From a88dafa64aec2cae99bc768547542588b24b3d7b Mon Sep 17 00:00:00 2001
From: Cameron Thornton
Date: Fri, 30 Apr 2021 11:58:15 -0500
Subject: [PATCH] add secret manager cmek
Co-authored-by: Sarath Kaul
Co-authored-by: Cameron Thornton
---
 mmv1/products/secretmanager/api.yaml | 10 +++
 ...resource_secret_manager_secret_test.go.erb | 66 +++++++++++++++++++
 2 files changed, 76 insertions(+)
diff --git a/mmv1/products/secretmanager/api.yaml b/mmv1/products/secretmanager/api.yaml
index b95627263345..6160864cf831 100644
--- a/mmv1/products/secretmanager/api.yaml
+++ b/mmv1/products/secretmanager/api.yaml
@@ -115,6 +115,16 @@ objects:
 required: true
 description: |
 The canonical IDs of the location to replicate data. For example: "us-east1".
+ - !ruby/object:Api::Type::NestedObject
+ name: customerManagedEncryption
+ description: |
+ Customer Managed Encryption for the secret.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: kmsKeyName
+ required: true
+ description: |
+ Describes the Cloud KMS encryption key that will be used to protect destination secret.
 - !ruby/object:Api::Resource
 name: SecretVersion
 base_url: '{{name}}'
diff --git a/mmv1/third_party/terraform/tests/resource_secret_manager_secret_test.go.erb b/mmv1/third_party/terraform/tests/resource_secret_manager_secret_test.go.erb
index 3d7c0d018f13..31a716b8bfcc 100644
--- a/mmv1/third_party/terraform/tests/resource_secret_manager_secret_test.go.erb
+++ b/mmv1/third_party/terraform/tests/resource_secret_manager_secret_test.go.erb
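Review bot: The `kmsKeyName` description, `Describes the Cloud KMS encryption key that will be used to protect destination secret.`, tells a reader neither what value is expected nor how it is constrained, and this text is what the generated provider docs will show. Suggest `The resource name of the Cloud KMS CryptoKey used to encrypt the payload of this replica, in the form projects/*/locations/*/keyRings/*/cryptoKeys/*.`, followed by a sentence stating that the key must live in the replica's location and that the Secret Manager service agent needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` on it. Both constraints are consistent with the test in this commit, which pairs the us-central1 key with the us-central1 replica and grants that role, but confirm them against the API reference before wording them as requirements. Judging by the context lines (the replica `location` property precedes it), the `customerManagedEncryption` object is per replica, so its description `Customer Managed Encryption for the secret.` should read `Customer-managed encryption for this replica.`.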
@@ -34,6 +34,34 @@ func TestAccSecretManagerSecret_import(t *testing.T) {
 })
 }
 
+func TestAccSecretManagerSecret_cmek(t *testing.T) {
+ t.Parallel()
+
+ kmscentral := BootstrapKMSKeyInLocation(t, "us-central1")
+ kmseast := BootstrapKMSKeyInLocation(t, "us-east1")
+ context1 := map[string]interface{}{
+ "pid": getTestProjectFromEnv(),
+ "random_suffix": randString(t, 10),
+ "kms_key_name_central": kmscentral.CryptoKey.Name,
+ "kms_key_name_east": kmseast.CryptoKey.Name,
+ }
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckSecretManagerSecretDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccSecretMangerSecret_cmek(context1),
+ },
+ {
+ ResourceName: "google_secret_manager_secret.secret-basic",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func testAccSecretManagerSecret_basic(context map[string]interface{}) string {
 return Nprintf(`
 resource "google_secret_manager_secret" "secret-basic" {
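Review bot: The helper called at `Config: testAccSecretMangerSecret_cmek(context1),` misspells Manager and so diverges from the sibling `testAccSecretManagerSecret_basic`; rename it `testAccSecretManagerSecret_cmek` here and at its definition in the next hunk. The locals `kmscentral`, `kmseast` and `context1` would follow Go naming better as `kmsCentral`, `kmsEast` and `context`, which appears to be what the helper signatures visible in this file use for the same map. The import step with `ImportStateVerify: true` is the right check that `kms_key_name` round-trips through the API read, since a field the API did not echo back would surface as a diff there.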
@@ -56,3 +84,41 @@ resource "google_secret_manager_secret" "secret-basic" {
 }
 `, context)
 }
+
+func testAccSecretMangerSecret_cmek(context map[string]interface{}) string {
+ return Nprintf(`
+data "google_project" "project" {
+ project_id = "%{pid}"
+}
+resource "google_project_iam_member" "kms-secret-binding" {
+ project = data.google_project.project.project_id
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
+}
+resource "google_secret_manager_secret" "secret-basic" {
+ secret_id = "tf-test-secret-%{random_suffix}"
+
+ labels = {
+ label = "my-label"
+ }
+ replication {
+ user_managed {
+ replicas {
+ location = "us-central1"
+ customer_managed_encryption {
+ kms_key_name = "%{kms_key_name_central}"
+ }
+ }
+ replicas {
+ location = "us-east1"
+ customer_managed_encryption {
+ kms_key_name = "%{kms_key_name_east}"
+ }
+ }
+
+ }
+ }
+ project = google_project_iam_member.kms-secret-binding.project
+}
+`, context)
+}
\ No newline at end of file
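Review bot: `google_project_iam_member.kms-secret-binding` grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the whole test project although only the two bootstrapped keys are used; binding the role on each key with `google_kms_crypto_key_iam_member` keeps the grant at least privilege, and because a project-level member binding is one shared object, its destroy at the end of this parallel test could remove the grant from under another test that happens to rely on the same binding. The line `project = google_project_iam_member.kms-secret-binding.project` exists only to order the secret after the grant; with per-key bindings that becomes `project = "%{pid}"` plus an explicit `depends_on`, and either way the intent deserves a comment such as `# reference the bindings so the grants exist before the secret is created`. Nothing here waits for IAM propagation, so if the create step flakes with a permission error for the service agent, that is the likely cause.
```go
resource "google_kms_crypto_key_iam_member" "kms-secret-binding-central" {
  crypto_key_id = "%{kms_key_name_central}"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}
resource "google_kms_crypto_key_iam_member" "kms-secret-binding-east" {
  crypto_key_id = "%{kms_key_name_east}"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}
resource "google_secret_manager_secret" "secret-basic" {
  # … unchanged: secret_id, labels, replication …
  # reference the bindings so the grants exist before the secret is created
  project = "%{pid}"
  depends_on = [
    google_kms_crypto_key_iam_member.kms-secret-binding-central,
    google_kms_crypto_key_iam_member.kms-secret-binding-east,
  ]
}
```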