Added support for CMEK in alloydb backup resource (#7829) (#14421)

* Added validation for "type" in cloud_sql_user_resource for preventing user from setting "password" or "host" for CLOUD_IAM_USER and CLOUD_IAM_SERVICE_ACCOUNT user types.

* Removed validation and added documentation to prevent setting of host or password field for CLOUD_IAM_USER and CLOUD_IAM_SERVICE_ACCOUNT

* Added support for CMEK in alloydb backup resource

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/7829.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+alloydb: added support for CMEK in `google_alloydb_backup` resource
+```

google/resource_alloydb_backup.go

@@ -68,6 +68,22 @@ func ResourceAlloydbBackup() *schema.Resource {
 				ForceNew:    true,
 				Description: `User-provided description of the backup.`,
 			},
+			"encryption_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key).`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"kms_key_name": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							ForceNew:    true,
+							Description: `The fully-qualified resource name of the KMS key. Each Cloud KMS key is regionalized and has the following format: projects/[PROJECT]/locations/[REGION]/keyRings/[RING]/cryptoKeys/[KEY_NAME].`,
+						},
+					},
+				},
+			},
 			"labels": {
 				Type:        schema.TypeMap,
 				Optional:    true,
@@ -79,6 +95,28 @@ func ResourceAlloydbBackup() *schema.Resource {
 				Computed:    true,
 				Description: `Time the Backup was created in UTC.`,
 			},
+			"encryption_info": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: `EncryptionInfo describes the encryption information of a cluster or a backup.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"encryption_type": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: `Output only. Type of encryption.`,
+						},
+						"kms_key_versions": {
+							Type:        schema.TypeList,
+							Computed:    true,
+							Description: `Output only. Cloud KMS key versions that are being used to protect the database or the backup.`,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+					},
+				},
+			},
 			"etag": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -146,6 +184,12 @@ func resourceAlloydbBackupCreate(d *schema.ResourceData, meta interface{}) error
 	} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
 		obj["description"] = descriptionProp
 	}
+	encryptionConfigProp, err := expandAlloydbBackupEncryptionConfig(d.Get("encryption_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("encryption_config"); !isEmptyValue(reflect.ValueOf(encryptionConfigProp)) && (ok || !reflect.DeepEqual(v, encryptionConfigProp)) {
+		obj["encryptionConfig"] = encryptionConfigProp
+	}
 
 	obj, err = resourceAlloydbBackupEncoder(d, meta, obj)
 	if err != nil {
@@ -262,6 +306,12 @@ func resourceAlloydbBackupRead(d *schema.ResourceData, meta interface{}) error {
 	if err := d.Set("etag", flattenAlloydbBackupEtag(res["etag"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Backup: %s", err)
 	}
+	if err := d.Set("encryption_config", flattenAlloydbBackupEncryptionConfig(res["encryptionConfig"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Backup: %s", err)
+	}
+	if err := d.Set("encryption_info", flattenAlloydbBackupEncryptionInfo(res["encryptionInfo"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Backup: %s", err)
+	}
 
 	return nil
 }
@@ -288,6 +338,12 @@ func resourceAlloydbBackupUpdate(d *schema.ResourceData, meta interface{}) error
 	} else if v, ok := d.GetOkExists("labels"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, labelsProp)) {
 		obj["labels"] = labelsProp
 	}
+	encryptionConfigProp, err := expandAlloydbBackupEncryptionConfig(d.Get("encryption_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("encryption_config"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, encryptionConfigProp)) {
+		obj["encryptionConfig"] = encryptionConfigProp
+	}
 
 	obj, err = resourceAlloydbBackupEncoder(d, meta, obj)
 	if err != nil {
@@ -305,6 +361,10 @@ func resourceAlloydbBackupUpdate(d *schema.ResourceData, meta interface{}) error
 	if d.HasChange("labels") {
 		updateMask = append(updateMask, "labels")
 	}
+
+	if d.HasChange("encryption_config") {
+		updateMask = append(updateMask, "encryptionConfig")
+	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
 	url, err = AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -441,6 +501,46 @@ func flattenAlloydbBackupEtag(v interface{}, d *schema.ResourceData, config *tra
 	return v
 }
 
+func flattenAlloydbBackupEncryptionConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["kms_key_name"] =
+		flattenAlloydbBackupEncryptionConfigKmsKeyName(original["kmsKeyName"], d, config)
+	return []interface{}{transformed}
+}
+func flattenAlloydbBackupEncryptionConfigKmsKeyName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenAlloydbBackupEncryptionInfo(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["encryption_type"] =
+		flattenAlloydbBackupEncryptionInfoEncryptionType(original["encryptionType"], d, config)
+	transformed["kms_key_versions"] =
+		flattenAlloydbBackupEncryptionInfoKmsKeyVersions(original["kmsKeyVersions"], d, config)
+	return []interface{}{transformed}
+}
+func flattenAlloydbBackupEncryptionInfoEncryptionType(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenAlloydbBackupEncryptionInfoKmsKeyVersions(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandAlloydbBackupClusterName(v interface{}, d TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -460,6 +560,29 @@ func expandAlloydbBackupDescription(v interface{}, d TerraformResourceData, conf
 	return v, nil
 }
 
