Conversation

@dominic-retli-hashi dominic-retli-hashi commented Sep 15, 2025

Description

  • added data source for HYOKCustomerKeyVersion
  • added data source for HYOKEncryptedDataKey
  • added test coverage for the data sources (the tests rely on the presence of env variables to specify the IDs of the records in the database).

TODO: Update the website docs for new datasources

Remember to:

Testing plan

  1. Using a version of Hold Your Own Key Support go-tfe#1201 and using an organization with access to HYOK
  2. Use a terraform configuration with outputs to read HYOK data source via terraform plan and terraform apply.
```hcl
data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
  id = "keyv-<your-id>"
}

output "customer_key_version" {
  value = data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1
}

data "tfe_hyok_encrypted_data_key" "tfe_hyok_encrypted_data_key1" {
  id = "dek-<your-id>"
}

output "tfe_hyok_encrypted_data_key" {
  value = data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1
}
```

Example Output of a Terraform Run:

```text
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

customer_key_version = {
  "created_at" = "2025-09-09T17:27:14Z"
  "error" = ""
  "id" = "keyv-BWZTzt2J75DsdwH8"
  "key_version" = "10"
  "status" = "available"
  "workspaces_secured" = 2
}
tfe_hyok_encrypted_data_key = {
  "created_at" = "2025-09-09T17:27:14Z"
  "customer_key_name" = "tf-rocket-hyok-oasis"
  "encrypted_dek" = "dmF1bHQ6djEwOjdFb3gzNERXQ05zNGVNelNSb09waWp3dGE4SmlNa0JjWFRsQ25KbXlRNlZWRGpCbnFtOFBvbGkvb1ZGTkQ3UVFybDNoNzBrT2hScnlHUlZS"
  "id" = "dek-wuLiejfGtNLLuiH9"
}
```
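The `encrypted_dek` value in the output above base64-decodes to a Vault transit ciphertext of the form `vault:v10:<payload>`, i.e. the same version that `key_version` reports for the customer key. The Go snippet below is an added example, not code from this PR or from the provider: it parses that attribute and flags a DEK that was wrapped under an older transit key version than the customer key version currently reported, which is the consistency check an operator wants after a key rotation. The function names and the assumption that the DEK was wrapped by a Vault transit key are mine; ciphertext from other HYOK key providers is reported as unparsed rather than guessed at.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strconv"
)

// Sample values copied from the example Terraform output above, used here as test data only.
const (
	sampleKeyVersion   = 10
	sampleEncryptedDEK = "dmF1bHQ6djEwOjdFb3gzNERXQ05zNGVNelNSb09waWp3dGE4SmlNa0JjWFRsQ25KbXlRNlZWRGpCbnFtOFBvbGkvb1ZGTkQ3UVFybDNoNzBrT2hScnlHUlZS"
)

// vaultCiphertext matches Vault transit output: "vault:v<N>:<base64 payload>".
var vaultCiphertext = regexp.MustCompile(`^vault:v(\d+):([A-Za-z0-9+/]+=*)$`)

// ParseEncryptedDEK base64-decodes an encrypted_dek attribute and, when the decoded value
// is a Vault transit ciphertext, returns the transit key version and the raw wrapped bytes.
func ParseEncryptedDEK(encoded string) (version int, wrapped []byte, err error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return 0, nil, fmt.Errorf("encrypted_dek is not valid base64: %w", err)
	}
	m := vaultCiphertext.FindSubmatch(raw)
	if m == nil {
		return 0, nil, fmt.Errorf("encrypted_dek is not a Vault transit ciphertext; other KMS formats are not handled here")
	}
	version, _ = strconv.Atoi(string(m[1])) // digits only, guaranteed by the regexp
	if wrapped, err = base64.StdEncoding.DecodeString(string(m[2])); err != nil {
		return 0, nil, fmt.Errorf("bad transit payload: %w", err)
	}
	return version, wrapped, nil
}

// DEKLagsKey reports whether the DEK was wrapped under an older transit key version than the
// current customer key version; such a DEK depends on the old version staying decryptable and is a rewrap candidate.
func DEKLagsKey(encryptedDEK string, currentKeyVersion int) (bool, error) {
	wrapVersion, _, err := ParseEncryptedDEK(encryptedDEK)
	if err != nil {
		return false, err
	}
	return wrapVersion < currentKeyVersion, nil
}

func main() {
	lag, err := DEKLagsKey(sampleEncryptedDEK, sampleKeyVersion)
	fmt.Println("DEK lags current customer key version:", lag, "error:", err)
}
```

For the sample above the wrapped payload is 60 bytes, which is what a 32-byte DEK under AES-GCM (12-byte nonce plus 16-byte tag) comes to.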

Output from acceptance tests

```text
TESTARGS="-run TestAccTFEHYOKCustomerKeyVersionDataSource" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKCustomerKeyVersionDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.187s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.294s [no tests to run]
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (0.93s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.266s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
TESTARGS="-run TestAccTFEHYOKEncryptedDataKeyDataSource" make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKEncryptedDataKeyDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.299s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.150s [no tests to run]
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (1.12s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.439s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
```

Rollback Plan

Changes to Security Controls

@dominic-retli-hashi dominic-retli-hashi marked this pull request as ready for review September 15, 2025 18:59
@dominic-retli-hashi dominic-retli-hashi requested a review from a team as a code owner September 15, 2025 18:59
@helenjw helenjw left a comment

I tested the data sources and they're working for me! Just a few nits and something I gotta do on the go-tfe end

```go
// Set the computed attributes from the API response
data.EncryptedDEK = types.StringValue(keyVersion.EncryptedDEK)
data.CustomerKeyName = types.StringValue(keyVersion.CustomerKeyName)
data.CreatedAt = types.StringValue(keyVersion.CreatedAt.Format(time.RFC3339)) // TODO DOM: Check this format
```
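Review bot: the `// TODO DOM: Check this format` marker on the `CreatedAt` line should be resolved before merge rather than shipped: `time.RFC3339` yields the `2025-09-09T17:27:14Z` form that the example output in the description shows, so the comment can simply be dropped. Separately, the API response here is held in a variable named `keyVersion` although these lines populate the encrypted data key source (`EncryptedDEK`, `CustomerKeyName`); a name such as `dataKey` would keep it from being confused with the customer key version source.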
Nit: this can probably be removed!


```hcl
data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
id = "keyv-<your-id>"
```

Non-blocker, but it seems like some other id examples do not include <> (e.g. website/docs/d/team_project_access.html.markdown).

So maybe something like

Suggested change:

```diff
- id = "keyv-<your-id>"
+ id = "my-key-version-id"
```

Helen, that's because the customer key version follows the pattern "keyv-####" where # is some id.

Comment on lines +1 to +6
```markdown
---
layout: "tfe"
page_title: "Terraform Enterprise: tfe_agent_pool"
description: |-
Get information on an agent pool.
---
```
This and the section at website/docs/d/hyok_encrypted_data_key.markdown should probably be changed from agent pool stuff


```go
// Make API call to fetch the HYOK customer key version
keyVersion, err := d.config.Client.HYOKEncryptedDataKeys.Read(ctx, data.ID.ValueString())
if err != nil {
```
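Review bot: the comment on the first line says the call fetches the HYOK customer key version, but the call is `HYOKEncryptedDataKeys.Read` and its result is stored in `keyVersion`; fix the comment and the variable name so both describe an encrypted data key. The `if err != nil {` branch should also distinguish a not-found response from other read errors, in line with the "Resource not found" if-statement this thread refers to, so that a data key that no longer exists is reported as such instead of as a generic read failure.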


Should we have that same "Resource not found" if-statement condition from Helen's PR?

iuri-slywitch-hashicorp commented Sep 18, 2025

performed a terraform plan, worked as expected, here is the result:

```text
iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform plan
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1: Reading...
data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1: Reading...
data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1: Read complete after 1s [id=(redacted)]
data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1: Read complete after 1s [id=(redacted)]

Changes to Outputs:
  + tfe_hyok_customer_key_version = {
      + created_at         = "2025-05-20T15:27:31Z"
      + error              = ""
      + id                 = "(redacted)"
      + key_version        = "(redacted)"
      + status             = "available"
      + workspaces_secured = 4
    }
  + tfe_hyok_encrypted_data_key   = {
      + created_at        = "2025-08-11T15:30:06Z"
      + customer_key_name = "aws-hyok-config"
      + encrypted_dek     = "(redacted)"
      + id                = "(redacted)"
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
```

@iuri-slywitch-hashicorp

also, I ran the same go test cases on my end with my HYOK_CUSTOMER_KEY_VERSION_ID and HYOK_ENCRYPTED_DATA_KEY_ID, worked as expected, here is the result:

```text
iurislywitch@Iuris-MacBook-Pro terraform-provider-tfe % TESTARGS="-run TestAccTFEHYOKCustomerKeyVersionDataSource" envchain STAGING_ENVCHAIN make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKCustomerKeyVersionDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.419s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.413s [no tests to run]
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (2.09s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   2.714s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
iurislywitch@Iuris-MacBook-Pro terraform-provider-tfe % TESTARGS="-run TestAccTFEHYOKEncryptedDataKeyDataSource" envchain STAGING_ENVCHAIN make testacc
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKEncryptedDataKeyDataSource -timeout 15m
?       github.com/hashicorp/terraform-provider-tfe     [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/client     0.335s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/logging    0.167s [no tests to run]
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (2.06s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   2.395s
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/helpers   [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/planmodifiers     [no test files]
?       github.com/hashicorp/terraform-provider-tfe/internal/provider/validators        [no test files]
?       github.com/hashicorp/terraform-provider-tfe/version     [no test files]
```
