Add data source for keyhandle list (#12708) (#9105)

[upstream:e055e09e6a5644b159da84f94759af5ee5b0d047]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12708.txt

@@ -0,0 +1,3 @@
+```release-note:new-datasource
+`google_kms_key_handles`
+```

google-beta/provider/provider_mmv1_resources.go

@@ -289,6 +289,7 @@ var handwrittenDatasources = map[string]*schema.Resource{
 	"google_kms_key_rings":                                 kms.DataSourceGoogleKmsKeyRings(),
 	"google_kms_key_handle":                                kms.DataSourceGoogleKmsKeyHandle(),
 	"google_kms_autokey_config":                            kms.DataSourceGoogleKmsAutokeyConfig(),
+	"google_kms_key_handles":                               kms.DataSourceGoogleKmsKeyHandles(),
 	"google_kms_secret":                                    kms.DataSourceGoogleKmsSecret(),
 	"google_kms_secret_ciphertext":                         kms.DataSourceGoogleKmsSecretCiphertext(),
 	"google_kms_secret_asymmetric":                         kms.DataSourceGoogleKmsSecretAsymmetric(),

google-beta/services/kms/data_source_google_kms_key_handles.go

@@ -0,0 +1,164 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+package kms
+
+import (
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-provider-google-beta/google-beta/tpgresource"
+	transport_tpg "github.com/hashicorp/terraform-provider-google-beta/google-beta/transport"
+)
+
+func DataSourceGoogleKmsKeyHandles() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceGoogleKmsKeyHandlesRead,
+		Schema: map[string]*schema.Schema{
+			"project": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: `Project ID of the project.`,
+			},
+			"location": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: `The canonical id for the location. For example: "us-east1".`,
+			},
+			"resource_type_selector": {
+				Type:     schema.TypeString,
+				Required: true,
+				Description: `
+					The resource_type_selector argument is used to add a filter query parameter that limits which key handles are retrieved by the data source: ?filter=resource_type_selector="{{resource_type_selector}}".
+					Example values:
+					* resource_type_selector="{SERVICE}.googleapis.com/{TYPE}".
+					[See the documentation about using filters](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyHandles/list)
+				`,
+			},
+			"key_handles": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "A list of all the retrieved key handles",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"kms_key": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"resource_type_selector": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
+		},
+	}
+
+}
+
+func dataSourceGoogleKmsKeyHandlesRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*transport_tpg.Config)
+	project, err := tpgresource.GetProject(d, config)
+	if err != nil {
+		return err
+	}
+	resourceTypeSelector := ""
+	if fl, ok := d.GetOk("resource_type_selector"); ok {
+		resourceTypeSelector = strings.Replace(fl.(string), "\"", "%22", -1)
+	}
+
+	billingProject := project
+	if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
+		billingProject = bp
+	}
+
+	url, err := tpgresource.ReplaceVars(d, config, "{{KMSBasePath}}projects/{{project}}/locations/{{location}}/keyHandles")
+	if err != nil {
+		return err
+	}
+	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	params := make(map[string]string)
+	var keyHandles []interface{}
+	for {
+		newUrl, err := addQueryParams(url, resourceTypeSelector, params)
+		if err != nil {
+			return err
+		}
+		res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+			Config:               config,
+			Method:               "GET",
+			Project:              billingProject,
+			RawURL:               newUrl,
+			UserAgent:            userAgent,
+			ErrorRetryPredicates: []transport_tpg.RetryErrorPredicateFunc{transport_tpg.Is429RetryableQuotaError},
+		})
+		if err != nil {
+			return fmt.Errorf("Error retrieving keyhandles: %s", err)
+		}
+
+		if res["keyHandles"] == nil {
+			break
+		}
+		pageKeyHandles, err := flattenKMSKeyHandlesList(config, res["keyHandles"])
+		if err != nil {
+			return fmt.Errorf("error flattening key handle list: %s", err)
+		}
+		keyHandles = append(keyHandles, pageKeyHandles...)
+
+		pToken, ok := res["nextPageToken"]
+		if ok && pToken != nil && pToken.(string) != "" {
+			params["pageToken"] = pToken.(string)
+		} else {
+			break
+		}
+	}
+	log.Printf("[DEBUG] Found %d key handles", len(keyHandles))
+	if err := d.Set("key_handles", keyHandles); err != nil {
+		return fmt.Errorf("error setting key handles: %s", err)
+	}
+	d.SetId(fmt.Sprintf("projects/%s/locations/%s/keyHandles?filter=resource_type_selector=%s", project, d.Get("location"), resourceTypeSelector))
+	return nil
+}
+
+// transport_tpg.AddQueryParams() encodes the filter=resource_type_selector="value" into
+// filter=resource_type_selector%3D%22value%22
+// The encoding of '=' into %3D is currently causing issue with ListKeyHandle api.
+// To to handle this case currently, as part of this function,
+// we are manually adding filter as a query param to the url
+func addQueryParams(url string, resourceTypeSelector string, params map[string]string) (string, error) {
+	quoteEncoding := "%22"
+	if len(params) == 0 {
+		return fmt.Sprintf("%s?filter=resource_type_selector=%s%s%s", url, quoteEncoding, resourceTypeSelector, quoteEncoding), nil
+	} else {
+		url, err := transport_tpg.AddQueryParams(url, params)
+		if err != nil {
+			return "", nil
+		}
+		return fmt.Sprintf("%s&filter=resource_type_selector=%s%s%s", url, quoteEncoding, resourceTypeSelector, quoteEncoding), nil
+	}
+}
+
+// flattenKMSKeyHandlesList flattens a list of key handles
+func flattenKMSKeyHandlesList(config *transport_tpg.Config, keyHandlesList interface{}) ([]interface{}, error) {
+	var keyHandles []interface{}
+	for _, k := range keyHandlesList.([]interface{}) {
+		keyHandle := k.(map[string]interface{})
+
+		data := map[string]interface{}{}
+		data["name"] = keyHandle["name"]
+		data["kms_key"] = keyHandle["kmsKey"]
+		data["resource_type_selector"] = keyHandle["resourceTypeSelector"]
+
+		keyHandles = append(keyHandles, data)
+	}
+
+	return keyHandles, nil
+}

google-beta/services/kms/data_source_google_kms_key_handles_test.go

@@ -0,0 +1,74 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+package kms_test
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest"
+)
+
+func TestAccDataSourceGoogleKmsKeyHandles_basic(t *testing.T) {
+	kmsAutokey := acctest.BootstrapKMSAutokeyKeyHandle(t)
+	keyParts := strings.Split(kmsAutokey.KeyHandle.Name, "/")
+	project := keyParts[1]
+	location := keyParts[3]
+	diskFilter := fmt.Sprintf("compute.googleapis.com/Disk")
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceGoogleKmsKeyHandles_basic(project, location, diskFilter),
+				Check: resource.ComposeTestCheckFunc(
+					validateKeyHandleName(
+						"data.google_kms_key_handles.mykeyhandles", kmsAutokey.KeyHandle.Name,
+					),
+				),
+			},
+		},
+	})
+}
+func validateKeyHandleName(dataSourceName string, expectedKeyHandleName string) func(*terraform.State) error {
+	return func(s *terraform.State) error {
+		ds, ok := s.RootModule().Resources[dataSourceName]
+		if !ok {
+			return fmt.Errorf("can't find %s in state", dataSourceName)
+		}
+
+		var dsAttr map[string]string
+		dsAttr = ds.Primary.Attributes
+
+		totalKeyHandles, err := strconv.Atoi(dsAttr["key_handles.#"])
+		if err != nil {
+			return errors.New("Couldn't convert length of key_handles list to integer")
+		}
+		if totalKeyHandles != 1 {
+			return errors.New(fmt.Sprintf("want 1 keyhandle, found %d", totalKeyHandles))
+		}
+		actualKeyHandleName := dsAttr["key_handles.0.name"]
+		if actualKeyHandleName != expectedKeyHandleName {
+			return errors.New(fmt.Sprintf("want keyhandle name %s, got: %s", expectedKeyHandleName, actualKeyHandleName))
+		}
+		return nil
+	}
+}
+func testAccDataSourceGoogleKmsKeyHandles_basic(project string, location string, filter string) string {
+	str := fmt.Sprintf(`
+data "google_kms_key_handles" "mykeyhandles" {
+  project = "%s"
+  location = "%s"
+  resource_type_selector = "%s"
+}
+`, project, location, filter)
+	return str
+}

website/docs/d/kms_key_handles.html.markdown

@@ -0,0 +1,59 @@
+---
+subcategory: "Cloud Key Management Service"
+description: |-
+ Provides access to KMS key handle data with Google Cloud KMS.
+---
+
+# google_kms_key_handles
+
+Provides access to Google Cloud Platform KMS KeyHandle. A key handle is a Cloud KMS resource that helps you safely span the separation of duties to create new Cloud KMS keys for CMEK using Autokey.
+
+~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
+See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.
+
+For more information see
+[the official documentation](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles)
+and
+[API](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyHandles/list).
+
+
+## Example Usage
+
+```hcl
+data "google_kms_key_handles" "my_key_handles" {
+  project = "resource-project-id"
+  location = "us-central1"
+  resource_type_selector = "storage.googleapis.com/Bucket" 
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `location` - (Required) The Google Cloud Platform location for the KeyHandle.
+    A full list of valid locations can be found by running `gcloud kms locations list`.
+
+* `resource_type_selector` - (Required) The resource type by which to filter KeyHandle e.g. {SERVICE}.googleapis.com/{TYPE}. See documentation for supported resource types. 
+
+- - -
+
+* `project` - (Optional) The project in which the resource belongs. If it
+    is not provided, the provider project is used.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are
+exported:
+
+* `name` - The name of the KeyHandle. Its format is `projects/{projectId}/locations/{location}/keyHandles/{keyHandleName}`.
+
+* `kms_key` - The identifier of the KMS Key created for the KeyHandle. Its format is `projects/{projectId}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{cryptoKeyName}`.
+
+* `location` - The location of the KMS Key and KeyHandle.
+
+* `project`  - The identifier of the project where KMS KeyHandle is created.
+
+* `resource_type_selector` - Indicates the resource type that the resulting CryptoKey is meant to protect, e.g. {SERVICE}.googleapis.com/{TYPE}. See documentation for supported resource types.
+
+