aws: kms_key - Add support for is_enabled + enable_key_rotation
This commit is contained in:
parent
347913a3be
commit
6f8a9c0f77
|
@ -3,7 +3,9 @@ package aws
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/resource"
|
||||||
"github.com/hashicorp/terraform/helper/schema"
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
|
|
||||||
"github.com/aws/aws-sdk-go/aws"
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
|
@ -51,6 +53,16 @@ func resourceAwsKmsKey() *schema.Resource {
|
||||||
Computed: true,
|
Computed: true,
|
||||||
StateFunc: normalizeJson,
|
StateFunc: normalizeJson,
|
||||||
},
|
},
|
||||||
|
"is_enabled": &schema.Schema{
|
||||||
|
Type: schema.TypeBool,
|
||||||
|
Optional: true,
|
||||||
|
Default: true,
|
||||||
|
},
|
||||||
|
"enable_key_rotation": &schema.Schema{
|
||||||
|
Type: schema.TypeBool,
|
||||||
|
Optional: true,
|
||||||
|
Default: false,
|
||||||
|
},
|
||||||
"deletion_window_in_days": &schema.Schema{
|
"deletion_window_in_days": &schema.Schema{
|
||||||
Type: schema.TypeInt,
|
Type: schema.TypeInt,
|
||||||
Optional: true,
|
Optional: true,
|
||||||
|
@ -88,8 +100,9 @@ func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
d.SetId(*resp.KeyMetadata.KeyId)
|
d.SetId(*resp.KeyMetadata.KeyId)
|
||||||
|
d.Set("key_id", resp.KeyMetadata.KeyId)
|
||||||
|
|
||||||
return resourceAwsKmsKeyRead(d, meta)
|
return _resourceAwsKmsKeyUpdate(d, meta, true)
|
||||||
}
|
}
|
||||||
|
|
||||||
func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
|
func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
@ -110,6 +123,7 @@ func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
d.Set("key_id", metadata.KeyId)
|
d.Set("key_id", metadata.KeyId)
|
||||||
d.Set("description", metadata.Description)
|
d.Set("description", metadata.Description)
|
||||||
d.Set("key_usage", metadata.KeyUsage)
|
d.Set("key_usage", metadata.KeyUsage)
|
||||||
|
d.Set("is_enabled", metadata.Enabled)
|
||||||
|
|
||||||
p, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{
|
p, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{
|
||||||
KeyId: metadata.KeyId,
|
KeyId: metadata.KeyId,
|
||||||
|
@ -121,12 +135,40 @@ func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
|
||||||
d.Set("policy", normalizeJson(*p.Policy))
|
d.Set("policy", normalizeJson(*p.Policy))
|
||||||
|
|
||||||
|
krs, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
|
||||||
|
KeyId: metadata.KeyId,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
d.Set("enable_key_rotation", krs.KeyRotationEnabled)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error {
|
func resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
return _resourceAwsKmsKeyUpdate(d, meta, false)
|
||||||
|
}
|
||||||
|
|
||||||
|
// We expect new keys to be enabled already
|
||||||
|
// but there is no easy way to differentiate between Update()
|
||||||
|
// called from Create() and regular update, so we have this wrapper
|
||||||
|
func _resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}, isFresh bool) error {
|
||||||
conn := meta.(*AWSClient).kmsconn
|
conn := meta.(*AWSClient).kmsconn
|
||||||
|
|
||||||
|
if d.HasChange("is_enabled") && d.Get("is_enabled").(bool) && !isFresh {
|
||||||
|
// Enable before any attributes will be modified
|
||||||
|
if err := updateKmsKeyStatus(conn, d.Id(), d.Get("is_enabled").(bool)); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if d.HasChange("enable_key_rotation") {
|
||||||
|
if err := updateKmsKeyRotationStatus(conn, d); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if d.HasChange("description") {
|
if d.HasChange("description") {
|
||||||
