Support for KMS Key deletion

Author: afedorch

CHANGELOG.md

@@ -1,4 +1,9 @@
-## 3.29.1 (Unreleased)
+## 3.30.1 (Unreleased)
+## 3.30.0 (June 19, 2019)
+
+### Added
+- Support for scheduling KMS key deletion
+
 ## 3.29.0 (June 12, 2019)
 
 ### Added

oci/kms_key_data_source.go

@@ -107,6 +107,10 @@ func (s *KmsKeyDataSourceCrud) SetData() error {
 		s.D.Set("time_created", s.Res.TimeCreated.String())
 	}
 
+	if s.Res.TimeOfDeletion != nil {
+		s.D.Set("time_of_deletion", *s.Res.TimeOfDeletion)
+	}
+
 	if s.Res.VaultId != nil {
 		s.D.Set("vault_id", *s.Res.VaultId)
 	}

oci/kms_key_resource.go

@@ -5,6 +5,7 @@ package provider
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/hashicorp/terraform/helper/schema"
 
@@ -13,6 +14,7 @@ import (
 	"strings"
 
 	"github.com/hashicorp/terraform/helper/validation"
+	oci_common "github.com/oracle/oci-go-sdk/common"
 	oci_kms "github.com/oracle/oci-go-sdk/keymanagement"
 )
 
@@ -92,6 +94,11 @@ func KmsKeyResource() *schema.Resource {
 					"DISABLED",
 				}, false),
 			},
+			"time_of_deletion": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Optional: true,
+			},
 
 			// Computed
 			"current_key_version": {
@@ -174,7 +181,19 @@ func updateKmsKey(d *schema.ResourceData, m interface{}) error {
 }
 
 func deleteKmsKey(d *schema.ResourceData, m interface{}) error {
-	return nil
+	sync := &KmsKeyResourceCrud{}
+	sync.D = d
+	endpoint, ok := d.GetOkExists("management_endpoint")
+	if !ok {
+		return fmt.Errorf("management endpoint missing")
+	}
+	client, err := m.(*OracleClients).KmsManagementClient(endpoint.(string))
+	if err != nil {
+		return err
+	}
+	sync.Client = client
+
+	return DeleteResource(d, sync)
 }
 
 type KmsKeyResourceCrud struct {
@@ -362,6 +381,25 @@ func (s *KmsKeyResourceCrud) Update() error {
 	return nil
 }
 
+func (s *KmsKeyResourceCrud) Delete() error {
+	request := oci_kms.ScheduleKeyDeletionRequest{}
+
+	if timeOfDeletion, ok := s.D.GetOkExists("time_of_deletion"); ok {
+		tmpTime, err := time.Parse(time.RFC3339Nano, timeOfDeletion.(string))
+		if err != nil {
+			return err
+		}
+		request.TimeOfDeletion = &oci_common.SDKTime{Time: tmpTime}
+	}
+
+	request.RequestMetadata.RetryPolicy = getRetryPolicy(s.DisableNotFoundRetries, "kms")
+	tmp := s.D.Id()
+	request.KeyId = &tmp
+
+	_, err := s.Client.ScheduleKeyDeletion(context.Background(), request)
+	return err
+}
+
 func (s *KmsKeyResourceCrud) SetData() error {
 	if s.Res.CompartmentId != nil {
 		s.D.Set("compartment_id", *s.Res.CompartmentId)
@@ -395,6 +433,10 @@ func (s *KmsKeyResourceCrud) SetData() error {
 		s.D.Set("time_created", s.Res.TimeCreated.String())
 	}
 
+	if s.Res.TimeOfDeletion != nil {
+		s.D.Set("time_of_deletion", *s.Res.TimeOfDeletion)
+	}
+
 	if s.Res.VaultId != nil {
 		s.D.Set("vault_id", *s.Res.VaultId)
 	}

oci/kms_key_test.go

@@ -3,12 +3,16 @@
 package provider
 
 import (
+	"context"
 	"fmt"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
+	"github.com/oracle/oci-go-sdk/common"
 
+	oci_kms "github.com/oracle/oci-go-sdk/keymanagement"
 	"github.com/terraform-providers/terraform-provider-oci/httpreplay"
 )
 
@@ -33,6 +37,8 @@ var (
 		"values": Representation{repType: Required, create: []string{`${oci_kms_key.test_key.id}`}},
 	}
 
+	deletionTime = time.Now().UTC().AddDate(0, 0, 8).Truncate(time.Millisecond)
+
 	keyRepresentation = map[string]interface{}{
 		"compartment_id":      Representation{repType: Required, create: `${var.tenancy_ocid}`},
 		"display_name":        Representation{repType: Required, create: `Key C`, update: `displayName2`},
@@ -41,6 +47,7 @@ var (
 		"desired_state":       Representation{repType: Optional, create: `ENABLED`, update: `DISABLED`},
 		"defined_tags":        Representation{repType: Optional, create: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "value")}`, update: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "updatedValue")}`},
 		"freeform_tags":       Representation{repType: Optional, create: map[string]string{"bar-key": "value"}, update: map[string]string{"Department": "Accounting"}},
+		"time_of_deletion":    Representation{repType: Optional, create: deletionTime.Format(time.RFC3339Nano)},
 	}
 	keyKeyShapeRepresentation = map[string]interface{}{
 		"algorithm": Representation{repType: Required, create: `AES`},
@@ -91,7 +98,8 @@ func TestKmsKeyResource_basic(t *testing.T) {
 	var resId, resId2 string
 
 	resource.Test(t, resource.TestCase{
-		PreCheck: func() { testAccPreCheck(t) },
+		PreCheck:     func() { testAccPreCheck(t) },
+		CheckDestroy: testAccCheckKMSKeyDestroy,
 		Providers: map[string]terraform.ResourceProvider{
 			"oci": provider,
 		},
@@ -241,13 +249,63 @@ func TestKmsKeyResource_basic(t *testing.T) {
 				ImportStateIdFunc: keyImportId,
 				ImportStateVerifyIgnore: []string{
 					"desired_state",
+					"time_of_deletion",
 				},
 				ResourceName: resourceName,
 			},
 		},
 	})
 }
 
