@iuri-slywitch-hashicorp iuri-slywitch-hashicorp commented Sep 26, 2025

Description

This particular PR is a combination of a series of PRs that have been approved before. See the Related PRs.

Add the following resources to manage OIDC configurations:

  • tfe_vault_oidc_configuration
  • tfe_aws_oidc_configuration
  • tfe_gcp_oidc_configuration
  • tfe_azure_oidc_configuration

Add the HYOK configuration resource:

  • tfe_hyok_configuration

Add the following data sources for managing HYOK keys:

  • hyok_customer_key_version
  • hyok_encrypted_data_key

Update the attributes of the following objects to support HYOK-related attributes:

  • Workspace: added a read-only hyok_enabled attribute to the data source and resource.
  • Organization: added an enforce_hyok attribute to the data source and resource.

Remember to:

Testing plan

Testing HYOK OIDC Configurations:

  • Use a terraform configuration with resources to create, update, read and delete OIDC Configurations:
resource "tfe_aws_oidc_configuration" "aws_oidc_tfe_provider" {
  role_arn = "arn:aws:iam::111111111111:role/example-role-arn"
}

resource "tfe_gcp_oidc_configuration" "gcp_oidc_tfe_provider" {
  service_account_email     = "[email protected]"
  project_number            = "11111111"
  workload_provider_name    = "projects/1/locations/global/workloadIdentityPools/1/providers/1"
}

resource "tfe_azure_oidc_configuration" "azure_oidc_tfe_provider" {
  client_id         = "application-id1"
  subscription_id   = "subscription-id1"
  tenant_id         = "tenant-id1"
}

resource "tfe_vault_oidc_configuration" "vault_oidc_tfe_provider" {
  address           = "https://my-vault-cluster-public-vault-token.token.z1.hashicorp.cloud:port"
  role_name         = "vault-role-name"
  namespace         = "admin"
  auth_path         = "jwt-auth-path"
}

Testing HYOK Configurations:

  • Use a terraform configuration with resources to create, update, read and delete HYOK Configurations:
resource "tfe_hyok_configuration" "aws_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "aws_hyok_config_provider_test"
  kek_id                  = "arn:aws:kms:rocket:key/21z"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_aws_oidc_configuration.aws_oidc_tfe_provider.id
  oidc_configuration_type = "aws"

  kms_options {
    key_region = "us-east-1"
  }
}

resource "tfe_hyok_configuration" "gcp_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "gcp_hyok_config_provider_test"
  kek_id                  = "rocket_key_id5"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider.id
  oidc_configuration_type = "gcp"

  kms_options {
    key_ring_id  = "YOUR-KEY-RING-ID2"
    key_location = "global"
  }
}

resource "tfe_hyok_configuration" "azure_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "azure_hyok_config_provider_test"
  kek_id                  = "https://coolvaule.vault.azure.net/keys/cool-key2"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_azure_oidc_configuration.azure_oidc_tfe_provider.id
  oidc_configuration_type = "azure"
}

resource "tfe_hyok_configuration" "vault_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "vault_hyok_config_provider_test"
  kek_id                  = "rocket_key_id3"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_vault_oidc_configuration.vault_oidc_tfe_provider.id
  oidc_configuration_type = "vault"
}

Testing HYOK customer key version and encrypted data key:

  • Use a terraform configuration with data sources to read customer key versions and encrypted data keys:
data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
  id = "keyv-YOUR-KEY-ID"
}

output "tfe_hyok_customer_key_version" {
  value = data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1
}

data "tfe_hyok_encrypted_data_key" "tfe_hyok_encrypted_data_key1" {
  id = "dek-YOUR-KEY-ID"
}

output "tfe_hyok_encrypted_data_key" {
  value = data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1
}

Testing HYOK Attributes:

  • Use a terraform configuration with resources to create and update Organizations and read Workspaces with HYOK options via terraform plan and terraform apply:
resource "tfe_organization" "provider-tfe-hyok-test" {
  name         = "provider-tfe-hyok-test"
  email        = "YOUR-EMAIL"
  enforce_hyok = true
}

resource "tfe_workspace" "test-workspace-hyok-enabled" {
  organization = "YOUR-ORG"
  name         = "test-workspace-hyok-enabled"
}
  • Use a terraform configuration with data sources to read Organizations and Workspaces with HYOK options via terraform plan and terraform apply:
data "tfe_organization" "tfe_organization_test" {
  name = "YOUR-ORG"
}

output "tfe_organization" {
  value = data.tfe_organization.tfe_organization_test
}

data "tfe_workspace" "tfe_workspace_test" {
  organization = "YOUR-ORG"
  name = "YOUR-NAME"
}

output "tfe_workspace" {
  value = data.tfe_workspace.tfe_workspace_test
}

External links

Output from acceptance tests

HYOK OIDC Configurations:

  • TestAccTFEVaultOIDCConfiguration_basic:
=== RUN   TestAccTFEVaultOIDCConfiguration_basic
--- PASS: TestAccTFEVaultOIDCConfiguration_basic (3.01s)
PASS
  • TestAccTFEAWSOIDCConfiguration_basic:
=== RUN   TestAccTFEAWSOIDCConfiguration_basic
--- PASS: TestAccTFEAWSOIDCConfiguration_basic (3.28s)
PASS
  • TestAccTFEGCPOIDCConfiguration_basic:
=== RUN   TestAccTFEGCPOIDCConfiguration_basic
--- PASS: TestAccTFEGCPOIDCConfiguration_basic (3.16s)
PASS
  • TestAccTFEAzureOIDCConfiguration_basic:
=== RUN   TestAccTFEAzureOIDCConfiguration_basic
--- PASS: TestAccTFEAzureOIDCConfiguration_basic (2.82s)
PASS

HYOK Configuration:

  • TestAccTFEHYOKConfiguration_basic:
=== RUN   TestAccTFEHYOKConfiguration_basic
--- PASS: TestAccTFEHYOKConfiguration_basic (21.41s)
PASS

HYOK customer key version and encrypted data key:

  • TestAccTFEHYOKCustomerKeyVersionDataSource_basic:
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (0.93s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.266s
  • TestAccTFEHYOKEncryptedDataKeyDataSource_basic:
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (1.12s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.439s

HYOK Attributes:

  • TestAccTFEOrganizationDataSource_readEnforceHYOK:
=== RUN   TestAccTFEOrganizationDataSource_readEnforceHYOK
--- PASS: TestAccTFEOrganizationDataSource_readEnforceHYOK (2.85s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   3.246s
  • TestAccTFEWorkspaceDataSource_readHYOKEnabled:
=== RUN   TestAccTFEWorkspaceDataSource_readHYOKEnabled
--- PASS: TestAccTFEWorkspaceDataSource_readHYOKEnabled (2.38s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   3.008s
  • TestAccTFEWorkspace_HYOKEnabled:
=== RUN   TestAccTFEWorkspace_HYOKEnabled
--- PASS: TestAccTFEWorkspace_HYOKEnabled (3.43s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   4.094s

Rollback Plan

Changes to Security Controls

Related PRs

dominic-retli-hashi and others added 19 commits September 9, 2025 13:54
…ersion, with some baseline tests that pass for me locally but need to be genericised
…hashicorp/terraform-provider-tfe into dominicretli/TF-28674/hyok-data-objects
…ta-objects

[TF-28674] Add HYOK data sources for HYOKCustomerKeyVersion and HYOKEncryptedDataKey
…e_hyok_customer_key_version_test.go, data_source_hyok_encrypted_data_key_test.go, and resource_tfe_hyok_configuration_test.go
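The tfe_hyok_configuration blocks in the test plan above follow one layout per provider type: aws carries kms_options.key_region, gcp carries kms_options.key_ring_id and key_location, azure and vault carry no kms_options, and the aws and azure kek_id values are a KMS key ARN and a Key Vault key URL. The consistency check below is an added example written for this page, not code from the provider; the per-type rules it encodes are an assumption read off the test plan, and the sample blocks are constructed from the plan's values.

```go
package main

import (
	"fmt"
	"strings"
)

// HYOKConfig holds the tfe_hyok_configuration attributes this check looks at.
type HYOKConfig struct {
	KEKID, OIDCConfigurationType string
	KMSOptions                   map[string]string
}
// kmsOptionKeys is an assumption read off the test plan: aws sets key_region, gcp sets key_ring_id and key_location, azure and vault set none.
var kmsOptionKeys = map[string]map[string]bool{
	"aws": {"key_region": true}, "gcp": {"key_ring_id": true, "key_location": true}, "azure": {}, "vault": {},
}
// ValidateHYOKConfig returns one message per inconsistency; nil means the block matches the test-plan layout (illustrative, not provider code).
func ValidateHYOKConfig(c HYOKConfig) []string {
	want, known := kmsOptionKeys[c.OIDCConfigurationType]
	if !known {
		return []string{fmt.Sprintf("unknown oidc_configuration_type %q", c.OIDCConfigurationType)}
	}
	var errs []string
	for k := range want { // keys this provider type needs
		if c.KMSOptions[k] == "" {
			errs = append(errs, c.OIDCConfigurationType+" requires kms_options."+k)
		}
	}
	for k := range c.KMSOptions { // keys that belong to another provider type
		if !want[k] {
			errs = append(errs, c.OIDCConfigurationType+" does not accept kms_options."+k)
		}
	}
	switch c.OIDCConfigurationType { // kek_id shapes visible in the test plan
	case "aws": // an AWS KMS key ARN
		if !strings.HasPrefix(c.KEKID, "arn:aws:kms:") {
			errs = append(errs, "aws kek_id must be a KMS key ARN (arn:aws:kms:...)")
		}
	case "azure": // an Azure Key Vault key URL
		if !strings.HasPrefix(c.KEKID, "https://") || !strings.Contains(c.KEKID, "/keys/") {
			errs = append(errs, "azure kek_id must be a Key Vault key URL (https://<vault>/keys/<name>)")
		}
	}
	return errs
}

func main() { // constructed sample: the aws block from the test plan, then the same block without kms_options
	aws := HYOKConfig{KEKID: "arn:aws:kms:rocket:key/21z", OIDCConfigurationType: "aws", KMSOptions: map[string]string{"key_region": "us-east-1"}}
	fmt.Println(ValidateHYOKConfig(aws), ValidateHYOKConfig(HYOKConfig{KEKID: aws.KEKID, OIDCConfigurationType: "aws"}))
}
```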