[CC-8720]CMEK resource (#67)

docs/data-sources/cluster.md

@@ -3,12 +3,12 @@
 page_title: "cockroach_cluster Data Source - terraform-provider-cockroach"
 subcategory: ""
 description: |-
-  clusterSourceType Data Source
+  Cluster Data Source
 ---
 
 # cockroach_cluster (Data Source)
 
-clusterSourceType Data Source
+Cluster Data Source
 
 
 
@@ -39,6 +39,7 @@ Read-Only:
 - `machine_type` (String)
 - `memory_gib` (Number)
 - `num_virtual_cpus` (Number)
+- `private_network_visibility` (Boolean)
 - `storage_gib` (Number)
 
 

docs/resources/cluster.md

@@ -61,6 +61,7 @@ Optional:
 - `disk_iops` (Number)
 - `machine_type` (String)
 - `num_virtual_cpus` (Number)
+- `private_network_visibility` (Boolean) Set to true to assign private IP addresses to nodes. Required for CMEK, PrivateLink, and other advanced features.
 - `storage_gib` (Number)
 
 Read-Only:

docs/resources/cmek.md

@@ -0,0 +1,74 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "cockroach_cmek Resource - terraform-provider-cockroach"
+subcategory: ""
+description: |-
+  Customer-managed encryption keys (CMEK) resource for a single cluster
+---
+
+# cockroach_cmek (Resource)
+
+Customer-managed encryption keys (CMEK) resource for a single cluster
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) Cluster ID
+- `regions` (Attributes List) (see [below for nested schema](#nestedatt--regions))
+
+### Optional
+
+- `additional_regions` (Attributes List) Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead. (see [below for nested schema](#nestedatt--additional_regions))
+- `status` (String) Aggregated status of the cluster's encryption key(s)
+
+<a id="nestedatt--regions"></a>
+### Nested Schema for `regions`
+
+Required:
+
+- `key` (Attributes) (see [below for nested schema](#nestedatt--regions--key))
+- `region` (String)
+
+Read-Only:
+
+- `status` (String)
+
+<a id="nestedatt--regions--key"></a>
+### Nested Schema for `regions.key`
+
+Required:
+
+- `auth_principal` (String)
+- `type` (String) Current allowed values are 'AWS_KMS' and 'GCP_CLOUD_KMS'
+- `uri` (String)
+
+Read-Only:
+
+- `created_at` (String)
+- `status` (String)
+- `updated_at` (String)
+- `user_message` (String)
+
+
+
+<a id="nestedatt--additional_regions"></a>
+### Nested Schema for `additional_regions`
+
+Required:
+
+- `name` (String)
+
+Optional:
+
+- `node_count` (Number)
+
+Read-Only:
+
+- `sql_dns` (String)
+- `ui_dns` (String)
+
+

