Add source_machine_image_encryption_key to google_compute_instance_from_machine_image resource (#12943) (#9632)

modular-magician · web-flow · commit eda843cdb2e5 · 2025-03-25T07:41:16.000-07:00
[upstream:0d24752a661a63a3a13c5fa8aee5d09d448fcb84]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/12943.txt b/.changelog/12943.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: added `source_machine_image_encryption_key` field to `google_compute_instance_from_machine_image` resource  
+```
diff --git a/google-beta/services/compute/resource_compute_instance_from_machine_image.go b/google-beta/services/compute/resource_compute_instance_from_machine_image.go
@@ -62,6 +62,43 @@ func computeInstanceFromMachineImageSchema() map[string]*schema.Schema {
 		Description: `Name or self link of a machine image to create the instance from on.`,
 	}
 
+	s["source_machine_image_encryption_key"] = &schema.Schema{
+		Type:        schema.TypeList,
+		Optional:    true,
+		MaxItems:    1,
+		Description: `Encryption key for the source machine image.`,
+		ForceNew:    true,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"raw_key": {
+					Type:      schema.TypeString,
+					Optional:  true,
+					Sensitive: true,
+				},
+				"rsa_encrypted_key": {
+					Type:      schema.TypeString,
+					Optional:  true,
+					Sensitive: true,
+					ForceNew:  true,
+				},
+				"kms_key_name": {
+					Type:     schema.TypeString,
+					Optional: true,
+					ForceNew: true,
+				},
+				"kms_key_service_account": {
+					Type:     schema.TypeString,
+					Optional: true,
+					ForceNew: true,
+				},
+				"sha256": {
+					Type:     schema.TypeString,
+					Computed: true,
+				},
+			},
+		},
+	}
+
 	// Modifying the schema to disable disk overrides, due to an API bug (b/170964971)
 	// TODO: (camthornton) Remove this when disk override functionality in the API is restored
 	for _, field := range []string{"boot_disk", "attached_disk", "scratch_disk"} {
@@ -126,6 +163,11 @@ func resourceComputeInstanceFromMachineImageCreate(d *schema.ResourceData, meta
 	src := d.Get("source_machine_image").(string)
 	instance.SourceMachineImage = src
 
+	// Add source machine image encryption key if specified
+	if encryptionKey := expandSourceMachineImageEncryptionKey(d); encryptionKey != nil {
+		instance.SourceMachineImageEncryptionKey = encryptionKey
+	}
+
 	tpl, err := tpgresource.ParseMachineImageFieldValue(src, d, config)
 	if err != nil {
 		return err
@@ -264,3 +306,65 @@ func adjustInstanceFromMachineImageDisks(d *schema.ResourceData, config *transpo
 
 	return disks, nil
 }
+
+func expandSourceMachineImageEncryptionKey(d tpgresource.TerraformResourceData) *compute.CustomerEncryptionKey {
+	if v, ok := d.GetOk("source_machine_image_encryption_key"); !ok || v == nil {
+		return nil
+	}
+
+	encryptionKeyList := d.Get("source_machine_image_encryption_key").([]interface{})
+	if len(encryptionKeyList) == 0 || encryptionKeyList[0] == nil {
+		return nil
+	}
+
+	encryptionKeyMap := encryptionKeyList[0].(map[string]interface{})
+	encryptionKey := &compute.CustomerEncryptionKey{}
+
+	if rawKey, ok := encryptionKeyMap["raw_key"]; ok && rawKey != "" {
+		encryptionKey.RawKey = rawKey.(string)
+	}
+
+	if rsaKey, ok := encryptionKeyMap["rsa_encrypted_key"]; ok && rsaKey != "" {
+		encryptionKey.RsaEncryptedKey = rsaKey.(string)
+	}
+
+	if kmsKey, ok := encryptionKeyMap["kms_key_name"]; ok && kmsKey != "" {
+		encryptionKey.KmsKeyName = kmsKey.(string)
+	}
+
+	if kmsKeyServiceAccount, ok := encryptionKeyMap["kms_key_service_account"]; ok && kmsKeyServiceAccount != "" {
+		encryptionKey.KmsKeyServiceAccount = kmsKeyServiceAccount.(string)
+	}
+
+	return encryptionKey
+}
+
+func flattenSourceMachineImageEncryptionKey(key *compute.CustomerEncryptionKey) []map[string]interface{} {
+	if key == nil {
+		return nil
+	}
+
+	m := map[string]interface{}{}
+
+	if key.RawKey != "" {
+		m["raw_key"] = key.RawKey
+	}
+
+	if key.RsaEncryptedKey != "" {
+		m["rsa_encrypted_key"] = key.RsaEncryptedKey
+	}
+
+	if key.KmsKeyName != "" {
+		m["kms_key_name"] = key.KmsKeyName
+	}
+
+	if key.KmsKeyServiceAccount != "" {
+		m["kms_key_service_account"] = key.KmsKeyServiceAccount
+	}
+
+	if key.Sha256 != "" {
+		m["sha256"] = key.Sha256
+	}
+
+	return []map[string]interface{}{m}
+}
diff --git a/google-beta/services/compute/resource_compute_instance_from_machine_image_test.go b/google-beta/services/compute/resource_compute_instance_from_machine_image_test.go
@@ -305,6 +305,36 @@ func TestAccComputeInstanceFromMachineImage_confidentialInstanceConfigMain(t *te
 	})
 }
 
