From c4460da052479a2f22411f7a34b5ffed86573f79 Mon Sep 17 00:00:00 2001 From: Harshit Gupta Date: Mon, 15 Mar 2021 17:09:54 +0530 Subject: [PATCH] Key ALias Feature --amend --- go.mod | 2 +- go.sum | 19 +- ibm/data_source_ibm_kms_key.go | 104 +++++--- ibm/data_source_ibm_kms_keys.go | 100 ++++--- ibm/provider.go | 1 + ibm/resource_ibm_kms_key.go | 3 +- ibm/resource_ibm_kms_key_alias.go | 249 ++++++++++++++++++ ibm/resource_ibm_kms_key_alias_test.go | 290 +++++++++++++++++++++ website/docs/d/kms_key.html.markdown | 15 +- website/docs/d/kms_keys.html.markdown | 4 +- website/docs/r/kms_key_alias.html.markdown | 62 +++++ 11 files changed, 771 insertions(+), 78 deletions(-) create mode 100644 ibm/resource_ibm_kms_key_alias.go create mode 100644 ibm/resource_ibm_kms_key_alias_test.go create mode 100644 website/docs/r/kms_key_alias.html.markdown diff --git a/go.mod b/go.mod index c2ced283c4d..32ba71cb667 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/IBM/go-sdk-core/v4 v4.10.0 github.com/IBM/ibm-cos-sdk-go v1.3.1 github.com/IBM/ibm-cos-sdk-go-config v1.0.1 - github.com/IBM/keyprotect-go-client v0.5.2 + github.com/IBM/keyprotect-go-client v0.6.0 github.com/IBM/networking-go-sdk v0.12.1 github.com/IBM/platform-services-go-sdk v0.17.13 github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5 diff --git a/go.sum b/go.sum index ffdc112bb3a..49ca08ebf95 100644 --- a/go.sum +++ b/go.sum 
@@ -84,6 +84,10 @@ github.com/IBM/ibm-cos-sdk-go-config v1.0.1 h1:Nld42UysaZ16hPl4XMnkCgbuwW+s4OVct github.com/IBM/ibm-cos-sdk-go-config v1.0.1/go.mod h1:BAbdv1Zf8mRP6rj40Cem7KgBp+UQn9Fe2EWxIBrp5sM= github.com/IBM/keyprotect-go-client v0.5.2 h1:A4yp2Fc7mg4dtotZErZXwJb9XKpb3ONexnVB+/JqLDM= github.com/IBM/keyprotect-go-client v0.5.2/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI= +github.com/IBM/keyprotect-go-client v0.5.3 h1:YGL6vHYQNH3MrtLaSl1ulohE487Jb1KkTpkNKnV4xWU= +github.com/IBM/keyprotect-go-client v0.5.3/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI= +github.com/IBM/keyprotect-go-client v0.5.4-0.20210127220159-80c013ab9f46 h1:Iyq8BLsDJHkMW1wo1f57JLsfXJOYwDiatCHdUOTWY60= +github.com/IBM/keyprotect-go-client v0.5.4-0.20210127220159-80c013ab9f46/go.mod h1:SVr2ylV/fhSQPDiUjWirN9fsyWFCNNbt8GIT8hPJVjE= github.com/IBM/networking-go-sdk v0.12.1 h1:GmzrRjvAyqKMfUPM8Y/R5dce0x5AXTqmseVZ3n7eZks= github.com/IBM/networking-go-sdk v0.12.1/go.mod h1:lzkGBnw5glMB7Nxawfgu19MH4Tjy3KRQ2SYMYl2ck7o= github.com/IBM/platform-services-go-sdk v0.17.13 h1:jZ9sHtf0hutroUKqYIUHgzDetCBN52//YgH+Jq6nrUY= @@ -221,6 +225,7 @@ github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI github.com/form3tech-oss/jwt-go v3.2.1+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/frankban/quicktest v1.7.2/go.mod h1:jaStnuzAqU1AJdCO0l53JDCJrVDKcS03DbaAcR7Ks/o= github.com/frankban/quicktest v1.10.2 h1:19ARM85nVi4xH7xPXuc5eM/udya5ieh7b/Sv+d844Tk= github.com/frankban/quicktest v1.10.2/go.mod h1:K+q6oSqb0W0Ininfk863uOk1lMy69l/P6txr3mVT54s= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 
@@ -545,7 +550,6 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8= github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= -github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= @@ -583,6 +587,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -688,12 +693,14 @@ github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+ github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0= +github.com/onsi/ginkgo v1.14.2 h1:8mVmC9kjFFmA8H4pKMUhcblgifdkOIXPvbhN1T36q1M= github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.15.0 h1:1V1NfVQR87RtWAgp1lv9JZJ5Jap+XFGKPi00andXGi4= github.com/onsi/ginkgo v1.15.0/go.mod h1:hF8qUzuuC8DJGygJH3726JnCZX4MYbRB8yFfISqnKUg= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.10.3 h1:gph6h/qe9GSUw1NhH1gp+qb+h8rXD8Cy60Z32Qw3ELA= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= github.com/onsi/gomega v1.10.5 h1:7n6FEkpFmfCoo2t+YYqXH0evK+a9ICQz0xcAy9dYcaQ= github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48= 
@@ -738,6 +745,7 @@ github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= @@ -764,6 +772,7 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/svanharmelen/jsonapi v0.0.0-20180618144545-0c0828c3f16d/go.mod h1:BSTlc8jOjh0niykqEGVXOLXdi9o0r0kR8tCYiMvjFgw= github.com/tencentcloud/tencentcloud-sdk-go v3.0.82+incompatible/go.mod h1:0PfYow01SHPMhKY31xa+EFz2RStxIqj6JFAJS+IkCi4= github.com/tencentyun/cos-go-sdk-v5 v0.0.0-20190808065407-f07404cefc8c/go.mod h1:wk2XFUg6egk4tSDNZtXeKfe2G6690UVyt163PuUxBZk= 
@@ -980,9 +989,9 @@ golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw= -golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210105210732-16f7687f5001 h1:/dSxr6gT0FNI1MO5WLJo8mTmItROeOKTkDn+7OwWBos= +golang.org/x/sys v0.0.0-20210105210732-16f7687f5001/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 
@@ -1131,7 +1140,6 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= @@ -1169,7 +1177,6 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= diff --git a/ibm/data_source_ibm_kms_key.go b/ibm/data_source_ibm_kms_key.go index 8d318219e45..839cd8ccc2b 100644 --- a/ibm/data_source_ibm_kms_key.go +++ b/ibm/data_source_ibm_kms_key.go 
@@ -25,9 +25,16 @@ func dataSourceIBMKMSkey() *schema.Resource { Description: "Key protect or hpcs instance GUID", }, "key_name": { - Type: schema.TypeString, - Required: true, - Description: "The name of the key to be fetched", + Type: schema.TypeString, + Optional: true, + Description: "The name of the key to be fetched", + ExactlyOneOf: []string{"alias", "key_name"}, + }, + "alias": { + Type: schema.TypeString, + Optional: true, + Description: "The alias associated with the key", + ExactlyOneOf: []string{"alias", "key_name"}, }, "endpoint_type": { Type: schema.TypeString, @@ -41,6 +48,11 @@ func dataSourceIBMKMSkey() *schema.Resource { Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "aliases": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + }, "name": { Type: schema.TypeString, Computed: true, 
@@ -195,40 +207,72 @@ func dataSourceIBMKMSKeyRead(d *schema.ResourceData, meta interface{}) error { } api.Config.InstanceID = instanceID - keys, err := api.GetKeys(context.Background(), 100, 0) - if err != nil { - return fmt.Errorf( - "Get Keys failed with error: %s", err) - } - retreivedKeys := keys.Keys - if len(retreivedKeys) == 0 { - return fmt.Errorf("No keys in instance %s", instanceID) - } - var keyName string - var matchKeys []kp.Key + if v, ok := d.GetOk("key_name"); ok { - keyName = v.(string) - for _, keyData := range retreivedKeys { - if keyData.Name == keyName { - matchKeys = append(matchKeys, keyData) + keys, err := api.GetKeys(context.Background(), 0, 0) + if err != nil { + return fmt.Errorf( + "Get Keys failed with error: %s", err) + } + retreivedKeys := keys.Keys + if len(retreivedKeys) == 0 { + return fmt.Errorf("No keys in instance %s", instanceID) + } + var keyName string + var matchKeys []kp.Key + if v.(string) != "" { + keyName = v.(string) + for _, keyData := range retreivedKeys { + if keyData.Name == keyName { + matchKeys = append(matchKeys, keyData) + } } + } else { + matchKeys = retreivedKeys } - } else { - matchKeys = retreivedKeys - } - if len(matchKeys) == 0 { - return fmt.Errorf("No keys with name %s in instance %s", keyName, instanceID) - } + if len(matchKeys) == 0 { + return fmt.Errorf("No keys with name %s in instance %s", keyName, instanceID) + } - keyMap := make([]map[string]interface{}, 0, len(matchKeys)) + keyMap := make([]map[string]interface{}, 0, len(matchKeys)) - for _, key := range matchKeys { + for _, key := range matchKeys { + keyInstance := make(map[string]interface{}) + keyInstance["id"] = key.ID + keyInstance["name"] = key.Name + keyInstance["crn"] = key.CRN + keyInstance["standard_key"] = key.Extractable + keyInstance["aliases"] = key.Aliases + policies, err := api.GetPolicies(context.Background(), key.ID) + if err != nil { + return fmt.Errorf("Failed to read policies: %s", err) + } + if len(policies) == 0 { + 
log.Printf("No Policy Configurations read\n") + } else { + keyInstance["policies"] = flattenKeyPolicies(policies) + } + keyMap = append(keyMap, keyInstance) + + } + d.SetId(instanceID) + d.Set("keys", keyMap) + d.Set("instance_id", instanceID) + } else { + aliasName := d.Get("alias_name").(string) + key, err := api.GetKey(context.Background(), aliasName) + if err != nil { + return fmt.Errorf( + "Get Keys failed with error: %s", err) + } + keyMap := make([]map[string]interface{}, 0, 1) keyInstance := make(map[string]interface{}) keyInstance["id"] = key.ID keyInstance["name"] = key.Name keyInstance["crn"] = key.CRN keyInstance["standard_key"] = key.Extractable + keyInstance["aliases"] = key.Aliases policies, err := api.GetPolicies(context.Background(), key.ID) if err != nil { return fmt.Errorf("Failed to read policies: %s", err) @@ -240,12 +284,10 @@ func dataSourceIBMKMSKeyRead(d *schema.ResourceData, meta interface{}) error { } keyMap = append(keyMap, keyInstance) + d.SetId(instanceID) + d.Set("keys", keyMap) + d.Set("instance_id", instanceID) } - d.SetId(instanceID) - d.Set("keys", keyMap) - d.Set("instance_id", instanceID) - return nil - } diff --git a/ibm/data_source_ibm_kms_keys.go b/ibm/data_source_ibm_kms_keys.go index af5d9ebbc79..ef66b42d205 100644 --- a/ibm/data_source_ibm_kms_keys.go +++ b/ibm/data_source_ibm_kms_keys.go @@ -24,9 +24,16 @@ func dataSourceIBMKMSkeys() *schema.Resource { Description: "Key protect or hpcs instance GUID", }, "key_name": { - Type: schema.TypeString, - Optional: true, - Description: "The name of the key to be fetched", + Type: schema.TypeString, + Optional: true, + Description: "The name of the key to be fetched", + ConflictsWith: []string{"alias"}, + }, + "alias": { + Type: schema.TypeString, + Optional: true, + Description: "The name of the key to be fetched", + ConflictsWith: []string{"key_name"}, }, "endpoint_type": { Type: schema.TypeString, 
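Review bot: The alias branch of dataSourceIBMKMSKeyRead calls `d.Get("alias_name")`, but the schema in this file declares the attribute as `alias`, so the configured value is never read and the `.(string)` assertion will most likely panic on a nil value; it should be `aliasName := d.Get("alias").(string)`. In the key_name branch the `if v.(string) != ""` test is always true, because `d.GetOk` only reports ok for a non-zero value, which leaves the `matchKeys = retreivedKeys` fallback unreachable. The name match also only sees the single page that `api.GetKeys(context.Background(), 0, 0)` returns, so a key beyond that page would be reported as missing; it is worth confirming what a limit of 0 means for the client. The function body begins before this hunk.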
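Review bot: The new `alias` attribute in dataSourceIBMKMSkeys reuses the key_name text, `Description: "The name of the key to be fetched"`; it should describe the alias, for example `Description: "The alias associated with the key"` as in data_source_ibm_kms_key.go. The single-key data source uses `ExactlyOneOf` for the same pair while this one uses `ConflictsWith`; if that difference is intentional because both are optional here, a short comment saying so would help the next reader.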
@@ -41,6 +48,11 @@ func dataSourceIBMKMSkeys() *schema.Resource { Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ + "aliases": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + }, "name": { Type: schema.TypeString, Computed: true, 
@@ -194,46 +206,66 @@ func dataSourceIBMKMSKeysRead(d *schema.ResourceData, meta interface{}) error { } api.Config.InstanceID = instanceID - keys, err := api.GetKeys(context.Background(), 100, 0) - if err != nil { - return fmt.Errorf( - "Get Keys failed with error: %s", err) - } - retreivedKeys := keys.Keys - if len(retreivedKeys) == 0 { - return fmt.Errorf("No keys in instance %s", instanceID) - } - var keyName string - var matchKeys []kp.Key - if v, ok := d.GetOk("key_name"); ok { - keyName = v.(string) - for _, keyData := range retreivedKeys { - if keyData.Name == keyName { - matchKeys = append(matchKeys, keyData) - } + if v, ok := d.GetOk("alias"); ok { + aliasName := v.(string) + key, err := api.GetKey(context.Background(), aliasName) + if err != nil { + return fmt.Errorf( + "Get Keys failed with error: %s", err) + } else { + keyMap := make([]map[string]interface{}, 0, 1) + keyInstance := make(map[string]interface{}) + keyInstance["id"] = key.ID + keyInstance["name"] = key.Name + keyInstance["crn"] = key.CRN + keyInstance["standard_key"] = key.Extractable + keyInstance["aliases"] = key.Aliases + keyMap = append(keyMap, keyInstance) + d.Set("keys", keyMap) + } } else { - matchKeys = retreivedKeys - } + keys, err := api.GetKeys(context.Background(), 100, 0) + if err != nil { + return fmt.Errorf( + "Get Keys failed with error: %s", err) + } + retreivedKeys := keys.Keys + if len(retreivedKeys) == 0 { + return fmt.Errorf("No keys in instance %s", instanceID) + } + var keyName string + var matchKeys []kp.Key + if v, ok := d.GetOk("key_name"); ok { + keyName = v.(string) + for _, keyData := range retreivedKeys { + if keyData.Name == keyName { + matchKeys = append(matchKeys, keyData) + } + } + } else { + matchKeys = retreivedKeys + } - if len(matchKeys) == 0 { - return fmt.Errorf("No keys with name %s in instance %s", keyName, instanceID) - } + if len(matchKeys) == 0 { + return fmt.Errorf("No keys with name %s in instance %s", keyName, instanceID) + } - keyMap := 
make([]map[string]interface{}, 0, len(matchKeys)) + keyMap := make([]map[string]interface{}, 0, len(matchKeys)) - for _, key := range matchKeys { - keyInstance := make(map[string]interface{}) - keyInstance["id"] = key.ID - keyInstance["name"] = key.Name - keyInstance["crn"] = key.CRN - keyInstance["standard_key"] = key.Extractable - keyMap = append(keyMap, keyInstance) + for _, key := range matchKeys { + keyInstance := make(map[string]interface{}) + keyInstance["id"] = key.ID + keyInstance["name"] = key.Name + keyInstance["crn"] = key.CRN + keyInstance["standard_key"] = key.Extractable + keyMap = append(keyMap, keyInstance) + } + d.Set("keys", keyMap) } d.SetId(instanceID) - d.Set("keys", keyMap) d.Set("instance_id", instanceID) return nil diff --git a/ibm/provider.go b/ibm/provider.go index eba5688a7ed..6d6b5179bab 100644 --- a/ibm/provider.go +++ b/ibm/provider.go @@ -470,6 +470,7 @@ func Provider() *schema.Provider { "ibm_org": resourceIBMOrg(), "ibm_pn_application_chrome": resourceIBMPNApplicationChrome(), "ibm_kms_key": resourceIBMKmskey(), + "ibm_kms_key_alias": resourceIBMKmskeyAlias(), "ibm_kp_key": resourceIBMkey(), "ibm_resource_group": resourceIBMResourceGroup(), "ibm_resource_instance": resourceIBMResourceInstance(), diff --git a/ibm/resource_ibm_kms_key.go b/ibm/resource_ibm_kms_key.go index a97e606edd2..8166069b86d 100644 --- a/ibm/resource_ibm_kms_key.go +++ b/ibm/resource_ibm_kms_key.go @@ -347,7 +347,6 @@ func resourceIBMKmsKeyCreate(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf( "Error while creating Root key with payload: %s", err) } - keyCRN = stkey.CRN d.SetId(keyCRN) @@ -359,7 +358,6 @@ func resourceIBMKmsKeyCreate(d *schema.ResourceData, meta interface{}) error { } keyCRN = stkey.CRN d.SetId(keyCRN) - } } return resourceIBMKmsKeyUpdate(d, meta) 
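Review bot: The key_name/list branch of dataSourceIBMKMSKeysRead never sets `keyInstance["aliases"]`, although this commit adds `aliases` to the schema and the alias branch fills it; adding `keyInstance["aliases"] = key.Aliases` inside the `for _, key := range matchKeys` loop keeps both paths consistent. The alias branch reports a failed `api.GetKey` as "Get Keys failed", which hides which lookup failed, and the `else` after the returning `if err != nil` can be dropped. `d.Set("keys", keyMap)` ignores its error in both branches, so a schema mismatch would surface only as empty state. The function starts before this hunk.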
@@ -594,6 +592,7 @@ func resourceIBMKmsKeyDelete(d *schema.ResourceData, meta interface{}) error { f := kp.ForceOpt{ Force: force, } + _, err1 := kpAPI.DeleteKey(context.Background(), keyid, kp.ReturnRepresentation, f) if err1 != nil { return fmt.Errorf( diff --git a/ibm/resource_ibm_kms_key_alias.go b/ibm/resource_ibm_kms_key_alias.go new file mode 100644 index 00000000000..605c2f9b0bd --- /dev/null +++ b/ibm/resource_ibm_kms_key_alias.go 
@@ -0,0 +1,249 @@ +package ibm + +import ( + "context" + "fmt" + "net/url" + "strings" + + kp "github.com/IBM/keyprotect-go-client" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func resourceIBMKmskeyAlias() *schema.Resource { + return &schema.Resource{ + Create: resourceIBMKmsKeyAliasCreate, + Delete: resourceIBMKmsKeyAliasDelete, + Read: resourceIBMKmsKeyAliasRead, + Importer: &schema.ResourceImporter{}, + + Schema: map[string]*schema.Schema{ + "instance_id": { + Type: schema.TypeString, + Required: true, + Description: "Key ID", + ForceNew: true, + }, + "alias": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "Key protect or hpcs key alias name", + }, + "key_id": { + Type: schema.TypeString, + Required: true, + Description: "Key ID", + ForceNew: true, + }, + "endpoint_type": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validateAllowedStringValue([]string{"public", "private"}), + Description: "public or private", + ForceNew: true, + Default: "public", + }, + }, + } +} + +func resourceIBMKmsKeyAliasCreate(d *schema.ResourceData, meta interface{}) error { + kpAPI, err := meta.(ClientSession).keyManagementAPI() + if err != nil { + return err + } + rContollerClient, err := meta.(ClientSession).ResourceControllerAPIV2() + if err != nil { + return err + } + + instanceID := d.Get("instance_id").(string) + endpointType := d.Get("endpoint_type").(string) + + rContollerAPI := rContollerClient.ResourceServiceInstanceV2() + + instanceData, err := rContollerAPI.GetInstance(instanceID) + if err != nil { + return err + } + instanceCRN := instanceData.Crn.String() + crnData := strings.Split(instanceCRN, ":") + + var hpcsEndpointURL string + + if crnData[4] == "hs-crypto" { + hpcsEndpointAPI, err := meta.(ClientSession).HpcsEndpointAPI() + if err != nil { + return err + } + + resp, err := hpcsEndpointAPI.Endpoint().GetAPIEndpoint(instanceID) + if err != nil { + return err + } + + if endpointType == "public" 
{ + hpcsEndpointURL = "https://" + resp.Kms.Public + "/api/v2/keys" + } else { + hpcsEndpointURL = "https://" + resp.Kms.Private + "/api/v2/keys" + } + + u, err := url.Parse(hpcsEndpointURL) + if err != nil { + return fmt.Errorf("Error Parsing hpcs EndpointURL") + } + kpAPI.URL = u + } else if crnData[4] == "kms" { + if endpointType == "private" { + if !strings.HasPrefix(kpAPI.Config.BaseURL, "private") { + kpAPI.Config.BaseURL = "private." + kpAPI.Config.BaseURL + } + } + } else { + return fmt.Errorf("Invalid or unsupported service Instance") + } + kpAPI.Config.InstanceID = instanceID + + aliasName := d.Get("alias").(string) + keyID := d.Get("key_id").(string) + stkey, err := kpAPI.CreateKeyAlias(context.Background(), aliasName, keyID) + if err != nil { + return fmt.Errorf( + "Error while creating alias name for the key: %s", err) + } + key, err := kpAPI.GetKey(context.Background(), stkey.KeyID) + if err != nil { + return fmt.Errorf("Get Key failed with error: %s", err) + } + d.SetId(fmt.Sprintf("%s:alias:%s", stkey.Alias, key.CRN)) + + return resourceIBMKmsKeyAliasRead(d, meta) +} + +func resourceIBMKmsKeyAliasRead(d *schema.ResourceData, meta interface{}) error { + kpAPI, err := meta.(ClientSession).keyManagementAPI() + if err != nil { + return err + } + id := strings.Split(d.Id(), ":alias:") + crn := id[1] + crnData := strings.Split(crn, ":") + endpointType := crnData[3] + instanceID := crnData[len(crnData)-3] + keyid := crnData[len(crnData)-1] + + var hpcsEndpointURL string + + if crnData[4] == "hs-crypto" { + hpcsEndpointAPI, err := meta.(ClientSession).HpcsEndpointAPI() + if err != nil { + return err + } + + resp, err := hpcsEndpointAPI.Endpoint().GetAPIEndpoint(instanceID) + if err != nil { + return err + } + + if endpointType == "public" { + hpcsEndpointURL = "https://" + resp.Kms.Public + "/api/v2/keys" + } else { + hpcsEndpointURL = "https://" + resp.Kms.Private + "/api/v2/keys" + } + + u, err := url.Parse(hpcsEndpointURL) + if err != nil { + return 
fmt.Errorf("Error Parsing hpcs EndpointURL") + + } + kpAPI.URL = u + } else if crnData[4] == "kms" { + if endpointType == "private" { + if !strings.HasPrefix(kpAPI.Config.BaseURL, "private") { + kpAPI.Config.BaseURL = "private." + kpAPI.Config.BaseURL + } + } + } else { + return fmt.Errorf("Invalid or unsupported service Instance") + } + + kpAPI.Config.InstanceID = instanceID + key, err := kpAPI.GetKey(context.Background(), keyid) + if err != nil { + kpError := err.(*kp.Error) + if kpError.StatusCode == 404 { + d.SetId("") + return nil + } else { + return fmt.Errorf("Get Key failed with error: %s", err) + } + } + d.Set("alias", id[0]) + d.Set("key_id", key.ID) + d.Set("instance_id", instanceID) + d.Set("endpoint_type", endpointType) + + return nil +} + +func resourceIBMKmsKeyAliasDelete(d *schema.ResourceData, meta interface{}) error { + kpAPI, err := meta.(ClientSession).keyManagementAPI() + if err != nil { + return err + } + id := strings.Split(d.Id(), ":alias:") + crn := id[1] + crnData := strings.Split(crn, ":") + endpointType := crnData[3] + instanceID := crnData[len(crnData)-3] + keyid := crnData[len(crnData)-1] + + var hpcsEndpointURL string + + if crnData[4] == "hs-crypto" { + hpcsEndpointAPI, err := meta.(ClientSession).HpcsEndpointAPI() + if err != nil { + return err + } + + resp, err := hpcsEndpointAPI.Endpoint().GetAPIEndpoint(instanceID) + if err != nil { + return err + } + + if endpointType == "public" { + hpcsEndpointURL = "https://" + resp.Kms.Public + "/api/v2/keys" + } else { + hpcsEndpointURL = "https://" + resp.Kms.Private + "/api/v2/keys" + } + + u, err := url.Parse(hpcsEndpointURL) + if err != nil { + return fmt.Errorf("Error Parsing hpcs EndpointURL") + + } + kpAPI.URL = u + } else if crnData[4] == "kms" { + if endpointType == "private" { + if !strings.HasPrefix(kpAPI.Config.BaseURL, "private") { + kpAPI.Config.BaseURL = "private." 
+ kpAPI.Config.BaseURL + } + } + } else { + return fmt.Errorf("Invalid or unsupported service Instance") + } + + kpAPI.Config.InstanceID = instanceID + err1 := kpAPI.DeleteKeyAlias(context.Background(), id[0], keyid) + if err1 != nil { + kpError := err1.(*kp.Error) + if kpError.StatusCode == 404 { + return nil + } else { + return fmt.Errorf(" failed to Destroy alias with error: %s", err1) + } + } + return nil + +} diff --git a/ibm/resource_ibm_kms_key_alias_test.go b/ibm/resource_ibm_kms_key_alias_test.go new file mode 100644 index 00000000000..31c7bf8aedb --- /dev/null +++ b/ibm/resource_ibm_kms_key_alias_test.go 
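Review bot: In resourceIBMKmsKeyAliasRead and resourceIBMKmsKeyAliasDelete, `endpointType := crnData[3]` takes the endpoint from the key CRN, but that segment looks like the cloud type rather than the network endpoint, so a resource configured with `endpoint_type = "private"` would be read and deleted over the public endpoint and would then show a ForceNew diff. Both functions also index `id[1]`, `crnData[3]` and `crnData[4]` without length checks although the resource declares an Importer, so a malformed import ID panics the provider, and `err.(*kp.Error)` is an unchecked assertion that panics on any non-API error such as a transport failure. I would read the endpoint from state, validate the ID shape, and use the two-value assertion, as sketched below for Read; Delete needs the same guards around `DeleteKeyAlias`. Separately, the `instance_id` field carries the description "Key ID", which should name the instance GUID.

```go
// in resourceIBMKmsKeyAliasRead, after obtaining kpAPI
id := strings.Split(d.Id(), ":alias:")
if len(id) != 2 {
	return fmt.Errorf("Invalid alias ID %q, expected <alias>:alias:<key CRN>", d.Id())
}
crnData := strings.Split(id[1], ":")
// NOTE(review): assumes a key CRN has ten colon-separated segments; confirm.
if len(crnData) < 10 {
	return fmt.Errorf("Invalid key CRN %q in alias ID", id[1])
}
endpointType := d.Get("endpoint_type").(string)
instanceID := crnData[len(crnData)-3]
keyid := crnData[len(crnData)-1]
// … unchanged: endpoint selection for hs-crypto / kms …
key, err := kpAPI.GetKey(context.Background(), keyid)
if err != nil {
	if kpError, ok := err.(*kp.Error); ok && kpError.StatusCode == 404 {
		d.SetId("")
		return nil
	}
	return fmt.Errorf("Get Key failed with error: %s", err)
}
```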
@@ -0,0 +1,290 @@ +package ibm + +import ( + "fmt" + "regexp" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" +) + +func TestAccIBMKMSResource_Key_Alias_Name(t *testing.T) { + instanceName := fmt.Sprintf("tf_kms_%d", acctest.RandIntRange(10, 100)) + // cosInstanceName := fmt.Sprintf("cos_%d", acctest.RandIntRange(10, 100)) + // bucketName := fmt.Sprintf("bucket-test77") + aliasName := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + keyName := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIBMKmsResourceAliasConfig(instanceName, keyName, aliasName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName), + resource.TestCheckResourceAttr("data.ibm_kms_keys.AliasTest", "alias", aliasName), + ), + }, + }, + }) +} +func TestAccIBMKMSResource_Key_Alias_Key(t *testing.T) { + instanceName := fmt.Sprintf("tf_kms_%d", acctest.RandIntRange(10, 100)) + // cosInstanceName := fmt.Sprintf("cos_%d", acctest.RandIntRange(10, 100)) + // bucketName := fmt.Sprintf("bucket-test77") + aliasName := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + + keyName := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIBMKmsResourceAliasDuplicateConfig(instanceName, keyName, aliasName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("ibm_kms_key.test", "key_name", keyName), + resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName), + ), + }, + }, + }) +} + +func 
TestAccIBMKMSResource_Key_Alias_Key_Duplicacy(t *testing.T) { + instanceName := fmt.Sprintf("tf_kms_%d", acctest.RandIntRange(10, 100)) + // cosInstanceName := fmt.Sprintf("cos_%d", acctest.RandIntRange(10, 100)) + // bucketName := fmt.Sprintf("bucket-test77") + aliasName := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + keyName := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIBMKmsResourceAliasDuplicateConfig(instanceName, keyName, aliasName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("ibm_kms_key.test", "key_name", keyName), + resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName), + ), + }, + }, + }) +} + +func TestAccIBMKMSResource_Key_Alias_Key_Check(t *testing.T) { + instanceName := fmt.Sprintf("tf_kms_%d", acctest.RandIntRange(10, 100)) + // cosInstanceName := fmt.Sprintf("cos_%d", acctest.RandIntRange(10, 100)) + // bucketName := fmt.Sprintf("bucket-test77") + aliasName := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + aliasName2 := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + keyName := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100)) + keyName2 := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIBMKmsResourceAliasTwo(instanceName, keyName, aliasName, aliasName2), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("ibm_kms_key.test", "key_name", keyName), + resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName), + ), + }, + resource.TestStep{ + Config: testAccCheckIBMKmsResourceAliasOne(instanceName, keyName, aliasName), + Check: 
resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("ibm_kms_key.test", "key_name", keyName), + resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName), + ), + }, + resource.TestStep{ + Config: testAccCheckIBMKmsResourceAliasOne(instanceName, keyName2, aliasName2), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("ibm_kms_key.test", "key_name", keyName2), + resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName2), + ), + }, + }, + }) +} + +func TestAccIBMKMSResource_Key_Alias_Key_Limit(t *testing.T) { + instanceName := fmt.Sprintf("tf_kms_%d", acctest.RandIntRange(10, 100)) + // cosInstanceName := fmt.Sprintf("cos_%d", acctest.RandIntRange(10, 100)) + // bucketName := fmt.Sprintf("bucket-test77") + aliasName := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + aliasName2 := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + aliasName3 := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + aliasName4 := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + aliasName5 := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + aliasName6 := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100)) + keyName := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIBMKmsResourceAliasLimitConfig(instanceName, keyName, aliasName, aliasName2, aliasName3, aliasName4, aliasName5, aliasName6), + ExpectError: regexp.MustCompile("(KEY_ALIAS_QUOTA_ERR)"), + }, + }, + }) +} + +func testAccCheckIBMKmsResourceAliasConfig(instanceName, KeyName, aliasName string) string { + return fmt.Sprintf(` + resource "ibm_resource_instance" "kms_instance" { + name = "%s" + service = "kms" + plan = "tiered-pricing" + location = "us-south" + } + resource "ibm_kms_key" "test" { + instance_id = 
"${ibm_resource_instance.kms_instance.guid}" + key_name = "%s" + standard_key = true + force_delete = true + } + resource "ibm_kms_key_alias" "testAlias" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + data "ibm_kms_keys" "AliasTest" { + instance_id = ibm_kms_key_alias.testAlias.instance_id + alias = "${ibm_kms_key_alias.testAlias.alias}" + } +`, instanceName, KeyName, aliasName) +} + +func testAccCheckIBMKmsResourceAliasDuplicateConfig(instanceName, KeyName, aliasName string) string { + return fmt.Sprintf(` + resource "ibm_resource_instance" "kms_instance" { + name = "%s" + service = "kms" + plan = "tiered-pricing" + location = "us-south" + } + resource "ibm_kms_key" "test" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + key_name = "%s" + standard_key = true + force_delete = true + } + resource "ibm_kms_key_alias" "testAlias" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + resource "ibm_kms_key_alias" "testAlias2" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "${ibm_kms_key_alias.testAlias2.alias}" + key_id = "${ibm_kms_key.test.key_id}" + } + +`, instanceName, KeyName, aliasName) +} + +func testAccCheckIBMKmsResourceAliasTwo(instanceName, KeyName, aliasName, aliasName2 string) string { + return fmt.Sprintf(` + resource "ibm_resource_instance" "kms_instance" { + name = "%s" + service = "kms" + plan = "tiered-pricing" + location = "us-south" + } + resource "ibm_kms_key" "test" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + key_name = "%s" + standard_key = true + force_delete = true + } + resource "ibm_kms_key_alias" "testAlias" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + resource "ibm_kms_key_alias" "testAlias2" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + 
alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + +`, instanceName, KeyName, aliasName, aliasName2) +} + +func testAccCheckIBMKmsResourceAliasOne(instanceName, KeyName, aliasName string) string { + return fmt.Sprintf(` + resource "ibm_resource_instance" "kms_instance" { + name = "%s" + service = "kms" + plan = "tiered-pricing" + location = "us-south" + } + resource "ibm_kms_key" "test" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + key_name = "%s" + standard_key = true + force_delete = true + } + resource "ibm_kms_key_alias" "testAlias" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + +`, instanceName, KeyName, aliasName) +} + +func testAccCheckIBMKmsResourceAliasLimitConfig(instanceName, KeyName, aliasName, aliasName2, aliasName3, aliasName4, aliasName5, aliasName6 string) string { + return fmt.Sprintf(` + resource "ibm_resource_instance" "kms_instance" { + name = "%s" + service = "kms" + plan = "tiered-pricing" + location = "us-south" + } + resource "ibm_kms_key" "test" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + key_name = "%s" + standard_key = true + force_delete = true + } + resource "ibm_kms_key_alias" "testAlias" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + resource "ibm_kms_key_alias" "testAlias2" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + resource "ibm_kms_key_alias" "testAlias3" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + resource "ibm_kms_key_alias" "testAlias4" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } + resource "ibm_kms_key_alias" "testAlias5" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = 
"%s" + key_id = "${ibm_kms_key.test.key_id}" + } + resource "ibm_kms_key_alias" "testAlias6" { + instance_id = "${ibm_resource_instance.kms_instance.guid}" + alias = "%s" + key_id = "${ibm_kms_key.test.key_id}" + } +`, instanceName, KeyName, aliasName, aliasName2, aliasName3, aliasName4, aliasName5, aliasName6) +} diff --git a/website/docs/d/kms_key.html.markdown b/website/docs/d/kms_key.html.markdown index 855d9fc58f3..7d33bebd222 100644 --- a/website/docs/d/kms_key.html.markdown +++ b/website/docs/d/kms_key.html.markdown @@ -8,7 +8,7 @@ description: |- # ibm\_kms_key -Import the details of existing hs-crypto or key-protect keys as a read-only data source. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. Retreives a list of keys from the hs-crypto or key-protect instance for the provided key name. Configuration of an ibm_kms_key datasource requires that the region parameter is set for the IBM provider in the provider block to be the same as the target key protect instance location/region. If not specified it will default to us-south. A terraform apply will fail if the key protect instance location is set differently. +Import the details of existing hs-crypto or key-protect keys as a read-only data source. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. Retreives a list of keys from the hs-crypto or key-protect instance for the provided key name or alias name (if created for the key). Configuration of an ibm_kms_key datasource requires that the region parameter is set for the IBM provider in the provider block to be the same as the target key protect instance location/region. If not specified it will default to us-south. A terraform apply will fail if the key protect instance location is set differently. ## Example Usage 
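Review bot: In `testAccCheckIBMKmsResourceAliasDuplicateConfig` the `testAlias2` resource sets `alias = "${ibm_kms_key_alias.testAlias2.alias}"`, a reference to its own attribute, which Terraform should reject as a self-referential block before any request reaches the service; only three format arguments are passed, so the second alias was presumably meant to reuse the first. If the intent is to prove that a duplicate alias is refused, the line would read `alias = "${ibm_kms_key_alias.testAlias.alias}"` and the step would need an `ExpectError` pattern for the conflict the service returns; as written, `TestAccIBMKMSResource_Key_Alias_Key` and `TestAccIBMKMSResource_Key_Alias_Key_Duplicacy` are identical and both expect success. Separately, every name is drawn with `acctest.RandIntRange(10, 100)`, so the six aliases in `TestAccIBMKMSResource_Key_Alias_Key_Limit` can collide and the step could then fail for a reason other than `KEY_ALIAS_QUOTA_ERR`; a wider range or `acctest.RandString` would avoid that.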
@@ -17,6 +17,11 @@ data "ibm_kms_key" "test" { instance_id = "guid-of-keyprotect-or hs-crypto-instance" key_name = "name-of-key" } +OR +data "ibm_kms_key" "test" { + instance_id = "guid-of-keyprotect-or hs-crypto-instance" + alias = "alias_name" +} resource "ibm_cos_bucket" "flex-us-south" { bucket_name = "atest-bucket" resource_instance_id = "cos-instance-id" @@ -26,13 +31,16 @@ resource "ibm_cos_bucket" "flex-us-south" { } ``` +**NOTE : Data of the key can be retrieved either using a key name or an alias name (if created for the key or keys) . + ## Argument Reference The following arguments are supported: * `instance_id` - (Required, string) The keyprotect instance guid. -* `key_name` - (Required, string) The name of the key. Only the keys with matching name will be retreived. -* `endpoint_type` - (Optional, string) The type of the endpoint (public or private) to be used for fetching keys. +* `key_name` - (Required, In conflict with alias_name, string) The name of the key. Only the keys with matching name will be retreived. +* `alias` - (Required, In conflict with key_name, string) The alias name associated with the key. Only the key with matching alias name will be retreived. +* `endpoint_type` - (Optional, string) The type of the endpoint (public or private) to be used for fetching keys. ## Attribute Reference @@ -40,6 +48,7 @@ The following attributes are exported: * `keys` - List of all Keys in the IBM hs-crypto or Key-protect instance. * `name` - The name for the key. + * `aliases` - List of all the alias associated with the keys. * `id` - The unique identifier for this key * `crn` - The crn of the key. * `standard_key` - This flag is true in case of standard key, else false for root key. diff --git a/website/docs/d/kms_keys.html.markdown b/website/docs/d/kms_keys.html.markdown index 5659621b032..d5ba825365d 100644 --- a/website/docs/d/kms_keys.html.markdown +++ b/website/docs/d/kms_keys.html.markdown 
@@ -31,7 +31,8 @@ The following arguments are supported: * `instance_id` - (Required, string) The keyprotect instance guid. * `key_name` - (Optional, string) The name of the key. Only the keys with matching name will be retreived. -* `endpoint_type` - (Optional, string) The type of the endpoint (public or private) to be used for fetching keys. +* `alias` - (Optional, string) The alias name associated with the key. Only the key with matching alias name will be retreived. +* `endpoint_type` - (Optional, string) The type of the endpoint (public or private) to be used for fetching keys. ## Attribute Reference @@ -39,6 +40,7 @@ The following attributes are exported: * `keys` - List of all Keys in the IBM hs-crypto or Key-protect instance. * `name` - The name for the key. + * `aliases` - List of all the alias associated with the keys. * `id` - The unique identifier for this key * `crn` - The crn of the key. * `standard_key` - This flag is true in case of standard key, else false for root key. diff --git a/website/docs/r/kms_key_alias.html.markdown b/website/docs/r/kms_key_alias.html.markdown new file mode 100644 index 00000000000..20709073490 --- /dev/null +++ b/website/docs/r/kms_key_alias.html.markdown 
@@ -0,0 +1,62 @@
+---
+
+subcategory: "Key Management Service"
+layout: "ibm"
+page_title: "IBM : kms-key-alias"
+description: |-
+ Manages IBM hs-crypto and kms key alias.
+---
+
+# ibm\_kms_key_alias
+
+Provides a key management resource for hs-crypto and key-protect services. This allows aliases for the keys to be created, and deleted.
+
+## Example usage to provision Key Protect service and Key Management With Alias
+
+```hcl
+resource "ibm_resource_instance" "kms_instance" {
+ name = "instance-name"
+ service = "kms"
+ plan = "tiered-pricing"
+ location = "us-south"
+}
+resource "ibm_kms_key" "test" {
+ instance_id = ibm_resource_instance.kms_instance.guid
+ key_name = "key-name"
+ standard_key = false
+ force_delete =true
+}
+resource "ibm_kms_key_alias" "key_alias" {
+ instance_id = ibm_kms_key.test.instance_id
+ alias = "alias"
+ key_id = "ibm_kms_key.test.key_id"
+}
+resource "ibm_cos_bucket" "flex-us-south" {
+ bucket_name = "atest-bucket"
+ resource_instance_id = "cos-instance-id"
+ region_location = "us-south"
+ storage_class = "flex"
+ key_protect = ibm_kms_key.test.id
+}
+```
+
+Note : An alias that identifies a key. Each alias is unique only within the given instance and is not reserved across the Key Protect service. Each key can have up to five aliases. There is a limit of 1000 aliases per instance. Alias must be alphanumeric and cannot contain spaces or special characters other than '-' or '_'.
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `instance_id` - (Required, Forces new resource, string) The hs-crypto or key-protect instance guid.
+* `alias` - (Required, Forces new resource, string) The alias name of the key.
+* `key_id` - (Required, string) The key_id of the key for which alias has to be created.
+* `endpoint_type` - (Optional, Forces new resource, string) The type of the endpoint (public or private) to be used for creating keys.
+
+## Attribute Reference
+
+The following attributes are exported:
+
+* `id` - The crn of the key.
+* `alias` - The crn of the key.
+* `key_id` - The id of the key.
+* `instance_id` - The instance id.
+* `endpoint_type` - The type of endpoint.