update for support of CMEK for vertex ai resource (#6460) (#4643)

* update for support of CMEK for vertex ai resource

* kms key as a resource added

* Bootstrapped kms-key-name

Signed-off-by: Modular Magician <[email protected]>

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/6460.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+vertexai: added `encryption_spec` field to `google_vertex_ai_featurestore` resource (beta)
+```

google-beta/resource_vertex_ai_dataset.go

@@ -61,7 +61,7 @@ func resourceVertexAIDataset() *schema.Resource {
 							Type:     schema.TypeString,
 							Optional: true,
 							ForceNew: true,
-							Description: `Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. 
+							Description: `Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource.
 Has the form: projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key. The key needs to be in the same region as where the resource is created.`,
 						},
 					},

google-beta/resource_vertex_ai_featurestore.go

@@ -42,6 +42,21 @@ func resourceVertexAIFeaturestore() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
+			"encryption_spec": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `If set, both of the online and offline data storage will be secured by this key.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"kms_key_name": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: `The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key. The key needs to be in the same region as where the compute resource is created.`,
+						},
+					},
+				},
+			},
 			"labels": {
 				Type:        schema.TypeMap,
 				Optional:    true,
@@ -127,6 +142,12 @@ func resourceVertexAIFeaturestoreCreate(d *schema.ResourceData, meta interface{}
 	} else if v, ok := d.GetOkExists("online_serving_config"); !isEmptyValue(reflect.ValueOf(onlineServingConfigProp)) && (ok || !reflect.DeepEqual(v, onlineServingConfigProp)) {
 		obj["onlineServingConfig"] = onlineServingConfigProp
 	}
+	encryptionSpecProp, err := expandVertexAIFeaturestoreEncryptionSpec(d.Get("encryption_spec"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("encryption_spec"); !isEmptyValue(reflect.ValueOf(encryptionSpecProp)) && (ok || !reflect.DeepEqual(v, encryptionSpecProp)) {
+		obj["encryptionSpec"] = encryptionSpecProp
+	}
 
 	url, err := replaceVars(d, config, "{{VertexAIBasePath}}projects/{{project}}/locations/{{region}}/featurestores?featurestoreId={{name}}")
 	if err != nil {
@@ -235,6 +256,9 @@ func resourceVertexAIFeaturestoreRead(d *schema.ResourceData, meta interface{})
 	if err := d.Set("online_serving_config", flattenVertexAIFeaturestoreOnlineServingConfig(res["onlineServingConfig"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Featurestore: %s", err)
 	}
+	if err := d.Set("encryption_spec", flattenVertexAIFeaturestoreEncryptionSpec(res["encryptionSpec"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Featurestore: %s", err)
+	}
 
 	return nil
 }
@@ -267,6 +291,12 @@ func resourceVertexAIFeaturestoreUpdate(d *schema.ResourceData, meta interface{}
 	} else if v, ok := d.GetOkExists("online_serving_config"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, onlineServingConfigProp)) {
 		obj["onlineServingConfig"] = onlineServingConfigProp
 	}
+	encryptionSpecProp, err := expandVertexAIFeaturestoreEncryptionSpec(d.Get("encryption_spec"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("encryption_spec"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, encryptionSpecProp)) {
+		obj["encryptionSpec"] = encryptionSpecProp
+	}
 
 	url, err := replaceVars(d, config, "{{VertexAIBasePath}}projects/{{project}}/locations/{{region}}/featurestores/{{name}}")
 	if err != nil {
@@ -283,6 +313,10 @@ func resourceVertexAIFeaturestoreUpdate(d *schema.ResourceData, meta interface{}
 	if d.HasChange("online_serving_config") {
 		updateMask = append(updateMask, "onlineServingConfig")
 	}
+
+	if d.HasChange("encryption_spec") {
+		updateMask = append(updateMask, "encryptionSpec")
+	}
 	// updateMask is a URL parameter but not present in the schema, so replaceVars
 	// won't set it
 	url, err = addQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -434,6 +468,23 @@ func flattenVertexAIFeaturestoreOnlineServingConfigFixedNodeCount(v interface{},
 	return v // let terraform core handle it otherwise
 }
 
+func flattenVertexAIFeaturestoreEncryptionSpec(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["kms_key_name"] =
+		flattenVertexAIFeaturestoreEncryptionSpecKmsKeyName(original["kmsKeyName"], d, config)
+	return []interface{}{transformed}
+}
+func flattenVertexAIFeaturestoreEncryptionSpecKmsKeyName(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
 func expandVertexAIFeaturestoreLabels(v interface{}, d TerraformResourceData, config *Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil
@@ -467,3 +518,26 @@ func expandVertexAIFeaturestoreOnlineServingConfig(v interface{}, d TerraformRes
 func expandVertexAIFeaturestoreOnlineServingConfigFixedNodeCount(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandVertexAIFeaturestoreEncryptionSpec(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedKmsKeyName, err := expandVertexAIFeaturestoreEncryptionSpecKmsKeyName(original["kms_key_name"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedKmsKeyName); val.IsValid() && !isEmptyValue(val) {
+		transformed["kmsKeyName"] = transformedKmsKeyName
+	}
+
+	return transformed, nil
+}
+
+func expandVertexAIFeaturestoreEncryptionSpecKmsKeyName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}

