Add encryptionSpec for vertex_ai_index (#15144) (#10759)

[upstream:86a14c31368b2e5fe36aaae03ea4b6bdcc6b4656]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/15144.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+vertexai: added `kmsKeyName` field to `google_vertex_ai_index` resource
+```

google-beta/services/vertexai/resource_vertex_ai_index.go

@@ -195,6 +195,23 @@ then existing content of the Index will be replaced by the data from the content
 				Optional:    true,
 				Description: `The description of the Index.`,
 			},
+			"encryption_spec": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				ForceNew:    true,
+				Description: `Customer-managed encryption key spec for an Index. If set, this Index and all sub-resources of this Index will be secured by this key.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"kms_key_name": {
+							Type:        schema.TypeString,
+							Required:    true,
+							ForceNew:    true,
+							Description: `Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: 'projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key'. The key needs to be in the same region as where the compute resource is created.`,
+						},
+					},
+				},
+			},
 			"index_update_method": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -338,6 +355,12 @@ func resourceVertexAIIndexCreate(d *schema.ResourceData, meta interface{}) error
 	} else if v, ok := d.GetOkExists("index_update_method"); !tpgresource.IsEmptyValue(reflect.ValueOf(indexUpdateMethodProp)) && (ok || !reflect.DeepEqual(v, indexUpdateMethodProp)) {
 		obj["indexUpdateMethod"] = indexUpdateMethodProp
 	}
+	encryptionSpecProp, err := expandVertexAIIndexEncryptionSpec(d.Get("encryption_spec"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("encryption_spec"); !tpgresource.IsEmptyValue(reflect.ValueOf(encryptionSpecProp)) && (ok || !reflect.DeepEqual(v, encryptionSpecProp)) {
+		obj["encryptionSpec"] = encryptionSpecProp
+	}
 	effectiveLabelsProp, err := expandVertexAIIndexEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -490,6 +513,9 @@ func resourceVertexAIIndexRead(d *schema.ResourceData, meta interface{}) error {
 	if err := d.Set("index_update_method", flattenVertexAIIndexIndexUpdateMethod(res["indexUpdateMethod"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Index: %s", err)
 	}
+	if err := d.Set("encryption_spec", flattenVertexAIIndexEncryptionSpec(res["encryptionSpec"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Index: %s", err)
+	}
 	if err := d.Set("terraform_labels", flattenVertexAIIndexTerraformLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Index: %s", err)
 	}
@@ -1001,6 +1027,23 @@ func flattenVertexAIIndexIndexUpdateMethod(v interface{}, d *schema.ResourceData
 	return v
 }
 
+func flattenVertexAIIndexEncryptionSpec(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["kms_key_name"] =
+		flattenVertexAIIndexEncryptionSpecKmsKeyName(original["kmsKeyName"], d, config)
+	return []interface{}{transformed}
+}
+func flattenVertexAIIndexEncryptionSpecKmsKeyName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenVertexAIIndexTerraformLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -1222,6 +1265,29 @@ func expandVertexAIIndexIndexUpdateMethod(v interface{}, d tpgresource.Terraform
 	return v, nil
 }
 
+func expandVertexAIIndexEncryptionSpec(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedKmsKeyName, err := expandVertexAIIndexEncryptionSpecKmsKeyName(original["kms_key_name"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedKmsKeyName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["kmsKeyName"] = transformedKmsKeyName
+	}
+
+	return transformed, nil
+}
+
+func expandVertexAIIndexEncryptionSpecKmsKeyName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandVertexAIIndexEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

google-beta/services/vertexai/resource_vertex_ai_index_generated_meta.yaml

@@ -12,6 +12,7 @@ fields:
   - field: 'display_name'
   - field: 'effective_labels'
     provider_only: true
+  - field: 'encryption_spec.kms_key_name'
   - field: 'etag'
   - field: 'index_stats.shards_count'
   - field: 'index_stats.vectors_count'

google-beta/services/vertexai/resource_vertex_ai_index_generated_test.go

@@ -36,6 +36,7 @@ func TestAccVertexAIIndex_vertexAiIndexExample(t *testing.T) {
 
 	context := map[string]interface{}{
 		"project":       envvar.GetTestProjectFromEnv(),
+		"kms_key_name":  acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name,
 		"random_suffix": acctest.RandString(t, 10),
 	}
 
