Add support for apiConsumerDataLocation, apiConsumerDataEncryptionKeyName, and controlPlaneEncryptionKeyName in Apigee Organization. (#10412) (#7245)

[upstream:afc8edcc2789e270a220de2f39e0586a42e9f1ad]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/10412.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+apigee: add support for `api_consumer_data_location`, `api_consumer_data_encryption_key_name`, and `control_plane_encryption_key_name` in `google_apigee_organization`
+```

google-beta/services/apigee/resource_apigee_organization.go

@@ -62,6 +62,20 @@ func ResourceApigeeOrganization() *schema.Resource {
 				ForceNew:    true,
 				Description: `Primary GCP region for analytics data storage. For valid values, see [Create an Apigee organization](https://cloud.google.com/apigee/docs/api-platform/get-started/create-org).`,
 			},
+			"api_consumer_data_encryption_key_name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+				Description: `Cloud KMS key name used for encrypting API consumer data.`,
+			},
+			"api_consumer_data_location": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Description: `This field is needed only for customers using non-default data residency regions.
+Apigee stores some control plane data only in single region.
+This field determines which single region Apigee should use.`,
+			},
 			"authorized_network": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -76,6 +90,13 @@ Valid only when 'RuntimeType' is set to CLOUD. The value can be updated only whe
 				ForceNew:    true,
 				Description: `Billing type of the Apigee organization. See [Apigee pricing](https://cloud.google.com/apigee/pricing).`,
 			},
+			"control_plane_encryption_key_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Description: `Cloud KMS key name used for encrypting control plane data that is stored in a multi region.
+Only used for the data residency region "US" or "EU".`,
+			},
 			"description": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -205,6 +226,24 @@ func resourceApigeeOrganizationCreate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("analytics_region"); !tpgresource.IsEmptyValue(reflect.ValueOf(analyticsRegionProp)) && (ok || !reflect.DeepEqual(v, analyticsRegionProp)) {
 		obj["analyticsRegion"] = analyticsRegionProp
 	}
+	apiConsumerDataLocationProp, err := expandApigeeOrganizationApiConsumerDataLocation(d.Get("api_consumer_data_location"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("api_consumer_data_location"); !tpgresource.IsEmptyValue(reflect.ValueOf(apiConsumerDataLocationProp)) && (ok || !reflect.DeepEqual(v, apiConsumerDataLocationProp)) {
+		obj["apiConsumerDataLocation"] = apiConsumerDataLocationProp
+	}
+	apiConsumerDataEncryptionKeyNameProp, err := expandApigeeOrganizationApiConsumerDataEncryptionKeyName(d.Get("api_consumer_data_encryption_key_name"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("api_consumer_data_encryption_key_name"); !tpgresource.IsEmptyValue(reflect.ValueOf(apiConsumerDataEncryptionKeyNameProp)) && (ok || !reflect.DeepEqual(v, apiConsumerDataEncryptionKeyNameProp)) {
+		obj["apiConsumerDataEncryptionKeyName"] = apiConsumerDataEncryptionKeyNameProp
+	}
