From 7762094e23d4902f05fb1e8b105bf395f57d650a Mon Sep 17 00:00:00 2001 From: The Magician Date: Mon, 11 Sep 2023 06:31:45 -0400 Subject: [PATCH] Added support for `auto` and deprecated `automatic` field in `google_secret_manager_secret` resource (#8838) (#15793) * Added support for automatic_replication field in google_secret_manager_secret resource * Replaced deprecated field automatic with automatic_replication in terraform configs * Improved the deprecation_message * Changed the name of field from automatic_replication to auto * Adjusted white spaces * Added test case to cover the automatic field 
Signed-off-by: Modular Magician --- .changelog/8838.txt | 6 + ...source_cloud_run_service_generated_test.go | 4 +- .../resource_cloud_run_service_test.go | 8 +- ...esource_cloud_run_v2_job_generated_test.go | 4 +- ...rce_cloud_run_v2_service_generated_test.go | 4 +- ...rvices_edge_cache_keyset_generated_test.go | 2 +- ...rvices_edge_cache_origin_generated_test.go | 2 +- ...vices_edge_cache_service_generated_test.go | 2 +- ...cret_manager_secret_version_access_test.go | 4 +- ...urce_secret_manager_secret_version_test.go | 4 +- .../resource_secret_manager_secret.go | 139 +++++++++++- ...ce_secret_manager_secret_generated_test.go | 54 ++++- .../resource_secret_manager_secret_test.go | 206 +++++++++++++++++- ...t_manager_secret_version_generated_test.go | 2 +- ...urce_secret_manager_secret_version_test.go | 4 +- website/docs/r/cloud_run_v2_job.html.markdown | 4 +- .../docs/r/cloud_run_v2_service.html.markdown | 4 +- .../r/cloudbuildv2_connection.html.markdown | 6 +- .../r/cloudbuildv2_repository.html.markdown | 6 +- .../docs/r/dataform_repository.html.markdown | 2 +- ...rm_repository_release_config.html.markdown | 2 +- ...m_repository_workflow_config.html.markdown | 2 +- ...k_services_edge_cache_keyset.html.markdown | 2 +- ...k_services_edge_cache_origin.html.markdown | 2 +- ..._services_edge_cache_service.html.markdown | 2 +- .../r/secret_manager_secret.html.markdown | 56 ++++- ...ecret_manager_secret_version.html.markdown | 2 +- 27 files changed, 485 insertions(+), 50 deletions(-) create mode 100644 .changelog/8838.txt diff --git a/.changelog/8838.txt b/.changelog/8838.txt new file mode 100644 index 00000000000..19a7126b4ad --- /dev/null +++ b/.changelog/8838.txt @@ -0,0 +1,6 @@ +```release-note:enhancement +secretmanager: added `auto` field to `google_secret_manager_secret` resource +``` +```release-note:deprecation +secretmanager: deprecated `automatic` field on `google_secret_manager_secret`. Use `auto` instead. +``` 
diff --git a/google/services/cloudrun/resource_cloud_run_service_generated_test.go b/google/services/cloudrun/resource_cloud_run_service_generated_test.go index f5dfccc32cb..46c42d12665 100644 --- a/google/services/cloudrun/resource_cloud_run_service_generated_test.go +++ b/google/services/cloudrun/resource_cloud_run_service_generated_test.go @@ -306,7 +306,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret%{random_suffix}" replication { - automatic = true + auto {} } } @@ -400,7 +400,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret%{random_suffix}" replication { - automatic = true + auto {} } } diff --git a/google/services/cloudrun/resource_cloud_run_service_test.go b/google/services/cloudrun/resource_cloud_run_service_test.go index 59cf9642947..4df15118f48 100644 --- a/google/services/cloudrun/resource_cloud_run_service_test.go +++ b/google/services/cloudrun/resource_cloud_run_service_test.go @@ -185,14 +185,14 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret1" { secret_id = "%s" replication { - automatic = true + auto {} } } resource "google_secret_manager_secret" "secret2" { secret_id = "%s" replication { - automatic = true + auto {} } } @@ -309,14 +309,14 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret1" { secret_id = "%s" replication { - automatic = true + auto {} } } resource "google_secret_manager_secret" "secret2" { secret_id = "%s" replication { - automatic = true + auto {} } } diff --git a/google/services/cloudrunv2/resource_cloud_run_v2_job_generated_test.go b/google/services/cloudrunv2/resource_cloud_run_v2_job_generated_test.go index 74861546459..01a418dff45 100644 --- a/google/services/cloudrunv2/resource_cloud_run_v2_job_generated_test.go +++ b/google/services/cloudrunv2/resource_cloud_run_v2_job_generated_test.go 
@@ -156,7 +156,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret%{random_suffix}" replication { - automatic = true + auto {} } } @@ -331,7 +331,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret%{random_suffix}" replication { - automatic = true + auto {} } } diff --git a/google/services/cloudrunv2/resource_cloud_run_v2_service_generated_test.go b/google/services/cloudrunv2/resource_cloud_run_v2_service_generated_test.go index 9e6bf321c6c..1efdc34e711 100644 --- a/google/services/cloudrunv2/resource_cloud_run_v2_service_generated_test.go +++ b/google/services/cloudrunv2/resource_cloud_run_v2_service_generated_test.go @@ -152,7 +152,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "tf-test-secret-1%{random_suffix}" replication { - automatic = true + auto {} } } @@ -361,7 +361,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "tf-test-secret-1%{random_suffix}" replication { - automatic = true + auto {} } } diff --git a/google/services/networkservices/resource_network_services_edge_cache_keyset_generated_test.go b/google/services/networkservices/resource_network_services_edge_cache_keyset_generated_test.go index 674fd204803..ea0d41fc417 100644 --- a/google/services/networkservices/resource_network_services_edge_cache_keyset_generated_test.go +++ b/google/services/networkservices/resource_network_services_edge_cache_keyset_generated_test.go @@ -104,7 +104,7 @@ resource "google_secret_manager_secret" "secret-basic" { secret_id = "tf-test-secret-name%{random_suffix}" replication { - automatic = true + auto {} } } diff --git a/google/services/networkservices/resource_network_services_edge_cache_origin_generated_test.go b/google/services/networkservices/resource_network_services_edge_cache_origin_generated_test.go index b265be7bca4..392f814dddb 100644 
--- a/google/services/networkservices/resource_network_services_edge_cache_origin_generated_test.go +++ b/google/services/networkservices/resource_network_services_edge_cache_origin_generated_test.go @@ -183,7 +183,7 @@ resource "google_secret_manager_secret" "secret-basic" { secret_id = "tf-test-secret-name%{random_suffix}" replication { - automatic = true + auto {} } } diff --git a/google/services/networkservices/resource_network_services_edge_cache_service_generated_test.go b/google/services/networkservices/resource_network_services_edge_cache_service_generated_test.go index a6d55524641..c41d7d157ad 100644 --- a/google/services/networkservices/resource_network_services_edge_cache_service_generated_test.go +++ b/google/services/networkservices/resource_network_services_edge_cache_service_generated_test.go @@ -355,7 +355,7 @@ resource "google_secret_manager_secret" "secret-basic" { secret_id = "tf-test-secret-name%{random_suffix}" replication { - automatic = true + auto {} } } diff --git a/google/services/secretmanager/data_source_secret_manager_secret_version_access_test.go b/google/services/secretmanager/data_source_secret_manager_secret_version_access_test.go index d2e2f72e2f6..82f87a51bdf 100644 --- a/google/services/secretmanager/data_source_secret_manager_secret_version_access_test.go +++ b/google/services/secretmanager/data_source_secret_manager_secret_version_access_test.go @@ -84,7 +84,7 @@ resource "google_secret_manager_secret" "secret-basic" { label = "my-label" } replication { - automatic = true + auto {} } } @@ -114,7 +114,7 @@ resource "google_secret_manager_secret" "secret-basic" { label = "my-label" } replication { - automatic = true + auto {} } } diff --git a/google/services/secretmanager/data_source_secret_manager_secret_version_test.go b/google/services/secretmanager/data_source_secret_manager_secret_version_test.go index 99d96c30070..37d660acce6 100644 --- a/google/services/secretmanager/data_source_secret_manager_secret_version_test.go 
+++ b/google/services/secretmanager/data_source_secret_manager_secret_version_test.go @@ -84,7 +84,7 @@ resource "google_secret_manager_secret" "secret-basic" { label = "my-label" } replication { - automatic = true + auto {} } } @@ -114,7 +114,7 @@ resource "google_secret_manager_secret" "secret-basic" { label = "my-label" } replication { - automatic = true + auto {} } } diff --git a/google/services/secretmanager/resource_secret_manager_secret.go b/google/services/secretmanager/resource_secret_manager_secret.go index 8a53f192a52..774d6f74299 100644 --- a/google/services/secretmanager/resource_secret_manager_secret.go +++ b/google/services/secretmanager/resource_secret_manager_secret.go 
@@ -57,12 +57,42 @@ after the Secret has been created.`,
 MaxItems: 1,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
+ "auto": {
+ Type: schema.TypeList,
+ Optional: true,
+ ForceNew: true,
+ Description: `The Secret will automatically be replicated without any restrictions.`,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "customer_managed_encryption": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `The customer-managed encryption configuration of the Secret.
+If no configuration is provided, Google-managed default
+encryption is used.`,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "kms_key_name": {
+ Type: schema.TypeString,
+ Required: true,
+ Description: `The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.`,
+ },
+ },
+ },
+ },
+ },
+ },
+ ExactlyOneOf: []string{"replication.0.automatic", "replication.0.user_managed", "replication.0.auto"},
+ },
 "automatic": {
 Type: schema.TypeBool,
 Optional: true,
+ Deprecated: "`automatic` is deprecated and will be removed in a future major release. Use `auto` instead.",
 ForceNew: true,
 Description: `The Secret will automatically be replicated without any restrictions.`,
- ExactlyOneOf: []string{"replication.0.automatic", "replication.0.user_managed"},
+ ExactlyOneOf: []string{"replication.0.automatic", "replication.0.user_managed", "replication.0.auto"},
 },
 "user_managed": {
 Type: schema.TypeList,
@@ -106,7 +136,7 @@ after the Secret has been created.`,
 },
 },
 },
- ExactlyOneOf: []string{"replication.0.automatic", "replication.0.user_managed"},
+ ExactlyOneOf: []string{"replication.0.automatic", "replication.0.user_managed", "replication.0.auto"},
 },
 },
 },
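Review bot: The new `auto` block carries the same Description as the deprecated `automatic` field, so the generated docs give a reader no reason to choose one over the other beyond the deprecation warning; since `auto` is the only shape that can hold `customer_managed_encryption`, say so, e.g. `Description: \`The Secret will automatically be replicated without any restrictions. Supports customer-managed encryption via customer_managed_encryption.\`,`. The nested `customer_managed_encryption` block is Optional without ForceNew while its parent `auto` is ForceNew; if that asymmetry is intentional (the key can be changed in place on an automatic secret, which the new acceptance test appears to exercise), a one-line comment on the field would keep a later reader from "fixing" it. The schema map this hunk edits starts and ends outside the hunk.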
@@ -645,8 +675,14 @@ func flattenSecretManagerSecretReplication(v interface{}, d *schema.ResourceData
 return nil
 }
 transformed := make(map[string]interface{})
- transformed["automatic"] = flattenSecretManagerSecretReplicationAutomatic(original["automatic"], d, config)
+ _, ok := d.GetOk("replication.0.automatic")
+ if ok {
+ transformed["automatic"] =
+ flattenSecretManagerSecretReplicationAutomatic(original["automatic"], d, config)
+ } else {
+ transformed["auto"] =
+ flattenSecretManagerSecretReplicationAuto(original["automatic"], d, config)
+ }
 transformed["user_managed"] = flattenSecretManagerSecretReplicationUserManaged(original["userManaged"], d, config)
 return []interface{}{transformed}
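Review bot: Choosing between `automatic` and `auto` in flattenSecretManagerSecretReplication via `d.GetOk("replication.0.automatic")` means a Read with nothing in `d` — notably `terraform import` — always writes the API's single `automatic` object back as `auto`, so a configuration still using the deprecated `automatic = true` will most likely then plan a ForceNew replacement of the secret, and with it every stored version, unless a diff suppression outside this hunk intervenes; the new acceptance test having to ignore both `replication.0.automatic` and `replication.0.auto` on its import step points the same way. Worth either a DiffSuppressFunc/CustomizeDiff that treats `automatic = true` and a CMEK-less `auto {}` as equivalent, or an explicit statement in the deprecation message that configs must move to `auto {}` before importing. At minimum comment the branch: `// The API returns one "automatic" object; which config field it is written back to follows what the user set, so imports (empty d) land on "auto".` The enclosing function starts outside the hunk.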
@@ -655,6 +691,33 @@ func flattenSecretManagerSecretReplicationAutomatic(v interface{}, d *schema.Res
 return v != nil
 }
+func flattenSecretManagerSecretReplicationAuto(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return nil
+ }
+ original := v.(map[string]interface{})
+ transformed := make(map[string]interface{})
+ transformed["customer_managed_encryption"] =
+ flattenSecretManagerSecretReplicationAutoCustomerManagedEncryption(original["customerManagedEncryption"], d, config)
+ return []interface{}{transformed}
+}
+func flattenSecretManagerSecretReplicationAutoCustomerManagedEncryption(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ if v == nil {
+ return nil
+ }
+ original := v.(map[string]interface{})
+ if len(original) == 0 {
+ return nil
+ }
+ transformed := make(map[string]interface{})
+ transformed["kms_key_name"] =
+ flattenSecretManagerSecretReplicationAutoCustomerManagedEncryptionKmsKeyName(original["kmsKeyName"], d, config)
+ return []interface{}{transformed}
+}
+func flattenSecretManagerSecretReplicationAutoCustomerManagedEncryptionKmsKeyName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+ return v
+}
+
 func flattenSecretManagerSecretReplicationUserManaged(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 if v == nil {
 return nil
@@ -799,11 +862,22 @@ func expandSecretManagerSecretReplication(v interface{}, d tpgresource.Terraform
 original := raw.(map[string]interface{})
 transformed := make(map[string]interface{})
- transformedAutomatic, err := expandSecretManagerSecretReplicationAutomatic(original["automatic"], d, config)
- if err != nil {
- return nil, err
- } else if val := reflect.ValueOf(transformedAutomatic); val.IsValid() && !tpgresource.IsEmptyValue(val) {
- transformed["automatic"] = transformedAutomatic
+ if _, ok := d.GetOk("replication.0.automatic"); ok {
+ transformedAutomatic, err := expandSecretManagerSecretReplicationAutomatic(original["automatic"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedAutomatic); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["automatic"] = transformedAutomatic
+ }
+ }
+
+ if _, ok := d.GetOk("replication.0.auto"); ok {
+ transformedAuto, err := expandSecretManagerSecretReplicationAuto(original["auto"], d, config)
+ if err != nil {
+ return nil, err
+ } else {
+ transformed["automatic"] = transformedAuto
+ }
 }
 transformedUserManaged, err := expandSecretManagerSecretReplicationUserManaged(original["user_managed"], d, config)
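Review bot: The `auto` branch ends in `} else { transformed["automatic"] = transformedAuto }` after an `if` that returns; drop the `else` and assign directly, matching the early-return style of the `automatic` branch just above it. That branch also deliberately skips the `IsEmptyValue` check the `automatic` branch performs, which is what lets a bare `auto {}` (an empty map from the expander) reach the API at all; it reads like an omission, so state it: `// auto {} expands to an empty object; it must still be sent so the API selects automatic replication.` Both branches write the same `transformed["automatic"]` key, which only works because the schema's ExactlyOneOf keeps the two config fields mutually exclusive — worth a word in the same comment. The function's body continues outside the hunk.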
@@ -824,6 +898,53 @@ func expandSecretManagerSecretReplicationAutomatic(v interface{}, d tpgresource.
 return struct{}{}, nil
 }
+func expandSecretManagerSecretReplicationAuto(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ l := v.([]interface{})
+ if len(l) == 0 {
+ return nil, nil
+ }
+
+ if l[0] == nil {
+ transformed := make(map[string]interface{})
+ return transformed, nil
+ }
+ raw := l[0]
+ original := raw.(map[string]interface{})
+ transformed := make(map[string]interface{})
+
+ transformedCustomerManagedEncryption, err := expandSecretManagerSecretReplicationAutoCustomerManagedEncryption(original["customer_managed_encryption"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedCustomerManagedEncryption); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["customerManagedEncryption"] = transformedCustomerManagedEncryption
+ }
+
+ return transformed, nil
+}
+
+func expandSecretManagerSecretReplicationAutoCustomerManagedEncryption(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ l := v.([]interface{})
+ if len(l) == 0 || l[0] == nil {
+ return nil, nil
+ }
+ raw := l[0]
+ original := raw.(map[string]interface{})
+ transformed := make(map[string]interface{})
+
+ transformedKmsKeyName, err := expandSecretManagerSecretReplicationAutoCustomerManagedEncryptionKmsKeyName(original["kms_key_name"], d, config)
+ if err != nil {
+ return nil, err
+ } else if val := reflect.ValueOf(transformedKmsKeyName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+ transformed["kmsKeyName"] = transformedKmsKeyName
+ }
+
+ return transformed, nil
+}
+
+func expandSecretManagerSecretReplicationAutoCustomerManagedEncryptionKmsKeyName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+ return v, nil
+}
+
 func expandSecretManagerSecretReplicationUserManaged(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 l := v.([]interface{})
 if len(l) == 0 || l[0] == nil {
diff --git a/google/services/secretmanager/resource_secret_manager_secret_generated_test.go b/google/services/secretmanager/resource_secret_manager_secret_generated_test.go
index 27dd9ca1e95..3f573bcf69c 100644
--- a/google/services/secretmanager/resource_secret_manager_secret_generated_test.go
+++ b/google/services/secretmanager/resource_secret_manager_secret_generated_test.go
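Review bot: expandSecretManagerSecretReplicationAuto returns an empty map when `l[0] == nil`, while the sibling expandSecretManagerSecretReplicationAutoCustomerManagedEncryption returns nil for the same case, and nothing records that the difference is deliberate; add above the `if l[0] == nil` check: `// auto {} with no attributes arrives as a nil list element; an empty object (not nil) is what selects automatic replication in the request.` A one-line doc comment on each new function naming the API field it feeds (`replication.automatic`, its `customerManagedEncryption`, and `kmsKeyName`) would also help, since the `Auto` ↔ `automatic` correspondence is not visible from the identifiers alone. The unchecked `v.([]interface{})` assertions follow the convention of the surrounding generated expanders, so they are not flagged here.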
@@ -121,12 +121,64 @@ resource "google_secret_manager_secret" "secret-with-annotations" { } replication { - automatic = true + auto {} } } `, context) } +func TestAccSecretManagerSecret_secretWithAutomaticCmekExample(t *testing.T) { + t.Parallel() + + context := map[string]interface{}{ + "kms_key_name": acctest.BootstrapKMSKey(t).CryptoKey.Name, + "random_suffix": acctest.RandString(t, 10), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckSecretManagerSecretDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccSecretManagerSecret_secretWithAutomaticCmekExample(context), + }, + { + ResourceName: "google_secret_manager_secret.secret-with-automatic-cmek", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl", "secret_id"}, + }, + }, + }) +} + +func testAccSecretManagerSecret_secretWithAutomaticCmekExample(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" {} + +resource "google_kms_crypto_key_iam_member" "kms-secret-binding" { + crypto_key_id = "%{kms_key_name}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} + +resource "google_secret_manager_secret" "secret-with-automatic-cmek" { + secret_id = "secret%{random_suffix}" + + replication { + auto { + customer_managed_encryption { + kms_key_name = "%{kms_key_name}" + } + } + } + + depends_on = [ google_kms_crypto_key_iam_member.kms-secret-binding ] +} +`, context) +} + func testAccCheckSecretManagerSecretDestroyProducer(t *testing.T) func(s *terraform.State) error { return func(s *terraform.State) error { for name, rs := range s.RootModule().Resources { 
diff --git a/google/services/secretmanager/resource_secret_manager_secret_test.go b/google/services/secretmanager/resource_secret_manager_secret_test.go index b91b2951f5d..ec27f0f1184 100644 --- a/google/services/secretmanager/resource_secret_manager_secret_test.go +++ b/google/services/secretmanager/resource_secret_manager_secret_test.go 
@@ -218,6 +218,72 @@ func TestAccSecretManagerSecret_userManagedCmekUpdate(t *testing.T) { }) } +func TestAccSecretManagerSecret_automaticCmekUpdate(t *testing.T) { + t.Parallel() + + suffix := acctest.RandString(t, 10) + key1 := acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "global", "tf-secret-manager-automatic-key1") + key2 := acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "global", "tf-secret-manager-automatic-key2") + context := map[string]interface{}{ + "pid": envvar.GetTestProjectFromEnv(), + "random_suffix": suffix, + "kms_key_name_1": key1.CryptoKey.Name, + "kms_key_name_2": key2.CryptoKey.Name, + } + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckSecretManagerSecretDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccSecretMangerSecret_automaticBasic(context), + }, + { + ResourceName: "google_secret_manager_secret.secret-basic", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl", "replication.0.automatic", "replication.0.auto"}, + }, + { + Config: testAccSecretMangerSecret_automaticCmekBasic(context), + }, + { + ResourceName: "google_secret_manager_secret.secret-basic", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + { + Config: testAccSecretMangerSecret_automaticCmekUpdate(context), + }, + { + ResourceName: "google_secret_manager_secret.secret-basic", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + { + Config: testAccSecretMangerSecret_automaticCmekUpdate2(context), + }, + { + ResourceName: "google_secret_manager_secret.secret-basic", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + { + Config: testAccSecretMangerSecret_automaticCmekBasic(context), + }, + { + 
ResourceName: "google_secret_manager_secret.secret-basic", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + }, + }) +} + func testAccSecretManagerSecret_basic(context map[string]interface{}) string { return acctest.Nprintf(` resource "google_secret_manager_secret" "secret-basic" { @@ -300,7 +366,7 @@ resource "google_secret_manager_secret" "secret-with-annotations" { } replication { - automatic = true + auto {} } } `, context) @@ -323,7 +389,7 @@ resource "google_secret_manager_secret" "secret-with-annotations" { } replication { - automatic = true + auto {} } } `, context) 
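Review bot: The helper names this test calls, `testAccSecretMangerSecret_automaticBasic`, `_automaticCmekBasic`, `_automaticCmekUpdate` and `_automaticCmekUpdate2`, misspell Manager as "Manger"; every other helper in the file uses the `testAccSecretManagerSecret_` prefix, so rename them here and where they are defined in the following hunk (`@@ -632,3 +698,139 @@`) before the typo is copied into other tests. Separately, the first import step ignores both `replication.0.automatic` and `replication.0.auto` while the later steps ignore only `ttl`; a comment above that step saying why (`// imported state is read back as auto {}, while this step's config still uses the deprecated automatic = true`) would keep the next reader from mistaking it for a dropped assertion. The test's Steps list and the enclosing function continue on the next physical line.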
@@ -632,3 +698,139 @@ resource "google_secret_manager_secret" "secret-basic" { } `, context) } + +func testAccSecretMangerSecret_automaticBasic(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" { + project_id = "%{pid}" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-1" { + crypto_key_id = "%{kms_key_name_1}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-2" { + crypto_key_id = "%{kms_key_name_2}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_secret_manager_secret" "secret-basic" { + secret_id = "tf-test-secret-%{random_suffix}" + + labels = { + label = "my-label" + } + replication { + automatic = true + } + depends_on = [ + google_kms_crypto_key_iam_member.kms-secret-binding-1, + google_kms_crypto_key_iam_member.kms-secret-binding-2, + ] +} +`, context) +} + +func testAccSecretMangerSecret_automaticCmekBasic(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" { + project_id = "%{pid}" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-1" { + crypto_key_id = "%{kms_key_name_1}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-2" { + crypto_key_id = "%{kms_key_name_2}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_secret_manager_secret" "secret-basic" { + 
secret_id = "tf-test-secret-%{random_suffix}" + + labels = { + label = "my-label" + } + replication { + auto {} + } + depends_on = [ + google_kms_crypto_key_iam_member.kms-secret-binding-1, + google_kms_crypto_key_iam_member.kms-secret-binding-2, + ] +} +`, context) +} + +func testAccSecretMangerSecret_automaticCmekUpdate(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" { + project_id = "%{pid}" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-1" { + crypto_key_id = "%{kms_key_name_1}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-2" { + crypto_key_id = "%{kms_key_name_2}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_secret_manager_secret" "secret-basic" { + secret_id = "tf-test-secret-%{random_suffix}" + + labels = { + label = "my-label" + } + replication { + auto { + customer_managed_encryption { + kms_key_name = "%{kms_key_name_1}" + } + } + } + depends_on = [ + google_kms_crypto_key_iam_member.kms-secret-binding-1, + google_kms_crypto_key_iam_member.kms-secret-binding-2, + ] +} +`, context) +} + +func testAccSecretMangerSecret_automaticCmekUpdate2(context map[string]interface{}) string { + return acctest.Nprintf(` +data "google_project" "project" { + project_id = "%{pid}" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-1" { + crypto_key_id = "%{kms_key_name_1}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_kms_crypto_key_iam_member" "kms-secret-binding-2" { + crypto_key_id = 
"%{kms_key_name_2}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} +resource "google_secret_manager_secret" "secret-basic" { + secret_id = "tf-test-secret-%{random_suffix}" + + labels = { + label = "my-label" + } + replication { + auto { + customer_managed_encryption { + kms_key_name = "%{kms_key_name_2}" + } + } + } + depends_on = [ + google_kms_crypto_key_iam_member.kms-secret-binding-1, + google_kms_crypto_key_iam_member.kms-secret-binding-2, + ] +} +`, context) +} diff --git a/google/services/secretmanager/resource_secret_manager_secret_version_generated_test.go b/google/services/secretmanager/resource_secret_manager_secret_version_generated_test.go index e5d06bb4183..33e9a1c8208 100644 --- a/google/services/secretmanager/resource_secret_manager_secret_version_generated_test.go +++ b/google/services/secretmanager/resource_secret_manager_secret_version_generated_test.go @@ -65,7 +65,7 @@ resource "google_secret_manager_secret" "secret-basic" { } replication { - automatic = true + auto {} } } diff --git a/google/services/secretmanager/resource_secret_manager_secret_version_test.go b/google/services/secretmanager/resource_secret_manager_secret_version_test.go index be56ee7771c..61757a4f544 100644 --- a/google/services/secretmanager/resource_secret_manager_secret_version_test.go +++ b/google/services/secretmanager/resource_secret_manager_secret_version_test.go @@ -62,7 +62,7 @@ resource "google_secret_manager_secret" "secret-basic" { } replication { - automatic = true + auto {} } } @@ -85,7 +85,7 @@ resource "google_secret_manager_secret" "secret-basic" { } replication { - automatic = true + auto {} } } diff --git a/website/docs/r/cloud_run_v2_job.html.markdown b/website/docs/r/cloud_run_v2_job.html.markdown index b8ca6baf8d6..95d71dda83d 100644 --- a/website/docs/r/cloud_run_v2_job.html.markdown 
+++ b/website/docs/r/cloud_run_v2_job.html.markdown @@ -115,7 +115,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret" replication { - automatic = true + auto {} } } @@ -250,7 +250,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/cloud_run_v2_service.html.markdown b/website/docs/r/cloud_run_v2_service.html.markdown index 246150418b3..33ea6c12fcb 100644 --- a/website/docs/r/cloud_run_v2_service.html.markdown +++ b/website/docs/r/cloud_run_v2_service.html.markdown @@ -111,7 +111,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret-1" replication { - automatic = true + auto {} } } @@ -260,7 +260,7 @@ data "google_project" "project" { resource "google_secret_manager_secret" "secret" { secret_id = "secret-1" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/cloudbuildv2_connection.html.markdown b/website/docs/r/cloudbuildv2_connection.html.markdown index 2690035d24a..71830a48e65 100644 --- a/website/docs/r/cloudbuildv2_connection.html.markdown +++ b/website/docs/r/cloudbuildv2_connection.html.markdown @@ -28,7 +28,7 @@ resource "google_secret_manager_secret" "private-key-secret" { secret_id = "ghe-pk-secret" replication { - automatic = true + auto {} } } @@ -41,7 +41,7 @@ resource "google_secret_manager_secret" "webhook-secret-secret" { secret_id = "github-token-secret" replication { - automatic = true + auto {} } } @@ -95,7 +95,7 @@ resource "google_secret_manager_secret" "github-token-secret" { secret_id = "github-token-secret" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/cloudbuildv2_repository.html.markdown b/website/docs/r/cloudbuildv2_repository.html.markdown index 66165e7b74d..d43f573bde9 100644 --- a/website/docs/r/cloudbuildv2_repository.html.markdown 
+++ b/website/docs/r/cloudbuildv2_repository.html.markdown @@ -28,7 +28,7 @@ resource "google_secret_manager_secret" "private-key-secret" { secret_id = "ghe-pk-secret" replication { - automatic = true + auto {} } } @@ -41,7 +41,7 @@ resource "google_secret_manager_secret" "webhook-secret-secret" { secret_id = "github-token-secret" replication { - automatic = true + auto {} } } @@ -102,7 +102,7 @@ resource "google_secret_manager_secret" "github-token-secret" { secret_id = "github-token-secret" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/dataform_repository.html.markdown b/website/docs/r/dataform_repository.html.markdown index 276e0becffc..c0636af7095 100644 --- a/website/docs/r/dataform_repository.html.markdown +++ b/website/docs/r/dataform_repository.html.markdown @@ -49,7 +49,7 @@ resource "google_secret_manager_secret" "secret" { secret_id = "secret" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/dataform_repository_release_config.html.markdown b/website/docs/r/dataform_repository_release_config.html.markdown index 28d773bffad..78d82fa367f 100644 --- a/website/docs/r/dataform_repository_release_config.html.markdown +++ b/website/docs/r/dataform_repository_release_config.html.markdown @@ -49,7 +49,7 @@ resource "google_secret_manager_secret" "secret" { secret_id = "my_secret" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/dataform_repository_workflow_config.html.markdown b/website/docs/r/dataform_repository_workflow_config.html.markdown index 013a74af0e6..e1ba5b0622a 100644 --- a/website/docs/r/dataform_repository_workflow_config.html.markdown +++ b/website/docs/r/dataform_repository_workflow_config.html.markdown @@ -49,7 +49,7 @@ resource "google_secret_manager_secret" "secret" { secret_id = "my_secret" replication { - automatic = true + auto {} } } 
diff --git a/website/docs/r/network_services_edge_cache_keyset.html.markdown b/website/docs/r/network_services_edge_cache_keyset.html.markdown index 4ff8fb0071e..53cf0a7bcce 100644 --- a/website/docs/r/network_services_edge_cache_keyset.html.markdown +++ b/website/docs/r/network_services_edge_cache_keyset.html.markdown @@ -68,7 +68,7 @@ resource "google_secret_manager_secret" "secret-basic" { secret_id = "secret-name" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/network_services_edge_cache_origin.html.markdown b/website/docs/r/network_services_edge_cache_origin.html.markdown index 60aff8fe8af..31e2c25cdb3 100644 --- a/website/docs/r/network_services_edge_cache_origin.html.markdown +++ b/website/docs/r/network_services_edge_cache_origin.html.markdown @@ -118,7 +118,7 @@ resource "google_secret_manager_secret" "secret-basic" { secret_id = "secret-name" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/network_services_edge_cache_service.html.markdown b/website/docs/r/network_services_edge_cache_service.html.markdown index 8e5a0e8aeeb..ed88025b5bb 100644 --- a/website/docs/r/network_services_edge_cache_service.html.markdown +++ b/website/docs/r/network_services_edge_cache_service.html.markdown @@ -292,7 +292,7 @@ resource "google_secret_manager_secret" "secret-basic" { secret_id = "secret-name" replication { - automatic = true + auto {} } } diff --git a/website/docs/r/secret_manager_secret.html.markdown b/website/docs/r/secret_manager_secret.html.markdown index 93712eda357..190b6358900 100644 --- a/website/docs/r/secret_manager_secret.html.markdown +++ b/website/docs/r/secret_manager_secret.html.markdown 
@@ -79,10 +79,41 @@ resource "google_secret_manager_secret" "secret-with-annotations" { } replication { - automatic = true + auto {} } } ``` + +## Example Usage - Secret With Automatic Cmek + + +```hcl +data "google_project" "project" {} + +resource "google_kms_crypto_key_iam_member" "kms-secret-binding" { + crypto_key_id = "kms-key" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com" +} + +resource "google_secret_manager_secret" "secret-with-automatic-cmek" { + secret_id = "secret" + + replication { + auto { + customer_managed_encryption { + kms_key_name = "kms-key" + } + } + } + + depends_on = [ google_kms_crypto_key_iam_member.kms-secret-binding ] +} +``` ## Argument Reference @@ -103,8 +134,15 @@ The following arguments are supported: The `replication` block supports: * `automatic` - + (Optional, Deprecated) + The Secret will automatically be replicated without any restrictions. + + ~> **Warning:** `automatic` is deprecated and will be removed in a future major release. Use `auto` instead. + +* `auto` - (Optional) The Secret will automatically be replicated without any restrictions. + Structure is [documented below](#nested_auto). * `user_managed` - (Optional) @@ -112,6 +150,22 @@ The following arguments are supported: Structure is [documented below](#nested_user_managed). +The `auto` block supports: + +* `customer_managed_encryption` - + (Optional) + The customer-managed encryption configuration of the Secret. + If no configuration is provided, Google-managed default + encryption is used. + Structure is [documented below](#nested_customer_managed_encryption). + + +The `customer_managed_encryption` block supports: + +* `kms_key_name` - + (Required) + The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. + The `user_managed` block supports: * `replicas` - 
diff --git a/website/docs/r/secret_manager_secret_version.html.markdown b/website/docs/r/secret_manager_secret_version.html.markdown index 4b400b044fe..73ab8b3c33e 100644 --- a/website/docs/r/secret_manager_secret_version.html.markdown +++ b/website/docs/r/secret_manager_secret_version.html.markdown @@ -44,7 +44,7 @@ resource "google_secret_manager_secret" "secret-basic" { } replication { - automatic = true + auto {} } }