Add support for protection_level to google_kms_crypto_key (#2751)

/cc @rileykarson
2024-07-01 15:52:39 +00:00 · 2018-12-27 10:07:51 -08:00 · 2018-12-27 10:07:51 -08:00 · a1e5c4fff0
commit a1e5c4fff0
parent 2ab6d1995f
3 changed files with 78 additions and 1 deletions
--- a/google/resource_kms_crypto_key.go
+++ b/google/resource_kms_crypto_key.go
@ -2,6 +2,7 @@ package google

 import (
 	"fmt"
+	"github.com/hashicorp/terraform/helper/validation"
 	"log"
 	"regexp"
 	"strconv"
@ -39,6 +40,27 @@ func resourceKmsCryptoKey() *schema.Resource {
 				Optional:     true,
 				ValidateFunc: validateKmsCryptoKeyRotationPeriod,
 			},
+			"version_template": {
+				Type:     schema.TypeList,
+				MaxItems: 1,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"algorithm": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"protection_level": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ForceNew:     true,
+							Default:      "SOFTWARE",
+							ValidateFunc: validation.StringInSlice([]string{"SOFTWARE", "HSM", ""}, false),
+						},
+					},
+				},
+			},
 			"self_link": {
 				Type:     schema.TypeString,
 				Computed: true,
@ -84,7 +106,10 @@ func resourceKmsCryptoKeyCreate(d *schema.ResourceData, meta interface{}) error
 		Name:      d.Get("name").(string),
 	}

-	key := cloudkms.CryptoKey{Purpose: "ENCRYPT_DECRYPT"}
+	key := cloudkms.CryptoKey{
+		Purpose:         "ENCRYPT_DECRYPT",
+		VersionTemplate: expandVersionTemplate(d.Get("version_template").([]interface{})),
+	}

 	if d.Get("rotation_period") != "" {
 		rotationPeriod := d.Get("rotation_period").(string)
@ -133,6 +158,10 @@ func resourceKmsCryptoKeyUpdate(d *schema.ResourceData, meta interface{}) error
 		key.RotationPeriod = rotationPeriod
 	}

+	if d.HasChange("version_template") {
+		key.VersionTemplate = expandVersionTemplate(d.Get("version_template").([]interface{}))
+	}
+
 	cryptoKey, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Patch(cryptoKeyId.cryptoKeyId(), &key).UpdateMask("rotation_period,next_rotation_time").Do()

 	if err != nil {
@ -165,6 +194,10 @@ func resourceKmsCryptoKeyRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("rotation_period", cryptoKey.RotationPeriod)
 	d.Set("self_link", cryptoKey.Name)

+	if err = d.Set("version_template", flattenVersionTemplate(cryptoKey.VersionTemplate)); err != nil {
+		return fmt.Errorf("Error setting version_template in state: %s", err.Error())
+	}
+
 	d.SetId(cryptoKeyId.cryptoKeyId())

 	return nil
@ -219,6 +252,33 @@ and all its CryptoKeyVersions will be destroyed, but it will still be present on
 	return nil
 }

+func expandVersionTemplate(configured []interface{}) *cloudkms.CryptoKeyVersionTemplate {
+	if configured == nil || len(configured) == 0 {
+		return nil
+	}
+
+	data := configured[0].(map[string]interface{})
+	return &cloudkms.CryptoKeyVersionTemplate{
+		Algorithm:       data["algorithm"].(string),
+		ProtectionLevel: data["protection_level"].(string),
+	}
+}
+
+func flattenVersionTemplate(versionTemplate *cloudkms.CryptoKeyVersionTemplate) []map[string]interface{} {
+	if versionTemplate == nil {
+		return nil
+	}
+
+	versionTemplateSchema := make([]map[string]interface{}, 0, 1)
+	data := map[string]interface{}{
+		"algorithm":        versionTemplate.Algorithm,
+		"protection_level": versionTemplate.ProtectionLevel,
+	}
+
+	versionTemplateSchema = append(versionTemplateSchema, data)
+	return versionTemplateSchema
+}
+
 func validateKmsCryptoKeyRotationPeriod(value interface{}, _ string) (ws []string, errors []error) {
 	period := value.(string)
 	pattern := regexp.MustCompile("^([0-9.]*\\d)s$")
--- a/google/resource_kms_crypto_key_test.go
+++ b/google/resource_kms_crypto_key_test.go
@ -270,6 +270,10 @@ resource "google_kms_crypto_key" "crypto_key" {
 	name            = "%s"
 	key_ring        = "${google_kms_key_ring.key_ring.self_link}"
 	rotation_period = "1000000s"
+	version_template {
+		algorithm =        "GOOGLE_SYMMETRIC_ENCRYPTION"
+		protection_level = "SOFTWARE"
+	}
 }
 	`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName)
 }
--- a/website/docs/r/google_kms_crypto_key.html.markdown
+++ b/website/docs/r/google_kms_crypto_key.html.markdown
@ -59,6 +59,19 @@ The following arguments are supported:
    the primary. The first rotation will take place after the specified period. The rotation period has the format
    of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than
    a day (ie, 86400).
+    
+* `version_template` - (Optional) A template describing settings for new crypto key versions. Structure is documented below.
+
+---
+
+The `version_template` block supports:
+
+* `algorithm` - (Required)  The algorithm to use when creating a version based on this template.
+See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm)
+for possible inputs.
+
+* `protection_level` - (Optional) The protection level to use when creating a version based on this template.
+One of `SOFTWARE`, or `HSM`.

 ## Attributes Reference