@@ -59,6 +60,10 @@ func TestAccVertexAIIndex_vertexAiIndexExample(t *testing.T) {
 
 func testAccVertexAIIndex_vertexAiIndexExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
+resource "google_project_service_identity" "vertexai_sa" {
+  service = "aiplatform.googleapis.com"
+}
+
 resource "google_storage_bucket" "bucket" {
   name     = "tf-test-vertex-ai-index-test%{random_suffix}"
   location = "us-central1"
@@ -76,6 +81,12 @@ resource "google_storage_bucket_object" "data" {
 EOF
 }
 
+resource "google_kms_crypto_key_iam_member" "vertexai_encrypterdecrypter" {
+  crypto_key_id = "%{kms_key_name}"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        =  google_project_service_identity.vertexai_sa.member
+}
+
 resource "google_vertex_ai_index" "index" {
   labels = {
     foo = "bar"
@@ -98,7 +109,14 @@ resource "google_vertex_ai_index" "index" {
       }
     }
   }
+  encryption_spec {
+  kms_key_name = "%{kms_key_name}"
+  }
   index_update_method = "BATCH_UPDATE"
+
+  depends_on = [
+  google_kms_crypto_key_iam_member.vertexai_encrypterdecrypter,
+  ]
 }
 `, context)
 }
@@ -108,6 +126,7 @@ func TestAccVertexAIIndex_vertexAiIndexStreamingExample(t *testing.T) {
 
 	context := map[string]interface{}{
 		"project":       envvar.GetTestProjectFromEnv(),
+		"kms_key_name":  acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name,
 		"random_suffix": acctest.RandString(t, 10),
 	}
 

website/docs/r/vertex_ai_index.html.markdown

@@ -32,6 +32,10 @@ To get more information about Index, see:
 
 
 ```hcl
+resource "google_project_service_identity" "vertexai_sa" {
+  service = "aiplatform.googleapis.com"
+}
+
 resource "google_storage_bucket" "bucket" {
   name     = "vertex-ai-index-test"
   location = "us-central1"
@@ -49,6 +53,12 @@ resource "google_storage_bucket_object" "data" {
 EOF
 }
 
+resource "google_kms_crypto_key_iam_member" "vertexai_encrypterdecrypter" {
+  crypto_key_id = "kms-name"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        =  google_project_service_identity.vertexai_sa.member
+}
+
 resource "google_vertex_ai_index" "index" {
   labels = {
     foo = "bar"
@@ -71,7 +81,14 @@ resource "google_vertex_ai_index" "index" {
       }
     }
   }
+  encryption_spec {
+  kms_key_name = "kms-name"
+  }
   index_update_method = "BATCH_UPDATE"
+
+  depends_on = [
+  google_kms_crypto_key_iam_member.vertexai_encrypterdecrypter,
+  ]
 }
 ```
 ## Example Usage - Vertex Ai Index Streaming
@@ -151,6 +168,11 @@ The following arguments are supported:
   * BATCH_UPDATE: user can call indexes.patch with files on Cloud Storage of datapoints to update.
   * STREAM_UPDATE: user can call indexes.upsertDatapoints/DeleteDatapoints to update the Index and the updates will be applied in corresponding DeployedIndexes in nearly real-time.
 
+* `encryption_spec` -
+  (Optional)
+  Customer-managed encryption key spec for an Index. If set, this Index and all sub-resources of this Index will be secured by this key.
+  Structure is [documented below](#nested_encryption_spec).
+
 * `region` -
   (Optional)
   The region of the index. eg us-central1
@@ -248,6 +270,12 @@ The following arguments are supported:
   The default percentage of leaf nodes that any query may be searched. Must be in
   range 1-100, inclusive. The default value is 10 (means 10%) if not set.
 
+<a name="nested_encryption_spec"></a>The `encryption_spec` block supports:
+
+* `kms_key_name` -
+  (Required)
+  Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`. The key needs to be in the same region as where the compute resource is created.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: