Promote Cloud SQL CMEK feature to ga (#6195) (#12039)

Co-authored-by: Krishnamoorthy Rajarathinam <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: Krishnamoorthy Rajarathinam <[email protected]>

Author: modular-magician

.changelog/6195.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+sql: promoted attribute "encryption_key_name" to GA in `google_sql_database_instance` resource.
+```

google/resource_sql_database_instance.go

@@ -479,6 +479,13 @@ is set to true.`,
 				Description: `The MySQL, PostgreSQL or SQL Server (beta) version to use. Supported values include MYSQL_5_6, MYSQL_5_7, MYSQL_8_0, POSTGRES_9_6, POSTGRES_10, POSTGRES_11, POSTGRES_12, POSTGRES_13, POSTGRES_14, SQLSERVER_2017_STANDARD, SQLSERVER_2017_ENTERPRISE, SQLSERVER_2017_EXPRESS, SQLSERVER_2017_WEB. Database Version Policies includes an up-to-date reference of supported versions.`,
 			},
 
+			"encryption_key_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ForceNew: true,
+			},
+
 			"root_password": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -834,6 +841,12 @@ func resourceSqlDatabaseInstanceCreate(d *schema.ResourceData, meta interface{})
 		defer mutexKV.Unlock(instanceMutexKey(project, instance.MasterInstanceName))
 	}
 
+	if k, ok := d.GetOk("encryption_key_name"); ok {
+		instance.DiskEncryptionConfiguration = &sqladmin.DiskEncryptionConfiguration{
+			KmsKeyName: k.(string),
+		}
+	}
+
 	var patchData *sqladmin.DatabaseInstance
 
 	// BinaryLogging can be enabled on replica instances but only after creation.
@@ -1218,6 +1231,12 @@ func resourceSqlDatabaseInstanceRead(d *schema.ResourceData, meta interface{}) e
 		log.Printf("[WARN] Failed to set SQL Database Instance Settings")
 	}
 
+	if instance.DiskEncryptionConfiguration != nil {
+		if err := d.Set("encryption_key_name", instance.DiskEncryptionConfiguration.KmsKeyName); err != nil {
+			return fmt.Errorf("Error setting encryption_key_name: %s", err)
+		}
+	}
+
 	if err := d.Set("replica_configuration", flattenReplicaConfiguration(instance.ReplicaConfiguration, d)); err != nil {
 		log.Printf("[WARN] Failed to set SQL Database Instance Replica Configuration")
 	}

google/resource_sql_database_instance_test.go

@@ -1051,6 +1051,74 @@ func TestAccSqlDatabaseInstance_insights(t *testing.T) {
 	})
 }
 
