Merge pull request #29250 from bennylu2/f-aws_kms_key_data_source-29201

d/aws_kms_key - additional attributes
hashicorp · Apr 19, 2023 · a23d5dc · a23d5dc
2 parents ded052b + 2094576
commit a23d5dc
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 1 deletion.
diff --git a/.changelog/29250.txt b/.changelog/29250.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+data-source/aws_kms_key: Add `cloud_hsm_cluster_id`, `custom_key_store_id`, `key_spec`, `pending_deletion_window_in_days`, and `xks_key_configuration` attributes
+```
diff --git a/internal/service/kms/key_data_source.go b/internal/service/kms/key_data_source.go
@@ -26,6 +26,10 @@ func DataSourceKey() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"cloud_hsm_cluster_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"creation_date": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -34,6 +38,10 @@ func DataSourceKey() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"custom_key_store_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"deletion_date": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -64,6 +72,10 @@ func DataSourceKey() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"key_spec": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"key_state": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -124,10 +136,26 @@ func DataSourceKey() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"pending_deletion_window_in_days": {
+				Type:     schema.TypeInt,
+				Computed: true,
+			},
 			"valid_to": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"xks_key_configuration": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -155,15 +183,18 @@ func dataSourceKeyRead(ctx context.Context, d *schema.ResourceData, meta interfa
 	d.SetId(aws.StringValue(keyMetadata.KeyId))
 	d.Set("arn", keyMetadata.Arn)
 	d.Set("aws_account_id", keyMetadata.AWSAccountId)
+	d.Set("cloud_hsm_cluster_id", keyMetadata.CloudHsmClusterId)
 	d.Set("creation_date", aws.TimeValue(keyMetadata.CreationDate).Format(time.RFC3339))
 	d.Set("customer_master_key_spec", keyMetadata.CustomerMasterKeySpec)
+	d.Set("custom_key_store_id", keyMetadata.CustomKeyStoreId)
 	if keyMetadata.DeletionDate != nil {
 		d.Set("deletion_date", aws.TimeValue(keyMetadata.DeletionDate).Format(time.RFC3339))
 	}
 	d.Set("description", keyMetadata.Description)
 	d.Set("enabled", keyMetadata.Enabled)
 	d.Set("expiration_model", keyMetadata.ExpirationModel)
 	d.Set("key_manager", keyMetadata.KeyManager)
+	d.Set("key_spec", keyMetadata.KeySpec)
 	d.Set("key_state", keyMetadata.KeyState)
 	d.Set("key_usage", keyMetadata.KeyUsage)
 	d.Set("multi_region", keyMetadata.MultiRegion)
@@ -175,9 +206,17 @@ func dataSourceKeyRead(ctx context.Context, d *schema.ResourceData, meta interfa
 		d.Set("multi_region_configuration", nil)
 	}
 	d.Set("origin", keyMetadata.Origin)
+	d.Set("pending_deletion_window_in_days", keyMetadata.PendingDeletionWindowInDays)
 	if keyMetadata.ValidTo != nil {
 		d.Set("valid_to", aws.TimeValue(keyMetadata.ValidTo).Format(time.RFC3339))
 	}
+	if keyMetadata.XksKeyConfiguration != nil {
+		if err := d.Set("xks_key_configuration", []interface{}{flattenXksKeyConfigurationType(keyMetadata.XksKeyConfiguration)}); err != nil {
+			return sdkdiag.AppendErrorf(diags, "setting xks_key_configuration: %s", err)
+		}
+	} else {
+		d.Set("xks_key_configuration", nil)
+	}
 
 	return diags
 }
@@ -239,3 +278,17 @@ func flattenMultiRegionKeys(apiObjects []*kms.MultiRegionKey) []interface{} {
 
