Add 'aws_kms_ciphertext' data source. (#14691)

This commit is contained in:
Kit Ewbank 2017-05-22 09:46:18 -04:00 committed by Paul Stack
parent b8fb1b5ed9
commit 8e130b15e4
5 changed files with 259 additions and 4 deletions


@ -0,0 +1,66 @@
package aws
import (
"encoding/base64"
"log"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/kms"
"github.com/hashicorp/terraform/helper/schema"
)
func dataSourceAwsKmsCiphetext() *schema.Resource {
return &schema.Resource{
Read: dataSourceAwsKmsCiphetextRead,
Schema: map[string]*schema.Schema{
"plaintext": {
Type: schema.TypeString,
Required: true,
},
"key_id": {
Type: schema.TypeString,
Required: true,
},
"context": &schema.Schema{
Type: schema.TypeMap,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"ciphertext_blob": {
Type: schema.TypeString,
Computed: true,
},
},
}
}
func dataSourceAwsKmsCiphetextRead(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).kmsconn
d.SetId(time.Now().UTC().String())
req := &kms.EncryptInput{
KeyId: aws.String(d.Get("key_id").(string)),
Plaintext: []byte(d.Get("plaintext").(string)),
}
if ec := d.Get("context"); ec != nil {
req.EncryptionContext = stringMapToPointers(ec.(map[string]interface{}))
}
log.Printf("[DEBUG] KMS encrypt for key: %s", d.Get("key_id").(string))
resp, err := conn.Encrypt(req)
if err != nil {
return err
}
d.Set("ciphertext_blob", base64.StdEncoding.EncodeToString(resp.CiphertextBlob))
return nil
}
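Review bot: The "plaintext" entry in the schema returned by dataSourceAwsKmsCiphetext holds a secret but is not marked sensitive, so the value is echoed in plan and apply output in addition to being persisted in state; adding `Sensitive: true,` beside `Required: true,` keeps it out of CLI output, while the state exposure already called out in the docs page remains. Both function names are spelled `Ciphetext` (missing an r), and the same spelling is repeated in the provider registration hunk; `dataSourceAwsKmsCiphertext` and `dataSourceAwsKmsCiphertextRead` would match the `aws_kms_ciphertext` data source name. The guard `if ec := d.Get("context"); ec != nil` in the Read function is probably always true, since d.Get returns the attribute's zero value (an empty map) when it is unset; `if ec, ok := d.GetOk("context"); ok {` expresses the intent and avoids sending an empty EncryptionContext. Using `time.Now()` as the resource ID also means the ID changes on every read, which is worth a one-line comment since it is deliberate for a data source whose output (KMS ciphertext) is itself non-deterministic.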


@ -0,0 +1,136 @@
package aws
import (
"testing"
"github.com/hashicorp/terraform/helper/resource"
)
func TestAccDataSourceAwsKmsCiphertext_basic(t *testing.T) {
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceAwsKmsCiphertextConfig_basic,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrSet(
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
),
},
},
})
}
func TestAccDataSourceAwsKmsCiphertext_validate(t *testing.T) {
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceAwsKmsCiphertextConfig_validate,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrSet(
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
resource.TestCheckResourceAttrSet(
"data.aws_kms_secret.foo", "plaintext"),
resource.TestCheckResourceAttr(
"data.aws_kms_secret.foo", "plaintext", "Super secret data"),
),
},
},
})
}
func TestAccDataSourceAwsKmsCiphertext_validate_withContext(t *testing.T) {
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceAwsKmsCiphertextConfig_validate_withContext,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrSet(
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
resource.TestCheckResourceAttrSet(
"data.aws_kms_secret.foo", "plaintext"),
resource.TestCheckResourceAttr(
"data.aws_kms_secret.foo", "plaintext", "Super secret data"),
),
},
},
})
}
const testAccDataSourceAwsKmsCiphertextConfig_basic = `
provider "aws" {
region = "us-west-2"
}
resource "aws_kms_key" "foo" {
description = "tf-test-acc-data-source-aws-kms-ciphertext-basic"
is_enabled = true
}
data "aws_kms_ciphertext" "foo" {
key_id = "${aws_kms_key.foo.key_id}"
plaintext = "Super secret data"
}
`
const testAccDataSourceAwsKmsCiphertextConfig_validate = `
provider "aws" {
region = "us-west-2"
}
resource "aws_kms_key" "foo" {
description = "tf-test-acc-data-source-aws-kms-ciphertext-validate"
is_enabled = true
}
data "aws_kms_ciphertext" "foo" {
key_id = "${aws_kms_key.foo.key_id}"
plaintext = "Super secret data"
}
data "aws_kms_secret" "foo" {
secret {
name = "plaintext"
payload = "${data.aws_kms_ciphertext.foo.ciphertext_blob}"
}
}
`
const testAccDataSourceAwsKmsCiphertextConfig_validate_withContext = `
provider "aws" {
region = "us-west-2"
}
resource "aws_kms_key" "foo" {
description = "tf-test-acc-data-source-aws-kms-ciphertext-validate-with-context"
is_enabled = true
}
data "aws_kms_ciphertext" "foo" {
key_id = "${aws_kms_key.foo.key_id}"
plaintext = "Super secret data"
context {
name = "value"
}
}
data "aws_kms_secret" "foo" {
secret {
name = "plaintext"
payload = "${data.aws_kms_ciphertext.foo.ciphertext_blob}"
context {
name = "value"
}
}
}
`
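Review bot: TestAccDataSourceAwsKmsCiphertext_validate_withContext only exercises the success path, where aws_kms_secret decrypts with the same `context` that was used to encrypt, so nothing asserts that the encryption context is actually bound to the ciphertext. A second resource.TestStep whose aws_kms_secret block omits `context` (or uses a different value) and sets `ExpectError` would confirm that decryption is refused without the matching context. These are acceptance tests against real KMS, so the extra step costs one additional Decrypt call.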


@ -183,14 +183,15 @@ func Provider() terraform.ResourceProvider {
"aws_eip": dataSourceAwsEip(),
"aws_elb_hosted_zone_id": dataSourceAwsElbHostedZoneId(),
"aws_elb_service_account": dataSourceAwsElbServiceAccount(),
"aws_kinesis_stream": dataSourceAwsKinesisStream(),
"aws_iam_account_alias": dataSourceAwsIamAccountAlias(),
"aws_iam_policy_document": dataSourceAwsIamPolicyDocument(),
"aws_iam_role": dataSourceAwsIAMRole(),
"aws_iam_server_certificate": dataSourceAwsIAMServerCertificate(),
"aws_instance": dataSourceAwsInstance(),
"aws_ip_ranges": dataSourceAwsIPRanges(),
"aws_kinesis_stream": dataSourceAwsKinesisStream(),
"aws_kms_alias": dataSourceAwsKmsAlias(),
"aws_kms_ciphertext": dataSourceAwsKmsCiphetext(),
"aws_kms_secret": dataSourceAwsKmsSecret(),
"aws_partition": dataSourceAwsPartition(),
"aws_prefix_list": dataSourceAwsPrefixList(),


@ -0,0 +1,48 @@
---
layout: "aws"
page_title: "AWS: aws_kms_ciphertext"
sidebar_current: "docs-aws-datasource-kms-ciphertext"
description: |-
Provides ciphertext encrypted using a KMS key
---
# aws\_kms\_ciphertext
The KMS ciphertext data source allows you to encrypt plaintext into ciphertext
by using an AWS KMS customer master key.
~> **Note:** All arguments including the plaintext be stored in the raw state as plain-text.
[Read more about sensitive data in state](/docs/state/sensitive-data.html).
## Example Usage
```hcl
resource "aws_kms_key" "oauth_config" {
description = "oauth config"
is_enabled = true
}
data "aws_kms_ciphertext" "oauth" {
key_id = "${aws_kms_key.oauth_config.key_id}"
plaintext = <<EOF
{
"client_id": "e587dbae22222f55da22",
"client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
EOF
}
```
## Argument Reference
The following arguments are supported:
* `plaintext` - (Required) Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
* `key_id` - (Required) Globally unique key ID for the customer master key.
* `context` - (Optional) An optional mapping that makes up the encryption context.
## Attributes Reference
All of the argument attributes are also exported as result attributes.
* `ciphertext_blob` - Base64 encoded ciphertext


@ -52,6 +52,7 @@
</li>
<li<%= sidebar_current("docs-aws-datasource-db-instance") %>>
<a href="/docs/providers/aws/d/db_instance.html">aws_db_instance</a>
</li>
<li<%= sidebar_current("docs-aws-datasource-db-snapshot") %>>
<a href="/docs/providers/aws/d/db_snapshot.html">aws_db_snapshot</a>
</li>
@ -85,9 +86,6 @@
<li<%= sidebar_current("docs-aws-datasource-elb-service-account") %>>
<a href="/docs/providers/aws/d/elb_service_account.html">aws_elb_service_account</a>
</li>
<li<%= sidebar_current("docs-aws-datasource-kinesis-stream") %>>
<a href="/docs/providers/aws/d/kinesis_stream.html">aws_kinesis_stream</a>
</li>
<li<%= sidebar_current("docs-aws-datasource-iam-account-alias") %>>
<a href="/docs/providers/aws/d/iam_account_alias.html">aws_iam_account_alias</a>
</li>
@ -106,9 +104,15 @@
<li<%= sidebar_current("docs-aws-datasource-ip_ranges") %>>
<a href="/docs/providers/aws/d/ip_ranges.html">aws_ip_ranges</a>
</li>
<li<%= sidebar_current("docs-aws-datasource-kinesis-stream") %>>
<a href="/docs/providers/aws/d/kinesis_stream.html">aws_kinesis_stream</a>
</li>
<li<%= sidebar_current("docs-aws-datasource-kms-alias") %>>
<a href="/docs/providers/aws/d/kms_alias.html">aws_kms_alias</a>
</li>
<li<%= sidebar_current("docs-aws-datasource-kms-ciphertext") %>>
<a href="/docs/providers/aws/d/kms_ciphertext.html">aws_kms_ciphertext</a>
</li>
<li<%= sidebar_current("docs-aws-datasource-kms-secret") %>>
<a href="/docs/providers/aws/d/kms_secret.html">aws_kms_secret</a>
</li>