google-beta/resource_vertex_ai_featurestore_entitytype_generated_test.go

@@ -27,7 +27,10 @@ func TestAccVertexAIFeaturestoreEntitytype_vertexAiFeaturestoreEntitytypeExample
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"random_suffix": randString(t, 10),
+		"org_id":          getTestOrgFromEnv(t),
+		"billing_account": getTestBillingAccountFromEnv(t),
+		"kms_key_name":    BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name,
+		"random_suffix":   randString(t, 10),
 	}
 
 	vcrTest(t, resource.TestCase{
@@ -60,6 +63,9 @@ resource "google_vertex_ai_featurestore" "featurestore" {
   online_serving_config {
     fixed_node_count = 2
   }
+  encryption_spec {
+    kms_key_name = "%{kms_key_name}"
+  }
 }
 
 resource "google_vertex_ai_featurestore_entitytype" "entity" {

google-beta/resource_vertex_ai_featurestore_generated_test.go

@@ -27,7 +27,10 @@ func TestAccVertexAIFeaturestore_vertexAiFeaturestoreExample(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"random_suffix": randString(t, 10),
+		"org_id":          getTestOrgFromEnv(t),
+		"billing_account": getTestBillingAccountFromEnv(t),
+		"kms_key_name":    BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name,
+		"random_suffix":   randString(t, 10),
 	}
 
 	vcrTest(t, resource.TestCase{
@@ -60,6 +63,9 @@ resource "google_vertex_ai_featurestore" "featurestore" {
   online_serving_config {
     fixed_node_count = 2
   }
+  encryption_spec {
+    kms_key_name = "%{kms_key_name}"
+  }
   force_destroy = true
 }
 `, context)

google-beta/resource_vertex_ai_metadata_store.go

@@ -57,7 +57,7 @@ func resourceVertexAIMetadataStore() *schema.Resource {
 							Type:     schema.TypeString,
 							Optional: true,
 							ForceNew: true,
-							Description: `Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. 
+							Description: `Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource.
 Has the form: projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key. The key needs to be in the same region as where the resource is created.`,
 						},
 					},

website/docs/r/vertex_ai_dataset.html.markdown

@@ -83,7 +83,7 @@ The following arguments are supported:
 
 * `kms_key_name` -
   (Optional)
-  Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. 
+  Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource.
   Has the form: projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key. The key needs to be in the same region as where the resource is created.
 
 ## Attributes Reference

website/docs/r/vertex_ai_featurestore.html.markdown

@@ -31,11 +31,6 @@ To get more information about Featurestore, see:
 * How-to Guides
     * [Official Documentation](https://cloud.google.com/vertex-ai/docs)
 
-<div class = "oics-button" style="float: right; margin: 0 0 -15px">
-  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=vertex_ai_featurestore&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
-    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
-  </a>
-</div>
 ## Example Usage - Vertex Ai Featurestore
 
 
@@ -50,6 +45,9 @@ resource "google_vertex_ai_featurestore" "featurestore" {
   online_serving_config {
     fixed_node_count = 2
   }
+  encryption_spec {
+    kms_key_name = "kms-name"
+  }
   force_destroy = true
 }
 ```
@@ -76,6 +74,11 @@ The following arguments are supported:
   Config for online serving resources.
   Structure is [documented below](#nested_online_serving_config).
 
+* `encryption_spec` -
+  (Optional)
+  If set, both of the online and offline data storage will be secured by this key.
+  Structure is [documented below](#nested_encryption_spec).
+
 * `region` -
   (Optional)
   The region of the dataset. eg us-central1
@@ -91,6 +94,12 @@ The following arguments are supported:
   (Required)
   The number of nodes for each cluster. The number of nodes will not scale automatically but can be scaled manually by providing different values when updating.
 
+<a name="nested_encryption_spec"></a>The `encryption_spec` block supports:
+
+* `kms_key_name` -
+  (Required)
+  The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. Has the form: projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key. The key needs to be in the same region as where the compute resource is created.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported:

website/docs/r/vertex_ai_featurestore_entitytype.html.markdown

@@ -31,11 +31,6 @@ To get more information about FeaturestoreEntitytype, see:
 * How-to Guides
     * [Official Documentation](https://cloud.google.com/vertex-ai/docs)
 
-<div class = "oics-button" style="float: right; margin: 0 0 -15px">
-  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=vertex_ai_featurestore_entitytype&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
-    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
-  </a>
-</div>
 ## Example Usage - Vertex Ai Featurestore Entitytype
 
 
@@ -50,6 +45,9 @@ resource "google_vertex_ai_featurestore" "featurestore" {
   online_serving_config {
     fixed_node_count = 2
   }
+  encryption_spec {
+    kms_key_name = "kms-name"
+  }
 }
 
 resource "google_vertex_ai_featurestore_entitytype" "entity" {

website/docs/r/vertex_ai_metadata_store.html.markdown

@@ -76,7 +76,7 @@ The following arguments are supported:
 
 * `kms_key_name` -
   (Optional)
-  Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource. 
+  Required. The Cloud KMS resource identifier of the customer managed encryption key used to protect a resource.
   Has the form: projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key. The key needs to be in the same region as where the resource is created.
 
 ## Attributes Reference