Add EKM_VPC tests.
tdbhacks committed Mar 14, 2024
1 parent 575e876 commit 917c875
Showing 1 changed file with 160 additions and 4 deletions.
Expand Up @@ -546,13 +546,62 @@ func TestAccKmsCryptoKeyVersion_externalProtectionLevelOptions(t *testing.T) {
projectBillingAccount := envvar.GetTestBillingAccountFromEnv(t)
keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
keyUri := "data.google_secret_manager_secret_version.key_uri.secret_data"
updatedKeyUri := "data.google_secret_manager_secret_version.key_path.secret_data"

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
Steps: []resource.TestStep{
{
Config: testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptions(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName),
Config: testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptions(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, keyUri),
},
{
ResourceName: "google_kms_crypto_key_version.crypto_key_version",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
},
{
Config: testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptions(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, updatedKeyUri),
},
{
ResourceName: "google_kms_crypto_key_version.crypto_key_version",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
},
},
})
}

func TestAccKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc(t *testing.T) {
t.Parallel()

projectId := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
projectOrg := envvar.GetTestOrgFromEnv(t)
projectBillingAccount := envvar.GetTestBillingAccountFromEnv(t)
keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
ekmConnectionName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
keyPath := "data.google_secret_manager_secret_version.key_path.secret_data"
updatedKeyPath := "data.google_secret_manager_secret_version.key_uri.secret_data"

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
Steps: []resource.TestStep{
{
Config: testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, ekmConnectionName, keyPath),
},
{
ResourceName: "google_kms_crypto_key_version.crypto_key_version",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
},
{
Config: testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, ekmConnectionName, updatedKeyPath),
},
{
ResourceName: "google_kms_crypto_key_version.crypto_key_version",
Expand Down Expand Up @@ -980,7 +1029,7 @@ resource "google_kms_crypto_key_version" "crypto_key_version" {
`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, preventDestroy, state)
}

func testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptions(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName string) string {
func testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptions(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, keyUri string) string {
return fmt.Sprintf(`
resource "google_project" "acceptance" {
name = "%s"
Expand Down Expand Up @@ -1019,12 +1068,119 @@ data "google_secret_manager_secret_version" "key_uri" {
secret = "external-full-key-uri"
project = "315636579862"
}
data "google_secret_manager_secret_version" "key_path" {
secret = "external-keypath"
project = "315636579862"
}
resource "google_kms_crypto_key_version" "crypto_key_version" {
crypto_key = google_kms_crypto_key.crypto_key.id
external_protection_level_options {
external_key_uri = data.google_secret_manager_secret_version.key_uri.secret_data
external_key_uri = %s
}
}
`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName)
`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, keyUri)
}

// EkmConnection setup and creation is based off of resource_kms_ekm_connection_test.go
func testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, ekmConnectionName, keyPath string) string {
return fmt.Sprintf(`
resource "google_project" "acceptance" {
name = "%s"
project_id = "%s"
org_id = "%s"
billing_account = "%s"
}
resource "google_project_service" "acceptance" {
project = google_project.acceptance.project_id
service = "cloudkms.googleapis.com"
}
resource "google_kms_key_ring" "key_ring" {
project = google_project_service.acceptance.project
name = "%s"
location = "us-central1"
}
data "google_project" "vpc-project" {
project_id = "cloud-ekm-refekm-playground"
}
data "google_project" "project" {
project_id = google_project.acceptance.project_id
}
data "google_secret_manager_secret_version" "raw_der" {
secret = "playground-cert"
project = "315636579862"
}
data "google_secret_manager_secret_version" "hostname" {
secret = "external-uri"
project = "315636579862"
}
data "google_secret_manager_secret_version" "servicedirectoryservice" {
secret = "external-servicedirectoryservice"
project = "315636579862"
}
resource "google_project_iam_member" "add_sdviewer" {
project = data.google_project.vpc-project.number
role = "roles/servicedirectory.viewer"
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-ekms.iam.gserviceaccount.com"
}
resource "google_project_iam_member" "add_pscAuthorizedService" {
project = data.google_project.vpc-project.number
role = "roles/servicedirectory.pscAuthorizedService"
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-ekms.iam.gserviceaccount.com"
}
resource "google_kms_ekm_connection" "example-ekmconnection" {
name = "%s"
location = "us-central1"
key_management_mode = "MANUAL"
service_resolvers {
service_directory_service = data.google_secret_manager_secret_version.servicedirectoryservice.secret_data
hostname = data.google_secret_manager_secret_version.hostname.secret_data
server_certificates {
raw_der = data.google_secret_manager_secret_version.raw_der.secret_data
}
}
depends_on = [
google_project_iam_member.add_pscAuthorizedService,
google_project_iam_member.add_sdviewer
]
}
resource "google_kms_crypto_key" "crypto_key" {
name = "%s"
key_ring = google_kms_key_ring.key_ring.id
version_template {
algorithm = "EXTERNAL_SYMMETRIC_ENCRYPTION"
protection_level = "EXTERNAL_VPC"
}
labels = {
key = "value"
}
crypto_key_backend = google_kms_ekm_connection.example-ekmconnection.name
skip_initial_version_creation = true
}
data "google_secret_manager_secret_version" "key_uri" {
secret = "external-full-key-uri"
project = "315636579862"
}
data "google_secret_manager_secret_version" "key_path" {
secret = "external-keypath"
project = "315636579862"
}
resource "google_kms_crypto_key_version" "crypto_key_version" {
crypto_key = google_kms_crypto_key.crypto_key.id
external_protection_level_options {
ekm_connection_key_path = %s
}
}
`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, ekmConnectionName, cryptoKeyName, keyPath)
}
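Review bot: The `google_project_iam_member` resources in `testGoogleKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc` grant `roles/servicedirectory.viewer` and `roles/servicedirectory.pscAuthorizedService` on the shared `cloud-ekm-refekm-playground` project to the throwaway test project's EKMS service agent, so a run that aborts before destroy leaves stale bindings on a project other tests share rather than on the ephemeral project; a sweeper or at least a comment above those resources stating that expectation would help, e.g. `// Grants on the shared playground project; these must be destroyed with the test project or they accumulate.`. These tests run under `acctest.VcrTest`, and if that records the HTTP exchanges to a cassette, the Secret Manager access responses — `raw_der`, `hostname`, `servicedirectoryservice`, and both key paths — are presumably captured in it, which is worth confirming against the cassette scrubbing before treating those secrets as non-sensitive. The secrets project number `315636579862` is now repeated seven times across the two config functions; a single `const ekmTestSecretsProject = "315636579862"` substituted into the templates would keep them from drifting. Also note the update steps swap the fixtures (`updatedKeyPath` reads the `key_uri` secret, `updatedKeyUri` reads `key_path`); if that is intentional to exercise the update path with any distinct value, a one-line comment on each would stop a reader from reading it as a typo. `TestAccKmsCryptoKeyVersion_externalProtectionLevelOptionsVpc` continues past the first hunk into the collapsed region between it and the next hunk.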
