Promote autokey resources to GA (#14202) (#23490)

[upstream:b73b0711add34806fd501319f8bf517f86eb2513]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14202.txt

@@ -0,0 +1,19 @@
+```release-note:new-resource
+`google_kms_autokey_config` (ga)
+```
+
+```release-note:new-resource
+`google_kms_key_handle` (ga)
+```
+
+```release-note:new-datasource
+`google_kms_autokey_config` (ga)
+```
+
+```release-note:new-datasource
+`google_kms_key_handle` (ga)
+```
+
+```release-note:new-datasource
+`google_kms_key_handles` (ga)
+```

google/acctest/bootstrap_test_utils.go

@@ -27,6 +27,10 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/terraform-provider-google/google/services/kms"
+	tpgservicusage "github.com/hashicorp/terraform-provider-google/google/services/serviceusage"
+	resourceManagerV3 "google.golang.org/api/cloudresourcemanager/v3"
+
 	"github.com/hashicorp/terraform-provider-google/google/envvar"
 	tpgcompute "github.com/hashicorp/terraform-provider-google/google/services/compute"
 	"github.com/hashicorp/terraform-provider-google/google/services/privateca"
@@ -50,6 +54,10 @@ import (
 
 var SharedKeyRing = "tftest-shared-keyring-1"
 
+var DefaultKeyHandleName = "eed58b7b-20ad-4da8-ad85-ba78a0d5ab87"
+var DefaultKeyHandleResourceType = "compute.googleapis.com/Disk"
+var CloudKmsSrviceName = "cloudkms.googleapis.com"
+
 var SharedCryptoKey = map[string]string{
 	"ENCRYPT_DECRYPT":    "tftest-shared-key-1",
 	"ASYMMETRIC_SIGN":    "tftest-shared-sign-key-1",
@@ -91,6 +99,240 @@ func BootstrapKMSKeyWithPurposeInLocation(t *testing.T, purpose, locationID stri
 	return BootstrapKMSKeyWithPurposeInLocationAndName(t, purpose, locationID, SharedCryptoKey[purpose])
 }
 
