

EphemeralWriteOnly: add rsaEncryptionKeyWo+rawKeyWo in `compute_d…
…isk` / `region_compute_disk` (GoogleCloudPlatform#12783)
BBBmau authored Feb 19, 2025
1 parent 7533392 commit bec087e
Showing 12 changed files with 316 additions and 6 deletions.
52 changes: 50 additions & 2 deletions mmv1/products/compute/Disk.yaml
Expand Up @@ -37,7 +37,6 @@ references:
docs:
base_url: 'projects/{{project}}/zones/{{zone}}/disks'
has_self_link: true
immutable: true
timeouts:
insert_minutes: 20
update_minutes: 20
Expand All @@ -63,6 +62,7 @@ custom_code:
update_encoder: 'templates/terraform/update_encoder/hyper_disk.go.tmpl'
decoder: 'templates/terraform/decoders/disk.tmpl'
pre_delete: 'templates/terraform/pre_delete/detach_disk.tmpl'
raw_resource_config_validation: 'templates/terraform/validation/compute_disk.go.tmpl'
custom_diff:
- 'customdiff.ForceNewIfChange("size", IsDiskShrinkage)'
- 'hyperDiskIopsUpdateDiffSuppress'
Expand All @@ -72,6 +72,11 @@ examples:
primary_resource_name: 'fmt.Sprintf("tf-test-test-disk%s", context["random_suffix"])'
vars:
disk_name: 'test-disk'
- name: 'disk_basic_wo'
primary_resource_id: 'default'
primary_resource_name: 'fmt.Sprintf("tf-test-test-disk%s", context["random_suffix"])'
vars:
disk_name: 'test-disk'
- name: 'disk_async'
primary_resource_id: 'primary'
primary_resource_name: 'fmt.Sprintf("tf-test-test-disk%s", context["random_suffix"])'
Expand Down Expand Up @@ -168,21 +173,62 @@ properties:
If you do not provide an encryption key when creating the disk, then
the disk will be encrypted using an automatically generated key and
you do not need to provide a key to use the disk later.
immutable: true
properties:
- name: 'rawKey'
type: String
description: |
Specifies a 256-bit customer-supplied encryption key, encoded in
RFC 4648 base64 to either encrypt or decrypt this resource.
sensitive: true
immutable: true
custom_flatten: 'templates/terraform/custom_flatten/compute_key_flatten.go.tmpl'
conflicts:
- 'disk_encryption_key.0.rawKeyWo'
- name: 'rawKeyWoVersion'
type: Integer
description: |
Triggers update of write-only rawKey
immutable: true
default_value: 0
ignore_read: true
- name: 'rawKeyWo'
type: String
description: |
Specifies a 256-bit customer-supplied encryption key, encoded in
RFC 4648 base64 to either encrypt or decrypt this resource.
write_only: true
required_with:
- 'disk_encryption_key.0.rawKeyWoVersion'
conflicts:
- 'disk_encryption_key.0.rawKey'
- name: 'rsaEncryptedKeyWoVersion'
type: Integer
description: |
Triggers update of write-only rsaEncryptedKey
immutable: true
default_value: 0
ignore_read: true
- name: 'rsaEncryptedKey'
type: String
immutable: true
custom_flatten: 'templates/terraform/custom_flatten/compute_rsa_key_flatten.go.tmpl'
description: |
Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit
customer-supplied encryption key to either encrypt or decrypt
this resource. You can provide either the rawKey or the rsaEncryptedKey.
sensitive: true
conflicts:
- 'disk_encryption_key.0.rsaEncryptedKeyWo'
- name: 'rsaEncryptedKeyWo'
type: String
description: |
Specifies a 256-bit customer-supplied encryption key, encoded in
RFC 4648 base64 to either encrypt or decrypt this resource.
write_only: true
required_with:
- 'disk_encryption_key.0.rsaEncryptedKeyWoVersion'
conflicts:
- 'disk_encryption_key.0.rsaEncryptedKey'
- name: 'sha256'
type: String
description: |
Expand All @@ -191,6 +237,7 @@ properties:
output: true
- name: 'kmsKeySelfLink'
type: String
immutable: true
description: |
The self link of the encryption key used to encrypt the disk. Also called KmsKeyName
in the cloud console. Your project's Compute Engine System service account
Expand All @@ -201,6 +248,7 @@ properties:
diff_suppress_func: 'tpgresource.CompareSelfLinkRelativePaths'
- name: 'kmsKeyServiceAccount'
type: String
immutable: true
description: |
The service account used for the encryption request for the given KMS key.
If absent, the Compute Engine Service Agent service account is used.
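Review bot: The description of `rsaEncryptedKeyWo` in the `properties` hunk is copied from `rawKey` and describes a 256-bit raw key, while the attribute it stands in for, `rsaEncryptedKey`, is documented a few lines above as an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied key, so the generated docs will state the wrong key format. Suggest `Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. This is a write-only attribute and is never persisted in state.` In the same hunk `rawKeyWoVersion` and `rsaEncryptedKeyWoVersion` are described as `Triggers update of write-only …` but are `immutable: true` inside the now-immutable `disk_encryption_key` block, so bumping the version replaces the disk rather than updating it in place; RegionDisk.yaml's `rawKeyWoVersion` carries the same wording. Only `raw_key_wo` gets an example (`disk_basic_wo`) and an acceptance test; nothing in this commit exercises `rsa_encrypted_key_wo`.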
31 changes: 30 additions & 1 deletion mmv1/products/compute/RegionDisk.yaml
Expand Up @@ -61,6 +61,7 @@ custom_code:
encoder: 'templates/terraform/encoders/disk.tmpl'
decoder: 'templates/terraform/decoders/disk.tmpl'
pre_delete: 'templates/terraform/pre_delete/detach_disk.tmpl'
raw_resource_config_validation: 'templates/terraform/validation/compute_region_disk.go.tmpl'
custom_diff:
- 'customdiff.ForceNewIfChange("size", IsDiskShrinkage)'
- 'hyperDiskIopsUpdateDiffSuppress'
Expand All @@ -72,6 +73,13 @@ examples:
region_disk_name: 'my-region-disk'
disk_name: 'my-disk'
snapshot_name: 'my-snapshot'
- name: 'region_disk_disk_encryption_key_wo'
primary_resource_id: 'regiondisk'
primary_resource_name: 'fmt.Sprintf("tf-test-my-region-disk%s", context["random_suffix"])'
vars:
region_disk_name: 'my-region-disk'
disk_name: 'my-disk'
snapshot_name: 'my-snapshot'
- name: 'region_disk_async'
primary_resource_id: 'primary'
primary_resource_name: 'fmt.Sprintf("tf-test-my-region-disk%s", context["random_suffix"])'
Expand Down Expand Up @@ -124,14 +132,34 @@ properties:
If you do not provide an encryption key when creating the disk, then
the disk will be encrypted using an automatically generated key and
you do not need to provide a key to use the disk later.
immutable: true
properties:
- name: 'rawKey'
type: String
description: |
Specifies a 256-bit customer-supplied encryption key, encoded in
RFC 4648 base64 to either encrypt or decrypt this resource.
sensitive: true
immutable: true
custom_flatten: 'templates/terraform/custom_flatten/compute_key_flatten.go.tmpl'
conflicts:
- 'disk_encryption_key.0.rawKeyWo'
- name: 'rawKeyWo'
type: String
description: |
Specifies a 256-bit customer-supplied encryption key, encoded in
RFC 4648 base64 to either encrypt or decrypt this resource.
write_only: true
required_with:
- 'disk_encryption_key.0.rawKeyWoVersion'
conflicts:
- 'disk_encryption_key.0.rawKey'
- name: 'rawKeyWoVersion'
type: Integer
description: |
Triggers update of write-only rawKey
ignore_read: true
default_value: 0
immutable: true
- name: 'sha256'
type: String
description: |
Expand All @@ -141,6 +169,7 @@ properties:
# TODO(chrisst) Change to ResourceRef once KMS is in Magic Modules
- name: 'kmsKeyName'
type: String
immutable: true
description: |
The name of the encryption key that is stored in Google Cloud KMS.
- name: 'sourceSnapshotEncryptionKey'
@@ -0,0 +1,6 @@
func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if d.Get("disk_encryption_key.0.raw_key").(string) == "" {
return nil
}
return v
}
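Review bot: The `return nil` branch in this new custom flatten has no comment saying why `rawKey` must be dropped from state when `disk_encryption_key.0.raw_key` is empty in the configuration, and nothing ties it to the write-only `raw_key_wo` path introduced in the same commit. Presumably the intent is that a configuration using `raw_key_wo` (or an imported resource) must not end up with a key value, or an empty string, persisted under `disk_encryption_key.0.raw_key`; suggest `// raw_key is absent from config when the write-only raw_key_wo is used (or on import): return nil so no key value is written to state.` The second custom flatten template below, the `rsa_encrypted_key` variant, needs the same comment. The `d.Get(...).(string)` assertion in both is safe for a String schema attribute, since Get returns the zero value when the attribute is unset.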
@@ -0,0 +1,6 @@
func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if d.Get("disk_encryption_key.0.rsa_encrypted_key").(string) == "" {
return nil
}
return v
}
1 change: 0 additions & 1 deletion mmv1/templates/terraform/decoders/disk.tmpl
Expand Up @@ -5,7 +5,6 @@ if v, ok := res["diskEncryptionKey"]; ok {
transformed["rawKey"] = d.Get("disk_encryption_key.0.raw_key")
transformed["rsaEncryptedKey"] = d.Get("disk_encryption_key.0.rsa_encrypted_key")
transformed["sha256"] = original["sha256"]

if kmsKeyName, ok := original["kmsKeyName"]; ok {
// The response for crypto keys often includes the version of the key which needs to be removed
// format: projects/<project>/locations/<region>/keyRings/<keyring>/cryptoKeys/<key>/cryptoKeyVersions/1
13 changes: 13 additions & 0 deletions mmv1/templates/terraform/encoders/disk.tmpl
Expand Up @@ -50,5 +50,18 @@ if v, ok := d.GetOk("image"); ok {
obj["sourceImage"] = imageUrl
log.Printf("[DEBUG] Image name resolved to: %s", imageUrl)
}
{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
if rawKey, diags := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key_wo")); !diags.HasError() && rawKey.IsKnown() && !rawKey.IsNull() {
obj["diskEncryptionKey"] = map[string]interface{}{
"rawKey": rawKey.AsString(),
}
}

if rsaEncryptedKey, diags := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rsa_encrypted_key_wo")); !diags.HasError() && rsaEncryptedKey.IsKnown() && !rsaEncryptedKey.IsNull() {
obj["diskEncryptionKey"] = map[string]interface{}{
"rsaEncryptedKey": rsaEncryptedKey.AsString(),
}
}
{{- end }}

return obj, nil
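Review bot: Each of the two new blocks assigns a fresh map to `obj["diskEncryptionKey"]`, so the `rsa_encrypted_key_wo` block silently discards a `rawKey` set by the block just above it, and both discard anything the generated expander already placed under `diskEncryptionKey` (for instance a `kmsKeyName`, if the schema allows it alongside a write-only key; the full conflicts list is not visible from this hunk). The visible Disk.yaml hunk declares `rawKeyWo` to conflict only with `rawKey` and `rsaEncryptedKeyWo` only with `rsaEncryptedKey`, so a config setting both write-only keys is accepted and only the RSA one reaches the API. Merging into the existing map keeps whatever was expanded, and a `conflicts` entry between the two write-only attributes in Disk.yaml would reject the ambiguous config at plan time rather than letting one key win silently.
```go
{{- if ne $.Compiler "terraformgoogleconversion-codegen" }}
// Reuse the map the generated expander may already have built so that
// write-only keys are merged into diskEncryptionKey instead of replacing it.
dek, _ := obj["diskEncryptionKey"].(map[string]interface{})
if dek == nil {
	dek = map[string]interface{}{}
}
if rawKey, diags := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key_wo")); !diags.HasError() && rawKey.IsKnown() && !rawKey.IsNull() {
	dek["rawKey"] = rawKey.AsString()
}
if rsaEncryptedKey, diags := d.GetRawConfigAt(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rsa_encrypted_key_wo")); !diags.HasError() && rsaEncryptedKey.IsKnown() && !rsaEncryptedKey.IsNull() {
	dek["rsaEncryptedKey"] = rsaEncryptedKey.AsString()
}
// Only set the key when something was expanded or supplied, preserving the
// original behaviour of leaving obj untouched otherwise.
if len(dek) > 0 {
	obj["diskEncryptionKey"] = dek
}
{{- end }}
```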
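--- /dev/null
+++ b/mmv1/templates/terraform/examples/disk_basic_wo.tf.tmpl
@@ -0,0 +1,14 @@
+resource "google_compute_disk" "default" {
+name = "{{index $.Vars "disk_name"}}"
+type = "pd-ssd"
+zone = "us-central1-a"
+image = "debian-11-bullseye-v20220719"
+labels = {
+environment = "dev"
+}
+disk_encryption_key {
+raw_key_wo = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+raw_key_wo_version = 1
+}
+physical_block_size_bytes = 4096
+}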
@@ -0,0 +1,27 @@
resource "google_compute_region_disk" "regiondisk" {
name = "{{index $.Vars "region_disk_name"}}"
snapshot = google_compute_snapshot.snapdisk.id
type = "pd-ssd"
region = "us-central1"
physical_block_size_bytes = 4096
disk_encryption_key {
raw_key_wo = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
raw_key_wo_version = 1
}

replica_zones = ["us-central1-a", "us-central1-f"]
}

resource "google_compute_disk" "disk" {
name = "{{index $.Vars "disk_name"}}"
image = "debian-cloud/debian-11"
size = 50
type = "pd-ssd"
zone = "us-central1-a"
}

resource "google_compute_snapshot" "snapdisk" {
name = "{{index $.Vars "snapshot_name"}}"
source_disk = google_compute_disk.disk.name
zone = "us-central1-a"
}
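--- /dev/null
+++ b/mmv1/templates/terraform/validation/compute_disk.go.tmpl
@@ -0,0 +1,2 @@
+validation.PreferWriteOnlyAttribute(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key"),cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key_wo")),
+validation.PreferWriteOnlyAttribute(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rsa_encrypted_key"),cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rsa_encrypted_key_wo"))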
@@ -0,0 +1 @@
validation.PreferWriteOnlyAttribute(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rawKey"),cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("rawKeyWo"))
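Review bot: This region-disk validation builds its cty paths from the API field names `rawKey` and `rawKeyWo`, but the Terraform schema attributes are `raw_key` and `raw_key_wo` (the zonal template above and the encoder's `GetAttr("raw_key_wo")` both use the snake_case form), so the paths match no attribute and `PreferWriteOnlyAttribute` can never steer users of `google_compute_region_disk` away from the persisted key. The line should read `validation.PreferWriteOnlyAttribute(cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key"), cty.GetAttrPath("disk_encryption_key").IndexInt(0).GetAttr("raw_key_wo"))`. The file path is not shown on this page, but RegionDisk.yaml points `raw_resource_config_validation` at `templates/terraform/validation/compute_region_disk.go.tmpl`, which is presumably this file; only the generated example covers the region-disk write-only path, so nothing in the commit would have surfaced the mismatch.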
Expand Up @@ -849,6 +849,39 @@ func TestAccComputeDisk_multiWriter(t *testing.T) {
}
{{- end }}


func TestAccComputeDisk_update_wo(t *testing.T) {
t.Parallel()

diskName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
diskType := "pd-ssd"

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
Steps: []resource.TestStep{
{
Config: testAccComputeDisk_basic(diskName, diskType),
},
{
ResourceName: "google_compute_disk.foobar",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"disk_encryption_key.0.raw_key_wo_version", "labels", "terraform_labels"},
},
{
Config: testAccComputeDisk_basic_updated_wo(diskName, diskType),
},
{
ResourceName: "google_compute_disk.foobar",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"disk_encryption_key.0.raw_key_wo_version", "labels", "terraform_labels"},
},
},
})
}

func testAccCheckComputeDiskExists(t *testing.T, n, p string, disk *compute.Disk) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
Expand Down Expand Up @@ -977,6 +1010,30 @@ resource "google_compute_disk" "foobar" {
`, diskName, diskType)
}

func testAccComputeDisk_basic_updated_wo(diskName string, diskType string) string {
return fmt.Sprintf(`
data "google_compute_image" "my_image" {
family = "debian-11"
project = "debian-cloud"
}

resource "google_compute_disk" "foobar" {
name = "%s"
image = data.google_compute_image.my_image.self_link
size = 50
type = "%s"
zone = "us-central1-a"
disk_encryption_key {
raw_key_wo = "DWw8Owgk6uhjgXXuATTZ1d9v9OwXXT8/lMYoZsblkM8="
raw_key_wo_version = 1
}
labels = {
my-label = "my-label-value"
}
}
`, diskName, diskType)
}

func testAccComputeDisk_updated(diskName string, diskType string) string {
return fmt.Sprintf(`
data "google_compute_image" "my_image" {
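Review bot: `TestAccComputeDisk_update_wo` never verifies that the write-only key actually reached the API: neither `Config` step has a `Check`, and because `raw_key_wo` is by design absent from state, `ImportStateVerify` passes even if the encoder dropped the key entirely. Disk.yaml exposes the API's `disk_encryption_key.0.sha256` as an output for a customer-supplied key, so the `testAccComputeDisk_basic_updated_wo` step should pin it, e.g. `Check: resource.TestCheckResourceAttrSet("google_compute_disk.foobar", "disk_encryption_key.0.sha256"),`, and a `resource.TestCheckNoResourceAttr("google_compute_disk.foobar", "disk_encryption_key.0.raw_key")` would pin that no key material lands in state. Note also that `disk_encryption_key` is `immutable: true` in Disk.yaml, so the move from `testAccComputeDisk_basic` to the `_wo` config replaces the disk rather than updating it in place; if an in-place transition is the intent, a `ConfigPlanChecks` expectation on that step would make the behaviour explicit. `testAccComputeDisk_basic` is defined outside these hunks.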

0 comments on commit bec087e