+func expandAlloydbBackupEncryptionConfig(v interface{}, d TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedKmsKeyName, err := expandAlloydbBackupEncryptionConfigKmsKeyName(original["kms_key_name"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedKmsKeyName); val.IsValid() && !isEmptyValue(val) {
+		transformed["kmsKeyName"] = transformedKmsKeyName
+	}
+
+	return transformed, nil
+}
+
+func expandAlloydbBackupEncryptionConfigKmsKeyName(v interface{}, d TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func resourceAlloydbBackupEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
 	// The only other available type is AUTOMATED which cannot be set manually
 	obj["type"] = "ON_DEMAND"

google/resource_alloydb_backup_test.go

@@ -232,3 +232,100 @@ resource "google_service_networking_connection" "vpc_connection" {
 }
 `, context)
 }
+
+func TestAccAlloydbBackup_usingCMEK(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"network_name":  BootstrapSharedTestNetwork(t, "alloydb-update"),
+		"random_suffix": RandString(t, 10),
+		"key_name":      "tf-test-key-" + RandString(t, 10),
+	}
+
+	VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckAlloydbBackupDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAlloydbBackup_usingCMEK(context),
+			},
+			{
+				ResourceName:            "google_alloydb_backup.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"backup_id", "location", "reconciling", "update_time"},
+			},
+		},
+	})
+}
+
+func testAccAlloydbBackup_usingCMEK(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_alloydb_backup" "default" {
+	location     = "us-central1"
+	backup_id    = "tf-test-alloydb-backup%{random_suffix}"
+	cluster_name = google_alloydb_cluster.default.name
+	description = "example description"
+	labels = {
+		"label" = "updated_key"
+		"label2" = "updated_key2"
+	}
+	encryption_config {
+		kms_key_name = google_kms_crypto_key.key.id
+	}
+	depends_on = [google_alloydb_instance.default]
+}
+	  
+resource "google_alloydb_cluster" "default" {
+	cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
+	location   = "us-central1"
+	network    = data.google_compute_network.default.id
+}
+	  
+resource "google_alloydb_instance" "default" {
+	cluster       = google_alloydb_cluster.default.name
+	instance_id   = "tf-test-alloydb-instance%{random_suffix}"
+	instance_type = "PRIMARY"
+	  
+	depends_on = [google_service_networking_connection.vpc_connection]
+}
+	  
+resource "google_compute_global_address" "private_ip_alloc" {
+	name          =  "tf-test-alloydb-cluster%{random_suffix}"
+	address_type  = "INTERNAL"
+	purpose       = "VPC_PEERING"
+	prefix_length = 16
+	network       = data.google_compute_network.default.id
+}
+	  
+resource "google_service_networking_connection" "vpc_connection" {
+	network                 = data.google_compute_network.default.id
+	service                 = "servicenetworking.googleapis.com"
+	reserved_peering_ranges = [google_compute_global_address.private_ip_alloc.name]
+}
+	  
+data "google_compute_network" "default" {
+	name = "%{network_name}"
+}
+data "google_project" "project" {}
+
+resource "google_kms_key_ring" "keyring" {
+  name     = "%{key_name}"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key" "key" {
+  name     = "%{key_name}"
+  key_ring = google_kms_key_ring.keyring.id
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+  crypto_key_id = google_kms_crypto_key.key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  members = [
+	"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
+  ]
+}
+`, context)
+}

website/docs/r/alloydb_backup.html.markdown

@@ -160,10 +160,21 @@ The following arguments are supported:
   (Optional)
   User-provided description of the backup.
 
+* `encryption_config` -
+  (Optional)
+  EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key).
+  Structure is [documented below](#nested_encryption_config).
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
 
+<a name="nested_encryption_config"></a>The `encryption_config` block supports:
+
+* `kms_key_name` -
+  (Optional)
+  The fully-qualified resource name of the KMS key. Each Cloud KMS key is regionalized and has the following format: projects/[PROJECT]/locations/[REGION]/keyRings/[RING]/cryptoKeys/[KEY_NAME].
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported:
@@ -191,6 +202,20 @@ In addition to the arguments listed above, the following computed attributes are
 * `etag` -
   A hash of the resource.
 
+* `encryption_info` -
+  EncryptionInfo describes the encryption information of a cluster or a backup.
+  Structure is [documented below](#nested_encryption_info).
+
+
+<a name="nested_encryption_info"></a>The `encryption_info` block contains:
+
+* `encryption_type` -
+  (Output)
+  Output only. Type of encryption.
+
+* `kms_key_versions` -
+  (Output)
+  Output only. Cloud KMS key versions that are being used to protect the database or the backup.
 
 ## Timeouts