Merge pull request hashicorp#45020 from jackroberts-gh/f-aws-backup-lag-vault-kms-key-support

r/aws_backup_logically_air_gapped_vault: add encryption_key_arn attr

Author: ewbankkit

.changelog/45020.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_backup_logically_air_gapped_vault: Add `encryption_key_arn` argument
+```

internal/service/backup/logically_air_gapped_vault.go

@@ -31,6 +31,7 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/fwdiag"
 	"github.com/hashicorp/terraform-provider-aws/internal/framework"
 	fwflex "github.com/hashicorp/terraform-provider-aws/internal/framework/flex"
+	fwtypes "github.com/hashicorp/terraform-provider-aws/internal/framework/types"
 	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 	"github.com/hashicorp/terraform-provider-aws/names"
@@ -57,7 +58,15 @@ func (r *logicallyAirGappedVaultResource) Schema(ctx context.Context, request re
 	response.Schema = schema.Schema{
 		Attributes: map[string]schema.Attribute{
 			names.AttrARN: framework.ARNAttributeComputedOnly(),
-			names.AttrID:  framework.IDAttribute(),
+			"encryption_key_arn": schema.StringAttribute{
+				CustomType: fwtypes.ARNType,
+				Optional:   true,
+				Computed:   true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			names.AttrID: framework.IDAttribute(),
 			"max_retention_days": schema.Int64Attribute{
 				Required: true,
 				PlanModifiers: []planmodifier.Int64{
@@ -102,9 +111,9 @@ func (r *logicallyAirGappedVaultResource) Create(ctx context.Context, request re
 
 	conn := r.Meta().BackupClient(ctx)
 
-	name := data.BackupVaultName.ValueString()
-	input := &backup.CreateLogicallyAirGappedBackupVaultInput{}
-	response.Diagnostics.Append(fwflex.Expand(ctx, data, input)...)
+	name := fwflex.StringValueFromFramework(ctx, data.BackupVaultName)
+	var input backup.CreateLogicallyAirGappedBackupVaultInput
+	response.Diagnostics.Append(fwflex.Expand(ctx, data, &input)...)
 	if response.Diagnostics.HasError() {
 		return
 	}
@@ -113,7 +122,7 @@ func (r *logicallyAirGappedVaultResource) Create(ctx context.Context, request re
 	input.BackupVaultTags = getTagsIn(ctx)
 	input.CreatorRequestId = aws.String(sdkid.UniqueId())
 
-	output, err := conn.CreateLogicallyAirGappedBackupVault(ctx, input)
+	output, err := conn.CreateLogicallyAirGappedBackupVault(ctx, &input)
 
 	if err != nil {
 		response.Diagnostics.AddError(fmt.Sprintf("creating Backup Logically Air Gapped Vault (%s)", name), err.Error())
@@ -123,15 +132,21 @@ func (r *logicallyAirGappedVaultResource) Create(ctx context.Context, request re
 
 	// Set values for unknowns.
 	data.BackupVaultARN = fwflex.StringToFramework(ctx, output.BackupVaultArn)
-	data.ID = fwflex.StringToFramework(ctx, output.BackupVaultName)
+	data.ID = fwflex.StringValueToFramework(ctx, name)
 
-	if _, err := waitLogicallyAirGappedVaultCreated(ctx, conn, data.ID.ValueString(), r.CreateTimeout(ctx, data.Timeouts)); err != nil {
+	vault, err := waitLogicallyAirGappedVaultCreated(ctx, conn, name, r.CreateTimeout(ctx, data.Timeouts))
+	if err != nil {
 		response.State.SetAttribute(ctx, path.Root(names.AttrID), data.ID) // Set 'id' so as to taint the resource.
-		response.Diagnostics.AddError(fmt.Sprintf("waiting for Backup Logically Air Gapped Vault (%s) create", data.ID.ValueString()), err.Error())
+		response.Diagnostics.AddError(fmt.Sprintf("waiting for Backup Logically Air Gapped Vault (%s) create", name), err.Error())
 
 		return
 	}
 
+	response.Diagnostics.Append(fwflex.Flatten(ctx, vault, &data)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
 	response.Diagnostics.Append(response.State.Set(ctx, data)...)
 }
 
@@ -144,7 +159,8 @@ func (r *logicallyAirGappedVaultResource) Read(ctx context.Context, request reso
 
 	conn := r.Meta().BackupClient(ctx)
 
-	output, err := findLogicallyAirGappedBackupVaultByName(ctx, conn, data.ID.ValueString())
+	name := fwflex.StringValueFromFramework(ctx, data.ID)
+	output, err := findLogicallyAirGappedBackupVaultByName(ctx, conn, name)
 
 	if tfresource.NotFound(err) {
 		response.Diagnostics.Append(fwdiag.NewResourceNotFoundWarningDiagnostic(err))
@@ -154,7 +170,7 @@ func (r *logicallyAirGappedVaultResource) Read(ctx context.Context, request reso
 	}
 
 	if err != nil {
-		response.Diagnostics.AddError(fmt.Sprintf("reading Backup Logically Air Gapped Vault (%s)", data.ID.ValueString()), err.Error())
+		response.Diagnostics.AddError(fmt.Sprintf("reading Backup Logically Air Gapped Vault (%s)", name), err.Error())
 
 		return
 	}
@@ -177,8 +193,9 @@ func (r *logicallyAirGappedVaultResource) Delete(ctx context.Context, request re
 
 	conn := r.Meta().BackupClient(ctx)
 
+	name := fwflex.StringValueFromFramework(ctx, data.ID)
 	input := backup.DeleteBackupVaultInput{
-		BackupVaultName: fwflex.StringFromFramework(ctx, data.ID),
+		BackupVaultName: aws.String(name),
 	}
 	_, err := conn.DeleteBackupVault(ctx, &input)
 
@@ -187,7 +204,7 @@ func (r *logicallyAirGappedVaultResource) Delete(ctx context.Context, request re
 	}
 
 	if err != nil {
-		response.Diagnostics.AddError(fmt.Sprintf("deleting Backup Logically Air Gapped Vault (%s)", data.ID.ValueString()), err.Error())
+		response.Diagnostics.AddError(fmt.Sprintf("deleting Backup Logically Air Gapped Vault (%s)", name), err.Error())
 
 		return
 	}
@@ -197,6 +214,7 @@ type logicallyAirGappedVaultResourceModel struct {
 	framework.WithRegionModel
 	BackupVaultARN   types.String   `tfsdk:"arn"`
 	BackupVaultName  types.String   `tfsdk:"name"`
+	EncryptionKeyARN fwtypes.ARN    `tfsdk:"encryption_key_arn"`
 	ID               types.String   `tfsdk:"id"`
 	MaxRetentionDays types.Int64    `tfsdk:"max_retention_days"`
 	MinRetentionDays types.Int64    `tfsdk:"min_retention_days"`
@@ -245,7 +263,6 @@ func waitLogicallyAirGappedVaultCreated(ctx context.Context, conn *backup.Client
 	}
 
 	outputRaw, err := stateConf.WaitForStateContext(ctx)
-
 	if output, ok := outputRaw.(*backup.DescribeBackupVaultOutput); ok {
 		return output, err
 	}

internal/service/backup/logically_air_gapped_vault_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/service/backup"
+	"github.com/hashicorp/terraform-plugin-testing/compare"
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
@@ -88,6 +89,41 @@ func TestAccBackupLogicallyAirGappedVault_disappears(t *testing.T) {
 	})
 }
 
+func TestAccBackupLogicallyAirGappedVault_encryptionKeyARN(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v backup.DescribeBackupVaultOutput
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_backup_logically_air_gapped_vault.test"
+	kmsKeyResourceName := "aws_kms_key.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckPartitionHasService(t, names.BackupEndpointID)
+			testAccPreCheck(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.BackupServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckLogicallyAirGappedVaultDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLogicallyAirGappedVaultConfig_encryptionKeyARN(rName),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.CompareValuePairs(resourceName, tfjsonpath.New("encryption_key_arn"), kmsKeyResourceName, tfjsonpath.New(names.AttrARN), compare.ValuesSame()),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckLogicallyAirGappedVaultExists(ctx, resourceName, &v),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccBackupLogicallyAirGappedVault_tags(t *testing.T) {
 	ctx := acctest.Context(t)
 	var v backup.DescribeBackupVaultOutput
@@ -202,6 +238,22 @@ resource "aws_backup_logically_air_gapped_vault" "test" {
 `, rName)
 }
 
+func testAccLogicallyAirGappedVaultConfig_encryptionKeyARN(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_kms_key" "test" {
+  description             = %[1]q
+  deletion_window_in_days = 7
+}
+
+resource "aws_backup_logically_air_gapped_vault" "test" {
+  name               = %[1]q
+  max_retention_days = 10
+  min_retention_days = 7
+  encryption_key_arn = aws_kms_key.test.arn
+}
+`, rName)
+}
+
 func testAccLogicallyAirGappedVaultConfig_tags1(rName, tagKey1, tagValue1 string) string {
 	return fmt.Sprintf(`
 resource "aws_backup_logically_air_gapped_vault" "test" {

internal/service/backup/vault.go

@@ -218,11 +218,11 @@ func findBackupVaultByName(ctx context.Context, conn *backup.Client, name string
 }
 
 func findVaultByName(ctx context.Context, conn *backup.Client, name string) (*backup.DescribeBackupVaultOutput, error) {
-	input := &backup.DescribeBackupVaultInput{
+	input := backup.DescribeBackupVaultInput{
 		BackupVaultName: aws.String(name),
 	}
 
-	output, err := findVault(ctx, conn, input)
+	output, err := findVault(ctx, conn, &input)
 
 	if err != nil {
 		return nil, err

website/docs/r/backup_logically_air_gapped_vault.html.markdown

@@ -30,6 +30,7 @@ This resource supports the following arguments:
 * `name` - (Required) Name of the Logically Air Gapped Backup Vault to create.
 * `max_retention_days` - (Required) Maximum retention period that the Logically Air Gapped Backup Vault retains recovery points.
 * `min_retention_days` - (Required) Minimum retention period that the Logically Air Gapped Backup Vault retains recovery points.
+* `encryption_key_arn` - (Optional) The AWS KMS key identifier (ARN) used to encrypt the backups in the logically air-gapped vault.
 * `tags` - (Optional) Metadata that you can assign to help organize the resources that you create. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 
 ## Attribute Reference