From 9df67fe67dca43e0eb5287562d67825cc6185cb5 Mon Sep 17 00:00:00 2001 From: Modular Magician Date: Tue, 7 Jan 2020 00:08:14 +0000 Subject: [PATCH] Update google_folder import description (#2924) Merged PR #2924. --- .changelog/2924.txt | 3 + ...ata_source_google_kms_secret_ciphertext.go | 3 +- ...ource_google_kms_secret_ciphertext_test.go | 82 ++++++++- google/provider.go | 5 +- google/resource_kms_secret_ciphertext.go | 165 ------------------ google/resource_kms_secret_ciphertext_test.go | 82 --------- ...google_kms_secret_ciphertext.html.markdown | 2 - ...ackend_bucket_signed_url_key.html.markdown | 13 ++ ...ckend_service_signed_url_key.html.markdown | 13 ++ .../r/kms_secret_ciphertext.html.markdown | 126 ------------- website/google.erb | 3 - 11 files changed, 109 insertions(+), 388 deletions(-) create mode 100644 .changelog/2924.txt delete mode 100644 google/resource_kms_secret_ciphertext.go delete mode 100644 google/resource_kms_secret_ciphertext_test.go delete mode 100644 website/docs/r/kms_secret_ciphertext.html.markdown diff --git a/.changelog/2924.txt b/.changelog/2924.txt new file mode 100644 index 00000000000..8ec013c0699 --- /dev/null +++ b/.changelog/2924.txt @@ -0,0 +1,3 @@ +```release-note:none + +``` diff --git a/google/data_source_google_kms_secret_ciphertext.go b/google/data_source_google_kms_secret_ciphertext.go index 2be6daca165..1a78e450bf5 100644 --- a/google/data_source_google_kms_secret_ciphertext.go +++ b/google/data_source_google_kms_secret_ciphertext.go @@ -13,8 +13,7 @@ import ( func dataSourceGoogleKmsSecretCiphertext() *schema.Resource { return &schema.Resource{ - DeprecationMessage: "Use the google_kms_secret_ciphertext resource instead.", - Read: dataSourceGoogleKmsSecretCiphertextRead, + Read: dataSourceGoogleKmsSecretCiphertextRead, Schema: map[string]*schema.Schema{ "crypto_key": { Type: schema.TypeString, 
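Review bot: Dropping `DeprecationMessage` in `dataSourceGoogleKmsSecretCiphertext` makes the data source the only supported way to produce a KMS ciphertext again, so its `plaintext` attribute should carry `Sensitive: true`, as the resource schema deleted in this commit did. That attribute lies outside the hunk, so please confirm it rather than take it as given. The commit also removes `"google_kms_secret_ciphertext": resourceKMSSecretCiphertext()` from the resource map in provider.go while the changelog entry is `release-note:none`. If that resource ever shipped in a release, configurations that use it will stop loading, and a breaking-change note would be warranted.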
diff --git a/google/data_source_google_kms_secret_ciphertext_test.go b/google/data_source_google_kms_secret_ciphertext_test.go
index f13409161fa..16675d09066 100644
--- a/google/data_source_google_kms_secret_ciphertext_test.go
+++ b/google/data_source_google_kms_secret_ciphertext_test.go
@@ -1,41 +1,113 @@ package google import ( + "encoding/base64" "fmt" + "log" "testing" "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/terraform" + "google.golang.org/api/cloudkms/v1" ) -func TestAccDataKmsSecretCiphertext_basic(t *testing.T) { +func TestAccKmsSecretCiphertext_basic(t *testing.T) { t.Parallel() - kms := BootstrapKMSKey(t) + projectOrg := getTestOrgFromEnv(t) + projectBillingAccount := getTestBillingAccountFromEnv(t) + + projectId := "terraform-" + acctest.RandString(10) + keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(10)) + cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(10)) plaintext := fmt.Sprintf("secret-%s", acctest.RandString(10)) + // The first test creates resources needed to encrypt plaintext and produce ciphertext resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testGoogleKmsSecretCiphertext_datasource(kms.CryptoKey.Name, plaintext), + Config: testGoogleKmsCryptoKey_basic(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName), Check: func(s *terraform.State) error { - plaintext, err := testAccDecryptSecretDataWithCryptoKey(s, kms.CryptoKey.Name, "data.google_kms_secret_ciphertext.acceptance") + cryptoKeyId, err := getCryptoKeyId(s, "google_kms_crypto_key.crypto_key") if err != nil { return err } - return resource.TestCheckResourceAttr("data.google_kms_secret_ciphertext.acceptance", "plaintext", plaintext)(s) + // The second test asserts that the data source created a ciphertext that can be decrypted to the correct plaintext + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testGoogleKmsSecretCiphertext_datasource(cryptoKeyId.terraformId(), plaintext), + Check: func(s 
*terraform.State) error { + plaintext, err := testAccDecryptSecretDataWithCryptoKey(s, cryptoKeyId, "data.google_kms_secret_ciphertext.acceptance") + + if err != nil { + return err + } + + return resource.TestCheckResourceAttr("data.google_kms_secret_ciphertext.acceptance", "plaintext", plaintext)(s) + }, + }, + }, + }) + + return nil }, }, }, }) } +func getCryptoKeyId(s *terraform.State, cryptoKeyResourceName string) (*kmsCryptoKeyId, error) { + config := testAccProvider.Meta().(*Config) + rs, ok := s.RootModule().Resources[cryptoKeyResourceName] + if !ok { + return nil, fmt.Errorf("Resource not found: %s", cryptoKeyResourceName) + } + + return parseKmsCryptoKeyId(rs.Primary.Attributes["id"], config) +} + +func testAccDecryptSecretDataWithCryptoKey(s *terraform.State, cryptoKeyId *kmsCryptoKeyId, secretCiphertextResourceName string) (string, error) { + config := testAccProvider.Meta().(*Config) + rs, ok := s.RootModule().Resources[secretCiphertextResourceName] + if !ok { + return "", fmt.Errorf("Resource not found: %s", secretCiphertextResourceName) + } + ciphertext, ok := rs.Primary.Attributes["ciphertext"] + if !ok { + return "", fmt.Errorf("Attribute 'ciphertext' not found in resource '%s'", secretCiphertextResourceName) + } + + kmsDecryptRequest := &cloudkms.DecryptRequest{ + Ciphertext: ciphertext, + } + + decryptResponse, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Decrypt(cryptoKeyId.cryptoKeyId(), kmsDecryptRequest).Do() + + if err != nil { + return "", fmt.Errorf("Error decrypting ciphertext: %s", err) + } + + plaintextBytes, err := base64.StdEncoding.DecodeString(decryptResponse.Plaintext) + + if err != nil { + return "", err + } + + plaintext := string(plaintextBytes) + log.Printf("[INFO] Successfully decrypted ciphertext and got plaintext: %s", plaintext) + + return plaintext, nil +} + func testGoogleKmsSecretCiphertext_datasource(cryptoKeyTerraformId, plaintext string) string { return fmt.Sprintf(` data 
"google_kms_secret_ciphertext" "acceptance" { diff --git a/google/provider.go b/google/provider.go index b95f77c44f2..2a2bb55fd96 100644 --- a/google/provider.go +++ b/google/provider.go @@ -477,9 +477,9 @@ func Provider() terraform.ResourceProvider { return provider } -// Generated resources: 96 +// Generated resources: 95 // Generated IAM resources: 45 -// Total generated resources: 141 +// Total generated resources: 140 func ResourceMap() map[string]*schema.Resource { resourceMap, _ := ResourceMapWithErrors() return resourceMap @@ -597,7 +597,6 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) { "google_identity_platform_tenant": resourceIdentityPlatformTenant(), "google_kms_key_ring": resourceKMSKeyRing(), "google_kms_crypto_key": resourceKMSCryptoKey(), - "google_kms_secret_ciphertext": resourceKMSSecretCiphertext(), "google_logging_metric": resourceLoggingMetric(), "google_ml_engine_model": resourceMLEngineModel(), "google_monitoring_alert_policy": resourceMonitoringAlertPolicy(), diff --git a/google/resource_kms_secret_ciphertext.go b/google/resource_kms_secret_ciphertext.go deleted file mode 100644 index 712c216fb7e..00000000000 --- a/google/resource_kms_secret_ciphertext.go +++ /dev/null 
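Review bot: `testAccDecryptSecretDataWithCryptoKey` in data_source_google_kms_secret_ciphertext_test.go writes the decrypted value to the log (`log.Printf("[INFO] Successfully decrypted ciphertext and got plaintext: %s", plaintext)`). The value here is a random test string, but acceptance logs are often retained and the helper is easy to copy, so I would log the resource name instead: `log.Printf("[INFO] Successfully decrypted ciphertext for %s", secretCiphertextResourceName)`. Separately, the second `resource.Test` is started from inside the first test's `Check` callback, where the inner `s` and `plaintext` shadow the outer ones and a fatal failure in the inner run can unwind before the outer step cleans up. A second `TestStep` in the same `TestCase`, or the shared key from `BootstrapKMSKey(t)` that this hunk removes, would avoid both the nesting and the per-run project creation.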
@@ -1,165 +0,0 @@ -// ---------------------------------------------------------------------------- -// -// *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** -// -// ---------------------------------------------------------------------------- -// -// This file is automatically generated by Magic Modules and manual -// changes will be clobbered when the file is regenerated. -// -// Please read more about how to change this file in -// .github/CONTRIBUTING.md. -// -// ---------------------------------------------------------------------------- - -package google - -import ( - "encoding/base64" - "fmt" - "log" - "reflect" - "regexp" - "time" - - "github.com/hashicorp/terraform-plugin-sdk/helper/schema" -) - -func resourceKMSSecretCiphertext() *schema.Resource { - return &schema.Resource{ - Create: resourceKMSSecretCiphertextCreate, - Read: resourceKMSSecretCiphertextRead, - Delete: resourceKMSSecretCiphertextDelete, - - Timeouts: &schema.ResourceTimeout{ - Create: schema.DefaultTimeout(4 * time.Minute), - Delete: schema.DefaultTimeout(4 * time.Minute), - }, - - Schema: map[string]*schema.Schema{ - "crypto_key": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - Description: `The full name of the CryptoKey that will be used to encrypt the provided plaintext. 
-Format: ''projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}''`, - }, - "plaintext": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - Description: `The plaintext to be encrypted.`, - Sensitive: true, - }, - "ciphertext": { - Type: schema.TypeString, - Computed: true, - Description: `Contains the result of encrypting the provided plaintext, encoded in base64.`, - }, - }, - } -} - -func resourceKMSSecretCiphertextCreate(d *schema.ResourceData, meta interface{}) error { - config := meta.(*Config) - - obj := make(map[string]interface{}) - plaintextProp, err := expandKMSSecretCiphertextPlaintext(d.Get("plaintext"), d, config) - if err != nil { - return err - } else if v, ok := d.GetOkExists("plaintext"); !isEmptyValue(reflect.ValueOf(plaintextProp)) && (ok || !reflect.DeepEqual(v, plaintextProp)) { - obj["plaintext"] = plaintextProp - } - - url, err := replaceVars(d, config, "{{KMSBasePath}}{{crypto_key}}:encrypt") - if err != nil { - return err - } - - log.Printf("[DEBUG] Creating new SecretCiphertext: %#v", obj) - var project string - if parts := regexp.MustCompile(`projects\/([^\/]+)\/`).FindStringSubmatch(url); parts != nil { - project = parts[1] - } - res, err := sendRequestWithTimeout(config, "POST", project, url, obj, d.Timeout(schema.TimeoutCreate)) - if err != nil { - return fmt.Errorf("Error creating SecretCiphertext: %s", err) - } - - // Store the ID now - id, err := replaceVars(d, config, "{{crypto_key}}/{{ciphertext}}") - if err != nil { - return fmt.Errorf("Error constructing id: %s", err) - } - d.SetId(id) - - log.Printf("[DEBUG] Finished creating SecretCiphertext %q: %#v", d.Id(), res) - - // we don't set anything on read and instead do it all in create - ciphertext, ok := res["ciphertext"] - if !ok { - return fmt.Errorf("Create response didn't contain critical fields. 
Create may not have succeeded.") - } - d.Set("ciphertext", ciphertext.(string)) - - id, err = replaceVars(d, config, "{{crypto_key}}/{{ciphertext}}") - if err != nil { - return fmt.Errorf("Error constructing id: %s", err) - } - d.SetId(id) - - return resourceKMSSecretCiphertextRead(d, meta) -} - -func resourceKMSSecretCiphertextRead(d *schema.ResourceData, meta interface{}) error { - config := meta.(*Config) - - url, err := replaceVars(d, config, "{{KMSBasePath}}{{crypto_key}}") - if err != nil { - return err - } - - var project string - if parts := regexp.MustCompile(`projects\/([^\/]+)\/`).FindStringSubmatch(url); parts != nil { - project = parts[1] - } - res, err := sendRequest(config, "GET", project, url, nil) - if err != nil { - return handleNotFoundError(err, d, fmt.Sprintf("KMSSecretCiphertext %q", d.Id())) - } - - res, err = resourceKMSSecretCiphertextDecoder(d, meta, res) - if err != nil { - return err - } - - if res == nil { - // Decoding the object has resulted in it being gone. It may be marked deleted - log.Printf("[DEBUG] Removing KMSSecretCiphertext because it no longer exists.") - d.SetId("") - return nil - } - - return nil -} - -func resourceKMSSecretCiphertextDelete(d *schema.ResourceData, meta interface{}) error { - log.Printf("[WARNING] KMS SecretCiphertext resources"+ - " cannot be deleted from GCP. The resource %s will be removed from Terraform"+ - " state, but will still be present on the server.", d.Id()) - d.SetId("") - - return nil -} - -func expandKMSSecretCiphertextPlaintext(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { - if v == nil { - return nil, nil - } - - return base64.StdEncoding.EncodeToString([]byte(v.(string))), nil -} - -func resourceKMSSecretCiphertextDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) { - return res, nil -} 
diff --git a/google/resource_kms_secret_ciphertext_test.go b/google/resource_kms_secret_ciphertext_test.go
deleted file mode 100644
index 03400ca461f..00000000000
--- a/google/resource_kms_secret_ciphertext_test.go
+++ /dev/null
@@ -1,82 +0,0 @@ -package google - -import ( - "encoding/base64" - "fmt" - "log" - "testing" - - "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" - "github.com/hashicorp/terraform-plugin-sdk/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/terraform" - "google.golang.org/api/cloudkms/v1" -) - -func TestAccKmsSecretCiphertext_basic(t *testing.T) { - t.Parallel() - - kms := BootstrapKMSKey(t) - - plaintext := fmt.Sprintf("secret-%s", acctest.RandString(10)) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - Steps: []resource.TestStep{ - { - Config: testGoogleKmsSecretCiphertext(kms.CryptoKey.Name, plaintext), - Check: func(s *terraform.State) error { - plaintext, err := testAccDecryptSecretDataWithCryptoKey(s, kms.CryptoKey.Name, "google_kms_secret_ciphertext.acceptance") - - if err != nil { - return err - } - - return resource.TestCheckResourceAttr("google_kms_secret_ciphertext.acceptance", "plaintext", plaintext)(s) - }, - }, - }, - }) -} - -func testAccDecryptSecretDataWithCryptoKey(s *terraform.State, cryptoKeyId string, secretCiphertextResourceName string) (string, error) { - config := testAccProvider.Meta().(*Config) - rs, ok := s.RootModule().Resources[secretCiphertextResourceName] - if !ok { - return "", fmt.Errorf("Resource not found: %s", secretCiphertextResourceName) - } - ciphertext, ok := rs.Primary.Attributes["ciphertext"] - if !ok { - return "", fmt.Errorf("Attribute 'ciphertext' not found in resource '%s'", secretCiphertextResourceName) - } - - kmsDecryptRequest := &cloudkms.DecryptRequest{ - Ciphertext: ciphertext, - } - - decryptResponse, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Decrypt(cryptoKeyId, kmsDecryptRequest).Do() - - if err != nil { - return "", fmt.Errorf("Error decrypting ciphertext: %s", err) - } - - plaintextBytes, err := base64.StdEncoding.DecodeString(decryptResponse.Plaintext) - - if err != nil { - return "", err - } - - 
plaintext := string(plaintextBytes) - log.Printf("[INFO] Successfully decrypted ciphertext and got plaintext: %s", plaintext) - - return plaintext, nil -} - -func testGoogleKmsSecretCiphertext(cryptoKeyTerraformId, plaintext string) string { - return fmt.Sprintf(` -resource "google_kms_secret_ciphertext" "acceptance" { - crypto_key = "%s" - plaintext = "%s" -} -`, cryptoKeyTerraformId, plaintext) -} diff --git a/website/docs/d/google_kms_secret_ciphertext.html.markdown b/website/docs/d/google_kms_secret_ciphertext.html.markdown index 9e06d5c1057..cbfc407d53e 100644 --- a/website/docs/d/google_kms_secret_ciphertext.html.markdown +++ b/website/docs/d/google_kms_secret_ciphertext.html.markdown @@ -9,8 +9,6 @@ description: |- # google\_kms\_secret\_ciphertext -!> **Warning:** This data source is deprecated. Use the [`google_kms_secret_ciphertext`](../../r/kms_secret_ciphertext.html) **resource** instead. - This data source allows you to encrypt data with Google Cloud KMS and use the ciphertext within your resource definitions. diff --git a/website/docs/r/compute_backend_bucket_signed_url_key.html.markdown b/website/docs/r/compute_backend_bucket_signed_url_key.html.markdown index 0ce1c4957e5..54a5ae20dd7 100644 --- a/website/docs/r/compute_backend_bucket_signed_url_key.html.markdown +++ b/website/docs/r/compute_backend_bucket_signed_url_key.html.markdown 
@@ -94,6 +94,19 @@ This resource provides the following - `create` - Default is 4 minutes. - `delete` - Default is 4 minutes. +## Import + +BackendBucketSignedUrlKey can be imported using any of these accepted formats: + +``` +$ terraform import google_compute_backend_bucket_signed_url_key.default projects/{{project}}/global/backendBuckets/{{backend_bucket}}/{{name}} +$ terraform import google_compute_backend_bucket_signed_url_key.default {{project}}/{{backend_bucket}}/{{name}} +$ terraform import google_compute_backend_bucket_signed_url_key.default {{backend_bucket}}/{{name}} +``` + +-> If you're importing a resource with beta features, make sure to include `-provider=google-beta` +as an argument so that Terraform uses the correct provider to import your resource. + ## User Project Overrides This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override). diff --git a/website/docs/r/compute_backend_service_signed_url_key.html.markdown b/website/docs/r/compute_backend_service_signed_url_key.html.markdown index afd2809c04d..d4946a1c70b 100644 --- a/website/docs/r/compute_backend_service_signed_url_key.html.markdown +++ b/website/docs/r/compute_backend_service_signed_url_key.html.markdown 
@@ -132,6 +132,19 @@ This resource provides the following - `create` - Default is 4 minutes. - `delete` - Default is 4 minutes. +## Import + +BackendServiceSignedUrlKey can be imported using any of these accepted formats: + +``` +$ terraform import google_compute_backend_service_signed_url_key.default projects/{{project}}/global/backendServices/{{backend_service}}/{{name}} +$ terraform import google_compute_backend_service_signed_url_key.default {{project}}/{{backend_service}}/{{name}} +$ terraform import google_compute_backend_service_signed_url_key.default {{backend_service}}/{{name}} +``` + +-> If you're importing a resource with beta features, make sure to include `-provider=google-beta` +as an argument so that Terraform uses the correct provider to import your resource. + ## User Project Overrides This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override). diff --git a/website/docs/r/kms_secret_ciphertext.html.markdown b/website/docs/r/kms_secret_ciphertext.html.markdown deleted file mode 100644 index 4bb0c4365da..00000000000 --- a/website/docs/r/kms_secret_ciphertext.html.markdown +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -# ---------------------------------------------------------------------------- -# -# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** -# -# ---------------------------------------------------------------------------- -# -# This file is automatically generated by Magic Modules and manual -# changes will be clobbered when the file is regenerated. -# -# Please read more about how to change this file in -# .github/CONTRIBUTING.md. -# -# ---------------------------------------------------------------------------- -subcategory: "Cloud KMS" -layout: "google" -page_title: "Google: google_kms_secret_ciphertext" -sidebar_current: "docs-google-kms-secret-ciphertext" -description: |- - Encrypts secret data with Google Cloud KMS and provides access to the ciphertext. ---- - -# google\_kms\_secret\_ciphertext - -Encrypts secret data with Google Cloud KMS and provides access to the ciphertext. - - -~> **NOTE**: Using this resource will allow you to conceal secret data within your -resource definitions, but it does not take care of protecting that data in the -logging output, plan output, or state output. Please take care to secure your secret -data outside of resource definitions. 
- - -To get more information about SecretCiphertext, see: - -* [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/encrypt) -* How-to Guides - * [Encrypting and decrypting data with a symmetric key](https://cloud.google.com/kms/docs/encrypt-decrypt) - -## Example Usage - Kms Secret Ciphertext Basic - - -```hcl -resource "google_kms_key_ring" "keyring" { - name = "keyring-example" - location = "global" -} - -resource "google_kms_crypto_key" "cryptokey" { - name = "crypto-key-example" - key_ring = google_kms_key_ring.keyring.id - rotation_period = "100000s" - - lifecycle { - prevent_destroy = true - } -} - -resource "google_kms_secret_ciphertext" "my_password" { - crypto_key = google_kms_crypto_key.cryptokey.id - plaintext = "my-secret-password" -} - -resource "google_compute_instance" "instance" { - name = "my-instance" - machine_type = "n1-standard-1" - zone = "us-central1-a" - - boot_disk { - initialize_params { - image = "debian-cloud/debian-9" - } - } - - network_interface { - network = "default" - - access_config { - } - } - - metadata = { - password = google_kms_secret_ciphertext.my_password.ciphertext - } -} -``` - -## Argument Reference - -The following arguments are supported: - - -* `plaintext` - - (Required) - The plaintext to be encrypted. - -* `crypto_key` - - (Required) - The full name of the CryptoKey that will be used to encrypt the provided plaintext. - Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'` - - -- - - - - - -## Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - - -* `ciphertext` - - Contains the result of encrypting the provided plaintext, encoded in base64. - - -## Timeouts - -This resource provides the following -[Timeouts](/docs/configuration/resources.html#timeouts) configuration options: - -- `create` - Default is 4 minutes. 
-- `delete` - Default is 4 minutes. - -## User Project Overrides - -This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override). diff --git a/website/google.erb b/website/google.erb index ed50c8727cf..d7c556cb5b4 100644 --- a/website/google.erb +++ b/website/google.erb @@ -865,9 +865,6 @@ > google_kms_key_ring_iam_policy - > - google_kms_secret_ciphertext -