Add 'aws_kms_ciphertext' data source. (#14691)
parent
b8fb1b5ed9
commit
8e130b15e4
|
@ -0,0 +1,66 @@
|
||||||
|
package aws
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/base64"
|
||||||
|
"log"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
|
"github.com/aws/aws-sdk-go/service/kms"
|
||||||
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
|
)
|
||||||
|
|
||||||
|
func dataSourceAwsKmsCiphetext() *schema.Resource {
|
||||||
|
return &schema.Resource{
|
||||||
|
Read: dataSourceAwsKmsCiphetextRead,
|
||||||
|
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
"plaintext": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"key_id": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
|
||||||
|
"context": &schema.Schema{
|
||||||
|
Type: schema.TypeMap,
|
||||||
|
Optional: true,
|
||||||
|
Elem: &schema.Schema{Type: schema.TypeString},
|
||||||
|
},
|
||||||
|
|
||||||
|
"ciphertext_blob": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func dataSourceAwsKmsCiphetextRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
conn := meta.(*AWSClient).kmsconn
|
||||||
|
|
||||||
|
d.SetId(time.Now().UTC().String())
|
||||||
|
|
||||||
|
req := &kms.EncryptInput{
|
||||||
|
KeyId: aws.String(d.Get("key_id").(string)),
|
||||||
|
Plaintext: []byte(d.Get("plaintext").(string)),
|
||||||
|
}
|
||||||
|
|
||||||
|
if ec := d.Get("context"); ec != nil {
|
||||||
|
req.EncryptionContext = stringMapToPointers(ec.(map[string]interface{}))
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("[DEBUG] KMS encrypt for key: %s", d.Get("key_id").(string))
|
||||||
|
|
||||||
|
resp, err := conn.Encrypt(req)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
d.Set("ciphertext_blob", base64.StdEncoding.EncodeToString(resp.CiphertextBlob))
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
|
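Review bot: The `plaintext` entry in the schema is declared without `Sensitive: true`, so the value being encrypted is likely to be printed in plan and diff output; adding `Sensitive: true,` to that entry masks it in CLI output, though it does not keep it out of state. In `dataSourceAwsKmsCiphetextRead`, `d.Get("context")` on a `TypeMap` should return an empty map rather than nil when the argument is unset, so the `ec != nil` guard is effectively always true; `if ec, ok := d.GetOk("context"); ok {` states the intent. The error from `d.Set("ciphertext_blob", ...)` is dropped and should be returned. `d.SetId(time.Now().UTC().String())` also runs before `conn.Encrypt`, so moving it below the `err` check avoids assigning an ID for a read that failed.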
@ -0,0 +1,136 @@
|
||||||
|
package aws
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/resource"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestAccDataSourceAwsKmsCiphertext_basic(t *testing.T) {
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
{
|
||||||
|
Config: testAccDataSourceAwsKmsCiphertextConfig_basic,
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
resource.TestCheckResourceAttrSet(
|
||||||
|
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAccDataSourceAwsKmsCiphertext_validate(t *testing.T) {
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
{
|
||||||
|
Config: testAccDataSourceAwsKmsCiphertextConfig_validate,
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
resource.TestCheckResourceAttrSet(
|
||||||
|
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
|
||||||
|
resource.TestCheckResourceAttrSet(
|
||||||
|
"data.aws_kms_secret.foo", "plaintext"),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"data.aws_kms_secret.foo", "plaintext", "Super secret data"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAccDataSourceAwsKmsCiphertext_validate_withContext(t *testing.T) {
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
{
|
||||||
|
Config: testAccDataSourceAwsKmsCiphertextConfig_validate_withContext,
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
resource.TestCheckResourceAttrSet(
|
||||||
|
"data.aws_kms_ciphertext.foo", "ciphertext_blob"),
|
||||||
|
resource.TestCheckResourceAttrSet(
|
||||||
|
"data.aws_kms_secret.foo", "plaintext"),
|
||||||
|
resource.TestCheckResourceAttr(
|
||||||
|
"data.aws_kms_secret.foo", "plaintext", "Super secret data"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
const testAccDataSourceAwsKmsCiphertextConfig_basic = `
|
||||||
|
provider "aws" {
|
||||||
|
region = "us-west-2"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_kms_key" "foo" {
|
||||||
|
description = "tf-test-acc-data-source-aws-kms-ciphertext-basic"
|
||||||
|
is_enabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
data "aws_kms_ciphertext" "foo" {
|
||||||
|
key_id = "${aws_kms_key.foo.key_id}"
|
||||||
|
|
||||||
|
plaintext = "Super secret data"
|
||||||
|
}
|
||||||
|
`
|
||||||
|
|
||||||
|
const testAccDataSourceAwsKmsCiphertextConfig_validate = `
|
||||||
|
provider "aws" {
|
||||||
|
region = "us-west-2"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_kms_key" "foo" {
|
||||||
|
description = "tf-test-acc-data-source-aws-kms-ciphertext-validate"
|
||||||
|
is_enabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
data "aws_kms_ciphertext" "foo" {
|
||||||
|
key_id = "${aws_kms_key.foo.key_id}"
|
||||||
|
|
||||||
|
plaintext = "Super secret data"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "aws_kms_secret" "foo" {
|
||||||
|
secret {
|
||||||
|
name = "plaintext"
|
||||||
|
payload = "${data.aws_kms_ciphertext.foo.ciphertext_blob}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`
|
||||||
|
|
||||||
|
const testAccDataSourceAwsKmsCiphertextConfig_validate_withContext = `
|
||||||
|
provider "aws" {
|
||||||
|
region = "us-west-2"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_kms_key" "foo" {
|
||||||
|
description = "tf-test-acc-data-source-aws-kms-ciphertext-validate-with-context"
|
||||||
|
is_enabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
data "aws_kms_ciphertext" "foo" {
|
||||||
|
key_id = "${aws_kms_key.foo.key_id}"
|
||||||
|
|
||||||
|
plaintext = "Super secret data"
|
||||||
|
|
||||||
|
context {
|
||||||
|
name = "value"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
data "aws_kms_secret" "foo" {
|
||||||
|
secret {
|
||||||
|
name = "plaintext"
|
||||||
|
payload = "${data.aws_kms_ciphertext.foo.ciphertext_blob}"
|
||||||
|
|
||||||
|
context {
|
||||||
|
name = "value"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`
|
|
@ -183,14 +183,15 @@ func Provider() terraform.ResourceProvider {
|
||||||
"aws_eip": dataSourceAwsEip(),
|
"aws_eip": dataSourceAwsEip(),
|
||||||
"aws_elb_hosted_zone_id": dataSourceAwsElbHostedZoneId(),
|
"aws_elb_hosted_zone_id": dataSourceAwsElbHostedZoneId(),
|
||||||
"aws_elb_service_account": dataSourceAwsElbServiceAccount(),
|
"aws_elb_service_account": dataSourceAwsElbServiceAccount(),
|
||||||
"aws_kinesis_stream": dataSourceAwsKinesisStream(),
|
|
||||||
"aws_iam_account_alias": dataSourceAwsIamAccountAlias(),
|
"aws_iam_account_alias": dataSourceAwsIamAccountAlias(),
|
||||||
"aws_iam_policy_document": dataSourceAwsIamPolicyDocument(),
|
"aws_iam_policy_document": dataSourceAwsIamPolicyDocument(),
|
||||||
"aws_iam_role": dataSourceAwsIAMRole(),
|
"aws_iam_role": dataSourceAwsIAMRole(),
|
||||||
"aws_iam_server_certificate": dataSourceAwsIAMServerCertificate(),
|
"aws_iam_server_certificate": dataSourceAwsIAMServerCertificate(),
|
||||||
"aws_instance": dataSourceAwsInstance(),
|
"aws_instance": dataSourceAwsInstance(),
|
||||||
"aws_ip_ranges": dataSourceAwsIPRanges(),
|
"aws_ip_ranges": dataSourceAwsIPRanges(),
|
||||||
|
"aws_kinesis_stream": dataSourceAwsKinesisStream(),
|
||||||
"aws_kms_alias": dataSourceAwsKmsAlias(),
|
"aws_kms_alias": dataSourceAwsKmsAlias(),
|
||||||
|
"aws_kms_ciphertext": dataSourceAwsKmsCiphetext(),
|
||||||
"aws_kms_secret": dataSourceAwsKmsSecret(),
|
"aws_kms_secret": dataSourceAwsKmsSecret(),
|
||||||
"aws_partition": dataSourceAwsPartition(),
|
"aws_partition": dataSourceAwsPartition(),
|
||||||
"aws_prefix_list": dataSourceAwsPrefixList(),
|
"aws_prefix_list": dataSourceAwsPrefixList(),
|
||||||
|
|
|
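Review bot: The constructor registered for `"aws_kms_ciphertext"` is spelled `dataSourceAwsKmsCiphetext` (missing the `r`), and the same spelling is used for `dataSourceAwsKmsCiphetextRead` in the new data source file. The user-facing name is correct, so this is a naming point only, but the misspelling makes the functions hard to find by searching for "Ciphertext" alongside the test names, which are spelled correctly. I would rename them to `dataSourceAwsKmsCiphertext` and `dataSourceAwsKmsCiphertextRead` before this lands. The enclosing `Provider()` map continues outside this hunk.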
@ -0,0 +1,48 @@
|
||||||
|
---
|
||||||
|
layout: "aws"
|
||||||
|
page_title: "AWS: aws_kms_ciphertext"
|
||||||
|
sidebar_current: "docs-aws-datasource-kms-ciphertext"
|
||||||
|
description: |-
|
||||||
|
Provides ciphertext encrypted using a KMS key
|
||||||
|
---
|
||||||
|
|
||||||
|
# aws\_kms\_ciphertext
|
||||||
|
|
||||||
|
The KMS ciphertext data source allows you to encrypt plaintext into ciphertext
|
||||||
|
by using an AWS KMS customer master key.
|
||||||
|
|
||||||
|
~> **Note:** All arguments including the plaintext be stored in the raw state as plain-text.
|
||||||
|
[Read more about sensitive data in state](/docs/state/sensitive-data.html).
|
||||||
|
|
||||||
|
## Example Usage
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
resource "aws_kms_key" "oauth_config" {
|
||||||
|
description = "oauth config"
|
||||||
|
is_enabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
data "aws_kms_ciphertext" "oauth" {
|
||||||
|
key_id = "${aws_kms_key.oauth_config.key_id}"
|
||||||
|
plaintext = <<EOF
|
||||||
|
{
|
||||||
|
"client_id": "e587dbae22222f55da22",
|
||||||
|
"client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Argument Reference
|
||||||
|
|
||||||
|
The following arguments are supported:
|
||||||
|
|
||||||
|
* `plaintext` - (Required) Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
|
||||||
|
* `key_id` - (Required) Globally unique key ID for the customer master key.
|
||||||
|
* `context` - (Optional) An optional mapping that makes up the encryption context.
|
||||||
|
|
||||||
|
## Attributes Reference
|
||||||
|
|
||||||
|
All of the argument attributes are also exported as result attributes.
|
||||||
|
|
||||||
|
* `ciphertext_blob` - Base64 encoded ciphertext
|
|
@ -52,6 +52,7 @@
|
||||||
</li>
|
</li>
|
||||||
<li<%= sidebar_current("docs-aws-datasource-db-instance") %>>
|
<li<%= sidebar_current("docs-aws-datasource-db-instance") %>>
|
||||||
<a href="/docs/providers/aws/d/db_instance.html">aws_db_instance</a>
|
<a href="/docs/providers/aws/d/db_instance.html">aws_db_instance</a>
|
||||||
|
</li>
|
||||||
<li<%= sidebar_current("docs-aws-datasource-db-snapshot") %>>
|
<li<%= sidebar_current("docs-aws-datasource-db-snapshot") %>>
|
||||||
<a href="/docs/providers/aws/d/db_snapshot.html">aws_db_snapshot</a>
|
<a href="/docs/providers/aws/d/db_snapshot.html">aws_db_snapshot</a>
|
||||||
</li>
|
</li>
|
||||||
|
@ -85,9 +86,6 @@
|
||||||
<li<%= sidebar_current("docs-aws-datasource-elb-service-account") %>>
|
<li<%= sidebar_current("docs-aws-datasource-elb-service-account") %>>
|
||||||
<a href="/docs/providers/aws/d/elb_service_account.html">aws_elb_service_account</a>
|
<a href="/docs/providers/aws/d/elb_service_account.html">aws_elb_service_account</a>
|
||||||
</li>
|
</li>
|
||||||
<li<%= sidebar_current("docs-aws-datasource-kinesis-stream") %>>
|
|
||||||
<a href="/docs/providers/aws/d/kinesis_stream.html">aws_kinesis_stream</a>
|
|
||||||
</li>
|
|
||||||
<li<%= sidebar_current("docs-aws-datasource-iam-account-alias") %>>
|
<li<%= sidebar_current("docs-aws-datasource-iam-account-alias") %>>
|
||||||
<a href="/docs/providers/aws/d/iam_account_alias.html">aws_iam_account_alias</a>
|
<a href="/docs/providers/aws/d/iam_account_alias.html">aws_iam_account_alias</a>
|
||||||
</li>
|
</li>
|
||||||
|
@ -106,9 +104,15 @@
|
||||||
<li<%= sidebar_current("docs-aws-datasource-ip_ranges") %>>
|
<li<%= sidebar_current("docs-aws-datasource-ip_ranges") %>>
|
||||||
<a href="/docs/providers/aws/d/ip_ranges.html">aws_ip_ranges</a>
|
<a href="/docs/providers/aws/d/ip_ranges.html">aws_ip_ranges</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-aws-datasource-kinesis-stream") %>>
|
||||||
|
<a href="/docs/providers/aws/d/kinesis_stream.html">aws_kinesis_stream</a>
|
||||||
|
</li>
|
||||||
<li<%= sidebar_current("docs-aws-datasource-kms-alias") %>>
|
<li<%= sidebar_current("docs-aws-datasource-kms-alias") %>>
|
||||||
<a href="/docs/providers/aws/d/kms_alias.html">aws_kms_alias</a>
|
<a href="/docs/providers/aws/d/kms_alias.html">aws_kms_alias</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-aws-datasource-kms-ciphertext") %>>
|
||||||
|
<a href="/docs/providers/aws/d/kms_ciphertext.html">aws_kms_ciphertext</a>
|
||||||
|
</li>
|
||||||
<li<%= sidebar_current("docs-aws-datasource-kms-secret") %>>
|
<li<%= sidebar_current("docs-aws-datasource-kms-secret") %>>
|
||||||
<a href="/docs/providers/aws/d/kms_secret.html">aws_kms_secret</a>
|
<a href="/docs/providers/aws/d/kms_secret.html">aws_kms_secret</a>
|
||||||
</li>
|
</li>
|
||||||
|
|