From d34e24fb21b1de9a41f1e0c22a5fc9c8ffcf7274 Mon Sep 17 00:00:00 2001 From: The Magician Date: Wed, 8 Feb 2023 14:13:00 -0800 Subject: [PATCH] Provide a support for `rsaEncryptedkey` in `compute_disk` (#7026) (#13685) * provide a support for rsaEncryptedkey in compute disk * minor changes * added test for RSA_Encrypted_Key * fixing the test failure * reverting ruby version Signed-off-by: Modular Magician --- .changelog/7026.txt | 4 +++ google/resource_compute_disk.go | 27 ++++++++++++++ google/resource_compute_disk_test.go | 44 +++++++++++++++++++++++ google/resource_compute_region_disk.go | 1 + website/docs/r/compute_disk.html.markdown | 9 ++++- 5 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 .changelog/7026.txt diff --git a/.changelog/7026.txt b/.changelog/7026.txt new file mode 100644 index 00000000000..11e38bd43c0 --- /dev/null +++ b/.changelog/7026.txt @@ -0,0 +1,4 @@ +```release-note:enhancement +compute: added field `rsaEncryptedKey` to resource `disk` + +``` diff --git a/google/resource_compute_disk.go b/google/resource_compute_disk.go index 7eee441fcdc..2f8b4acfda1 100644 --- a/google/resource_compute_disk.go +++ b/google/resource_compute_disk.go @@ -354,6 +354,15 @@ If absent, the Compute Engine Service Agent service account is used.`, RFC 4648 base64 to either encrypt or decrypt this resource.`, Sensitive: true, }, + "rsa_encrypted_key": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: `Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit +customer-supplied encryption key to either encrypt or decrypt +this resource. You can provide either the rawKey or the rsaEncryptedKey.`, + Sensitive: true, + }, "sha256": { Type: schema.TypeString, Computed: true, 
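Review bot: The new `rsa_encrypted_key` schema entry says the caller may supply either the raw key or the wrapped key, but nothing in the hunk enforces that exclusivity, so a configuration that sets both (or a wrapped key next to `kms_key_self_link`, which the flatten code later in this patch shows lives in the same block) is only rejected by the Compute API at apply time rather than at plan time. Unless `raw_key` already declares the equivalent outside this hunk, add `ConflictsWith: []string{"disk_encryption_key.0.raw_key", "disk_encryption_key.0.kms_key_self_link"},` to the new field so the misconfiguration surfaces during validation, which is what the description text promises. `Sensitive: true` and `ForceNew: true` look right: the wrapped blob is still key material from Terraform's perspective, and presumably a disk's encryption key cannot be swapped in place. The enclosing schema map starts before this hunk.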
@@ -1274,6 +1283,8 @@ func flattenComputeDiskDiskEncryptionKey(v interface{}, d *schema.ResourceData, transformed := make(map[string]interface{}) transformed["raw_key"] = flattenComputeDiskDiskEncryptionKeyRawKey(original["rawKey"], d, config) + transformed["rsa_encrypted_key"] = + flattenComputeDiskDiskEncryptionKeyRsaEncryptedKey(original["rsaEncryptedKey"], d, config) transformed["sha256"] = flattenComputeDiskDiskEncryptionKeySha256(original["sha256"], d, config) transformed["kms_key_self_link"] = @@ -1286,6 +1297,10 @@ func flattenComputeDiskDiskEncryptionKeyRawKey(v interface{}, d *schema.Resource return v } +func flattenComputeDiskDiskEncryptionKeyRsaEncryptedKey(v interface{}, d *schema.ResourceData, config *Config) interface{} { + return v +} + func flattenComputeDiskDiskEncryptionKeySha256(v interface{}, d *schema.ResourceData, config *Config) interface{} { return v } @@ -1475,6 +1490,13 @@ func expandComputeDiskDiskEncryptionKey(v interface{}, d TerraformResourceData, transformed["rawKey"] = transformedRawKey } + transformedRsaEncryptedKey, err := expandComputeDiskDiskEncryptionKeyRsaEncryptedKey(original["rsa_encrypted_key"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedRsaEncryptedKey); val.IsValid() && !isEmptyValue(val) { + transformed["rsaEncryptedKey"] = transformedRsaEncryptedKey + } + transformedSha256, err := expandComputeDiskDiskEncryptionKeySha256(original["sha256"], d, config) if err != nil { return nil, err @@ -1503,6 +1525,10 @@ func expandComputeDiskDiskEncryptionKeyRawKey(v interface{}, d TerraformResource return v, nil } +func expandComputeDiskDiskEncryptionKeyRsaEncryptedKey(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { + return v, nil +} + func expandComputeDiskDiskEncryptionKeySha256(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) { return v, nil } 
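Review bot: `flattenComputeDiskDiskEncryptionKeyRsaEncryptedKey` passes `original["rsaEncryptedKey"]` straight through, but the decoder hunk later in this patch records that the API does not return the key, so on a Read this value is present only because the decoder copies it forward from prior state. A reader of the flatten helper has no way to know that; add a comment to the new passthrough, e.g. `// Not echoed by the API; resourceComputeDiskDecoder seeds this from prior state so a refresh does not clear it.` The new expand branch is consistent with the `rawKey` branch above it, which also means both keys are copied into the request whenever each is non-empty and exclusivity is left entirely to the API unless the schema enforces it. The outer `flattenComputeDiskDiskEncryptionKey` and `expandComputeDiskDiskEncryptionKey` functions start and end outside these hunks; the two one-line helpers are complete.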
@@ -1626,6 +1652,7 @@ func resourceComputeDiskDecoder(d *schema.ResourceData, meta interface{}, res ma transformed := make(map[string]interface{}) // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("disk_encryption_key.0.raw_key") + transformed["rsaEncryptedKey"] = d.Get("disk_encryption_key.0.rsa_encrypted_key") transformed["sha256"] = original["sha256"] if kmsKeyName, ok := original["kmsKeyName"]; ok { diff --git a/google/resource_compute_disk_test.go b/google/resource_compute_disk_test.go index c2e89cd14d8..ec315f0385d 100644 --- a/google/resource_compute_disk_test.go +++ b/google/resource_compute_disk_test.go 
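Review bot: The comment directly above the added line, `// The raw key won't be returned, so we need to use the original.`, now describes only half of what the block does; widen it to `// Neither the raw key nor the RSA-wrapped key is returned by the API, so carry both over from prior state.` so the next maintainer does not remove the new `d.Get` as redundant. Note that `d.Get` on an unset `TypeString` yields `""`, so in the ordinary raw-key or KMS case the decoder now writes an empty `rsaEncryptedKey` entry into `transformed`; this mirrors the existing `rawKey` line and is presumably tolerated downstream, but it is worth confirming that an empty string is not surfaced in state where a null was before. `resourceComputeDiskDecoder` starts and ends outside this hunk.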
@@ -922,3 +922,47 @@ func testAccComputeDisk_diskClone(diskName, refSelector string) string { } `, diskName, diskName+"-clone", refSelector) } + +func TestAccComputeDisk_encryptionWithRSAEncryptedKey(t *testing.T) { + t.Parallel() + + diskName := fmt.Sprintf("tf-test-%s", randString(t, 10)) + var disk compute.Disk + + vcrTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckComputeDiskDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccComputeDisk_encryptionWithRSAEncryptedKey(diskName), + Check: resource.ComposeTestCheckFunc( + testAccCheckComputeDiskExists( + t, "google_compute_disk.foobar-1", getTestProjectFromEnv(), &disk), + testAccCheckEncryptionKey( + t, "google_compute_disk.foobar-1", &disk), + ), + }, + }, + }) +} + +func testAccComputeDisk_encryptionWithRSAEncryptedKey(diskName string) string { + return fmt.Sprintf(` +data "google_compute_image" "my_image" { + family = "debian-11" + project = "debian-cloud" +} + +resource "google_compute_disk" "foobar-1" { + name = "%s" + image = data.google_compute_image.my_image.self_link + size = 50 + type = "pd-ssd" + zone = "us-central1-a" + disk_encryption_key { + rsa_encrypted_key = "fB6BS8tJGhGVDZDjGt1pwUo2wyNbkzNxgH1avfOtiwB9X6oPG94gWgenygitnsYJyKjdOJ7DyXLmxwQOSmnCYCUBWdKCSssyLV5907HL2mb5TfqmgHk5JcArI/t6QADZWiuGtR+XVXqiLa5B9usxFT2BTmbHvSKfkpJ7McCNc/3U0PQR8euFRZ9i75o/w+pLHFMJ05IX3JB0zHbXMV173PjObiV3ItSJm2j3mp5XKabRGSA5rmfMnHIAMz6stGhcuom6+bMri2u/axmPsdxmC6MeWkCkCmPjaKsVz1+uQUNCJkAnzesluhoD+R6VjFDm4WI7yYabu4MOOAOTaQXdEg==" + } +} +`, diskName) +} diff --git a/google/resource_compute_region_disk.go b/google/resource_compute_region_disk.go index 1337b1822f2..64f141632fc 100644 --- a/google/resource_compute_region_disk.go +++ b/google/resource_compute_region_disk.go 
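Review bot: `TestAccComputeDisk_encryptionWithRSAEncryptedKey` exercises only create plus the framework's post-apply refresh; there is no `ImportState` step, so the one case where the decoder cannot recover `rsa_encrypted_key` from prior state (an import, where state is empty) is untested. If import is meant to work for wrapped keys, add a step with `ImportState: true, ImportStateVerify: true, ImportStateVerifyIgnore: []string{"disk_encryption_key.0.rsa_encrypted_key"}` alongside whatever the raw-key test already ignores, and document that the wrapped key is not recoverable after import. The hard-coded blob appears to be an RSA-wrapped key and so is not secret on its own, but a one-line comment stating which public certificate it was wrapped with would help whoever has to regenerate the fixture if it stops being accepted. A negative test that sets both `raw_key` and `rsa_encrypted_key` would also pin whatever exclusivity behaviour the provider intends.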
@@ -1112,6 +1112,7 @@ func resourceComputeRegionDiskDecoder(d *schema.ResourceData, meta interface{}, transformed := make(map[string]interface{}) // The raw key won't be returned, so we need to use the original. transformed["rawKey"] = d.Get("disk_encryption_key.0.raw_key") + transformed["rsaEncryptedKey"] = d.Get("disk_encryption_key.0.rsa_encrypted_key") transformed["sha256"] = original["sha256"] if kmsKeyName, ok := original["kmsKeyName"]; ok { diff --git a/website/docs/r/compute_disk.html.markdown b/website/docs/r/compute_disk.html.markdown index 911b9db8783..6def52ff082 100644 --- a/website/docs/r/compute_disk.html.markdown +++ b/website/docs/r/compute_disk.html.markdown @@ -43,7 +43,7 @@ To get more information about Disk, see: * How-to Guides * [Adding a persistent disk](https://cloud.google.com/compute/docs/disks/add-persistent-disk) -~> **Warning:** All arguments including `disk_encryption_key.raw_key` will be stored in the raw +~> **Warning:** All arguments including `disk_encryption_key.raw_key` and `disk_encryption_key.rsa_encrypted_key` will be stored in the raw state as plain-text. [Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).
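Review bot: In `resourceComputeRegionDiskDecoder` the added `d.Get("disk_encryption_key.0.rsa_encrypted_key")` reads a field that, judging by the diffstat (a single added line in `resource_compute_region_disk.go`), this patch does not add to the region disk schema, nor does it add the matching flatten and expand helpers there. If `google_compute_region_disk` already declares `rsa_encrypted_key` outside this diff the line is fine; otherwise `d.Get` on an undeclared key should yield nil rather than panic, and the line is dead weight that implies support that does not exist, so either drop it or complete the region disk wiring (schema field, flatten, expand, docs) in the same change. If the line stays, the `// The raw key won't be returned` comment above it should be widened to mention the wrapped key, as in the zonal decoder. The decoder function starts and ends outside this hunk.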
@@ -243,6 +243,13 @@ The following arguments are supported: RFC 4648 base64 to either encrypt or decrypt this resource. **Note**: This property is sensitive and will not be displayed in the plan. +* `rsa_encrypted_key` - + (Optional) + Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit + customer-supplied encryption key to either encrypt or decrypt + this resource. You can provide either the rawKey or the rsaEncryptedKey. + **Note**: This property is sensitive and will not be displayed in the plan. + * `sha256` - The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.