Added data source google kms secret asymmetric (#4664) (#8879)

* Added data source google_kms_secret_asymmetric

* typo in the name

* added missing reference to google_kms_crypto_key_version

* processed lint errors

* remove superfluous brackets

* make it explicit that the crc32 is calculated using castagnoli

* Removed duplicative beta-only imports

* implemented using google.golang.org/api/cloudkms/v1

* Marked kms_secret_asymmetric as beta-only

* added comment on crc32 parameter

Co-authored-by: Mark van Holsteijn <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: Mark van Holsteijn <[email protected]>

.changelog/4664.txt

@@ -0,0 +1,3 @@
+```release-note:new-datasource
+`google_kms_secret_asymmetric`
+```

google/config.go

@@ -404,10 +404,10 @@ func (c *Config) NewDnsClient(userAgent string) *dns.Service {
 	return clientDns
 }
 
-func (c *Config) NewKmsClient(userAgent string) *cloudkms.Service {
+func (c *Config) NewKmsClientWithCtx(ctx context.Context, userAgent string) *cloudkms.Service {
 	kmsClientBasePath := removeBasePathVersion(c.KMSBasePath)
 	log.Printf("[INFO] Instantiating Google Cloud KMS client for path %s", kmsClientBasePath)
-	clientKms, err := cloudkms.NewService(c.context, option.WithHTTPClient(c.client))
+	clientKms, err := cloudkms.NewService(ctx, option.WithHTTPClient(c.client))
 	if err != nil {
 		log.Printf("[WARN] Error creating client kms: %s", err)
 		return nil
@@ -418,6 +418,10 @@ func (c *Config) NewKmsClient(userAgent string) *cloudkms.Service {
 	return clientKms
 }
 
+func (c *Config) NewKmsClient(userAgent string) *cloudkms.Service {
+	return c.NewKmsClientWithCtx(c.context, userAgent)
+}
+
 func (c *Config) NewLoggingClient(userAgent string) *cloudlogging.Service {
 	loggingClientBasePath := removeBasePathVersion(c.LoggingBasePath)
 	log.Printf("[INFO] Instantiating Google Stackdriver Logging client for path %s", loggingClientBasePath)

