add user project override support for data.google_kms_secret_ci… (#4985)

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Nov 25, 2019 · 03cf878 · 03cf878
1 parent c2e94bc
commit 03cf878
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/google/data_source_google_kms_secret_ciphertext.go b/google/data_source_google_kms_secret_ciphertext.go
@@ -5,9 +5,10 @@ import (
 
 	"encoding/base64"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"log"
 	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 )
 
 func dataSourceGoogleKmsSecretCiphertext() *schema.Resource {
@@ -46,7 +47,11 @@ func dataSourceGoogleKmsSecretCiphertextRead(d *schema.ResourceData, meta interf
 		Plaintext: plaintext,
 	}
 
-	encryptResponse, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Encrypt(cryptoKeyId.cryptoKeyId(), kmsEncryptRequest).Do()
+	encryptCall := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Encrypt(cryptoKeyId.cryptoKeyId(), kmsEncryptRequest)
+	if config.UserProjectOverride {
+		encryptCall.Header().Set("X-Goog-User-Project", cryptoKeyId.KeyRingId.Project)
+	}
+	encryptResponse, err := encryptCall.Do()
 
 	if err != nil {
 		return fmt.Errorf("Error encrypting plaintext: %s", err)

diff --git a/google/provider_test.go b/google/provider_test.go
@@ -424,6 +424,12 @@ resource "google_project_iam_member" "project-2-kms" {
 	member  = "serviceAccount:${google_service_account.project-1.email}"
 }
 
+resource "google_project_iam_member" "project-2-kms-encrypt" {
+	project = google_project.project-2.project_id
+	role    = "roles/cloudkms.cryptoKeyEncrypter"
+	member  = "serviceAccount:${google_service_account.project-1.email}"
+}
+
 data "google_client_openid_userinfo" "me" {}
 
 // Enable the test runner to get an access token on behalf of
@@ -457,6 +463,12 @@ resource "google_kms_crypto_key" "project-2-key" {
 	name     = "%s"
 	key_ring = google_kms_key_ring.project-2-keyring.self_link
 }
+
+data "google_kms_secret_ciphertext" "project-2-ciphertext" {
+	provider   = google.project-1-token
+	crypto_key = google_kms_crypto_key.project-2-key.self_link
+	plaintext  = "my-secret"
+}
 `, testAccProviderIndirectUserProjectOverride_step3(pid, name, org, billing, sa, override), pid, pid)
 }
 

diff --git a/website/docs/d/google_kms_secret_ciphertext.html.markdown b/website/docs/d/google_kms_secret_ciphertext.html.markdown
@@ -97,3 +97,7 @@ The following arguments are supported:
 The following attribute is exported:
 
 * `ciphertext` - Contains the result of encrypting the provided plaintext, encoded in base64.
+
+## User Project Overrides
+
+This data source supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).