Update Customer Managed Keys & MWS workspace to match new API (#642)

alexott · web-flow · commit c84430dd95e2 · 2021-05-12T10:13:27.000+02:00
Due the changes in the Accounts API we need to do following changes: * Add required attribute `use_cases` to `databricks_mws_customer_managed_keys` resource * The `customer_managed_key_id` field in `databricks_mws_workspaces` resource is deprecated and should be replaced with `managed_services_customer_managed_key_id` (and optionally `storage_customer_managed_key_id`). The `customer_managed_key_id` field is left for compatibility, and automatically converted into `managed_services_customer_managed_key_id`. It will be completely removed in the next versions This fixes #641
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,10 @@
 * Fixed state refresh bugs in `databricks_sql_permissions` ([#620](https://github.com/databrickslabs/terraform-provider-databricks/issues/620), [#619](https://github.com/databrickslabs/terraform-provider-databricks/issues/620))
 * Fixed `workspace_ids_filter` mapping for `databricks_mws_log_delivery` ([#635](https://github.com/databrickslabs/terraform-provider-databricks/issues/635))
 
+**Behavior changes**
+
+* The `customer_managed_key_id` field in `databricks_mws_workspaces` resource is deprecated and should be replaced with `managed_services_customer_managed_key_id` (and optionally `storage_customer_managed_key_id`).  `databricks_mws_customer_managed_keys` now requires the parameter `use_cases` ([#642](https://github.com/databrickslabs/terraform-provider-databricks/pull/642))
+
 ## 0.3.3
 
 * Added resources for SQL Analytics queries and dashboards: `databricks_sql_query`, `databricks_sql_visualization`, `databricks_sql_dashboard`, `databricks_sql_widget` ([#553](https://github.com/databrickslabs/terraform-provider-databricks/pull/553))
diff --git a/docs/resources/mws_customer_managed_keys.md b/docs/resources/mws_customer_managed_keys.md
@@ -40,6 +40,7 @@ resource "databricks_mws_customer_managed_keys" "my_cmk" {
         key_arn   = aws_kms_key.customer_managed_key.arn
         key_alias = aws_kms_alias.customer_managed_key_alias.name
     }
+    use_cases = ["MANAGED_SERVICES", "STORAGE"]
 }
 ```
 
@@ -50,6 +51,9 @@ The following arguments are required:
 
 * `aws_key_info` - This field is a block and is documented below.
 * `account_id` - Account Id that could be found in the bottom left corner of [Accounts Console](https://accounts.cloud.databricks.com/)
+* `use_cases` - list of use cases for which this key will be used.  Possible values are:
+  * `MANAGED_SERVICES` - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
+  * `STORAGE` - for encryption of the  DBFS Storage & Cluster EBS Volumes
 
 
 ### aws_key_info Configuration Block
diff --git a/docs/resources/mws_workspaces.md b/docs/resources/mws_workspaces.md
@@ -179,7 +179,9 @@ The following arguments are available:
 * `network_id` - (Optional) `network_id` from [networks](mws_networks.md)
 * `account_id` - Account Id that could be found in the bottom left corner of [Accounts Console](https://accounts.cloud.databricks.com/).
 * `credentials_id` - `credentials_id` from [credentials](mws_credentials.md)
-* `customer_managed_key_id` - (Optional) `customer_managed_key_id` from [customer managed keys](mws_customer_managed_keys.md)
+* `customer_managed_key_id` - (Optional, **Deprecated**, see `managed_services_customer_managed_key_id` and `storage_customer_managed_key_id`) `customer_managed_key_id` from [customer managed keys](mws_customer_managed_keys.md)
+* `managed_services_customer_managed_key_id` - (Optional) `customer_managed_key_id` from [customer managed keys](mws_customer_managed_keys.md) with `use_cases` set to `MANAGED_SERVICES`. This is used to encrypt the workspace's notebook and secret data in the control plane.
+* `storage_customer_managed_key_id` - (Optional, **Deprecated**) `customer_managed_key_id` from [customer managed keys](mws_customer_managed_keys.md) with `use_cases` set to `STORAGE`. This is used to encrypt the DBFS Storage & Cluster EBS Volumes.