+	controlPlaneEncryptionKeyNameProp, err := expandApigeeOrganizationControlPlaneEncryptionKeyName(d.Get("control_plane_encryption_key_name"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("control_plane_encryption_key_name"); !tpgresource.IsEmptyValue(reflect.ValueOf(controlPlaneEncryptionKeyNameProp)) && (ok || !reflect.DeepEqual(v, controlPlaneEncryptionKeyNameProp)) {
+		obj["controlPlaneEncryptionKeyName"] = controlPlaneEncryptionKeyNameProp
+	}
 	authorizedNetworkProp, err := expandApigeeOrganizationAuthorizedNetwork(d.Get("authorized_network"), d, config)
 	if err != nil {
 		return err
@@ -355,6 +394,15 @@ func resourceApigeeOrganizationRead(d *schema.ResourceData, meta interface{}) er
 	if err := d.Set("analytics_region", flattenApigeeOrganizationAnalyticsRegion(res["analyticsRegion"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Organization: %s", err)
 	}
+	if err := d.Set("api_consumer_data_location", flattenApigeeOrganizationApiConsumerDataLocation(res["apiConsumerDataLocation"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Organization: %s", err)
+	}
+	if err := d.Set("api_consumer_data_encryption_key_name", flattenApigeeOrganizationApiConsumerDataEncryptionKeyName(res["apiConsumerDataEncryptionKeyName"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Organization: %s", err)
+	}
+	if err := d.Set("control_plane_encryption_key_name", flattenApigeeOrganizationControlPlaneEncryptionKeyName(res["controlPlaneEncryptionKeyName"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Organization: %s", err)
+	}
 	if err := d.Set("authorized_network", flattenApigeeOrganizationAuthorizedNetwork(res["authorizedNetwork"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Organization: %s", err)
 	}
@@ -414,6 +462,24 @@ func resourceApigeeOrganizationUpdate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("analytics_region"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, analyticsRegionProp)) {
 		obj["analyticsRegion"] = analyticsRegionProp
 	}
+	apiConsumerDataLocationProp, err := expandApigeeOrganizationApiConsumerDataLocation(d.Get("api_consumer_data_location"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("api_consumer_data_location"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, apiConsumerDataLocationProp)) {
+		obj["apiConsumerDataLocation"] = apiConsumerDataLocationProp
+	}
+	apiConsumerDataEncryptionKeyNameProp, err := expandApigeeOrganizationApiConsumerDataEncryptionKeyName(d.Get("api_consumer_data_encryption_key_name"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("api_consumer_data_encryption_key_name"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, apiConsumerDataEncryptionKeyNameProp)) {
+		obj["apiConsumerDataEncryptionKeyName"] = apiConsumerDataEncryptionKeyNameProp
+	}
+	controlPlaneEncryptionKeyNameProp, err := expandApigeeOrganizationControlPlaneEncryptionKeyName(d.Get("control_plane_encryption_key_name"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("control_plane_encryption_key_name"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, controlPlaneEncryptionKeyNameProp)) {
+		obj["controlPlaneEncryptionKeyName"] = controlPlaneEncryptionKeyNameProp
+	}
 	authorizedNetworkProp, err := expandApigeeOrganizationAuthorizedNetwork(d.Get("authorized_network"), d, config)
 	if err != nil {
 		return err
@@ -598,6 +664,18 @@ func flattenApigeeOrganizationAnalyticsRegion(v interface{}, d *schema.ResourceD
 	return v
 }
 
