Skip to content

Commit

Permalink
Merge pull request #38492 from kamilturek/f-aws-cloudwatch-event-bus-…
Browse files Browse the repository at this point in the history
…kms-key-identifier

rd/aws_cloudwatch_event_bus: Add `kms_key_identifier` argument
  • Loading branch information
jar-b authored Jul 25, 2024
2 parents c5d502a + e9d3fbf commit 2369532
Show file tree
Hide file tree
Showing 7 changed files with 252 additions and 2 deletions.
7 changes: 7 additions & 0 deletions .changelog/38492.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
```release-note:enhancement
resource/aws_cloudwatch_event_bus: Add `kms_key_identifier` argument
```

```release-note:enhancement
data-source/aws_cloudwatch_event_bus: Add `kms_key_identifier` attribute
```
28 changes: 27 additions & 1 deletion internal/service/events/bus.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/hashicorp/terraform-provider-aws/internal/conns"
"github.com/hashicorp/terraform-provider-aws/internal/errs"
"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
Expand Down Expand Up @@ -46,6 +47,11 @@ func resourceBus() *schema.Resource {
ForceNew: true,
ValidateFunc: validSourceName,
},
"kms_key_identifier": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringLenBetween(1, 2048),
},
names.AttrName: {
Type: schema.TypeString,
Required: true,
Expand Down Expand Up @@ -74,6 +80,10 @@ func resourceBusCreate(ctx context.Context, d *schema.ResourceData, meta interfa
input.EventSourceName = aws.String(v.(string))
}

if v, ok := d.GetOk("kms_key_identifier"); ok {
input.KmsKeyIdentifier = aws.String(v.(string))
}

output, err := conn.CreateEventBus(ctx, input)

// Some partitions (e.g. ISO) may not support tag-on-create.
Expand Down Expand Up @@ -123,15 +133,31 @@ func resourceBusRead(ctx context.Context, d *schema.ResourceData, meta interface
}

d.Set(names.AttrARN, output.Arn)
d.Set("kms_key_identifier", output.KmsKeyIdentifier)
d.Set(names.AttrName, output.Name)

return diags
}

func resourceBusUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
var diags diag.Diagnostics
conn := meta.(*conns.AWSClient).EventsClient(ctx)

if d.HasChange("kms_key_identifier") {
input := &eventbridge.UpdateEventBusInput{
Name: aws.String(d.Get(names.AttrName).(string)),
}

if v, ok := d.GetOk("kms_key_identifier"); ok {
input.KmsKeyIdentifier = aws.String(v.(string))
}

_, err := conn.UpdateEventBus(ctx, input)

// Tags only.
if err != nil {
return sdkdiag.AppendErrorf(diags, "updating EventBridge Event Bus (%s): %s", d.Id(), err)
}
}

return append(diags, resourceBusRead(ctx, d, meta)...)
}
Expand Down
5 changes: 5 additions & 0 deletions internal/service/events/bus_data_source.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@ func dataSourceBus() *schema.Resource {
Type: schema.TypeString,
Computed: true,
},
"kms_key_identifier": {
Type: schema.TypeString,
Computed: true,
},
names.AttrName: {
Type: schema.TypeString,
Required: true,
Expand All @@ -44,6 +48,7 @@ func dataSourceBusRead(ctx context.Context, d *schema.ResourceData, meta interfa

d.SetId(eventBusName)
d.Set(names.AttrARN, output.Arn)
d.Set("kms_key_identifier", output.KmsKeyIdentifier)
d.Set(names.AttrName, output.Name)

return diags
Expand Down
86 changes: 86 additions & 0 deletions internal/service/events/bus_data_source_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,27 @@ func TestAccEventsBusDataSource_basic(t *testing.T) {
})
}

func TestAccEventsBusDataSource_kmsKeyIdentifier(t *testing.T) {
ctx := acctest.Context(t)
busName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
dataSourceName := "data.aws_cloudwatch_event_bus.test"
resourceName := "aws_cloudwatch_event_bus.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, names.EventsServiceID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
Steps: []resource.TestStep{
{
Config: testAccBusDataSourceConfig_kmsKeyIdentifier(busName),
Check: resource.ComposeAggregateTestCheckFunc(
resource.TestCheckResourceAttrPair(dataSourceName, "kms_key_identifier", resourceName, "kms_key_identifier"),
),
},
},
})
}

func testAccBusDataSourceConfig_basic(busName string) string {
return fmt.Sprintf(`
resource "aws_cloudwatch_event_bus" "test" {
Expand All @@ -46,3 +67,68 @@ data "aws_cloudwatch_event_bus" "test" {
}
`, busName)
}