if err := resourceAwsKmsKeyDescriptionUpdate(conn, d); err != nil {
|
if err := resourceAwsKmsKeyDescriptionUpdate(conn, d); err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -137,6 +179,15 @@ func resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if d.HasChange("is_enabled") && !d.Get("is_enabled").(bool) {
|
||||||
|
// Only disable when all attributes are modified
|
||||||
|
// because we cannot modify disabled keys
|
||||||
|
if err := updateKmsKeyStatus(conn, d.Id(), d.Get("is_enabled").(bool)); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return resourceAwsKmsKeyRead(d, meta)
|
return resourceAwsKmsKeyRead(d, meta)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -169,6 +220,108 @@ func resourceAwsKmsKeyPolicyUpdate(conn *kms.KMS, d *schema.ResourceData) error
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func updateKmsKeyStatus(conn *kms.KMS, id string, shouldBeEnabled bool) error {
|
||||||
|
var err error
|
||||||
|
|
||||||
|
if shouldBeEnabled {
|
||||||
|
log.Printf("[DEBUG] Enabling KMS key %q", id)
|
||||||
|
_, err = conn.EnableKey(&kms.EnableKeyInput{
|
||||||
|
KeyId: aws.String(id),
|
||||||
|
})
|
||||||
|
} else {
|
||||||
|
log.Printf("[DEBUG] Disabling KMS key %q", id)
|
||||||
|
_, err = conn.DisableKey(&kms.DisableKeyInput{
|
||||||
|
KeyId: aws.String(id),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Failed to set KMS key %q status to %t: %q",
|
||||||
|
id, shouldBeEnabled, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wait for propagation since KMS is eventually consistent
|
||||||
|
wait := resource.StateChangeConf{
|
||||||
|
Pending: []string{fmt.Sprintf("%t", !shouldBeEnabled)},
|
||||||
|
Target: []string{fmt.Sprintf("%t", shouldBeEnabled)},
|
||||||
|
Timeout: 20 * time.Minute,
|
||||||
|
MinTimeout: 2 * time.Second,
|
||||||
|
ContinuousTargetOccurence: 10,
|
||||||
|
Refresh: func() (interface{}, string, error) {
|
||||||
|
log.Printf("[DEBUG] Checking if KMS key %s enabled status is %t",
|
||||||
|
id, shouldBeEnabled)
|
||||||
|
resp, err := conn.DescribeKey(&kms.DescribeKeyInput{
|
||||||
|
KeyId: aws.String(id),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return resp, "FAILED", err
|
||||||
|
}
|
||||||
|
status := fmt.Sprintf("%t", *resp.KeyMetadata.Enabled)
|
||||||
|
log.Printf("[DEBUG] KMS key %s status received: %s, retrying", id, status)
|
||||||
|
|
||||||
|
return resp, status, nil
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = wait.WaitForState()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Failed setting KMS key status to %t: %s", shouldBeEnabled, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error {
|
||||||
|
var err error
|
||||||
|
shouldEnableRotation := d.Get("enable_key_rotation").(bool)
|
||||||
|
if shouldEnableRotation {
|
||||||
|
log.Printf("[DEBUG] Enabling key rotation for KMS key %q", d.Id())
|
||||||
|
_, err = conn.EnableKeyRotation(&kms.EnableKeyRotationInput{
|
||||||
|
KeyId: aws.String(d.Id()),
|
||||||
|
})
|
||||||
|
} else {
|
||||||
|
log.Printf("[DEBUG] Disabling key rotation for KMS key %q", d.Id())
|
||||||
|
_, err = conn.DisableKeyRotation(&kms.DisableKeyRotationInput{
|
||||||
|
KeyId: aws.String(d.Id()),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Failed to set key rotation for %q to %t: %q",
|
||||||
|
d.Id(), shouldEnableRotation, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wait for propagation since KMS is eventually consistent
|
||||||
|
wait := resource.StateChangeConf{
|
||||||
|
Pending: []string{fmt.Sprintf("%t", !shouldEnableRotation)},
|
||||||
|
Target: []string{fmt.Sprintf("%t", shouldEnableRotation)},
|
||||||
