| ciphertextCRC32C := crc32c(ciphertext) |
There was a problem hiding this comment.
If we can calculate the checksum from the ciphertext, why would a user input a checksum? I'm not super familiar with this, but it feels strange
There was a problem hiding this comment.
It looks like this feature is for data integrity purposes.
There was a problem hiding this comment.
Oh, you mean why would we allow them to input it rather than just always calculating it? good question!
There was a problem hiding this comment.
@mvanholsteijn what would you think about always calculating the ciphertext, instead of letting users optionally set it?
There was a problem hiding this comment.
If the user passes in the checksum, s/he is absolutely sure that the ciphertext being decrypted is the one s/he generated. If this feels unnecessary, then the checksum can be calculated for them.
For ease of use and simplicity, I am fine with ditching the crc32 as a parameter.
There was a problem hiding this comment.
I think it would be fine to take it out or leave it in - but if it stays in, the docs should clarify that we will still calculate & send it if they don't supply a value.
There was a problem hiding this comment.
Hi @melinath, I created the following PR on the PR. Is this sufficient?
|
The I think the improvement here over google_kms_secret is that the encryption is asymmetric. |
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
Upstreams hashicorp/terraform-provider-google-beta#3126, which is a fixed version of hashicorp/terraform-provider-google-beta#3052 (previously upstreamed as #4609). Note that although the original PR was against tpg-beta, it seems to be a GA API.
Related to hashicorp/terraform-provider-google#6462.
If this PR is for Terraform, I acknowledge that I have:
make testandmake lintto ensure it passes unit and linter tests.Release Note Template for Downstream PRs (will be copied)