+func TestAccComputeInstanceFromMachineImage_withSourceMachineImageEncryptionKey(t *testing.T) {
+	t.Parallel()
+
+	var instance compute.Instance
+	var instanceName = fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+	var resourceName = "google_compute_instance_from_machine_image.foobar"
+	var machineImageName = fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+	bootDiskID := "tf-instance-from-mi-test-disk"
+	serviceAccountEmail := fmt.Sprintf("%s@%s.iam.gserviceaccount.com", "tf-test-sa", envvar.GetTestProjectFromEnv())
+	keyRingSuffix := acctest.RandString(t, 10)
+	keyNameSuffix := acctest.RandString(t, 10)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeInstanceFromMachineImage_withSourceMachineImageEncryptionKey(instanceName, machineImageName, bootDiskID, serviceAccountEmail, keyRingSuffix, keyNameSuffix),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeInstanceExists(t, resourceName, &instance),
+					resource.TestCheckResourceAttr(resourceName,
+						"source_machine_image_encryption_key.0.kms_key_name",
+						fmt.Sprintf("projects/%s/locations/global/keyRings/tf-test-keyring-%s/cryptoKeys/tf-test-key-%s", envvar.GetTestProjectFromEnv(), keyRingSuffix, keyNameSuffix)),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckComputeInstanceFromMachineImageDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		config := acctest.GoogleProviderConfig(t)
@@ -1104,3 +1134,88 @@ resource "google_compute_instance_from_machine_image" "foobar" {
 }
 `, projectID, projectID, org, billingId, instance, instance, newInstance)
 }
+
+func testAccComputeInstanceFromMachineImage_withSourceMachineImageEncryptionKey(instanceName, machineImageName, bootDiskID, serviceAccountEmail, keyRingSuffix, keyNameSuffix string) string {
+	return fmt.Sprintf(`
+data "google_compute_image" "my_image" {
+  family  = "debian-11"
+  project = "debian-cloud"
+}
+
+resource "google_service_account" "test_service_account" {
+  account_id   = "tf-test-sa"
+  display_name = "Test Service Account"
+}
+
+resource "google_kms_key_ring" "keyring" {
+  name     = "tf-test-keyring-%s"
+  location = "global"
+}
+
+resource "google_kms_crypto_key" "key" {
+  name            = "tf-test-key-%s"
+  key_ring        = google_kms_key_ring.keyring.id
+
+  lifecycle {
+    prevent_destroy = false
+  }
+}
+
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
+  crypto_key_id = google_kms_crypto_key.key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = "serviceAccount:${google_service_account.test_service_account.email}"
+}
+
+resource "google_compute_machine_image" "foobar" {
+  name                   = "%s"
+  source_instance        = google_compute_instance.mi-source.id
+  machine_image_encryption_key {
+    kms_key_name = google_kms_crypto_key.key.id
+    kms_key_service_account = google_service_account.test_service_account.email
+  }
+}
+
+resource "google_compute_instance" "mi-source" {
+  name           = "%s-source"
+  machine_type   = "e2-medium"
+  zone           = "us-central1-a"
+
+  boot_disk {
+    initialize_params {
+      image = data.google_compute_image.my_image.self_link
+    }
+  }
+
+  network_interface {
+    network = "default"
+  }
+
+  service_account {
+    email  = google_service_account.test_service_account.email
+    scopes = ["cloud-platform"]
+  }
+
+  scheduling {
+    automatic_restart = true
+  }
+}
+
+resource "google_compute_instance_from_machine_image" "foobar" {
+  name = "%s"
+  zone = "us-central1-a"
+  
+  source_machine_image = google_compute_machine_image.foobar.self_link
+  
+  source_machine_image_encryption_key {
+    kms_key_name = google_kms_crypto_key.key.id
+    kms_key_service_account = google_service_account.test_service_account.email
+  }
+  
+  service_account {
+    email  = google_service_account.test_service_account.email
+    scopes = ["cloud-platform"]
+  }
+}
+`, keyRingSuffix, keyNameSuffix, machineImageName, instanceName, instanceName)
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+compute: added `source_machine_image_encryption_key` field to `google_compute_instance_from_machine_image` resource
	`3`	+```