+func testAccCheckKMSKeyDestroy(s *terraform.State) error {
+	noResourceFound := true
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type == "oci_kms_key" {
+			client, err := testAccProvider.Meta().(*OracleClients).KmsManagementClient(rs.Primary.Attributes["management_endpoint"])
+			if err != nil {
+				return err
+			}
+
+			noResourceFound = false
+			request := oci_kms.GetKeyRequest{}
+
+			tmp := rs.Primary.ID
+			request.KeyId = &tmp
+
+			request.RequestMetadata.RetryPolicy = getRetryPolicy(true, "kms")
+
+			response, err := client.GetKey(context.Background(), request)
+
+			if err == nil {
+				deletedLifecycleStates := map[string]bool{
+					string(oci_kms.KeyLifecycleStateSchedulingDeletion): true,
+					string(oci_kms.KeyLifecycleStatePendingDeletion):    true,
+				}
+				if _, ok := deletedLifecycleStates[string(response.LifecycleState)]; !ok {
+					//resource lifecycle state is not in expected deleted lifecycle states.
+					return fmt.Errorf("resource lifecycle state: %s is not in expected deleted lifecycle states", response.LifecycleState)
+				}
+
+				if !response.TimeOfDeletion.Equal(deletionTime) && !httpreplay.ModeRecordReplay() {
+					return fmt.Errorf("resource time_of_deletion: %s is not set to %s", response.TimeOfDeletion.Format(time.RFC3339Nano), deletionTime.Format(time.RFC3339Nano))
+				}
+				//resource lifecycle state is in expected deleted lifecycle states. continue with next one.
+				continue
+			}
+
+			//Verify that exception is for '404 not found'.
+			if failure, isServiceError := common.IsServiceError(err); !isServiceError || failure.GetHTTPStatusCode() != 404 {
+				return err
+			}
+		}
+	}
+	if noResourceFound {
+		return fmt.Errorf("at least one resource was expected from the state file, but could not be found")
+	}
+
+	return nil
+}
+
 func keyImportId(state *terraform.State) (string, error) {
 	for _, rs := range state.RootModule().Resources {
 		if rs.Type == "oci_kms_key" {

website/docs/d/kms_key.html.markdown

@@ -45,5 +45,6 @@ The following attributes are exported:
 	* `length` - The length of the key, expressed as an integer. Values of 16, 24, or 32 are supported. 
 * `state` - The key's current state.  Example: `ENABLED` 
 * `time_created` - The date and time the key was created, expressed in [RFC 3339](https://tools.ietf.org/html/rfc3339) timestamp format.  Example: `2018-04-03T21:10:29.600Z` 
+* `time_of_deletion` - An optional property for the deletion time of the key, expressed in [RFC 3339](https://tools.ietf.org/html/rfc3339) timestamp format. Example: `2019-04-03T21:10:29.600Z` 
 * `vault_id` - The OCID of the vault that contains this key.
 

website/docs/d/kms_keys.html.markdown

@@ -51,5 +51,6 @@ The following attributes are exported:
 	* `length` - The length of the key, expressed as an integer. Values of 16, 24, or 32 are supported. 
 * `state` - The key's current state.  Example: `ENABLED` 
 * `time_created` - The date and time the key was created, expressed in [RFC 3339](https://tools.ietf.org/html/rfc3339) timestamp format.  Example: `2018-04-03T21:10:29.600Z` 
+* `time_of_deletion` - An optional property for the deletion time of the key, expressed in [RFC 3339](https://tools.ietf.org/html/rfc3339) timestamp format. Example: `2019-04-03T21:10:29.600Z` 
 * `vault_id` - The OCID of the vault that contains this key.
 

website/docs/r/kms_key.html.markdown

@@ -44,6 +44,7 @@ The following arguments are supported:
 	* `algorithm` - (Required) The algorithm used by a key's KeyVersions to encrypt or decrypt.
 	* `length` - (Required) The length of the key, expressed as an integer. Values of 16, 24, or 32 are supported. 
 * `management_endpoint` - (Required) The service endpoint to perform management operations against. Management operations include 'Create,' 'Update,' 'List,' 'Get,' and 'Delete' operations. See Vault Management endpoint.
+* `time_of_deletion` - (Required) (Updatable) An optional property for the deletion time of the key, expressed in [RFC 3339](https://tools.ietf.org/html/rfc3339) timestamp format. Example: `2019-04-03T21:10:29.600Z`
 
 
 ** IMPORTANT **
@@ -64,6 +65,7 @@ The following attributes are exported:
 	* `length` - The length of the key, expressed as an integer. Values of 16, 24, or 32 are supported. 
 * `state` - The key's current state.  Example: `ENABLED` 
 * `time_created` - The date and time the key was created, expressed in [RFC 3339](https://tools.ietf.org/html/rfc3339) timestamp format.  Example: `2018-04-03T21:10:29.600Z` 
+* `time_of_deletion` - An optional property for the deletion time of the key, expressed in [RFC 3339](https://tools.ietf.org/html/rfc3339) timestamp format. Example: `2019-04-03T21:10:29.600Z` 
 * `vault_id` - The OCID of the vault that contains this key.
 
 ## Import