|
Timeout: 5 * time.Minute,
|
||||||
|
MinTimeout: 1 * time.Second,
|
||||||
|
ContinuousTargetOccurence: 5,
|
||||||
|
Refresh: func() (interface{}, string, error) {
|
||||||
|
log.Printf("[DEBUG] Checking if KMS key %s rotation status is %t",
|
||||||
|
d.Id(), shouldEnableRotation)
|
||||||
|
resp, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
|
||||||
|
KeyId: aws.String(d.Id()),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return resp, "FAILED", err
|
||||||
|
}
|
||||||
|
status := fmt.Sprintf("%t", *resp.KeyRotationEnabled)
|
||||||
|
log.Printf("[DEBUG] KMS key %s rotation status received: %s, retrying", d.Id(), status)
|
||||||
|
|
||||||
|
return resp, status, nil
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = wait.WaitForState()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Failed setting KMS key rotation status to %t: %s", shouldEnableRotation, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func resourceAwsKmsKeyDelete(d *schema.ResourceData, meta interface{}) error {
|
func resourceAwsKmsKeyDelete(d *schema.ResourceData, meta interface{}) error {
|
||||||
conn := meta.(*AWSClient).kmsconn
|
conn := meta.(*AWSClient).kmsconn
|
||||||
keyId := d.Get("key_id").(string)
|
keyId := d.Get("key_id").(string)
|
||||||
|
|
|
@ -12,6 +12,8 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestAccAWSKmsKey_basic(t *testing.T) {
|
func TestAccAWSKmsKey_basic(t *testing.T) {
|
||||||
|
var keyBefore, keyAfter kms.KeyMetadata
|
||||||
|
|
||||||
resource.Test(t, resource.TestCase{
|
resource.Test(t, resource.TestCase{
|
||||||
PreCheck: func() { testAccPreCheck(t) },
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
Providers: testAccProviders,
|
Providers: testAccProviders,
|
||||||
|
@ -20,13 +22,52 @@ func TestAccAWSKmsKey_basic(t *testing.T) {
|
||||||
resource.TestStep{
|
resource.TestStep{
|
||||||
Config: testAccAWSKmsKey,
|
Config: testAccAWSKmsKey,
|
||||||
Check: resource.ComposeTestCheckFunc(
|
Check: resource.ComposeTestCheckFunc(
|
||||||
testAccCheckAWSKmsKeyExists("aws_kms_key.foo"),
|
testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore),
|
||||||
),
|
),
|
||||||
},
|
},
|
||||||
resource.TestStep{
|
resource.TestStep{
|
||||||
Config: testAccAWSKmsKey_removedPolicy,
|
Config: testAccAWSKmsKey_removedPolicy,
|
||||||
Check: resource.ComposeTestCheckFunc(
|
Check: resource.ComposeTestCheckFunc(
|
||||||
testAccCheckAWSKmsKeyExists("aws_kms_key.foo"),
|
testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyAfter),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAccAWSKmsKey_isEnabled(t *testing.T) {
|
||||||
|
var key1, key2, key3 kms.KeyMetadata
|
||||||
|
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
CheckDestroy: testAccCheckAWSKmsKeyDestroy,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
resource.TestStep{
|
||||||
|
Config: testAccAWSKmsKey_enabledRotation,
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key1),
|
||||||
|
resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
|
||||||
|
testAccCheckAWSKmsKeyIsEnabled(&key1, true),
|
||||||
|
resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
resource.TestStep{
|
||||||
|
Config: testAccAWSKmsKey_disabled,
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key2),
|
||||||
|
resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "false"),
|
||||||
|
testAccCheckAWSKmsKeyIsEnabled(&key2, false),
|
||||||
|
resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "false"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
resource.TestStep{
|
||||||
|
Config: testAccAWSKmsKey_enabled,
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key3),
