
Conversation

dominic-retli-hashi

@dominic-retli-hashi dominic-retli-hashi commented Sep 15, 2025

Description

  • added data source for HYOKCustomerKeyVersion
  • added data source for HYOKEncryptedDataKey
  • added test coverage for the data sources (the tests rely on the presence of env variables to specify the IDs of the records in the database).

TODO: Update the website docs for new datasources


Testing plan

  1. Use a version of go-tfe with Hold Your Own Key Support (go-tfe#1201) and an organization with access to HYOK.
  2. Use a Terraform configuration with outputs to read the HYOK data sources via terraform plan and terraform apply.
data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
  id = "keyv-<your-id>"
}

output "customer_key_version" {
  value = data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1
}

data "tfe_hyok_encrypted_data_key" "tfe_hyok_encrypted_data_key1" {
  id = "dek-<your-id>"
}

output "tfe_hyok_encrypted_data_key" {
  value = data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1
}

Example Output of a Terraform Run:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

customer_key_version = {
  "created_at" = "2025-09-09T17:27:14Z"
  "error" = ""
  "id" = "keyv-BWZTzt2J75DsdwH8"
  "key_version" = "10"
  "status" = "available"
  "workspaces_secured" = 2
}
tfe_hyok_encrypted_data_key = {
  "created_at" = "2025-09-09T17:27:14Z"
  "customer_key_name" = "tf-rocket-hyok-oasis"
  "encrypted_dek" = "dmF1bHQ6djEwOjdFb3gzNERXQ05zNGVNelNSb09waWp3dGE4SmlNa0JjWFRsQ25KbXlRNlZWRGpCbnFtOFBvbGkvb1ZGTkQ3UVFybDNoNzBrT2hScnlHUlZS"
  "id" = "dek-wuLiejfGtNLLuiH9"
}
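The testing plan above reads the two record IDs from the environment and then checks the values the data sources return. The following Go program is an added example written for this page, not code from the PR or from terraform-provider-tfe: it reads the HYOK_CUSTOMER_KEY_VERSION_ID and HYOK_ENCRYPTED_DATA_KEY_ID variables mentioned later in the thread, validates the keyv-/dek- prefixes from the plan's placeholders before any API call, renders the plan's configuration, and decodes the sample encrypted_dek from the apply output. The decode assumes the value is a Vault transit ciphertext ("vault:v<N>:<ciphertext>"); the sample on this page decodes to exactly that shape, but nothing here documents it as a contract, so treat that part as an assumption and a consistency check only.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Environment variables named in the PR discussion: the acceptance tests read the
// record IDs from them instead of hard-coding identifiers into the test source.
const (
	envCustomerKeyVersionID = "HYOK_CUSTOMER_KEY_VERSION_ID"
	envEncryptedDataKeyID   = "HYOK_ENCRYPTED_DATA_KEY_ID"
)

// ID prefixes taken from the testing plan's placeholders ("keyv-<your-id>", "dek-<your-id>").
const (
	prefixKeyVersion = "keyv-"
	prefixDataKey    = "dek-"
)

// sampleEncryptedDEK is the encrypted_dek value copied from the PR's example apply
// output so the envelope check below can run offline.
const sampleEncryptedDEK = "dmF1bHQ6djEwOjdFb3gzNERXQ05zNGVNelNSb09waWp3dGE4SmlNa0JjWFRsQ25KbXlRNlZWRGpCbnFtOFBvbGkvb1ZGTkQ3UVFybDNoNzBrT2hScnlHUlZS"

// requireEnvID returns the value of an environment variable that must hold an ID
// with the given prefix. Returning an error lets the caller choose t.Skip when the
// variable is absent and t.Fatal when it is malformed, instead of sending a bad ID
// to the HYOK API.
func requireEnvID(name, prefix string) (string, error) {
	v := strings.TrimSpace(os.Getenv(name))
	if v == "" {
		return "", fmt.Errorf("%s is not set", name)
	}
	if !strings.HasPrefix(v, prefix) || len(v) == len(prefix) {
		return "", fmt.Errorf("%s=%q does not look like a %s<id> value", name, v, prefix)
	}
	return v, nil
}

// hyokDataSourceConfig renders the configuration from the testing plan with the two
// IDs filled in, as an acceptance test would before handing it to the provider.
func hyokDataSourceConfig(keyVersionID, dataKeyID string) string {
	return fmt.Sprintf(`
data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
  id = %q
}

output "customer_key_version" {
  value = data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1
}

data "tfe_hyok_encrypted_data_key" "tfe_hyok_encrypted_data_key1" {
  id = %q
}

output "tfe_hyok_encrypted_data_key" {
  value = data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1
}
`, keyVersionID, dataKeyID)
}

// parseVaultTransitEnvelope base64-decodes an encrypted_dek value and, on the
// ASSUMPTION that it is a Vault transit ciphertext "vault:v<N>:<ciphertext>",
// returns N. Anything else is rejected rather than guessed at.
func parseVaultTransitEnvelope(encodedDEK string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encodedDEK)
	if err != nil {
		return "", fmt.Errorf("encrypted_dek is not valid base64: %w", err)
	}
	parts := strings.SplitN(string(raw), ":", 3)
	if len(parts) != 3 || parts[0] != "vault" || len(parts[1]) < 2 || parts[1][0] != 'v' || parts[2] == "" {
		return "", errors.New("encrypted_dek does not decode to a vault:v<N>:<ciphertext> envelope")
	}
	return parts[1][1:], nil
}

// checkKeyVersionConsistency compares the version embedded in the wrapped DEK with
// the key_version reported by the customer key version data source. In the PR's
// sample both are "10"; a mismatch means the DEK was wrapped under a different
// version of the customer key than the record that was queried.
func checkKeyVersionConsistency(encodedDEK, reportedKeyVersion string) error {
	v, err := parseVaultTransitEnvelope(encodedDEK)
	if err != nil {
		return err
	}
	if v != reportedKeyVersion {
		return fmt.Errorf("encrypted_dek wrapped under key version %s, data source reports %s", v, reportedKeyVersion)
	}
	return nil
}

func main() {
	// Offline check against the sample values from the PR description (key_version "10").
	if err := checkKeyVersionConsistency(sampleEncryptedDEK, "10"); err != nil {
		fmt.Println("inconsistent:", err)
	}
	keyVersionID, err := requireEnvID(envCustomerKeyVersionID, prefixKeyVersion)
	if err != nil {
		fmt.Println("skip:", err) // an acceptance test would call t.Skip here
		return
	}
	dataKeyID, err := requireEnvID(envEncryptedDataKeyID, prefixDataKey)
	if err != nil {
		fmt.Println("skip:", err)
		return
	}
	fmt.Print(hyokDataSourceConfig(keyVersionID, dataKeyID))
}
```

If the rendered configuration is kept beyond a one-off smoke test, set `sensitive = true` on the `tfe_hyok_encrypted_data_key` output so the wrapped DEK is not echoed on every plan; Terraform still records output values in state, so the state backend's access controls remain the real boundary.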


Output from acceptance tests


TESTARGS="-run TestAccTFEHYOKCustomerKeyVersionDataSource" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKCustomerKeyVersionDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.187s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.294s [no tests to run]
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (0.93s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.266s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
TESTARGS="-run TestAccTFEHYOKEncryptedDataKeyDataSource" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKEncryptedDataKeyDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.299s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.150s [no tests to run]
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (1.12s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.439s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]


@dominic-retli-hashi dominic-retli-hashi marked this pull request as ready for review September 15, 2025 18:59
@dominic-retli-hashi dominic-retli-hashi requested a review from a team as a code owner September 15, 2025 18:59

@helenjw helenjw left a comment


I tested the data sources and they're working for me! Just a few nits and something I gotta do on the go-tfe end

@iuri-slywitch-hashicorp

iuri-slywitch-hashicorp commented Sep 18, 2025

Performed a terraform plan; it worked as expected. Here is the result:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform plan
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1: Reading...
data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1: Reading...
data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1: Read complete after 1s [id=(redacted)]
data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1: Read complete after 1s [id=(redacted)]

Changes to Outputs:
  + tfe_hyok_customer_key_version = {
      + created_at         = "2025-05-20T15:27:31Z"
      + error              = ""
      + id                 = "(redacted)"
      + key_version        = "(redacted)"
      + status             = "available"
      + workspaces_secured = 4
    }
  + tfe_hyok_encrypted_data_key   = {
      + created_at        = "2025-08-11T15:30:06Z"
      + customer_key_name = "aws-hyok-config"
      + encrypted_dek     = "(redacted)"
      + id                = "(redacted)"
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

@iuri-slywitch-hashicorp

Also, I ran the same go test cases on my end with my HYOK_CUSTOMER_KEY_VERSION_ID and HYOK_ENCRYPTED_DATA_KEY_ID; they worked as expected. Here is the result:

iurislywitch@Iuris-MacBook-Pro terraform-provider-tfe % TESTARGS="-run TestAccTFEHYOKCustomerKeyVersionDataSource" envchain STAGING_ENVCHAIN make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKCustomerKeyVersionDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.419s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.413s [no tests to run]
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (2.09s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   2.714s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
iurislywitch@Iuris-MacBook-Pro terraform-provider-tfe % TESTARGS="-run TestAccTFEHYOKEncryptedDataKeyDataSource" envchain STAGING_ENVCHAIN make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKEncryptedDataKeyDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.335s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.167s [no tests to run]
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (2.06s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   2.395s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]

@dominic-retli-hashi dominic-retli-hashi changed the base branch from main to feature/hyok September 23, 2025 20:32

@iuri-slywitch-hashicorp iuri-slywitch-hashicorp left a comment


LGTM.

@iuri-slywitch-hashicorp iuri-slywitch-hashicorp changed the title Add HYOK data sources for HYOKCustomerKeyVersion and HYOKEncryptedDataKey [TF-28674] Add HYOK data sources for HYOKCustomerKeyVersion and HYOKEncryptedDataKey Sep 25, 2025
@dominic-retli-hashi dominic-retli-hashi merged commit f192017 into feature/hyok Sep 26, 2025
19 checks passed
@dominic-retli-hashi dominic-retli-hashi deleted the dominicretli/TF-28674/hyok-data-objects branch September 26, 2025 17:34