Added state upgrader for CMK resource

Author: nfx

CHANGELOG.md

@@ -8,10 +8,11 @@
 * Mounting clusters are recreated now, even when they are deleted ([#637](https://github.com/databrickslabs/terraform-provider-databricks/issues/637))
 * Fixed handling of empty blocks for clusters/jobs/instance pools ([22cdf2f](https://github.com/databrickslabs/terraform-provider-databricks/commit/22cdf2fc9d50f67b14b49d11e7fbaacce0f52399))
 * Mark instance pool attributes as ForceNew when it's requited ([#629](https://github.com/databrickslabs/terraform-provider-databricks/issues/629))
+* Switched to use https://staticcheck.io/ for static code analysis ([#602](https://github.com/databrickslabs/terraform-provider-databricks/issues/602))
 
 **Behavior changes**
 
-* The `customer_managed_key_id` field in `databricks_mws_workspaces` resource is deprecated and should be replaced with `managed_services_customer_managed_key_id` (and optionally `storage_customer_managed_key_id`).  `databricks_mws_customer_managed_keys` now requires the parameter `use_cases` ([#642](https://github.com/databrickslabs/terraform-provider-databricks/pull/642))
+* The `customer_managed_key_id` field in `databricks_mws_workspaces` resource is deprecated and should be replaced with `managed_services_customer_managed_key_id` (and optionally `storage_customer_managed_key_id`). `databricks_mws_customer_managed_keys` now requires the parameter `use_cases` ([#642](https://github.com/databrickslabs/terraform-provider-databricks/pull/642)). *If you've used the resource before, please add `use_cases = ["MANAGED_SERVICES"]` to keep the behaviour.*
 
 Updated dependency versions:
 

docs/resources/mws_customer_managed_keys.md

@@ -14,6 +14,8 @@ Please follow this [complete runnable example](../guides/aws-workspace.md) with
 
 ## Example Usage
 
+-> **Note** If you've used the resource before, please add `use_cases = ["MANAGED_SERVICES"]` to keep the previous behaviour.
+
 ```hcl
 variable "databricks_account_id" {
   description = "Account Id that could be found in the bottom left corner of https://accounts.cloud.databricks.com/"
@@ -26,7 +28,9 @@ resource "aws_kms_grant" "databricks-grant" {
   name = "databricks-grant"
   key_id  = aws_kms_key.customer_managed_key.key_id
   grantee_principal = "arn:aws:iam::414351767826:root"
-  operations = ["Encrypt", "Decrypt"]
+  operations = ["Encrypt", "Decrypt", "DescribeKey", 
+    "GenerateDataKey", "ReEncryptFrom", "ReEncryptTo", 
+    "GenerateDataKeyWithoutPlaintext"]
 }
 
 resource "aws_kms_alias" "customer_managed_key_alias" {
@@ -51,7 +55,7 @@ The following arguments are required:
 
 * `aws_key_info` - This field is a block and is documented below.
 * `account_id` - Account Id that could be found in the bottom left corner of [Accounts Console](https://accounts.cloud.databricks.com/)
-* `use_cases` - list of use cases for which this key will be used.  Possible values are:
+* `use_cases` - *(since v0.3.4)* List of use cases for which this key will be used. *If you've used the resource before, please add `use_cases = ["MANAGED_SERVICES"]` to keep the previous behaviour.* Possible values are:
   * `MANAGED_SERVICES` - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
   * `STORAGE` - for encryption of the  DBFS Storage & Cluster EBS Volumes
 

mws/resource_customer_managed_key.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/databrickslabs/terraform-provider-databricks/common"
 
+	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -104,6 +105,60 @@ func ResourceCustomerManagedKey() *schema.Resource {
 			}
 			return NewCustomerManagedKeysAPI(ctx, c).Delete(accountID, cmkID)
 		},
-		Schema: s,
+		Schema:        s,
+		SchemaVersion: 1,
+		StateUpgraders: []schema.StateUpgrader{
+			{
+				Version: 0,
+				Type:    ResourceCustomerManagedKeyV0(),
+				Upgrade: migrateResourceCustomerManagedKeyV0,
+			},
+		},
 	}.ToResource()
 }
+
+func migrateResourceCustomerManagedKeyV0(ctx context.Context,
+	rawState map[string]interface{},
+	meta interface{}) (map[string]interface{}, error) {
+	rawState["use_cases"] = []string{"MANAGED_SERVICES"}
+	return rawState, nil
+}
+
+func ResourceCustomerManagedKeyV0() cty.Type {
+	return (&schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"account_id": {
+				Type:     schema.TypeString,
+				ForceNew: true,
+			},
+			"customer_managed_key_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+			"creation_time": {
+				Type:     schema.TypeInt,
+				Computed: true,
+			},
+			"aws_key_info": {
+				Type:     schema.TypeList,
+				ForceNew: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"key_arn": {
+							Type: schema.TypeString,
+						},
+						"key_alias": {
+							Type: schema.TypeString,
+						},
+						"key_region": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+						},
+					},
+				},
+			},
+		},
+	}).CoreConfigSchema().ImpliedType()
+}

mws/resource_customer_managed_key_test.go

@@ -244,3 +244,11 @@ func TestResourceCustomerManagedKeyDelete(t *testing.T) {
 	assert.NoError(t, err, err)
 	assert.Equal(t, "abc/cmkid", d.Id())
 }
+
+func TestCmkStateUpgrader(t *testing.T) {
+	state, err := migrateResourceCustomerManagedKeyV0(context.Background(),
+		map[string]interface{}{}, nil)
+	assert.NoError(t, err)
+	_, ok := state["use_cases"]
+	assert.True(t, ok)
+}

scripts/modules/aws-mws-common/kms.tf

@@ -10,7 +10,9 @@ resource "aws_kms_grant" "databricks-grant" {
   key_id            = aws_kms_key.customer_managed_key.key_id
   grantee_principal = "arn:aws:iam::${var.databricks_aws_account_id}:root"
 
-  operations = ["Encrypt", "Decrypt"]
+  operations = ["Encrypt", "Decrypt", "DescribeKey", 
+    "GenerateDataKey", "ReEncryptFrom", "ReEncryptTo", 
+    "GenerateDataKeyWithoutPlaintext"]
 }