examples/workflows/cockroach_cmek/main.tf

@@ -0,0 +1,170 @@
+# Your Organization ID can be found at https://cockroachlabs.cloud/information
+variable "org_id" {
+  type     = string
+  nullable = false
+}
+
+# Required to assign yourself permission to update the key.
+variable "iam_user" {
+  type     = string
+  nullable = false
+}
+
+variable "cluster_name" {
+  type     = string
+  nullable = false
+}
+
+variable "aws_region" {
+  type     = string
+  nullable = false
+  default  = "us-west-2"
+}
+
+variable "additional_regions" {
+  type     = list(string)
+  nullable = false
+}
+
+variable "cluster_node_count" {
+  type     = number
+  nullable = false
+  default  = 3
+}
+
+variable "storage_gib" {
+  type     = number
+  nullable = false
+  default  = 15
+}
+
+variable "machine_type" {
+  type     = string
+  nullable = false
+  default  = "m5.large"
+}
+
+terraform {
+  required_providers {
+    cockroach = {
+      source = "cockroachdb/cockroach"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
+provider "cockroach" {
+  # export COCKROACH_API_KEY with the cockroach cloud API Key
+}
+
+provider "aws" {
+  # See https://registry.terraform.io/providers/hashicorp/aws/latest/docs
+  # for configuration steps.
+
+  # Please don't use a variable for region in production! The AWS provider won't
+  # be able to find any resources if this value changes and you'll get
+  # into a weird state. Be sure to run `terraform destroy` before changing
+  # this value.
+  region = var.aws_region
+}
+
+resource "cockroach_cluster" "example" {
+  name           = var.cluster_name
+  cloud_provider = "AWS"
+  dedicated = {
+    storage_gib                = var.storage_gib
+    machine_type               = var.machine_type
+    private_network_visibility = true
+  }
+  regions = [{
+    name       = var.aws_region,
+    node_count = var.cluster_node_count
+    }
+  ]
+}
+
+resource "aws_iam_role" "example" {
+  name = "cmek_test_role"
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : "sts:AssumeRole",
+        "Principal" : {
+          "AWS" : cockroach_cluster.example.account_id
+        },
+        "Condition" : {
+          "StringEquals" : {
+            "sts:ExternalId" : var.org_id
+          }
+        }
+      }
+    ]
+  })
+}
+
+data "aws_iam_user" "example" {
+  user_name = var.iam_user
+}
+
+resource "aws_kms_key" "example" {
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : "kms:*",
+        "Principal" : {
+          "AWS" : [
+            aws_iam_role.example.arn,
+            data.aws_iam_user.example.arn
+          ]
+        },
+        "Resource" : "*"
+      }
+    ]
+  })
+  multi_region = true
+}
+
+resource "cockroach_cmek" "example" {
+  id = cockroach_cluster.example.id
+  regions = /*concat(*/ [
+    {
+      region : var.aws_region
+      key : {
+        auth_principal : aws_iam_role.example.arn
+        type : "AWS_KMS"
+        uri : aws_kms_key.example.arn
+      }
+    }
+  ] #,
+  #
+  # Additional regions can be added after CMEK is enabled by updating
+  # the `region` attribute and adding their name and node count to
+  # `additional_regions`. These regions will be managed separately from
+  # the parent cluster, but will otherwise behave the same. Cluster data
+  # sources will always show the entire list of regions, regardless of
+  # whether they're managed by the cluster or CMEK resource.
+  #
+  # These should be concatenated with the current region(s).
+  #[for r in var.additional_regions : {
+  #  region: r,
+  #  key: {
+  #    auth_principal: aws_iam_role.example.arn
+  #    type: "AWS_KMS"
+  #    uri: aws_kms_key.example.arn
+  #  }
+  #}])
+
+  #additional_regions = [for r in var.additional_regions :
+  #  {
+  #    name = r
+  #    node_count = var.cluster_node_count
+  #  }
+  #]
+}

go.mod

@@ -3,7 +3,7 @@ module github.com/cockroachdb/terraform-provider-cockroach
 go 1.18
 
 require (
-	github.com/cockroachdb/cockroach-cloud-sdk-go v0.3.1
+	github.com/cockroachdb/cockroach-cloud-sdk-go v0.3.3
 	github.com/golang/mock v1.6.0
 	github.com/hashicorp/terraform-plugin-docs v0.13.0
 	github.com/hashicorp/terraform-plugin-framework v0.17.0

go.sum

@@ -34,6 +34,8 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cockroachdb/cockroach-cloud-sdk-go v0.3.1 h1:PaqggGcqDV8/T9AQMXzSC+xjhtLo92eDpqLi76yIeNg=
 github.com/cockroachdb/cockroach-cloud-sdk-go v0.3.1/go.mod h1:zVVtMKMcPkwrYgrZ/hv73HiGSsWId3BorWlSpRWc7tM=
+github.com/cockroachdb/cockroach-cloud-sdk-go v0.3.3 h1:Dk6ACbo0UgxIzwqoXiMS7zbM/L2f5z8INU3pHUOinXs=
+github.com/cockroachdb/cockroach-cloud-sdk-go v0.3.3/go.mod h1:zVVtMKMcPkwrYgrZ/hv73HiGSsWId3BorWlSpRWc7tM=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=