+type BootstrappedKMSAutokey struct {
+	*cloudkms.AutokeyConfig
+	*cloudkms.KeyHandle
+}
+
+func BootstrapKMSAutokeyKeyHandle(t *testing.T) BootstrappedKMSAutokey {
+	return BootstrapKMSAutokeyKeyHandleWithLocation(t, "global")
+}
+
+func BootstrapKMSAutokeyKeyHandleWithLocation(t *testing.T, locationID string) BootstrappedKMSAutokey {
+	config := BootstrapConfig(t)
+	if config == nil {
+		return BootstrappedKMSAutokey{
+			&cloudkms.AutokeyConfig{},
+			&cloudkms.KeyHandle{},
+		}
+	}
+
+	autokeyFolder, kmsProject, resourceProject := setupAutokeyTestResources(t, config)
+
+	// Enable autokey on autokey test folder
+	kmsClient := config.NewKmsClient(config.UserAgent)
+	autokeyConfigID := fmt.Sprintf("%s/autokeyConfig", autokeyFolder.Name)
+	autokeyConfig, err := kmsClient.Folders.UpdateAutokeyConfig(autokeyConfigID, &cloudkms.AutokeyConfig{
+		KeyProject: fmt.Sprintf("projects/%s", kmsProject.ProjectId),
+	}).UpdateMask("keyProject").Do()
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot enable autokey on autokey test folder: %s", err)
+	}
+
+	keyHandleParent := fmt.Sprintf("projects/%s/locations/%s", resourceProject.ProjectId, locationID)
+	keyHandleName := fmt.Sprintf("%s/keyHandles/%s", keyHandleParent, DefaultKeyHandleName)
+
+	// Get or Create the hard coded keyHandle for testing
+	keyHandle, err := kmsClient.Projects.Locations.KeyHandles.Get(keyHandleName).Do()
+
+	if err != nil {
+		if transport_tpg.IsGoogleApiErrorWithCode(err, 404) {
+			newKeyHandle := cloudkms.KeyHandle{
+				ResourceTypeSelector: DefaultKeyHandleResourceType,
+			}
+
+			keyHandleOp, err := kmsClient.Projects.Locations.KeyHandles.Create(keyHandleParent, &newKeyHandle).KeyHandleId(DefaultKeyHandleName).Do()
+			if err != nil {
+				t.Errorf("unable to bootstrap KMS keyHandle. Cannot create new KeyHandle: %s", err)
+			}
+
+			opAsMap, err := tpgresource.ConvertToMap(keyHandleOp)
+			if err != nil {
+				t.Errorf("unable to bootstrap KMS keyHandle. Cannot get operation map: %s", err)
+			}
+
+			var response map[string]interface{}
+			err = kms.KMSOperationWaitTimeWithResponse(config, opAsMap, &response, resourceProject.ProjectId, "creating keyHandle", config.UserAgent, time.Duration(5)*time.Minute)
+			if err != nil {
+				t.Errorf("unable to bootstrap KMS keyHandle. Cannot wait for create keyhandle operation: %s", err)
+			}
+			keyHandle = &cloudkms.KeyHandle{
+				Name:                 response["name"].(string),
+				KmsKey:               response["kmsKey"].(string),
+				ResourceTypeSelector: response["resourceTypeSelector"].(string),
+			}
+		} else {
+			t.Errorf("unable to bootstrap KMS keyHandle. Cannot call KeyHandle service: %s", err)
+		}
+	}
+
+	if keyHandle == nil {
+		t.Fatalf("unable to bootstrap KMS keyHandle. KeyHandle is nil!")
+	}
+
+	return BootstrappedKMSAutokey{
+		autokeyConfig,
+		keyHandle,
+	}
+}
+
+func setupAutokeyTestResources(t *testing.T, config *transport_tpg.Config) (*resourceManagerV3.Folder, *cloudresourcemanager.Project, *cloudresourcemanager.Project) {
+	projectIDSuffix := strings.Replace(envvar.GetTestProjectFromEnv(), "ci-test-project-", "", 1)
+	defaultAutokeyTestFolderName := fmt.Sprintf("autokeytest-%s-fd", projectIDSuffix)
+	defaultAutokeyTestKmsProject := fmt.Sprintf("test-kms-%s-prj", projectIDSuffix)
+	defaultAutokeyTestResourceProject := fmt.Sprintf("test-res-%s-prj", projectIDSuffix)
+
+	curUserEmail, err := transport_tpg.GetCurrentUserEmail(config, config.UserAgent)
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot get current usr: %s", err)
+	}
+	// create a folder to configure autokey config and resource folder
+	autokeyFolder := BootstrapFolder(t, defaultAutokeyTestFolderName)
+	parent := &cloudresourcemanager.ResourceId{
+		Type: "folder",
+		Id:   strings.Split(autokeyFolder.Name, "/")[1],
+	}
+	// create and setup kms project for hosting keyring and keys for autokey
+	kmsProject := BootstrapProjectWithParent(t, defaultAutokeyTestKmsProject, envvar.GetTestBillingAccountFromEnv(t), parent, []string{CloudKmsSrviceName})
+	kmsProjectID := fmt.Sprintf("projects/%s", kmsProject.ProjectId)
+	kmsSAEmail, err := GenerateCloudKmsServiceIdentity(config, fmt.Sprintf("%v", kmsProject.ProjectNumber))
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot create cloudkms service identity: %s", err)
+	}
+	err = addFolderBinding2(config.NewResourceManagerV3Client(config.UserAgent), autokeyFolder.Name, fmt.Sprintf("user:%s", curUserEmail), []string{"roles/cloudkms.admin"})
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot assign cloudkms.admin role to current user on autokey test folder: %s", err)
+	}
+	err = addProjectBinding(config.NewResourceManagerV3Client(config.UserAgent), kmsProjectID, fmt.Sprintf("user:%s", curUserEmail), []string{"roles/resourcemanager.projectIamAdmin", "roles/cloudkms.admin"})
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot assign cloudkms.admin and projectIamAdmin role to current user on kms project: %s", err)
+	}
+	err = addProjectBinding(config.NewResourceManagerV3Client(config.UserAgent), kmsProjectID, fmt.Sprintf("serviceAccount:%s", kmsSAEmail), []string{"roles/cloudkms.admin"})
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot assign cloudkms.admin role to cloudkms service identity on kms project: %s", err)
+	}
+
+	// create and setup resource folder to host keyhandle
+	resourceProject := BootstrapProjectWithParent(t, defaultAutokeyTestResourceProject, envvar.GetTestBillingAccountFromEnv(t), parent, []string{})
+	return autokeyFolder, kmsProject, resourceProject
+}
+
+// GenerateCloudKmsServiceIdentity generates cloud kms service identity within a project
+func GenerateCloudKmsServiceIdentity(config *transport_tpg.Config, projectNum string) (string, error) {
+	url := fmt.Sprintf("https://serviceusage.googleapis.com/v1beta1/projects/%s/services/%s:generateServiceIdentity", projectNum, CloudKmsSrviceName)
+
+	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "POST",
+		Project:   projectNum,
+		RawURL:    url,
+		UserAgent: config.UserAgent,
+		Timeout:   time.Minute * 4,
+	})
+	if err != nil {
+		return "", fmt.Errorf("error creating cloudkms service identity: %s", err)
+	}
+
+	var opRes map[string]interface{}
+	err = tpgservicusage.ServiceUsageOperationWaitTimeWithResponse(
+		config, res, &opRes, projectNum, "Creating cloudkms service identity", config.UserAgent,
+		time.Minute*4)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("service-%[email protected]", projectNum), nil
+}
+
+func addProjectBinding(crmService *resourceManagerV3.Service, projectID string, member string, roles []string) error {
+	return addBinding(crmService, "project", projectID, member, roles)
+}
+
+func addFolderBinding2(crmService *resourceManagerV3.Service, folderID string, member string, roles []string) error {
+	return addBinding(crmService, "folder", folderID, member, roles)
+}
+
+// addBinding adds the member to the project's IAM policy
+func addBinding(crmService *resourceManagerV3.Service, resourceType string, resourceID string, member string, roles []string) error {
+
+	policy, err := getPolicy(crmService, resourceType, resourceID)
+	if err != nil {
+		return err
+	}
+
+	// Find the policy binding for role. Only one binding can have the role.
+	var binding *resourceManagerV3.Binding
+	for _, role := range roles {
+		for _, b := range policy.Bindings {
+			if b.Role == role {
+				binding = b
+				break
+			}
+		}
+
+		if binding != nil {
+			// If the binding exists, adds the member to the binding
+			binding.Members = append(binding.Members, member)
+		} else {
+			// If the binding does not exist, adds a new binding to the policy
+			binding = &resourceManagerV3.Binding{
+				Role:    role,
+				Members: []string{member},
+			}
+			policy.Bindings = append(policy.Bindings, binding)
+		}
+	}
+	setPolicy(crmService, resourceType, resourceID, policy)
+	return nil
+}
+
+// getPolicy gets the IAM policy on input resourceID
+// resourceType can be "project" or "folder"
+func getPolicy(crmService *resourceManagerV3.Service, resourceType string, resourceID string) (*resourceManagerV3.Policy, error) {
+
+	ctx := context.Background()
+
+	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
+	defer cancel()
+	request := new(resourceManagerV3.GetIamPolicyRequest)
+	var policy *resourceManagerV3.Policy
+	var err error
+	if resourceType == "project" {
+		policy, err = crmService.Projects.GetIamPolicy(resourceID, request).Do()
+	} else if resourceType == "folder" {
+		policy, err = crmService.Folders.GetIamPolicy(resourceID, request).Do()
+	} else {
+		return nil, fmt.Errorf("invalid resourceType, supported values: project or folder")
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error getting iam policy: %s", err)
+	}
+	return policy, nil
+}
+
+// setPolicy sets the IAM policy on input resourceID
+// resourceType can be "project" or "folder"
+func setPolicy(crmService *resourceManagerV3.Service, resourceType string, resourceID string, policy *resourceManagerV3.Policy) error {
+
+	ctx := context.Background()
+
+	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
+	defer cancel()
+	request := new(resourceManagerV3.SetIamPolicyRequest)
+	request.Policy = policy
+	var err error
+	if resourceType == "project" {
+		_, err = crmService.Projects.SetIamPolicy(resourceID, request).Do()
+	} else if resourceType == "folder" {
+		_, err = crmService.Folders.SetIamPolicy(resourceID, request).Do()
+	} else {
+		return fmt.Errorf("invalid resourceType, supported values: project or folder")
+	}
+	if err != nil {
+		return fmt.Errorf("error setting iam policy: %s", err)
+	}
+	return nil
+}
+
 func BootstrapKMSKeyWithPurposeInLocationAndName(t *testing.T, purpose, locationID, keyShortName string) BootstrappedKMS {
 	config := BootstrapConfig(t)
 	if config == nil {
@@ -645,6 +887,55 @@ func BootstrapServicePerimeterProjects(t *testing.T, desiredProjects int) []*clo
 	return projects
 }
 