google/data_source_google_kms_secret_asymmetric.go

@@ -0,0 +1 @@
+package google

google/data_source_google_kms_secret_asymmetric_test.go

@@ -0,0 +1 @@
+package google

website/docs/d/kms_secret_asymmetric.html.markdown

@@ -0,0 +1,152 @@
+---
+subcategory: "Cloud Key Management Service"
+layout: "google"
+page_title: "Google: google_kms_secret_asymmetric"
+sidebar_current: "docs-google-kms-secret-asymmetric"
+description: |-
+  Provides access to secret data encrypted with Google Cloud KMS asymmetric key
+---
+
+# google\_kms\_secret\_asymmetric
+
+This data source allows you to use data encrypted with a Google Cloud KMS asymmetric key
+within your resource definitions.
+
+For more information see
+[the official documentation](https://cloud.google.com/kms/docs/encrypt-decrypt-rsa).
+
+~> **NOTE:** Using this data provider will allow you to conceal secret data within your
+resource definitions, but it does not take care of protecting that data in the
+logging output, plan output, or state output.  Please take care to secure your secret
+data outside of resource definitions.
+
+~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
+See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.
+
+## Example Usage
+
+First, create a KMS KeyRing and CryptoKey using the resource definitions:
+
+```hcl
+resource "google_kms_key_ring" "my_key_ring" {
+  project  = "my-project"
+  name     = "my-key-ring"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key" "my_crypto_key" {
+  name     = "my-crypto-key"
+  key_ring = google_kms_key_ring.my_key_ring.self_link
+  purpose  = "ASYMMETRIC_DECRYPT"
+  version_template {
+    algorithm = "RSA_DECRYPT_OAEP_4096_SHA256"
+  }
+}
+
+data "google_kms_crypto_key_version" "my_crypto_key" {
+  crypto_key = google_kms_crypto_key.my_crypto_key.id
+}
+```
+
+Next, use the [Cloud SDK](https://cloud.google.com/kms/docs/encrypt-decrypt-rsa#kms-encrypt-asymmetric-cli) to encrypt 
+some sensitive information:
+
+```bash
+## get the public key to encrypt the secret with
+$ gcloud kms keys versions get-public-key 1 \
+  --project my-project \
+  --location us-central1 \
+  --keyring my-key-ring \
+  --key my-crypto-key \
+  --output-file public-key.pem
+
+## encrypt secret with the public key
+$ echo -n my-secret-password | \
+  openssl pkeyutl -in - \
+    -encrypt \
+    -pubin \
+    -inkey public-key.pem \
+    -pkeyopt rsa_padding_mode:oaep \
+    -pkeyopt rsa_oaep_md:sha256 \
+    -pkeyopt rsa_mgf1_md:sha256 > \
+  my-secret-password.enc
+
+## base64 encode the ciphertext  
+$ openssl base64 -in my-secret-password.enc
+M7nUoba9EGVTu2LjNjBKGdGVBYjyS/i/AY+4yQMQF0Qf/RfUfX31Jw6+VO9OuThq
+ylu/7ihX9XD4bM7yYdXnMv9p1OHQUlorSBSbb/J6n1W9UJhcp6um8Tw8/Isx4f75
+4PskYS6f8Y2ItliGt1/A9iR5BTgGtJBwOxMlgoX2Ggq+Nh4E5SbdoaE5o6CO1nBx
+eIPsPEebQ6qC4JehQM3IGuV/lrm58+hZhaXAqNzX1cEYyAt5GYqJIVCiI585SUYs
+wRToGyTgaN+zthF0HP9IWlR4Am4LmJ/1OcePTnYw11CkU8wNRbDzVAzogwNH+rXr
+LTmf7hxVjBm6bBSVSNFcBKAXFlllubSfIeZ5hgzGqn54OmSf6odO12L5JxllddHc
+yAd54vWKs2kJtnsKV2V4ZdkI0w6y1TeI67baFZDNGo6qsCpFMPnvv7d46Pg2VOp1
+J6Ivner0NnNHE4MzNmpZRk8WXMwqq4P/gTiT7F/aCX6oFCUQ4AWPQhJYh2dkcOmL
+IP+47Veb10aFn61F1CJwpmOOiGNXKdDT1vK8CMnnwhm825K0q/q9Zqpzc1+1ae1z
+mSqol1zCoa88CuSN6nTLQlVnN/dzfrGbc0boJPaM0iGhHtSzHk4SWg84LhiJB1q9
+A9XFJmOVdkvRY9nnz/iVLAdd0Q3vFtLqCdUYsNN2yh4=
+
+## optionally calculate the CRC32 of the ciphertext
+$ go get github.com/binxio/crc32 
+$ $GOPATH/bin/crc32 -polynomial castagnoli < my-secret-password.enc
+12c59e54
+```
+
+Finally, reference the encrypted ciphertext in your resource definitions:
+
+```hcl
+data "google_kms_secret_asymmetric" "sql_user_password" {
+  crypto_key_version = data.google_kms_crypto_key_version.my_crypto_key.id
+  crc32              = "12c59e54"
+  ciphertext         = <<EOT
+    M7nUoba9EGVTu2LjNjBKGdGVBYjyS/i/AY+4yQMQF0Qf/RfUfX31Jw6+VO9OuThq
+    ylu/7ihX9XD4bM7yYdXnMv9p1OHQUlorSBSbb/J6n1W9UJhcp6um8Tw8/Isx4f75
+    4PskYS6f8Y2ItliGt1/A9iR5BTgGtJBwOxMlgoX2Ggq+Nh4E5SbdoaE5o6CO1nBx
+    eIPsPEebQ6qC4JehQM3IGuV/lrm58+hZhaXAqNzX1cEYyAt5GYqJIVCiI585SUYs
+    wRToGyTgaN+zthF0HP9IWlR4Am4LmJ/1OcePTnYw11CkU8wNRbDzVAzogwNH+rXr
+    LTmf7hxVjBm6bBSVSNFcBKAXFlllubSfIeZ5hgzGqn54OmSf6odO12L5JxllddHc
+    yAd54vWKs2kJtnsKV2V4ZdkI0w6y1TeI67baFZDNGo6qsCpFMPnvv7d46Pg2VOp1
+    J6Ivner0NnNHE4MzNmpZRk8WXMwqq4P/gTiT7F/aCX6oFCUQ4AWPQhJYh2dkcOmL
+    IP+47Veb10aFn61F1CJwpmOOiGNXKdDT1vK8CMnnwhm825K0q/q9Zqpzc1+1ae1z
+    mSqol1zCoa88CuSN6nTLQlVnN/dzfrGbc0boJPaM0iGhHtSzHk4SWg84LhiJB1q9
+    A9XFJmOVdkvRY9nnz/iVLAdd0Q3vFtLqCdUYsNN2yh4=
+  EOT
+}
+
+resource "random_id" "db_name_suffix" {
+  byte_length = 4
+}
+
+resource "google_sql_database_instance" "master" {
+  name = "master-instance-${random_id.db_name_suffix.hex}"
+
+  settings {
+    tier = "db-f1-micro"
+  }
+}
+
+resource "google_sql_user" "users" {
+  name     = "me"
+  instance = google_sql_database_instance.master.name
+  host     = "me.com"
+  password = data.google_kms_secret.sql_user_password.plaintext
+}
+```
+
+This will result in a Cloud SQL user being created with password `my-secret-password`.
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `ciphertext` (Required) - The ciphertext to be decrypted, encoded in base64
+* `crypto_key_version` (Required) - The id of the CryptoKey version that will be used to
+  decrypt the provided ciphertext. This is represented by the format
+  `projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}/cryptoKeyVersions/{version}`.
+* `crc32` (Optional) - The crc32 checksum of the `ciphertext` in hexadecimal notation. If not specified, it will be computed.
+
+## Attributes Reference
+
+The following attribute is exported:
+
+* `plaintext` - Contains the result of decrypting the provided ciphertext.
+* `crc32` - Contains the crc32 checksum of the provided ciphertext.

website/google.erb

@@ -1000,6 +1000,10 @@
           <a href="/docs/providers/google/d/kms_secret.html">google_kms_secret</a>
           </li>
 
+          <li>
+          <a href="/docs/providers/google/d/kms_secret_asymmetric.html">google_kms_secret_asymmetric</a>
+          </li>
+
           <li>
           <a href="/docs/providers/google/d/kms_secret_ciphertext.html">google_kms_secret_ciphertext</a>
           </li>