Adding DataSource for KMS Autokey Keyhandle (#12553) (#8933)

[upstream:0669054c194d06807b6f086a3019755c50f04df2]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12553.txt

@@ -0,0 +1,3 @@
+```release-note:new-datasource
+`google_kms_key_handle`
+```

google-beta/acctest/bootstrap_test_utils.go

@@ -12,6 +12,9 @@ import (
 	"testing"
 	"time"
 	// For beta tests only
+	"github.com/hashicorp/terraform-provider-google-beta/google-beta/services/kms"
+	tpgservicusage "github.com/hashicorp/terraform-provider-google-beta/google-beta/services/serviceusage"
+	resourceManagerV3 "google.golang.org/api/cloudresourcemanager/v3"
 	"net/http"
 
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar"
@@ -35,6 +38,11 @@ import (
 )
 
 var SharedKeyRing = "tftest-shared-keyring-1"
+
+var DefaultKeyHandleName = "eed58b7b-20ad-4da8-ad85-ba78a0d5ab87"
+var DefaultKeyHandleResourceType = "compute.googleapis.com/Disk"
+var CloudKmsSrviceName = "cloudkms.googleapis.com"
+
 var SharedCryptoKey = map[string]string{
 	"ENCRYPT_DECRYPT":    "tftest-shared-key-1",
 	"ASYMMETRIC_SIGN":    "tftest-shared-sign-key-1",
@@ -76,6 +84,237 @@ func BootstrapKMSKeyWithPurposeInLocation(t *testing.T, purpose, locationID stri
 	return BootstrapKMSKeyWithPurposeInLocationAndName(t, purpose, locationID, SharedCryptoKey[purpose])
 }
 
