Add 'aws_kms_ciphertext' data source. (#14691)
This commit is contained in:
parent
b8fb1b5ed9
commit
8e130b15e4
|
@ -0,0 +1,66 @@
|
|||
package aws
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"log"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/service/kms"
|
||||
"github.com/hashicorp/terraform/helper/schema"
|
||||
)
|
||||
|
||||
func dataSourceAwsKmsCiphetext() *schema.Resource {
|
||||
return &schema.Resource{
|
||||
Read: dataSourceAwsKmsCiphetextRead,
|
||||
|
||||
Schema: map[string]*schema.Schema{
|
||||
"plaintext": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
},
|
||||
|
||||
"key_id": {
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
},
|
||||
|
||||
"context": &schema.Schema{
|
||||
Type: schema.TypeMap,
|
||||
Optional: true,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
},
|
||||
|
||||
"ciphertext_blob": {
|
||||
Type: schema.TypeString,
|
||||
Computed: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func dataSourceAwsKmsCiphetextRead(d *schema.ResourceData, meta interface{}) error {
|
||||
conn := meta.(*AWSClient).kmsconn
|
||||
|
||||
d.SetId(time.Now().UTC().String())
|
||||
|
||||
req := &kms.EncryptInput{
|
||||
KeyId: aws.String(d.Get("key_id").(string)),
|
||||
Plaintext: []byte(d.Get("plaintext").(string)),
|
||||
}
|
||||
|
||||
if ec := d.Get("context"); ec != nil {
|
||||
req.EncryptionContext = stringMapToPointers(ec.(map[string]interface{}))
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] KMS encrypt for key: %s", d.Get("key_id").(string))
|
||||
|
||||
resp, err := conn.Encrypt(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
d.Set("ciphertext_blob", base64.StdEncoding.EncodeToString(resp.CiphertextBlob))
|
||||
|
||||
return nil
|
||||
}
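Review bot: `plaintext` is the secret this data source exists to protect, yet its schema entry is declared without `Sensitive: true`, so the value is printed in plan/apply output and in any debug dump of the resource data, on top of the state-file exposure the docs already warn about; add `Sensitive: true,` to that entry if this helper/schema version supports the flag. The ID is set from `time.Now()` and KMS Encrypt output is itself non-deterministic, so `ciphertext_blob` changes on every refresh and every resource that consumes it will show a diff on each plan; a stable ID derived from key_id, plaintext and context (or at least a doc note telling consumers to ignore changes) would avoid that. The `ec != nil` guard before `req.EncryptionContext` is always true for a TypeMap because `d.Get` returns an empty map rather than nil, so an empty context is sent when none is configured; harmless if KMS treats it as absent, but `if ec := d.Get("context").(map[string]interface{}); len(ec) > 0 {` makes the intent explicit. The bare `return err` after `conn.Encrypt` also drops which key failed; `return fmt.Errorf("error encrypting with KMS key %s: %s", d.Get("key_id").(string), err)` would help when diagnosing a key-policy or disabled-key problem.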
|
|
@ -0,0 +1,136 @@
|
|||
package aws
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/resource"
|
||||
)
|
||||
|
||||
func TestAccDataSourceAwsKmsCiphertext_basic(t *testing.T) {
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccDataSourceAwsKmsCiphertextConfig_basic,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
resource.TestCheckResourceAttrSet(
|
||||
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccDataSourceAwsKmsCiphertext_validate(t *testing.T) {
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccDataSourceAwsKmsCiphertextConfig_validate,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
resource.TestCheckResourceAttrSet(
|
||||
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
|
||||
resource.TestCheckResourceAttrSet(
|
||||
"data.aws_kms_secret.foo", "plaintext"),
|
||||
resource.TestCheckResourceAttr(
|
||||
"data.aws_kms_secret.foo", "plaintext", "Super secret data"),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccDataSourceAwsKmsCiphertext_validate_withContext(t *testing.T) {
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccDataSourceAwsKmsCiphertextConfig_validate_withContext,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
resource.TestCheckResourceAttrSet(
|
||||
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
|
||||
resource.TestCheckResourceAttrSet(
|
||||
"data.aws_kms_secret.foo", "plaintext"),
|
||||
resource.TestCheckResourceAttr(
|
||||
"data.aws_kms_secret.foo", "plaintext", "Super secret data"),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
const testAccDataSourceAwsKmsCiphertextConfig_basic = `
|
||||
provider "aws" {
|
||||
region = "us-west-2"
|
||||
}
|
||||
|
||||
resource "aws_kms_key" "foo" {
|
||||
description = "tf-test-acc-data-source-aws-kms-ciphertext-basic"
|
||||
is_enabled = true
|
||||
}
|
||||
|
||||
data "aws_kms_ciphertext" "foo" {
|
||||
key_id = "${aws_kms_key.foo.key_id}"
|
||||
|
||||
plaintext = "Super secret data"
|
||||
}
|
||||
`
|
||||
|
||||
const testAccDataSourceAwsKmsCiphertextConfig_validate = `
|
||||
provider "aws" {
|
||||
region = "us-west-2"
|
||||
}
|
||||
|
||||
resource "aws_kms_key" "foo" {
|
||||
description = "tf-test-acc-data-source-aws-kms-ciphertext-validate"
|
||||
is_enabled = true
|
||||
}
|
||||
|
||||
data "aws_kms_ciphertext" "foo" {
|
||||
key_id = "${aws_kms_key.foo.key_id}"
|
||||
|
||||
plaintext = "Super secret data"
|
||||
}
|
||||
|
||||
data "aws_kms_secret" "foo" {
|
||||
secret {
|
||||
name = "plaintext"
|
||||
payload = "${data.aws_kms_ciphertext.foo.ciphertext_blob}"
|
||||
}
|
||||
}
|
||||
`
|
||||
|
||||
const testAccDataSourceAwsKmsCiphertextConfig_validate_withContext = `
|
||||
provider "aws" {
|
||||
region = "us-west-2"
|
||||
}
|
||||
|
||||
resource "aws_kms_key" "foo" {
|
||||
description = "tf-test-acc-data-source-aws-kms-ciphertext-validate-with-context"
|
||||
is_enabled = true
|
||||
}
|
||||
|
||||
data "aws_kms_ciphertext" "foo" {
|
||||
key_id = "${aws_kms_key.foo.key_id}"
|
||||
|
||||
plaintext = "Super secret data"
|
||||
|
||||
context {
|
||||
name = "value"
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_kms_secret" "foo" {
|
||||
secret {
|
||||
name = "plaintext"
|
||||
payload = "${data.aws_kms_ciphertext.foo.ciphertext_blob}"
|
||||
|
||||
context {
|
||||
name = "value"
|
||||
}
|
||||
}
|
||||
}
|
||||
`
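Review bot: All three acceptance tests cover only the happy path; none verifies that the encryption context is actually bound to the ciphertext, i.e. that a blob produced with `context { name = "value" }` fails to decrypt when `aws_kms_secret` omits or mismatches that context. A test step using `ExpectError` against such a config would catch a regression where the context is silently dropped on the encrypt side while the decrypt side still passes. The `_basic` test only asserts that `ciphertext_blob` is set; since KMS output is non-deterministic an exact `TestCheckResourceAttr` is impossible, but a custom check that base64-decodes the attribute and confirms it is non-empty and not equal to the plaintext would be a meaningful assertion. The `aws_kms_key` fixtures also set no `deletion_window_in_days`, so each run leaves a key pending deletion for the resource's default window; a short explicit window keeps test accounts cleaner.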
|
|
@ -183,14 +183,15 @@ func Provider() terraform.ResourceProvider {
|
|||
"aws_eip": dataSourceAwsEip(),
|
||||
"aws_elb_hosted_zone_id": dataSourceAwsElbHostedZoneId(),
|
||||
"aws_elb_service_account": dataSourceAwsElbServiceAccount(),
|
||||
"aws_kinesis_stream": dataSourceAwsKinesisStream(),
|
||||
"aws_iam_account_alias": dataSourceAwsIamAccountAlias(),
|
||||
"aws_iam_policy_document": dataSourceAwsIamPolicyDocument(),
|
||||
"aws_iam_role": dataSourceAwsIAMRole(),
|
||||
"aws_iam_server_certificate": dataSourceAwsIAMServerCertificate(),
|
||||
"aws_instance": dataSourceAwsInstance(),
|
||||
"aws_ip_ranges": dataSourceAwsIPRanges(),
|
||||
"aws_kinesis_stream": dataSourceAwsKinesisStream(),
|
||||
"aws_kms_alias": dataSourceAwsKmsAlias(),
|
||||
"aws_kms_ciphertext": dataSourceAwsKmsCiphetext(),
|
||||
"aws_kms_secret": dataSourceAwsKmsSecret(),
|
||||
"aws_partition": dataSourceAwsPartition(),
|
||||
"aws_prefix_list": dataSourceAwsPrefixList(),
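Review bot: The constructor registered on the `aws_kms_ciphertext` line, `dataSourceAwsKmsCiphetext()`, carries a typo (missing `r`) that the new data-source file repeats in both of its functions, while the test file spells the name correctly in `TestAccDataSourceAwsKmsCiphertext_*`. Renaming to `dataSourceAwsKmsCiphertext` and `dataSourceAwsKmsCiphertextRead` now, before other code references them, keeps the identifiers consistent with the resource name and the tests. The move of `aws_kinesis_stream` into alphabetical position is otherwise fine. `Provider()` begins and ends outside this hunk.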
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
---
|
||||
layout: "aws"
|
||||
page_title: "AWS: aws_kms_ciphertext"
|
||||
sidebar_current: "docs-aws-datasource-kms-ciphertext"
|
||||
description: |-
|
||||
Provides ciphertext encrypted using a KMS key
|
||||
---
|
||||
|
||||
# aws\_kms\_ciphertext
|
||||
|
||||
The KMS ciphertext data source allows you to encrypt plaintext into ciphertext
|
||||
by using an AWS KMS customer master key.
|
||||
|
||||
~> **Note:** All arguments including the plaintext be stored in the raw state as plain-text.
|
||||
[Read more about sensitive data in state](/docs/state/sensitive-data.html).
|
||||
|
||||
## Example Usage
|
||||
|
||||
```hcl
|
||||
resource "aws_kms_key" "oauth_config" {
|
||||
description = "oauth config"
|
||||
is_enabled = true
|
||||
}
|
||||
|
||||
data "aws_kms_ciphertext" "oauth" {
|
||||
key_id = "${aws_kms_key.oauth_config.key_id}"
|
||||
plaintext = <<EOF
|
||||
{
|
||||
"client_id": "e587dbae22222f55da22",
|
||||
"client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
|
||||
}
|
||||
EOF
|
||||
}
|
||||
```
|
||||
|
||||
## Argument Reference
|
||||
|
||||
The following arguments are supported:
|
||||
|
||||
* `plaintext` - (Required) Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
|
||||
* `key_id` - (Required) Globally unique key ID for the customer master key.
|
||||
* `context` - (Optional) An optional mapping that makes up the encryption context.
|
||||
|
||||
## Attributes Reference
|
||||
|
||||
All of the argument attributes are also exported as result attributes.
|
||||
|
||||
* `ciphertext_blob` - Base64 encoded ciphertext
|
|
@ -52,6 +52,7 @@
|
|||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-db-instance") %>>
|
||||
<a href="/docs/providers/aws/d/db_instance.html">aws_db_instance</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-db-snapshot") %>>
|
||||
<a href="/docs/providers/aws/d/db_snapshot.html">aws_db_snapshot</a>
|
||||
</li>
|
||||
|
@ -85,9 +86,6 @@
|
|||
<li<%= sidebar_current("docs-aws-datasource-elb-service-account") %>>
|
||||
<a href="/docs/providers/aws/d/elb_service_account.html">aws_elb_service_account</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-kinesis-stream") %>>
|
||||
<a href="/docs/providers/aws/d/kinesis_stream.html">aws_kinesis_stream</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-iam-account-alias") %>>
|
||||
<a href="/docs/providers/aws/d/iam_account_alias.html">aws_iam_account_alias</a>
|
||||
</li>
|
||||
|
@ -106,9 +104,15 @@
|
|||
<li<%= sidebar_current("docs-aws-datasource-ip_ranges") %>>
|
||||
<a href="/docs/providers/aws/d/ip_ranges.html">aws_ip_ranges</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-kinesis-stream") %>>
|
||||
<a href="/docs/providers/aws/d/kinesis_stream.html">aws_kinesis_stream</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-kms-alias") %>>
|
||||
<a href="/docs/providers/aws/d/kms_alias.html">aws_kms_alias</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-kms-ciphertext") %>>
|
||||
<a href="/docs/providers/aws/d/kms_ciphertext.html">aws_kms_ciphertext</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-aws-datasource-kms-secret") %>>
|
||||
<a href="/docs/providers/aws/d/kms_secret.html">aws_kms_secret</a>
|
||||
</li>
|
||||
|
|