@iuri-slywitch-hashicorp iuri-slywitch-hashicorp commented Sep 26, 2025

Description

This particular PR is a combination of a series of PRs that have been approved before. See the Related PRs.

Add the following resources to manage OIDC configurations:

  • tfe_vault_oidc_configuration
  • tfe_aws_oidc_configuration
  • tfe_gcp_oidc_configuration
  • tfe_azure_oidc_configuration

Add the HYOK configuration resource:

  • tfe_hyok_configuration

Add the following data sources for managing HYOK keys:

  • hyok_customer_key_version
  • hyok_encrypted_data_key

Update the attributes of the following objects to support HYOK-related attributes:

  • Workspace, added read-only hyok_enabled attribute for data source and resource.
  • Organization, added enforce-hyok attribute for data source and resource.

Testing plan

Testing HYOK OIDC Configurations:

  • Use a terraform configuration with resources to create, update, read and delete OIDC Configurations:
resource "tfe_aws_oidc_configuration" "aws_oidc_tfe_provider" {
  role_arn = "arn:aws:iam::111111111111:role/example-role-arn"
}

resource "tfe_gcp_oidc_configuration" "gcp_oidc_tfe_provider" {
  service_account_email     = "[email protected]"
  project_number            = "11111111"
  workload_provider_name    = "projects/1/locations/global/workloadIdentityPools/1/providers/1"
}

resource "tfe_azure_oidc_configuration" "azure_oidc_tfe_provider" {
  client_id         = "application-id1"
  subscription_id   = "subscription-id1"
  tenant_id         = "tenant-id1"
}

resource "tfe_vault_oidc_configuration" "vault_oidc_tfe_provider" {
  address           = "https://my-vault-cluster-public-vault-token.token.z1.hashicorp.cloud:port"
  role_name         = "vault-role-name"
  namespace         = "admin"
  auth_path         = "jwt-auth-path"
}

Testing HYOK Configurations:

  • Use a terraform configuration with resources to create, update, read and delete HYOK Configurations:

resource "tfe_hyok_configuration" "aws_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "aws_hyok_config_provider_test"
  kek_id                  = "arn:aws:kms:rocket:key/21z"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_aws_oidc_configuration.aws_oidc_tfe_provider.id
  oidc_configuration_type = "aws"

  kms_options {
    key_region = "us-east-1"
  }
}

resource "tfe_hyok_configuration" "gcp_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "gcp_hyok_config_provider_test"
  kek_id                  = "rocket_key_id5"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider.id
  oidc_configuration_type = "gcp"

  kms_options {
    key_ring_id  = "YOUR-KEY-RING-ID2"
    key_location = "global"
  }
}

resource "tfe_hyok_configuration" "azure_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "azure_hyok_config_provider_test"
  kek_id                  = "https://coolvaule.vault.azure.net/keys/cool-key2"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_azure_oidc_configuration.azure_oidc_tfe_provider.id
  oidc_configuration_type = "azure"
}

resource "tfe_hyok_configuration" "vault_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "vault_hyok_config_provider_test"
  kek_id                  = "rocket_key_id3"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_vault_oidc_configuration.vault_oidc_tfe_provider.id
  oidc_configuration_type = "vault"
}

Testing HYOK customer key version and encrypted data key:

  • Use a terraform configuration with data sources to read customer key versions and encrypted data keys:
data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
  id = "keyv-YOUR-KEY-ID"
}

output "tfe_hyok_customer_key_version" {
  value = data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1
}

data "tfe_hyok_encrypted_data_key" "tfe_hyok_encrypted_data_key1" {
  id = "dek-YOUR-KEY-ID"
}

output "tfe_hyok_encrypted_data_key" {
  value = data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1
}

Testing HYOK Attributes:

  • Use a terraform configuration with resources to create and update Organizations and read Workspaces with HYOK options via terraform plan and terraform apply:

resource "tfe_organization" "provider-tfe-hyok-test" {
  name         = "provider-tfe-hyok-test"
  email        = "YOUR-EMAIL"
  enforce_hyok = true
}

resource "tfe_workspace" "test-workspace-hyok-enabled" {
  organization = "YOUR-ORG"
  name         = "test-workspace-hyok-enabled"
}

  • Use a terraform configuration with data sources to read Organizations and Workspaces with HYOK options via terraform plan and terraform apply:

data "tfe_organization" "tfe_organization_test" {
  name = "YOUR-ORG"
}

output "tfe_organization" {
  value = data.tfe_organization.tfe_organization_test
}

data "tfe_workspace" "tfe_workspace_test" {
  organization = "YOUR-ORG"
  name = "YOUR-NAME"
}

output "tfe_workspace" {
  value = data.tfe_workspace.tfe_workspace_test
}

External links

Output from acceptance tests

HYOK OIDC Configurations:

  • TestAccTFEVaultOIDCConfiguration_basic:
=== RUN   TestAccTFEVaultOIDCConfiguration_basic
--- PASS: TestAccTFEVaultOIDCConfiguration_basic (3.01s)
PASS
  • TestAccTFEAWSOIDCConfiguration_basic:
=== RUN   TestAccTFEAWSOIDCConfiguration_basic
--- PASS: TestAccTFEAWSOIDCConfiguration_basic (3.28s)
PASS
  • TestAccTFEGCPOIDCConfiguration_basic:
=== RUN   TestAccTFEGCPOIDCConfiguration_basic
--- PASS: TestAccTFEGCPOIDCConfiguration_basic (3.16s)
PASS
  • TestAccTFEAzureOIDCConfiguration_basic:
=== RUN   TestAccTFEAzureOIDCConfiguration_basic
--- PASS: TestAccTFEAzureOIDCConfiguration_basic (2.82s)
PASS

HYOK Configuration:

  • TestAccTFEHYOKConfiguration_basic:
=== RUN   TestAccTFEHYOKConfiguration_basic
--- PASS: TestAccTFEHYOKConfiguration_basic (21.41s)
PASS

HYOK customer key version and encrypted data key:

  • TestAccTFEHYOKCustomerKeyVersionDataSource_basic:
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (0.93s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.266s
  • TestAccTFEHYOKEncryptedDataKeyDataSource_basic:
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (1.12s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.439s

HYOK Attributes:

  • TestAccTFEOrganizationDataSource_readEnforceHYOK:
=== RUN   TestAccTFEOrganizationDataSource_readEnforceHYOK
--- PASS: TestAccTFEOrganizationDataSource_readEnforceHYOK (2.85s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   3.246s
  • TestAccTFEWorkspaceDataSource_readHYOKEnabled:
=== RUN   TestAccTFEWorkspaceDataSource_readHYOKEnabled
--- PASS: TestAccTFEWorkspaceDataSource_readHYOKEnabled (2.38s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   3.008s
  • TestAccTFEWorkspace_HYOKEnabled:
=== RUN   TestAccTFEWorkspace_HYOKEnabled
--- PASS: TestAccTFEWorkspace_HYOKEnabled (3.43s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   4.094s
  • TestAccTFEOrganization_EnforceHYOK:
=== RUN   TestAccTFEOrganization_EnforceHYOK
    resource_tfe_organization_test.go:211: Skipping test until HYOK configurations can be promoted to primary through the provider. Currently,even if promotion is possible, primary configurations cannot be deleted and leaves dangling resources.
--- SKIP: TestAccTFEOrganization_EnforceHYOK (0.00s)
PASS

Rollback Plan

Changes to Security Controls

Related PRs
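The acceptance test output quoted above is plain `go test -v` text. The following Python is an added example (it is not part of this PR or of terraform-provider-tfe) that parses that format and lists every test that did not cleanly pass, so a reviewer can spot a SKIP such as TestAccTFEOrganization_EnforceHYOK and its logged reason without reading each block. The embedded log is constructed to mirror the page's output and deliberately adds a FAIL and a truncated run that do not occur in the PR.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `go test -v` output quoted in the PR (not the real run).
SAMPLE_LOG = """\
=== RUN   TestAccTFEHYOKConfiguration_basic
--- PASS: TestAccTFEHYOKConfiguration_basic (21.41s)
=== RUN   TestAccTFEOrganization_EnforceHYOK
    resource_tfe_organization_test.go:211: Skipping test until HYOK configurations can be promoted to primary.
--- SKIP: TestAccTFEOrganization_EnforceHYOK (0.00s)
=== RUN   TestAccTFEWorkspace_HYOKEnabled
--- FAIL: TestAccTFEWorkspace_HYOKEnabled (1.20s)
=== RUN   TestAccTFEAWSOIDCConfiguration_basic
"""

RUN_RE = re.compile(r"^=== RUN\s+(\S+)$")
RESULT_RE = re.compile(r"^--- (PASS|FAIL|SKIP): (\S+) \(([\d.]+)s\)$")
NOTE_RE = re.compile(r"^\s+\S+\.go:\d+: (.*)$")  # t.Log / t.Skip messages, indented under the test


def parse_go_test_log(text):
    """Map test name -> {'status', 'seconds', 'notes'}; a test that was started but never
    reported a result (for example because the log was truncated) is recorded as INCOMPLETE."""
    results, current = {}, None
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            current = m.group(1)
            results[current] = {"status": "INCOMPLETE", "seconds": None, "notes": []}
        elif (m := NOTE_RE.match(line)) and current:
            results[current]["notes"].append(m.group(1))
        elif m := RESULT_RE.match(line):
            status, name, secs = m.groups()
            entry = results.setdefault(name, {"status": None, "seconds": None, "notes": []})
            entry["status"], entry["seconds"] = status, float(secs)
    return results


def review_summary(results):
    """Per-status counts plus every test that is not a clean PASS, with its logged reason."""
    counts = defaultdict(int)
    attention = []
    for name, r in results.items():
        counts[r["status"]] += 1
        if r["status"] != "PASS":
            attention.append((name, r["status"], " ".join(r["notes"])))
    return dict(counts), attention
```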

dominic-retli-hashi and others added 19 commits September 9, 2025 13:54
…ersion, with some baseline tests that pass for me locally but need to be genericised
…hashicorp/terraform-provider-tfe into dominicretli/TF-28674/hyok-data-objects
…ta-objects

[TF-28674] Add HYOK data sources for HYOKCustomerKeyVersion and HYOKEncryptedDataKey
…e_hyok_customer_key_version_test.go, data_source_hyok_encrypted_data_key_test.go, and resource_tfe_hyok_configuration_test.go
helenjw and others added 2 commits October 1, 2025 13:27
…aces (#1863)

* WIP, almost finishing up tests.

* Updating documentation.

* Removing create and update options for hyok_enabled. Updating test cases.

* Updated documentation.

* Update website/docs/r/organization.html.markdown

Co-authored-by: Helen Jiang <[email protected]>

* Removed Default argument since attribute is read-only

* Changed documentation for organization data source.

* Moved changes to Attributes Reference

* Updating CHANGELOG.md

* Updated function name in data source organization test.

* Update CHANGELOG.md

Co-authored-by: Chris Trombley <[email protected]>

* Update CHANGELOG.md

Co-authored-by: Chris Trombley <[email protected]>

* Updated test case for tfe_workspace

* Removing orgEmail.

* Updating test cases. Removing HYOK_WORKSPACE_NAME

* Refactor HYOK tests to use createPremiumOrganization function and remove environment variable dependency where possible

* Remove HYOK_ORGANIZATION_NAME env variable entirely

* Wait for test_failed before attempting to revoke HYOK config

---------

Co-authored-by: Helen Jiang <[email protected]>
Co-authored-by: Chris Trombley <[email protected]>
Co-authored-by: Helen Jiang <[email protected]>
@iuri-slywitch-hashicorp iuri-slywitch-hashicorp marked this pull request as ready for review October 7, 2025 17:57
@iuri-slywitch-hashicorp iuri-slywitch-hashicorp requested a review from a team as a code owner October 7, 2025 17:57