+type BootstrappedKMSAutokey struct {
+	*cloudkms.KeyHandle
+}
+
+func BootstrapKMSAutokeyKeyHandle(t *testing.T) BootstrappedKMSAutokey {
+	return BootstrapKMSAutokeyKeyHandleWithLocation(t, "global")
+}
+
+func BootstrapKMSAutokeyKeyHandleWithLocation(t *testing.T, locationID string) BootstrappedKMSAutokey {
+	config := BootstrapConfig(t)
+	if config == nil {
+		return BootstrappedKMSAutokey{
+			&cloudkms.KeyHandle{},
+		}
+	}
+
+	autokeyFolder, kmsProject, resourceProject := setupAutokeyTestResources(t, config)
+
+	// Enable autokey on autokey test folder
+	kmsClient := config.NewKmsClient(config.UserAgent)
+	autokeyConfigID := fmt.Sprintf("%s/autokeyConfig", autokeyFolder.Name)
+	_, err := kmsClient.Folders.UpdateAutokeyConfig(autokeyConfigID, &cloudkms.AutokeyConfig{
+		KeyProject: fmt.Sprintf("projects/%s", kmsProject.ProjectId),
+	}).UpdateMask("keyProject").Do()
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot enable autokey on autokey test folder: %s", err)
+	}
+
+	keyHandleParent := fmt.Sprintf("projects/%s/locations/%s", resourceProject.ProjectId, locationID)
+	keyHandleName := fmt.Sprintf("%s/keyHandles/%s", keyHandleParent, DefaultKeyHandleName)
+
+	// Get or Create the hard coded keyHandle for testing
+	keyHandle, err := kmsClient.Projects.Locations.KeyHandles.Get(keyHandleName).Do()
+
+	if err != nil {
+		if transport_tpg.IsGoogleApiErrorWithCode(err, 404) {
+			newKeyHandle := cloudkms.KeyHandle{
+				ResourceTypeSelector: DefaultKeyHandleResourceType,
+			}
+
+			keyHandleOp, err := kmsClient.Projects.Locations.KeyHandles.Create(keyHandleParent, &newKeyHandle).KeyHandleId(DefaultKeyHandleName).Do()
+			if err != nil {
+				t.Errorf("unable to bootstrap KMS keyHandle. Cannot create new KeyHandle: %s", err)
+			}
+
+			opAsMap, err := tpgresource.ConvertToMap(keyHandleOp)
+			if err != nil {
+				t.Errorf("unable to bootstrap KMS keyHandle. Cannot get operation map: %s", err)
+			}
+
+			var response map[string]interface{}
+			err = kms.KMSOperationWaitTimeWithResponse(config, opAsMap, &response, resourceProject.ProjectId, "creating keyHandle", config.UserAgent, time.Duration(5)*time.Minute)
+			if err != nil {
+				t.Errorf("unable to bootstrap KMS keyHandle. Cannot wait for create keyhandle operation: %s", err)
+			}
+			keyHandle = &cloudkms.KeyHandle{
+				Name:                 response["name"].(string),
+				KmsKey:               response["kmsKey"].(string),
+				ResourceTypeSelector: response["resourceTypeSelector"].(string),
+			}
+		} else {
+			t.Errorf("unable to bootstrap KMS keyHandle. Cannot call KeyHandle service: %s", err)
+		}
+	}
+
+	if keyHandle == nil {
+		t.Fatalf("unable to bootstrap KMS keyHandle. KeyHandle is nil!")
+	}
+
+	return BootstrappedKMSAutokey{
+		keyHandle,
+	}
+}
+
+func setupAutokeyTestResources(t *testing.T, config *transport_tpg.Config) (*resourceManagerV3.Folder, *cloudresourcemanager.Project, *cloudresourcemanager.Project) {
+	projectIDSuffix := strings.Replace(envvar.GetTestProjectFromEnv(), "ci-test-project-", "", 1)
+	defaultAutokeyTestFolderName := fmt.Sprintf("autokeytest-%s-fd", projectIDSuffix)
+	defaultAutokeyTestKmsProject := fmt.Sprintf("test-kms-%s-prj", projectIDSuffix)
+	defaultAutokeyTestResourceProject := fmt.Sprintf("test-res-%s-prj", projectIDSuffix)
+
+	curUserEmail, err := transport_tpg.GetCurrentUserEmail(config, config.UserAgent)
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot get current usr: %s", err)
+	}
+	// create a folder to configure autokey config and resource folder
+	autokeyFolder := BootstrapFolder(t, defaultAutokeyTestFolderName)
+	parent := &cloudresourcemanager.ResourceId{
+		Type: "folder",
+		Id:   strings.Split(autokeyFolder.Name, "/")[1],
+	}
+	// create and setup kms project for hosting keyring and keys for autokey
+	kmsProject := BootstrapProjectWithParent(t, defaultAutokeyTestKmsProject, envvar.GetTestBillingAccountFromEnv(t), parent, []string{CloudKmsSrviceName})
+	kmsProjectID := fmt.Sprintf("projects/%s", kmsProject.ProjectId)
+	kmsSAEmail, err := GenerateCloudKmsServiceIdentity(config, fmt.Sprintf("%v", kmsProject.ProjectNumber))
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot create cloudkms service identity: %s", err)
+	}
+	err = addFolderBinding2(config.NewResourceManagerV3Client(config.UserAgent), autokeyFolder.Name, fmt.Sprintf("user:%s", curUserEmail), []string{"roles/cloudkms.admin"})
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot assign cloudkms.admin role to current user on autokey test folder: %s", err)
+	}
+	err = addProjectBinding(config.NewResourceManagerV3Client(config.UserAgent), kmsProjectID, fmt.Sprintf("user:%s", curUserEmail), []string{"roles/resourcemanager.projectIamAdmin", "roles/cloudkms.admin"})
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot assign cloudkms.admin and projectIamAdmin role to current user on kms project: %s", err)
+	}
+	err = addProjectBinding(config.NewResourceManagerV3Client(config.UserAgent), kmsProjectID, fmt.Sprintf("serviceAccount:%s", kmsSAEmail), []string{"roles/cloudkms.admin"})
+	if err != nil {
+		t.Errorf("unable to bootstrap KMS keyHandle. Cannot assign cloudkms.admin role to cloudkms service identity on kms project: %s", err)
+	}
+
+	// create and setup resource folder to host keyhandle
+	resourceProject := BootstrapProjectWithParent(t, defaultAutokeyTestResourceProject, envvar.GetTestBillingAccountFromEnv(t), parent, []string{})
+	return autokeyFolder, kmsProject, resourceProject
+}
+
+// GenerateCloudKmsServiceIdentity generates cloud kms service identity within a project
+func GenerateCloudKmsServiceIdentity(config *transport_tpg.Config, projectNum string) (string, error) {
+	url := fmt.Sprintf("https://serviceusage.googleapis.com/v1beta1/projects/%s/services/%s:generateServiceIdentity", projectNum, CloudKmsSrviceName)
+
+	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "POST",
+		Project:   projectNum,
+		RawURL:    url,
+		UserAgent: config.UserAgent,
+		Timeout:   time.Minute * 4,
+	})
+	if err != nil {
+		return "", fmt.Errorf("error creating cloudkms service identity: %s", err)
+	}
+
+	var opRes map[string]interface{}
+	err = tpgservicusage.ServiceUsageOperationWaitTimeWithResponse(
+		config, res, &opRes, projectNum, "Creating cloudkms service identity", config.UserAgent,
+		time.Minute*4)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("service-%[email protected]", projectNum), nil
+}
+
+func addProjectBinding(crmService *resourceManagerV3.Service, projectID string, member string, roles []string) error {
+	return addBinding(crmService, "project", projectID, member, roles)
+}
+
+func addFolderBinding2(crmService *resourceManagerV3.Service, folderID string, member string, roles []string) error {
+	return addBinding(crmService, "folder", folderID, member, roles)
+}
+
+// addBinding adds the member to the project's IAM policy
+func addBinding(crmService *resourceManagerV3.Service, resourceType string, resourceID string, member string, roles []string) error {
+
+	policy, err := getPolicy(crmService, resourceType, resourceID)
+	if err != nil {
+		return err
+	}
+
+	// Find the policy binding for role. Only one binding can have the role.
+	var binding *resourceManagerV3.Binding
+	for _, role := range roles {
+		for _, b := range policy.Bindings {
+			if b.Role == role {
+				binding = b
+				break
+			}
+		}
+
+		if binding != nil {
+			// If the binding exists, adds the member to the binding
+			binding.Members = append(binding.Members, member)
+		} else {
+			// If the binding does not exist, adds a new binding to the policy
+			binding = &resourceManagerV3.Binding{
+				Role:    role,
+				Members: []string{member},
+			}
+			policy.Bindings = append(policy.Bindings, binding)
+		}
+	}
+	setPolicy(crmService, resourceType, resourceID, policy)
+	return nil
+}
+
+// getPolicy gets the IAM policy on input resourceID
+// resourceType can be "project" or "folder"
+func getPolicy(crmService *resourceManagerV3.Service, resourceType string, resourceID string) (*resourceManagerV3.Policy, error) {
+
+	ctx := context.Background()
+
+	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
+	defer cancel()
+	request := new(resourceManagerV3.GetIamPolicyRequest)
+	var policy *resourceManagerV3.Policy
+	var err error
+	if resourceType == "project" {
+		policy, err = crmService.Projects.GetIamPolicy(resourceID, request).Do()
+	} else if resourceType == "folder" {
+		policy, err = crmService.Folders.GetIamPolicy(resourceID, request).Do()
+	} else {
+		return nil, fmt.Errorf("invalid resourceType, supported values: project or folder")
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error getting iam policy: %s", err)
+	}
+	return policy, nil
+}
+
+// setPolicy sets the IAM policy on input resourceID
+// resourceType can be "project" or "folder"
+func setPolicy(crmService *resourceManagerV3.Service, resourceType string, resourceID string, policy *resourceManagerV3.Policy) error {
+
+	ctx := context.Background()
+
+	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
+	defer cancel()
+	request := new(resourceManagerV3.SetIamPolicyRequest)
+	request.Policy = policy
+	var err error
+	if resourceType == "project" {
+		_, err = crmService.Projects.SetIamPolicy(resourceID, request).Do()
+	} else if resourceType == "folder" {
+		_, err = crmService.Folders.SetIamPolicy(resourceID, request).Do()
+	} else {
+		return fmt.Errorf("invalid resourceType, supported values: project or folder")
+	}
+	if err != nil {
+		return fmt.Errorf("error setting iam policy: %s", err)
+	}
+	return nil
+}
+
 func BootstrapKMSKeyWithPurposeInLocationAndName(t *testing.T, purpose, locationID, keyShortName string) BootstrappedKMS {
 	config := BootstrapConfig(t)
 	if config == nil {
@@ -630,37 +869,89 @@ func BootstrapServicePerimeterProjects(t *testing.T, desiredProjects int) []*clo
 	return projects
 }
 
