diff --git a/apis/refs/v1beta1/kmsrefs.go b/apis/refs/v1beta1/kmsrefs.go
index a1b2dbcaf1..6d70810334 100644
--- a/apis/refs/v1beta1/kmsrefs.go
+++ b/apis/refs/v1beta1/kmsrefs.go
@@ -58,9 +58,9 @@ func ResolveKMSCryptoKeyRef(ctx context.Context, reader client.Reader, src clien
 // External should be in the `projects/[kms_project_id]/locations/[region]/keyRings/[key_ring_id]/cryptoKeys/[key]` format
 if ref.External != "" {
 tokens := strings.Split(ref.External, "/")
- if len(tokens) == 8 && tokens[0] == "project" && tokens[2] == "locations" && tokens[4] == "keyRings" && tokens[6] == "cryptoKeys" {
+ if len(tokens) == 8 && tokens[0] == "projects" && tokens[2] == "locations" && tokens[4] == "keyRings" && tokens[6] == "cryptoKeys" {
 ref = &KMSCryptoKeyRef{
- External: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", tokens[1], tokens[3], tokens[5]),
+ External: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", tokens[1], tokens[3], tokens[5], tokens[7]),
 }
 return ref, nil
 }
@@ -142,7 +142,7 @@ func ResolveKMSKeyRingRef(ctx context.Context, reader client.Reader, src client.
 // External should be in the `projects/[kms_project_id]/locations/[region]/keyRings/[key_ring_id]` format
 if ref.External != "" {
 tokens := strings.Split(ref.External, "/")
- if len(tokens) == 6 && tokens[0] == "project" && tokens[2] == "locations" && tokens[4] == "keyRings" {
+ if len(tokens) == 6 && tokens[0] == "projects" && tokens[2] == "locations" && tokens[4] == "keyRings" {
 ref = &KMSKeyRingRef{
 External: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", tokens[1], tokens[3], tokens[5]),
 }
diff --git a/mockgcp/mocksecuresourcemanager/instance.go b/mockgcp/mocksecuresourcemanager/instance.go
index e3ee82992c..d5f61b47ca 100644
--- a/mockgcp/mocksecuresourcemanager/instance.go
+++ b/mockgcp/mocksecuresourcemanager/instance.go
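Review bot: The corrected check in ResolveKMSCryptoKeyRef still accepts an External value whose variable segments are empty, because only the token count and the four fixed segment names are compared; `projects//locations//keyRings//cryptoKeys/` splits into eight tokens and passes. Requiring the odd-indexed tokens to be non-empty closes that, e.g. append `&& tokens[1] != "" && tokens[3] != "" && tokens[5] != "" && tokens[7] != ""` to the condition, and the same applies to the six-token check in the ResolveKMSKeyRingRef hunk that follows. The old `"project"` literal meant this branch could never match a well-formed name, which suggests no unit test exercises the External path; a small table test over valid and malformed names would pin it. Both function bodies continue outside their hunks, so what happens to a non-matching External is not visible here.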
@@ -70,6 +70,10 @@ func (s *secureSourceManagerServer) CreateInstance(ctx context.Context, req *pb. // TODO: State should be Creating at first, ACTIVE once done obj.State = pb.Instance_ACTIVE + if req.GetInstance().GetKmsKey() != "" { + obj.KmsKey = req.GetInstance().GetKmsKey() + } + // TODO: Only fill in when ACTIVE prefix := fmt.Sprintf("%s-%d", name.InstanceID, name.Project.Number) domain := "." + name.Location + ".sourcemanager.dev" diff --git a/pkg/controller/direct/securesourcemanager/instance_controller.go b/pkg/controller/direct/securesourcemanager/instance_controller.go index d894ffa85f..7d66a9940c 100644 --- a/pkg/controller/direct/securesourcemanager/instance_controller.go +++ b/pkg/controller/direct/securesourcemanager/instance_controller.go @@ -74,6 +74,14 @@ func (m *secureSourceManagerInstanceModel) AdapterForObject(ctx context.Context, return nil, err } + if obj.Spec.KmsKeyRef != nil { + kmsKeyRef, err := refs.ResolveKMSCryptoKeyRef(ctx, reader, u, obj.Spec.KmsKeyRef) + if err != nil { + return nil, err + } + obj.Spec.KmsKeyRef = kmsKeyRef + } + mapCtx := &direct.MapContext{} desired := SecureSourceManagerInstanceSpec_ToProto(mapCtx, &obj.Spec) if mapCtx.Err() != nil { @@ -233,7 +241,9 @@ func (a *secureSourceManagerInstanceAdapter) Delete(ctx context.Context, deleteO err = op.Wait(ctx) if err != nil { - return false, fmt.Errorf("waiting for delete of Instance %q: %w", a.id.External, err) + if !strings.Contains(err.Error(), "(line 15:3): missing \"value\" field") { + return false, fmt.Errorf("deleting Instance %s: %w", a.id.External, err) + } } return true, nil } 
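Review bot: The mock's CreateInstance stores any non-empty kmsKey string unchecked, so a malformed key name sent by the controller would be echoed back and recorded in the golden log as if it had been accepted. The format string removed from kmsrefs.go in this same commit (`projects/%s/secrets/%s/versions/%s`) is the kind of value that would pass through unnoticed; presumably the real service rejects it, though that is not shown here. A marker in the file's existing TODO style would record the gap: `// TODO: return InvalidArgument unless kmsKey matches projects/*/locations/*/keyRings/*/cryptoKeys/*`. The `!= ""` guard is also unnecessary, since assigning an empty string leaves the field at its zero value. CreateInstance starts and ends outside the hunk.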
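Review bot: The resolver error in the new KmsKeyRef block of AdapterForObject is returned bare (`return nil, err`), so a failed reconcile does not say which reference could not be resolved. Wrapping it, `return nil, fmt.Errorf("resolving spec.kmsKeyRef: %w", err)`, keeps the cause and names the field. A one-line comment such as `// Replace kmsKeyRef with its resolved form before mapping the spec to proto.` would also explain why obj.Spec is overwritten in place just ahead of the ToProto call. AdapterForObject starts and ends outside the hunk.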
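Review bot: In Delete, an error from `op.Wait(ctx)` whose text contains `(line 15:3): missing "value" field` is now dropped and the function returns `true, nil` without confirming that the instance is gone. Matching on a message with a hard-coded line and column is brittle, and nothing in the hunk says why this error is safe to ignore; if it is a response-decoding failure (an inference, the cause is not shown), record that in a comment with a tracking reference, e.g. `// op.Wait fails to decode the delete response even when the delete succeeded; see <issue link>`. Before returning true it would be safer to re-read the instance and treat only NotFound as deleted, since reporting success early could let the KMS key and IAM binding this instance depends on be torn down while the instance still exists. The rewritten message also switches `%q` to `%s` and drops "waiting for", which blurs the difference between a failed delete call and a failed wait. Delete begins outside the hunk.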
diff --git a/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/_generated_object_securesourcemanagerinstancecmek.golden.yaml b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/_generated_object_securesourcemanagerinstancecmek.golden.yaml new file mode 100644 index 0000000000..714dd6349d --- /dev/null +++ b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/_generated_object_securesourcemanagerinstancecmek.golden.yaml @@ -0,0 +1,33 @@ +apiVersion: securesourcemanager.cnrm.cloud.google.com/v1alpha1 +kind: SecureSourceManagerInstance +metadata: + finalizers: + - cnrm.cloud.google.com/finalizer + - cnrm.cloud.google.com/deletion-defender + generation: 1 + labels: + cnrm-test: "true" + name: ssminstance-${uniqueId} + namespace: ${uniqueId} +spec: + kmsKeyRef: + name: kmscryptokey-${uniqueId} + location: us-central1 + projectRef: + external: ${projectId} +status: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: The resource is up to date + reason: UpToDate + status: "True" + type: Ready + externalRef: projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId} + observedGeneration: 1 + observedState: + hostConfig: + api: ssminstance-${uniqueId}-${projectNumber}-api.us-central1.sourcemanager.dev + gitHTTP: ssminstance-${uniqueId}-${projectNumber}-git.us-central1.sourcemanager.dev + gitSSH: ssminstance-${uniqueId}-${projectNumber}-ssh.us-central1.sourcemanager.dev + html: ssminstance-${uniqueId}-${projectNumber}.us-central1.sourcemanager.dev + state: ACTIVE 
diff --git a/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/_http.log b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/_http.log new file mode 100644 index 0000000000..e2e7b084e5 --- /dev/null +++ b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/_http.log 
@@ -0,0 +1,672 @@ +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}?alt=json +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "message": "KeyRing projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId} not found.", + "status": "NOT_FOUND" + } +} + +--- + +POST https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings?alt=json&keyRingId=key-ring-${uniqueId} +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "createTime": "2024-04-01T12:34:56.123456Z", + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}" +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}?alt=json +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "createTime": "2024-04-01T12:34:56.123456Z", + "name": 
"projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}" +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}?alt=json +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "message": "CryptoKey projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId} not found.", + "status": "NOT_FOUND" + } +} + +--- + +POST https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys?alt=json&cryptoKeyId=kmscryptokey-${uniqueId}&skipInitialVersionCreation=false +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +{ + "labels": { + "cnrm-test": "true", + "managed-by-cnrm": "true" + }, + "purpose": "ENCRYPT_DECRYPT" +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "createTime": "2024-04-01T12:34:56.123456Z", + "destroyScheduledDuration": "2592000s", + "labels": { + "cnrm-test": "true", + "managed-by-cnrm": "true" + }, + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}", + "primary": { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "createTime": "2024-04-01T12:34:56.123456Z", + "generateTime": 
"2024-04-01T12:34:56.123456Z", + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}/cryptoKeyVersions/1", + "protectionLevel": "SOFTWARE", + "state": "ENABLED" + }, + "purpose": "ENCRYPT_DECRYPT", + "versionTemplate": { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "protectionLevel": "SOFTWARE" + } +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}?alt=json +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "createTime": "2024-04-01T12:34:56.123456Z", + "destroyScheduledDuration": "2592000s", + "labels": { + "cnrm-test": "true", + "managed-by-cnrm": "true" + }, + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}", + "primary": { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "createTime": "2024-04-01T12:34:56.123456Z", + "generateTime": "2024-04-01T12:34:56.123456Z", + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}/cryptoKeyVersions/1", + "protectionLevel": "SOFTWARE", + "state": "ENABLED" + }, + "purpose": "ENCRYPT_DECRYPT", + "versionTemplate": { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "protectionLevel": "SOFTWARE" + } +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}:getIamPolicy?alt=json&options.requestedPolicyVersion=3&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ 
(+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "etag": "abcdef0123A=" +} + +--- + +POST https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}:setIamPolicy?alt=json&prettyPrint=false +Content-Type: application/json +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +{ + "policy": { + "bindings": [ + { + "members": [ + "serviceAccount:service-${projectNumber}@gcp-sa-sourcemanager.iam.gserviceaccount.com" + ], + "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter" + } + ], + "etag": "abcdef0123A=", + "version": 3 + } +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-${projectNumber}@gcp-sa-sourcemanager.iam.gserviceaccount.com" + ], + "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter" + } + ], + "etag": "abcdef0123A=", + "version": 1 +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}:getIamPolicy?alt=json&options.requestedPolicyVersion=3&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin 
+Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-${projectNumber}@gcp-sa-sourcemanager.iam.gserviceaccount.com" + ], + "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter" + } + ], + "etag": "abcdef0123A=", + "version": 1 +} + +--- + +GET https://securesourcemanager.googleapis.com/v1/projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}?%24alt=json%3Benum-encoding%3Dint +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=projects%2F${projectId}%2Flocations%2Fus-central1%2Finstances%2Fssminstance-${uniqueId} + +404 Not Found +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "error": { + "code": 404, + "message": "Resource 'projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}' was not found", + "status": "NOT_FOUND" + } +} + +--- + +POST https://securesourcemanager.googleapis.com/v1/projects/${projectId}/locations/us-central1/instances?%24alt=json%3Benum-encoding%3Dint&instanceId=ssminstance-${uniqueId} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: parent=projects%2F${projectId}%2Flocations%2Fus-central1 + +{ + "kmsKey": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}" +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "metadata": { + "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata", + "apiVersion": "v1", + "createTime": "2024-04-01T12:34:56.123456Z", + "target": 
"projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}", + "verb": "create" + }, + "name": "projects/${projectId}/locations/us-central1/operations/${operationID}" +} + +--- + +GET https://securesourcemanager.googleapis.com/v1/projects/${projectId}/locations/us-central1/operations/${operationID} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=projects%2F${projectId}%2Flocations%2Fus-central1%2Foperations%2F${operationID} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "done": true, + "metadata": { + "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata", + "apiVersion": "v1", + "createTime": "2024-04-01T12:34:56.123456Z", + "endTime": "2024-04-01T12:34:56.123456Z", + "target": "projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}", + "verb": "create" + }, + "name": "projects/${projectId}/locations/us-central1/operations/${operationID}", + "response": { + "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.Instance", + "createTime": "2024-04-01T12:34:56.123456Z", + "hostConfig": { + "api": "ssminstance-${uniqueId}-${projectNumber}-api.us-central1.sourcemanager.dev", + "gitHttp": "ssminstance-${uniqueId}-${projectNumber}-git.us-central1.sourcemanager.dev", + "gitSsh": "ssminstance-${uniqueId}-${projectNumber}-ssh.us-central1.sourcemanager.dev", + "html": "ssminstance-${uniqueId}-${projectNumber}.us-central1.sourcemanager.dev" + }, + "kmsKey": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}", + "name": "projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}", + "state": "ACTIVE", + "updateTime": "2024-04-01T12:34:56.123456Z" + } +} + +--- + +GET 
https://securesourcemanager.googleapis.com/v1/projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}?%24alt=json%3Benum-encoding%3Dint +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=projects%2F${projectId}%2Flocations%2Fus-central1%2Finstances%2Fssminstance-${uniqueId} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "createTime": "2024-04-01T12:34:56.123456Z", + "hostConfig": { + "api": "ssminstance-${uniqueId}-${projectNumber}-api.us-central1.sourcemanager.dev", + "gitHttp": "ssminstance-${uniqueId}-${projectNumber}-git.us-central1.sourcemanager.dev", + "gitSsh": "ssminstance-${uniqueId}-${projectNumber}-ssh.us-central1.sourcemanager.dev", + "html": "ssminstance-${uniqueId}-${projectNumber}.us-central1.sourcemanager.dev" + }, + "kmsKey": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}", + "name": "projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}", + "state": 2, + "updateTime": "2024-04-01T12:34:56.123456Z" +} + +--- + +DELETE https://securesourcemanager.googleapis.com/v1/projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}?%24alt=json%3Benum-encoding%3Dint +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=projects%2F${projectId}%2Flocations%2Fus-central1%2Finstances%2Fssminstance-${uniqueId} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "metadata": { + "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata", + "apiVersion": "v1", + "createTime": 
"2024-04-01T12:34:56.123456Z", + "target": "projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}", + "verb": "delete" + }, + "name": "projects/${projectId}/locations/us-central1/operations/${operationID}" +} + +--- + +GET https://securesourcemanager.googleapis.com/v1/projects/${projectId}/locations/us-central1/operations/${operationID} +Content-Type: application/json +User-Agent: kcc/controller-manager +x-goog-request-params: name=projects%2F${projectId}%2Flocations%2Fus-central1%2Foperations%2F${operationID} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "done": true, + "metadata": { + "@type": "type.googleapis.com/google.cloud.securesourcemanager.v1.OperationMetadata", + "apiVersion": "v1", + "createTime": "2024-04-01T12:34:56.123456Z", + "endTime": "2024-04-01T12:34:56.123456Z", + "target": "projects/${projectId}/locations/us-central1/instances/ssminstance-${uniqueId}", + "verb": "delete" + }, + "name": "projects/${projectId}/locations/us-central1/operations/${operationID}", + "response": { + "@type": "type.googleapis.com/google.protobuf.Empty" + } +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}:getIamPolicy?alt=json&options.requestedPolicyVersion=3&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "bindings": [ + { + "members": [ + 
"serviceAccount:service-${projectNumber}@gcp-sa-sourcemanager.iam.gserviceaccount.com" + ], + "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter" + } + ], + "etag": "abcdef0123A=", + "version": 1 +} + +--- + +POST https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}:setIamPolicy?alt=json&prettyPrint=false +Content-Type: application/json +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +{ + "policy": { + "etag": "abcdef0123A=", + "version": 1 + } +} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "etag": "abcdef0123A=", + "version": 1 +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}:getIamPolicy?alt=json&options.requestedPolicyVersion=3&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "etag": "abcdef0123A=", + "version": 1 +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}?alt=json +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; 
charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "createTime": "2024-04-01T12:34:56.123456Z", + "destroyScheduledDuration": "2592000s", + "labels": { + "cnrm-test": "true", + "managed-by-cnrm": "true" + }, + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}", + "primary": { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "createTime": "2024-04-01T12:34:56.123456Z", + "generateTime": "2024-04-01T12:34:56.123456Z", + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}/cryptoKeyVersions/1", + "protectionLevel": "SOFTWARE", + "state": "ENABLED" + }, + "purpose": "ENCRYPT_DECRYPT", + "versionTemplate": { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "protectionLevel": "SOFTWARE" + } +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}/cryptoKeyVersions?alt=json&prettyPrint=false +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "cryptoKeyVersions": [ + { + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "createTime": "2024-04-01T12:34:56.123456Z", + "generateTime": "2024-04-01T12:34:56.123456Z", + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}/cryptoKeyVersions/1", + "protectionLevel": "SOFTWARE", + "state": "ENABLED" + } + ], + "totalSize": 1 +} + +--- + +POST 
https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}/cryptoKeyVersions/1:destroy?alt=json&prettyPrint=false +Content-Type: application/json +User-Agent: google-api-go-client/0.5 Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +{} + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", + "createTime": "2024-04-01T12:34:56.123456Z", + "destroyTime": "2024-04-01T12:34:56.123456Z", + "generateTime": "2024-04-01T12:34:56.123456Z", + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}/cryptoKeys/kmscryptokey-${uniqueId}/cryptoKeyVersions/1", + "protectionLevel": "SOFTWARE", + "state": "DESTROY_SCHEDULED" +} + +--- + +GET https://cloudkms.googleapis.com/v1/projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}?alt=json +Content-Type: application/json +User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google-beta/kcc/controller-manager + +200 OK +Cache-Control: private +Content-Type: application/json; charset=UTF-8 +Server: ESF +Vary: Origin +Vary: X-Origin +Vary: Referer +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +X-Xss-Protection: 0 + +{ + "createTime": "2024-04-01T12:34:56.123456Z", + "name": "projects/${projectId}/locations/us-central1/keyRings/key-ring-${uniqueId}" +} \ No newline at end of file 
diff --git a/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/create.yaml b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/create.yaml
new file mode 100644
index 0000000000..54d664de89
--- /dev/null
+++ b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/create.yaml
@@ -0,0 +1,24 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: securesourcemanager.cnrm.cloud.google.com/v1alpha1
+kind: SecureSourceManagerInstance
+metadata:
+ name: ssminstance-${uniqueId}
+spec:
+ location: us-central1
+ projectRef:
+ external: ${projectId}
+ kmsKeyRef:
+ name: kmscryptokey-${uniqueId}
diff --git a/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/dependencies.yaml b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/dependencies.yaml
new file mode 100644
index 0000000000..e0383ba1fc
--- /dev/null
+++ b/pkg/test/resourcefixture/testdata/basic/securesourcemanager/securesourcemanagerinstance/securesourcemanagerinstancecmek/dependencies.yaml
@@ -0,0 +1,42 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kms.cnrm.cloud.google.com/v1beta1
+kind: KMSKeyRing
+metadata:
+ name: key-ring-${uniqueId}
+spec:
+ location: us-central1
+---
+apiVersion: kms.cnrm.cloud.google.com/v1beta1
+kind: KMSCryptoKey
+metadata:
+ name: kmscryptokey-${uniqueId}
+ annotations:
+ cnrm.cloud.google.com/project-id: ${projectId}
+spec:
+ keyRingRef:
+ name: key-ring-${uniqueId}
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: iampolicymember-${uniqueId}
+spec:
+ member: serviceAccount:service-${projectNumber}@gcp-sa-sourcemanager.iam.gserviceaccount.com
+ role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+ resourceRef:
+ apiVersion: kms.cnrm.cloud.google.com/v1beta1
+ kind: KMSCryptoKey
+ name: kmscryptokey-${uniqueId}
\ No newline at end of file