Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add updates for big query kms changes #9500

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .changelog/4934.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
bigquery: add `kms_key_version` as an output on `bigquery_table.encryption_configuration` and the `destination_encryption_configuration` blocks of `bigquery_job.query`, `bigquery_job.load`, and `bigquery_copy`.
```
138 changes: 105 additions & 33 deletions google/resource_bigquery_job.go
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,11 @@ Creation, truncation and append actions occur as one atomic update upon job comp
Description: `Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table.
The BigQuery Service Account associated with your project requires access to this encryption key.`,
},
"kms_key_version": {
Type: schema.TypeString,
Computed: true,
Description: `Describes the Cloud KMS encryption key version used to protect destination BigQuery table.`,
},
},
},
},
Expand Down Expand Up @@ -407,6 +412,11 @@ Creation, truncation and append actions occur as one atomic update upon job comp
Description: `Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table.
The BigQuery Service Account associated with your project requires access to this encryption key.`,
},
"kms_key_version": {
Type: schema.TypeString,
Computed: true,
Description: `Describes the Cloud KMS encryption key version used to protect destination BigQuery table.`,
},
},
},
},
Expand Down Expand Up @@ -645,6 +655,11 @@ or of the form 'projects/{{project}}/datasets/{{dataset_id}}' if not.`,
Description: `Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table.
The BigQuery Service Account associated with your project requires access to this encryption key.`,
},
"kms_key_version": {
Type: schema.TypeString,
Computed: true,
Description: `Describes the Cloud KMS encryption key version used to protect destination BigQuery table.`,
},
},
},
},
Expand Down Expand Up @@ -1344,21 +1359,29 @@ func flattenBigQueryJobConfigurationQuerySchemaUpdateOptions(v interface{}, d *s
return v
}

// KmsKeyName switched from using a key name to a key version, this will separate the key name from the key version and save them
// separately in state. https://github.com/hashicorp/terraform-provider-google/issues/9208
func flattenBigQueryJobConfigurationQueryDestinationEncryptionConfiguration(v interface{}, d *schema.ResourceData, config *Config) interface{} {
if v == nil {
return nil
return []map[string]interface{}{}
}
original := v.(map[string]interface{})
if len(original) == 0 {
return nil

kmsKeyName := v.(map[string]interface{})["kmsKeyName"].(string)
re := regexp.MustCompile(`(projects/.*/locations/.*/keyRings/.*/cryptoKeys/.*)/cryptoKeyVersions/.*`)
paths := re.FindStringSubmatch(kmsKeyName)

if len(paths) > 0 {
return []map[string]interface{}{
{
"kms_key_name": paths[0],
"kms_key_version": kmsKeyName,
},
}
}
transformed := make(map[string]interface{})
transformed["kms_key_name"] =
flattenBigQueryJobConfigurationQueryDestinationEncryptionConfigurationKmsKeyName(original["kmsKeyName"], d, config)
return []interface{}{transformed}
}
func flattenBigQueryJobConfigurationQueryDestinationEncryptionConfigurationKmsKeyName(v interface{}, d *schema.ResourceData, config *Config) interface{} {
return v

// The key name was returned, no need to set the version
return []map[string]interface{}{{"kms_key_name": kmsKeyName, "kms_key_version": ""}}

}

func flattenBigQueryJobConfigurationQueryScriptOptions(v interface{}, d *schema.ResourceData, config *Config) interface{} {
Expand Down Expand Up @@ -1578,21 +1601,29 @@ func flattenBigQueryJobConfigurationLoadTimePartitioningField(v interface{}, d *
return v
}

// KmsKeyName switched from using a key name to a key version, this will separate the key name from the key version and save them
// separately in state. https://github.com/hashicorp/terraform-provider-google/issues/9208
func flattenBigQueryJobConfigurationLoadDestinationEncryptionConfiguration(v interface{}, d *schema.ResourceData, config *Config) interface{} {
if v == nil {
return nil
return []map[string]interface{}{}
}
original := v.(map[string]interface{})
if len(original) == 0 {
return nil

kmsKeyName := v.(map[string]interface{})["kmsKeyName"].(string)
re := regexp.MustCompile(`(projects/.*/locations/.*/keyRings/.*/cryptoKeys/.*)/cryptoKeyVersions/.*`)
paths := re.FindStringSubmatch(kmsKeyName)

if len(paths) > 0 {
return []map[string]interface{}{
{
"kms_key_name": paths[0],
"kms_key_version": kmsKeyName,
},
}
}
transformed := make(map[string]interface{})
transformed["kms_key_name"] =
flattenBigQueryJobConfigurationLoadDestinationEncryptionConfigurationKmsKeyName(original["kmsKeyName"], d, config)
return []interface{}{transformed}
}
func flattenBigQueryJobConfigurationLoadDestinationEncryptionConfigurationKmsKeyName(v interface{}, d *schema.ResourceData, config *Config) interface{} {
return v

// The key name was returned, no need to set the version
return []map[string]interface{}{{"kms_key_name": kmsKeyName, "kms_key_version": ""}}

}

func flattenBigQueryJobConfigurationCopy(v interface{}, d *schema.ResourceData, config *Config) interface{} {
Expand Down Expand Up @@ -1672,21 +1703,29 @@ func flattenBigQueryJobConfigurationCopyWriteDisposition(v interface{}, d *schem
return v
}

// KmsKeyName switched from using a key name to a key version, this will separate the key name from the key version and save them
// separately in state. https://github.com/hashicorp/terraform-provider-google/issues/9208
func flattenBigQueryJobConfigurationCopyDestinationEncryptionConfiguration(v interface{}, d *schema.ResourceData, config *Config) interface{} {
if v == nil {
return nil
return []map[string]interface{}{}
}
original := v.(map[string]interface{})
if len(original) == 0 {
return nil

kmsKeyName := v.(map[string]interface{})["kmsKeyName"].(string)
re := regexp.MustCompile(`(projects/.*/locations/.*/keyRings/.*/cryptoKeys/.*)/cryptoKeyVersions/.*`)
paths := re.FindStringSubmatch(kmsKeyName)

if len(paths) > 0 {
return []map[string]interface{}{
{
"kms_key_name": paths[0],
"kms_key_version": kmsKeyName,
},
}
}
transformed := make(map[string]interface{})
transformed["kms_key_name"] =
flattenBigQueryJobConfigurationCopyDestinationEncryptionConfigurationKmsKeyName(original["kmsKeyName"], d, config)
return []interface{}{transformed}
}
func flattenBigQueryJobConfigurationCopyDestinationEncryptionConfigurationKmsKeyName(v interface{}, d *schema.ResourceData, config *Config) interface{} {
return v

// The key name was returned, no need to set the version
return []map[string]interface{}{{"kms_key_name": kmsKeyName, "kms_key_version": ""}}

}

func flattenBigQueryJobConfigurationExtract(v interface{}, d *schema.ResourceData, config *Config) interface{} {
Expand Down Expand Up @@ -2259,13 +2298,24 @@ func expandBigQueryJobConfigurationQueryDestinationEncryptionConfiguration(v int
transformed["kmsKeyName"] = transformedKmsKeyName
}

transformedKmsKeyVersion, err := expandBigQueryJobConfigurationQueryDestinationEncryptionConfigurationKmsKeyVersion(original["kms_key_version"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedKmsKeyVersion); val.IsValid() && !isEmptyValue(val) {
transformed["kmsKeyVersion"] = transformedKmsKeyVersion
}

return transformed, nil
}

func expandBigQueryJobConfigurationQueryDestinationEncryptionConfigurationKmsKeyName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
return v, nil
}

func expandBigQueryJobConfigurationQueryDestinationEncryptionConfigurationKmsKeyVersion(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
return v, nil
}

func expandBigQueryJobConfigurationQueryScriptOptions(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down Expand Up @@ -2614,13 +2664,24 @@ func expandBigQueryJobConfigurationLoadDestinationEncryptionConfiguration(v inte
transformed["kmsKeyName"] = transformedKmsKeyName
}

transformedKmsKeyVersion, err := expandBigQueryJobConfigurationLoadDestinationEncryptionConfigurationKmsKeyVersion(original["kms_key_version"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedKmsKeyVersion); val.IsValid() && !isEmptyValue(val) {
transformed["kmsKeyVersion"] = transformedKmsKeyVersion
}

return transformed, nil
}

func expandBigQueryJobConfigurationLoadDestinationEncryptionConfigurationKmsKeyName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
return v, nil
}

func expandBigQueryJobConfigurationLoadDestinationEncryptionConfigurationKmsKeyVersion(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
return v, nil
}

func expandBigQueryJobConfigurationCopy(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down Expand Up @@ -2762,13 +2823,24 @@ func expandBigQueryJobConfigurationCopyDestinationEncryptionConfiguration(v inte
transformed["kmsKeyName"] = transformedKmsKeyName
}

transformedKmsKeyVersion, err := expandBigQueryJobConfigurationCopyDestinationEncryptionConfigurationKmsKeyVersion(original["kms_key_version"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedKmsKeyVersion); val.IsValid() && !isEmptyValue(val) {
transformed["kmsKeyVersion"] = transformedKmsKeyVersion
}

return transformed, nil
}

func expandBigQueryJobConfigurationCopyDestinationEncryptionConfigurationKmsKeyName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
return v, nil
}

func expandBigQueryJobConfigurationCopyDestinationEncryptionConfigurationKmsKeyVersion(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
return v, nil
}

func expandBigQueryJobConfigurationExtract(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down
21 changes: 20 additions & 1 deletion google/resource_bigquery_table.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"errors"
"fmt"
"log"
"regexp"
"sort"
"strconv"
"strings"
Expand Down Expand Up @@ -820,6 +821,11 @@ func resourceBigQueryTable() *schema.Resource {
Required: true,
Description: `The self link or full name of a key which should be used to encrypt this table. Note that the default bigquery service account will need to have encrypt/decrypt permissions on this key - you may want to see the google_bigquery_default_service_account datasource and the google_kms_crypto_key_iam_binding resource.`,
},
"kms_key_version": {
Type: schema.TypeString,
Computed: true,
Description: `The self link or full name of the kms key version used to encrypt this table.`,
},
},
},
},
Expand Down Expand Up @@ -1543,7 +1549,20 @@ func expandRangePartitioning(configured interface{}) (*bigquery.RangePartitionin
}

func flattenEncryptionConfiguration(ec *bigquery.EncryptionConfiguration) []map[string]interface{} {
return []map[string]interface{}{{"kms_key_name": ec.KmsKeyName}}
re := regexp.MustCompile(`(projects/.*/locations/.*/keyRings/.*/cryptoKeys/.*)/cryptoKeyVersions/.*`)
paths := re.FindStringSubmatch(ec.KmsKeyName)

if len(paths) > 0 {
return []map[string]interface{}{
{
"kms_key_name": paths[0],
"kms_key_version": ec.KmsKeyName,
},
}
}

// The key name was returned, no need to set the version
return []map[string]interface{}{{"kms_key_name": ec.KmsKeyName, "kms_key_version": ""}}
}

func flattenTimePartitioning(tp *bigquery.TimePartitioning) []map[string]interface{} {
Expand Down
9 changes: 9 additions & 0 deletions website/docs/r/bigquery_job.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -539,6 +539,9 @@ The `destination_encryption_configuration` block supports:
Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table.
The BigQuery Service Account associated with your project requires access to this encryption key.

* `kms_key_version` -
Describes the Cloud KMS encryption key version used to protect destination BigQuery table.

The `script_options` block supports:

* `statement_timeout_ms` -
Expand Down Expand Up @@ -731,6 +734,9 @@ The `destination_encryption_configuration` block supports:
Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table.
The BigQuery Service Account associated with your project requires access to this encryption key.

* `kms_key_version` -
Describes the Cloud KMS encryption key version used to protect destination BigQuery table.

The `copy` block supports:

* `source_tables` -
Expand Down Expand Up @@ -806,6 +812,9 @@ The `destination_encryption_configuration` block supports:
Describes the Cloud KMS encryption key that will be used to protect destination BigQuery table.
The BigQuery Service Account associated with your project requires access to this encryption key.

* `kms_key_version` -
Describes the Cloud KMS encryption key version used to protect destination BigQuery table.

The `extract` block supports:

* `destination_uris` -
Expand Down
2 changes: 2 additions & 0 deletions website/docs/r/bigquery_table.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,8 @@ exported:

* `etag` - A hash of the resource.

* `kms_key_version` - The self link or full name of the kms key version used to encrypt this table.

* `last_modified_time` - The time when this table was last modified, in milliseconds since the epoch.

* `location` - The geographic location where the table resides. This value is inherited from the dataset.
Expand Down