+func TestAccSqlDatabaseInstance_encryptionKey(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_id":    getTestProjectFromEnv(),
+		"key_name":      "tf-test-key-" + randString(t, 10),
+		"instance_name": "tf-test-sql-" + randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccSqlDatabaseInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: Nprintf(
+					testGoogleSqlDatabaseInstance_encryptionKey, context),
+			},
+			{
+				ResourceName:            "google_sql_database_instance.replica",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+			{
+				ResourceName:            "google_sql_database_instance.master",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+		},
+	})
+}
+
+func TestAccSqlDatabaseInstance_encryptionKey_replicaInDifferentRegion(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_id":    getTestProjectFromEnv(),
+		"key_name":      "tf-test-key-" + randString(t, 10),
+		"instance_name": "tf-test-sql-" + randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccSqlDatabaseInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: Nprintf(
+					testGoogleSqlDatabaseInstance_encryptionKey_replicaInDifferentRegion, context),
+			},
+			{
+				ResourceName:            "google_sql_database_instance.replica",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+			{
+				ResourceName:            "google_sql_database_instance.master",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+		},
+	})
+}
+
 func TestAccSqlDatabaseInstance_ActiveDirectory(t *testing.T) {
 	t.Parallel()
 	databaseName := "tf-test-" + randString(t, 10)
@@ -1875,6 +1943,142 @@ resource "google_sql_database_instance" "instance" {
   }
 }
 `
+var testGoogleSqlDatabaseInstance_encryptionKey = `
+data "google_project" "project" {
+  project_id = "%{project_id}"
+}
+resource "google_kms_key_ring" "keyring" {
+  name     = "%{key_name}"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key" "key" {
+  name     = "%{key_name}"
+  key_ring = google_kms_key_ring.keyring.id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+  crypto_key_id = google_kms_crypto_key.key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  members = [
+  "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com",
+  ]
+}
+
+resource "google_sql_database_instance" "master" {
+  name                = "%{instance_name}-master"
+  database_version    = "MYSQL_5_7"
+  region              = "us-central1"
+  deletion_protection = false
+  encryption_key_name = google_kms_crypto_key.key.id
+
+  settings {
+    tier = "db-n1-standard-1"
+
+    backup_configuration {
+      enabled            = true
+      start_time         = "00:00"
+      binary_log_enabled = true
+    }
+  }
+}
+
+resource "google_sql_database_instance" "replica" {
+  name                 = "%{instance_name}-replica"
+  database_version     = "MYSQL_5_7"
+  region               = "us-central1"
+  master_instance_name = google_sql_database_instance.master.name
+  deletion_protection  = false
+
+  settings {
+    tier = "db-n1-standard-1"
+  }
+
+  depends_on = [google_sql_database_instance.master]
+}
+`
+
+var testGoogleSqlDatabaseInstance_encryptionKey_replicaInDifferentRegion = `
+
+data "google_project" "project" {
+  project_id = "%{project_id}"
+}
+
+resource "google_kms_key_ring" "keyring" {
+  name     = "%{key_name}"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key" "key" {
+
+  name     = "%{key_name}"
+  key_ring = google_kms_key_ring.keyring.id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+  crypto_key_id = google_kms_crypto_key.key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com",
+  ]
+}
+
+resource "google_sql_database_instance" "master" {
+  name                = "%{instance_name}-master"
+  database_version    = "MYSQL_5_7"
+  region              = "us-central1"
+  deletion_protection = false
+  encryption_key_name = google_kms_crypto_key.key.id
+
+  settings {
+    tier = "db-n1-standard-1"
+
+    backup_configuration {
+      enabled            = true
+      start_time         = "00:00"
+      binary_log_enabled = true
+    }
+  }
+}
+
+resource "google_kms_key_ring" "keyring-rep" {
+
+  name     = "%{key_name}-rep"
+  location = "us-east1"
+}
+
+resource "google_kms_crypto_key" "key-rep" {
+
+  name     = "%{key_name}-rep"
+  key_ring = google_kms_key_ring.keyring-rep.id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key_rep" {
+  crypto_key_id = google_kms_crypto_key.key-rep.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com",
+  ]
+}
+
+resource "google_sql_database_instance" "replica" {
+  name                 = "%{instance_name}-replica"
+  database_version     = "MYSQL_5_7"
+  region               = "us-east1"
+  master_instance_name = google_sql_database_instance.master.name
+  encryption_key_name = google_kms_crypto_key.key-rep.id
+  deletion_protection  = false
+
+  settings {
+    tier = "db-n1-standard-1"
+  }
+
+  depends_on = [google_sql_database_instance.master]
+}
+`
 
 func testGoogleSqlDatabaseInstance_PointInTimeRecoveryEnabled(masterID int, pointInTimeRecoveryEnabled bool) string {
 	return fmt.Sprintf(`

website/docs/r/sql_database_instance.html.markdown

@@ -198,7 +198,7 @@ includes an up-to-date reference of supported versions.
 
 * `root_password` - (Optional) Initial root password. Required for MS SQL Server, ignored by MySQL and PostgreSQL.
 
-* `encryption_key_name` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+* `encryption_key_name` - (Optional)
     The full path to the encryption key used for the CMEK disk encryption.  Setting
     up disk encryption currently requires manual steps outside of Terraform.
     The provided key must be in the same region as the SQL instance.  In order