func testAccBusDataSourceConfig_kmsKeyIdentifier(busName string) string {
return fmt.Sprintf(`
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
resource "aws_kms_key" "test" {
deletion_window_in_days = 7
}
data "aws_iam_policy_document" "key_policy" {
statement {
actions = [
"kms:Decrypt",
"kms:GenerateDataKey"
]
resources = [
aws_kms_key.test.arn,
]
principals {
type = "Service"
identifiers = ["events.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "aws:SourceAccount"
values = [data.aws_caller_identity.current.account_id]
}
}
statement {
actions = [
"kms:*",
]
resources = [
aws_kms_key.test.arn
]
principals {
type = "AWS"
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
}
resource "aws_kms_key_policy" "test" {
key_id = aws_kms_key.test.id
policy = data.aws_iam_policy_document.key_policy.json
}
resource "aws_cloudwatch_event_bus" "test" {
name = %[1]q
kms_key_identifier = aws_kms_key.test.arn
}
data "aws_cloudwatch_event_bus" "test" {
name = aws_cloudwatch_event_bus.test.name
}
`, busName)
}
124 changes: 124 additions & 0 deletions internal/service/events/bus_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,41 @@ func TestAccEventsBus_basic(t *testing.T) {
})
}

func TestAccEventsBus_kmsKeyIdentifier(t *testing.T) {
ctx := acctest.Context(t)
var v1, v2 eventbridge.DescribeEventBusOutput
busName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
resourceName := "aws_cloudwatch_event_bus.test"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, names.EventsServiceID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckBusDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccBusConfig_kmsKeyIdentifier1(busName),
Check: resource.ComposeTestCheckFunc(
testAccCheckBusExists(ctx, resourceName, &v1),
resource.TestCheckResourceAttrPair(resourceName, "kms_key_identifier", "aws_kms_key.test1", names.AttrARN),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccBusConfig_kmsKeyIdentifier2(busName),
Check: resource.ComposeTestCheckFunc(
testAccCheckBusExists(ctx, resourceName, &v2),
resource.TestCheckResourceAttrPair(resourceName, "kms_key_identifier", "aws_kms_key.test2", names.AttrARN),
),
},
},
})
}

func TestAccEventsBus_tags(t *testing.T) {
ctx := acctest.Context(t)
var v1, v2, v3 eventbridge.DescribeEventBusOutput
Expand Down Expand Up @@ -300,3 +335,92 @@ resource "aws_cloudwatch_event_bus" "test" {
}
`, name)
}

func testAccBusConfig_kmsKeyIdentifierBase() string {
return `
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
resource "aws_kms_key" "test1" {
deletion_window_in_days = 7
}
resource "aws_kms_key" "test2" {
deletion_window_in_days = 7
}
data "aws_iam_policy_document" "key_policy" {
statement {
actions = [
"kms:Decrypt",
"kms:GenerateDataKey"
]
resources = [
aws_kms_key.test1.arn,
aws_kms_key.test2.arn,
]
principals {
type = "Service"
identifiers = ["events.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "aws:SourceAccount"
values = [data.aws_caller_identity.current.account_id]
}
}
statement {
actions = [
"kms:*",
]
resources = [
aws_kms_key.test1.arn,
aws_kms_key.test2.arn,
]
principals {
type = "AWS"
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
}
}
}
resource "aws_kms_key_policy" "test1" {
key_id = aws_kms_key.test1.id
policy = data.aws_iam_policy_document.key_policy.json
}
resource "aws_kms_key_policy" "test2" {
key_id = aws_kms_key.test2.id
policy = data.aws_iam_policy_document.key_policy.json
}
`
}

func testAccBusConfig_kmsKeyIdentifier1(name string) string {
return acctest.ConfigCompose(
testAccBusConfig_kmsKeyIdentifierBase(),
fmt.Sprintf(`
resource "aws_cloudwatch_event_bus" "test" {
name = %[1]q
kms_key_identifier = aws_kms_key.test1.arn
}
`, name))
}

func testAccBusConfig_kmsKeyIdentifier2(name string) string {
return acctest.ConfigCompose(
testAccBusConfig_kmsKeyIdentifierBase(),
fmt.Sprintf(`
resource "aws_cloudwatch_event_bus" "test" {
name = %[1]q
kms_key_identifier = aws_kms_key.test2.arn
}
`, name))
}
1 change: 1 addition & 0 deletions website/docs/d/cloudwatch_event_bus.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,4 @@ data "aws_cloudwatch_event_bus" "example" {
This data source exports the following attributes in addition to the arguments above:

* `arn` - ARN.
* `kms_key_identifier` - The identifier of the AWS KMS customer managed key for EventBridge to use to encrypt events on this event bus, if one has been specified.
3 changes: 2 additions & 1 deletion website/docs/r/cloudwatch_event_bus.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,8 @@ resource "aws_cloudwatch_event_bus" "examplepartner" {
This resource supports the following arguments:

* `name` - (Required) The name of the new event bus. The names of custom event buses can't contain the / character. To create a partner event bus, ensure the `name` matches the `event_source_name`.
* `event_source_name` (Optional) The partner event source that the new event bus will be matched with. Must match `name`.
* `event_source_name` - (Optional) The partner event source that the new event bus will be matched with. Must match `name`.
* `kms_key_identifier` - (Optional) The identifier of the AWS KMS customer managed key for EventBridge to use, if you choose to use a customer managed key to encrypt events on this event bus. The identifier can be the key Amazon Resource Name (ARN), KeyId, key alias, or key alias ARN.
* `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.

## Attribute Reference
Expand Down

0 comments on commit 2369532

Please sign in to comment.