Adding changes for replacement of key_protect parameter and adding th…

…e fix for 3394 (#4618) * Adding the fix for issue 3394 and 1947 * Adding documentation for kms resource * Changes to kms example ,readme and test * Addressing the PR comment for code formatting * removing unnecessary changes from datasource
IBM-Cloud · Jun 20, 2023 · 946b4bf · 946b4bf
1 parent 15f4b01
commit 946b4bf
Show file tree

Hide file tree

Showing 18 changed files with 357 additions and 28 deletions.
diff --git a/examples/ibm-cos-bucket/main.tf b/examples/ibm-cos-bucket/main.tf
@@ -304,7 +304,7 @@ resource "ibm_cos_bucket" "hpcs-enabled" {
   resource_instance_id = ibm_resource_instance.cos_instance.id
   region_location       = var.regional_loc
   storage_class         = var.standard_storage_class
-  key_protect          = ibm_kms_key.key.id
+  kms_key_crn          = ibm_kms_key.key.id
 }
 
 //HPCS - UKO plan
@@ -314,7 +314,7 @@ resource "ibm_cos_bucket" "hpcs-uko-enabled" {
   resource_instance_id = ibm_resource_instance.cos_instance.id
   region_location       = var.regional_loc
   storage_class         = var.standard_storage_class
-  key_protect           = var.hpcs_uko_rootkeycrn
+  kms_key_crn           = var.hpcs_uko_rootkeycrn
 }
 resource "ibm_cos_bucket_object" "plaintext" {
   bucket_crn      = ibm_cos_bucket.cos_bucket.crn

diff --git a/examples/ibm-key-protect/README.md b/examples/ibm-key-protect/README.md
@@ -4,6 +4,9 @@ This example shows how to Create a Key protect instance, generate a key and inte
 
 This sample configuration will create the key protect instance, cos-bucket instance, root key, and integrate the key with a cos bucket after creating the bucket.
 
+  **Note:**
+
+ `key_protect` attribute to associate a kms_key with a COS bucket has been renamed as `kms_key_crn` , hence it is recommended to all the new users to use `kms_key_crn`.Although the support for older attribute name `key_protect` will be continued for existing custom
 
 To run, configure your IBM Cloud provider
 
@@ -63,7 +66,7 @@ resource "ibm_cos_bucket" "flex-us-south" {
   resource_instance_id = ibm_resource_instance.cos_instance.id
   region_location      = var.location
   storage_class        = "flex"
-  key_protect          = ibm_kp_key.test.id
+  kms_key_crn          = ibm_kp_key.test.id
 }
 
 ```
@@ -81,7 +84,7 @@ resource "ibm_cos_bucket" "flex-us-south" {
   resource_instance_id = var.cosinstance
   region_location      = var.location
   storage_class        = "flex"
-  key_protect          = data.ibm_kp_key.test.keys.0.crn
+  kms_key_crn         = data.ibm_kp_key.test.keys.0.crn
 }
 
 ```

diff --git a/examples/ibm-key-protect/main.tf b/examples/ibm-key-protect/main.tf
@@ -32,5 +32,5 @@ resource "ibm_cos_bucket" "flex-us-south" {
   resource_instance_id = ibm_resource_instance.cos_instance.id
   region_location      = "us-south"
   storage_class        = "flex"
-  key_protect          = ibm_kp_key.test.id
+  kms_key_crn          = ibm_kp_key.test.id
 }
diff --git a/examples/ibm-kms/README.md b/examples/ibm-kms/README.md
@@ -4,6 +4,9 @@ This example shows how to Create a Key protect instance, generate a key and inte
 
 This sample configuration will create the key protect instance, cos-bucket instance, root key, and integrate the key with a cos bucket after creating the bucket.
 
+  **Note:**
+
+ `key_protect` attribute to associate a kms_key with a COS bucket has been renamed as `kms_key_crn` , hence it is recommended to all the new users to use `kms_key_crn`.Although the support for older attribute name `key_protect` will be continued for existing custom
 
 To run, configure your IBM Cloud provider
 
@@ -62,7 +65,7 @@ resource "ibm_cos_bucket" "flex-us-south" {
   resource_instance_id = ibm_resource_instance.cos_instance.id
   region_location      = var.location
   storage_class        = "flex"
-  key_protect          = ibm_kms_key.test.id
+  kms_key_crn          = ibm_kms_key.test.id
 }
 
 ```
@@ -80,11 +83,10 @@ resource "ibm_cos_bucket" "flex-us-south" {
   resource_instance_id = var.cosinstance
   region_location      = var.location
   storage_class        = "flex"
-  key_protect          = data.ibm_kms_keys.test.keys.0.crn
+  kms_key_crn         = data.ibm_kms_keys.test.keys.0.crn
 }
 
 ```
-
 ## Assumptions
 
 1. It's assumed that user has valid authorizations set for integrating kms keys with other services. This can be done using `ibm_iam_authorization_policy` resource

diff --git a/examples/ibm-kms/main.tf b/examples/ibm-kms/main.tf
@@ -34,5 +34,5 @@ resource "ibm_cos_bucket" "flex-us-south" {
   resource_instance_id = ibm_resource_instance.cos_instance.id
   region_location      = "us-south"
   storage_class        = "flex"
-  key_protect          = ibm_kms_key.test.id
+  kms_key_crn          = ibm_kms_key.test.id
 }
diff --git a/ibm/service/cos/data_source_ibm_cos_bucket.go b/ibm/service/cos/data_source_ibm_cos_bucket.go
@@ -75,6 +75,11 @@ func DataSourceIBMCosBucket() *schema.Resource {
 				Computed:    true,
 				Description: "CRN of the key you want to use data at rest encryption",
 			},
+			"kms_key_crn": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "CRN of the key you want to use data at rest encryption",
+			},
 			"single_site_location": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -453,6 +458,7 @@ func DataSourceIBMCosBucketValidator() *validate.ResourceValidator {
 }
 func dataSourceIBMCosBucketRead(d *schema.ResourceData, meta interface{}) error {
 	var s3Conf *aws.Config
+	var keyProtectFlag bool
 	rsConClient, err := meta.(conns.ClientSession).BluemixSession()
 	if err != nil {
 		return err
@@ -462,6 +468,9 @@ func dataSourceIBMCosBucketRead(d *schema.ResourceData, meta interface{}) error
 	bucketType := d.Get("bucket_type").(string)
 	bucketRegion := d.Get("bucket_region").(string)
 	endpointType := d.Get("endpoint_type").(string)
+	if _, ok := d.GetOk("key_protect"); ok {
+		keyProtectFlag = true
+	}
 
 	var satlc_id, apiEndpoint, apiEndpointPrivate, directApiEndpoint string
 
@@ -557,7 +566,14 @@ func dataSourceIBMCosBucketRead(d *schema.ResourceData, meta interface{}) error
 	}
 	bucketID := fmt.Sprintf("%s:%s:%s:meta:%s:%s:%s", strings.Replace(serviceID, "::", "", -1), "bucket", bucketName, bucketLocationConvert(bucketType), bucketRegion, endpointType)
 	d.SetId(bucketID)
-	d.Set("key_protect", head.IBMSSEKPCrkId)
+	if *head.IBMSSEKPEnabled == true {
+		if keyProtectFlag == true {
+			d.Set("key_protect", head.IBMSSEKPCrkId)
+		} else {
+			d.Set("kms_key_crn", head.IBMSSEKPCrkId)
+		}
+	}
+
 	bucketCRN := fmt.Sprintf("%s:%s:%s", strings.Replace(serviceID, "::", "", -1), "bucket", bucketName)
 	d.Set("crn", bucketCRN)
 	d.Set("resource_instance_id", serviceID)

diff --git a/ibm/service/cos/resource_ibm_cos_bucket.go b/ibm/service/cos/resource_ibm_cos_bucket.go
@@ -95,10 +95,18 @@ func ResourceIBMCOSBucket() *schema.Resource {
 				Description: "CRN of resource instance",
 			},
 			"key_protect": {
-				Type:        schema.TypeString,
-				ForceNew:    true,
-				Optional:    true,
-				Description: "CRN of the key you want to use data at rest encryption",
+				Type:          schema.TypeString,
+				ForceNew:      true,
+				Optional:      true,
+				ConflictsWith: []string{"kms_key_crn"},
+				Description:   "CRN of the key you want to use data at rest encryption",
+			},
+			"kms_key_crn": {
+				Type:          schema.TypeString,
+				ForceNew:      true,
+				Optional:      true,
+				ConflictsWith: []string{"key_protect"},
+				Description:   "CRN of the key you want to use data at rest encryption",
 			},
 			"satellite_location_id": {
 				Type:          schema.TypeString,
@@ -1016,6 +1024,7 @@ func resourceIBMCOSBucketUpdate(d *schema.ResourceData, meta interface{}) error
 
 func resourceIBMCOSBucketRead(d *schema.ResourceData, meta interface{}) error {
 	var s3Conf *aws.Config
+	var keyProtectFlag bool
 	rsConClient, err := meta.(conns.ClientSession).BluemixSession()
 	if err != nil {
 		return err
@@ -1026,6 +1035,10 @@ func resourceIBMCOSBucketRead(d *schema.ResourceData, meta interface{}) error {
 	apiType := parseBucketId(d.Id(), "apiType")
 	bLocation := parseBucketId(d.Id(), "bLocation")
 
+	if _, ok := d.GetOk("key_protect"); ok {
+		keyProtectFlag = true
+	}
+
 	//split satellite resource instance id to get the 1st value
 	if apiType == "sl" {
 		satloc_guid := strings.Split(serviceID, ":")
@@ -1152,6 +1165,17 @@ func resourceIBMCOSBucketRead(d *schema.ResourceData, meta interface{}) error {
 	if err != nil {
 		return fmt.Errorf("[ERROR] Error in getting bucket info rule: %s\n%s", err, response)
 	}
+	head, err := s3Client.HeadBucket(headInput)
+	if err != nil {
+		return err
+	}
+	if *head.IBMSSEKPEnabled == true {
+		if keyProtectFlag == true {
+			d.Set("key_protect", head.IBMSSEKPCrkId)
+		} else {
+			d.Set("kms_key_crn", head.IBMSSEKPCrkId)
+		}
+	}
 
 	if bucketPtr != nil {
 
@@ -1351,6 +1375,9 @@ func resourceIBMCOSBucketCreate(d *schema.ResourceData, meta interface{}) error
 	if keyprotect, ok := d.GetOk("key_protect"); ok {
 		create.IBMSSEKPCustomerRootKeyCrn = aws.String(keyprotect.(string))
 		create.IBMSSEKPEncryptionAlgorithm = aws.String(keyAlgorithm)
+	} else if kmsKeyCrn, ok := d.GetOk("kms_key_crn"); ok {
+		create.IBMSSEKPCustomerRootKeyCrn = aws.String(kmsKeyCrn.(string))
+		create.IBMSSEKPEncryptionAlgorithm = aws.String(keyAlgorithm)
 	}
 
 	authEndpoint, err := rsConClient.Config.EndpointLocator.IAMEndpoint()