add secret manager cmek (#4752)

Co-authored-by: Sarath Kaul <kaul.sarath@gmail.com> Co-authored-by: Cameron Thornton <camthornton@google.com> Co-authored-by: Sarath Kaul <kaul.sarath@gmail.com>
GoogleCloudPlatform · Apr 30, 2021 · 69373f7 · 69373f7
1 parent dd85260
commit 69373f7
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 0 deletions.
diff --git a/mmv1/products/secretmanager/api.yaml b/mmv1/products/secretmanager/api.yaml
@@ -115,6 +115,16 @@ objects:
                       required: true
                       description: |
                         The canonical IDs of the location to replicate data. For example: "us-east1".
+                    - !ruby/object:Api::Type::NestedObject
+                      name: customerManagedEncryption
+                      description: |
+                        Customer Managed Encryption for the secret.
+                      properties:
+                        - !ruby/object:Api::Type::String
+                          name: kmsKeyName
+                          required: true
+                          description: |
+                            Describes the Cloud KMS encryption key that will be used to protect destination secret.  
   - !ruby/object:Api::Resource
     name: SecretVersion
     base_url: '{{name}}'

diff --git a/mmv1/third_party/terraform/tests/resource_secret_manager_secret_test.go.erb b/mmv1/third_party/terraform/tests/resource_secret_manager_secret_test.go.erb
@@ -34,6 +34,34 @@ func TestAccSecretManagerSecret_import(t *testing.T) {
 	})
 }
 
+func TestAccSecretManagerSecret_cmek(t *testing.T) {
+	t.Parallel()
+
+	kmscentral := BootstrapKMSKeyInLocation(t, "us-central1")
+	kmseast := BootstrapKMSKeyInLocation(t, "us-east1")
+	context1 := map[string]interface{}{
+		"pid":                  getTestProjectFromEnv(),
+		"random_suffix":        randString(t, 10),
+		"kms_key_name_central": kmscentral.CryptoKey.Name,
+		"kms_key_name_east":    kmseast.CryptoKey.Name,
+	}
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSecretManagerSecretDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSecretMangerSecret_cmek(context1),
+			},
+			{
+				ResourceName:      "google_secret_manager_secret.secret-basic",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccSecretManagerSecret_basic(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_secret_manager_secret" "secret-basic" {
@@ -56,3 +84,41 @@ resource "google_secret_manager_secret" "secret-basic" {
 }
 `, context)
 }
+
+func testAccSecretMangerSecret_cmek(context map[string]interface{}) string {
+	return Nprintf(`
+data "google_project" "project" {
+  project_id = "%{pid}"
+}
+resource "google_project_iam_member" "kms-secret-binding" {
+  project = data.google_project.project.project_id
+  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
+}
+resource "google_secret_manager_secret" "secret-basic" {
+  secret_id = "tf-test-secret-%{random_suffix}"
+
+  labels = {
+    label = "my-label"
+  }
+  replication {
+    user_managed {
+      replicas {
+		location = "us-central1"
+		customer_managed_encryption {
+			kms_key_name = "%{kms_key_name_central}"
+		}
+	  }
+	replicas {
+		location = "us-east1"
+		customer_managed_encryption {
+			kms_key_name = "%{kms_key_name_east}"
+		}
+      }
+
+    }
+  }
+  project   = google_project_iam_member.kms-secret-binding.project
+}
+`, context)
+}