 	return tfList
 }
+
+func flattenXksKeyConfigurationType(apiObject *kms.XksKeyConfigurationType) map[string]interface{} {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]interface{}{}
+
+	if v := apiObject.Id; v != nil {
+		tfMap["id"] = aws.StringValue(v)
+	}
+
+	return tfMap
+}
diff --git a/internal/service/kms/key_data_source_test.go b/internal/service/kms/key_data_source_test.go
@@ -131,19 +131,24 @@ func TestAccKMSKeyDataSource_byAliasID(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"),
 					acctest.CheckResourceAttrAccountID(dataSourceName, "aws_account_id"),
+					resource.TestCheckResourceAttr(dataSourceName, "cloud_hsm_cluster_id", ""),
 					resource.TestCheckResourceAttrSet(dataSourceName, "creation_date"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "customer_master_key_spec", resourceName, "customer_master_key_spec"),
+					resource.TestCheckResourceAttr(dataSourceName, "custom_key_store_id", ""),
 					resource.TestCheckNoResourceAttr(dataSourceName, "deletion_date"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "description", resourceName, "description"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "enabled", resourceName, "is_enabled"),
 					resource.TestCheckResourceAttr(dataSourceName, "expiration_model", ""),
 					resource.TestCheckResourceAttr(dataSourceName, "key_manager", "CUSTOMER"),
+					resource.TestCheckResourceAttr(dataSourceName, "key_spec", "SYMMETRIC_DEFAULT"),
 					resource.TestCheckResourceAttr(dataSourceName, "key_state", "Enabled"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "key_usage", resourceName, "key_usage"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "multi_region", resourceName, "multi_region"),
 					resource.TestCheckResourceAttr(dataSourceName, "multi_region_configuration.#", "0"),
 					resource.TestCheckResourceAttr(dataSourceName, "origin", "AWS_KMS"),
+					resource.TestCheckResourceAttr(dataSourceName, "pending_deletion_window_in_days", "0"),
 					resource.TestCheckNoResourceAttr(dataSourceName, "valid_to"),
+					resource.TestCheckResourceAttr(dataSourceName, "xks_key_configuration.#", "0"),
 				),
 			},
 		},

diff --git a/website/docs/d/kms_key.html.markdown b/website/docs/d/kms_key.html.markdown
@@ -47,19 +47,24 @@ data "aws_kms_key" "by_key_arn" {
 * `id`: The globally unique identifier for the key
 * `arn`: The ARN of the key
 * `aws_account_id`: The twelve-digit account ID of the AWS account that owns the key
+* `cloud_hsm_cluster_id`: The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
 * `creation_date`: The date and time when the key was created
+* `custom_key_store_id`: A unique identifier for the custom key store that contains the KMS key.
+* `customer_master_key_spec`: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
 * `deletion_date`: The date and time after which AWS KMS deletes the key. This value is present only when `key_state` is `PendingDeletion`, otherwise this value is 0
 * `description`: The description of the key.
 * `enabled`: Specifies whether the key is enabled. When `key_state` is `Enabled` this value is true, otherwise it is false
 * `expiration_model`: Specifies whether the Key's key material expires. This value is present only when `origin` is `EXTERNAL`, otherwise this value is empty
 * `key_manager`: The key's manager
+* `key_spec`: Describes the type of key material in the KMS key.
 * `key_state`: The state of the key
 * `key_usage`: Specifies the intended use of the key
-* `customer_master_key_spec`: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
 * `multi_region`: Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key.
 * `multi_region_configuration`: Lists the primary and replica keys in same multi-Region key. Present only when the value of `multi_region` is `true`.
 * `origin`: When this value is `AWS_KMS`, AWS KMS created the key material. When this value is `EXTERNAL`, the key material was imported from your existing key management infrastructure or the CMK lacks key material
+* `pending_deletion_window_in_days`: The waiting period before the primary key in a multi-Region key is deleted.
 * `valid_to`: The time at which the imported key material expires. This value is present only when `origin` is `EXTERNAL` and whose `expiration_model` is `KEY_MATERIAL_EXPIRES`, otherwise this value is 0
+* `xks_key_configuration`: Information about the external key that is associated with a KMS key in an external key store.
 
 The `multi_region_configuration` object supports the following: