feat: [PL-66266]: Adding kmsKeyId support for AWS SM secrets (#1316)

akshat-goyal-harness · Harness · commit bf4118797042 · 2025-12-10T09:00:48.000Z
* bcde9e Merge remote-tracking branch 'origin/PL-66266' into PL-66266 * 7f80d8 #uts * e11544 #fix * ab60a4 #exampleFix * 499aa1 #additionalMetaData * 25360f #uts * 8f6a8c #fix * 7a6b38 Merge remote-tracking branch 'origin/PL-66266' into PL-66266 * 729c22 #exampleFix * ad6716 #kms_key_id_support * e89252 #awsSecretManagerChanges * a70681 #exampleFix * 3e1fa6 #kms_key_id_support * 296cf7 feat: [CDS-115898]: add winrm secret in terraform (#1311) * 5dea6c fix: [CDS-115721]: Fix appset test (#1313) * 534e61 #awsSecretManagerChanges
diff --git a/examples/resources/harness_platform_secret_text/resource.tf b/examples/resources/harness_platform_secret_text/resource.tf
@@ -35,4 +35,21 @@ resource "harness_platform_secret_text" "gcp_secret_manager_reference" {
       version = "1"
     }
   }
+}
+
+resource "harness_platform_secret_text" "aws_secret_manager" {
+  identifier  = "identifier"
+  name        = "name"
+  description = "example"
+  tags        = ["foo:bar"]
+
+  secret_manager_identifier = "awsSecretManager"
+  value_type                = "Inline"
+  value                     = "secret"
+
+  additional_metadata {
+    values {
+      kms_key_id = "kmsKeyId"
+    }
+  }
 }
diff --git a/internal/service/platform/secret/file.go b/internal/service/platform/secret/file.go
@@ -34,6 +34,11 @@ func ResourceSecretFile() *schema.Resource {
 				Type:        schema.TypeString,
 				Required:    true,
 			},
+			"kms_key_id": {
+				Description: "Kms Key Id for encrypting the secret value",
+				Type:        schema.TypeString,
+				Optional:    true,
+			},
 		},
 	}
 	helpers.SetMultiLevelResourceSchema(resource.Schema)
@@ -114,7 +119,12 @@ func buildSpec(d *schema.ResourceData) string {
 		spec = spec + fmt.Sprintf(`,"tags":%[1]s`, tags_string)
 	}
 	if attr, ok := d.GetOk("secret_manager_identifier"); ok {
-		spec = spec + fmt.Sprintf(`,"spec":{"secretManagerIdentifier":"%[1]s"}`, attr.(string))
+		spec = spec + fmt.Sprintf(`,"spec":{"secretManagerIdentifier":"%[1]s"`, attr.(string))
+	}
+	if attr, ok := d.GetOk("kms_key_id"); ok {
+		spec = spec + fmt.Sprintf(`,"additionalMetadata":{"values":{"kmsKeyId":"%[1]s"}}}`, attr.(string))
+	} else {
+		spec = spec + fmt.Sprintf(`}`)
 	}
 	return spec + "}}"
 }
@@ -160,5 +170,6 @@ func readSecretFile(d *schema.ResourceData, secret *nextgen.Secret) error {
 	d.Set("org_id", secret.OrgIdentifier)
 	d.Set("project_id", secret.ProjectIdentifier)
 	d.Set("tags", helpers.FlattenTags(secret.Tags))
+
 	return nil
 }
diff --git a/internal/service/platform/secret/file_data_source.go b/internal/service/platform/secret/file_data_source.go
@@ -21,6 +21,11 @@ func DataSourceSecretFile() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 			},
+			"kms_key_id": {
+				Description: "Kms Key Id for encrypting the secret value",
+				Type:        schema.TypeString,
+				Optional:    true,
+			},
 		},
 	}
 
diff --git a/internal/service/platform/secret/file_test.go b/internal/service/platform/secret/file_test.go
@@ -290,3 +290,65 @@ func getAbsFilePath(file_path string) string {
 	absPath, _ := filepath.Abs(file_path)
 	return absPath
 }
+
+func TestAccResourceSecretFile_AWS_SM_reference(t *testing.T) {
+	id := fmt.Sprintf("%s_%s", t.Name(), utils.RandStringBytes(5))
+	name := id
+	updatedName := fmt.Sprintf("%s_updated", name)
+	resourceName := "harness_platform_secret_file.test"
+
+	resource.UnitTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.TestAccPreCheck(t) },
+		ProviderFactories: acctest.ProviderFactories,
+		CheckDestroy:      testAccSecretDestroy(resourceName),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceSecret_file_AWS_SM(id, name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "id", id),
+					resource.TestCheckResourceAttr(resourceName, "identifier", id),
+					resource.TestCheckResourceAttr(resourceName, "name", name),
+					resource.TestCheckResourceAttr(resourceName, "description", "test"),
+					resource.TestCheckResourceAttr(resourceName, "tags.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "secret_manager_identifier", "harnessSecretManager"),
+					resource.TestCheckResourceAttr(resourceName, "kms_key_id", "awsKMSKeyId"),
+				),
+			},
+			{
+				Config: testAccResourceSecret_file_AWS_SM(id, updatedName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "id", id),
+					resource.TestCheckResourceAttr(resourceName, "identifier", id),
+					resource.TestCheckResourceAttr(resourceName, "name", updatedName),
+					resource.TestCheckResourceAttr(resourceName, "description", "test"),
+					resource.TestCheckResourceAttr(resourceName, "tags.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "secret_manager_identifier", "harnessSecretManager"),
+					resource.TestCheckResourceAttr(resourceName, "kms_key_id", "awsKMSKeyId"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"file_path",
+					"kms_key_id",
+				},
+			},
+		},
+	})
+}
+
+func testAccResourceSecret_file_AWS_SM(id string, name string) string {
+	return fmt.Sprintf(`
+	resource "harness_platform_secret_file" "test" {
+		identifier = "%[1]s"
+		name = "%[2]s"
+		description = "test"
+		tags = ["foo:bar"]
+		file_path = "%[3]s"
+		secret_manager_identifier = "harnessSecretManager"
+		kms_key_id = "awsKMSKeyId"
+	}
+		`, id, name, getAbsFilePath("../../../acctest/secret_files/secret.txt"))
+}
diff --git a/internal/service/platform/secret/text.go b/internal/service/platform/secret/text.go
@@ -53,6 +53,10 @@ func ResourceSecretText() *schema.Resource {
 										Type:     schema.TypeString,
 										Optional: true,
 									},
+									"kms_key_id": {
+										Type:     schema.TypeString,
+										Optional: true,
+									},
 									// Add other fields for the inner map as needed
 								},
 							},
@@ -153,6 +157,9 @@ func readAdditionalMetadata(metadata interface{}) nextgen.AdditionalMetadata {
 				if version, ok := valueMap["version"].(string); ok {
 					result.Values["version"] = version
 				}
+				if kmsKeyId, ok := valueMap["kms_key_id"].(string); ok {
+					result.Values["kmsKeyId"] = kmsKeyId
+				}
 				// Add other fields as needed
 			}
 		}
@@ -161,37 +168,31 @@ func readAdditionalMetadata(metadata interface{}) nextgen.AdditionalMetadata {
 	return result
 }
 
-func importAdditionalMetadata(data map[string]string) []map[string]interface{} {
-	var result []map[string]interface{}
-
-	for _, value := range data {
-		entry := map[string]interface{}{
-			"version": value,
-			// Add other fields for the inner map as needed
-		}
-
-		result = append(result, entry)
-	}
-
-	return result
-}
-
 func importAdditionalMetadata_2(additionalMetadata *nextgen.AdditionalMetadata) []interface{} {
 	response := make([]interface{}, 0)
 	data := map[string]interface{}{}
 	if additionalMetadata != nil && len(additionalMetadata.Values) > 0 {
-		var valuesList []interface{}
-
-		for _, value := range additionalMetadata.Values {
-			entry := map[string]string{
-				"version": value,
-				// Add other fields for the inner map as needed
+		entry := make(map[string]interface{})
+		for k, v := range additionalMetadata.Values {
+			switch k {
+			case "version":
+				entry["version"] = v
+			case "kmsKeyId":
+				entry["kms_key_id"] = v
 			}
-
-			valuesList = append(valuesList, entry)
 		}
-
-		data["values"] = valuesList
+		data["values"] = schema.NewSet(schema.HashResource(&schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"version": {
+					Type:     schema.TypeString,
+					Optional: true,
+				},
+				"kms_key_id": {
+					Type:     schema.TypeString,
+					Optional: true,
+				},
+			},
+		}), []interface{}{entry})
 	}
 	return append(response, data)
 }
diff --git a/internal/service/platform/secret/text_data_source.go b/internal/service/platform/secret/text_data_source.go
@@ -42,6 +42,10 @@ func DataSourceSecretText() *schema.Resource {
 										Type:     schema.TypeString,
 										Optional: true,
 									},
+									"kms_key_id": {
+										Type:     schema.TypeString,
+										Optional: true,
+									},
 									// Add other fields for the inner map as needed
 								},
 							},
diff --git a/internal/service/platform/secret/text_test.go b/internal/service/platform/secret/text_test.go
@@ -350,6 +350,25 @@ func testAccResourceSecret_text_inline(id string, name string, secretValue strin
 `, id, name, secretValue)
 }
 
+func testAccResourceSecret_text_inline_AWS_SM(id string, name string, secretValue, secretManagerIdentifier string) string {
+	return fmt.Sprintf(`
+		resource "harness_platform_secret_text" "test" {
+			identifier = "%[1]s"
+			name = "%[2]s"
+			description = "test"
+			tags = ["foo:bar"]
+			secret_manager_identifier = "%[4]s"
+			value_type = "Inline"
+			value = "%[3]s"
+			additional_metadata {
+				values {
+					kms_key_id = "awsKMSKeyId"
+				}
+			}
+		}
+`, id, name, secretValue, secretManagerIdentifier)
+}
+
 func testAccResourceSecret_text_reference(id string, name string, secretValue string, secretManagerIdentifier string) string {
 	return fmt.Sprintf(`
 		resource "harness_platform_secret_text" "test" {
@@ -529,3 +548,55 @@ func TestAccResourceSecretText_GCP_SM_reference(t *testing.T) {
 		},
 	})
 }
+
+func TestAccResourceSecretText_AWS_SM_reference(t *testing.T) {
+	id := fmt.Sprintf("%s_%s", t.Name(), utils.RandStringBytes(5))
+	name := id
+	updatedName := fmt.Sprintf("%s_updated", name)
+	secretValue := fmt.Sprintf("%s_%s", t.Name(), utils.RandStringBytes(5))
+	updatedValue := secretValue + "updated"
+	resourceName := "harness_platform_secret_text.test"
+
+	resource.UnitTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.TestAccPreCheck(t) },
+		ProviderFactories: acctest.ProviderFactories,
+		CheckDestroy:      testAccSecretDestroy(resourceName),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceSecret_text_inline_AWS_SM(id, name, secretValue, "harnessSecretManager"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "id", id),
+					resource.TestCheckResourceAttr(resourceName, "identifier", id),
+					resource.TestCheckResourceAttr(resourceName, "name", name),
+					resource.TestCheckResourceAttr(resourceName, "description", "test"),
+					resource.TestCheckResourceAttr(resourceName, "tags.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "secret_manager_identifier", "harnessSecretManager"),
+					resource.TestCheckResourceAttr(resourceName, "value_type", "Inline"),
+					resource.TestCheckResourceAttr(resourceName, "value", secretValue),
+					resource.TestCheckResourceAttr(resourceName, "additional_metadata.0.values.0.kms_key_id", "awsKMSKeyId"),
+				),
+			},
+			{
+				Config: testAccResourceSecret_text_inline_AWS_SM(id, updatedName, updatedValue, "harnessSecretManager"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "id", id),
+					resource.TestCheckResourceAttr(resourceName, "identifier", id),
+					resource.TestCheckResourceAttr(resourceName, "name", updatedName),
+					resource.TestCheckResourceAttr(resourceName, "description", "test"),
+					resource.TestCheckResourceAttr(resourceName, "tags.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "secret_manager_identifier", "harnessSecretManager"),
+					resource.TestCheckResourceAttr(resourceName, "value_type", "Inline"),
+					resource.TestCheckResourceAttr(resourceName, "value", updatedValue),
+					resource.TestCheckResourceAttr(resourceName, "additional_metadata.0.values.0.kms_key_id", "awsKMSKeyId"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateIdFunc:       acctest.AccountLevelResourceImportStateIdFunc(resourceName),
+				ImportStateVerifyIgnore: []string{"value"},
+			},
+		},
+	})
+}
