Update tests to use bootstrapped KMS keys (#12609)

Author: shuyama1

mmv1/products/bigquery/Job.yaml

@@ -107,10 +107,11 @@ examples:
     vars:
       job_id: 'job_copy'
       account_name: 'bqowner'
-      key_name: 'example-key'
-      keyring_name: 'example-keyring'
+      kms_key_name: 'example-key'
     test_env_vars:
       project: 'PROJECT_NAME'
+    test_vars_overrides:
+      'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "global", "tf-bootstrap-bigquery-job-key1").CryptoKey.Name'
     ignore_read_extra:
       - 'etag'
       - 'status.0.state'
@@ -119,10 +120,11 @@ examples:
     vars:
       job_id: 'job_copy'
       account_name: 'bqowner'
-      key_name: 'example-key'
-      keyring_name: 'example-keyring'
+      kms_key_name: 'example-key'
     test_env_vars:
       project: 'PROJECT_NAME'
+    test_vars_overrides:
+      'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "global", "tf-bootstrap-bigquery-job-key2").CryptoKey.Name'
     ignore_read_extra:
       - 'etag'
       - 'copy.0.destination_table.0.table_id'

mmv1/products/dataproc/Batch.yaml

@@ -65,13 +65,13 @@ examples:
     vars:
       dataproc_batch: 'dataproc-batch'
       prevent_destroy: 'true'
-      key_name: 'example-key'
-      keyring_name: 'example-keyring'
+      kms_key_name: 'example-key'
       bucket_name: 'dataproc-bucket'
     test_env_vars:
       project_name: 'PROJECT_NAME'
     test_vars_overrides:
       'prevent_destroy': 'false'
+      'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-dataproc-batch-key1").CryptoKey.Name'
     ignore_read_extra:
       - 'runtime_config.0.properties'
   - name: 'dataproc_batch_sparksql'

mmv1/products/metastore/Service.yaml

@@ -71,8 +71,7 @@ examples:
     primary_resource_id: 'default'
     vars:
       metastore_service_name: 'example-service'
-      key_name: 'example-key'
-      keyring_name: 'example-keyring'
+      'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-metastore-service-key1").CryptoKey.Name'
     exclude_docs: true
     skip_vcr: true
   - name: 'dataproc_metastore_service_cmek_example'

mmv1/products/netapp/kmsconfig.yaml

@@ -60,8 +60,9 @@ examples:
     primary_resource_id: 'kmsConfig'
     vars:
       kms_name: 'kms-test'
-      key_ring_value: 'key-ring'
-      crypto_name: 'crypto-name'
+      kms_key_name: 'crypto-name'
+    test_vars_overrides:
+      'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-netapp-kmsconfig-key1").CryptoKey.Name'
 parameters:
   - name: 'location'
     type: String

mmv1/products/securesourcemanager/Instance.yaml

@@ -68,11 +68,11 @@ examples:
     primary_resource_name: 'fmt.Sprintf("tf-test-my-instance%s", context["random_suffix"])'
     vars:
       instance_id: 'my-instance'
-      keyring_name: 'my-keyring'
-      key_name: 'my-key'
+      kms_key_name: 'my-key'
       prevent_destroy: 'true'
     test_vars_overrides:
       'prevent_destroy': 'false'
+      'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-secure-source-manager-key1").CryptoKey.Name'
     oics_vars_overrides:
       'prevent_destroy': 'false'
   - name: 'secure_source_manager_instance_private'

mmv1/templates/terraform/examples/bigquery_job_copy.tf.tmpl

@@ -66,7 +66,7 @@ resource "google_bigquery_table" "dest" {
 EOF
 
   encryption_configuration {
-    kms_key_name = google_kms_crypto_key.crypto_key.id
+    kms_key_name = "{{index $.Vars "kms_key_name"}}"
   }
 
   depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
@@ -79,22 +79,12 @@ resource "google_bigquery_dataset" "dest" {
   location      = "US"
 }
 