+// BootstrapFolder creates or get a folder having a input folderDisplayName within a TestOrgEnv
+func BootstrapFolder(t *testing.T, folderDisplayName string) *resourceManagerV3.Folder {
+	config := BootstrapConfig(t)
+	if config == nil {
+		return nil
+	}
+
+	crmClient := config.NewResourceManagerV3Client(config.UserAgent)
+	searchQuery := fmt.Sprintf("displayName=%s", folderDisplayName)
+	folderSearchResp, err := crmClient.Folders.Search().Query(searchQuery).Do()
+	if err != nil {
+		t.Fatalf("error searching for folder with displayName: %s", folderDisplayName)
+	}
+	var folder *resourceManagerV3.Folder
+	if len(folderSearchResp.Folders) == 0 {
+		op, err := crmClient.Folders.Create(&resourceManagerV3.Folder{
+			DisplayName: folderDisplayName,
+			Parent:      fmt.Sprintf("organizations/%s", envvar.GetTestOrgFromEnv(t)),
+		}).Do()
+		if err != nil {
+			t.Fatalf("error bootstrapping test folder: %s", err)
+		}
+
+		opAsMap, err := tpgresource.ConvertToMap(op)
+		if err != nil {
+			t.Fatalf("error converting folder operation map: %s", err)
+		}
+		var responseMap map[string]interface{}
+		err = resourcemanager.ResourceManagerOperationWaitTimeWithResponse(config, opAsMap, &responseMap, "creating folder", config.UserAgent, 4*time.Minute)
+		if err != nil {
+			t.Fatalf("error waiting for create folder operation: %s", err)
+		}
+		folder, err = crmClient.Folders.Get(responseMap["name"].(string)).Do()
+		if err != nil {
+			t.Fatalf("error getting folder: %s", err)
+		}
+	} else {
+		folder = folderSearchResp.Folders[0]
+	}
+
+	if folder.State == "DELETE_REQUESTED" {
+		_, err := crmClient.Folders.Undelete(folder.Name, &resourceManagerV3.UndeleteFolderRequest{}).Do()
+		if err != nil {
+			t.Fatalf("error undeleting folder: %s", err)
+		}
+	}
+	return folder
+}
+
 // BootstrapProject will create or get a project named
 // "<projectIDPrefix><projectIDSuffix>" that will persist across test runs,
 // where projectIDSuffix is based off of getTestProjectFromEnv(). The reason

