IBM-Cloud · hkantare · Mar 24, 2024 · Mar 20, 2024 · Mar 20, 2024 · Mar 21, 2024
diff --git a/ibm/service/kms/resource_ibm_kms_instance_policies.go b/ibm/service/kms/resource_ibm_kms_instance_policies.go
@@ -36,6 +36,13 @@ func ResourceIBMKmsInstancePolicy() *schema.Resource {
 				Description:      "Key protect or hpcs instance GUID or CRN",
 				DiffSuppressFunc: suppressKMSInstanceIDDiff,
 			},
+			"endpoint_type": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: validate.ValidateAllowedStringValues([]string{"public", "private"}),
+				Description:  "public or private",
+			},
 			"dual_auth_delete": {
 				Type:         schema.TypeList,
 				Optional:     true,

diff --git a/ibm/service/kms/resource_ibm_kms_key.go b/ibm/service/kms/resource_ibm_kms_key.go
@@ -139,6 +139,31 @@ func ResourceIBMKmskey() *schema.Resource {
 				Computed:    true,
 				Description: "Key protect or hpcs instance CRN",
 			},
+
+			"registrations": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Registrations of the key across different services",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"key_id": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The id of the key being used in the registration",
+						},
+						"resource_crn": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The CRN of the resource tied to the key registration",
+						},
+						"prevent_key_deletion": {
+							Type:        schema.TypeBool,
+							Computed:    true,
+							Description: "Determines if the registration of the key prevents a deletion.",
+						},
+					},
+				},
+			},
 			flex.ResourceName: {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -225,7 +250,17 @@ func resourceIBMKmsKeyDelete(d *schema.ResourceData, meta interface{}) error {
 
 	_, err1 := kpAPI.DeleteKey(context.Background(), keyid, kp.ReturnRepresentation, f)
 	if err1 != nil {
-		return fmt.Errorf("[ERROR] Error while deleting: %s", err1)
+		registrations := d.Get("registrations").([]interface{})
+		var registrationLog error
+		if registrations != nil && len(registrations) > 0 {
+			resourceCrns := make([]string, 0)
+			for _, registration := range registrations {
+				r := registration.(map[string]interface{})
+				resourceCrns = append(resourceCrns, r["resource_crn"].(string))
+			}
+			registrationLog = fmt.Errorf(". The key has the following active registrations which may interfere with deletion: %v", resourceCrns)
+		}
+		return fmt.Errorf("[ERROR] Error while deleting: %s%s", err1, registrationLog)
 	}
 	d.SetId("")
 	return nil
@@ -327,6 +362,23 @@ func setKeyDetails(d *schema.ResourceData, meta interface{}, instanceID string,
 
 	d.Set(flex.ResourceControllerURL, rcontroller+"/services/kms/"+url.QueryEscape(crn1)+"%3A%3A")
 
+	// Get the Registration of the key
+	registrations, err := kpAPI.ListRegistrations(context.Background(), key.ID, "")
+	if err != nil {
+		return err
+	}
+	// making a map[string]interface{} for terraform key.registration Attribute
+	rSlice := make([]map[string]interface{}, 0)
+	for _, r := range registrations.Registrations {
+		registration := map[string]interface{}{
+			"key_id":               r.KeyID,
+			"resource_crn":         r.ResourceCrn,
+			"prevent_key_deletion": r.PreventKeyDeletion,
+		}
+		rSlice = append(rSlice, registration)
+	}
+	d.Set("registrations", rSlice)
+
 	return nil
 }
 
@@ -396,7 +448,8 @@ func populateSchemaData(d *schema.ResourceData, meta interface{}) (*kp.Client, e
 		return nil, err
 	}
 	// keyid := d.Id()
-	key, err := kpAPI.GetKey(context.Background(), keyid)
+	ctx := context.Background()
+	key, err := kpAPI.GetKey(ctx, keyid)
 	if err != nil {
 		kpError := err.(*kp.Error)
 		if kpError.StatusCode == 404 || kpError.StatusCode == 409 {
@@ -413,5 +466,6 @@ func populateSchemaData(d *schema.ResourceData, meta interface{}) (*kp.Client, e
 	if err != nil {
 		return nil, err
 	}
+
 	return kpAPI, nil
 }
diff --git a/website/docs/r/kms_instance_policies.html.markdown b/website/docs/r/kms_instance_policies.html.markdown
@@ -57,6 +57,8 @@ The following arguments are supported:
 
 
 - `instance_id` - (Required, String) The key-protect instance ID for creating policies.
+- `endpoint_type` - (Optional, String) The type of the public endpoint, or private endpoint to be used for creating keys.
+
 - `rotation` - (Optional,list) The Instance rotation time interval in months, with a minimum of 1, and a maximum of 12.
   Nested scheme for `rotation`:
 

diff --git a/website/docs/r/kms_key.html.markdown b/website/docs/r/kms_key.html.markdown
@@ -131,6 +131,13 @@ In addition to all argument reference list, you can access the following attribu
 - `key_id` - (String) The ID of the key.
 - `key_ring_id` - (String) The ID of the key ring that your Key Protect key belongs to.
 - `type` - (String) The type of the key KMS or HPCS.
+- `registrations` - (List) The registrations associated with the key.
+
+  Nested scheme for `registrations`:
+  - `key_id` - (String) The id of the key associated with the association.
+  - `resource_crn` - (String) The CRN of the resource that has a registration to the key.
+  - `prevent_key_deletion` - (Boolean) Determines if the resource prevents the key deletion.
+
 - `policy` - (String) The policies associated with the key.
 
   Nested scheme for `policy`:
@@ -155,6 +162,7 @@ In addition to all argument reference list, you can access the following attribu
      - `last_update_date` - (Timestamp)  The date when the policy last replaced or modified. The date format follows RFC 3339.
      - `updated_by` - (String) The unique ID for the resource that updated the policy.
 
+
 ## Import
 The `ibm_kms_key` can be imported by using the `id` and `crn`.