-resource "google_kms_crypto_key" "crypto_key" {
-  name     = "{{index $.Vars "key_name"}}"
-  key_ring = google_kms_key_ring.key_ring.id
-}
-
-resource "google_kms_key_ring" "key_ring" {
-  name     = "{{index $.Vars "keyring_name"}}"
-  location = "global"
-}
-
 data "google_project" "project" {
   project_id = "{{index $.TestEnvVars "project"}}"
 }
 
 resource "google_kms_crypto_key_iam_member" "encrypt_role" {
-  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 }
@@ -122,7 +112,7 @@ resource "google_bigquery_job" "{{$.PrimaryResourceId}}" {
     }
 
     destination_encryption_configuration {
-      kms_key_name = google_kms_crypto_key.crypto_key.id
+      kms_key_name = "{{index $.Vars "kms_key_name"}}"
     }
   }
 

mmv1/templates/terraform/examples/bigquery_job_copy_table_reference.tf.tmpl

@@ -67,7 +67,7 @@ resource "google_bigquery_table" "dest" {
 EOF
 
   encryption_configuration {
-    kms_key_name = google_kms_crypto_key.crypto_key.id
+    kms_key_name = "{{index $.Vars "kms_key_name"}}"
   }
 
   depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
@@ -80,22 +80,12 @@ resource "google_bigquery_dataset" "dest" {
   location      = "US"
 }
 
-resource "google_kms_crypto_key" "crypto_key" {
-  name     = "{{index $.Vars "key_name"}}"
-  key_ring = google_kms_key_ring.key_ring.id
-}
-
-resource "google_kms_key_ring" "key_ring" {
-  name     = "{{index $.Vars "keyring_name"}}"
-  location = "global"
-}
-
 data "google_project" "project" {
   project_id = "{{index $.TestEnvVars "project"}}"
 }
 
 resource "google_kms_crypto_key_iam_member" "encrypt_role" {
-  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 }
@@ -117,7 +107,7 @@ resource "google_bigquery_job" "{{$.PrimaryResourceId}}" {
     }
 
     destination_encryption_configuration {
-      kms_key_name = google_kms_crypto_key.crypto_key.id
+      kms_key_name = "{{index $.Vars "kms_key_name"}}"
     }
   }
 

mmv1/templates/terraform/examples/dataproc_batch_spark_full.tf.tmpl

@@ -18,7 +18,7 @@ resource "google_dataproc_batch" "{{$.PrimaryResourceId}}" {
       execution_config {
         ttl = "3600s"
         network_tags = ["tag1"]
-        kms_key = google_kms_crypto_key.crypto_key.id
+        kms_key = "{{index $.Vars "kms_key_name"}}"
         network_uri = "default"
         service_account = "${data.google_project.project.number}[email protected]"
         staging_bucket = google_storage_bucket.bucket.name
@@ -49,19 +49,8 @@ resource "google_storage_bucket" "bucket" {
   force_destroy               = true
 }
 
-resource "google_kms_crypto_key" "crypto_key" {
-  name     = "{{index $.Vars "key_name"}}"
-  key_ring = google_kms_key_ring.key_ring.id
-  purpose  = "ENCRYPT_DECRYPT"
-}
-
-resource "google_kms_key_ring" "key_ring" {
-  name     = "{{index $.Vars "keyring_name"}}"
-  location = "us-central1"
-}
-
 resource "google_kms_crypto_key_iam_member" "crypto_key_member_1" {
-  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member        = "serviceAccount:service-${data.google_project.project.number}@dataproc-accounts.iam.gserviceaccount.com"
 }

mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_test.tf.tmpl

@@ -8,7 +8,7 @@ resource "google_dataproc_metastore_service" "{{$.PrimaryResourceId}}" {
   location   = "us-central1"
 
   encryption_config {
-    kms_key = google_kms_crypto_key.crypto_key.id
+    kms_key = "{{index $.Vars "kms_key_name"}}"
   }
 
   hive_metastore_config {
@@ -21,27 +21,15 @@ resource "google_dataproc_metastore_service" "{{$.PrimaryResourceId}}" {
   ]
 }
 
-resource "google_kms_crypto_key" "crypto_key" {
-  name     = "{{index $.Vars "key_name"}}"
-  key_ring = google_kms_key_ring.key_ring.id
-
-  purpose  = "ENCRYPT_DECRYPT"
-}
-
-resource "google_kms_key_ring" "key_ring" {
-  name     = "{{index $.Vars "keyring_name"}}"
-  location = "us-central1"
-}
-
 resource "google_kms_crypto_key_iam_member" "crypto_key_member_1" {
-  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
   member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-metastore.iam.gserviceaccount.com"
 }
 
 resource "google_kms_crypto_key_iam_member" "crypto_key_member_2" {
-  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
   member = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"

mmv1/templates/terraform/examples/kmsConfig_create.tf.tmpl

@@ -1,17 +1,6 @@
-resource "google_kms_key_ring" "keyring" {
-  name     = "{{index $.Vars "key_ring_value"}}"
-  location = "us-central1"
-}
-
-resource "google_kms_crypto_key" "crypto_key" {
-  name            = "{{index $.Vars "crypto_name"}}"
-  key_ring        = google_kms_key_ring.keyring.id
-  # rotation_period = "7776000s"
-}
-
 resource "google_netapp_kmsconfig" "{{$.PrimaryResourceId}}" {
   name = "{{index $.Vars "kms_name"}}"
   description="this is a test description"
-  crypto_key_name=google_kms_crypto_key.crypto_key.id
+  crypto_key_name="{{index $.Vars "kms_key_name"}}"
   location="us-central1"
 }

mmv1/templates/terraform/examples/secure_source_manager_instance_cmek.tf.tmpl

@@ -1,15 +1,5 @@
-resource "google_kms_key_ring" "key_ring" {
-  name     = "{{index $.Vars "keyring_name"}}"
-  location = "us-central1"
-}
-
-resource "google_kms_crypto_key" "crypto_key" {
-  name     = "{{index $.Vars "key_name"}}"
-  key_ring = google_kms_key_ring.key_ring.id
-}
-
 resource "google_kms_crypto_key_iam_member" "crypto_key_binding" {
-  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
   member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
@@ -18,7 +8,7 @@ resource "google_kms_crypto_key_iam_member" "crypto_key_binding" {
 resource "google_secure_source_manager_instance" "{{$.PrimaryResourceId}}" {
     location = "us-central1"
     instance_id = "{{index $.Vars "instance_id"}}"
-    kms_key = google_kms_crypto_key.crypto_key.id
+    kms_key = "{{index $.Vars "kms_key_name"}}"
 
     depends_on = [
       google_kms_crypto_key_iam_member.crypto_key_binding

mmv1/third_party/terraform/services/alloydb/resource_alloydb_backup_test.go

@@ -171,7 +171,7 @@ func TestAccAlloydbBackup_usingCMEK(t *testing.T) {
 	context := map[string]interface{}{
 		"network_name":  acctest.BootstrapSharedServiceNetworkingConnection(t, "alloydb-backup-cmek-1"),
 		"random_suffix": acctest.RandString(t, 10),
-		"key_name":      "tf-test-key-" + acctest.RandString(t, 10),
+		"kms_key_name":  acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-alloydb-backup-key1").CryptoKey.Name,
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -204,7 +204,7 @@ resource "google_alloydb_backup" "default" {
 		"label2" = "updated_key2"
 	}
 	encryption_config {
-		kms_key_name = google_kms_crypto_key.key.id
+		kms_key_name = "%{kms_key_name}"
 	}
 	depends_on = [
 		google_alloydb_instance.default,
@@ -231,18 +231,8 @@ data "google_compute_network" "default" {
 }
 data "google_project" "project" {}
 
-resource "google_kms_key_ring" "keyring" {
-  name     = "%{key_name}"
-  location = "us-central1"
-}
-
-resource "google_kms_crypto_key" "key" {
-  name     = "%{key_name}"
-  key_ring = google_kms_key_ring.keyring.id
-}
-
 resource "google_kms_crypto_key_iam_member" "crypto_key" {
-  crypto_key_id = google_kms_crypto_key.key.id
+  crypto_key_id = "%{kms_key_name}"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
 }