google/provider/provider_mmv1_resources.go

@@ -307,6 +307,9 @@ var handwrittenDatasources = map[string]*schema.Resource{
 	"google_kms_crypto_key_versions":                             kms.DataSourceGoogleKmsCryptoKeyVersions(),
 	"google_kms_key_ring":                                        kms.DataSourceGoogleKmsKeyRing(),
 	"google_kms_key_rings":                                       kms.DataSourceGoogleKmsKeyRings(),
+	"google_kms_key_handle":                                      kms.DataSourceGoogleKmsKeyHandle(),
+	"google_kms_autokey_config":                                  kms.DataSourceGoogleKmsAutokeyConfig(),
+	"google_kms_key_handles":                                     kms.DataSourceGoogleKmsKeyHandles(),
 	"google_kms_secret":                                          kms.DataSourceGoogleKmsSecret(),
 	"google_kms_secret_ciphertext":                               kms.DataSourceGoogleKmsSecretCiphertext(),
 	"google_folder":                                              resourcemanager.DataSourceGoogleFolder(),
@@ -544,9 +547,9 @@ var handwrittenIAMDatasources = map[string]*schema.Resource{
 }
 
 // Resources
-// Generated resources: 626
+// Generated resources: 628
 // Generated IAM resources: 309
-// Total generated resources: 935
+// Total generated resources: 937
 var generatedResources = map[string]*schema.Resource{
 	"google_folder_access_approval_settings":                                     accessapproval.ResourceAccessApprovalFolderSettings(),
 	"google_organization_access_approval_settings":                               accessapproval.ResourceAccessApprovalOrganizationSettings(),
@@ -1179,12 +1182,14 @@ var generatedResources = map[string]*schema.Resource{
 	"google_integration_connectors_managed_zone":                                 integrationconnectors.ResourceIntegrationConnectorsManagedZone(),
 	"google_integrations_auth_config":                                            integrations.ResourceIntegrationsAuthConfig(),
 	"google_integrations_client":                                                 integrations.ResourceIntegrationsClient(),
+	"google_kms_autokey_config":                                                  kms.ResourceKMSAutokeyConfig(),
 	"google_kms_crypto_key":                                                      kms.ResourceKMSCryptoKey(),
 	"google_kms_crypto_key_version":                                              kms.ResourceKMSCryptoKeyVersion(),
 	"google_kms_ekm_connection":                                                  kms.ResourceKMSEkmConnection(),
 	"google_kms_ekm_connection_iam_binding":                                      tpgiamresource.ResourceIamBinding(kms.KMSEkmConnectionIamSchema, kms.KMSEkmConnectionIamUpdaterProducer, kms.KMSEkmConnectionIdParseFunc),
 	"google_kms_ekm_connection_iam_member":                                       tpgiamresource.ResourceIamMember(kms.KMSEkmConnectionIamSchema, kms.KMSEkmConnectionIamUpdaterProducer, kms.KMSEkmConnectionIdParseFunc),
 	"google_kms_ekm_connection_iam_policy":                                       tpgiamresource.ResourceIamPolicy(kms.KMSEkmConnectionIamSchema, kms.KMSEkmConnectionIamUpdaterProducer, kms.KMSEkmConnectionIdParseFunc),
+	"google_kms_key_handle":                                                      kms.ResourceKMSKeyHandle(),
 	"google_kms_key_ring":                                                        kms.ResourceKMSKeyRing(),
 	"google_kms_key_ring_import_job":                                             kms.ResourceKMSKeyRingImportJob(),
 	"google_kms_secret_ciphertext":                                               kms.ResourceKMSSecretCiphertext(),