+func flattenApigeeOrganizationApiConsumerDataLocation(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenApigeeOrganizationApiConsumerDataEncryptionKeyName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenApigeeOrganizationControlPlaneEncryptionKeyName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenApigeeOrganizationAuthorizedNetwork(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -684,6 +762,18 @@ func expandApigeeOrganizationAnalyticsRegion(v interface{}, d tpgresource.Terraf
 	return v, nil
 }
 
+func expandApigeeOrganizationApiConsumerDataLocation(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandApigeeOrganizationApiConsumerDataEncryptionKeyName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandApigeeOrganizationControlPlaneEncryptionKeyName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandApigeeOrganizationAuthorizedNetwork(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

google-beta/services/apigee/resource_apigee_organization_generated_test.go

@@ -593,6 +593,157 @@ resource "google_apigee_organization" "org" {
 `, context)
 }
 
+func TestAccApigeeOrganization_apigeeOrganizationDrzTestExample(t *testing.T) {
+	acctest.SkipIfVcr(t)
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":          envvar.GetTestOrgFromEnv(t),
+		"billing_account": envvar.GetTestBillingAccountFromEnv(t),
+		"random_suffix":   acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckApigeeOrganizationDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccApigeeOrganization_apigeeOrganizationDrzTestExample(context),
+			},
+			{
+				ResourceName:            "google_apigee_organization.org",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"project_id", "retention"},
+			},
+		},
+	})
+}
+
+func testAccApigeeOrganization_apigeeOrganizationDrzTestExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+provider "google-beta" {
+  apigee_custom_endpoint = "https://eu-apigee.googleapis.com/v1/"
+}
+
+resource "google_project" "project" {
+  provider = google-beta
+
+  project_id      = "tf-test%{random_suffix}"
+  name            = "tf-test%{random_suffix}"
+  org_id          = "%{org_id}"
+  billing_account = "%{billing_account}"
+}
+
+resource "google_project_service" "apigee" {
+  provider = google-beta
+
+  project = google_project.project.project_id
+  service = "apigee.googleapis.com"
+}
+
+resource "google_project_service" "compute" {
+  provider = google-beta
+
+  project = google_project.project.project_id
+  service = "compute.googleapis.com"
+}
+
+resource "google_project_service" "servicenetworking" {
+  provider = google-beta
+
+  project = google_project.project.project_id
+  service = "servicenetworking.googleapis.com"
+}
+
+resource "google_project_service" "kms" {
+  provider = google-beta
+
+  project = google_project.project.project_id
+  service = "cloudkms.googleapis.com"
+}
+
+resource "google_compute_network" "apigee_network" {
+  provider = google-beta
+
+  name       = "apigee-network"
+  project    = google_project.project.project_id
+  depends_on = [google_project_service.compute]
+}
+
+resource "google_compute_global_address" "apigee_range" {
+  provider = google-beta
+
+  name          = "apigee-range"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  prefix_length = 16
+  network       = google_compute_network.apigee_network.id
+  project       = google_project.project.project_id
+}
+
+resource "google_service_networking_connection" "apigee_vpc_connection" {
+  provider = google-beta
+
+  network                 = google_compute_network.apigee_network.id
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.apigee_range.name]
+  depends_on              = [google_project_service.servicenetworking]
+}
+
+resource "google_kms_key_ring" "apigee_keyring" {
+  provider = google-beta
+
+  name       = "apigee-keyring"
+  location   = "europe-central2"
+  project    = google_project.project.project_id
+  depends_on = [google_project_service.kms]
+}
+
+resource "google_kms_crypto_key" "apigee_key" {
+  provider = google-beta
+
+  name            = "apigee-key"
+  key_ring        = google_kms_key_ring.apigee_keyring.id
+}
+
+resource "google_project_service_identity" "apigee_sa" {
+  provider = google-beta
+
+  project = google_project.project.project_id
+  service = google_project_service.apigee.service
+}
+
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
+  provider = google-beta
+
+  crypto_key_id = google_kms_crypto_key.apigee_key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
+}
+
+resource "google_apigee_organization" "org" {
+  provider = google-beta
+
+  api_consumer_data_location            = "europe-central2"
+  project_id                            = google_project.project.project_id
+  authorized_network                    = google_compute_network.apigee_network.id
+  billing_type                          = "PAYG"
+  runtime_database_encryption_key_name  = google_kms_crypto_key.apigee_key.id
+  api_consumer_data_encryption_key_name = google_kms_crypto_key.apigee_key.id
+  retention                             = "MINIMUM"
+
+  depends_on = [
+    google_service_networking_connection.apigee_vpc_connection,
+    google_project_service.apigee,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
+  ]
+}
+`, context)
+}
+
 func testAccCheckApigeeOrganizationDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

website/docs/r/apigee_organization.html.markdown

@@ -209,6 +209,21 @@ The following arguments are supported:
   (Optional)
   Primary GCP region for analytics data storage. For valid values, see [Create an Apigee organization](https://cloud.google.com/apigee/docs/api-platform/get-started/create-org).
 
+* `api_consumer_data_location` -
+  (Optional)
+  This field is needed only for customers using non-default data residency regions.
+  Apigee stores some control plane data only in single region.
+  This field determines which single region Apigee should use.
+
+* `api_consumer_data_encryption_key_name` -
+  (Optional)
+  Cloud KMS key name used for encrypting API consumer data.
+
+* `control_plane_encryption_key_name` -
+  (Optional)
+  Cloud KMS key name used for encrypting control plane data that is stored in a multi region.
+  Only used for the data residency region "US" or "EU".
+
 * `authorized_network` -
   (Optional)
   Compute Engine network used for Service Networking to be peered with Apigee runtime instances.