 * `deployment_name` - part of URL: `https://<deployment-name>.cloud.databricks.com`
 * `workspace_name` - name of the workspace, will appear on UI
 * `aws_region` - AWS region of VPC
@@ -214,4 +216,4 @@ You can reset local DNS caches before provisioning new workspaces with one of th
 * Mac OS Sierra, X El Capitan, X Mavericks, X Mountain Lion, or X Lion - `sudo killall -HUP mDNSResponder`
 * Mac OS X Yosemite - `sudo discoveryutil udnsflushcaches`
 * Mac OS X Snow Leopard - `sudo dscacheutil -flushcache`
-* Mac OS X Leopard and below - `sudo lookupd -flushcache`
+* Mac OS X Leopard and below - `sudo lookupd -flushcache`
diff --git a/mws/acceptance/cmk_test.go b/mws/acceptance/cmk_test.go
@@ -25,6 +25,7 @@ func TestMwsAccCustomerManagedKeys(t *testing.T) {
 					key_arn   = "{env.TEST_KMS_KEY_ARN}"
 					key_alias = "{env.TEST_KMS_KEY_ALIAS}"
 				}
+				use_cases = ["MANAGED_SERVICES"]
 			}`,
 		},
 	})
diff --git a/mws/acceptance/workspace_test.go b/mws/acceptance/workspace_test.go
@@ -26,6 +26,7 @@ func TestMwsAccWorkspaces(t *testing.T) {
 					key_arn   = "{env.TEST_KMS_KEY_ARN}"
 					key_alias = "{env.TEST_KMS_KEY_ALIAS}"
 				}
+                use_cases = ["STORAGE", "MANAGED_SERVICES"]
 			}
 			resource "databricks_mws_storage_configurations" "this" {
 				account_id                 = "{env.DATABRICKS_ACCOUNT_ID}"
@@ -52,7 +53,7 @@ func TestMwsAccWorkspaces(t *testing.T) {
 		
 				credentials_id = databricks_mws_credentials.this.credentials_id
 				storage_configuration_id = databricks_mws_storage_configurations.this.storage_configuration_id
-				customer_managed_key_id = databricks_mws_customer_managed_keys.this.customer_managed_key_id
+				managed_services_customer_managed_key_id = databricks_mws_customer_managed_keys.this.customer_managed_key_id
 				network_id = databricks_mws_networks.this.network_id
 			}`,
 		},
diff --git a/mws/mws.go b/mws/mws.go
@@ -75,22 +75,24 @@ var WorkspaceStatusesNonRunnable = []string{WorkspaceStatusCanceled, WorkspaceSt
 
 // Workspace is the object that contains all the information for deploying a workspace
 type Workspace struct {
-	AccountID               string `json:"account_id"`
-	WorkspaceName           string `json:"workspace_name"`
-	DeploymentName          string `json:"deployment_name"`
-	AwsRegion               string `json:"aws_region"`
-	CredentialsID           string `json:"credentials_id"`
-	StorageConfigurationID  string `json:"storage_configuration_id"`
-	CustomerManagedKeyID    string `json:"customer_managed_key_id,omitempty"`
-	PricingTier             string `json:"pricing_tier,omitempty" tf:"computed"`
-	PrivateAccessSettingsID string `json:"private_access_settings_id,omitempty"`
-	NetworkID               string `json:"network_id,omitempty"`
-	IsNoPublicIPEnabled     bool   `json:"is_no_public_ip_enabled,omitempty"`
-	WorkspaceID             int64  `json:"workspace_id,omitempty" tf:"computed"`
-	WorkspaceURL            string `json:"workspace_url,omitempty" tf:"computed"`
-	WorkspaceStatus         string `json:"workspace_status,omitempty" tf:"computed"`
-	WorkspaceStatusMessage  string `json:"workspace_status_message,omitempty" tf:"computed"`
-	CreationTime            int64  `json:"creation_time,omitempty" tf:"computed"`
+	AccountID                           string `json:"account_id"`
+	WorkspaceName                       string `json:"workspace_name"`
+	DeploymentName                      string `json:"deployment_name"`
+	AwsRegion                           string `json:"aws_region"`
+	CredentialsID                       string `json:"credentials_id"`
+	CustomerManagedKeyID                string `json:"customer_managed_key_id,omitempty"` // just for compatibility, will be removed
+	StorageConfigurationID              string `json:"storage_configuration_id"`
+	ManagedServicesCustomerManagedKeyID string `json:"managed_services_customer_managed_key_id,omitempty"`
+	StoragexCustomerManagedKeyID        string `json:"storage_customer_managed_key_id,omitempty"`
+	PricingTier                         string `json:"pricing_tier,omitempty" tf:"computed"`
+	PrivateAccessSettingsID             string `json:"private_access_settings_id,omitempty"`
+	NetworkID                           string `json:"network_id,omitempty"`
+	IsNoPublicIPEnabled                 bool   `json:"is_no_public_ip_enabled,omitempty"`
+	WorkspaceID                         int64  `json:"workspace_id,omitempty" tf:"computed"`
+	WorkspaceURL                        string `json:"workspace_url,omitempty" tf:"computed"`
+	WorkspaceStatus                     string `json:"workspace_status,omitempty" tf:"computed"`
+	WorkspaceStatusMessage              string `json:"workspace_status_message,omitempty" tf:"computed"`
+	CreationTime                        int64  `json:"creation_time,omitempty" tf:"computed"`
 }
 
 // VPCEndpoint is the object that contains all the information for registering an VPC endpoint
diff --git a/mws/resource_customer_managed_key.go b/mws/resource_customer_managed_key.go
@@ -22,6 +22,7 @@ type CustomerManagedKey struct {
 	AwsKeyInfo           *AwsKeyInfo `json:"aws_key_info"`
 	AccountID            string      `json:"account_id"`
 	CreationTime         int64       `json:"creation_time,omitempty" tf:"computed"`
+	UseCases             []string    `json:"use_cases"`
 }
 
 // NewCustomerManagedKeysAPI creates CustomerManagedKeysAPI instance from provider meta
diff --git a/mws/resource_customer_managed_key_test.go b/mws/resource_customer_managed_key_test.go
@@ -29,6 +29,7 @@ func TestMwsAccCustomerManagedKeys(t *testing.T) {
 			KeyAlias: kmsKeyAlias,
 		},
 		AccountID: acctID,
+		UseCases:  []string{"MANAGED_SERVICES"},
 	})
 	assert.NoError(t, err, err)
 
@@ -56,6 +57,7 @@ func TestResourceCustomerManagedKeyCreate(t *testing.T) {
 						KeyArn:   "key-arn",
 						KeyAlias: "key-alias",
 					},
+					UseCases: []string{"MANAGED_SERVICES"},
 				},
 				Response: CustomerManagedKey{
 					CustomerManagedKeyID: "cmkid",
@@ -72,6 +74,7 @@ func TestResourceCustomerManagedKeyCreate(t *testing.T) {
 						KeyRegion: "us-east-1",
 					},
 					AccountID:    "abc",
+					UseCases:     []string{"MANAGED_SERVICES"},
 					CreationTime: 123,
 				},
 			},
@@ -84,6 +87,7 @@ func TestResourceCustomerManagedKeyCreate(t *testing.T) {
 				key_arn   = "key-arn"
 				key_alias = "key-alias"
 			}
+			use_cases = ["MANAGED_SERVICES"]
 		`,
 		Create: true,
 	}.Apply(t)
@@ -105,6 +109,7 @@ func TestResourceCustomerManagedKeyCreate_Error(t *testing.T) {
 						KeyArn:   "key-arn",
 						KeyAlias: "key-alias",
 					},
+					UseCases: []string{"MANAGED_SERVICE"},
 				},
 				Response: common.APIErrorBody{
 					ErrorCode: "INVALID_REQUEST",
@@ -122,6 +127,7 @@ func TestResourceCustomerManagedKeyCreate_Error(t *testing.T) {
