Add HYOK data sources for HYOKCustomerKeyVersion and HYOKEncryptedDataKey

[dominic-retli-hashi]

Description

• added data source for HYOKCustomerKeyVersion
• added data source for HYOKEncryptedDataKey
• added test coverage for the data sources (the tests rely on the presence of env variables to speicify the IDs of the records in the database).

TODO: Update the website docs for new datasources

Remember to:

• Update the Change Log
• Update the Documentation

Testing plan

1. Using a version of Hold Your Own Key Support go-tfe#1201 and using an organization with access to HYOK
2. Use a terraform configuration with outputs to read HYOK data source via terraform plan and terraform apply.

data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
  id = "keyv-<your-id>"
}

output "customer_key_version" {
  value = data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1
}

data "tfe_hyok_encrypted_data_key" "tfe_hyok_encrypted_data_key1" {
  id = "dek-<your-id>"
}

output "tfe_hyok_encrypted_data_key" {
  value = data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1
}

Example Output of a Terraform Run:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

customer_key_version = {
  "created_at" = "2025-09-09T17:27:14Z"
  "error" = ""
  "id" = "keyv-BWZTzt2J75DsdwH8"
  "key_version" = "10"
  "status" = "available"
  "workspaces_secured" = 2
}
tfe_hyok_encrypted_data_key = {
  "created_at" = "2025-09-09T17:27:14Z"
  "customer_key_name" = "tf-rocket-hyok-oasis"
  "encrypted_dek" = "dmF1bHQ6djEwOjdFb3gzNERXQ05zNGVNelNSb09waWp3dGE4SmlNa0JjWFRsQ25KbXlRNlZWRGpCbnFtOFBvbGkvb1ZGTkQ3UVFybDNoNzBrT2hScnlHUlZS"
  "id" = "dek-wuLiejfGtNLLuiH9"
}

External links

Include any links here that might be helpful for people reviewing your PR. If there are none, feel free to delete this section.

• go-tfe documentation
• API documentation
• Related PR
  JIRA

Output from acceptance tests

Please run applicable acceptance tests locally and include the output here. See testing.md to learn how to run acceptance tests.

If you are an external contributor, your contribution(s) will first be reviewed before running them against the project's CI pipeline.

TESTARGS="-run TestAccTFEHYOKCustomerKeyVersionDataSource" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKCustomerKeyVersionDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.187s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.294s [no tests to run]
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (0.93s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.266s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

TESTARGS="-run TestAccTFEHYOKEncryptedDataKeyDataSource" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKEncryptedDataKeyDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.299s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.150s [no tests to run]
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (1.12s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.439s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

Rollback Plan

Changes to Security Controls

[helenjw]

I tested the data sources and they're working for me! Just a few nits and something I gotta do on the go-tfe end

[helenjw]

Nit: this can probably be removed!

[helenjw]

Non blocker: but it seems like some other id examples do not include <>. (eg. website/docs/d/team_project_access.html.markdown)

So maybe something like

Suggested change

	id = "keyv-<your-id>"
	id = "my-key-version-id"

[iuri-slywitch-hashicorp]

Helen, that's because the customer key version follows the pattern "keyv-####" where # is some id.

[helenjw]

This and the section at website/docs/d/hyok_encrypted_data_key.markdown should probably be changed from agent pool stuff

[iuri-slywitch-hashicorp]

should we have that same condition Helen's PR for "Resource not found" if-statement?

[iuri-slywitch-hashicorp]

performed a terraform plan, worked as expected, here is the result:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform plan
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1: Reading...
data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1: Reading...
data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1: Read complete after 1s [id=(redacted)]
data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1: Read complete after 1s [id=(redacted)]

Changes to Outputs:
  + tfe_hyok_customer_key_version = {
      + created_at         = "2025-05-20T15:27:31Z"
      + error              = ""
      + id                 = "(redacted)"
      + key_version        = "(redacted)"
      + status             = "available"
      + workspaces_secured = 4
    }
  + tfe_hyok_encrypted_data_key   = {
      + created_at        = "2025-08-11T15:30:06Z"
      + customer_key_name = "aws-hyok-config"
      + encrypted_dek     = "(redacted)"
      + id                = "(redacted)"
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

[iuri-slywitch-hashicorp]

also, I ran the same go test cases on my end with my HYOK_CUSTOMER_KEY_VERSION_ID and HYOK_ENCRYPTED_DATA_KEY_ID, worked as expected, here is the result:

iurislywitch@Iuris-MacBook-Pro terraform-provider-tfe % TESTARGS="-run TestAccTFEHYOKCustomerKeyVersionDataSource" envchain STAGING_ENVCHAIN make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKCustomerKeyVersionDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.419s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.413s [no tests to run]
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (2.09s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   2.714s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
iurislywitch@Iuris-MacBook-Pro terraform-provider-tfe % TESTARGS="-run TestAccTFEHYOKEncryptedDataKeyDataSource" envchain STAGING_ENVCHAIN make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKEncryptedDataKeyDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.335s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.167s [no tests to run]
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (2.06s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   2.395s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]