+// BootstrapFolder creates or get a folder having a input folderDisplayName within a TestOrgEnv
+func BootstrapFolder(t *testing.T, folderDisplayName string) *resourceManagerV3.Folder {
+	config := BootstrapConfig(t)
+	if config == nil {
+		return nil
+	}
+
+	crmClient := config.NewResourceManagerV3Client(config.UserAgent)
+	searchQuery := fmt.Sprintf("displayName=%s", folderDisplayName)
+	folderSearchResp, err := crmClient.Folders.Search().Query(searchQuery).Do()
+	if err != nil {
+		t.Fatalf("error searching for folder with displayName: %s", folderDisplayName)
+	}
+	var folder *resourceManagerV3.Folder
+	if len(folderSearchResp.Folders) == 0 {
+		op, err := crmClient.Folders.Create(&resourceManagerV3.Folder{
+			DisplayName: folderDisplayName,
+			Parent:      fmt.Sprintf("organizations/%s", envvar.GetTestOrgFromEnv(t)),
+		}).Do()
+		if err != nil {
+			t.Fatalf("error bootstrapping test folder: %s", err)
+		}
+
+		opAsMap, err := tpgresource.ConvertToMap(op)
+		if err != nil {
+			t.Fatalf("error converting folder operation map: %s", err)
+		}
+		var responseMap map[string]interface{}
+		err = resourcemanager.ResourceManagerOperationWaitTimeWithResponse(config, opAsMap, &responseMap, "creating folder", config.UserAgent, 4*time.Minute)
+		if err != nil {
+			t.Fatalf("error waiting for create folder operation: %s", err)
+		}
+		folder, err = crmClient.Folders.Get(responseMap["name"].(string)).Do()
+		if err != nil {
+			t.Fatalf("error getting folder: %s", err)
+		}
+	} else {
+		folder = folderSearchResp.Folders[0]
+	}
+
+	if folder.State == "DELETE_REQUESTED" {
+		_, err := crmClient.Folders.Undelete(folder.Name, &resourceManagerV3.UndeleteFolderRequest{}).Do()
+		if err != nil {
+			t.Fatalf("error undeleting folder: %s", err)
+		}
+	}
+	return folder
+}
+
 // BootstrapProject will create or get a project named
 // "<projectIDPrefix><projectIDSuffix>" that will persist across test runs,
 // where projectIDSuffix is based off of getTestProjectFromEnv(). The reason
 // for the naming is to isolate bootstrapped projects by test environment.
 // Given the existing projects being used by our team, the prefix provided to
 // this function can be no longer than 18 characters.
 func BootstrapProject(t *testing.T, projectIDPrefix, billingAccount string, services []string) *cloudresourcemanager.Project {
-	config := BootstrapConfig(t)
-	if config == nil {
-		return nil
+	org := envvar.GetTestOrgFromEnv(t)
+	parent := &cloudresourcemanager.ResourceId{
+		Type: "organization",
+		Id:   org,
 	}
-
 	projectIDSuffix := strings.Replace(envvar.GetTestProjectFromEnv(), "ci-test-project-", "", 1)
 	projectID := projectIDPrefix + projectIDSuffix
 
+	return BootstrapProjectWithParent(t, projectID, billingAccount, parent, services)
+}
+
+func BootstrapProjectWithParent(t *testing.T, projectID string, billingAccount string, parent *cloudresourcemanager.ResourceId, services []string) *cloudresourcemanager.Project {
+	config := BootstrapConfig(t)
+	if config == nil {
+		return nil
+	}
 	crmClient := config.NewResourceManagerClient(config.UserAgent)
 
 	project, err := crmClient.Projects.Get(projectID).Do()
 	if err != nil {
 		if !transport_tpg.IsGoogleApiErrorWithCode(err, 403) {
 			t.Fatalf("Error getting bootstrapped project: %s", err)
 		}
-		org := envvar.GetTestOrgFromEnv(t)
-
 		op, err := crmClient.Projects.Create(&cloudresourcemanager.Project{
 			ProjectId: projectID,
 			Name:      "Bootstrapped Test Project",
-			Parent: &cloudresourcemanager.ResourceId{
-				Type: "organization",
-				Id:   org,
-			},
+			Parent:    parent,
 		}).Do()
 		if err != nil {
 			t.Fatalf("Error creating bootstrapped test project: %s", err)

google-beta/provider/provider_mmv1_resources.go

@@ -282,6 +282,7 @@ var handwrittenDatasources = map[string]*schema.Resource{
 	"google_kms_crypto_key_versions":                       kms.DataSourceGoogleKmsCryptoKeyVersions(),
 	"google_kms_key_ring":                                  kms.DataSourceGoogleKmsKeyRing(),
 	"google_kms_key_rings":                                 kms.DataSourceGoogleKmsKeyRings(),
+	"google_kms_key_handle":                                kms.DataSourceGoogleKmsKeyHandle(),
 	"google_kms_secret":                                    kms.DataSourceGoogleKmsSecret(),
 	"google_kms_secret_ciphertext":                         kms.DataSourceGoogleKmsSecretCiphertext(),
 	"google_kms_secret_asymmetric":                         kms.DataSourceGoogleKmsSecretAsymmetric(),