 						KeyAlias:  "key-alias",
 						KeyRegion: "us-east-1",
 					},
+					UseCases:     []string{"MANAGED_SERVICE"},
 					AccountID:    "abc",
 					CreationTime: 123,
 				},
@@ -135,6 +141,7 @@ func TestResourceCustomerManagedKeyCreate_Error(t *testing.T) {
 				key_arn   = "key-arn"
 				key_alias = "key-alias"
 			}
+			use_cases = ["MANAGED_SERVICE"]
 		`,
 		Create: true,
 	}.Apply(t)
@@ -154,6 +161,7 @@ func TestResourceCustomerManagedKeyRead(t *testing.T) {
 						KeyAlias:  "key-alias",
 						KeyRegion: "us-east-1",
 					},
+					UseCases:     []string{"MANAGED_SERVICES"},
 					AccountID:    "abc",
 					CreationTime: 123,
 				},
@@ -167,6 +175,7 @@ func TestResourceCustomerManagedKeyRead(t *testing.T) {
 				key_arn   = "key-arn"
 				key_alias = "key-alias"
 			}
+			use_cases = ["MANAGED_SERVICES"]
 		`,
 		ID:   "abc/cmkid",
 		Read: true,
@@ -176,6 +185,7 @@ func TestResourceCustomerManagedKeyRead(t *testing.T) {
 	assert.Equal(t, "key-arn", d.Get("aws_key_info.0.key_arn"))
 	assert.Equal(t, "key-alias", d.Get("aws_key_info.0.key_alias"))
 	assert.Equal(t, "us-east-1", d.Get("aws_key_info.0.key_region"))
+	assert.Equal(t, []interface{}{"MANAGED_SERVICES"}, d.Get("use_cases"))
 	assert.Equal(t, "abc", d.Get("account_id"))
 	assert.Equal(t, 123, d.Get("creation_time"))
 	assert.Equal(t, "cmkid", d.Get("customer_managed_key_id"))
@@ -201,6 +211,7 @@ func TestResourceCustomerManagedKeyRead_NotFound(t *testing.T) {
 				key_arn   = "key-arn"
 				key_alias = "key-alias"
 			}
+			use_cases = ["MANAGED_SERVICES"]
 		`,
 		ID:      "abc/cmkid",
 		Read:    true,
@@ -225,6 +236,7 @@ func TestResourceCustomerManagedKeyDelete(t *testing.T) {
 				key_arn   = "key-arn"
 				key_alias = "key-alias"
 			}
+			use_cases = ["MANAGED_SERVICES"]
 		`,
 		ID:     "abc/cmkid",
 		Delete: true,
diff --git a/mws/resource_workspace.go b/mws/resource_workspace.go
@@ -108,12 +108,13 @@ func (a WorkspacesAPI) WaitForRunning(ws Workspace, timeout time.Duration) error
 func (a WorkspacesAPI) Patch(ws Workspace, timeout time.Duration) error {
 	workspacesAPIPath := fmt.Sprintf("/accounts/%s/workspaces/%d", ws.AccountID, ws.WorkspaceID)
 	err := a.client.Patch(a.context, workspacesAPIPath, Workspace{
-		AwsRegion:              ws.AwsRegion,
-		CredentialsID:          ws.CredentialsID,
-		StorageConfigurationID: ws.StorageConfigurationID,
-		IsNoPublicIPEnabled:    ws.IsNoPublicIPEnabled,
-		NetworkID:              ws.NetworkID,
-		CustomerManagedKeyID:   ws.CustomerManagedKeyID,
+		AwsRegion:                           ws.AwsRegion,
+		CredentialsID:                       ws.CredentialsID,
+		StorageConfigurationID:              ws.StorageConfigurationID,
+		IsNoPublicIPEnabled:                 ws.IsNoPublicIPEnabled,
+		NetworkID:                           ws.NetworkID,
+		ManagedServicesCustomerManagedKeyID: ws.ManagedServicesCustomerManagedKeyID,
+		StoragexCustomerManagedKeyID:        ws.StoragexCustomerManagedKeyID,
 	})
 	if err != nil {
 		return err
@@ -178,6 +179,10 @@ func ResourceWorkspace() *schema.Resource {
 			return !strings.HasSuffix(new, old)
 		}
 		s["is_no_public_ip_enabled"].Default = false
+		s["customer_managed_key_id"].Deprecated = "Use managed_services_customer_managed_key_id instead"
+		s["customer_managed_key_id"].ConflictsWith = []string{"managed_services_customer_managed_key_id", "storage_customer_managed_key_id"}
