diff --git a/google-beta/resource_compute_disk.go b/google-beta/resource_compute_disk.go index 097f72641f..931b2e4428 100644 --- a/google-beta/resource_compute_disk.go +++ b/google-beta/resource_compute_disk.go @@ -269,6 +269,12 @@ func resourceComputeDisk() *schema.Resource { MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "kms_key_self_link": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + DiffSuppressFunc: compareSelfLinkRelativePaths, + }, "raw_key": { Type: schema.TypeString, Optional: true, @@ -310,6 +316,12 @@ func resourceComputeDisk() *schema.Resource { MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "kms_key_self_link": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + DiffSuppressFunc: compareSelfLinkRelativePaths, + }, "raw_key": { Type: schema.TypeString, Optional: true, @@ -329,6 +341,12 @@ func resourceComputeDisk() *schema.Resource { MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "kms_key_self_link": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + DiffSuppressFunc: compareSelfLinkRelativePaths, + }, "raw_key": { Type: schema.TypeString, Optional: true, @@ -918,6 +936,8 @@ func flattenComputeDiskSourceImageEncryptionKey(v interface{}) interface{} { flattenComputeDiskSourceImageEncryptionKeyRawKey(original["rawKey"]) transformed["sha256"] = flattenComputeDiskSourceImageEncryptionKeySha256(original["sha256"]) + transformed["kms_key_self_link"] = + flattenComputeDiskSourceImageEncryptionKeyKmsKeySelfLink(original["kmsKeyName"]) return []interface{}{transformed} } func flattenComputeDiskSourceImageEncryptionKeyRawKey(v interface{}) interface{} { 
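Review bot: In the first schema hunk, `kms_key_self_link` is added next to `raw_key` with nothing that stops a configuration from setting both. The expanders later in this file copy every non-empty field into the request, so `rawKey` and `kmsKeyName` would be sent together. Rejecting that at plan time keeps it unambiguous which key protects the disk. If the SDK version in use accepts nested paths, `ConflictsWith: []string{"<block>.0.raw_key"},` would do it, where `<block>` is the enclosing encryption-key block, whose name lies outside the hunk. The same applies to the two identical schema hunks that follow (old lines 310 and 329).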
@@ -928,6 +948,10 @@ func flattenComputeDiskSourceImageEncryptionKeySha256(v interface{}) interface{} return v } +func flattenComputeDiskSourceImageEncryptionKeyKmsKeySelfLink(v interface{}) interface{} { + return v +} + func flattenComputeDiskSourceImageId(v interface{}) interface{} { return v } @@ -942,6 +966,8 @@ func flattenComputeDiskDiskEncryptionKey(v interface{}) interface{} { flattenComputeDiskDiskEncryptionKeyRawKey(original["rawKey"]) transformed["sha256"] = flattenComputeDiskDiskEncryptionKeySha256(original["sha256"]) + transformed["kms_key_self_link"] = + flattenComputeDiskDiskEncryptionKeyKmsKeySelfLink(original["kmsKeyName"]) return []interface{}{transformed} } func flattenComputeDiskDiskEncryptionKeyRawKey(v interface{}) interface{} { @@ -952,6 +978,10 @@ func flattenComputeDiskDiskEncryptionKeySha256(v interface{}) interface{} { return v } +func flattenComputeDiskDiskEncryptionKeyKmsKeySelfLink(v interface{}) interface{} { + return v +} + func flattenComputeDiskSnapshot(v interface{}) interface{} { if v == nil { return v @@ -967,6 +997,8 @@ func flattenComputeDiskSourceSnapshotEncryptionKey(v interface{}) interface{} { transformed := make(map[string]interface{}) transformed["raw_key"] = flattenComputeDiskSourceSnapshotEncryptionKeyRawKey(original["rawKey"]) + transformed["kms_key_self_link"] = + flattenComputeDiskSourceSnapshotEncryptionKeyKmsKeySelfLink(original["kmsKeyName"]) transformed["sha256"] = flattenComputeDiskSourceSnapshotEncryptionKeySha256(original["sha256"]) return []interface{}{transformed} @@ -975,6 +1007,10 @@ func flattenComputeDiskSourceSnapshotEncryptionKeyRawKey(v interface{}) interfac return v } +func flattenComputeDiskSourceSnapshotEncryptionKeyKmsKeySelfLink(v interface{}) interface{} { + return v +} + func flattenComputeDiskSourceSnapshotEncryptionKeySha256(v interface{}) interface{} { return v } 
@@ -1053,6 +1089,13 @@ func expandComputeDiskSourceImageEncryptionKey(v interface{}, d *schema.Resource transformed["sha256"] = transformedSha256 } + transformedKmsKeySelfLink, err := expandComputeDiskSourceImageEncryptionKeyKmsKeySelfLink(original["kms_key_self_link"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKmsKeySelfLink); val.IsValid() && !isEmptyValue(val) { + transformed["kmsKeyName"] = transformedKmsKeySelfLink + } + return transformed, nil } @@ -1064,6 +1107,10 @@ func expandComputeDiskSourceImageEncryptionKeySha256(v interface{}, d *schema.Re return v, nil } +func expandComputeDiskSourceImageEncryptionKeyKmsKeySelfLink(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandComputeDiskDiskEncryptionKey(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { l := v.([]interface{}) if len(l) == 0 || l[0] == nil { @@ -1087,6 +1134,13 @@ func expandComputeDiskDiskEncryptionKey(v interface{}, d *schema.ResourceData, c transformed["sha256"] = transformedSha256 } + transformedKmsKeySelfLink, err := expandComputeDiskDiskEncryptionKeyKmsKeySelfLink(original["kms_key_self_link"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKmsKeySelfLink); val.IsValid() && !isEmptyValue(val) { + transformed["kmsKeyName"] = transformedKmsKeySelfLink + } + return transformed, nil } @@ -1098,6 +1152,10 @@ func expandComputeDiskDiskEncryptionKeySha256(v interface{}, d *schema.ResourceD return v, nil } +func expandComputeDiskDiskEncryptionKeyKmsKeySelfLink(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandComputeDiskSnapshot(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { f, err := parseGlobalFieldValue("snapshots", v.(string), "project", d, config, true) if err != nil { 
@@ -1122,6 +1180,13 @@ func expandComputeDiskSourceSnapshotEncryptionKey(v interface{}, d *schema.Resou transformed["rawKey"] = transformedRawKey } + transformedKmsKeySelfLink, err := expandComputeDiskSourceSnapshotEncryptionKeyKmsKeySelfLink(original["kms_key_self_link"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKmsKeySelfLink); val.IsValid() && !isEmptyValue(val) { + transformed["kmsKeyName"] = transformedKmsKeySelfLink + } + transformedSha256, err := expandComputeDiskSourceSnapshotEncryptionKeySha256(original["sha256"], d, config) if err != nil { return nil, err @@ -1136,6 +1201,10 @@ func expandComputeDiskSourceSnapshotEncryptionKeyRawKey(v interface{}, d *schema return v, nil } +func expandComputeDiskSourceSnapshotEncryptionKeyKmsKeySelfLink(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandComputeDiskSourceSnapshotEncryptionKeySha256(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil } @@ -1211,6 +1280,11 @@ func resourceComputeDiskDecoder(d *schema.ResourceData, meta interface{}, res ma // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("disk_encryption_key.0.raw_key") transformed["sha256"] = original["sha256"] + + // The response for crypto keys often includes the version of the key which needs to be removed + // format: projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/1 + transformed["kmsKeyName"] = strings.Split(original["kmsKeyName"].(string), "/cryptoKeyVersions")[0] + res["diskEncryptionKey"] = transformed } 
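Review bot: The decoder line added in the last hunk here (`resourceComputeDiskDecoder`, the `diskEncryptionKey` branch) uses an unchecked type assertion, `original["kmsKeyName"].(string)`, which panics when the response carries no `kmsKeyName`. The neighbouring `rawKey` handling suggests this branch also runs for disks encrypted with a customer-supplied raw key, where that field is presumably absent. Guard it: `if name, ok := original["kmsKeyName"].(string); ok { transformed["kmsKeyName"] = strings.Split(name, "/cryptoKeyVersions")[0] }`. The same line is added in the `sourceImageEncryptionKey` and `sourceSnapshotEncryptionKey` branches that follow, and three times in `resourceComputeRegionDiskDecoder`. The decoder body starts and ends outside the hunk, and no visible hunk adds `strings` to this file's imports (resource_compute_region_disk.go gets one), so confirm it is already imported.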
@@ -1220,6 +1294,11 @@ func resourceComputeDiskDecoder(d *schema.ResourceData, meta interface{}, res ma // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("source_image_encryption_key.0.raw_key") transformed["sha256"] = original["sha256"] + + // The response for crypto keys often includes the version of the key which needs to be removed + // format: projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/1 + transformed["kmsKeyName"] = strings.Split(original["kmsKeyName"].(string), "/cryptoKeyVersions")[0] + res["sourceImageEncryptionKey"] = transformed } @@ -1229,6 +1308,11 @@ func resourceComputeDiskDecoder(d *schema.ResourceData, meta interface{}, res ma // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("source_snapshot_encryption_key.0.raw_key") transformed["sha256"] = original["sha256"] + + // The response for crypto keys often includes the version of the key which needs to be removed + // format: projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/1 + transformed["kmsKeyName"] = strings.Split(original["kmsKeyName"].(string), "/cryptoKeyVersions")[0] + res["sourceSnapshotEncryptionKey"] = transformed } diff --git a/google-beta/resource_compute_disk_test.go b/google-beta/resource_compute_disk_test.go index e85469a1f7..b827aaa94b 100644 --- a/google-beta/resource_compute_disk_test.go +++ b/google-beta/resource_compute_disk_test.go @@ -220,7 +220,7 @@ func TestAccComputeDisk_basic(t *testing.T) { Config: testAccComputeDisk_basic(diskName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foobar", &disk), + "google_compute_disk.foobar", getTestProjectFromEnv(), &disk), testAccCheckComputeDiskHasLabel(&disk, "my-label", "my-label-value"), testAccCheckComputeDiskHasLabelFingerprint(&disk, "google_compute_disk.foobar"), ), 
@@ -264,7 +264,7 @@ func TestAccComputeDisk_update(t *testing.T) { Config: testAccComputeDisk_basic(diskName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foobar", &disk), + "google_compute_disk.foobar", getTestProjectFromEnv(), &disk), resource.TestCheckResourceAttr("google_compute_disk.foobar", "size", "50"), testAccCheckComputeDiskHasLabel(&disk, "my-label", "my-label-value"), testAccCheckComputeDiskHasLabelFingerprint(&disk, "google_compute_disk.foobar"), @@ -274,7 +274,7 @@ func TestAccComputeDisk_update(t *testing.T) { Config: testAccComputeDisk_updated(diskName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foobar", &disk), + "google_compute_disk.foobar", getTestProjectFromEnv(), &disk), resource.TestCheckResourceAttr("google_compute_disk.foobar", "size", "100"), testAccCheckComputeDiskHasLabel(&disk, "my-label", "my-updated-label-value"), testAccCheckComputeDiskHasLabel(&disk, "a-new-label", "a-new-label-value"), @@ -304,14 +304,14 @@ func TestAccComputeDisk_fromSnapshot(t *testing.T) { Config: testAccComputeDisk_fromSnapshot(projectName, firstDiskName, snapshotName, diskName, "self_link"), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.seconddisk", &disk), + "google_compute_disk.seconddisk", getTestProjectFromEnv(), &disk), ), }, resource.TestStep{ Config: testAccComputeDisk_fromSnapshot(projectName, firstDiskName, snapshotName, diskName, "name"), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.seconddisk", &disk), + "google_compute_disk.seconddisk", getTestProjectFromEnv(), &disk), ), }, }, 
@@ -333,7 +333,7 @@ func TestAccComputeDisk_encryption(t *testing.T) { Config: testAccComputeDisk_encryption(diskName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foobar", &disk), + "google_compute_disk.foobar", getTestProjectFromEnv(), &disk), testAccCheckEncryptionKey( "google_compute_disk.foobar", &disk), ), @@ -358,7 +358,7 @@ func TestAccComputeDisk_deleteDetach(t *testing.T) { Config: testAccComputeDisk_deleteDetach(instanceName, diskName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foo", &disk), + "google_compute_disk.foo", getTestProjectFromEnv(), &disk), ), }, // this needs to be a second step so we refresh and see the instance @@ -369,7 +369,7 @@ func TestAccComputeDisk_deleteDetach(t *testing.T) { Config: testAccComputeDisk_deleteDetach(instanceName, diskName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foo", &disk), + "google_compute_disk.foo", getTestProjectFromEnv(), &disk), testAccCheckComputeDiskInstances( "google_compute_disk.foo", &disk), ), @@ -395,7 +395,7 @@ func TestAccComputeDisk_deleteDetachIGM(t *testing.T) { Config: testAccComputeDisk_deleteDetachIGM(diskName, mgrName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foo", &disk), + "google_compute_disk.foo", getTestProjectFromEnv(), &disk), ), }, // this needs to be a second step so we refresh and see the instance @@ -406,7 +406,7 @@ func TestAccComputeDisk_deleteDetachIGM(t *testing.T) { Config: testAccComputeDisk_deleteDetachIGM(diskName, mgrName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foo", &disk), + "google_compute_disk.foo", getTestProjectFromEnv(), &disk), testAccCheckComputeDiskInstances( "google_compute_disk.foo", &disk), ), 
@@ -416,7 +416,7 @@ func TestAccComputeDisk_deleteDetachIGM(t *testing.T) { Config: testAccComputeDisk_deleteDetachIGM(diskName2, mgrName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foo", &disk), + "google_compute_disk.foo", getTestProjectFromEnv(), &disk), ), }, // Add the extra step like before @@ -424,7 +424,7 @@ func TestAccComputeDisk_deleteDetachIGM(t *testing.T) { Config: testAccComputeDisk_deleteDetachIGM(diskName2, mgrName), Check: resource.ComposeTestCheckFunc( testAccCheckComputeDiskExists( - "google_compute_disk.foo", &disk), + "google_compute_disk.foo", getTestProjectFromEnv(), &disk), testAccCheckComputeDiskInstances( "google_compute_disk.foo", &disk), ), @@ -483,9 +483,8 @@ func testAccCheckComputeDiskDestroy(s *terraform.State) error { return nil } -func testAccCheckComputeDiskExists(n string, disk *compute.Disk) resource.TestCheckFunc { +func testAccCheckComputeDiskExists(n, p string, disk *compute.Disk) resource.TestCheckFunc { return func(s *terraform.State) error { - p := getTestProjectFromEnv() rs, ok := s.RootModule().Resources[n] if !ok { return fmt.Errorf("Not found: %s", n) 
@@ -693,6 +692,83 @@ resource "google_compute_disk" "foobar" { }`, diskName) } +func testAccComputeDisk_encryptionKMS(pid, pname, org, billing, diskName, keyRingName, keyName string) string { + return fmt.Sprintf(` +resource "google_project" "project" { + project_id = "%s" + name = "%s" + org_id = "%s" + billing_account = "%s" +} + +data "google_compute_image" "my_image" { + family = "debian-9" + project = "debian-cloud" +} + +resource "google_project_services" "apis" { + project = "${google_project.project.project_id}" + + services = [ + "oslogin.googleapis.com", + "compute.googleapis.com", + "cloudkms.googleapis.com", + "appengine.googleapis.com", + ] +} + +resource "google_project_iam_member" "kms-project-binding" { + project = "${google_project.project.project_id}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${google_project.project.number}@compute-system.iam.gserviceaccount.com" + + depends_on = ["google_project_services.apis"] +} + +resource "google_kms_crypto_key_iam_binding" "kms-key-binding" { + crypto_key_id = "${google_kms_crypto_key.my_crypto_key.self_link}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + members = [ + "serviceAccount:service-${google_project.project.number}@compute-system.iam.gserviceaccount.com", + ] + + depends_on = ["google_project_services.apis"] +} + +resource "google_kms_key_ring" "my_key_ring" { + name = "%s" + project = "${google_project.project.project_id}" + location = "us-central1" + + depends_on = ["google_project_services.apis"] +} + +resource "google_kms_crypto_key" "my_crypto_key" { + name = "%s" + key_ring = "${google_kms_key_ring.my_key_ring.self_link}" +} + +resource "google_compute_disk" "foobar" { + name = "%s" + image = "${data.google_compute_image.my_image.self_link}" + size = 10 + type = "pd-ssd" + zone = "us-central1-a" + project = "${google_project.project.project_id}" + + disk_encryption_key { + kms_key_self_link = 
"${google_kms_crypto_key.my_crypto_key.self_link}" + } + + depends_on = [ + "google_kms_crypto_key_iam_binding.kms-key-binding", + "google_project_iam_member.kms-project-binding", + ] +} +`, pid, pname, org, billing, keyRingName, keyName, diskName) +} + func testAccComputeDisk_deleteDetach(instanceName, diskName string) string { return fmt.Sprintf(` data "google_compute_image" "my_image" { diff --git a/google-beta/resource_compute_region_disk.go b/google-beta/resource_compute_region_disk.go index 5a91dabac9..7e6af777f1 100644 --- a/google-beta/resource_compute_region_disk.go +++ b/google-beta/resource_compute_region_disk.go @@ -20,6 +20,7 @@ import ( "reflect" "regexp" "strconv" + "strings" "time" "github.com/hashicorp/terraform/helper/customdiff" @@ -76,6 +77,11 @@ func resourceComputeRegionDisk() *schema.Resource { MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "kms_key_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + }, "raw_key": { Type: schema.TypeString, Optional: true, @@ -118,6 +124,11 @@ func resourceComputeRegionDisk() *schema.Resource { MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "kms_key_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + }, "raw_key": { Type: schema.TypeString, Optional: true, @@ -648,6 +659,8 @@ func flattenComputeRegionDiskDiskEncryptionKey(v interface{}) interface{} { flattenComputeRegionDiskDiskEncryptionKeyRawKey(original["rawKey"]) transformed["sha256"] = flattenComputeRegionDiskDiskEncryptionKeySha256(original["sha256"]) + transformed["kms_key_name"] = + flattenComputeRegionDiskDiskEncryptionKeyKmsKeyName(original["kmsKeyName"]) return []interface{}{transformed} } func flattenComputeRegionDiskDiskEncryptionKeyRawKey(v interface{}) interface{} { 
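Review bot: The config built by `testAccComputeDisk_encryptionKMS` grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to the Compute Engine service agent twice: project-wide through `google_project_iam_member.kms-project-binding`, and on the key through `google_kms_crypto_key_iam_binding.kms-key-binding`. Test configs tend to be copied as examples, so I would keep only the key-level binding, which should be enough for the disk to use that key. That means dropping the project-level resource and its entry in the disk's `depends_on`. Separately, none of the hunks shown for this file adds a test that calls this helper, so the KMS path appears to have no acceptance coverage in this change.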
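Review bot: `kms_key_name` in the first schema hunk of resource_compute_region_disk.go is `ForceNew` but has no `DiffSuppressFunc`, whereas the matching field in resource_compute_disk.go carries `DiffSuppressFunc: compareSelfLinkRelativePaths`. The decoder added later in this file trims the `/cryptoKeyVersions` suffix from the API value, so a configured value in a different form (for example a full URL) would presumably differ from state on every plan and propose replacing the disk. Adding `DiffSuppressFunc: compareSelfLinkRelativePaths,` here and in the second schema hunk (old line 118) would match the zonal resource. If the differing field name (`kms_key_name` here, `kms_key_self_link` there) for the same API field is intentional, it deserves a comment.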
@@ -658,6 +671,10 @@ func flattenComputeRegionDiskDiskEncryptionKeySha256(v interface{}) interface{} return v } +func flattenComputeRegionDiskDiskEncryptionKeyKmsKeyName(v interface{}) interface{} { + return v +} + func flattenComputeRegionDiskSnapshot(v interface{}) interface{} { if v == nil { return v @@ -673,6 +690,8 @@ func flattenComputeRegionDiskSourceSnapshotEncryptionKey(v interface{}) interfac transformed := make(map[string]interface{}) transformed["raw_key"] = flattenComputeRegionDiskSourceSnapshotEncryptionKeyRawKey(original["rawKey"]) + transformed["kms_key_name"] = + flattenComputeRegionDiskSourceSnapshotEncryptionKeyKmsKeyName(original["kmsKeyName"]) transformed["sha256"] = flattenComputeRegionDiskSourceSnapshotEncryptionKeySha256(original["sha256"]) return []interface{}{transformed} @@ -681,6 +700,10 @@ func flattenComputeRegionDiskSourceSnapshotEncryptionKeyRawKey(v interface{}) in return v } +func flattenComputeRegionDiskSourceSnapshotEncryptionKeyKmsKeyName(v interface{}) interface{} { + return v +} + func flattenComputeRegionDiskSourceSnapshotEncryptionKeySha256(v interface{}) interface{} { return v } @@ -768,6 +791,13 @@ func expandComputeRegionDiskDiskEncryptionKey(v interface{}, d *schema.ResourceD transformed["sha256"] = transformedSha256 } + transformedKmsKeyName, err := expandComputeRegionDiskDiskEncryptionKeyKmsKeyName(original["kms_key_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKmsKeyName); val.IsValid() && !isEmptyValue(val) { + transformed["kmsKeyName"] = transformedKmsKeyName + } + return transformed, nil } 
@@ -779,6 +809,10 @@ func expandComputeRegionDiskDiskEncryptionKeySha256(v interface{}, d *schema.Res return v, nil } +func expandComputeRegionDiskDiskEncryptionKeyKmsKeyName(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandComputeRegionDiskSnapshot(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { f, err := parseGlobalFieldValue("snapshots", v.(string), "project", d, config, true) if err != nil { @@ -803,6 +837,13 @@ func expandComputeRegionDiskSourceSnapshotEncryptionKey(v interface{}, d *schema transformed["rawKey"] = transformedRawKey } + transformedKmsKeyName, err := expandComputeRegionDiskSourceSnapshotEncryptionKeyKmsKeyName(original["kms_key_name"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKmsKeyName); val.IsValid() && !isEmptyValue(val) { + transformed["kmsKeyName"] = transformedKmsKeyName + } + transformedSha256, err := expandComputeRegionDiskSourceSnapshotEncryptionKeySha256(original["sha256"], d, config) if err != nil { return nil, err @@ -817,6 +858,10 @@ func expandComputeRegionDiskSourceSnapshotEncryptionKeyRawKey(v interface{}, d * return v, nil } +func expandComputeRegionDiskSourceSnapshotEncryptionKeyKmsKeyName(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandComputeRegionDiskSourceSnapshotEncryptionKeySha256(v interface{}, d *schema.ResourceData, config *Config) (interface{}, error) { return v, nil } 
@@ -892,6 +937,11 @@ func resourceComputeRegionDiskDecoder(d *schema.ResourceData, meta interface{}, // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("disk_encryption_key.0.raw_key") transformed["sha256"] = original["sha256"] + + // The response for crypto keys often includes the version of the key which needs to be removed + // format: projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/1 + transformed["kmsKeyName"] = strings.Split(original["kmsKeyName"].(string), "/cryptoKeyVersions")[0] + res["diskEncryptionKey"] = transformed } @@ -901,6 +951,11 @@ func resourceComputeRegionDiskDecoder(d *schema.ResourceData, meta interface{}, // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("source_image_encryption_key.0.raw_key") transformed["sha256"] = original["sha256"] + + // The response for crypto keys often includes the version of the key which needs to be removed + // format: projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/1 + transformed["kmsKeyName"] = strings.Split(original["kmsKeyName"].(string), "/cryptoKeyVersions")[0] + res["sourceImageEncryptionKey"] = transformed } @@ -910,6 +965,11 @@ func resourceComputeRegionDiskDecoder(d *schema.ResourceData, meta interface{}, // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("source_snapshot_encryption_key.0.raw_key") transformed["sha256"] = original["sha256"] + + // The response for crypto keys often includes the version of the key which needs to be removed + // format: projects//locations//keyRings//cryptoKeys//cryptoKeyVersions/1 + transformed["kmsKeyName"] = strings.Split(original["kmsKeyName"].(string), "/cryptoKeyVersions")[0] + res["sourceSnapshotEncryptionKey"] = transformed } diff --git a/website/docs/r/compute_disk.html.markdown b/website/docs/r/compute_disk.html.markdown index 67e933e998..6487878fa2 100644 
--- a/website/docs/r/compute_disk.html.markdown +++ b/website/docs/r/compute_disk.html.markdown @@ -175,6 +175,13 @@ The `source_image_encryption_key` block supports: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. +* `kms_key_self_link` - + (Optional) + The self link of the encryption key used to encrypt the disk. Also called KmsKeyName + in the cloud console. In order to use this additional + IAM permissions need to be set on the Compute Engine Service Agent. See + https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys + The `disk_encryption_key` block supports: * `raw_key` - @@ -186,6 +193,13 @@ The `disk_encryption_key` block supports: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. +* `kms_key_self_link` - + (Optional) + The self link of the encryption key used to encrypt the disk. Also called KmsKeyName + in the cloud console. In order to use this additional + IAM permissions need to be set on the Compute Engine Service Agent. See + https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys + The `source_snapshot_encryption_key` block supports: * `raw_key` - 
@@ -193,6 +207,13 @@ The `source_snapshot_encryption_key` block supports: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. +* `kms_key_self_link` - + (Optional) + The self link of the encryption key used to encrypt the disk. Also called KmsKeyName + in the cloud console. In order to use this additional + IAM permissions need to be set on the Compute Engine Service Agent. See + https://cloud.google.com/compute/docs/disks/customer-managed-encryption#encrypt_a_new_persistent_disk_with_your_own_keys + * `sha256` - The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. diff --git a/website/docs/r/compute_region_disk.html.markdown b/website/docs/r/compute_region_disk.html.markdown index 7be51631f5..dbb9c2b182 100644 --- a/website/docs/r/compute_region_disk.html.markdown +++ b/website/docs/r/compute_region_disk.html.markdown @@ -175,6 +175,10 @@ The `disk_encryption_key` block supports: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. +* `kms_key_name` - + (Optional) + The name of the encryption key that is stored in Google Cloud KMS. + The `source_snapshot_encryption_key` block supports: * `raw_key` - @@ -182,6 +186,10 @@ The `source_snapshot_encryption_key` block supports: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. +* `kms_key_name` - + (Optional) + The name of the encryption key that is stored in Google Cloud KMS. + * `sha256` - The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.