Revert "EphemeralWriteOnly: add rsaEncryptionKeyWo+rawKeyWo in `c…

…ompute_disk` / `region_compute_disk` (GoogleCloudPlatform#12783)" This reverts commit bec087e.
BBBmau · Feb 20, 2025 · 9d31a04 · 9d31a04
1 parent bec087e
commit 9d31a04
Show file tree

Hide file tree

Showing 12 changed files with 6 additions and 316 deletions.
diff --git a/mmv1/products/compute/Disk.yaml b/mmv1/products/compute/Disk.yaml
@@ -37,6 +37,7 @@ references:
 docs:
 base_url: 'projects/{{project}}/zones/{{zone}}/disks'
 has_self_link: true
+immutable: true
 timeouts:
   insert_minutes: 20
   update_minutes: 20
@@ -62,7 +63,6 @@ custom_code:
   update_encoder: 'templates/terraform/update_encoder/hyper_disk.go.tmpl'
   decoder: 'templates/terraform/decoders/disk.tmpl'
   pre_delete: 'templates/terraform/pre_delete/detach_disk.tmpl'
-  raw_resource_config_validation: 'templates/terraform/validation/compute_disk.go.tmpl'
 custom_diff:
   - 'customdiff.ForceNewIfChange("size", IsDiskShrinkage)'
   - 'hyperDiskIopsUpdateDiffSuppress'
@@ -72,11 +72,6 @@ examples:
     primary_resource_name: 'fmt.Sprintf("tf-test-test-disk%s", context["random_suffix"])'
     vars:
       disk_name: 'test-disk'
-  - name: 'disk_basic_wo'
-    primary_resource_id: 'default'
-    primary_resource_name: 'fmt.Sprintf("tf-test-test-disk%s", context["random_suffix"])'
-    vars:
-      disk_name: 'test-disk'
   - name: 'disk_async'
     primary_resource_id: 'primary'
     primary_resource_name: 'fmt.Sprintf("tf-test-test-disk%s", context["random_suffix"])'
@@ -173,62 +168,21 @@ properties:
       If you do not provide an encryption key when creating the disk, then
       the disk will be encrypted using an automatically generated key and
       you do not need to provide a key to use the disk later.
+    immutable: true
     properties:
       - name: 'rawKey'
         type: String
         description: |
           Specifies a 256-bit customer-supplied encryption key, encoded in
           RFC 4648 base64 to either encrypt or decrypt this resource.
         sensitive: true
-        immutable: true
-        custom_flatten: 'templates/terraform/custom_flatten/compute_key_flatten.go.tmpl'
-        conflicts:
-          - 'disk_encryption_key.0.rawKeyWo'
-      - name: 'rawKeyWoVersion'
-        type: Integer
-        description: |
-          Triggers update of write-only rawKey
-        immutable: true
-        default_value: 0
-        ignore_read: true
-      - name: 'rawKeyWo'
-        type: String
-        description: |
-          Specifies a 256-bit customer-supplied encryption key, encoded in
-          RFC 4648 base64 to either encrypt or decrypt this resource.
-        write_only: true
-        required_with:
-          - 'disk_encryption_key.0.rawKeyWoVersion'
-        conflicts:
-          - 'disk_encryption_key.0.rawKey'
-      - name: 'rsaEncryptedKeyWoVersion'
-        type: Integer
-        description: |
-          Triggers update of write-only rsaEncryptedKey
-        immutable: true
-        default_value: 0
-        ignore_read: true
       - name: 'rsaEncryptedKey'
         type: String
-        immutable: true
-        custom_flatten: 'templates/terraform/custom_flatten/compute_rsa_key_flatten.go.tmpl'
         description: |
           Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit
           customer-supplied encryption key to either encrypt or decrypt
           this resource. You can provide either the rawKey or the rsaEncryptedKey.
         sensitive: true
-        conflicts:
-          - 'disk_encryption_key.0.rsaEncryptedKeyWo'
-      - name: 'rsaEncryptedKeyWo'
-        type: String
-        description: |
-          Specifies a 256-bit customer-supplied encryption key, encoded in
-          RFC 4648 base64 to either encrypt or decrypt this resource.
-        write_only: true
-        required_with:
-          - 'disk_encryption_key.0.rsaEncryptedKeyWoVersion'
-        conflicts:
-          - 'disk_encryption_key.0.rsaEncryptedKey'
       - name: 'sha256'
         type: String
         description: |
@@ -237,7 +191,6 @@ properties:
         output: true
       - name: 'kmsKeySelfLink'
         type: String
-        immutable: true
         description: |
           The self link of the encryption key used to encrypt the disk. Also called KmsKeyName
           in the cloud console. Your project's Compute Engine System service account
@@ -248,7 +201,6 @@ properties:
         diff_suppress_func: 'tpgresource.CompareSelfLinkRelativePaths'
       - name: 'kmsKeyServiceAccount'
         type: String
-        immutable: true
         description: |
           The service account used for the encryption request for the given KMS key.
           If absent, the Compute Engine Service Agent service account is used.

diff --git a/mmv1/products/compute/RegionDisk.yaml b/mmv1/products/compute/RegionDisk.yaml
@@ -61,7 +61,6 @@ custom_code:
   encoder: 'templates/terraform/encoders/disk.tmpl'
   decoder: 'templates/terraform/decoders/disk.tmpl'
   pre_delete: 'templates/terraform/pre_delete/detach_disk.tmpl'
-  raw_resource_config_validation: 'templates/terraform/validation/compute_region_disk.go.tmpl'
 custom_diff:
   - 'customdiff.ForceNewIfChange("size", IsDiskShrinkage)'
   - 'hyperDiskIopsUpdateDiffSuppress'
@@ -73,13 +72,6 @@ examples:
       region_disk_name: 'my-region-disk'
       disk_name: 'my-disk'
       snapshot_name: 'my-snapshot'
-  - name: 'region_disk_disk_encryption_key_wo'
-    primary_resource_id: 'regiondisk'
-    primary_resource_name: 'fmt.Sprintf("tf-test-my-region-disk%s", context["random_suffix"])'
-    vars:
-      region_disk_name: 'my-region-disk'
-      disk_name: 'my-disk'
-      snapshot_name: 'my-snapshot'
   - name: 'region_disk_async'
     primary_resource_id: 'primary'
     primary_resource_name: 'fmt.Sprintf("tf-test-my-region-disk%s", context["random_suffix"])'
@@ -132,34 +124,14 @@ properties:
       If you do not provide an encryption key when creating the disk, then
       the disk will be encrypted using an automatically generated key and
       you do not need to provide a key to use the disk later.
+    immutable: true
     properties:
       - name: 'rawKey'
         type: String
         description: |
           Specifies a 256-bit customer-supplied encryption key, encoded in
           RFC 4648 base64 to either encrypt or decrypt this resource.
         sensitive: true
-        immutable: true
-        custom_flatten: 'templates/terraform/custom_flatten/compute_key_flatten.go.tmpl'
-        conflicts:
-          - 'disk_encryption_key.0.rawKeyWo'
-      - name: 'rawKeyWo'
-        type: String
-        description: |
-          Specifies a 256-bit customer-supplied encryption key, encoded in
-          RFC 4648 base64 to either encrypt or decrypt this resource.
-        write_only: true
-        required_with:
-          - 'disk_encryption_key.0.rawKeyWoVersion'
-        conflicts:
-          - 'disk_encryption_key.0.rawKey'
-      - name: 'rawKeyWoVersion'
-        type: Integer
-        description: |
-          Triggers update of write-only rawKey
-        ignore_read: true
-        default_value: 0
-        immutable: true
       - name: 'sha256'
         type: String
         description: |
@@ -169,7 +141,6 @@ properties:
         # TODO(chrisst) Change to ResourceRef once KMS is in Magic Modules
       - name: 'kmsKeyName'
         type: String
-        immutable: true
         description: |
           The name of the encryption key that is stored in Google Cloud KMS.
   - name: 'sourceSnapshotEncryptionKey'

diff --git a/mmv1/templates/terraform/custom_flatten/compute_key_flatten.go.tmpl b/mmv1/templates/terraform/custom_flatten/compute_key_flatten.go.tmpl
diff --git a/mmv1/templates/terraform/custom_flatten/compute_rsa_key_flatten.go.tmpl b/mmv1/templates/terraform/custom_flatten/compute_rsa_key_flatten.go.tmpl
diff --git a/mmv1/templates/terraform/decoders/disk.tmpl b/mmv1/templates/terraform/decoders/disk.tmpl
@@ -5,6 +5,7 @@ if v, ok := res["diskEncryptionKey"]; ok {
   transformed["rawKey"] = d.Get("disk_encryption_key.0.raw_key")
   transformed["rsaEncryptedKey"] = d.Get("disk_encryption_key.0.rsa_encrypted_key")
   transformed["sha256"] = original["sha256"]
+
   if kmsKeyName, ok := original["kmsKeyName"]; ok {
     // The response for crypto keys often includes the version of the key which needs to be removed
     // format: projects/<project>/locations/<region>/keyRings/<keyring>/cryptoKeys/<key>/cryptoKeyVersions/1

diff --git a/mmv1/templates/terraform/encoders/disk.tmpl b/mmv1/templates/terraform/encoders/disk.tmpl
@@ -50,18 +50,5 @@ if v, ok := d.GetOk("image"); ok {
 	obj["sourceImage"] = imageUrl
 	log.Printf("[DEBUG] Image name resolved to: %s", imageUrl)
 }
-{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
-if rawKey, diags := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key_wo")); !diags.HasError() && rawKey.IsKnown() && !rawKey.IsNull() {
-	obj["diskEncryptionKey"] = map[string]interface{}{
-		"rawKey": rawKey.AsString(),
-	}
-}
-
-if rsaEncryptedKey, diags := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rsa_encrypted_key_wo")); !diags.HasError() && rsaEncryptedKey.IsKnown() && !rsaEncryptedKey.IsNull() {
-	obj["diskEncryptionKey"] = map[string]interface{}{
-		"rsaEncryptedKey": rsaEncryptedKey.AsString(),
-	}
-}
-{{- end }}
 
 return obj, nil
diff --git a/mmv1/templates/terraform/examples/disk_basic_wo.tf.tmpl b/mmv1/templates/terraform/examples/disk_basic_wo.tf.tmpl
diff --git a/mmv1/templates/terraform/examples/region_disk_disk_encryption_key_wo.tf.tmpl b/mmv1/templates/terraform/examples/region_disk_disk_encryption_key_wo.tf.tmpl
diff --git a/mmv1/templates/terraform/validation/compute_disk.go.tmpl b/mmv1/templates/terraform/validation/compute_disk.go.tmpl
diff --git a/mmv1/templates/terraform/validation/compute_region_disk.go.tmpl b/mmv1/templates/terraform/validation/compute_region_disk.go.tmpl
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_disk_test.go.tmpl b/mmv1/third_party/terraform/services/compute/resource_compute_disk_test.go.tmpl
@@ -849,39 +849,6 @@ func TestAccComputeDisk_multiWriter(t *testing.T) {
 }
 {{- end }}
 
-
-func TestAccComputeDisk_update_wo(t *testing.T) {
-	t.Parallel()
-
-	diskName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
-	diskType := "pd-ssd"
-
-	acctest.VcrTest(t, resource.TestCase{
-		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
-		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
-		Steps: []resource.TestStep{
-			{
-				Config: testAccComputeDisk_basic(diskName, diskType),
-			},
-			{
-				ResourceName:      "google_compute_disk.foobar",
-				ImportState:       true,
-				ImportStateVerify: true,
-				ImportStateVerifyIgnore: []string{"disk_encryption_key.0.raw_key_wo_version", "labels", "terraform_labels"},
-			},
-			{
-				Config: testAccComputeDisk_basic_updated_wo(diskName, diskType),
-			},
-			{
-				ResourceName:      "google_compute_disk.foobar",
-				ImportState:       true,
-				ImportStateVerify: true,
-				ImportStateVerifyIgnore: []string{"disk_encryption_key.0.raw_key_wo_version", "labels", "terraform_labels"},
-			},
-		},
-	})
-}
-
 func testAccCheckComputeDiskExists(t *testing.T, n, p string, disk *compute.Disk) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@@ -1010,30 +977,6 @@ resource "google_compute_disk" "foobar" {
 `, diskName, diskType)
 }
 
-func testAccComputeDisk_basic_updated_wo(diskName string, diskType string) string {
-	return fmt.Sprintf(`
-data "google_compute_image" "my_image" {
-  family  = "debian-11"
-  project = "debian-cloud"
-}
-
-resource "google_compute_disk" "foobar" {
-  name  = "%s"
-  image = data.google_compute_image.my_image.self_link
-  size  = 50
-  type  = "%s"
-  zone  = "us-central1-a"
-  disk_encryption_key {
-    raw_key_wo = "DWw8Owgk6uhjgXXuATTZ1d9v9OwXXT8/lMYoZsblkM8="
-    raw_key_wo_version = 1
-  }
-  labels = {
-    my-label = "my-label-value"
-  }
-}
-`, diskName, diskType)
-}
-
 func testAccComputeDisk_updated(diskName string, diskType string) string {
 	return fmt.Sprintf(`
 data "google_compute_image" "my_image" {