+		s["managed_services_customer_managed_key_id"].ConflictsWith = []string{"customer_managed_key_id"}
+		s["storage_customer_managed_key_id"].ConflictsWith = []string{"customer_managed_key_id"}
 		return s
 	})
 	p := common.NewPairSeparatedID("account_id", "workspace_id", "/").Schema(
@@ -193,6 +198,11 @@ func ResourceWorkspace() *schema.Resource {
 			if err := common.DataToStructPointer(d, s, &workspace); err != nil {
 				return err
 			}
+			if len(workspace.CustomerManagedKeyID) > 0 && len(workspace.ManagedServicesCustomerManagedKeyID) == 0 {
+				log.Print("[INFO] Using existing customer_managed_key_id as value for new managed_services_customer_managed_key_id")
+				workspace.ManagedServicesCustomerManagedKeyID = workspace.CustomerManagedKeyID
+				workspace.CustomerManagedKeyID = ""
+			}
 			if err := workspacesAPI.Create(&workspace, d.Timeout(schema.TimeoutCreate)); err != nil {
 				return err
 			}
@@ -222,6 +232,11 @@ func ResourceWorkspace() *schema.Resource {
 			if err := common.DataToStructPointer(d, s, &workspace); err != nil {
 				return err
 			}
+			if len(workspace.CustomerManagedKeyID) > 0 && len(workspace.ManagedServicesCustomerManagedKeyID) == 0 {
+				log.Print("[INFO] Using existing customer_managed_key_id as value for new managed_services_customer_managed_key_id")
+				workspace.ManagedServicesCustomerManagedKeyID = workspace.CustomerManagedKeyID
+				workspace.CustomerManagedKeyID = ""
+			}
 			return workspacesAPI.Patch(workspace, d.Timeout(schema.TimeoutUpdate))
 		},
 		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
diff --git a/mws/resource_workspace_test.go b/mws/resource_workspace_test.go

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ resource "databricks_mws_customer_managed_keys" "my_cmk" {`
`40`	`40`	`key_arn = aws_kms_key.customer_managed_key.arn`
`41`	`41`	`key_alias = aws_kms_alias.customer_managed_key_alias.name`
`42`	`42`	`}`
	`43`	`+ use_cases = ["MANAGED_SERVICES", "STORAGE"]`
`43`	`44`	`}`
`44`	`45`	```
`45`	`46`
`@@ -50,6 +51,9 @@ The following arguments are required:`
`50`	`51`
`51`	`52`	* `aws_key_info` - This field is a block and is documented below.
`52`	`53`	* `account_id` - Account Id that could be found in the bottom left corner of [Accounts Console](https://accounts.cloud.databricks.com/)
	`54`	+* `use_cases` - list of use cases for which this key will be used. Possible values are:
	`55`	+ * `MANAGED_SERVICES` - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
	`56`	+ * `STORAGE` - for encryption of the DBFS Storage & Cluster EBS Volumes
`53`	`57`
`54`	`58`
`55`	`59`	`### aws_key_info Configuration Block`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ func TestMwsAccCustomerManagedKeys(t *testing.T) {`
`25`	`25`	`key_arn = "{env.TEST_KMS_KEY_ARN}"`
`26`	`26`	`key_alias = "{env.TEST_KMS_KEY_ALIAS}"`
`27`	`27`	`}`
	`28`	`+ use_cases = ["MANAGED_SERVICES"]`
`28`	`29`	}`,
`29`	`30`	`},`
`30`	`31`	`})`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ type CustomerManagedKey struct {`
`22`	`22`	AwsKeyInfo *AwsKeyInfo `json:"aws_key_info"`
`23`	`23`	AccountID string `json:"account_id"`
`24`	`24`	CreationTime int64 `json:"creation_time,omitempty" tf:"computed"`
	`25`	+ UseCases []string `json:"use_cases"`
`25`	`26`	`}`
`26`	`27`
`27`	`28`	`// NewCustomerManagedKeysAPI creates CustomerManagedKeysAPI instance from provider meta`