|
||||||
|
resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
|
||||||
|
testAccCheckAWSKmsKeyIsEnabled(&key3, true),
|
||||||
|
resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
|
||||||
),
|
),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -55,13 +96,39 @@ func testAccCheckAWSKmsKeyDestroy(s *terraform.State) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func testAccCheckAWSKmsKeyExists(name string) resource.TestCheckFunc {
|
func testAccCheckAWSKmsKeyExists(name string, key *kms.KeyMetadata) resource.TestCheckFunc {
|
||||||
return func(s *terraform.State) error {
|
return func(s *terraform.State) error {
|
||||||
_, ok := s.RootModule().Resources[name]
|
rs, ok := s.RootModule().Resources[name]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("Not found: %s", name)
|
return fmt.Errorf("Not found: %s", name)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if rs.Primary.ID == "" {
|
||||||
|
return fmt.Errorf("No KMS Key ID is set")
|
||||||
|
}
|
||||||
|
|
||||||
|
conn := testAccProvider.Meta().(*AWSClient).kmsconn
|
||||||
|
|
||||||
|
out, err := conn.DescribeKey(&kms.DescribeKeyInput{
|
||||||
|
KeyId: aws.String(rs.Primary.ID),
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
*key = *out.KeyMetadata
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccCheckAWSKmsKeyIsEnabled(key *kms.KeyMetadata, isEnabled bool) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
if *key.Enabled != isEnabled {
|
||||||
|
return fmt.Errorf("Expected key %q to have is_enabled=%t, given %t",
|
||||||
|
*key.Arn, isEnabled, *key.Enabled)
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -95,3 +162,24 @@ resource "aws_kms_key" "foo" {
|
||||||
description = "Terraform acc test %s"
|
description = "Terraform acc test %s"
|
||||||
deletion_window_in_days = 7
|
deletion_window_in_days = 7
|
||||||
}`, kmsTimestamp)
|
}`, kmsTimestamp)
|
||||||
|
|
||||||
|
var testAccAWSKmsKey_enabledRotation = fmt.Sprintf(`
|
||||||
|
resource "aws_kms_key" "bar" {
|
||||||
|
description = "Terraform acc test is_enabled %s"
|
||||||
|
deletion_window_in_days = 7
|
||||||
|
enable_key_rotation = true
|
||||||
|
}`, kmsTimestamp)
|
||||||
|
var testAccAWSKmsKey_disabled = fmt.Sprintf(`
|
||||||
|
resource "aws_kms_key" "bar" {
|
||||||
|
description = "Terraform acc test is_enabled %s"
|
||||||
|
deletion_window_in_days = 7
|
||||||
|
enable_key_rotation = false
|
||||||
|
is_enabled = false
|
||||||
|
}`, kmsTimestamp)
|
||||||
|
var testAccAWSKmsKey_enabled = fmt.Sprintf(`
|
||||||
|
resource "aws_kms_key" "bar" {
|
||||||
|
description = "Terraform acc test is_enabled %s"
|
||||||
|
deletion_window_in_days = 7
|
||||||
|
enable_key_rotation = true
|
||||||
|
is_enabled = true
|
||||||
|
}`, kmsTimestamp)
|
||||||
|
|
|
@ -29,6 +29,9 @@ The following arguments are supported:
|
||||||
* `policy` - (Optional) A valid policy JSON document.
|
* `policy` - (Optional) A valid policy JSON document.
|
||||||
* `deletion_window_in_days` - (Optional) Duration in days after which the key is deleted
|
* `deletion_window_in_days` - (Optional) Duration in days after which the key is deleted
|
||||||
after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
|
after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
|
||||||
|
* `is_enabled` - (Optional) Specifies whether the key is enabled. Defaults to true.
|
||||||
|
* `enable_key_rotation` - (Optional) Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
|
||||||
|
is enabled. Defaults to false.
|
||||||
|
|
||||||
## Attributes Reference
|
## Attributes Reference
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue