new resource "azurerm_key_vault_key_encrypt" and data source "azurerm_key_vault_key_decrypt" #8895
Conversation
ghost
added
|
dependent on #7856 (comment) |
This comment has been minimized.
This comment has been minimized.
| @@ -0,0 +1,94 @@ | |||
| package keyvault | |||
There was a problem hiding this comment.
If the intention is to encrypt secrets, might i suggest that the resource instead be called:
azurerm_key_vault_secret_encrypt
There was a problem hiding this comment.
becasue key vault key and key vault secret are different resource, and the rest api is using key vault key to encrypt and decrypt data. So personally I think azurerm_key_vault_secret_encrypt maybe a little misleading?
| @@ -0,0 +1,83 @@ | |||
| package keyvault | |||
There was a problem hiding this comment.
If the intention is to decrypt secrets, might i suggest that the resource instead be called:
azurerm_key_vault_secret_decrypt
| @@ -0,0 +1,94 @@ | |||
| package keyvault | |||
|
|
|||
There was a problem hiding this comment.
I can see there being a value in having a resource block for encrypting secrets with a static encrypted blob, and a data source for encrypting secrets with a value that changes on every apply, but I only see an encrypt resource.
Could you create an equivalent encrypt data source, as if we're modelling it after aws_kms_ciphertext, we should have the ability for users to choose whether to change the encrypted blob frequently or infrequently.
There was a problem hiding this comment.
is there any scenario that users want to change the encrypted data every time? In the resource, we could also change the encrypted data by changing the property name
azurerm/internal/services/keyvault/key_vault_key_encrypt_resource.go
Outdated
Show resolved
Hide resolved
| ValidateFunc: azure.ValidateKeyVaultChildId, | ||
| }, | ||
|
|
||
| "payload": { |
There was a problem hiding this comment.
what format are we expecting here? base64?
| "payload": { | |
| "encrypted_base64_data": { |
| }, false), | ||
| }, | ||
|
|
||
| "cipher_text": { |
There was a problem hiding this comment.
should this also then be
| "cipher_text": { | |
| "encrypted_data_in_base64": { |
There was a problem hiding this comment.
the result format is base64url, which is slightly different from base64. please refer to RFC: https://tools.ietf.org/html/rfc4648#section-5. I have noted it in the doc. Should I still rename this property?
There was a problem hiding this comment.
yes lets rename it to match what is expected so people don't have to look at docs and can tell from the property name. as for url in there is this different then any other base64 property for azure?
There was a problem hiding this comment.
lets go with encrypted_data_in_base64 and then add a validation function to ensure its the right base64 format
| return fmt.Sprintf(` | ||
| %s | ||
|
|
||
| data "azurerm_key_vault_key_decrypt" "test" { |
There was a problem hiding this comment.
could we use the encrypt resource and decrypt to check that the workflow works?
There was a problem hiding this comment.
yes, in this data source, we assign the cipher_text of azurerm_key_vault_key_encrypt to payload, and in the check functions, we checked whether the descrypt value is the inital input plaintext.
In this way, we checked the whole encrypt and decrypt workflow
|
Thanks @katbyte , I have rebased and refine this PR |
| "payload": { | ||
| Type: schema.TypeString, | ||
| Required: true, | ||
| }, |
There was a problem hiding this comment.
lets just use base64 without any url in the property name and then validate it?
| }, false), | ||
| }, | ||
|
|
||
| "cipher_text": { |
There was a problem hiding this comment.
lets go with encrypted_data_in_base64 and then add a validation function to ensure its the right base64 format
|
@katbyte Thanks for your opinion, I have renamed the field and added validation |
|
Any thoughts on my comments @njuCZ?
|
|
@IanMoroney sorry for late reply. I thought this PR was blocked, but it seems things become better now. I have commented inline. Thanks for your review |
|
@njuCZ @IanMoroney What is the status here, actually? |
``` $ TF_ACC=1 go test -v ./internal/services/keyvault -run=TestAccEncryptedValueDataSource_ === RUN TestAccEncryptedValueDataSource_encryptAndDecrypt === PAUSE TestAccEncryptedValueDataSource_encryptAndDecrypt === CONT TestAccEncryptedValueDataSource_encryptAndDecrypt --- PASS: TestAccEncryptedValueDataSource_encryptAndDecrypt (274.42s) PASS ok github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault 276.443s ``` This commit supersedes #8895 by converting this into a Data Source rather than a Resource which handles the bi-directional conversion of encrypted/decrypted values as necessary.
|
hi @njuCZ Apologies for the delayed re-review of this PR - taking a look through here whilst this is functional these both want to be data sources and since the value can be converted bi-directionally we can make these a singular data source for "encrypted value". Since there's some larger changes to get this PR in, I hope you don't mind but I've opened #15873 which supersedes this PR and will allow this to ship via the Thanks! |
``` $ TF_ACC=1 go test -v ./internal/services/keyvault -run=TestAccEncryptedValueDataSource_ === RUN TestAccEncryptedValueDataSource_encryptAndDecrypt === PAUSE TestAccEncryptedValueDataSource_encryptAndDecrypt === CONT TestAccEncryptedValueDataSource_encryptAndDecrypt --- PASS: TestAccEncryptedValueDataSource_encryptAndDecrypt (274.42s) PASS ok github.com/hashicorp/terraform-provider-azurerm/internal/services/keyvault 276.443s ``` This commit supersedes #8895 by converting this into a Data Source rather than a Resource which handles the bi-directional conversion of encrypted/decrypted values as necessary.
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
fix #7856
resource "azurerm_key_vault_key_encrypt" is similar with "aws_kms_ciphertext"
data source "azurerm_key_vault_key_decrypt" is similar with "aws_kms_secret"
to keep a stable encrypted value, make "azurerm_key_vault_key_encrypt" be a resource but not a data source.
there is no need to support "import" operation for resource "azurerm_key_vault_key_encrypt"