Skip to content

Commit

Permalink
aws: kms_key - Add support for is_enabled + enable_key_rotation
Browse files Browse the repository at this point in the history
  • Loading branch information
radeksimko committed Nov 15, 2015
1 parent b9715f0 commit c35afea
Show file tree
Hide file tree
Showing 3 changed files with 230 additions and 5 deletions.
136 changes: 135 additions & 1 deletion builtin/providers/aws/resource_aws_kms_key.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@ package aws
import (
"fmt"
"log"
"time"

"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/helper/schema"

"github.com/aws/aws-sdk-go/aws"
Expand Down Expand Up @@ -51,6 +53,16 @@ func resourceAwsKmsKey() *schema.Resource {
Computed: true,
StateFunc: normalizeJson,
},
"is_enabled": &schema.Schema{
Type: schema.TypeBool,
Optional: true,
Default: true,
},
"enable_key_rotation": &schema.Schema{
Type: schema.TypeBool,
Optional: true,
Default: false,
},
"deletion_window_in_days": &schema.Schema{
Type: schema.TypeInt,
Optional: true,
Expand Down Expand Up @@ -88,8 +100,9 @@ func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
}

d.SetId(*resp.KeyMetadata.KeyId)
d.Set("key_id", resp.KeyMetadata.KeyId)

return resourceAwsKmsKeyRead(d, meta)
return resourceAwsKmsKeyUpdate(d, meta)
}

func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
Expand All @@ -110,6 +123,7 @@ func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
d.Set("key_id", metadata.KeyId)
d.Set("description", metadata.Description)
d.Set("key_usage", metadata.KeyUsage)
d.Set("is_enabled", metadata.Enabled)

p, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{
KeyId: metadata.KeyId,
Expand All @@ -121,12 +135,33 @@ func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {

d.Set("policy", normalizeJson(*p.Policy))

krs, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
KeyId: metadata.KeyId,
})
if err != nil {
return err
}
d.Set("enable_key_rotation", krs.KeyRotationEnabled)

return nil
}

func resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).kmsconn

if d.HasChange("is_enabled") && d.Get("is_enabled").(bool) {
// Enable before any attributes will be modified
if err := updateKmsKeyStatus(conn, d.Id(), d.Get("is_enabled").(bool)); err != nil {
return err
}
}

if d.HasChange("enable_key_rotation") {
if err := updateKmsKeyRotationStatus(conn, d); err != nil {
return err
}
}

if d.HasChange("description") {
if err := resourceAwsKmsKeyDescriptionUpdate(conn, d); err != nil {
return err
Expand All @@ -137,6 +172,15 @@ func resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error {
return err
}
}

if d.HasChange("is_enabled") && !d.Get("is_enabled").(bool) {
// Only disable when all attributes are modified
// because we cannot modify disabled keys
if err := updateKmsKeyStatus(conn, d.Id(), d.Get("is_enabled").(bool)); err != nil {
return err
}
}

return resourceAwsKmsKeyRead(d, meta)
}

Expand Down Expand Up @@ -169,6 +213,96 @@ func resourceAwsKmsKeyPolicyUpdate(conn *kms.KMS, d *schema.ResourceData) error
return err
}

func updateKmsKeyStatus(conn *kms.KMS, id string, shouldBeEnabled bool) error {
var err error

if shouldBeEnabled {
log.Printf("[DEBUG] Enabling KMS key %q", id)
_, err = conn.EnableKey(&kms.EnableKeyInput{
KeyId: aws.String(id),
})
} else {
log.Printf("[DEBUG] Disabling KMS key %q", id)
_, err = conn.DisableKey(&kms.DisableKeyInput{
KeyId: aws.String(id),
})
}

if err != nil {
return fmt.Errorf("Failed to set KMS key %q status to %t: %q",
id, shouldBeEnabled, err.Error())
}

// Wait for propagation since KMS is eventually consistent
wait := resource.StateChangeConf{
Pending: []string{fmt.Sprintf("%t", !shouldBeEnabled)},
Target: fmt.Sprintf("%t", shouldBeEnabled),
Timeout: 5 * time.Minute,
MinTimeout: 60 * time.Second,
Refresh: func() (interface{}, string, error) {
log.Printf("[DEBUG] Checking if KMS key %s enabled status is %t",
id, shouldBeEnabled)
resp, err := conn.DescribeKey(&kms.DescribeKeyInput{
KeyId: aws.String(id),
})
if err != nil {
return resp, "FAILED", err
}
status := fmt.Sprintf("%t", *resp.KeyMetadata.Enabled)

return resp, status, nil
},
}

_, err = wait.WaitForState()
return err
}

func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error {
var err error
shouldEnableRotation := d.Get("enable_key_rotation").(bool)
if shouldEnableRotation {
log.Printf("[DEBUG] Enabling key rotation for KMS key %q", d.Id())
_, err = conn.EnableKeyRotation(&kms.EnableKeyRotationInput{
KeyId: aws.String(d.Id()),
})
} else {
log.Printf("[DEBUG] Disabling key rotation for KMS key %q", d.Id())
_, err = conn.DisableKeyRotation(&kms.DisableKeyRotationInput{
KeyId: aws.String(d.Id()),
})
}

if err != nil {
return fmt.Errorf("Failed to set key rotation for %q to %t: %q",
d.Id(), shouldEnableRotation, err.Error())
}

// Wait for propagation since KMS is eventually consistent
wait := resource.StateChangeConf{
Pending: []string{fmt.Sprintf("%t", !shouldEnableRotation)},
Target: fmt.Sprintf("%t", shouldEnableRotation),
Timeout: 5 * time.Minute,
MinTimeout: 60 * time.Second,
Refresh: func() (interface{}, string, error) {
log.Printf("[DEBUG] Checking if KMS key %s rotation status is %t",
d.Id(), shouldEnableRotation)
resp, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
KeyId: aws.String(d.Id()),
})
if err != nil {
return resp, "FAILED", err
}
status := fmt.Sprintf("%t", *resp.KeyRotationEnabled)

return resp, status, nil
},
}

_, err = wait.WaitForState()
return err
}

func resourceAwsKmsKeyDelete(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).kmsconn
keyId := d.Get("key_id").(string)
Expand Down
96 changes: 92 additions & 4 deletions builtin/providers/aws/resource_aws_kms_key_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ import (
)

func TestAccAWSKmsKey_basic(t *testing.T) {
var keyBefore, keyAfter kms.KeyMetadata

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Expand All @@ -20,13 +22,52 @@ func TestAccAWSKmsKey_basic(t *testing.T) {
resource.TestStep{
Config: testAccAWSKmsKey,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSKmsKeyExists("aws_kms_key.foo"),
testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore),
),
},
resource.TestStep{
Config: testAccAWSKmsKey_removedPolicy,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSKmsKeyExists("aws_kms_key.foo"),
testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyAfter),
),
},
},
})
}

func TestAccAWSKmsKey_isEnabled(t *testing.T) {
var key1, key2, key3 kms.KeyMetadata

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSKmsKeyDestroy,
Steps: []resource.TestStep{
resource.TestStep{
Config: testAccAWSKmsKey_enabledRotation,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key1),
resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
testAccCheckAWSKmsKeyIsEnabled(&key1, true),
resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
),
},
resource.TestStep{
Config: testAccAWSKmsKey_disabled,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key2),
resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "false"),
testAccCheckAWSKmsKeyIsEnabled(&key2, false),
resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "false"),
),
},
resource.TestStep{
Config: testAccAWSKmsKey_enabled,
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key3),
resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
testAccCheckAWSKmsKeyIsEnabled(&key3, true),
resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
),
},
},
Expand Down Expand Up @@ -55,13 +96,39 @@ func testAccCheckAWSKmsKeyDestroy(s *terraform.State) error {
return nil
}

func testAccCheckAWSKmsKeyExists(name string) resource.TestCheckFunc {
func testAccCheckAWSKmsKeyExists(name string, key *kms.KeyMetadata) resource.TestCheckFunc {
return func(s *terraform.State) error {
_, ok := s.RootModule().Resources[name]
rs, ok := s.RootModule().Resources[name]
if !ok {
return fmt.Errorf("Not found: %s", name)
}

if rs.Primary.ID == "" {
return fmt.Errorf("No KMS Key ID is set")
}

conn := testAccProvider.Meta().(*AWSClient).kmsconn

out, err := conn.DescribeKey(&kms.DescribeKeyInput{
KeyId: aws.String(rs.Primary.ID),
})
if err != nil {
return err
}

*key = *out.KeyMetadata

return nil
}
}

func testAccCheckAWSKmsKeyIsEnabled(key *kms.KeyMetadata, isEnabled bool) resource.TestCheckFunc {
return func(s *terraform.State) error {
if *key.Enabled != isEnabled {
return fmt.Errorf("Expected key %q to have is_enabled=%t, given %t",
*key.Arn, isEnabled, *key.Enabled)
}

return nil
}
}
Expand Down Expand Up @@ -95,3 +162,24 @@ resource "aws_kms_key" "foo" {
description = "Terraform acc test %s"
deletion_window_in_days = 7
}`, kmsTimestamp)

var testAccAWSKmsKey_enabledRotation = fmt.Sprintf(`
resource "aws_kms_key" "bar" {
description = "Terraform acc test is_enabled %s"
deletion_window_in_days = 7
enable_key_rotation = true
}`, kmsTimestamp)
var testAccAWSKmsKey_disabled = fmt.Sprintf(`
resource "aws_kms_key" "bar" {
description = "Terraform acc test is_enabled %s"
deletion_window_in_days = 7
enable_key_rotation = false
is_enabled = false
}`, kmsTimestamp)
var testAccAWSKmsKey_enabled = fmt.Sprintf(`
resource "aws_kms_key" "bar" {
description = "Terraform acc test is_enabled %s"
deletion_window_in_days = 7
enable_key_rotation = true
is_enabled = true
}`, kmsTimestamp)
3 changes: 3 additions & 0 deletions website/source/docs/providers/aws/r/kms_key.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ The following arguments are supported:
* `policy` - (Optional) A valid policy JSON document.
* `deletion_window_in_days` - (Optional) Duration in days after which the key is deleted
after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
* `is_enabled` - (Optional) Specifies whether the key is enabled. Defaults to true.
* `enable_key_rotation` - (Optional) Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
is enabled. Defaults to false.

## Attributes Reference

Expand Down

0 comments on commit c35afea

Please sign in to comment.