Data Sources for KMS Key Ring and Key

[ghost]

---

[all]

Adding datasources to KMS key ring and crypto key for the sake of not having to import them once they've been created and making it easier to manage them in case the state needs to be rolled back after initial create.

This is a bit tricky because tests require creating non-destructible resources.
There's no yaml-based template for these yet so I just added plain go code.

The tests expect specific environment variables to run, so I was only able to verify by hardcoding my own account/etc.

• I verified this by building my own copy of terraform-provider and running against my own project:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
 <= read (data resources)

Terraform will perform the following actions:

 <= data.google_kms_key_ring.kms-key-ring
      id:       <computed>
      location: "us-west1"
      name:     "tf-state-key-ring"


Plan: 0 to add, 0 to change, 0 to destroy.

• Outputs of data:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

2019-01-11T18:15:17.040-0700 [DEBUG] plugin.terraform-provider-google:                                                  
test-key = projects/my-project/locations/us-west1/keyRings/tf-state-key-ring/cryptoKeys/tf-state-key
test-ring = projects/my-project/locations/us-west1/keyRings/tf-state-key-ring

Related issue: hashicorp/terraform-provider-google#2847

[terraform]

[terraform-beta]

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here (e.g. I signed it!) and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

[ghost]

I signed it!

[googlebot]

CLAs look good, thanks!

[ghost]

the resource-related tests/func for this do not have google in the name: don't know if you have a standard, but I just went with how other data sources are named

[chrisst]

I think consistency with the other data sources is just fine.

[ghost]

not sure how this is parsed in a data source

[nat-henderson]

Thanks for your contribution! Can you elaborate a little on your use case, or link a related issue?

[chrisst]

Looks like this duplicates work in hashicorp/terraform-provider-google#2804 as well as adding the key_ring data source

[ghost]

Dangit, missed that other PR :( I was told to look here if I wanted to make changes to the provider

I asked about this feature in this issue: hashicorp/terraform-provider-google#2847 ( I think the link is buried at the bottom of the original PR template)

My current use case is outline there and here's how I am getting about without these data sources currently: https://github.com/kierachell/k8s-in-gcp/blob/master/tf/setup.sh#L48

Basically, this would allow me to roll all of my terraform config forward and back in its entirety. (with resource blocks I run into errors since the 2nd+ create requires me importing resource that were made on the first run)

[chrisst]

No worries, I was mostly commenting to make sure the 2 get linked and followed up with appropriately.

[chrisst]

Thanks so much for all the work!

There are a couple of breaking issues related to the current schema. However I think they should be fixed if you inherit the schema instead of duplicating it. I've tried to review the rest of the changes not related to the schema (docs, etc) but I'll run the tests and finish the review when you've address the schema issues.

[chrisst]

This looks like you've duplicated the schema from the resource. This was how we used to do things but we've added a convenience method in our newer data sources that just inherits the schema from the resource so that we don't have to maintain it in two different places.

Check out the cloud functions data source for an example

[chrisst]

Similar to the comment above, you should reuse the Read method from the resource so you don't have to set all the properties manually. Again see cloud functions for an example.

[chrisst]

Thanks for adding full tests! I recently added a test helper that will rely on a shared project for KMS tests that don't explicitly need to test key creation/deletion. See https://github.com/terraform-providers/terraform-provider-google/blob/master/google/resource_compute_disk_test.go#L319 for an example using this pattern. This helps us cut down on superfluous project creation which slows down our test suite and creates a bog of projects that are partially deleted.

[chrisst]

Inheriting from the resource will also help catch typos like this :)

[ghost]

🤦‍♂️ somehow that still built and ran... Thank you for all the suggestions, I'll get it updated tonight

[ghost]

nvm, found that my symlinks got all wonky with gomodules

[chrisst]

I think consistency with the other data sources is just fine.

[chrisst]

Can you change this to "The self_link of..." This helps user's differentiate between using a name or self_link here when referencing a key_ring specified elsewhere in a terraform config. We also encourage people not to rely on the terraform id as it's not a consistent experience between resources as to what it actually contains.

[chrisst]

should this anchor tag be #key ?

[ghost]

Yes, it should and should be updated in the resource doc 😲

[chrisst]

Can you change the side_bar to docs-google-datasource-kms-crypto-key. Also feel free to add the 2 new docs files to website/google.erb . This is so that the links show up in the side bar, and when clicked they will highlight the current page in purple and the parent section based on a prefix match of the sidebar_current field (hence adding the -datasource- in there).
example here

[chrisst]

rename to docs-google-datasource-kms-key-ring

[ghost]

@chrisst Thank you for detailed comments . I think I covered all of them; and double checked all the links and rebuilt the provider and it still works on my own project 😰 .

Let me know if there is anything else to update - I think I'm getting a hang of the build/test/run process 😄

PROOF:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
2019/01/17 09:18:46 [DEBUG] plugin: waiting for all plugin processes to complete...

Outputs:

key = tf-state-key
ring = projects/proj/locations/us-central1/keyRings/tf-state-key-ring

[chrisst]

I have a couple more comments, but mostly around paring down the amount of work your tests need to do. Since you've already done a ton of work here and I think people want this I'm going to just push up my changes to the tests and get it running through our build system. Thanks again for adding this!

[chrisst]

This doesn't need to be a reference, you can just use a plain struct.

Suggested change

	cryptoKeyId := &kmsCryptoKeyId{
	cryptoKeyId := kmsCryptoKeyId{

[ghost]

Yeah, I saw it being a reference in other files and it didn't quite make sense but I followed the "common denominator"

[chrisst]

same

Suggested change

	keyRingId := &kmsKeyRingId{
	keyRingId := kmsKeyRingId{

[chrisst]

Instead of capturing and returning the error or nil separately, you can just shortcut and return the call to read. This way if the call returns an error, this method will return that error and vice versa. So it's equivalent to what you have here.
eg:

return resourceKmsKeyRingRead(d, meta)

[ghost]

Gah, I left that from when I was trying to make the method fail and debug what the error would be, sorry.

[chrisst]

This is closer to what I imagined using bootstrapKMS would be, but you can still exclude a ton of the resource building so that this test only focuses on the datasource functionality (which is test that an existing resource can be imported).

[ghost]

I did wonder about that but it make more sense now that the read function is shared.

[chrisst]

Suggested change

	Check: resource.TestMatchResourceAttr("data.google_kms_crypto_key", "name", regexp.MustCompile(kms.CryptoKey.Name)),
	Check: resource.TestMatchResourceAttr("data.google_kms_crypto_key.kms_crypto_key", "name", regexp.MustCompile(kms.CryptoKey.Name)),

[chrisst]

If you have any questions on the changes I've made I'm happy to explain them.

[modular-magician]

I am a robot that works on MagicModules PRs!

I built this PR into one or more PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google-beta#359
depends: hashicorp/terraform-provider-google#2891
depends: modular-magician/inspec-gcp#78