Merge pull request #635 from RedisLabs/feat/OPCR-6-cmk

OPCR-6: Customer Managed Key support for pro and active active subscriptions

Author: burythehammer

CHANGELOG.md

@@ -3,18 +3,23 @@
 All notable changes to this project will be documented in this file.
 See updating [Changelog example here](https://keepachangelog.com/en/1.0.0/)
 
+# 2.1.6 (31st July 2025)
+
+### Added
+
+- Customer Managed Key support for active-active and pro subscriptions. Only supports redis internal GCP cloud subscriptions. CMKs are externally provided by a customer-supplied GCP account and are managed externally by the user.
 
 # 2.1.5 (1st July 2025)
 
 ### Added
 
-Feature: Support Marketplace as a payment method for Essentials subscription
-Feature: Add TLS certificate to databases’ data sources
+- Feature: Support Marketplace as a payment method for Essentials subscription
+- Feature: Add TLS certificate to databases’ data sources
 
 ### Fixed:
 
-Unexpected state `dynamic-endpoints-creation-pending'
-Can not disable default user on essentials db
+- Unexpected state `dynamic-endpoints-creation-pending'
+- Can not disable default user on essentials db
 
 # 2.1.4 (22nd May 2025)
 

docs/resources/rediscloud_active_active_subscription.md

@@ -19,6 +19,8 @@ subscription, then the databases defined as separate resources will be attached
 the subscription. The creation_plan block can ONLY be used for provisioning new
 subscriptions, the block will be ignored if you make any further changes or try importing the resource (e.g. `terraform import` ...).
 
+~> **Note:** The CMK (customer managed encryption key) fields require a specific flow which involves a multi step apply. Please refer to the relevant documents if using these fields.
+
 ## Example Usage
 
 ```hcl
@@ -62,6 +64,9 @@ The following arguments are supported:
 * `redis_version` - (Optional) The Redis version of the databases in the subscription. If omitted, the Redis version will be the default. **Modifying this attribute will force creation of a new resource.**
 * `creation_plan` - (Required) A creation plan object, documented below. Ignored after creation.
 * `maintenance_windows` - (Optional) The subscription's maintenance window specification, documented below.
+* `customer_managed_key_enabled` - (Optional) Whether to enable the CMK flow.
+* `customer_managed_key_deletion_grace_period` - (Optional) The grace period for deleting the subscription. If not set, will default to immediate deletion grace period.
+* `customer_managed_key` - (Optional) The customer managed keys (CMK) to use for this subscription. If is active-active subscription, must set a key for each region.
 
 The `creation_plan` block supports:
 
@@ -78,6 +83,10 @@ The creation_plan `region` block supports:
 * `write_operations_per_second` - (Required) Throughput measurement for an active-active subscription
 * `read_operations_per_second` - (Required) Throughput measurement for an active-active subscription
 
+The `customer_managed_key` block supports:
+* `resource_name` - Resource name of the customer managed key as defined by the cloud provider, e.g. projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME
+* `region` - Name of the region for the customer managed key as defined by the cloud provider.
+
 The `maintenance_windows` object has these attributes:
 
 * `mode` - Either `automatic` (Redis specified) or `manual` (User specified)
@@ -93,6 +102,8 @@ The `window` object has these attributes:
 
 ## Attribute reference
 
+* `customer_managed_key_redis_service_account` - Outputs the id of the service account associated with the subscription. Useful as part of the CMK flow.
+
 * `pricing` - A list of pricing objects, documented below
 
 The `pricing` object has these attributes:

docs/resources/rediscloud_subscription.md

@@ -20,6 +20,8 @@ subscription, then the databases defined as separate resources will be attached
 the subscription. The creation_plan block can ONLY be used for provisioning new
 subscriptions, the block will be ignored if you make any further changes or try importing the resource (e.g. `terraform import` ...).
 
+~> **Note:** The CMK (customer managed encryption key) fields require a specific flow which involves a multi step apply. Please refer to the relevant documents if using these fields.
+
 ## Example Usage
 
 ```hcl
@@ -80,6 +82,9 @@ The following arguments are supported:
 * `cloud_provider` - (Required) A cloud provider object, documented below. **Modifying this attribute will force creation of a new resource.**
 * `creation_plan` - (Required) A creation plan object, documented below.
 * `maintenance_windows` - (Optional) The subscription's maintenance window specification, documented below.
+* `customer_managed_key_enabled` - (Optional) Whether to enable the customer managed encryption key flow.
+* `customer_managed_key_deletion_grace_period` - (Optional) The grace period for deleting the subscription. If not set, will default to immediate deletion grace period.
+* `customer_managed_key` - (Optional) The customer managed keys (CMK) to use for this subscription. If is active-active subscription, must set a key for each region.
 
 The `allowlist` block supports:
 
@@ -128,6 +133,9 @@ The cloud_provider `region` block supports:
 ~> **Note:** The preferred_availability_zones parameter is required for Terraform, but is optional within the Redis Enterprise Cloud UI.
 This difference in behaviour is to guarantee that a plan after an apply does not generate differences. In AWS Redis internal cloud account, please set the zone IDs (for example: `["use-az2", "use-az3", "use-az5"]`).
 
+The `customer_managed_key` block supports:
+* `resource_name` - The resource name of the customer managed key as defined by the cloud provider, e.g. projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME
+
 The `maintenance_windows` object has these attributes:
 
 * `mode` - Either `automatic` (Redis specified) or `manual` (User specified)
@@ -149,6 +157,8 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/d
 
 ## Attribute reference
 
+* `customer_managed_key_redis_service_account` - Outputs the id of the service account associated with the subscription. Useful as part of the CMK flow.
+
 The `region` block has these attributes:
 
 * `networks` - List of generated network configuration

go.mod

@@ -3,7 +3,7 @@ module github.com/RedisLabs/terraform-provider-rediscloud
 go 1.22.4
 
 require (
-	github.com/RedisLabs/rediscloud-go-api v0.29.0
+	github.com/RedisLabs/rediscloud-go-api v0.31.0
 	github.com/bflad/tfproviderlint v0.31.0
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.1

go.sum

@@ -4,8 +4,8 @@ github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migc
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
 github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
-github.com/RedisLabs/rediscloud-go-api v0.29.0 h1:XLVBMSgHwaaHFmf+TXrsU2veQ67J+e5Xrz54FggnwTY=
-github.com/RedisLabs/rediscloud-go-api v0.29.0/go.mod h1:3/oVb71rv2OstFRYEc65QCIbfwnJTgZeQhtPCcdHook=
+github.com/RedisLabs/rediscloud-go-api v0.31.0 h1:hFdR7nrJcCVQN8h3DeXtP0g4zVQP6X5wtS5FoinG8bo=
+github.com/RedisLabs/rediscloud-go-api v0.31.0/go.mod h1:3/oVb71rv2OstFRYEc65QCIbfwnJTgZeQhtPCcdHook=
 github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=

provider/datasource_rediscloud_essentials_plan_test.go

@@ -196,6 +196,7 @@ data "rediscloud_essentials_plan" "impossible" {
 const testAccResourceRedisCloudPaidEssentialsSubscriptionDataSource = `
 data "rediscloud_payment_method" "card" {
 	card_type = "Visa"
+	last_four_numbers = "5556"
 }
 
 data "rediscloud_essentials_plan" "fixed" {

provider/datasource_rediscloud_payment_method_test.go

@@ -31,7 +31,8 @@ func TestAccDataSourceRedisCloudPaymentMethod_basic(t *testing.T) {
 }
 
 const testAccDataSourceRedisCloudPaymentMethod = `
-data "rediscloud_payment_method" "foo" {
-  card_type = "Visa"
+data "rediscloud_payment_method" "card" {
+	card_type = "Visa"
+	last_four_numbers = "5556"
 }
 `

provider/datasource_rediscloud_pro_database_test.go

@@ -69,8 +69,10 @@ func TestAccDataSourceRedisCloudProDatabase_basic(t *testing.T) {
 
 const testAccDatasourceRedisCloudProDatabase = `
 data "rediscloud_payment_method" "card" {
-  card_type = "Visa"
+	card_type = "Visa"
+	last_four_numbers = "5556"
 }
+
 data "rediscloud_cloud_account" "account" {
   exclude_internal_account = true
   provider_type = "AWS" 

provider/datasource_rediscloud_pro_subscription_test.go

@@ -81,8 +81,10 @@ func TestAccDataSourceRedisCloudProSubscription_ignoresAA(t *testing.T) {
 
 const testAccDatasourceRedisCloudProSubscription = `
 data "rediscloud_payment_method" "card" {
-  card_type = "Visa"
+	card_type = "Visa"
+	last_four_numbers = "5556"
 }
+
 data "rediscloud_cloud_account" "account" {
   exclude_internal_account = true
   provider_type = "AWS"
@@ -132,7 +134,9 @@ data "rediscloud_subscription" "example" {
 const testAccDatasourceRedisCloudAADatabaseWithProDataSource = `
 data "rediscloud_payment_method" "card" {
 	card_type = "Visa"
+	last_four_numbers = "5556"
 }
+
 resource "rediscloud_active_active_subscription" "example" {
 	name = "%s"
 	payment_method_id = data.rediscloud_payment_method.card.id

provider/datasource_rediscloud_subscription_peerings_test.go

@@ -60,7 +60,8 @@ func TestAccDataSourceRedisCloudSubscriptionPeerings_basic(t *testing.T) {
 
 const testAccDatasourceRedisCloudSubscriptionPeeringsDataSource = `
 data "rediscloud_payment_method" "card" {
-  card_type = "Visa"
+	card_type = "Visa"
+	last_four_numbers = "5556"
 }
 
 data "rediscloud_cloud_account" "account" {