From a42d662711dc241a24060948cefe568b96ad2c2b Mon Sep 17 00:00:00 2001
From: William Siew <38149204+william8siew@users.noreply.github.com>
Date: Thu, 16 May 2024 00:58:26 -0500
Subject: [PATCH] update kms instance policies (#5346)

* use new go sdk for kms that uses pointers for policy bools, removed kcia defaults and changed to Computed, when enabled is false, don't update any other attributes, updated resource docs to reflect not using enabled=false with any other attributes

* update networking go sdk version to resolve conflict

* move back to using defaults

---------

Co-authored-by: wsiew
---
 go.mod | 4 +--
 go.sum | 2 ++
 ibm/flex/structures.go | 25 +++++++++++----
 .../kms/resource_ibm_kms_instance_policies.go | 31 ++++++++++++++-----
 .../r/kms_instance_policies.html.markdown | 20 ++++++++++--
 5 files changed, 65 insertions(+), 17 deletions(-)

diff --git a/go.mod b/go.mod
index 0710f99c6a7..2407e42fad3 100644
--- a/go.mod
+++ b/go.mod
@@ -21,9 +21,8 @@ require (
 github.com/IBM/ibm-cos-sdk-go-config/v2 v2.0.4
 github.com/IBM/ibm-hpcs-tke-sdk v0.0.0-20211109141421-a4b61b05f7d1
 github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta
- github.com/IBM/keyprotect-go-client v0.12.2
+ github.com/IBM/keyprotect-go-client v0.14.0
 github.com/IBM/networking-go-sdk v0.46.1
- github.com/IBM/logs-go-sdk v0.1.1
 github.com/IBM/platform-services-go-sdk v0.62.11
 github.com/IBM/project-go-sdk v0.3.0
 github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5
@@ -64,6 +63,7 @@ require (
 require (
 github.com/IBM-Cloud/bluemix-go v0.0.0-20240423071914-9e96525baef4
 github.com/IBM/go-sdk-core v1.1.0
+ github.com/IBM/logs-go-sdk v0.1.1
 github.com/IBM/mqcloud-go-sdk v0.0.4
 github.com/IBM/sarama v1.41.2
 github.com/IBM/vmware-go-sdk v0.1.2
diff --git a/go.sum b/go.sum
index d0e08ea3840..8c923c45e6b 100644
--- a/go.sum
+++ b/go.sum
@@ -166,6 +166,8 @@ github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta/go.mod h1:MLVNHMYoKsvovJZ4v1gQCpIYt
 github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
 github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
 github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
+github.com/IBM/keyprotect-go-client v0.14.0 h1:GqgK3BdczA/w7+B1RxEPLya0w9S/ZXi5YWKAxdW8vHQ=
+github.com/IBM/keyprotect-go-client v0.14.0/go.mod h1:cAt714Vnwnd03mmkBHHSJlDNRVthdRmJB6RePd4/B8Q=
 github.com/IBM/logs-go-sdk v0.1.1 h1:aiVnKHJzYcsHvQY58vLB7QbUV/kXcWTpCPqRKC2QS0A=
 github.com/IBM/logs-go-sdk v0.1.1/go.mod h1:yv/GCXC4/p+MZEeXl4xjZAOMvDAVRwu61WyHZFKFXQM=
 github.com/IBM/mqcloud-go-sdk v0.0.4 h1:gqMpoU5a0qJ0GETG4PQrkgeEEoaQLvbxRJnEe6ytvC4=
diff --git a/ibm/flex/structures.go b/ibm/flex/structures.go
index e2c92e969b6..f5e1c525d8e 100644
--- a/ibm/flex/structures.go
+++ b/ibm/flex/structures.go
@@ -3157,12 +3157,25 @@ func FlattenInstancePolicy(policyType string, policies []kp.InstancePolicy) []ma
 metricsMap = append(metricsMap, policyInstance)
 }
 if policy.PolicyType == "keyCreateImportAccess" {
- policyInstance["enabled"] = policy.PolicyData.Enabled
- policyInstance["create_root_key"] = policy.PolicyData.Attributes.CreateRootKey
- policyInstance["create_standard_key"] = policy.PolicyData.Attributes.CreateStandardKey
- policyInstance["import_root_key"] = policy.PolicyData.Attributes.ImportRootKey
- policyInstance["import_standard_key"] = policy.PolicyData.Attributes.ImportStandardKey
- policyInstance["enforce_token"] = policy.PolicyData.Attributes.EnforceToken
+ if policy.PolicyData.Enabled != nil {
+ policyInstance["enabled"] = *policy.PolicyData.Enabled
+ }
+ if policy.PolicyData.Attributes.CreateRootKey != nil {
+ policyInstance["create_root_key"] = *policy.PolicyData.Attributes.CreateRootKey
+ }
+ if policy.PolicyData.Attributes.CreateStandardKey != nil {
+ policyInstance["create_standard_key"] = *policy.PolicyData.Attributes.CreateStandardKey
+ }
+ if policy.PolicyData.Attributes.ImportRootKey != nil {
+ policyInstance["import_root_key"] = *policy.PolicyData.Attributes.ImportRootKey
+ }
+ if policy.PolicyData.Attributes.ImportStandardKey != nil {
+ policyInstance["import_standard_key"] = *policy.PolicyData.Attributes.ImportStandardKey
+ }
+ if policy.PolicyData.Attributes.EnforceToken != nil {
+ policyInstance["enforce_token"] = *policy.PolicyData.Attributes.EnforceToken
+ }
+
 keyCreateImportAccessMap = append(keyCreateImportAccessMap, policyInstance)
 }
 }
diff --git a/ibm/service/kms/resource_ibm_kms_instance_policies.go b/ibm/service/kms/resource_ibm_kms_instance_policies.go
index 2c0c78f6d1f..ac8bc197179 100644
--- a/ibm/service/kms/resource_ibm_kms_instance_policies.go
+++ b/ibm/service/kms/resource_ibm_kms_instance_policies.go
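Review bot: Every leaf field is nil-checked but `policy.PolicyData.Attributes` itself is not, so if `Attributes` is a pointer in keyprotect-go-client v0.14.0 (the request side of this same commit builds it as `&kp.KeyCreateImportAccessInstancePolicyAttributes{…}` and passes `Attributes: nil` when disabled, which suggests it is), a disabled policy returned without an attributes object will nil-dereference on the `create_root_key` check — confirm against the SDK type. Guarding the container once with `if attrs := policy.PolicyData.Attributes; attrs != nil {` closes that hole and also removes the repeated long selector. Note too that nil pointers leave the keys absent from `policyInstance` rather than defaulted, so a disabled policy's state carries no `enforce_token`/`import_*` values; that matches the drift caveat the docs add, but deserves a comment such as `// nil attribute pointers are omitted rather than defaulted: a disabled policy reports no attribute keys`. `FlattenInstancePolicy` starts before and continues after this hunk.
```go
if policy.PolicyType == "keyCreateImportAccess" {
	if policy.PolicyData.Enabled != nil {
		policyInstance["enabled"] = *policy.PolicyData.Enabled
	}
	// A disabled policy may come back without an attributes object; guard the
	// container before dereferencing its fields. nil pointers are omitted rather
	// than defaulted, so a disabled policy reports no attribute keys.
	if attrs := policy.PolicyData.Attributes; attrs != nil {
		if attrs.CreateRootKey != nil {
			policyInstance["create_root_key"] = *attrs.CreateRootKey
		}
		// … unchanged: create_standard_key, import_root_key, import_standard_key, enforce_token checks, rewritten against attrs …
	}
	// … unchanged: append to keyCreateImportAccessMap …
}
```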
@@ -331,13 +331,30 @@ func policyCreateOrUpdate(context context.Context, d *schema.ResourceData, kpAPI
 if kciaip, ok := d.GetOk("key_create_import_access"); ok {
 kciaipList := kciaip.([]interface{})
 if len(kciaipList) != 0 {
- mulPolicy.KeyCreateImportAccess = &kp.KeyCreateImportAccessInstancePolicy{
- Enabled: kciaipList[0].(map[string]interface{})["enabled"].(bool),
- CreateRootKey: kciaipList[0].(map[string]interface{})["create_root_key"].(bool),
- CreateStandardKey: kciaipList[0].(map[string]interface{})["create_standard_key"].(bool),
- ImportRootKey: kciaipList[0].(map[string]interface{})["import_root_key"].(bool),
- ImportStandardKey: kciaipList[0].(map[string]interface{})["import_standard_key"].(bool),
- EnforceToken: kciaipList[0].(map[string]interface{})["enforce_token"].(bool),
+ enabled := kciaipList[0].(map[string]interface{})["enabled"].(bool)
+ create_root_key := kciaipList[0].(map[string]interface{})["create_root_key"].(bool)
+ create_standard_key := kciaipList[0].(map[string]interface{})["create_standard_key"].(bool)
+ import_root_key := kciaipList[0].(map[string]interface{})["import_root_key"].(bool)
+ import_standard_key := kciaipList[0].(map[string]interface{})["import_standard_key"].(bool)
+ enforce_token := kciaipList[0].(map[string]interface{})["enforce_token"].(bool)
+
+ // we must make sure not to attempt any updates on attributes when enabled is false or face input validation errors
+ if enabled {
+ mulPolicy.KeyCreateImportAccess = &kp.KeyCreateImportAccessInstancePolicy{
+ Enabled: enabled,
+ Attributes: &kp.KeyCreateImportAccessInstancePolicyAttributes{
+ CreateRootKey: &create_root_key,
+ CreateStandardKey: &create_standard_key,
+ ImportRootKey: &import_root_key,
+ ImportStandardKey: &import_standard_key,
+ EnforceToken: &enforce_token,
+ },
+ }
+ } else {
+ mulPolicy.KeyCreateImportAccess = &kp.KeyCreateImportAccessInstancePolicy{
+ Enabled: enabled,
+ Attributes: nil,
+ }
 }
 }
 }
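Review bot: The `else` branch sends `Attributes: nil` whenever `enabled` is false, so any `create_*`, `import_*` or `enforce_token` value the user wrote alongside `enabled = false` is dropped without a diagnostic — the companion doc change only warns about it, and a config carrying `enforce_token = true` next to `enabled = false` applies cleanly while enforcing nothing. Because the schema keeps defaults for these booleans (per the commit message), this code cannot distinguish an explicit value from the default, so at minimum the comment should state the consequence: `// enabled == false: the API rejects attribute updates, so every other kcia attribute in config is intentionally discarded here (see resource docs)`. If the silent drop is to become an error, a plan-time `CustomizeDiff` on the resource that rejects non-default attributes when `enabled` is false would be the place, not this request builder. Separately, the six locals (`create_root_key`, `enforce_token`, …) should be MixedCaps (`createRootKey`, `enforceToken`) per Go naming conventions. `policyCreateOrUpdate` begins before and continues after this hunk.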
diff --git a/website/docs/r/kms_instance_policies.html.markdown b/website/docs/r/kms_instance_policies.html.markdown index 277edfea42e..314b70f4557 100644 --- a/website/docs/r/kms_instance_policies.html.markdown +++ b/website/docs/r/kms_instance_policies.html.markdown @@ -40,14 +40,30 @@ resource "ibm_kms_instance_policies" "instance_policy" { enabled = true } key_create_import_access { - enable = true + enabled = true } } ``` **NOTE** -- To create an instance policy, atleast one of the policy block as mentioned in the argument section is mandatory. +- When setting `enabled=false`, you must not specify any other attributes for that policy. The below is an example of an invalid setting + +```terraform + key_create_import_access { + enabled = false + import_root_key = false + } +``` + +The extra attributes will be ignored and will not be updated, this can also cause state drift. Users are advised to only use the `enabled` attribute when disabling a policy + +```terraform + key_create_import_access { + enabled = false + } +``` + - Policies `allowedIP` and `allowedNetwork` are not supported by instance_policies resource, and can be set using Context Based Restrictions (CBR). ## Argument reference