From d0d29e6afcbed24b3ff04f0b531fbce9af55dcce Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Tue, 27 Aug 2024 20:50:06 +0100 Subject: [PATCH 01/19] add auto-generated documentation --- docs/resources/encryption_at_rest.md | 81 +++++++++----- .../resource_encryption_at_rest.go | 102 +++++++++++++----- .../tfplugingen/generator_config.yml | 11 ++ .../resources/encryption_at_rest.md.tmpl | 37 +++++++ 4 files changed, 178 insertions(+), 53 deletions(-) create mode 100644 internal/service/encryptionatrest/tfplugingen/generator_config.yml create mode 100644 templates/resources/encryption_at_rest.md.tmpl diff --git a/docs/resources/encryption_at_rest.md b/docs/resources/encryption_at_rest.md index ea85a74fa2..10064434e3 100644 --- a/docs/resources/encryption_at_rest.md +++ b/docs/resources/encryption_at_rest.md @@ -21,7 +21,7 @@ See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/ -> **IMPORTANT NOTE** To disable the encryption at rest with customer key management for a project all existing clusters in the project must first either have encryption at rest for the provider set to none, e.g. `encryption_at_rest_provider = "NONE"`, or be deleted. -## Example Usage +## Example Usages ```terraform resource "mongodbatlas_encryption_at_rest" "test" { 
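Review bot: the rename from `## Example Usage` to `## Example Usages` in docs/resources/encryption_at_rest.md is a wording regression; the conventional Terraform Registry heading is the singular `## Example Usage`. Since this file is now generated, the fix belongs in templates/resources/encryption_at_rest.md.tmpl, which introduces the same plural heading, not in the generated output.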
@@ -106,39 +106,70 @@ resource "mongodbatlas_advanced_cluster" "example_cluster" { ``` -## Argument Reference -* `project_id` - (Required) The unique identifier for the project. + +## Schema -### aws_kms_config -Refer to the example in the [official github repository](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples) to implement Encryption at Rest -* `enabled` - Specifies whether Encryption at Rest is enabled for an Atlas project, To disable Encryption at Rest, pass only this parameter with a value of false, When you disable Encryption at Rest, Atlas also removes the configuration details. -* `customer_master_key_id` - The AWS customer master key used to encrypt and decrypt the MongoDB master keys. -* `region` - The AWS region in which the AWS customer master key exists: CA_CENTRAL_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, SA_EAST_1 -* `role_id` - ID of an AWS IAM role authorized to manage an AWS customer master key. To find the ID for an existing IAM role check the `role_id` attribute of the `mongodbatlas_cloud_provider_access` resource. +### Required -### azure_key_vault_config -* `enabled` - Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details. -* `client_id` - The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant. -* `azure_environment` - The Azure environment where the Azure account credentials reside. Valid values are the following: AZURE, AZURE_CHINA, AZURE_GERMANY -* `subscription_id` - The unique identifier associated with an Azure subscription. -* `resource_group_name` - The name of the Azure Resource group that contains an Azure Key Vault. -* `key_vault_name` - The name of an Azure Key Vault containing your key. -* `key_identifier` - The unique identifier of a key in an Azure Key Vault. 
-* `secret` - The secret associated with the Azure Key Vault specified by azureKeyVault.tenantID. -* `tenant_id` - The unique identifier for an Azure AD tenant within an Azure subscription. +- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access. -### google_cloud_kms_config -* `enabled` - Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details. -* `service_account_key` - String-formatted JSON object containing GCP KMS credentials from your GCP account. -* `key_version_resource_id` - The Key Version Resource ID from your GCP account. +**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups. -## Import +### Optional +- `aws_kms_config` (Block List) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedblock--aws_kms_config)) +- `azure_key_vault_config` (Block List) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedblock--azure_key_vault_config)) +- `google_cloud_kms_config` (Block List) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedblock--google_cloud_kms_config)) + +### Read-Only + +- `id` (String) The ID of this resource. 
+ + +### Nested Schema for `aws_kms_config` + +Optional: + +- `access_key_id` (String, Sensitive) Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK). +- `customer_master_key_id` (String, Sensitive) Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys. +- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`. +- `region` (String) Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. +- `role_id` (String) Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key. +- `secret_access_key` (String, Sensitive) Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key. + + + +### Nested Schema for `azure_key_vault_config` + +Optional: + +- `azure_environment` (String) Azure environment in which your account credentials reside. 
+- `client_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant. +- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`. +- `key_identifier` (String, Sensitive) Web address with a unique key that identifies for your Azure Key Vault. +- `key_vault_name` (String) Unique string that identifies the Azure Key Vault that contains your key. +- `require_private_networking` (Boolean) Enable connection to your Azure Key Vault over private networking. +- `resource_group_name` (String) Name of the Azure resource group that contains your Azure Key Vault. +- `secret` (String, Sensitive) Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data. +- `subscription_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies your Azure subscription. +- `tenant_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription. + + + +### Nested Schema for `google_cloud_kms_config` + +Optional: + +- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`. +- `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS. 
+- `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object. + +# Import Encryption at Rest Settings can be imported using project ID, in the format `project_id`, e.g. ``` $ terraform import mongodbatlas_encryption_at_rest.example 1112222b3bf99403840e8934 ``` -For more information see: [MongoDB Atlas API Reference for Encryption at Rest using Customer Key Management.](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management) +For more information see: [MongoDB Atlas API Reference for Encryption at Rest using Customer Key Management.](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management) \ No newline at end of file diff --git a/internal/service/encryptionatrest/resource_encryption_at_rest.go b/internal/service/encryptionatrest/resource_encryption_at_rest.go index 977664f86b..1dc68017e1 100644 --- a/internal/service/encryptionatrest/resource_encryption_at_rest.go +++ b/internal/service/encryptionatrest/resource_encryption_at_rest.go 
@@ -100,11 +100,15 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ PlanModifiers: []planmodifier.String{ stringplanmodifier.RequiresReplace(), }, + Description: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", + MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", }, }, Blocks: map[string]schema.Block{ "aws_kms_config": schema.ListNestedBlock{ - Validators: []validator.List{listvalidator.SizeAtMost(1)}, + Description: "Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.", + MarkdownDescription: "Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.", + Validators: []validator.List{listvalidator.SizeAtMost(1)}, NestedObject: schema.NestedBlockObject{ Attributes: map[string]schema.Attribute{ "enabled": schema.BoolAttribute{ 
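Review bot: every attribute in this and the following hunks sets `Description` and `MarkdownDescription` to the same string verbatim, which doubles the size of the schema and guarantees the two copies drift on the next hand edit. terraform-plugin-framework uses `MarkdownDescription` when it is set and falls back to `Description` otherwise, so the generator should emit only one of them (the Markdown one, given that the `project_id` text here already carries `**NOTE**` and a link). The `project_id` description also links to `#tag/Projects/operation/listProjects`, a same-page fragment from the Atlas OpenAPI page that does not exist on the provider docs page, so it will render as a dead link; either drop the link or point it at the full API reference URL.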
@@ -113,31 +117,45 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ PlanModifiers: []planmodifier.Bool{ boolplanmodifier.UseStateForUnknown(), }, + Description: "Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + MarkdownDescription: "Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", }, "access_key_id": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).", + MarkdownDescription: "Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).", }, "secret_access_key": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.", + MarkdownDescription: "Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.", }, "customer_master_key_id": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, 
+ Description: "Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.", + MarkdownDescription: "Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.", }, "region": schema.StringAttribute{ - Optional: true, + Optional: true, + Description: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", + MarkdownDescription: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", }, "role_id": schema.StringAttribute{ - Optional: true, + Optional: true, + Description: "Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. 
This IAM role has the permissions required to manage your AWS customer master key.", + MarkdownDescription: "Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.", }, }, Validators: []validator.Object{validate.AwsKmsConfig()}, }, }, "azure_key_vault_config": schema.ListNestedBlock{ - Validators: []validator.List{listvalidator.SizeAtMost(1)}, + Description: "Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).", + MarkdownDescription: "Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).", + Validators: []validator.List{listvalidator.SizeAtMost(1)}, NestedObject: schema.NestedBlockObject{ Attributes: map[string]schema.Attribute{ "enabled": schema.BoolAttribute{ 
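Review bot: two of the spec-derived descriptions in this hunk are wrong for the field they document. `secret_access_key` is described as a "Human-readable label of the ... secret access key", but the attribute holds the IAM secret itself (which is why it is `Sensitive: true`), so the text should say it is the secret access key paired with `access_key_id`. `region` gets the cluster-deployment and VPC-peering paragraph, whereas this attribute is the region in which the customer master key exists, which is what the removed hand-written docs said; that paragraph is also what forces the `//nolint:lll` added in the follow-up commit. Override both strings in the generator config instead of carrying the spec text through.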
@@ -146,35 +164,53 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ PlanModifiers: []planmodifier.Bool{ boolplanmodifier.UseStateForUnknown(), }, + Description: "Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + MarkdownDescription: "Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", }, "client_id": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.", + MarkdownDescription: "Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.", }, "azure_environment": schema.StringAttribute{ - Optional: true, + Optional: true, + Description: "Azure environment in which your account credentials reside.", + MarkdownDescription: "Azure environment in which your account credentials reside.", }, "subscription_id": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Unique 36-hexadecimal character string that identifies your Azure subscription.", + MarkdownDescription: "Unique 36-hexadecimal character string that identifies your Azure subscription.", }, "resource_group_name": schema.StringAttribute{ - Optional: true, + Optional: true, + Description: "Name of the Azure resource group that contains your Azure Key Vault.", + MarkdownDescription: "Name of the Azure resource group that contains your Azure Key Vault.", }, "key_vault_name": schema.StringAttribute{ 
- Optional: true, + Optional: true, + Description: "Unique string that identifies the Azure Key Vault that contains your key.", + MarkdownDescription: "Unique string that identifies the Azure Key Vault that contains your key.", }, "key_identifier": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Web address with a unique key that identifies for your Azure Key Vault.", + MarkdownDescription: "Web address with a unique key that identifies for your Azure Key Vault.", }, "secret": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.", + MarkdownDescription: "Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.", }, "tenant_id": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.", + MarkdownDescription: "Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.", }, "require_private_networking": schema.BoolAttribute{ Optional: true, 
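Review bot: `key_identifier`'s new description, "Web address with a unique key that identifies for your Azure Key Vault", is ungrammatical; "URL of the key in your Azure Key Vault" says what it is. `secret`'s description now reads as if the attribute were data stored inside Key Vault ("Private data that you need secured ... AKV stores this information as encrypted binary data"), whereas the removed text called it the secret associated with the tenant (`azureKeyVault.tenantID`), i.e. the credential used to reach the vault, not contents of it. Documenting a credential as vault contents will mislead users about what to put here and where it lives, so this string should be overridden with the previous wording.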
@@ -182,12 +218,16 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ PlanModifiers: []planmodifier.Bool{ boolplanmodifier.UseStateForUnknown(), }, + Description: "Enable connection to your Azure Key Vault over private networking.", + MarkdownDescription: "Enable connection to your Azure Key Vault over private networking.", }, }, }, }, "google_cloud_kms_config": schema.ListNestedBlock{ - Validators: []validator.List{listvalidator.SizeAtMost(1)}, + Description: "Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).", + MarkdownDescription: "Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).", + Validators: []validator.List{listvalidator.SizeAtMost(1)}, NestedObject: schema.NestedBlockObject{ Attributes: map[string]schema.Attribute{ "enabled": schema.BoolAttribute{ 
@@ -196,14 +236,20 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ PlanModifiers: []planmodifier.Bool{ boolplanmodifier.UseStateForUnknown(), }, + Description: "Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + MarkdownDescription: "Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", }, "service_account_key": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.", + MarkdownDescription: "JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.", }, "key_version_resource_id": schema.StringAttribute{ - Optional: true, - Sensitive: true, + Optional: true, + Sensitive: true, + Description: "Resource path that displays the key version resource ID for your Google Cloud KMS.", + MarkdownDescription: "Resource path that displays the key version resource ID for your Google Cloud KMS.", }, }, }, diff --git a/internal/service/encryptionatrest/tfplugingen/generator_config.yml b/internal/service/encryptionatrest/tfplugingen/generator_config.yml new file mode 100644 index 0000000000..08b2657a14 --- /dev/null +++ b/internal/service/encryptionatrest/tfplugingen/generator_config.yml 
@@ -0,0 +1,11 @@ +provider: + name: mongodbatlas + +resources: + encryption_at_rest: + create: + path: /api/atlas/v2/groups/{groupId}/encryptionAtRest + method: PATCH + read: + path: /api/atlas/v2/groups/{groupId}/encryptionAtRest + method: GET \ No newline at end of file diff --git a/templates/resources/encryption_at_rest.md.tmpl b/templates/resources/encryption_at_rest.md.tmpl new file mode 100644 index 0000000000..947e4450c9 --- /dev/null +++ b/templates/resources/encryption_at_rest.md.tmpl 
@@ -0,0 +1,37 @@ +# {{.Type}}: {{.Name}} + +`{{.Name}}` allows management of encryption at rest for an Atlas project with one of the following providers: + +[Amazon Web Services Key Management Service](https://docs.atlas.mongodb.com/security-aws-kms/#security-aws-kms) +[Azure Key Vault](https://docs.atlas.mongodb.com/security-azure-kms/#security-azure-kms) +[Google Cloud KMS](https://docs.atlas.mongodb.com/security-gcp-kms/#security-gcp-kms) + +After configuring at least one Encryption at Rest provider for the Atlas project, Project Owners can enable Encryption at Rest for each Atlas cluster for which they require encryption. The Encryption at Rest provider does not have to match the cluster cloud service provider. + +Atlas does not automatically rotate user-managed encryption keys. Defer to your preferred Encryption at Rest provider’s documentation and guidance for best practices on key rotation. Atlas automatically creates a 90-day key rotation alert when you configure Encryption at Rest using your Key Management in an Atlas project. + +See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/index.html) for more information, including prerequisites and restrictions. + +~> **IMPORTANT** Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest, by default. + +~> **IMPORTANT** Atlas limits this feature to dedicated cluster tiers of M10 and greater. For more information see: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management + +-> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation. + + +-> **IMPORTANT NOTE** To disable the encryption at rest with customer key management for a project all existing clusters in the project must first either have encryption at rest for the provider set to none, e.g. `encryption_at_rest_provider = "NONE"`, or be deleted. 
+ +## Example Usages + + + +{{ .SchemaMarkdown | trimspace }} + +# Import +Encryption at Rest Settings can be imported using project ID, in the format `project_id`, e.g. + +``` +$ terraform import mongodbatlas_encryption_at_rest.example 1112222b3bf99403840e8934 +``` + +For more information see: [MongoDB Atlas API Reference for Encryption at Rest using Customer Key Management.](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management) \ No newline at end of file From 006e81934c12bdad9d029dde9237952cc4428b61 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Tue, 27 Aug 2024 20:56:05 +0100 Subject: [PATCH 02/19] add documentation --- .../service/encryptionatrest/resource_encryption_at_rest.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/encryptionatrest/resource_encryption_at_rest.go b/internal/service/encryptionatrest/resource_encryption_at_rest.go index 1dc68017e1..08ff5582ea 100644 --- a/internal/service/encryptionatrest/resource_encryption_at_rest.go +++ b/internal/service/encryptionatrest/resource_encryption_at_rest.go 
@@ -140,8 +140,8 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ }, "region": schema.StringAttribute{ Optional: true, - Description: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", - MarkdownDescription: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", + Description: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. 
+ MarkdownDescription: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. }, "role_id": schema.StringAttribute{ Optional: true, From 3e3b7744f09371af34fc838dd9c92e00611b54ae Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Wed, 28 Aug 2024 15:18:13 +0100 Subject: [PATCH 03/19] initial data source --- .../service/encryptionatrest/data_source.go | 47 ++++ .../encryptionatrest/data_source_schema.go | 256 ++++++++++++++++++ .../{model_encryption_at_rest.go => model.go} | 53 ++-- ...cryption_at_rest_test.go => model_test.go} | 0 ...urce_encryption_at_rest.go => resource.go} | 18 ++ ...ion_test.go => resource_migration_test.go} | 0 ...ption_at_rest_test.go => resource_test.go} | 0 .../tfplugingen/generator_config.yml | 6 + 8 files changed, 355 insertions(+), 25 deletions(-) create mode 100644 internal/service/encryptionatrest/data_source.go create mode 100644 internal/service/encryptionatrest/data_source_schema.go rename internal/service/encryptionatrest/{model_encryption_at_rest.go => model.go} (67%) rename internal/service/encryptionatrest/{model_encryption_at_rest_test.go => model_test.go} (100%) rename internal/service/encryptionatrest/{resource_encryption_at_rest.go => resource.go} (96%) rename internal/service/encryptionatrest/{resource_encryption_at_rest_migration_test.go => resource_migration_test.go} (100%) rename internal/service/encryptionatrest/{resource_encryption_at_rest_test.go => resource_test.go} (100%) 
diff --git a/internal/service/encryptionatrest/data_source.go b/internal/service/encryptionatrest/data_source.go new file mode 100644 index 0000000000..232c9abbf5 --- /dev/null +++ b/internal/service/encryptionatrest/data_source.go @@ -0,0 +1,47 @@ +package encryptionatrest + +import ( + "context" + + "github.com/hashicorp/terraform-plugin-framework/datasource" + + "github.com/mongodb/terraform-provider-mongodbatlas/internal/config" +) + +var _ datasource.DataSource = &encryptionAtRestDS{} +var _ datasource.DataSourceWithConfigure = &encryptionAtRestDS{} + +func DataSource() datasource.DataSource { + return &encryptionAtRestDS{ + DSCommon: config.DSCommon{ + DataSourceName: encryptionAtRestResourceName, + }, + } +} + +type encryptionAtRestDS struct { + config.DSCommon +} + +func (d *encryptionAtRestDS) Schema(ctx context.Context, req datasource.SchemaRequest, resp *datasource.SchemaResponse) { + resp.Schema = DataSourceSchema(ctx) +} + +func (d *encryptionAtRestDS) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) { + var earConfig TfEncryptionAtRestDSModel + resp.Diagnostics.Append(req.Config.Get(ctx, &earConfig)...) + if resp.Diagnostics.HasError() { + return + } + + connV2 := d.Client.AtlasV2 + projectID := earConfig.ProjectID.ValueString() + + encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), projectID).Execute() + if err != nil { + resp.Diagnostics.AddError("error fetching resource", err.Error()) + return + } + + resp.Diagnostics.Append(resp.State.Set(ctx, NewTfEncryptionAtRestDSModel(projectID, encryptionResp))...) +} diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go new file mode 100644 index 0000000000..abb6c8227f --- /dev/null +++ b/internal/service/encryptionatrest/data_source_schema.go 
@@ -0,0 +1,256 @@ +package encryptionatrest + +import ( + "context" + + "go.mongodb.org/atlas-sdk/v20240805001/admin" + + "github.com/hashicorp/terraform-plugin-framework/datasource/schema" + "github.com/hashicorp/terraform-plugin-framework/types" + + "github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion" +) + +// TODO: check for sensitive attr +// TODO: check about ID attr +// TODO: check if we can add 'valid' to resource & re-use models +func DataSourceSchema(ctx context.Context) schema.Schema { + return schema.Schema{ + Attributes: map[string]schema.Attribute{ + "aws_kms_config": schema.SingleNestedAttribute{ + Attributes: map[string]schema.Attribute{ + "access_key_id": schema.StringAttribute{ + Computed: true, + Description: "Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).", + MarkdownDescription: "Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).", + }, + "customer_master_key_id": schema.StringAttribute{ + Computed: true, + Description: "Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.", + MarkdownDescription: "Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.", + }, + "enabled": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). 
To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + MarkdownDescription: "Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + }, + "region": schema.StringAttribute{ + Computed: true, + Description: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. + MarkdownDescription: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. + }, + "role_id": schema.StringAttribute{ + Computed: true, + Description: "Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. 
This IAM role has the permissions required to manage your AWS customer master key.", + MarkdownDescription: "Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.", + }, + "secret_access_key": schema.StringAttribute{ + Computed: true, + Description: "Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.", + MarkdownDescription: "Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.", + }, + "valid": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.", + MarkdownDescription: "Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.", + }, + }, + Computed: true, + Description: "Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.", + MarkdownDescription: "Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.", + }, + "azure_key_vault_config": schema.SingleNestedAttribute{ + Attributes: map[string]schema.Attribute{ + "azure_environment": schema.StringAttribute{ + Computed: true, + Description: "Azure environment in which your account credentials reside.", + MarkdownDescription: "Azure environment in which your account credentials reside.", + }, + "client_id": schema.StringAttribute{ + Computed: true, + Description: "Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.", + 
MarkdownDescription: "Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.", + }, + "enabled": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + MarkdownDescription: "Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + }, + "key_identifier": schema.StringAttribute{ + Computed: true, + Description: "Web address with a unique key that identifies for your Azure Key Vault.", + MarkdownDescription: "Web address with a unique key that identifies for your Azure Key Vault.", + }, + "key_vault_name": schema.StringAttribute{ + Computed: true, + Description: "Unique string that identifies the Azure Key Vault that contains your key.", + MarkdownDescription: "Unique string that identifies the Azure Key Vault that contains your key.", + }, + "require_private_networking": schema.BoolAttribute{ + Computed: true, + Description: "Enable connection to your Azure Key Vault over private networking.", + MarkdownDescription: "Enable connection to your Azure Key Vault over private networking.", + }, + "resource_group_name": schema.StringAttribute{ + Computed: true, + Description: "Name of the Azure resource group that contains your Azure Key Vault.", + MarkdownDescription: "Name of the Azure resource group that contains your Azure Key Vault.", + }, + "secret": schema.StringAttribute{ + Computed: true, + Description: "Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). 
This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.", + MarkdownDescription: "Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.", + }, + "subscription_id": schema.StringAttribute{ + Computed: true, + Description: "Unique 36-hexadecimal character string that identifies your Azure subscription.", + MarkdownDescription: "Unique 36-hexadecimal character string that identifies your Azure subscription.", + }, + "tenant_id": schema.StringAttribute{ + Computed: true, + Description: "Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.", + MarkdownDescription: "Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.", + }, + "valid": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether the Azure encryption key can encrypt and decrypt data.", + MarkdownDescription: "Flag that indicates whether the Azure encryption key can encrypt and decrypt data.", + }, + }, + Computed: true, + Description: "Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).", + MarkdownDescription: "Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).", + }, + "google_cloud_kms_config": schema.SingleNestedAttribute{ + Attributes: map[string]schema.Attribute{ + "enabled": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether someone enabled encryption at rest for the specified project. 
To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + MarkdownDescription: "Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.", + }, + "key_version_resource_id": schema.StringAttribute{ + Computed: true, + Description: "Resource path that displays the key version resource ID for your Google Cloud KMS.", + MarkdownDescription: "Resource path that displays the key version resource ID for your Google Cloud KMS.", + }, + "service_account_key": schema.StringAttribute{ + Computed: true, + Description: "JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.", + MarkdownDescription: "JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.", + }, + "valid": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.", + MarkdownDescription: "Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.", + }, + }, + Computed: true, + Description: "Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).", + MarkdownDescription: "Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).", + }, + "project_id": schema.StringAttribute{ + Required: true, + Description: "Unique 24-hexadecimal digit string that identifies your project. 
Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", + MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", + }, + }, + } +} + +type TfEncryptionAtRestDSModel struct { + ID types.String `tfsdk:"id"` + ProjectID types.String `tfsdk:"project_id"` + AzureKeyVaultConfig TfAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` + AwsKmsConfig TfAwsKmsConfigModel `tfsdk:"aws_kms_config"` + GoogleCloudKmsConfig TfGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` +} + +func NewTfEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TfEncryptionAtRestDSModel { + return &TfEncryptionAtRestDSModel{ + ID: types.StringValue(projectID), + ProjectID: types.StringValue(projectID), + AwsKmsConfig: *NewTFAwsKmsConfigItem(encryptionResp.AwsKms), + AzureKeyVaultConfig: *NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault), + GoogleCloudKmsConfig: *NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms), + } +} + +func NewTFAwsKmsConfigItem(awsKms *admin.AWSKMSConfiguration) *TfAwsKmsConfigModel { + if awsKms == nil { + return nil + } + + return &TfAwsKmsConfigModel{ + Enabled: types.BoolPointerValue(awsKms.Enabled), + CustomerMasterKeyID: types.StringValue(awsKms.GetCustomerMasterKeyID()), + Region: types.StringValue(awsKms.GetRegion()), + AccessKeyID: 
conversion.StringNullIfEmpty(awsKms.GetAccessKeyID()), + SecretAccessKey: conversion.StringNullIfEmpty(awsKms.GetSecretAccessKey()), + RoleID: conversion.StringNullIfEmpty(awsKms.GetRoleId()), + Valid: types.BoolPointerValue(awsKms.Valid), + } +} + +func NewTFAzureKeyVaultConfigItem(az *admin.AzureKeyVault) *TfAzureKeyVaultConfigModel { + if az == nil { + return nil + } + + return &TfAzureKeyVaultConfigModel{ + Enabled: types.BoolPointerValue(az.Enabled), + ClientID: types.StringValue(az.GetClientID()), + AzureEnvironment: types.StringValue(az.GetAzureEnvironment()), + SubscriptionID: types.StringValue(az.GetSubscriptionID()), + ResourceGroupName: types.StringValue(az.GetResourceGroupName()), + KeyVaultName: types.StringValue(az.GetKeyVaultName()), + KeyIdentifier: types.StringValue(az.GetKeyIdentifier()), + TenantID: types.StringValue(az.GetTenantID()), + Secret: conversion.StringNullIfEmpty(az.GetSecret()), + RequirePrivateNetworking: types.BoolValue(az.GetRequirePrivateNetworking()), + Valid: types.BoolPointerValue(az.Valid), + } +} + +func NewTFGcpKmsConfigItem(gcpKms *admin.GoogleCloudKMS) *TfGcpKmsConfigModel { + if gcpKms == nil { + return nil + } + + return &TfGcpKmsConfigModel{ + Enabled: types.BoolPointerValue(gcpKms.Enabled), + KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()), + ServiceAccountKey: conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()), + Valid: types.BoolPointerValue(gcpKms.Valid), + } +} + +// type TfAwsKmsConfigDSModel struct { +// AccessKeyID types.String `tfsdk:"access_key_id"` +// SecretAccessKey types.String `tfsdk:"secret_access_key"` +// CustomerMasterKeyID types.String `tfsdk:"customer_master_key_id"` +// Region types.String `tfsdk:"region"` +// RoleID types.String `tfsdk:"role_id"` +// Enabled types.Bool `tfsdk:"enabled"` +// Valid types.Bool `tfsdk:"valid"` +// } + +// type TfAzureKeyVaultConfigDSModel struct { +// ClientID types.String `tfsdk:"client_id"` +// AzureEnvironment types.String 
`tfsdk:"azure_environment"` +// SubscriptionID types.String `tfsdk:"subscription_id"` +// ResourceGroupName types.String `tfsdk:"resource_group_name"` +// KeyVaultName types.String `tfsdk:"key_vault_name"` +// KeyIdentifier types.String `tfsdk:"key_identifier"` +// Secret types.String `tfsdk:"secret"` +// TenantID types.String `tfsdk:"tenant_id"` +// Enabled types.Bool `tfsdk:"enabled"` +// RequirePrivateNetworking types.Bool `tfsdk:"require_private_networking"` +// Valid types.Bool `tfsdk:"valid"` +// } + +// type TfGcpKmsConfigDSModel struct { +// ServiceAccountKey types.String `tfsdk:"service_account_key"` +// KeyVersionResourceID types.String `tfsdk:"key_version_resource_id"` +// Enabled types.Bool `tfsdk:"enabled"` +// Valid types.Bool `tfsdk:"valid"` +// } diff --git a/internal/service/encryptionatrest/model_encryption_at_rest.go b/internal/service/encryptionatrest/model.go similarity index 67% rename from internal/service/encryptionatrest/model_encryption_at_rest.go rename to internal/service/encryptionatrest/model.go index b192009824..ae4ed66409 100644 --- a/internal/service/encryptionatrest/model_encryption_at_rest.go +++ b/internal/service/encryptionatrest/model.go 
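Review bot: `NewTfEncryptionAtRestDSModel` dereferences `*NewTFAwsKmsConfigItem(encryptionResp.AwsKms)` (and the Azure and GCP equivalents), but each `...Item` helper returns `nil` when its input is `nil`, so a project that has only one provider configured, or none at all, will panic the provider with a nil pointer dereference; either guard for `nil` and return a zero-valued model, or make the three fields of `TfEncryptionAtRestDSModel` pointers so a `nil` maps to a null object in state. Second, the struct carries `ID types.String \`tfsdk:"id"\`` but `DataSourceSchema` defines no `id` attribute, so `resp.State.Set` will fail with a struct/object field mismatch; add the attribute (Computed) or drop the field, which resolves the `TODO: check about ID attr`. Third, `secret_access_key`, `secret` and `service_account_key` are exposed as plain `Computed` strings; they need `Sensitive: true` so the values are redacted from plan and apply output, which closes the `TODO: check for sensitive attr`. Finally, the commented-out `Tf*DSModel` structs at the end of the file are dead code and should not land.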
@@ -26,14 +26,15 @@ func NewTFAwsKmsConfig(ctx context.Context, awsKms *admin.AWSKMSConfiguration) [ } return []TfAwsKmsConfigModel{ - { - Enabled: types.BoolPointerValue(awsKms.Enabled), - CustomerMasterKeyID: types.StringValue(awsKms.GetCustomerMasterKeyID()), - Region: types.StringValue(awsKms.GetRegion()), - AccessKeyID: conversion.StringNullIfEmpty(awsKms.GetAccessKeyID()), - SecretAccessKey: conversion.StringNullIfEmpty(awsKms.GetSecretAccessKey()), - RoleID: conversion.StringNullIfEmpty(awsKms.GetRoleId()), - }, + *NewTFAwsKmsConfigItem(awsKms), + // { + // Enabled: types.BoolPointerValue(awsKms.Enabled), + // CustomerMasterKeyID: types.StringValue(awsKms.GetCustomerMasterKeyID()), + // Region: types.StringValue(awsKms.GetRegion()), + // AccessKeyID: conversion.StringNullIfEmpty(awsKms.GetAccessKeyID()), + // SecretAccessKey: conversion.StringNullIfEmpty(awsKms.GetSecretAccessKey()), + // RoleID: conversion.StringNullIfEmpty(awsKms.GetRoleId()), + // }, } } 
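Review bot: the replaced struct literal is left behind as a comment block (the same pattern repeats in the Azure and GCP constructors); delete it rather than commenting it out, since `NewTFAwsKmsConfigItem` is now the single place that builds the model and the stale copy will drift (it already lacks the `Valid` field the helper sets). It is also worth a one-line comment that the helper returns `nil` for a `nil` input and that this caller is safe only because of the `if awsKms == nil { return []TfAwsKmsConfigModel{} }` guard above it.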
@@ -43,18 +44,19 @@ func NewTFAzureKeyVaultConfig(ctx context.Context, az *admin.AzureKeyVault) []Tf } return []TfAzureKeyVaultConfigModel{ - { - Enabled: types.BoolPointerValue(az.Enabled), - ClientID: types.StringValue(az.GetClientID()), - AzureEnvironment: types.StringValue(az.GetAzureEnvironment()), - SubscriptionID: types.StringValue(az.GetSubscriptionID()), - ResourceGroupName: types.StringValue(az.GetResourceGroupName()), - KeyVaultName: types.StringValue(az.GetKeyVaultName()), - KeyIdentifier: types.StringValue(az.GetKeyIdentifier()), - TenantID: types.StringValue(az.GetTenantID()), - Secret: conversion.StringNullIfEmpty(az.GetSecret()), - RequirePrivateNetworking: types.BoolValue(az.GetRequirePrivateNetworking()), - }, + *NewTFAzureKeyVaultConfigItem(az), + // { + // Enabled: types.BoolPointerValue(az.Enabled), + // ClientID: types.StringValue(az.GetClientID()), + // AzureEnvironment: types.StringValue(az.GetAzureEnvironment()), + // SubscriptionID: types.StringValue(az.GetSubscriptionID()), + // ResourceGroupName: types.StringValue(az.GetResourceGroupName()), + // KeyVaultName: types.StringValue(az.GetKeyVaultName()), + // KeyIdentifier: types.StringValue(az.GetKeyIdentifier()), + // TenantID: types.StringValue(az.GetTenantID()), + // Secret: conversion.StringNullIfEmpty(az.GetSecret()), + // RequirePrivateNetworking: types.BoolValue(az.GetRequirePrivateNetworking()), + // }, } } 
@@ -64,11 +66,12 @@ func NewTFGcpKmsConfig(ctx context.Context, gcpKms *admin.GoogleCloudKMS) []TfGc } return []TfGcpKmsConfigModel{ - { - Enabled: types.BoolPointerValue(gcpKms.Enabled), - KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()), - ServiceAccountKey: conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()), - }, + *NewTFGcpKmsConfigItem(gcpKms), + // { + // Enabled: types.BoolPointerValue(gcpKms.Enabled), + // KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()), + // ServiceAccountKey: conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()), + // }, } } diff --git a/internal/service/encryptionatrest/model_encryption_at_rest_test.go b/internal/service/encryptionatrest/model_test.go similarity index 100% rename from internal/service/encryptionatrest/model_encryption_at_rest_test.go rename to internal/service/encryptionatrest/model_test.go diff --git a/internal/service/encryptionatrest/resource_encryption_at_rest.go b/internal/service/encryptionatrest/resource.go similarity index 96% rename from internal/service/encryptionatrest/resource_encryption_at_rest.go rename to internal/service/encryptionatrest/resource.go index 08ff5582ea..9fb2b00d49 100644 --- a/internal/service/encryptionatrest/resource_encryption_at_rest.go +++ b/internal/service/encryptionatrest/resource.go @@ -67,6 +67,7 @@ type TfAwsKmsConfigModel struct { Region types.String `tfsdk:"region"` RoleID types.String `tfsdk:"role_id"` Enabled types.Bool `tfsdk:"enabled"` + Valid types.Bool `tfsdk:"valid"` } type TfAzureKeyVaultConfigModel struct { ClientID types.String `tfsdk:"client_id"` 
@@ -79,11 +80,13 @@ type TfAzureKeyVaultConfigModel struct { TenantID types.String `tfsdk:"tenant_id"` Enabled types.Bool `tfsdk:"enabled"` RequirePrivateNetworking types.Bool `tfsdk:"require_private_networking"` + Valid types.Bool `tfsdk:"valid"` } type TfGcpKmsConfigModel struct { ServiceAccountKey types.String `tfsdk:"service_account_key"` KeyVersionResourceID types.String `tfsdk:"key_version_resource_id"` Enabled types.Bool `tfsdk:"enabled"` + Valid types.Bool `tfsdk:"valid"` } func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) { @@ -148,6 +151,11 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ Description: "Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.", MarkdownDescription: "Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.", }, + "valid": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.", + MarkdownDescription: "Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.", + }, }, Validators: []validator.Object{validate.AwsKmsConfig()}, }, 
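Review bot: `valid` is added to the resource schema as a bare `Computed: true` attribute inside a user-configured nested block; without a plan modifier it will show as `(known after apply)` whenever the block changes, so consider `PlanModifiers: []planmodifier.Bool{boolplanmodifier.UseStateForUnknown()}` on each of the three new attributes. Since the field now lives on the shared `Tf*ConfigModel` structs, please also confirm that `NewAtlasAwsKms`, `NewAtlasAzureKeyVault` and `NewAtlasGcpKms` do not copy `Valid` into the `admin` request objects, as it is a read-only flag reported by Atlas.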
@@ -221,6 +229,11 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ Description: "Enable connection to your Azure Key Vault over private networking.", MarkdownDescription: "Enable connection to your Azure Key Vault over private networking.", }, + "valid": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether the Azure encryption key can encrypt and decrypt data.", + MarkdownDescription: "Flag that indicates whether the Azure encryption key can encrypt and decrypt data.", + }, }, }, }, @@ -251,6 +264,11 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ Description: "Resource path that displays the key version resource ID for your Google Cloud KMS.", MarkdownDescription: "Resource path that displays the key version resource ID for your Google Cloud KMS.", }, + "valid": schema.BoolAttribute{ + Computed: true, + Description: "Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.", + MarkdownDescription: "Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.", + }, }, }, }, diff --git a/internal/service/encryptionatrest/resource_encryption_at_rest_migration_test.go b/internal/service/encryptionatrest/resource_migration_test.go similarity index 100% rename from internal/service/encryptionatrest/resource_encryption_at_rest_migration_test.go rename to internal/service/encryptionatrest/resource_migration_test.go diff --git a/internal/service/encryptionatrest/resource_encryption_at_rest_test.go b/internal/service/encryptionatrest/resource_test.go similarity index 100% rename from internal/service/encryptionatrest/resource_encryption_at_rest_test.go rename to internal/service/encryptionatrest/resource_test.go 
diff --git a/internal/service/encryptionatrest/tfplugingen/generator_config.yml b/internal/service/encryptionatrest/tfplugingen/generator_config.yml index 08b2657a14..a06b763f03 100644 --- a/internal/service/encryptionatrest/tfplugingen/generator_config.yml +++ b/internal/service/encryptionatrest/tfplugingen/generator_config.yml @@ -6,6 +6,12 @@ resources: create: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest method: PATCH + read: + path: /api/atlas/v2/groups/{groupId}/encryptionAtRest + method: GET + +data_sources: + encryption_at_rest: read: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest method: GET \ No newline at end of file From 31f540e12c490134e3fbcf06cd18b80cf03f2745 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Wed, 28 Aug 2024 15:22:40 +0100 Subject: [PATCH 04/19] minor renaming --- .../service/encryptionatrest/data_source.go | 4 +- .../encryptionatrest/data_source_schema.go | 57 +++++-------------- internal/service/encryptionatrest/model.go | 26 ++++----- .../service/encryptionatrest/model_test.go | 44 +++++++------- internal/service/encryptionatrest/resource.go | 36 ++++++------ .../service/encryptionatrest/resource_test.go | 38 ++++++------- 6 files changed, 87 insertions(+), 118 deletions(-) diff --git a/internal/service/encryptionatrest/data_source.go b/internal/service/encryptionatrest/data_source.go index 232c9abbf5..f0acd090cf 100644 --- a/internal/service/encryptionatrest/data_source.go +++ b/internal/service/encryptionatrest/data_source.go @@ -28,7 +28,7 @@ func (d *encryptionAtRestDS) Schema(ctx context.Context, req datasource.SchemaRe } func (d *encryptionAtRestDS) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) { - var earConfig TfEncryptionAtRestDSModel + var earConfig TFEncryptionAtRestDSModel resp.Diagnostics.Append(req.Config.Get(ctx, &earConfig)...) if resp.Diagnostics.HasError() { return 
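Review bot: `generator_config.yml` still ends with `\ No newline at end of file`; add the trailing newline so the next edit does not produce a noisy diff on the last line.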
@@ -43,5 +43,5 @@ func (d *encryptionAtRestDS) Read(ctx context.Context, req datasource.ReadReques return } - resp.Diagnostics.Append(resp.State.Set(ctx, NewTfEncryptionAtRestDSModel(projectID, encryptionResp))...) + resp.Diagnostics.Append(resp.State.Set(ctx, NewTFEncryptionAtRestDSModel(projectID, encryptionResp))...) } diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go index abb6c8227f..32a908196e 100644 --- a/internal/service/encryptionatrest/data_source_schema.go +++ b/internal/service/encryptionatrest/data_source_schema.go @@ -13,7 +13,7 @@ import ( // TODO: check for sensitive attr // TODO: check about ID attr -// TODO: check if we can add 'valid' to resource & re-use models +// TODO: check if we can add 'valid' to resource & re-use models---- func DataSourceSchema(ctx context.Context) schema.Schema { return schema.Schema{ Attributes: map[string]schema.Attribute{ 
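Review bot: the only change to this comment is appending `----` to `TODO: check if we can add 'valid' to resource & re-use models`, which looks accidental; revert it, and since `valid` and the shared models are now in place, the TODO itself can probably be removed.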
@@ -157,16 +157,16 @@ func DataSourceSchema(ctx context.Context) schema.Schema { } } -type TfEncryptionAtRestDSModel struct { +type TFEncryptionAtRestDSModel struct { ID types.String `tfsdk:"id"` ProjectID types.String `tfsdk:"project_id"` - AzureKeyVaultConfig TfAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` - AwsKmsConfig TfAwsKmsConfigModel `tfsdk:"aws_kms_config"` - GoogleCloudKmsConfig TfGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` + AzureKeyVaultConfig TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` + AwsKmsConfig TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` + GoogleCloudKmsConfig TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` } -func NewTfEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TfEncryptionAtRestDSModel { - return &TfEncryptionAtRestDSModel{ +func NewTFEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TFEncryptionAtRestDSModel { + return &TFEncryptionAtRestDSModel{ ID: types.StringValue(projectID), ProjectID: types.StringValue(projectID), AwsKmsConfig: *NewTFAwsKmsConfigItem(encryptionResp.AwsKms), @@ -175,12 +175,12 @@ func NewTfEncryptionAtRestDSModel(projectID string, encryptionResp *admin.Encryp } } -func NewTFAwsKmsConfigItem(awsKms *admin.AWSKMSConfiguration) *TfAwsKmsConfigModel { +func NewTFAwsKmsConfigItem(awsKms *admin.AWSKMSConfiguration) *TFAwsKmsConfigModel { if awsKms == nil { return nil } - return &TfAwsKmsConfigModel{ + return &TFAwsKmsConfigModel{ Enabled: types.BoolPointerValue(awsKms.Enabled), CustomerMasterKeyID: types.StringValue(awsKms.GetCustomerMasterKeyID()), Region: types.StringValue(awsKms.GetRegion()), 
@@ -191,12 +191,12 @@ func NewTFAwsKmsConfigItem(awsKms *admin.AWSKMSConfiguration) *TfAwsKmsConfigMod } } -func NewTFAzureKeyVaultConfigItem(az *admin.AzureKeyVault) *TfAzureKeyVaultConfigModel { +func NewTFAzureKeyVaultConfigItem(az *admin.AzureKeyVault) *TFAzureKeyVaultConfigModel { if az == nil { return nil } - return &TfAzureKeyVaultConfigModel{ + return &TFAzureKeyVaultConfigModel{ Enabled: types.BoolPointerValue(az.Enabled), ClientID: types.StringValue(az.GetClientID()), AzureEnvironment: types.StringValue(az.GetAzureEnvironment()), 
@@ -211,46 +211,15 @@ func NewTFAzureKeyVaultConfigItem(az *admin.AzureKeyVault) *TfAzureKeyVaultConfi } } -func NewTFGcpKmsConfigItem(gcpKms *admin.GoogleCloudKMS) *TfGcpKmsConfigModel { +func NewTFGcpKmsConfigItem(gcpKms *admin.GoogleCloudKMS) *TFGcpKmsConfigModel { if gcpKms == nil { return nil } - return &TfGcpKmsConfigModel{ + return &TFGcpKmsConfigModel{ Enabled: types.BoolPointerValue(gcpKms.Enabled), KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()), ServiceAccountKey: conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()), Valid: types.BoolPointerValue(gcpKms.Valid), } } - -// type TfAwsKmsConfigDSModel struct { -// AccessKeyID types.String `tfsdk:"access_key_id"` -// SecretAccessKey types.String `tfsdk:"secret_access_key"` -// CustomerMasterKeyID types.String `tfsdk:"customer_master_key_id"` -// Region types.String `tfsdk:"region"` -// RoleID types.String `tfsdk:"role_id"` -// Enabled types.Bool `tfsdk:"enabled"` -// Valid types.Bool `tfsdk:"valid"` -// } - -// type TfAzureKeyVaultConfigDSModel struct { -// ClientID types.String `tfsdk:"client_id"` -// AzureEnvironment types.String `tfsdk:"azure_environment"` -// SubscriptionID types.String `tfsdk:"subscription_id"` -// ResourceGroupName types.String `tfsdk:"resource_group_name"` -// KeyVaultName types.String `tfsdk:"key_vault_name"` -// KeyIdentifier types.String `tfsdk:"key_identifier"` -// Secret types.String `tfsdk:"secret"` -// TenantID types.String `tfsdk:"tenant_id"` -// Enabled types.Bool `tfsdk:"enabled"` -// RequirePrivateNetworking types.Bool `tfsdk:"require_private_networking"` -// Valid types.Bool `tfsdk:"valid"` -// } - -// type TfGcpKmsConfigDSModel struct { -// ServiceAccountKey types.String `tfsdk:"service_account_key"` -// KeyVersionResourceID types.String `tfsdk:"key_version_resource_id"` -// Enabled types.Bool `tfsdk:"enabled"` -// Valid types.Bool `tfsdk:"valid"` -// } 
diff --git a/internal/service/encryptionatrest/model.go b/internal/service/encryptionatrest/model.go index ae4ed66409..6a9c90eb28 100644 --- a/internal/service/encryptionatrest/model.go +++ b/internal/service/encryptionatrest/model.go @@ -10,7 +10,7 @@ import ( "github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion" ) -func NewTfEncryptionAtRestRSModel(ctx context.Context, projectID string, encryptionResp *admin.EncryptionAtRest) *TfEncryptionAtRestRSModel { +func NewTFEncryptionAtRestRSModel(ctx context.Context, projectID string, encryptionResp *admin.EncryptionAtRest) *TfEncryptionAtRestRSModel { return &TfEncryptionAtRestRSModel{ ID: types.StringValue(projectID), ProjectID: types.StringValue(projectID), @@ -20,12 +20,12 @@ func NewTfEncryptionAtRestRSModel(ctx context.Context, projectID string, encrypt } } -func NewTFAwsKmsConfig(ctx context.Context, awsKms *admin.AWSKMSConfiguration) []TfAwsKmsConfigModel { +func NewTFAwsKmsConfig(ctx context.Context, awsKms *admin.AWSKMSConfiguration) []TFAwsKmsConfigModel { if awsKms == nil { - return []TfAwsKmsConfigModel{} + return []TFAwsKmsConfigModel{} } - return []TfAwsKmsConfigModel{ + return []TFAwsKmsConfigModel{ *NewTFAwsKmsConfigItem(awsKms), // { // Enabled: types.BoolPointerValue(awsKms.Enabled), @@ -38,12 +38,12 @@ func NewTFAwsKmsConfig(ctx context.Context, awsKms *admin.AWSKMSConfiguration) [ } } -func NewTFAzureKeyVaultConfig(ctx context.Context, az *admin.AzureKeyVault) []TfAzureKeyVaultConfigModel { +func NewTFAzureKeyVaultConfig(ctx context.Context, az *admin.AzureKeyVault) []TFAzureKeyVaultConfigModel { if az == nil { - return []TfAzureKeyVaultConfigModel{} + return []TFAzureKeyVaultConfigModel{} } - return []TfAzureKeyVaultConfigModel{ + return []TFAzureKeyVaultConfigModel{ *NewTFAzureKeyVaultConfigItem(az), // { // Enabled: types.BoolPointerValue(az.Enabled), 
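Review bot: `NewTfEncryptionAtRestRSModel` is renamed to `NewTFEncryptionAtRestRSModel` but still returns `*TfEncryptionAtRestRSModel`, leaving the one model type with the old `Tf` prefix while `TFAwsKmsConfigModel`, `TFAzureKeyVaultConfigModel` and `TFGcpKmsConfigModel` are renamed; rename the type as well so the "minor renaming" commit is consistent.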
@@ -60,12 +60,12 @@ func NewTFAzureKeyVaultConfig(ctx context.Context, az *admin.AzureKeyVault) []Tf } } -func NewTFGcpKmsConfig(ctx context.Context, gcpKms *admin.GoogleCloudKMS) []TfGcpKmsConfigModel { +func NewTFGcpKmsConfig(ctx context.Context, gcpKms *admin.GoogleCloudKMS) []TFGcpKmsConfigModel { if gcpKms == nil { - return []TfGcpKmsConfigModel{} + return []TFGcpKmsConfigModel{} } - return []TfGcpKmsConfigModel{ + return []TFGcpKmsConfigModel{ *NewTFGcpKmsConfigItem(gcpKms), // { // Enabled: types.BoolPointerValue(gcpKms.Enabled), @@ -75,7 +75,7 @@ func NewTFGcpKmsConfig(ctx context.Context, gcpKms *admin.GoogleCloudKMS) []TfGc } } -func NewAtlasAwsKms(tfAwsKmsConfigSlice []TfAwsKmsConfigModel) *admin.AWSKMSConfiguration { +func NewAtlasAwsKms(tfAwsKmsConfigSlice []TFAwsKmsConfigModel) *admin.AWSKMSConfiguration { if len(tfAwsKmsConfigSlice) == 0 { return &admin.AWSKMSConfiguration{} } @@ -93,7 +93,7 @@ func NewAtlasAwsKms(tfAwsKmsConfigSlice []TfAwsKmsConfigModel) *admin.AWSKMSConf } } -func NewAtlasGcpKms(tfGcpKmsConfigSlice []TfGcpKmsConfigModel) *admin.GoogleCloudKMS { +func NewAtlasGcpKms(tfGcpKmsConfigSlice []TFGcpKmsConfigModel) *admin.GoogleCloudKMS { if len(tfGcpKmsConfigSlice) == 0 { return &admin.GoogleCloudKMS{} } @@ -106,7 +106,7 @@ func NewAtlasGcpKms(tfGcpKmsConfigSlice []TfGcpKmsConfigModel) *admin.GoogleClou } } -func NewAtlasAzureKeyVault(tfAzKeyVaultConfigSlice []TfAzureKeyVaultConfigModel) *admin.AzureKeyVault { +func NewAtlasAzureKeyVault(tfAzKeyVaultConfigSlice []TFAzureKeyVaultConfigModel) *admin.AzureKeyVault { if len(tfAzKeyVaultConfigSlice) == 0 { return &admin.AzureKeyVault{} } diff --git a/internal/service/encryptionatrest/model_test.go b/internal/service/encryptionatrest/model_test.go index 9569ff635b..eb3fdf6d2e 100644 --- a/internal/service/encryptionatrest/model_test.go +++ b/internal/service/encryptionatrest/model_test.go 
@@ -39,7 +39,7 @@ var ( SecretAccessKey: &secretAccessKey, RoleId: &roleID, } - TfAwsKmsConfigModel = encryptionatrest.TfAwsKmsConfigModel{ + TfAwsKmsConfigModel = encryptionatrest.TFAwsKmsConfigModel{ Enabled: types.BoolValue(enabled), CustomerMasterKeyID: types.StringValue(customerMasterKeyID), Region: types.StringValue(region), @@ -59,7 +59,7 @@ var ( Secret: &secret, RequirePrivateNetworking: &requirePrivateNetworking, } - TfAzureKeyVaultConfigModel = encryptionatrest.TfAzureKeyVaultConfigModel{ + TfAzureKeyVaultConfigModel = encryptionatrest.TFAzureKeyVaultConfigModel{ Enabled: types.BoolValue(enabled), ClientID: types.StringValue(clientID), AzureEnvironment: types.StringValue(azureEnvironment), @@ -76,7 +76,7 @@ var ( KeyVersionResourceID: &keyVersionResourceID, ServiceAccountKey: &serviceAccountKey, } - TfGcpKmsConfigModel = encryptionatrest.TfGcpKmsConfigModel{ + TfGcpKmsConfigModel = encryptionatrest.TFGcpKmsConfigModel{ Enabled: types.BoolValue(enabled), KeyVersionResourceID: types.StringValue(keyVersionResourceID), ServiceAccountKey: types.StringValue(serviceAccountKey), 
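Review bot: the package-level test fixtures keep the old type names as variable names (`TfAwsKmsConfigModel = encryptionatrest.TFAwsKmsConfigModel{`, likewise for Azure and GCP), so later expressions such as `[]encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel}` read as a type nested in a type and differ from the real type only by the case of one letter. Renaming the fixtures (for example `awsKmsConfigFixture`) while the types are being renamed anyway would remove the ambiguity.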
@@ -100,16 +100,16 @@ func TestNewTfEncryptionAtRestRSModel(t *testing.T) { expectedResult: &encryptionatrest.TfEncryptionAtRestRSModel{ ID: types.StringValue(projectID), ProjectID: types.StringValue(projectID), - AwsKmsConfig: []encryptionatrest.TfAwsKmsConfigModel{TfAwsKmsConfigModel}, - AzureKeyVaultConfig: []encryptionatrest.TfAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel}, - GoogleCloudKmsConfig: []encryptionatrest.TfGcpKmsConfigModel{TfGcpKmsConfigModel}, + AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel}, + AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel}, + GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel}, }, }, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - resultModel := encryptionatrest.NewTfEncryptionAtRestRSModel(context.Background(), projectID, tc.sdkModel) + resultModel := encryptionatrest.NewTFEncryptionAtRestRSModel(context.Background(), projectID, tc.sdkModel) assert.Equal(t, tc.expectedResult, resultModel) }) } @@ -119,19 +119,19 @@ func TestNewTFAwsKmsConfig(t *testing.T) { testCases := []struct { name string sdkModel *admin.AWSKMSConfiguration - expectedResult []encryptionatrest.TfAwsKmsConfigModel + expectedResult []encryptionatrest.TFAwsKmsConfigModel }{ { name: "Success NewTFAwsKmsConfig", sdkModel: AWSKMSConfiguration, - expectedResult: []encryptionatrest.TfAwsKmsConfigModel{ + expectedResult: []encryptionatrest.TFAwsKmsConfigModel{ TfAwsKmsConfigModel, }, }, { name: "Empty sdkModel", sdkModel: nil, - expectedResult: []encryptionatrest.TfAwsKmsConfigModel{}, + expectedResult: []encryptionatrest.TFAwsKmsConfigModel{}, }, } 
@@ -147,19 +147,19 @@ func TestNewTFAzureKeyVaultConfig(t *testing.T) { testCases := []struct { name string sdkModel *admin.AzureKeyVault - expectedResult []encryptionatrest.TfAzureKeyVaultConfigModel + expectedResult []encryptionatrest.TFAzureKeyVaultConfigModel }{ { name: "Success NewTFAwsKmsConfig", sdkModel: AzureKeyVault, - expectedResult: []encryptionatrest.TfAzureKeyVaultConfigModel{ + expectedResult: []encryptionatrest.TFAzureKeyVaultConfigModel{ TfAzureKeyVaultConfigModel, }, }, { name: "Empty sdkModel", sdkModel: nil, - expectedResult: []encryptionatrest.TfAzureKeyVaultConfigModel{}, + expectedResult: []encryptionatrest.TFAzureKeyVaultConfigModel{}, }, } @@ -175,19 +175,19 @@ func TestNewTFGcpKmsConfig(t *testing.T) { testCases := []struct { name string sdkModel *admin.GoogleCloudKMS - expectedResult []encryptionatrest.TfGcpKmsConfigModel + expectedResult []encryptionatrest.TFGcpKmsConfigModel }{ { name: "Success NewTFGcpKmsConfig", sdkModel: GoogleCloudKMS, - expectedResult: []encryptionatrest.TfGcpKmsConfigModel{ + expectedResult: []encryptionatrest.TFGcpKmsConfigModel{ TfGcpKmsConfigModel, }, }, { name: "Empty sdkModel", sdkModel: nil, - expectedResult: []encryptionatrest.TfGcpKmsConfigModel{}, + expectedResult: []encryptionatrest.TFGcpKmsConfigModel{}, }, } @@ -203,11 +203,11 @@ func TestNewAtlasAwsKms(t *testing.T) { testCases := []struct { name string expectedResult *admin.AWSKMSConfiguration - tfModel []encryptionatrest.TfAwsKmsConfigModel + tfModel []encryptionatrest.TFAwsKmsConfigModel }{ { name: "Success NewAtlasAwsKms", - tfModel: []encryptionatrest.TfAwsKmsConfigModel{TfAwsKmsConfigModel}, + tfModel: []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel}, expectedResult: AWSKMSConfiguration, }, { 
@@ -229,11 +229,11 @@ func TestNewAtlasGcpKms(t *testing.T) { testCases := []struct { name string expectedResult *admin.GoogleCloudKMS - tfModel []encryptionatrest.TfGcpKmsConfigModel + tfModel []encryptionatrest.TFGcpKmsConfigModel }{ { name: "Success NewAtlasAwsKms", - tfModel: []encryptionatrest.TfGcpKmsConfigModel{TfGcpKmsConfigModel}, + tfModel: []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel}, expectedResult: GoogleCloudKMS, }, { @@ -255,11 +255,11 @@ func TestNewAtlasAzureKeyVault(t *testing.T) { testCases := []struct { name string expectedResult *admin.AzureKeyVault - tfModel []encryptionatrest.TfAzureKeyVaultConfigModel + tfModel []encryptionatrest.TFAzureKeyVaultConfigModel }{ { name: "Success NewAtlasAwsKms", - tfModel: []encryptionatrest.TfAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel}, + tfModel: []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel}, expectedResult: AzureKeyVault, }, { diff --git a/internal/service/encryptionatrest/resource.go b/internal/service/encryptionatrest/resource.go index 9fb2b00d49..89004eea25 100644 --- a/internal/service/encryptionatrest/resource.go +++ b/internal/service/encryptionatrest/resource.go 
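Review bot: three test case names in these hunks are copy-paste leftovers that will mislead whoever reads a failure: `TestNewTFAzureKeyVaultConfig` carries `name: "Success NewTFAwsKmsConfig"`, and both `TestNewAtlasGcpKms` and `TestNewAtlasAzureKeyVault` use `name: "Success NewAtlasAwsKms"`. Since the rename already touches the neighbouring lines, fix the names to match the function under test.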
@@ -55,12 +55,12 @@ type encryptionAtRestRS struct { type TfEncryptionAtRestRSModel struct { ID types.String `tfsdk:"id"` ProjectID types.String `tfsdk:"project_id"` - AwsKmsConfig []TfAwsKmsConfigModel `tfsdk:"aws_kms_config"` - AzureKeyVaultConfig []TfAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` - GoogleCloudKmsConfig []TfGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` + AwsKmsConfig []TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` + AzureKeyVaultConfig []TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` + GoogleCloudKmsConfig []TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` } -type TfAwsKmsConfigModel struct { +type TFAwsKmsConfigModel struct { AccessKeyID types.String `tfsdk:"access_key_id"` SecretAccessKey types.String `tfsdk:"secret_access_key"` CustomerMasterKeyID types.String `tfsdk:"customer_master_key_id"` @@ -69,7 +69,7 @@ type TfAwsKmsConfigModel struct { Enabled types.Bool `tfsdk:"enabled"` Valid types.Bool `tfsdk:"valid"` } -type TfAzureKeyVaultConfigModel struct { +type TFAzureKeyVaultConfigModel struct { ClientID types.String `tfsdk:"client_id"` AzureEnvironment types.String `tfsdk:"azure_environment"` SubscriptionID types.String `tfsdk:"subscription_id"` @@ -82,7 +82,7 @@ type TfAzureKeyVaultConfigModel struct { RequirePrivateNetworking types.Bool `tfsdk:"require_private_networking"` Valid types.Bool `tfsdk:"valid"` } -type TfGcpKmsConfigModel struct { +type TFGcpKmsConfigModel struct { ServiceAccountKey types.String `tfsdk:"service_account_key"` KeyVersionResourceID types.String `tfsdk:"key_version_resource_id"` Enabled types.Bool `tfsdk:"enabled"` 
@@ -315,7 +315,7 @@ func (r *encryptionAtRestRS) Create(ctx context.Context, req resource.CreateRequ return } - encryptionAtRestPlanNew := NewTfEncryptionAtRestRSModel(ctx, projectID, encryptionResp.(*admin.EncryptionAtRest)) + encryptionAtRestPlanNew := NewTFEncryptionAtRestRSModel(ctx, projectID, encryptionResp.(*admin.EncryptionAtRest)) resetDefaultsFromConfigOrState(ctx, encryptionAtRestPlan, encryptionAtRestPlanNew, encryptionAtRestConfig) // set state to fully populated data @@ -373,7 +373,7 @@ func (r *encryptionAtRestRS) Read(ctx context.Context, req resource.ReadRequest, return } - encryptionAtRestStateNew := NewTfEncryptionAtRestRSModel(ctx, projectID, encryptionResp) + encryptionAtRestStateNew := NewTFEncryptionAtRestRSModel(ctx, projectID, encryptionResp) if isImport { setEmptyArrayForEmptyBlocksReturnedFromImport(encryptionAtRestStateNew) } else { @@ -435,7 +435,7 @@ func (r *encryptionAtRestRS) Update(ctx context.Context, req resource.UpdateRequ return } - encryptionAtRestStateNew := NewTfEncryptionAtRestRSModel(ctx, projectID, encryptionResp) + encryptionAtRestStateNew := NewTFEncryptionAtRestRSModel(ctx, projectID, encryptionResp) resetDefaultsFromConfigOrState(ctx, encryptionAtRestState, encryptionAtRestStateNew, encryptionAtRestConfig) // save updated data into Terraform state 
@@ -478,15 +478,15 @@ func (r *encryptionAtRestRS) ImportState(ctx context.Context, req resource.Impor resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp) } -func hasGcpKmsConfigChanged(gcpKmsConfigsPlan, gcpKmsConfigsState []TfGcpKmsConfigModel) bool { +func hasGcpKmsConfigChanged(gcpKmsConfigsPlan, gcpKmsConfigsState []TFGcpKmsConfigModel) bool { return !reflect.DeepEqual(gcpKmsConfigsPlan, gcpKmsConfigsState) } -func hasAzureKeyVaultConfigChanged(azureKeyVaultConfigPlan, azureKeyVaultConfigState []TfAzureKeyVaultConfigModel) bool { +func hasAzureKeyVaultConfigChanged(azureKeyVaultConfigPlan, azureKeyVaultConfigState []TFAzureKeyVaultConfigModel) bool { return !reflect.DeepEqual(azureKeyVaultConfigPlan, azureKeyVaultConfigState) } -func hasAwsKmsConfigChanged(awsKmsConfigPlan, awsKmsConfigState []TfAwsKmsConfigModel) bool { +func hasAwsKmsConfigChanged(awsKmsConfigPlan, awsKmsConfigState []TFAwsKmsConfigModel) bool { return !reflect.DeepEqual(awsKmsConfigPlan, awsKmsConfigState) } @@ -506,7 +506,7 @@ func resetDefaultsFromConfigOrState(ctx context.Context, encryptionAtRestRSCurre func HandleGcpKmsConfig(ctx context.Context, earRSCurrent, earRSNew, earRSConfig *TfEncryptionAtRestRSModel) { // this is required to avoid unnecessary change detection during plan after migration to Plugin Framework if user didn't set this block if earRSCurrent.GoogleCloudKmsConfig == nil { - earRSNew.GoogleCloudKmsConfig = []TfGcpKmsConfigModel{} + earRSNew.GoogleCloudKmsConfig = []TFGcpKmsConfigModel{} return } 
@@ -522,7 +522,7 @@ func HandleGcpKmsConfig(ctx context.Context, earRSCurrent, earRSNew, earRSConfig func HandleAwsKmsConfigDefaults(ctx context.Context, currentStateFile, newStateFile, earRSConfig *TfEncryptionAtRestRSModel) { // this is required to avoid unnecessary change detection during plan after migration to Plugin Framework if user didn't set this block if currentStateFile.AwsKmsConfig == nil { - newStateFile.AwsKmsConfig = []TfAwsKmsConfigModel{} + newStateFile.AwsKmsConfig = []TFAwsKmsConfigModel{} return } @@ -543,7 +543,7 @@ func HandleAwsKmsConfigDefaults(ctx context.Context, currentStateFile, newStateF func HandleAzureKeyVaultConfigDefaults(ctx context.Context, earRSCurrent, earRSNew, earRSConfig *TfEncryptionAtRestRSModel) { // this is required to avoid unnecessary change detection during plan after migration to Plugin Framework if user didn't set this block if earRSCurrent.AzureKeyVaultConfig == nil { - earRSNew.AzureKeyVaultConfig = []TfAzureKeyVaultConfigModel{} + earRSNew.AzureKeyVaultConfig = []TFAzureKeyVaultConfigModel{} return } 
@@ -564,14 +564,14 @@ func HandleAzureKeyVaultConfigDefaults(ctx context.Context, earRSCurrent, earRSN // - the API returns the block TfAzureKeyVaultConfigModel{enable=false} if the user does not provider AZURE KMS func setEmptyArrayForEmptyBlocksReturnedFromImport(newStateFromImport *TfEncryptionAtRestRSModel) { if len(newStateFromImport.AwsKmsConfig) == 1 && !newStateFromImport.AwsKmsConfig[0].Enabled.ValueBool() { - newStateFromImport.AwsKmsConfig = []TfAwsKmsConfigModel{} + newStateFromImport.AwsKmsConfig = []TFAwsKmsConfigModel{} } if len(newStateFromImport.GoogleCloudKmsConfig) == 1 && !newStateFromImport.GoogleCloudKmsConfig[0].Enabled.ValueBool() { - newStateFromImport.GoogleCloudKmsConfig = []TfGcpKmsConfigModel{} + newStateFromImport.GoogleCloudKmsConfig = []TFGcpKmsConfigModel{} } if len(newStateFromImport.AzureKeyVaultConfig) == 1 && !newStateFromImport.AzureKeyVaultConfig[0].Enabled.ValueBool() { - newStateFromImport.AzureKeyVaultConfig = []TfAzureKeyVaultConfigModel{} + newStateFromImport.AzureKeyVaultConfig = []TFAzureKeyVaultConfigModel{} } } diff --git a/internal/service/encryptionatrest/resource_test.go b/internal/service/encryptionatrest/resource_test.go index 65ba3844e4..a79e0c6d55 100644 --- a/internal/service/encryptionatrest/resource_test.go +++ b/internal/service/encryptionatrest/resource_test.go 
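Review bot: the comment above `setEmptyArrayForEmptyBlocksReturnedFromImport` reads "if the user does not provider AZURE KMS"; it should say "provide". The function also collapses an imported block to an empty slice purely on `!newStateFromImport.AwsKmsConfig[0].Enabled.ValueBool()`, discarding any other fields the API returned for a disabled provider; the comment explains why the API returns such a block, so extend it to state that dropping the remaining fields is intentional.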
@@ -322,23 +322,23 @@ func TestAccEncryptionAtRestWithRole_basicAWS(t *testing.T) { var ( ServiceAccountKey = types.StringValue("service") - googleCloudConfigWithServiceAccountKey = []encryptionatrest.TfGcpKmsConfigModel{ + googleCloudConfigWithServiceAccountKey = []encryptionatrest.TFGcpKmsConfigModel{ { ServiceAccountKey: ServiceAccountKey, }, } - awsConfigWithRegion = []encryptionatrest.TfAwsKmsConfigModel{ + awsConfigWithRegion = []encryptionatrest.TFAwsKmsConfigModel{ { Region: types.StringValue(region), }, } - awsConfigWithRegionAndSecretAccessKey = []encryptionatrest.TfAwsKmsConfigModel{ + awsConfigWithRegionAndSecretAccessKey = []encryptionatrest.TFAwsKmsConfigModel{ { Region: types.StringValue(region), SecretAccessKey: ServiceAccountKey, }, } - azureConfigWithSecret = []encryptionatrest.TfAzureKeyVaultConfigModel{ + azureConfigWithSecret = []encryptionatrest.TFAzureKeyVaultConfigModel{ { Secret: types.StringValue(secret), }, 
@@ -361,22 +361,22 @@ func TestHandleGcpKmsConfig(t *testing.T) { GoogleCloudKmsConfig: nil, }, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - GoogleCloudKmsConfig: []encryptionatrest.TfGcpKmsConfigModel{}, + GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ - GoogleCloudKmsConfig: []encryptionatrest.TfGcpKmsConfigModel{}, + GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{}, }, }, { name: "Current GoogleCloudKmsConfig not nil, GoogleCloudKmsConfig config is available", earRSCurrent: &encryptionatrest.TfEncryptionAtRestRSModel{ - GoogleCloudKmsConfig: []encryptionatrest.TfGcpKmsConfigModel{}, + GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{}, }, earRSConfig: &encryptionatrest.TfEncryptionAtRestRSModel{ GoogleCloudKmsConfig: googleCloudConfigWithServiceAccountKey, }, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - GoogleCloudKmsConfig: []encryptionatrest.TfGcpKmsConfigModel{{}}, + GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{{}}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ GoogleCloudKmsConfig: googleCloudConfigWithServiceAccountKey, @@ -389,7 +389,7 @@ func TestHandleGcpKmsConfig(t *testing.T) { }, earRSConfig: &encryptionatrest.TfEncryptionAtRestRSModel{}, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - GoogleCloudKmsConfig: []encryptionatrest.TfGcpKmsConfigModel{{}}, + GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{{}}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ GoogleCloudKmsConfig: googleCloudConfigWithServiceAccountKey, 
@@ -413,22 +413,22 @@ func TestHandleAwsKmsConfigDefaults(t *testing.T) { AwsKmsConfig: nil, }, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - AwsKmsConfig: []encryptionatrest.TfAwsKmsConfigModel{}, + AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ - AwsKmsConfig: []encryptionatrest.TfAwsKmsConfigModel{}, + AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{}, }, }, { name: "Current AwsKmsConfig not nil, AwsKmsConfig config is available", earRSCurrent: &encryptionatrest.TfEncryptionAtRestRSModel{ - AwsKmsConfig: []encryptionatrest.TfAwsKmsConfigModel{}, + AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{}, }, earRSConfig: &encryptionatrest.TfEncryptionAtRestRSModel{ AwsKmsConfig: awsConfigWithRegion, }, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - AwsKmsConfig: []encryptionatrest.TfAwsKmsConfigModel{{}}, + AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{{}}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ AwsKmsConfig: awsConfigWithRegion, @@ -441,7 +441,7 @@ func TestHandleAwsKmsConfigDefaults(t *testing.T) { }, earRSConfig: &encryptionatrest.TfEncryptionAtRestRSModel{}, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - AwsKmsConfig: []encryptionatrest.TfAwsKmsConfigModel{{}}, + AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{{}}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ AwsKmsConfig: awsConfigWithRegionAndSecretAccessKey, 
@@ -465,22 +465,22 @@ func TestHandleAzureKeyVaultConfigDefaults(t *testing.T) { AzureKeyVaultConfig: nil, }, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - AzureKeyVaultConfig: []encryptionatrest.TfAzureKeyVaultConfigModel{}, + AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ - AzureKeyVaultConfig: []encryptionatrest.TfAzureKeyVaultConfigModel{}, + AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{}, }, }, { name: "Current AzureKeyVaultConfig not nil, AzureKeyVaultConfig config is available", earRSCurrent: &encryptionatrest.TfEncryptionAtRestRSModel{ - AzureKeyVaultConfig: []encryptionatrest.TfAzureKeyVaultConfigModel{}, + AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{}, }, earRSConfig: &encryptionatrest.TfEncryptionAtRestRSModel{ AzureKeyVaultConfig: azureConfigWithSecret, }, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - AzureKeyVaultConfig: []encryptionatrest.TfAzureKeyVaultConfigModel{{}}, + AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{{}}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ AzureKeyVaultConfig: azureConfigWithSecret, @@ -493,7 +493,7 @@ func TestHandleAzureKeyVaultConfigDefaults(t *testing.T) { }, earRSConfig: &encryptionatrest.TfEncryptionAtRestRSModel{}, earRSNew: &encryptionatrest.TfEncryptionAtRestRSModel{ - AzureKeyVaultConfig: []encryptionatrest.TfAzureKeyVaultConfigModel{{}}, + AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{{}}, }, expectedEarResult: &encryptionatrest.TfEncryptionAtRestRSModel{ AzureKeyVaultConfig: azureConfigWithSecret, From a5fce03fae96ba85e91ea889e130656894aed459 Mon Sep 17 00:00:00 2001 
From: Aastha Mahendru Date: Wed, 28 Aug 2024 23:04:17 +0100 Subject: [PATCH 05/19] update tests --- internal/provider/provider.go | 1 + .../encryptionatrest/data_source_schema.go | 32 +++-- internal/service/encryptionatrest/model.go | 25 ---- .../service/encryptionatrest/resource_test.go | 125 ++++++++++++++---- internal/testutil/acc/encryption_at_rest.go | 10 +- 5 files changed, 127 insertions(+), 66 deletions(-) diff --git a/internal/provider/provider.go b/internal/provider/provider.go index 73ed20a0c1..92cf26cfd2 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -434,6 +434,7 @@ func (p *MongodbtlasProvider) DataSources(context.Context) []func() datasource.D streamconnection.DataSource, streamconnection.PluralDataSource, controlplaneipaddresses.DataSource, + encryptionatrest.DataSource, } previewDataSources := []func() datasource.DataSource{ // Data sources not yet in GA encryptionatrestprivateendpoint.DataSource, diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go index 32a908196e..589607a53f 100644 --- a/internal/service/encryptionatrest/data_source_schema.go +++ b/internal/service/encryptionatrest/data_source_schema.go @@ -11,9 +11,6 @@ import ( "github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion" ) -// TODO: check for sensitive attr -// TODO: check about ID attr -// TODO: check if we can add 'valid' to resource & re-use models---- func DataSourceSchema(ctx context.Context) schema.Schema { return schema.Schema{ Attributes: map[string]schema.Attribute{ 
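Review bot: `encryptionatrest.DataSource` is added directly to the GA `DataSources` list while the neighbouring `encryptionatrestprivateendpoint.DataSource` sits in `previewDataSources`; confirm the new data source is meant to ship GA in this change. The patch's file list also contains no `docs/data-sources/` page or changelog entry for it, so the generated documentation work started in 01/19 should cover the data source before merge.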
@@ -21,11 +18,13 @@ func DataSourceSchema(ctx context.Context) schema.Schema { Attributes: map[string]schema.Attribute{ "access_key_id": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).", MarkdownDescription: "Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).", }, "customer_master_key_id": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.", MarkdownDescription: "Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.", }, @@ -46,6 +45,7 @@ func DataSourceSchema(ctx context.Context) schema.Schema { }, "secret_access_key": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.", MarkdownDescription: "Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.", }, 
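Review bot: `customer_master_key_id` is marked `Sensitive: true` alongside `access_key_id` and `secret_access_key`, but by its own description it is the identifier of the CMK rather than a credential; redacting it from plan output makes a key rotation diff unreviewable without protecting anything. Keep `Sensitive` on the two IAM credentials and make the flag match whatever the resource schema does for the same attribute. Note that `Sensitive` only redacts CLI output, so whatever the API returns for `secret_access_key` still lands in plaintext in state, and that attribute's description ("Human-readable label of the Identity and Access Management (IAM) secret access key") is wrong: it is the secret itself, not a label.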
@@ -68,6 +68,7 @@ func DataSourceSchema(ctx context.Context) schema.Schema { }, "client_id": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.", MarkdownDescription: "Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.", }, @@ -78,6 +79,7 @@ func DataSourceSchema(ctx context.Context) schema.Schema { }, "key_identifier": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Web address with a unique key that identifies for your Azure Key Vault.", MarkdownDescription: "Web address with a unique key that identifies for your Azure Key Vault.", }, 
@@ -98,16 +100,19 @@ func DataSourceSchema(ctx context.Context) schema.Schema { }, "secret": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.", MarkdownDescription: "Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.", }, "subscription_id": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Unique 36-hexadecimal character string that identifies your Azure subscription.", MarkdownDescription: "Unique 36-hexadecimal character string that identifies your Azure subscription.", }, "tenant_id": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.", MarkdownDescription: "Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.", }, 
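Review bot: in the Azure block, `client_id`, `key_identifier`, `subscription_id` and `tenant_id` are all flagged `Sensitive: true` although each description calls them identifiers ("Unique 36-hexadecimal character string that identifies your Azure subscription"); only `secret` is a credential. With every attribute redacted, a change of key vault or key identifier cannot be reviewed from `terraform plan`. Suggest limiting `Sensitive` to `secret` and, as with AWS, keeping the flags consistent with the resource schema.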
@@ -130,11 +135,13 @@ func DataSourceSchema(ctx context.Context) schema.Schema { }, "key_version_resource_id": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "Resource path that displays the key version resource ID for your Google Cloud KMS.", MarkdownDescription: "Resource path that displays the key version resource ID for your Google Cloud KMS.", }, "service_account_key": schema.StringAttribute{ Computed: true, + Sensitive: true, Description: "JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.", MarkdownDescription: "JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.", }, 
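Review bot: same pattern for GCP: `key_version_resource_id` is a resource path yet gets `Sensitive: true`, while `service_account_key` is the actual credential. The `service_account_key` description ("JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS)") never says what the JSON is; describe it as the service account key JSON, and since `NewTFGcpKmsConfigItem` maps it through `conversion.StringNullIfEmpty`, document that the data source returns null when the API does not echo the key back.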
@@ -153,25 +160,28 @@ func DataSourceSchema(ctx context.Context) schema.Schema { Description: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", }, + "id": schema.StringAttribute{ + Computed: true, + }, }, } } type TFEncryptionAtRestDSModel struct { - ID types.String `tfsdk:"id"` - ProjectID types.String `tfsdk:"project_id"` - AzureKeyVaultConfig TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` - AwsKmsConfig TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` - GoogleCloudKmsConfig TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` + ID types.String `tfsdk:"id"` + ProjectID types.String `tfsdk:"project_id"` + AzureKeyVaultConfig *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` + AwsKmsConfig *TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` + GoogleCloudKmsConfig *TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` } func NewTFEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TFEncryptionAtRestDSModel { return &TFEncryptionAtRestDSModel{ ID: types.StringValue(projectID), ProjectID: types.StringValue(projectID), - AwsKmsConfig: *NewTFAwsKmsConfigItem(encryptionResp.AwsKms), - AzureKeyVaultConfig: 
*NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault), - GoogleCloudKmsConfig: *NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms), + AwsKmsConfig: NewTFAwsKmsConfigItem(encryptionResp.AwsKms), + AzureKeyVaultConfig: NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault), + GoogleCloudKmsConfig: NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms), } } diff --git a/internal/service/encryptionatrest/model.go b/internal/service/encryptionatrest/model.go index 6a9c90eb28..e3bf9da368 100644 --- a/internal/service/encryptionatrest/model.go +++ b/internal/service/encryptionatrest/model.go @@ -27,14 +27,6 @@ func NewTFAwsKmsConfig(ctx context.Context, awsKms *admin.AWSKMSConfiguration) [ return []TFAwsKmsConfigModel{ *NewTFAwsKmsConfigItem(awsKms), - // { - // Enabled: types.BoolPointerValue(awsKms.Enabled), - // CustomerMasterKeyID: types.StringValue(awsKms.GetCustomerMasterKeyID()), - // Region: types.StringValue(awsKms.GetRegion()), - // AccessKeyID: conversion.StringNullIfEmpty(awsKms.GetAccessKeyID()), - // SecretAccessKey: conversion.StringNullIfEmpty(awsKms.GetSecretAccessKey()), - // RoleID: conversion.StringNullIfEmpty(awsKms.GetRoleId()), - // }, } } @@ -45,18 +37,6 @@ func NewTFAzureKeyVaultConfig(ctx context.Context, az *admin.AzureKeyVault) []TF return []TFAzureKeyVaultConfigModel{ *NewTFAzureKeyVaultConfigItem(az), - // { - // Enabled: types.BoolPointerValue(az.Enabled), - // ClientID: types.StringValue(az.GetClientID()), - // AzureEnvironment: types.StringValue(az.GetAzureEnvironment()), - // SubscriptionID: types.StringValue(az.GetSubscriptionID()), - // ResourceGroupName: types.StringValue(az.GetResourceGroupName()), - // KeyVaultName: types.StringValue(az.GetKeyVaultName()), - // KeyIdentifier: types.StringValue(az.GetKeyIdentifier()), - // TenantID: types.StringValue(az.GetTenantID()), - // Secret: conversion.StringNullIfEmpty(az.GetSecret()), - // RequirePrivateNetworking: types.BoolValue(az.GetRequirePrivateNetworking()), - // }, } } 
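Review bot: the new `"id"` attribute is `Computed: true` with no `Description` or `MarkdownDescription`, so the generated docs will show an empty entry; since `NewTFEncryptionAtRestDSModel` sets `ID: types.StringValue(projectID)`, say that it mirrors `project_id`. Switching `TFEncryptionAtRestDSModel` to pointer fields is the right fix because the `NewTF*ConfigItem` constructors return nil for nil input, but `NewTFEncryptionAtRestDSModel` still dereferences `encryptionResp.AwsKms`, `encryptionResp.AzureKeyVault` and `encryptionResp.GoogleCloudKms` without checking `encryptionResp` itself; either guard it or document that callers must pass a non-nil response.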
@@ -67,11 +47,6 @@ func NewTFGcpKmsConfig(ctx context.Context, gcpKms *admin.GoogleCloudKMS) []TFGc return []TFGcpKmsConfigModel{ *NewTFGcpKmsConfigItem(gcpKms), - // { - // Enabled: types.BoolPointerValue(gcpKms.Enabled), - // KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()), - // ServiceAccountKey: conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()), - // }, } } diff --git a/internal/service/encryptionatrest/resource_test.go b/internal/service/encryptionatrest/resource_test.go index a79e0c6d55..3453b80823 100644 --- a/internal/service/encryptionatrest/resource_test.go +++ b/internal/service/encryptionatrest/resource_test.go @@ -24,7 +24,8 @@ import ( ) const ( - resourceName = "mongodbatlas_encryption_at_rest.test" + resourceName = "mongodbatlas_encryption_at_rest.test" + datasourceName = "data.mongodbatlas_encryption_at_rest.test" ) func TestAccEncryptionAtRest_basicAWS(t *testing.T) { @@ -39,6 +40,13 @@ func TestAccEncryptionAtRest_basicAWS(t *testing.T) { Region: conversion.StringPtr(conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))), RoleId: conversion.StringPtr(os.Getenv("AWS_ROLE_ID")), } + awsKmsAttrMap = map[string]string{ + "enabled": "true", + "region": awsKms.GetRegion(), + "role_id": awsKms.GetRoleId(), + "customer_master_key_id": awsKms.GetCustomerMasterKeyID(), + "valid": "true", + } awsKmsUpdated = admin.AWSKMSConfiguration{ Enabled: conversion.Pointer(true), @@ -46,6 +54,13 @@ func TestAccEncryptionAtRest_basicAWS(t *testing.T) { Region: conversion.StringPtr(conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))), RoleId: conversion.StringPtr(os.Getenv("AWS_ROLE_ID")), } + awsKmsUpdatedAttrMap = map[string]string{ + "enabled": "true", + "region": awsKmsUpdated.GetRegion(), + "role_id": awsKmsUpdated.GetRoleId(), + "customer_master_key_id": awsKmsUpdated.GetCustomerMasterKeyID(), + "valid": "true", + } ) resource.Test(t, resource.TestCase{ 
@@ -58,12 +73,13 @@ func TestAccEncryptionAtRest_basicAWS(t *testing.T) { Check: resource.ComposeAggregateTestCheckFunc( testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName), resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.region", awsKms.GetRegion()), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.role_id", awsKms.GetRoleId()), + testCheckResourceAttr(resourceName, "aws_kms_config.0", awsKmsAttrMap), resource.TestCheckNoResourceAttr(resourceName, "azure_key_vault_config.#"), resource.TestCheckNoResourceAttr(resourceName, "google_cloud_kms_config.#"), + + resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), + testCheckResourceAttr(datasourceName, "aws_kms_config.", awsKmsAttrMap), ), }, { @@ -71,12 +87,13 @@ func TestAccEncryptionAtRest_basicAWS(t *testing.T) { Check: resource.ComposeAggregateTestCheckFunc( testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName), resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.region", awsKmsUpdated.GetRegion()), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.role_id", awsKmsUpdated.GetRoleId()), + testCheckResourceAttr(resourceName, "aws_kms_config.0", awsKmsUpdatedAttrMap), resource.TestCheckNoResourceAttr(resourceName, "azure_key_vault_config.#"), resource.TestCheckNoResourceAttr(resourceName, "google_cloud_kms_config.#"), + + resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), + testCheckResourceAttr(datasourceName, "aws_kms_config", awsKmsUpdatedAttrMap), ), }, { 
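Review bot: the data source prefix differs between the two steps: `testCheckResourceAttr(datasourceName, "aws_kms_config.", awsKmsAttrMap)` in the first and `testCheckResourceAttr(datasourceName, "aws_kms_config", awsKmsUpdatedAttrMap)` in the second. Whichever form `acc.AddAttrChecksPrefix` expects, one of the two builds a malformed key (either `aws_kms_config..enabled` or `aws_kms_configenabled`) and that step fails with a confusing "attribute not found" message. Use one form in both steps, matching the resource-side `"aws_kms_config.0"` convention; the Azure preview test's update step later in this patch uses the trailing-dot form as well and needs the same fix.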
@@ -107,6 +124,18 @@ func TestAccEncryptionAtRest_basicAzure(t *testing.T) { TenantID: conversion.StringPtr(os.Getenv("AZURE_TENANT_ID")), } + azureKeyVaultAttrMap = map[string]string{ + "enabled": "true", + "azure_environment": azureKeyVault.GetAzureEnvironment(), + "resource_group_name": azureKeyVault.GetResourceGroupName(), + "key_vault_name": azureKeyVault.GetKeyVaultName(), + "client_id": azureKeyVault.GetClientID(), + "key_identifier": azureKeyVault.GetKeyIdentifier(), + "subscription_id": azureKeyVault.GetSubscriptionID(), + "tenant_id": azureKeyVault.GetTenantID(), + "require_private_networking": "false", + } + azureKeyVaultUpdated = admin.AzureKeyVault{ Enabled: conversion.Pointer(true), ClientID: conversion.StringPtr(os.Getenv("AZURE_CLIENT_ID_UPDATED")), @@ -118,6 +147,18 @@ func TestAccEncryptionAtRest_basicAzure(t *testing.T) { Secret: conversion.StringPtr(os.Getenv("AZURE_SECRET_UPDATED")), TenantID: conversion.StringPtr(os.Getenv("AZURE_TENANT_ID")), } + + azureKeyVaultUpdatedAttrMap = map[string]string{ + "enabled": "true", + "azure_environment": azureKeyVaultUpdated.GetAzureEnvironment(), + "resource_group_name": azureKeyVaultUpdated.GetResourceGroupName(), + "key_vault_name": azureKeyVaultUpdated.GetKeyVaultName(), + "client_id": azureKeyVaultUpdated.GetClientID(), + "key_identifier": azureKeyVaultUpdated.GetKeyIdentifier(), + "subscription_id": azureKeyVaultUpdated.GetSubscriptionID(), + "tenant_id": azureKeyVaultUpdated.GetTenantID(), + "require_private_networking": "false", + } ) resource.Test(t, resource.TestCase{ 
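Review bot: both Azure maps hard-code `"enabled": "true"` and `"require_private_networking": "false"` while every other entry reads from the struct, so the assertions silently stop matching the config if `Enabled` or `RequirePrivateNetworking` is changed on `azureKeyVault` later. Derive them with `strconv.FormatBool(azureKeyVault.GetEnabled())` and `strconv.FormatBool(azureKeyVault.GetRequirePrivateNetworking())`, and since the same nine-entry map is now needed in four places across this file, factor it into one helper rather than repeating the literal.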
@@ -130,11 +171,9 @@ func TestAccEncryptionAtRest_basicAzure(t *testing.T) { Check: resource.ComposeAggregateTestCheckFunc( testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName), resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.azure_environment", azureKeyVault.GetAzureEnvironment()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.resource_group_name", azureKeyVault.GetResourceGroupName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.key_vault_name", azureKeyVault.GetKeyVaultName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.require_private_networking", "false"), + testCheckResourceAttr(resourceName, "azure_key_vault_config.0", azureKeyVaultAttrMap), + resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), + testCheckResourceAttr(datasourceName, "azure_key_vault_config", azureKeyVaultAttrMap), ), }, { 
@@ -142,11 +181,9 @@ func TestAccEncryptionAtRest_basicAzure(t *testing.T) { Check: resource.ComposeAggregateTestCheckFunc( testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName), resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.azure_environment", azureKeyVaultUpdated.GetAzureEnvironment()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.resource_group_name", azureKeyVaultUpdated.GetResourceGroupName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.key_vault_name", azureKeyVaultUpdated.GetKeyVaultName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.require_private_networking", "false"), + testCheckResourceAttr(resourceName, "azure_key_vault_config.0", azureKeyVaultUpdatedAttrMap), + resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), + testCheckResourceAttr(datasourceName, "azure_key_vault_config", azureKeyVaultUpdatedAttrMap), ), }, { @@ -161,6 +198,12 @@ func TestAccEncryptionAtRest_basicAzure(t *testing.T) { }) } +func testCheckResourceAttr(resourceName, prefix string, attrsMap map[string]string) resource.TestCheckFunc { + checks := acc.AddAttrChecksPrefix(resourceName, []resource.TestCheckFunc{}, attrsMap, prefix) + + return resource.ComposeAggregateTestCheckFunc(checks...) +} + func TestAccEncryptionAtRest_azure_requirePrivateNetworking_preview(t *testing.T) { acc.SkipTestForCI(t) // needs Azure configuration 
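Review bot: `testCheckResourceAttr` is defined in the middle of the file between two acceptance tests and its name reads like a drop-in for `resource.TestCheckResourceAttr` while taking a different signature (prefix plus map), which is easy to misread at the call sites. Either rename it to something like `checkAttrsWithPrefix` (suggestion) or move it next to `acc.AddAttrChecksPrefix` in the `acc` package where the other shared check helpers live; the `[]resource.TestCheckFunc{}` seed can also simply be `nil`.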
@@ -180,6 +223,18 @@ func TestAccEncryptionAtRest_azure_requirePrivateNetworking_preview(t *testing.T RequirePrivateNetworking: conversion.Pointer(true), } + azureKeyVaultAttrMap = map[string]string{ + "enabled": "true", + "azure_environment": azureKeyVault.GetAzureEnvironment(), + "resource_group_name": azureKeyVault.GetResourceGroupName(), + "key_vault_name": azureKeyVault.GetKeyVaultName(), + "client_id": azureKeyVault.GetClientID(), + "key_identifier": azureKeyVault.GetKeyIdentifier(), + "subscription_id": azureKeyVault.GetSubscriptionID(), + "tenant_id": azureKeyVault.GetTenantID(), + "require_private_networking": strconv.FormatBool((azureKeyVault.GetRequirePrivateNetworking())), + } + azureKeyVaultUpdated = admin.AzureKeyVault{ Enabled: conversion.Pointer(true), ClientID: conversion.StringPtr(os.Getenv("AZURE_CLIENT_ID_UPDATED")), @@ -192,6 +247,18 @@ func TestAccEncryptionAtRest_azure_requirePrivateNetworking_preview(t *testing.T TenantID: conversion.StringPtr(os.Getenv("AZURE_TENANT_ID")), RequirePrivateNetworking: conversion.Pointer(false), } + + azureKeyVaultUpdatedAttrMap = map[string]string{ + "enabled": "true", + "azure_environment": azureKeyVaultUpdated.GetAzureEnvironment(), + "resource_group_name": azureKeyVaultUpdated.GetResourceGroupName(), + "key_vault_name": azureKeyVaultUpdated.GetKeyVaultName(), + "client_id": azureKeyVaultUpdated.GetClientID(), + "key_identifier": azureKeyVaultUpdated.GetKeyIdentifier(), + "subscription_id": azureKeyVaultUpdated.GetSubscriptionID(), + "tenant_id": azureKeyVaultUpdated.GetTenantID(), + "require_private_networking": strconv.FormatBool((azureKeyVaultUpdated.GetRequirePrivateNetworking())), + } ) resource.Test(t, resource.TestCase{ 
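Review bot: `strconv.FormatBool((azureKeyVault.GetRequirePrivateNetworking()))` carries a redundant pair of parentheses in both maps; `strconv.FormatBool(azureKeyVault.GetRequirePrivateNetworking())` is enough. These two maps are the third and fourth copies of the Azure attribute map in this file, which is the strongest argument for the helper suggested above: the preview test is the one place that derives `require_private_networking` from the struct, and that should be the behaviour everywhere.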
@@ -204,23 +271,21 @@ func TestAccEncryptionAtRest_azure_requirePrivateNetworking_preview(t *testing.T Check: resource.ComposeAggregateTestCheckFunc( testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName), resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.azure_environment", azureKeyVault.GetAzureEnvironment()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.resource_group_name", azureKeyVault.GetResourceGroupName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.key_vault_name", azureKeyVault.GetKeyVaultName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.require_private_networking", strconv.FormatBool((azureKeyVault.GetRequirePrivateNetworking()))), + testCheckResourceAttr(resourceName, "azure_key_vault_config.0", azureKeyVaultAttrMap), + + resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), + testCheckResourceAttr(datasourceName, "azure_key_vault_config", azureKeyVaultAttrMap), ), }, { - Config: acc.ConfigEARAzureKeyVault(projectID, &azureKeyVaultUpdated, false), + Config: acc.ConfigEARAzureKeyVault(projectID, &azureKeyVaultUpdated, true), Check: resource.ComposeAggregateTestCheckFunc( testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName), resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.azure_environment", azureKeyVaultUpdated.GetAzureEnvironment()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.resource_group_name", azureKeyVaultUpdated.GetResourceGroupName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.key_vault_name", 
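Review bot: the second step changes `acc.ConfigEARAzureKeyVault(projectID, &azureKeyVaultUpdated, false)` to `true` without a comment explaining why; judging by `requirePrivateNetworkingAttr` in `ConfigEARAzureKeyVault`, the third argument decides whether `require_private_networking` is rendered into the HCL at all, so the update step now exercises an explicit `false` rather than an omitted attribute. Those are different cases for an Optional/Computed attribute, and a one-line comment saying which case the step is meant to cover would stop the next person from flipping it back.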
azureKeyVaultUpdated.GetKeyVaultName()), - resource.TestCheckResourceAttr(resourceName, "azure_key_vault_config.0.require_private_networking", strconv.FormatBool((azureKeyVaultUpdated.GetRequirePrivateNetworking()))), + testCheckResourceAttr(resourceName, "azure_key_vault_config.0", azureKeyVaultUpdatedAttrMap), + + resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), + testCheckResourceAttr(datasourceName, "azure_key_vault_config.", azureKeyVaultUpdatedAttrMap), ), }, { @@ -600,7 +665,9 @@ func testAccMongoDBAtlasEncryptionAtRestConfigAwsKms(projectID string, aws *admi role_id = "%s" } } - `, projectID, aws.GetEnabled(), aws.GetCustomerMasterKeyID(), aws.GetRegion(), aws.GetRoleId()) + + %s + `, projectID, aws.GetEnabled(), aws.GetCustomerMasterKeyID(), aws.GetRegion(), aws.GetRoleId(), acc.TestAccDatasourceConfig()) } func testAccMongoDBAtlasEncryptionAtRestConfigGoogleCloudKms(projectID string, google *admin.GoogleCloudKMS) string { diff --git a/internal/testutil/acc/encryption_at_rest.go b/internal/testutil/acc/encryption_at_rest.go index f1a2a1308a..579ba98418 100644 --- a/internal/testutil/acc/encryption_at_rest.go +++ b/internal/testutil/acc/encryption_at_rest.go @@ -29,6 +29,14 @@ func ConfigEARAzureKeyVault(projectID string, azure *admin.AzureKeyVault, useReq %s } } + + %s `, projectID, *azure.Enabled, azure.GetClientID(), azure.GetAzureEnvironment(), azure.GetSubscriptionID(), azure.GetResourceGroupName(), - azure.GetKeyVaultName(), azure.GetKeyIdentifier(), azure.GetSecret(), azure.GetTenantID(), requirePrivateNetworkingAttr) + azure.GetKeyVaultName(), azure.GetKeyIdentifier(), azure.GetSecret(), azure.GetTenantID(), requirePrivateNetworkingAttr, TestAccDatasourceConfig()) +} + +func TestAccDatasourceConfig() string { + return `data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id + }` } From b63ee696ebb2036d3d90a5c9194cc1ce2da5321b Mon Sep 17 00:00:00 2001 
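Review bot: `TestAccDatasourceConfig` in the `acc` package starts with the `TestAcc` prefix that this repository reserves for acceptance test functions, so greps and `-run TestAcc` patterns will pick up a config helper; a name in the style of the neighbouring `ConfigEARAzureKeyVault`, for example `ConfigEARDatasource` (suggestion), is clearer. The returned HCL also hard-codes the dependency on `mongodbatlas_encryption_at_rest.test`, which is fine while every config in the file names the resource `test`, but worth a comment so a renamed resource does not produce a puzzling "reference to undeclared resource" error.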
From: Aastha Mahendru Date: Wed, 28 Aug 2024 23:09:51 +0100 Subject: [PATCH 06/19] changelog entry --- .changelog/2538.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .changelog/2538.txt diff --git a/.changelog/2538.txt b/.changelog/2538.txt new file mode 100644 index 0000000000..9127a008da --- /dev/null +++ b/.changelog/2538.txt @@ -0,0 +1,7 @@ +```release-note:new-datasource +data-source/mongodbatlas_encryption_at_rest +``` + +```release-note:enhancement +resource/mongodbatlas_encryption_at_rest: Adds `aws_kms_config.0.valid`, `azure_key_vault_config.0.valid` and `google_cloud_kms_config.0.valid` attribute +``` From 48c0f09aa84116fa7abb4369d7f639a50dd5aa2d Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Wed, 28 Aug 2024 23:18:16 +0100 Subject: [PATCH 07/19] minor --- .../encryptionatrest/data_source_schema.go | 51 ------------------- internal/service/encryptionatrest/model.go | 49 ++++++++++++++++++ 2 files changed, 49 insertions(+), 51 deletions(-) diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go index 589607a53f..5c4ecc9b46 100644 --- a/internal/service/encryptionatrest/data_source_schema.go +++ b/internal/service/encryptionatrest/data_source_schema.go @@ -7,8 +7,6 @@ import ( "github.com/hashicorp/terraform-plugin-framework/datasource/schema" "github.com/hashicorp/terraform-plugin-framework/types" - - "github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion" ) func DataSourceSchema(ctx context.Context) schema.Schema { 
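Review bot: the enhancement entry lists three attributes (`aws_kms_config.0.valid`, `azure_key_vault_config.0.valid`, `google_cloud_kms_config.0.valid`) but ends in the singular "attribute"; make it "attributes". Release-note text is what users read, so it should also say what `valid` means (whether Atlas could use the configured key) rather than only naming the field.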
@@ -184,52 +182,3 @@ func NewTFEncryptionAtRestDSModel(projectID string, encryptionResp *admin.Encryp GoogleCloudKmsConfig: NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms), } } - -func NewTFAwsKmsConfigItem(awsKms *admin.AWSKMSConfiguration) *TFAwsKmsConfigModel { - if awsKms == nil { - return nil - } - - return &TFAwsKmsConfigModel{ - Enabled: types.BoolPointerValue(awsKms.Enabled), - CustomerMasterKeyID: types.StringValue(awsKms.GetCustomerMasterKeyID()), - Region: types.StringValue(awsKms.GetRegion()), - AccessKeyID: conversion.StringNullIfEmpty(awsKms.GetAccessKeyID()), - SecretAccessKey: conversion.StringNullIfEmpty(awsKms.GetSecretAccessKey()), - RoleID: conversion.StringNullIfEmpty(awsKms.GetRoleId()), - Valid: types.BoolPointerValue(awsKms.Valid), - } -} - -func NewTFAzureKeyVaultConfigItem(az *admin.AzureKeyVault) *TFAzureKeyVaultConfigModel { - if az == nil { - return nil - } - - return &TFAzureKeyVaultConfigModel{ - Enabled: types.BoolPointerValue(az.Enabled), - ClientID: types.StringValue(az.GetClientID()), - AzureEnvironment: types.StringValue(az.GetAzureEnvironment()), - SubscriptionID: types.StringValue(az.GetSubscriptionID()), - ResourceGroupName: types.StringValue(az.GetResourceGroupName()), - KeyVaultName: types.StringValue(az.GetKeyVaultName()), - KeyIdentifier: types.StringValue(az.GetKeyIdentifier()), - TenantID: types.StringValue(az.GetTenantID()), - Secret: conversion.StringNullIfEmpty(az.GetSecret()), - RequirePrivateNetworking: types.BoolValue(az.GetRequirePrivateNetworking()), - Valid: types.BoolPointerValue(az.Valid), - } -} - -func NewTFGcpKmsConfigItem(gcpKms *admin.GoogleCloudKMS) *TFGcpKmsConfigModel { - if gcpKms == nil { - return nil - } - - return &TFGcpKmsConfigModel{ - Enabled: types.BoolPointerValue(gcpKms.Enabled), - KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()), - ServiceAccountKey: conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()), - Valid: types.BoolPointerValue(gcpKms.Valid), - } 
-} diff --git a/internal/service/encryptionatrest/model.go b/internal/service/encryptionatrest/model.go index e3bf9da368..d2e268410f 100644 --- a/internal/service/encryptionatrest/model.go +++ b/internal/service/encryptionatrest/model.go 
@@ -50,6 +50,55 @@ func NewTFGcpKmsConfig(ctx context.Context, gcpKms *admin.GoogleCloudKMS) []TFGc } } +func NewTFAwsKmsConfigItem(awsKms *admin.AWSKMSConfiguration) *TFAwsKmsConfigModel { + if awsKms == nil { + return nil + } + + return &TFAwsKmsConfigModel{ + Enabled: types.BoolPointerValue(awsKms.Enabled), + CustomerMasterKeyID: types.StringValue(awsKms.GetCustomerMasterKeyID()), + Region: types.StringValue(awsKms.GetRegion()), + AccessKeyID: conversion.StringNullIfEmpty(awsKms.GetAccessKeyID()), + SecretAccessKey: conversion.StringNullIfEmpty(awsKms.GetSecretAccessKey()), + RoleID: conversion.StringNullIfEmpty(awsKms.GetRoleId()), + Valid: types.BoolPointerValue(awsKms.Valid), + } +} + +func NewTFAzureKeyVaultConfigItem(az *admin.AzureKeyVault) *TFAzureKeyVaultConfigModel { + if az == nil { + return nil + } + + return &TFAzureKeyVaultConfigModel{ + Enabled: types.BoolPointerValue(az.Enabled), + ClientID: types.StringValue(az.GetClientID()), + AzureEnvironment: types.StringValue(az.GetAzureEnvironment()), + SubscriptionID: types.StringValue(az.GetSubscriptionID()), + ResourceGroupName: types.StringValue(az.GetResourceGroupName()), + KeyVaultName: types.StringValue(az.GetKeyVaultName()), + KeyIdentifier: types.StringValue(az.GetKeyIdentifier()), + TenantID: types.StringValue(az.GetTenantID()), + Secret: conversion.StringNullIfEmpty(az.GetSecret()), + RequirePrivateNetworking: types.BoolValue(az.GetRequirePrivateNetworking()), + Valid: types.BoolPointerValue(az.Valid), + } +} + +func NewTFGcpKmsConfigItem(gcpKms *admin.GoogleCloudKMS) *TFGcpKmsConfigModel { + if gcpKms == nil { + return nil + } + + return &TFGcpKmsConfigModel{ + Enabled: types.BoolPointerValue(gcpKms.Enabled), + KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()), + ServiceAccountKey: conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()), + Valid: types.BoolPointerValue(gcpKms.Valid), + } +} + func NewAtlasAwsKms(tfAwsKmsConfigSlice []TFAwsKmsConfigModel) 
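Review bot: moving the three `*Item` constructors into model.go means the same mapping now feeds both the resource and the data source, and each of them copies a credential field straight from the API response into state: `SecretAccessKey` in `NewTFAwsKmsConfigItem`, `Secret` in `NewTFAzureKeyVaultConfigItem` and `ServiceAccountKey` in `NewTFGcpKmsConfigItem`. Please confirm `DataSourceSchema` marks those three attributes `Sensitive: true` so they are redacted from plan output and logs if the API ever returns them; unlike the resource, the data source has no practitioner config to tell it these values are secrets. Using `conversion.StringNullIfEmpty` for those fields rather than `types.StringValue` is correct, since an absent secret should be null rather than an empty string.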
*admin.AWSKMSConfiguration { if len(tfAwsKmsConfigSlice) == 0 { return &admin.AWSKMSConfiguration{} From 726e53ba8a25752fa59a7cd8ca525aabb95bdf4d Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Wed, 28 Aug 2024 23:22:35 +0100 Subject: [PATCH 08/19] lint fix --- internal/service/encryptionatrest/data_source_schema.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go index 5c4ecc9b46..93cbaebf56 100644 --- a/internal/service/encryptionatrest/data_source_schema.go +++ b/internal/service/encryptionatrest/data_source_schema.go @@ -166,11 +166,11 @@ func DataSourceSchema(ctx context.Context) schema.Schema { } type TFEncryptionAtRestDSModel struct { - ID types.String `tfsdk:"id"` - ProjectID types.String `tfsdk:"project_id"` AzureKeyVaultConfig *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` AwsKmsConfig *TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` GoogleCloudKmsConfig *TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` + ID types.String `tfsdk:"id"` + ProjectID types.String `tfsdk:"project_id"` } func NewTFEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TFEncryptionAtRestDSModel { From 85a9b116339a80b9b7117ff7bcf4e9ab2116453e Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Fri, 30 Aug 2024 10:58:59 +0100 Subject: [PATCH 09/19] address PR comments --- .../service/encryptionatrest/resource_test.go | 112 +++++++----------- 1 file changed, 44 insertions(+), 68 deletions(-) diff --git a/internal/service/encryptionatrest/resource_test.go b/internal/service/encryptionatrest/resource_test.go index 3453b80823..6483155ab3 100644 --- a/internal/service/encryptionatrest/resource_test.go +++ b/internal/service/encryptionatrest/resource_test.go 
@@ -106,6 +106,20 @@ func TestAccEncryptionAtRest_basicAWS(t *testing.T) { }) } +func convertToAzureKeyVaultAttrMap(az *admin.AzureKeyVault) map[string]string { + return map[string]string{ + "enabled": strconv.FormatBool(az.GetEnabled()), + "azure_environment": az.GetAzureEnvironment(), + "resource_group_name": az.GetResourceGroupName(), + "key_vault_name": az.GetKeyVaultName(), + "client_id": az.GetClientID(), + "key_identifier": az.GetKeyIdentifier(), + "subscription_id": az.GetSubscriptionID(), + "tenant_id": az.GetTenantID(), + "require_private_networking": strconv.FormatBool(az.GetRequirePrivateNetworking()), + } +} + func TestAccEncryptionAtRest_basicAzure(t *testing.T) { acc.SkipTestForCI(t) // needs Azure configuration 
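Review bot: `convertToAzureKeyVaultAttrMap` omits a `"valid"` entry even though the AWS map in `TestAccEncryptionAtRest_basicAWS` asserts `"valid": "true"` and the changelog in this series announces `azure_key_vault_config.0.valid`; add the same assertion here so the Azure path proves the attribute is populated. The helper is also placed between two test functions; grouping it with the other helpers at the bottom of the file keeps the tests readable top to bottom.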
@@ -113,52 +127,34 @@ func TestAccEncryptionAtRest_basicAzure(t *testing.T) { projectID = os.Getenv("MONGODB_ATLAS_PROJECT_ID") azureKeyVault = admin.AzureKeyVault{ - Enabled: conversion.Pointer(true), - ClientID: conversion.StringPtr(os.Getenv("AZURE_CLIENT_ID")), - AzureEnvironment: conversion.StringPtr("AZURE"), - SubscriptionID: conversion.StringPtr(os.Getenv("AZURE_SUBSCRIPTION_ID")), - ResourceGroupName: conversion.StringPtr(os.Getenv("AZURE_RESOURCE_GROUP_NAME")), - KeyVaultName: conversion.StringPtr(os.Getenv("AZURE_KEY_VAULT_NAME")), - KeyIdentifier: conversion.StringPtr(os.Getenv("AZURE_KEY_IDENTIFIER")), - Secret: conversion.StringPtr(os.Getenv("AZURE_SECRET")), - TenantID: conversion.StringPtr(os.Getenv("AZURE_TENANT_ID")), + Enabled: conversion.Pointer(true), + ClientID: conversion.StringPtr(os.Getenv("AZURE_CLIENT_ID")), + AzureEnvironment: conversion.StringPtr("AZURE"), + SubscriptionID: conversion.StringPtr(os.Getenv("AZURE_SUBSCRIPTION_ID")), + ResourceGroupName: conversion.StringPtr(os.Getenv("AZURE_RESOURCE_GROUP_NAME")), + KeyVaultName: conversion.StringPtr(os.Getenv("AZURE_KEY_VAULT_NAME")), + KeyIdentifier: conversion.StringPtr(os.Getenv("AZURE_KEY_IDENTIFIER")), + Secret: conversion.StringPtr(os.Getenv("AZURE_SECRET")), + TenantID: conversion.StringPtr(os.Getenv("AZURE_TENANT_ID")), + RequirePrivateNetworking: conversion.Pointer(false), } - azureKeyVaultAttrMap = map[string]string{ - "enabled": "true", - "azure_environment": azureKeyVault.GetAzureEnvironment(), - "resource_group_name": azureKeyVault.GetResourceGroupName(), - "key_vault_name": azureKeyVault.GetKeyVaultName(), - "client_id": azureKeyVault.GetClientID(), - "key_identifier": azureKeyVault.GetKeyIdentifier(), - "subscription_id": azureKeyVault.GetSubscriptionID(), - "tenant_id": azureKeyVault.GetTenantID(), - "require_private_networking": "false", - } + azureKeyVaultAttrMap = convertToAzureKeyVaultAttrMap(&azureKeyVault) azureKeyVaultUpdated = admin.AzureKeyVault{ - Enabled: 
conversion.Pointer(true), - ClientID: conversion.StringPtr(os.Getenv("AZURE_CLIENT_ID_UPDATED")), - AzureEnvironment: conversion.StringPtr("AZURE"), - SubscriptionID: conversion.StringPtr(os.Getenv("AZURE_SUBSCRIPTION_ID")), - ResourceGroupName: conversion.StringPtr(os.Getenv("AZURE_RESOURCE_GROUP_NAME_UPDATED")), - KeyVaultName: conversion.StringPtr(os.Getenv("AZURE_KEY_VAULT_NAME_UPDATED")), - KeyIdentifier: conversion.StringPtr(os.Getenv("AZURE_KEY_IDENTIFIER_UPDATED")), - Secret: conversion.StringPtr(os.Getenv("AZURE_SECRET_UPDATED")), - TenantID: conversion.StringPtr(os.Getenv("AZURE_TENANT_ID")), + Enabled: conversion.Pointer(true), + ClientID: conversion.StringPtr(os.Getenv("AZURE_CLIENT_ID_UPDATED")), + AzureEnvironment: conversion.StringPtr("AZURE"), + SubscriptionID: conversion.StringPtr(os.Getenv("AZURE_SUBSCRIPTION_ID")), + ResourceGroupName: conversion.StringPtr(os.Getenv("AZURE_RESOURCE_GROUP_NAME_UPDATED")), + KeyVaultName: conversion.StringPtr(os.Getenv("AZURE_KEY_VAULT_NAME_UPDATED")), + KeyIdentifier: conversion.StringPtr(os.Getenv("AZURE_KEY_IDENTIFIER_UPDATED")), + Secret: conversion.StringPtr(os.Getenv("AZURE_SECRET_UPDATED")), + TenantID: conversion.StringPtr(os.Getenv("AZURE_TENANT_ID")), + RequirePrivateNetworking: conversion.Pointer(false), } - azureKeyVaultUpdatedAttrMap = map[string]string{ - "enabled": "true", - "azure_environment": azureKeyVaultUpdated.GetAzureEnvironment(), - "resource_group_name": azureKeyVaultUpdated.GetResourceGroupName(), - "key_vault_name": azureKeyVaultUpdated.GetKeyVaultName(), - "client_id": azureKeyVaultUpdated.GetClientID(), - "key_identifier": azureKeyVaultUpdated.GetKeyIdentifier(), - "subscription_id": azureKeyVaultUpdated.GetSubscriptionID(), - "tenant_id": azureKeyVaultUpdated.GetTenantID(), - "require_private_networking": "false", - } + azureKeyVaultUpdatedAttrMap = convertToAzureKeyVaultAttrMap(&azureKeyVaultUpdated) ) resource.Test(t, resource.TestCase{ 
@@ -223,17 +219,7 @@ func TestAccEncryptionAtRest_azure_requirePrivateNetworking_preview(t *testing.T RequirePrivateNetworking: conversion.Pointer(true), } - azureKeyVaultAttrMap = map[string]string{ - "enabled": "true", - "azure_environment": azureKeyVault.GetAzureEnvironment(), - "resource_group_name": azureKeyVault.GetResourceGroupName(), - "key_vault_name": azureKeyVault.GetKeyVaultName(), - "client_id": azureKeyVault.GetClientID(), - "key_identifier": azureKeyVault.GetKeyIdentifier(), - "subscription_id": azureKeyVault.GetSubscriptionID(), - "tenant_id": azureKeyVault.GetTenantID(), - "require_private_networking": strconv.FormatBool((azureKeyVault.GetRequirePrivateNetworking())), - } + azureKeyVaultAttrMap = convertToAzureKeyVaultAttrMap(&azureKeyVault) azureKeyVaultUpdated = admin.AzureKeyVault{ Enabled: conversion.Pointer(true), @@ -248,17 +234,7 @@ func TestAccEncryptionAtRest_azure_requirePrivateNetworking_preview(t *testing.T RequirePrivateNetworking: conversion.Pointer(false), } - azureKeyVaultUpdatedAttrMap = map[string]string{ - "enabled": "true", - "azure_environment": azureKeyVaultUpdated.GetAzureEnvironment(), - "resource_group_name": azureKeyVaultUpdated.GetResourceGroupName(), - "key_vault_name": azureKeyVaultUpdated.GetKeyVaultName(), - "client_id": azureKeyVaultUpdated.GetClientID(), - "key_identifier": azureKeyVaultUpdated.GetKeyIdentifier(), - "subscription_id": azureKeyVaultUpdated.GetSubscriptionID(), - "tenant_id": azureKeyVaultUpdated.GetTenantID(), - "require_private_networking": strconv.FormatBool((azureKeyVaultUpdated.GetRequirePrivateNetworking())), - } + azureKeyVaultUpdatedAttrMap = convertToAzureKeyVaultAttrMap(&azureKeyVaultUpdated) ) resource.Test(t, resource.TestCase{ 
@@ -656,17 +632,17 @@ func testAccCheckMongoDBAtlasEncryptionAtRestDestroy(s *terraform.State) error { func testAccMongoDBAtlasEncryptionAtRestConfigAwsKms(projectID string, aws *admin.AWSKMSConfiguration) string { return fmt.Sprintf(` resource "mongodbatlas_encryption_at_rest" "test" { - project_id = "%s" + project_id = %[1]q aws_kms_config { - enabled = %t - customer_master_key_id = "%s" - region = "%s" - role_id = "%s" + enabled = %[2]t + customer_master_key_id = %[3]q + region = %[4]q + role_id = %[5]q } } - %s + %[6]s `, projectID, aws.GetEnabled(), aws.GetCustomerMasterKeyID(), aws.GetRegion(), aws.GetRoleId(), acc.TestAccDatasourceConfig()) } From ed25f5af80648620eed7302de7bf9fe5049331d1 Mon Sep 17 00:00:00 2001 From: maastha <122359335+maastha@users.noreply.github.com> Date: Fri, 30 Aug 2024 11:00:11 +0100 Subject: [PATCH 10/19] Update internal/service/encryptionatrest/data_source_schema.go Co-authored-by: lmkerbey-mdb <105309825+lmkerbey-mdb@users.noreply.github.com> --- internal/service/encryptionatrest/data_source_schema.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go index 93cbaebf56..4d83bebd53 100644 --- a/internal/service/encryptionatrest/data_source_schema.go +++ b/internal/service/encryptionatrest/data_source_schema.go 
@@ -33,8 +33,8 @@ func DataSourceSchema(ctx context.Context) schema.Schema { }, "region": schema.StringAttribute{ Computed: true, - Description: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. - MarkdownDescription: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. + Description: "Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. 
Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. + MarkdownDescription: "Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. }, "role_id": schema.StringAttribute{ Computed: true, From b4152535daaae4f7228af957d1cf92f9dc1ede11 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Fri, 30 Aug 2024 11:16:36 +0100 Subject: [PATCH 11/19] update doc --- internal/service/encryptionatrest/resource.go | 4 ++-- .../encryptionatrest/tfplugingen/generator_config.yml | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/internal/service/encryptionatrest/resource.go b/internal/service/encryptionatrest/resource.go index 89004eea25..d8840fe92b 100644 --- a/internal/service/encryptionatrest/resource.go +++ b/internal/service/encryptionatrest/resource.go 
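Review bot: `Description` and `MarkdownDescription` for `region` no longer match: the first still reads "When MongoDB Cloud deploys a dedicated cluster" while the second says "When MongoDB Atlas deploys", so the two strings the provider exposes for the same attribute differ by one word. The `//nolint:lll // reason: auto-generated` comment indicates this text comes from the generator config, so the edit belongs there rather than in the generated file. Separately, the text describes cluster node placement and VPC peering, which is not what `aws_kms_config.region` configures (the region of the customer master key); an override that describes the key's region would serve readers better than the cluster wording.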
@@ -143,8 +143,8 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ }, "region": schema.StringAttribute{ Optional: true, - Description: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. - MarkdownDescription: "Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. + Description: "Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. 
Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. + MarkdownDescription: "Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.", //nolint:lll // reason: auto-generated from Open API spec. }, "role_id": schema.StringAttribute{ Optional: true, diff --git a/internal/service/encryptionatrest/tfplugingen/generator_config.yml b/internal/service/encryptionatrest/tfplugingen/generator_config.yml index a06b763f03..c009b1db89 100644 --- a/internal/service/encryptionatrest/tfplugingen/generator_config.yml +++ b/internal/service/encryptionatrest/tfplugingen/generator_config.yml @@ -3,6 +3,11 @@ provider: resources: encryption_at_rest: + schema: + attributes: + overrides: + aws_kms_config.region: + description: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. create: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest method: PATCH 
@@ -12,6 +17,11 @@ resources: data_sources: encryption_at_rest: + schema: + attributes: + overrides: + aws_kms_config.region: + description: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. read: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest method: GET \ No newline at end of file From e74ba18702dacfae2a99997926afbef24a08d625 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Fri, 30 Aug 2024 12:27:28 +0100 Subject: [PATCH 12/19] minor --- .../service/encryptionatrest/tfplugingen/generator_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/service/encryptionatrest/tfplugingen/generator_config.yml b/internal/service/encryptionatrest/tfplugingen/generator_config.yml index c009b1db89..435960cd2e 100644 --- a/internal/service/encryptionatrest/tfplugingen/generator_config.yml +++ b/internal/service/encryptionatrest/tfplugingen/generator_config.yml 
@@ -6,7 +6,7 @@ resources: schema: attributes: overrides: - aws_kms_config.region: + "aws_kms_config.region": description: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. create: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest @@ -20,7 +20,7 @@ data_sources: schema: attributes: overrides: - aws_kms_config.region: + "aws_kms_config.region": description: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. read: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest From 5cd0a9f1781ccb4e43808bdc4d865df089adc508 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Fri, 30 Aug 2024 15:58:50 +0100 Subject: [PATCH 13/19] minor --- .../encryptionatrest/tfplugingen/generator_config.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/internal/service/encryptionatrest/tfplugingen/generator_config.yml b/internal/service/encryptionatrest/tfplugingen/generator_config.yml index 435960cd2e..a06b763f03 100644 --- a/internal/service/encryptionatrest/tfplugingen/generator_config.yml 
+++ b/internal/service/encryptionatrest/tfplugingen/generator_config.yml @@ -3,11 +3,6 @@ provider: resources: encryption_at_rest: - schema: - attributes: - overrides: - "aws_kms_config.region": - description: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. create: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest method: PATCH @@ -17,11 +12,6 @@ resources: data_sources: encryption_at_rest: - schema: - attributes: - overrides: - "aws_kms_config.region": - description: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. read: path: /api/atlas/v2/groups/{groupId}/encryptionAtRest method: GET \ No newline at end of file From 2a7c38bad1e773f81153e7271a29a103f05086e6 Mon Sep 17 00:00:00 2001 
From: Aastha Mahendru Date: Fri, 30 Aug 2024 20:03:56 +0100 Subject: [PATCH 14/19] add example & docs --- docs/data-sources/encryption_at_rest.md | 192 ++++++++++++++++++ docs/resources/encryption_at_rest.md | 144 +++++++------ .../aws/atlas-cluster/main.tf | 8 + .../azure/README.md | 54 +++++ .../azure/main.tf | 25 +++ .../azure/providers.tf | 5 + .../azure/variables.tf | 50 +++++ .../azure/versions.tf | 9 + .../data-sources/encryption_at_rest.md.tmpl | 57 ++++++ .../resources/encryption_at_rest.md.tmpl | 19 ++ 10 files changed, 505 insertions(+), 58 deletions(-) create mode 100644 docs/data-sources/encryption_at_rest.md create mode 100644 examples/mongodbatlas_encryption_at_rest/azure/README.md create mode 100644 examples/mongodbatlas_encryption_at_rest/azure/main.tf create mode 100644 examples/mongodbatlas_encryption_at_rest/azure/providers.tf create mode 100644 examples/mongodbatlas_encryption_at_rest/azure/variables.tf create mode 100644 examples/mongodbatlas_encryption_at_rest/azure/versions.tf create mode 100644 templates/data-sources/encryption_at_rest.md.tmpl diff --git a/docs/data-sources/encryption_at_rest.md b/docs/data-sources/encryption_at_rest.md new file mode 100644 index 0000000000..61027b10ac --- /dev/null +++ b/docs/data-sources/encryption_at_rest.md 
@@ -0,0 +1,192 @@ +# Data Source: mongodbatlas_encryption_at_rest + +`mongodbatlas_encryption_at_rest` describes encryption at rest configuration for an Atlas project with one of the following providers: + +[Amazon Web Services Key Management Service](https://docs.atlas.mongodb.com/security-aws-kms/#security-aws-kms) +[Azure Key Vault](https://docs.atlas.mongodb.com/security-azure-kms/#security-azure-kms) +[Google Cloud KMS](https://docs.atlas.mongodb.com/security-gcp-kms/#security-gcp-kms) + + +~> **IMPORTANT** Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest, by default. + +~> **IMPORTANT** Atlas limits this feature to dedicated cluster tiers of M10 and greater. For more information see: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management + +-> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation. 
+ + +## Example Usages + +### Example: Configuring encryption at rest using customer key management in AWS +```terraform +resource "mongodbatlas_cloud_provider_access_setup" "setup_only" { + project_id = var.atlas_project_id + provider_name = "AWS" +} + +resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" { + project_id = var.atlas_project_id + role_id = mongodbatlas_cloud_provider_access_setup.setup_only.role_id + + aws { + iam_assumed_role_arn = aws_iam_role.test_role.arn + } +} + +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + aws_kms_config { + enabled = true + customer_master_key_id = aws_kms_key.kms_key.id + region = var.atlas_region + role_id = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id + } +} + +resource "mongodbatlas_advanced_cluster" "cluster" { + project_id = var.atlas_project_id + name = "MyCluster" + cluster_type = "REPLICASET" + backup_enabled = true + encryption_at_rest_provider = "AWS" + + replication_specs { + region_configs { + priority = 7 + provider_name = "AWS" + region_name = "US_EAST_1" + electable_specs { + instance_size = "M10" + node_count = 3 + } + } + } +} + +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "is_aws_kms_encryption_at_rest_valid" { + value = data.mongodbatlas_encryption_at_rest.test.aws_kms_config.valid +} +``` + +### Example: Configuring encryption at rest using customer key management in Azure +```terraform +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + azure_key_vault_config { + enabled = true + azure_environment = "AZURE" + + tenant_id = var.azure_tenant_id + subscription_id = var.azure_subscription_id + client_id = var.azure_client_id + secret = var.azure_client_secret + + resource_group_name = var.azure_resource_group_name + key_vault_name = var.azure_key_vault_name + key_identifier = var.azure_key_identifier + 
} +} + +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "azure_encryption_at_rest_validity" { + value = data.mongodbatlas_encryption_at_rest.test.azure_key_vault_config.valid +} +``` + +-> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. + +### Example: Configuring encryption at rest using customer key management in GCP +```terraform +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + google_cloud_kms_config { + enabled = true + service_account_key = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}" + key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1" + } +} + +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "is_gcp_encryption_at_rest_valid" { + value = data.mongodbatlas_encryption_at_rest.test.google_cloud_kms_config.valid +} +``` + + +## Schema + +### Required + +- 
`project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access. + +**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups. + +### Read-Only + +- `aws_kms_config` (Attributes) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedatt--aws_kms_config)) +- `azure_key_vault_config` (Attributes) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedatt--azure_key_vault_config)) +- `google_cloud_kms_config` (Attributes) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedatt--google_cloud_kms_config)) +- `id` (String) The ID of this resource. + + +### Nested Schema for `aws_kms_config` + +Read-Only: + +- `access_key_id` (String, Sensitive) Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK). +- `customer_master_key_id` (String, Sensitive) Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys. +- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`. 
+- `region` (String) Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. +- `role_id` (String) Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key. +- `secret_access_key` (String, Sensitive) Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key. +- `valid` (Boolean) Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data. + + + +### Nested Schema for `azure_key_vault_config` + +Read-Only: + +- `azure_environment` (String) Azure environment in which your account credentials reside. +- `client_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant. +- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`. +- `key_identifier` (String, Sensitive) Web address with a unique key that identifies for your Azure Key Vault. +- `key_vault_name` (String) Unique string that identifies the Azure Key Vault that contains your key. 
+- `require_private_networking` (Boolean) Enable connection to your Azure Key Vault over private networking. +- `resource_group_name` (String) Name of the Azure resource group that contains your Azure Key Vault. +- `secret` (String, Sensitive) Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data. +- `subscription_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies your Azure subscription. +- `tenant_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription. +- `valid` (Boolean) Flag that indicates whether the Azure encryption key can encrypt and decrypt data. + + + +### Nested Schema for `google_cloud_kms_config` + +Read-Only: + +- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`. +- `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS. +- `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object. +- `valid` (Boolean) Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data. + +# Import +Encryption at Rest Settings can be imported using project ID, in the format `project_id`, e.g. 
+ +``` +$ terraform import mongodbatlas_encryption_at_rest.example 1112222b3bf99403840e8934 +``` + +For more information see: [MongoDB Atlas API Reference for Encryption at Rest using Customer Key Management.](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management) \ No newline at end of file diff --git a/docs/resources/encryption_at_rest.md b/docs/resources/encryption_at_rest.md index 10064434e3..e6f13faf40 100644 --- a/docs/resources/encryption_at_rest.md +++ b/docs/resources/encryption_at_rest.md 
@@ -23,79 +23,45 @@ See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/ ## Example Usages +### Example: Configuring encryption at rest using customer key management in AWS ```terraform -resource "mongodbatlas_encryption_at_rest" "test" { - project_id = "" - - aws_kms_config { - enabled = true - customer_master_key_id = "5ce83906-6563-46b7-8045-11c20e3a5766" - region = "US_EAST_1" - role_id = "60815e2fe01a49138a928ebb" - } - - azure_key_vault_config { - enabled = true - client_id = "g54f9e2-89e3-40fd-8188-EXAMPLEID" - azure_environment = "AZURE" - subscription_id = "0ec944e3-g725-44f9-a147-EXAMPLEID" - resource_group_name = "ExampleRGName" - key_vault_name = "EXAMPLEKeyVault" - key_identifier = "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86" - secret = "EXAMPLESECRET" - tenant_id = "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID" - } - - google_cloud_kms_config { - enabled = true - service_account_key = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}" - key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1" - } +resource "mongodbatlas_cloud_provider_access_setup" "setup_only" { + project_id = var.atlas_project_id + provider_name = "AWS" } -``` -**NOTE** if using the two 
resources path for cloud provider access, `cloud_provider_access_setup` and `cloud_provider_access_authorization`, you may need to define a `depends_on` statement for these two resources, because terraform is not able to infer the dependency. +resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" { + project_id = var.atlas_project_id + role_id = mongodbatlas_cloud_provider_access_setup.setup_only.role_id -```terraform -resource "mongodbatlas_encryption_at_rest" "default" { - (...) - depends_on = [mongodbatlas_cloud_provider_access_setup., mongodbatlas_cloud_provider_access_authorization.] + aws { + iam_assumed_role_arn = aws_iam_role.test_role.arn + } } -``` - -## Example: Configuring encryption at rest using customer key management in Azure and then creating a cluster -The configuration of encryption at rest with customer key management, `mongodbatlas_encryption_at_rest`, needs to be completed before a cluster is created in the project. Force this wait by using an implicit dependency via `project_id` as shown in the example below. 
- -```terraform -resource "mongodbatlas_encryption_at_rest" "example" { - project_id = "" +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id - azure_key_vault_config { - enabled = true - client_id = "g54f9e2-89e3-40fd-8188-EXAMPLEID" - azure_environment = "AZURE" - subscription_id = "0ec944e3-g725-44f9-a147-EXAMPLEID" - resource_group_name = "ExampleRGName" - key_vault_name = "EXAMPLEKeyVault" - key_identifier = "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86" - secret = "EXAMPLESECRET" - tenant_id = "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID" + aws_kms_config { + enabled = true + customer_master_key_id = aws_kms_key.kms_key.id + region = var.atlas_region + role_id = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id } } -resource "mongodbatlas_advanced_cluster" "example_cluster" { - project_id = mongodbatlas_encryption_at_rest.example.project_id - name = "CLUSTER NAME" +resource "mongodbatlas_advanced_cluster" "cluster" { + project_id = var.atlas_project_id + name = "MyCluster" cluster_type = "REPLICASET" backup_enabled = true - encryption_at_rest_provider = "AZURE" + encryption_at_rest_provider = "AWS" replication_specs { region_configs { priority = 7 - provider_name = "AZURE" - region_name = "REGION" + provider_name = "AWS" + region_name = "US_EAST_1" electable_specs { instance_size = "M10" node_count = 3 
@@ -104,8 +70,58 @@ resource "mongodbatlas_advanced_cluster" "example_cluster" { } } +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "is_aws_kms_encryption_at_rest_valid" { + value = data.mongodbatlas_encryption_at_rest.test.aws_kms_config.valid +} ``` +### Example: Configuring encryption at rest using customer key management in Azure +```terraform +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + azure_key_vault_config { + enabled = true + azure_environment = "AZURE" + + tenant_id = var.azure_tenant_id + subscription_id = var.azure_subscription_id + client_id = var.azure_client_id + secret = var.azure_client_secret + + resource_group_name = var.azure_resource_group_name + key_vault_name = var.azure_key_vault_name + key_identifier = var.azure_key_identifier + } +} + +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "azure_encryption_at_rest_validity" { + value = data.mongodbatlas_encryption_at_rest.test.azure_key_vault_config.valid +} +``` + +-> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. 
+ +### Example: Configuring encryption at rest using customer key management in GCP +```terraform +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + google_cloud_kms_config { + enabled = true + service_account_key = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}" + key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1" + } +} +``` ## Schema 
@@ -134,10 +150,14 @@ Optional: - `access_key_id` (String, Sensitive) Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK). - `customer_master_key_id` (String, Sensitive) Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys. - `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`. -- `region` (String) Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. +- `region` (String) Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts. 
- `role_id` (String) Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key. - `secret_access_key` (String, Sensitive) Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key. +Read-Only: + +- `valid` (Boolean) Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data. + ### Nested Schema for `azure_key_vault_config` @@ -155,6 +175,10 @@ Optional: - `subscription_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies your Azure subscription. - `tenant_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription. +Read-Only: + +- `valid` (Boolean) Flag that indicates whether the Azure encryption key can encrypt and decrypt data. + ### Nested Schema for `google_cloud_kms_config` @@ -165,6 +189,10 @@ Optional: - `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS. - `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object. +Read-Only: + +- `valid` (Boolean) Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data. + # Import Encryption at Rest Settings can be imported using project ID, in the format `project_id`, e.g. diff --git a/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf b/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf index fb4b6d9826..20c797e31e 100644 
--- a/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf +++ b/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf @@ -42,3 +42,11 @@ resource "mongodbatlas_advanced_cluster" "cluster" { } } } + +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "is_aws_kms_encryption_at_rest_valid" { + value = data.mongodbatlas_encryption_at_rest.test.aws_kms_config.valid +} diff --git a/examples/mongodbatlas_encryption_at_rest/azure/README.md b/examples/mongodbatlas_encryption_at_rest/azure/README.md new file mode 100644 index 0000000000..c8dd523c24 --- /dev/null +++ b/examples/mongodbatlas_encryption_at_rest/azure/README.md 
@@ -0,0 +1,54 @@ +# MongoDB Atlas Provider -- Encryption At Rest using Customer Key Management with Azure +This example shows how to configure encryption at rest with customer managed keys with Azure Key Vault. + +Note: It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. + +## Dependencies + +* Terraform MongoDB Atlas Provider +* A MongoDB Atlas account +* A Microsoft Azure account + +## Usage + +**1\. Provide the appropriate values for the input variables.** + +- `atlas_public_key`: The public API key for MongoDB Atlas +- `atlas_private_key`: The private API key for MongoDB Atlas +- `atlas_project_id`: Atlas Project ID +- `azure_subscription_id`: Azure ID that identifies your Azure subscription +- `azure_client_id`: Azure ID identifies an Azure application associated with your Azure Active Directory tenant +- `azure_client_secret`: Secret associated to the Azure application +- `azure_tenant_id`: Azure ID that identifies the Azure Active Directory tenant within your Azure subscription +- `azure_resource_group_name`: Name of the Azure resource group that contains your Azure Key Vault +- `azure_key_vault_name`: Unique string that identifies the Azure Key Vault that contains your key +- `azure_key_identifier`: Web address with a unique key that identifies for your Azure Key Vault + + +**2\. Review the Terraform plan.** + +Execute the following command and ensure you are happy with the plan. + +``` bash +$ terraform plan +``` +This project currently supports the following deployments: + +- Configure encryption at rest in an existing project using a custom Azure Key. + +**3\. Execute the Terraform apply.** + +Now execute the plan to provision the resources. + +``` bash +$ terraform apply +``` + +**4\. 
Destroy the resources.** + +When you have finished your testing, ensure you destroy the resources to avoid unnecessary Atlas charges. + +``` bash +$ terraform destroy +``` + diff --git a/examples/mongodbatlas_encryption_at_rest/azure/main.tf b/examples/mongodbatlas_encryption_at_rest/azure/main.tf new file mode 100644 index 0000000000..c64fe13596 --- /dev/null +++ b/examples/mongodbatlas_encryption_at_rest/azure/main.tf @@ -0,0 +1,25 @@ +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + azure_key_vault_config { + enabled = true + azure_environment = "AZURE" + + tenant_id = var.azure_tenant_id + subscription_id = var.azure_subscription_id + client_id = var.azure_client_id + secret = var.azure_client_secret + + resource_group_name = var.azure_resource_group_name + key_vault_name = var.azure_key_vault_name + key_identifier = var.azure_key_identifier + } +} + +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "azure_encryption_at_rest_validity" { + value = data.mongodbatlas_encryption_at_rest.test.azure_key_vault_config.valid +} diff --git a/examples/mongodbatlas_encryption_at_rest/azure/providers.tf b/examples/mongodbatlas_encryption_at_rest/azure/providers.tf new file mode 100644 index 0000000000..6fc0d099e0 --- /dev/null +++ b/examples/mongodbatlas_encryption_at_rest/azure/providers.tf @@ -0,0 +1,5 @@ +provider "mongodbatlas" { + public_key = var.atlas_public_key + private_key = var.atlas_private_key +} + diff --git a/examples/mongodbatlas_encryption_at_rest/azure/variables.tf b/examples/mongodbatlas_encryption_at_rest/azure/variables.tf new file mode 100644 index 0000000000..d4b94a39b5 --- /dev/null +++ b/examples/mongodbatlas_encryption_at_rest/azure/variables.tf 
@@ -0,0 +1,50 @@ +variable "atlas_public_key" { + description = "The public API key for MongoDB Atlas" + type = string +} +variable "atlas_private_key" { + description = "The private API key for MongoDB Atlas" + type = string + sensitive = true +} +variable "atlas_project_id" { + description = "Atlas Project ID" + type = string +} +variable "azure_subscription_id" { + type = string + description = "Azure ID that identifies your Azure subscription" +} + +variable "azure_client_id" { + type = string + description = "Azure ID identifies an Azure application associated with your Azure Active Directory tenant" +} + +variable "azure_client_secret" { + type = string + sensitive = true + description = "Secret associated to the Azure application" +} + +variable "azure_tenant_id" { + type = string + description = "Azure ID that identifies the Azure Active Directory tenant within your Azure subscription" +} + +variable "azure_resource_group_name" { + type = string + description = "Name of the Azure resource group that contains your Azure Key Vault" +} + +variable "azure_key_vault_name" { + type = string + description = "Unique string that identifies the Azure Key Vault that contains your key" +} + +variable "azure_key_identifier" { + type = string + description = "Web address with a unique key that identifies for your Azure Key Vault" +} + + diff --git a/examples/mongodbatlas_encryption_at_rest/azure/versions.tf b/examples/mongodbatlas_encryption_at_rest/azure/versions.tf new file mode 100644 index 0000000000..9b4be6c14c --- /dev/null +++ b/examples/mongodbatlas_encryption_at_rest/azure/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + mongodbatlas = { + source = "mongodb/mongodbatlas" + version = "~> 1.18" + } + } + required_version = ">= 1.0" +} diff --git a/templates/data-sources/encryption_at_rest.md.tmpl b/templates/data-sources/encryption_at_rest.md.tmpl new file mode 100644 index 0000000000..51be997ef2 --- /dev/null 
+++ b/templates/data-sources/encryption_at_rest.md.tmpl 
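Review bot: the variable descriptions in the new `azure/README.md` and `azure/variables.tf` are garbled and should be fixed in both places: `Azure ID identifies an Azure application` is missing "that", and `Web address with a unique key that identifies for your Azure Key Vault` should describe what `key_identifier` actually is, the URL of the key (and version) inside the Key Vault. Separately, `azure_client_secret` is correctly marked `sensitive = true`, but step 1 of the README ("Provide the appropriate values for the input variables") does not say how; suggest recommending `TF_VAR_azure_client_secret` or another non-committed source rather than a `terraform.tfvars` checked in next to the example, and adding one line that the secret is still written to Terraform state in clear text, so the state backend needs the same protection as the secret. Minor: `providers.tf` and `variables.tf` both end with stray blank lines.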
@@ -0,0 +1,57 @@ +# {{.Type}}: {{.Name}} + +`{{.Name}}` describes encryption at rest configuration for an Atlas project with one of the following providers: + +[Amazon Web Services Key Management Service](https://docs.atlas.mongodb.com/security-aws-kms/#security-aws-kms) +[Azure Key Vault](https://docs.atlas.mongodb.com/security-azure-kms/#security-azure-kms) +[Google Cloud KMS](https://docs.atlas.mongodb.com/security-gcp-kms/#security-gcp-kms) + + +~> **IMPORTANT** Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest, by default. + +~> **IMPORTANT** Atlas limits this feature to dedicated cluster tiers of M10 and greater. For more information see: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management + +-> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation. + + +## Example Usages + +### Example: Configuring encryption at rest using customer key management in AWS +{{ tffile (printf "examples/%s/aws/atlas-cluster/main.tf" .Name )}} + +### Example: Configuring encryption at rest using customer key management in Azure +{{ tffile (printf "examples/%s/azure/main.tf" .Name )}} + +-> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. 
+ +### Example: Configuring encryption at rest using customer key management in GCP +```terraform +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + google_cloud_kms_config { + enabled = true + service_account_key = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}" + key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1" + } +} + +data "mongodbatlas_encryption_at_rest" "test" { + project_id = mongodbatlas_encryption_at_rest.test.project_id +} + +output "is_gcp_encryption_at_rest_valid" { + value = data.mongodbatlas_encryption_at_rest.test.google_cloud_kms_config.valid +} +``` + +{{ .SchemaMarkdown | trimspace }} + +# Import +Encryption at Rest Settings can be imported using project ID, in the format `project_id`, e.g. + +``` +$ terraform import mongodbatlas_encryption_at_rest.example 1112222b3bf99403840e8934 +``` + +For more information see: [MongoDB Atlas API Reference for Encryption at Rest using Customer Key Management.](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management) \ No newline at end of file 
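Review bot: the GCP example in `templates/data-sources/encryption_at_rest.md.tmpl` inlines a complete service-account JSON, `private_key` PEM included, as the `service_account_key` string literal. Even truncated, it teaches readers to commit a credential in HCL, whereas the Azure example in the same patch routes `azure_client_secret` through a `sensitive` variable. Suggest `service_account_key = var.gcp_service_account_key` with a `sensitive = true` variable (or `file()` on a path kept outside the repo) plus a note that the key is still persisted in state; the identical literal appears in the resources template hunk of this patch, so fix both. Also, the `# Import` section with `terraform import mongodbatlas_encryption_at_rest.example ...` does not belong in a data-source page, since data sources are not imported; drop it here (and it uses an h1 `#` where the rest of the page uses `##`).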
diff --git a/templates/resources/encryption_at_rest.md.tmpl b/templates/resources/encryption_at_rest.md.tmpl index 947e4450c9..6edcfbade2 100644 --- a/templates/resources/encryption_at_rest.md.tmpl +++ b/templates/resources/encryption_at_rest.md.tmpl 
@@ -23,7 +23,26 @@ See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/ ## Example Usages +### Example: Configuring encryption at rest using customer key management in AWS +{{ tffile (printf "examples/%s/aws/atlas-cluster/main.tf" .Name )}} +### Example: Configuring encryption at rest using customer key management in Azure +{{ tffile (printf "examples/%s/azure/main.tf" .Name )}} + +-> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. + +### Example: Configuring encryption at rest using customer key management in GCP +```terraform +resource "mongodbatlas_encryption_at_rest" "test" { + project_id = var.atlas_project_id + + google_cloud_kms_config { + enabled = true + service_account_key = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}" + key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1" + } +} +``` {{ .SchemaMarkdown | trimspace }} From 3eb348ccce8c2efcc898c88c360fff0d8268ba86 Mon Sep 17 00:00:00 2001 
From: Aastha Mahendru Date: Fri, 30 Aug 2024 20:04:55 +0100 Subject: [PATCH 15/19] add GHA --- .github/workflows/code-health.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml index a6930734e1..ec4c2be7c6 100644 --- a/.github/workflows/code-health.yml +++ b/.github/workflows/code-health.yml @@ -75,6 +75,8 @@ jobs: run: export resource_name=push_based_log_export && make generate-doc - name: Doc for search_deployment run: export resource_name=search_deployment && make generate-doc + - name: Doc for encryption_at_rest + run: export resource_name=encryption_at_rest && make generate-doc - name: Find mutations id: self_mutation run: |- From f23833a8135b024bf0285789adbe214fe0b8996d Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Fri, 30 Aug 2024 20:09:53 +0100 Subject: [PATCH 16/19] minor --- docs/data-sources/encryption_at_rest.md | 6 +++--- docs/resources/encryption_at_rest.md | 6 +++--- templates/data-sources/encryption_at_rest.md.tmpl | 6 +++--- templates/resources/encryption_at_rest.md.tmpl | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/data-sources/encryption_at_rest.md b/docs/data-sources/encryption_at_rest.md index 61027b10ac..bd7da0d0e1 100644 --- a/docs/data-sources/encryption_at_rest.md +++ b/docs/data-sources/encryption_at_rest.md @@ -16,7 +16,7 @@ ## Example Usages -### Example: Configuring encryption at rest using customer key management in AWS +### Configuring encryption at rest using customer key management in AWS ```terraform resource "mongodbatlas_cloud_provider_access_setup" "setup_only" { project_id = var.atlas_project_id 
@@ -72,7 +72,7 @@ output "is_aws_kms_encryption_at_rest_valid" { } ``` -### Example: Configuring encryption at rest using customer key management in Azure +### Configuring encryption at rest using customer key management in Azure ```terraform resource "mongodbatlas_encryption_at_rest" "test" { project_id = var.atlas_project_id @@ -103,7 +103,7 @@ output "azure_encryption_at_rest_validity" { -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. -### Example: Configuring encryption at rest using customer key management in GCP +### Configuring encryption at rest using customer key management in GCP ```terraform resource "mongodbatlas_encryption_at_rest" "test" { project_id = var.atlas_project_id diff --git a/docs/resources/encryption_at_rest.md b/docs/resources/encryption_at_rest.md index e6f13faf40..d0990a83f2 100644 --- a/docs/resources/encryption_at_rest.md +++ b/docs/resources/encryption_at_rest.md @@ -23,7 +23,7 @@ See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/ ## Example Usages -### Example: Configuring encryption at rest using customer key management in AWS +### Configuring encryption at rest using customer key management in AWS ```terraform resource "mongodbatlas_cloud_provider_access_setup" "setup_only" { project_id = var.atlas_project_id @@ -79,7 +79,7 @@ output "is_aws_kms_encryption_at_rest_valid" { } ``` -### Example: Configuring encryption at rest using customer key management in Azure +### Configuring encryption at rest using customer key management in Azure ```terraform resource "mongodbatlas_encryption_at_rest" "test" { project_id = var.atlas_project_id 
@@ -110,7 +110,7 @@ output "azure_encryption_at_rest_validity" { -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. -### Example: Configuring encryption at rest using customer key management in GCP +### Configuring encryption at rest using customer key management in GCP ```terraform resource "mongodbatlas_encryption_at_rest" "test" { project_id = var.atlas_project_id diff --git a/templates/data-sources/encryption_at_rest.md.tmpl b/templates/data-sources/encryption_at_rest.md.tmpl index 51be997ef2..2e7124e16e 100644 --- a/templates/data-sources/encryption_at_rest.md.tmpl +++ b/templates/data-sources/encryption_at_rest.md.tmpl @@ -16,15 +16,15 @@ ## Example Usages -### Example: Configuring encryption at rest using customer key management in AWS +### Configuring encryption at rest using customer key management in AWS {{ tffile (printf "examples/%s/aws/atlas-cluster/main.tf" .Name )}} -### Example: Configuring encryption at rest using customer key management in Azure +### Configuring encryption at rest using customer key management in Azure {{ tffile (printf "examples/%s/azure/main.tf" .Name )}} -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. -### Example: Configuring encryption at rest using customer key management in GCP +### Configuring encryption at rest using customer key management in GCP ```terraform resource "mongodbatlas_encryption_at_rest" "test" { project_id = var.atlas_project_id 
diff --git a/templates/resources/encryption_at_rest.md.tmpl b/templates/resources/encryption_at_rest.md.tmpl index 6edcfbade2..c1ab830778 100644 --- a/templates/resources/encryption_at_rest.md.tmpl +++ b/templates/resources/encryption_at_rest.md.tmpl @@ -23,15 +23,15 @@ See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/ ## Example Usages -### Example: Configuring encryption at rest using customer key management in AWS +### Configuring encryption at rest using customer key management in AWS {{ tffile (printf "examples/%s/aws/atlas-cluster/main.tf" .Name )}} -### Example: Configuring encryption at rest using customer key management in Azure +### Configuring encryption at rest using customer key management in Azure {{ tffile (printf "examples/%s/azure/main.tf" .Name )}} -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. -### Example: Configuring encryption at rest using customer key management in GCP +### Configuring encryption at rest using customer key management in GCP ```terraform resource "mongodbatlas_encryption_at_rest" "test" { project_id = var.atlas_project_id From fc4cf60151384fe4262a1e17028b727c9eec4a35 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Fri, 30 Aug 2024 20:22:15 +0100 Subject: [PATCH 17/19] update docs --- docs/data-sources/encryption_at_rest.md | 4 ++-- docs/resources/encryption_at_rest.md | 15 +++++++++++++-- .../aws/atlas-cluster/main.tf | 2 +- .../mongodbatlas_encryption_at_rest/azure/main.tf | 2 +- templates/resources/encryption_at_rest.md.tmpl | 11 +++++++++++ 5 files changed, 28 insertions(+), 6 deletions(-) diff --git a/docs/data-sources/encryption_at_rest.md b/docs/data-sources/encryption_at_rest.md index bd7da0d0e1..ca5332e2ee 100644 
--- a/docs/data-sources/encryption_at_rest.md +++ b/docs/data-sources/encryption_at_rest.md @@ -44,7 +44,7 @@ resource "mongodbatlas_encryption_at_rest" "test" { } resource "mongodbatlas_advanced_cluster" "cluster" { - project_id = var.atlas_project_id + project_id = mongodbatlas_encryption_at_rest.test.project_id name = "MyCluster" cluster_type = "REPLICASET" backup_enabled = true @@ -96,7 +96,7 @@ data "mongodbatlas_encryption_at_rest" "test" { project_id = mongodbatlas_encryption_at_rest.test.project_id } -output "azure_encryption_at_rest_validity" { +output "is_azure_encryption_at_rest_valid" { value = data.mongodbatlas_encryption_at_rest.test.azure_key_vault_config.valid } ``` diff --git a/docs/resources/encryption_at_rest.md b/docs/resources/encryption_at_rest.md index d0990a83f2..5a95d0e320 100644 --- a/docs/resources/encryption_at_rest.md +++ b/docs/resources/encryption_at_rest.md @@ -24,6 +24,8 @@ See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/ ## Example Usages ### Configuring encryption at rest using customer key management in AWS +The configuration of encryption at rest with customer key management, `mongodbatlas_encryption_at_rest`, needs to be completed before a cluster is created in the project. Force this wait by using an implicit dependency via `project_id` as shown in the example below. + ```terraform resource "mongodbatlas_cloud_provider_access_setup" "setup_only" { project_id = var.atlas_project_id @@ -51,7 +53,7 @@ resource "mongodbatlas_encryption_at_rest" "test" { } resource "mongodbatlas_advanced_cluster" "cluster" { - project_id = var.atlas_project_id + project_id = mongodbatlas_encryption_at_rest.test.project_id name = "MyCluster" cluster_type = "REPLICASET" backup_enabled = true 
@@ -79,6 +81,8 @@ output "is_aws_kms_encryption_at_rest_valid" { } ``` +**NOTE** if using the two resources path for cloud provider access, `cloud_provider_access_setup` and `cloud_provider_access_authorization`, you may need to define a `depends_on` statement for these two resources, because terraform is not able to infer the dependency. + ### Configuring encryption at rest using customer key management in Azure ```terraform resource "mongodbatlas_encryption_at_rest" "test" { @@ -103,13 +107,20 @@ data "mongodbatlas_encryption_at_rest" "test" { project_id = mongodbatlas_encryption_at_rest.test.project_id } -output "azure_encryption_at_rest_validity" { +output "is_azure_encryption_at_rest_valid" { value = data.mongodbatlas_encryption_at_rest.test.azure_key_vault_config.valid } ``` -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. +```terraform +resource "mongodbatlas_encryption_at_rest" "default" { + (...) + depends_on = [mongodbatlas_cloud_provider_access_setup., mongodbatlas_cloud_provider_access_authorization.] +} +``` + ### Configuring encryption at rest using customer key management in GCP ```terraform resource "mongodbatlas_encryption_at_rest" "test" { diff --git a/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf b/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf index 20c797e31e..e07e46e1e4 100644 --- a/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf +++ b/examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf 
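Review bot: the `depends_on` snippet added to `docs/resources/encryption_at_rest.md` contains unresolvable references: `mongodbatlas_cloud_provider_access_setup.` and `mongodbatlas_cloud_provider_access_authorization.` end in a dot with no resource name and will not parse if copied. Use the names from the example above it, e.g. `mongodbatlas_cloud_provider_access_setup.setup_only`, and a named authorization resource. The snippet is also placed under the Azure section after the Private Link note, while the `**NOTE** if using the two resources path...` paragraph it illustrates sits in the AWS section (patch 18 later moves it but keeps the dangling references); since `docs/` is regenerated by `make generate-doc`, the fix has to land in `templates/resources/encryption_at_rest.md.tmpl` as well. Wording: "two resources path" should be "two-resource path" and "terraform" should be "Terraform". On the new ordering paragraph: the `project_id` implicit dependency only guarantees that `mongodbatlas_encryption_at_rest` is applied before the cluster; the cluster still has to opt in through its own `encryption_at_rest_provider` setting, which the hunk context does not show, so confirm the example sets it and say so in the paragraph.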
@@ -24,7 +24,7 @@ resource "mongodbatlas_encryption_at_rest" "test" { } resource "mongodbatlas_advanced_cluster" "cluster" { - project_id = var.atlas_project_id + project_id = mongodbatlas_encryption_at_rest.test.project_id name = "MyCluster" cluster_type = "REPLICASET" backup_enabled = true diff --git a/examples/mongodbatlas_encryption_at_rest/azure/main.tf b/examples/mongodbatlas_encryption_at_rest/azure/main.tf index c64fe13596..2323df7241 100644 --- a/examples/mongodbatlas_encryption_at_rest/azure/main.tf +++ b/examples/mongodbatlas_encryption_at_rest/azure/main.tf @@ -20,6 +20,6 @@ data "mongodbatlas_encryption_at_rest" "test" { project_id = mongodbatlas_encryption_at_rest.test.project_id } -output "azure_encryption_at_rest_validity" { +output "is_azure_encryption_at_rest_valid" { value = data.mongodbatlas_encryption_at_rest.test.azure_key_vault_config.valid } diff --git a/templates/resources/encryption_at_rest.md.tmpl b/templates/resources/encryption_at_rest.md.tmpl index c1ab830778..6b1217d5a3 100644 --- a/templates/resources/encryption_at_rest.md.tmpl +++ b/templates/resources/encryption_at_rest.md.tmpl 
@@ -24,13 +24,24 @@ See [Encryption at Rest](https://docs.atlas.mongodb.com/security-kms-encryption/ ## Example Usages ### Configuring encryption at rest using customer key management in AWS +The configuration of encryption at rest with customer key management, `mongodbatlas_encryption_at_rest`, needs to be completed before a cluster is created in the project. Force this wait by using an implicit dependency via `project_id` as shown in the example below. + {{ tffile (printf "examples/%s/aws/atlas-cluster/main.tf" .Name )}} +**NOTE** if using the two resources path for cloud provider access, `cloud_provider_access_setup` and `cloud_provider_access_authorization`, you may need to define a `depends_on` statement for these two resources, because terraform is not able to infer the dependency. + ### Configuring encryption at rest using customer key management in Azure {{ tffile (printf "examples/%s/azure/main.tf" .Name )}} -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. +```terraform +resource "mongodbatlas_encryption_at_rest" "default" { + (...) + depends_on = [mongodbatlas_cloud_provider_access_setup., mongodbatlas_cloud_provider_access_authorization.] +} +``` + ### Configuring encryption at rest using customer key management in GCP ```terraform resource "mongodbatlas_encryption_at_rest" "test" { From c8998d9d85f12faca9c184e320ea90a56386c3b6 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Fri, 30 Aug 2024 20:35:53 +0100 Subject: [PATCH 18/19] minor --- docs/resources/encryption_at_rest.md | 15 ++++++++------- templates/resources/encryption_at_rest.md.tmpl | 13 +++++++------ 2 files changed, 15 insertions(+), 13 deletions(-) 
diff --git a/docs/resources/encryption_at_rest.md b/docs/resources/encryption_at_rest.md index 5a95d0e320..32313f0143 100644 --- a/docs/resources/encryption_at_rest.md +++ b/docs/resources/encryption_at_rest.md @@ -81,7 +81,14 @@ output "is_aws_kms_encryption_at_rest_valid" { } ``` -**NOTE** if using the two resources path for cloud provider access, `cloud_provider_access_setup` and `cloud_provider_access_authorization`, you may need to define a `depends_on` statement for these two resources, because terraform is not able to infer the dependency. +**NOTE** If using the two resources path for cloud provider access, `cloud_provider_access_setup` and `cloud_provider_access_authorization`, you may need to define a `depends_on` statement for these two resources, because terraform is not able to infer the dependency. + +```terraform +resource "mongodbatlas_encryption_at_rest" "default" { + (...) + depends_on = [mongodbatlas_cloud_provider_access_setup., mongodbatlas_cloud_provider_access_authorization.] +} +``` ### Configuring encryption at rest using customer key management in Azure ```terraform @@ -114,12 +121,6 @@ output "is_azure_encryption_at_rest_valid" { -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. -```terraform -resource "mongodbatlas_encryption_at_rest" "default" { - (...) - depends_on = [mongodbatlas_cloud_provider_access_setup., mongodbatlas_cloud_provider_access_authorization.] -} -``` ### Configuring encryption at rest using customer key management in GCP ```terraform diff --git a/templates/resources/encryption_at_rest.md.tmpl b/templates/resources/encryption_at_rest.md.tmpl index 6b1217d5a3..2e3018586d 100644 --- a/templates/resources/encryption_at_rest.md.tmpl 
+++ b/templates/resources/encryption_at_rest.md.tmpl @@ -28,12 +28,7 @@ The configuration of encryption at rest with customer key management, `mongodbat {{ tffile (printf "examples/%s/aws/atlas-cluster/main.tf" .Name )}} -**NOTE** if using the two resources path for cloud provider access, `cloud_provider_access_setup` and `cloud_provider_access_authorization`, you may need to define a `depends_on` statement for these two resources, because terraform is not able to infer the dependency. - -### Configuring encryption at rest using customer key management in Azure -{{ tffile (printf "examples/%s/azure/main.tf" .Name )}} - --> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. +**NOTE** If using the two resources path for cloud provider access, `cloud_provider_access_setup` and `cloud_provider_access_authorization`, you may need to define a `depends_on` statement for these two resources, because terraform is not able to infer the dependency. ```terraform resource "mongodbatlas_encryption_at_rest" "default" { @@ -42,6 +37,12 @@ resource "mongodbatlas_encryption_at_rest" "default" { } ``` +### Configuring encryption at rest using customer key management in Azure +{{ tffile (printf "examples/%s/azure/main.tf" .Name )}} + +-> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details. + + ### Configuring encryption at rest using customer key management in GCP ```terraform resource "mongodbatlas_encryption_at_rest" "test" { 
From 23ca1d447a931baef2262e576a134f9ac02729d5 Mon Sep 17 00:00:00 2001 From: Aastha Mahendru Date: Wed, 4 Sep 2024 14:36:18 +0100 Subject: [PATCH 19/19] address PR comments --- docs/data-sources/encryption_at_rest.md | 4 +--- docs/resources/encryption_at_rest.md | 4 +--- internal/service/encryptionatrest/data_source_schema.go | 4 ++-- internal/service/encryptionatrest/resource.go | 7 ++++--- templates/resources/encryption_at_rest.md.tmpl | 2 ++ 5 files changed, 10 insertions(+), 11 deletions(-) diff --git a/docs/data-sources/encryption_at_rest.md b/docs/data-sources/encryption_at_rest.md index ca5332e2ee..a58b44a094 100644 --- a/docs/data-sources/encryption_at_rest.md +++ b/docs/data-sources/encryption_at_rest.md @@ -129,9 +129,7 @@ output "is_gcp_encryption_at_rest_valid" { ### Required -- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access. - -**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups. +- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. ### Read-Only diff --git a/docs/resources/encryption_at_rest.md b/docs/resources/encryption_at_rest.md index ad977e6997..e88e45fdba 100644 --- a/docs/resources/encryption_at_rest.md +++ b/docs/resources/encryption_at_rest.md 
@@ -142,9 +142,7 @@ resource "mongodbatlas_encryption_at_rest" "test" { ### Required -- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access. - -**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups. +- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. ### Optional diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go index 2c3c5e8267..540fc59159 100644 --- a/internal/service/encryptionatrest/data_source_schema.go +++ b/internal/service/encryptionatrest/data_source_schema.go 
@@ -155,8 +155,8 @@ func DataSourceSchema(ctx context.Context) schema.Schema { }, "project_id": schema.StringAttribute{ Required: true, - Description: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", - MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", + Description: "Unique 24-hexadecimal digit string that identifies your project.", + MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.", }, "id": schema.StringAttribute{ Computed: true, diff --git a/internal/service/encryptionatrest/resource.go b/internal/service/encryptionatrest/resource.go index 0370d0af3c..7a82d2bc69 100644 --- a/internal/service/encryptionatrest/resource.go +++ b/internal/service/encryptionatrest/resource.go @@ -9,6 +9,8 @@ import ( "reflect" "time" + "go.mongodb.org/atlas-sdk/v20240805003/admin" + "github.com/hashicorp/terraform-plugin-framework-validators/listvalidator" "github.com/hashicorp/terraform-plugin-framework/path" "github.com/hashicorp/terraform-plugin-framework/resource" 
@@ -25,7 +27,6 @@ import ( "github.com/mongodb/terraform-provider-mongodbatlas/internal/common/validate" "github.com/mongodb/terraform-provider-mongodbatlas/internal/config" "github.com/mongodb/terraform-provider-mongodbatlas/internal/service/project" - "go.mongodb.org/atlas-sdk/v20240805003/admin" ) const ( @@ -102,8 +103,8 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ PlanModifiers: []planmodifier.String{ stringplanmodifier.RequiresReplace(), }, - Description: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", - MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.", + Description: "Unique 24-hexadecimal digit string that identifies your project.", + MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.", }, }, Blocks: map[string]schema.Block{ diff --git a/templates/resources/encryption_at_rest.md.tmpl b/templates/resources/encryption_at_rest.md.tmpl index 2e3018586d..a01b48e279 100644 --- a/templates/resources/encryption_at_rest.md.tmpl +++ b/templates/resources/encryption_at_rest.md.tmpl 
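Review bot: dropping the relative `[/groups](#tag/Projects/operation/listProjects)` link from the `project_id` descriptions is right, since that anchor only resolves on the Atlas API reference page and is dead in the provider docs; the groups/projects note it carried is already present as a `-> **NOTE:**` in the data-source template in this series, so nothing is lost there, but check that the resource template has the equivalent before the schema note disappears. The move of `go.mongodb.org/atlas-sdk/v20240805003/admin` into the third-party import group is a pure goimports grouping fix. Minor: `Description` and `MarkdownDescription` are the same string in both schema files; a shared constant would keep them from drifting apart.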
@@ -6,6 +6,8 @@ [Azure Key Vault](https://docs.atlas.mongodb.com/security-azure-kms/#security-azure-kms) [Google Cloud KMS](https://docs.atlas.mongodb.com/security-gcp-kms/#security-gcp-kms) +The [encryption at rest Terraform module](https://registry.terraform.io/modules/terraform-mongodbatlas-modules/encryption-at-rest/mongodbatlas/latest) makes use of this resource and simplifies its use. + After configuring at least one Encryption at Rest provider for the Atlas project, Project Owners can enable Encryption at Rest for each Atlas cluster for which they require encryption. The Encryption at Rest provider does not have to match the cluster cloud service provider. Atlas does not automatically rotate user-managed encryption keys. Defer to your preferred Encryption at Rest provider’s documentation and guidance for best practices on key rotation. Atlas automatically creates a 90-day key rotation alert when you configure Encryption at Rest using your Key Management in an Atlas project.