From 02f686d158c705c1aa07690f73d10a0aa08ec373 Mon Sep 17 00:00:00 2001
From: Sam Levenick
Date: Wed, 25 Aug 2021 09:53:57 -0700
Subject: [PATCH] Add soft deletion retention to KMS key (#5131)

---
 mmv1/products/kms/api.yaml | 6 ++
 mmv1/products/kms/terraform.yaml | 2 +
 .../tests/resource_kms_crypto_key_test.go | 66 +++++++++++++++++++
 3 files changed, 74 insertions(+)

diff --git a/mmv1/products/kms/api.yaml b/mmv1/products/kms/api.yaml
index dce70d8fa372..84901395fcd1 100644
--- a/mmv1/products/kms/api.yaml
+++ b/mmv1/products/kms/api.yaml
@@ -148,6 +148,12 @@ objects:
 description: |
 The time when KMS will create a new version of this Crypto Key.
 output: true
+ - !ruby/object:Api::Type::String
+ name: 'destroyScheduledDuration'
+ input: true
+ description: |
+ The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
+ If not specified at creation time, the default duration is 24 hours.
 references: !ruby/object:Api::Resource::ReferenceLinks
 guides:
 'Creating a key':
diff --git a/mmv1/products/kms/terraform.yaml b/mmv1/products/kms/terraform.yaml
index 1e2375068704..bea03049feed 100644
--- a/mmv1/products/kms/terraform.yaml
+++ b/mmv1/products/kms/terraform.yaml
@@ -95,6 +95,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 default_value: :SOFTWARE
 nextRotationTime: !ruby/object:Overrides::Terraform::PropertyOverride
 exclude: true
+ destroyScheduledDuration: !ruby/object:Overrides::Terraform::PropertyOverride
+ default_from_api: true
 custom_code: !ruby/object:Provider::Terraform::CustomCode
 custom_delete: templates/terraform/custom_delete/kms_crypto_key.erb
 custom_import: templates/terraform/custom_import/kms_crypto_key.go.erb
diff --git a/mmv1/third_party/terraform/tests/resource_kms_crypto_key_test.go b/mmv1/third_party/terraform/tests/resource_kms_crypto_key_test.go
index 8c96cb067670..a6bce4edafdb 100644
--- a/mmv1/third_party/terraform/tests/resource_kms_crypto_key_test.go
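Review bot: The `description` for the new `destroyScheduledDuration` property states the default but neither the value format nor the fact that the setting is fixed at creation, both of which the provider docs generated from it will need. Consider extending it with `A duration in seconds terminated by 's', for example "129600s".` (the value the new acceptance test uses) and, if `input: true` carries its usual create-only meaning in this schema, `Cannot be changed once the key is created.` Since the commit frames this as soft-deletion retention, the description could also note that shorter values shrink the window in which a scheduled version destruction can still be noticed and reverted, so operators do not treat the field as cosmetic.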
+++ b/mmv1/third_party/terraform/tests/resource_kms_crypto_key_test.go
@@ -300,6 +300,41 @@ func TestAccKmsCryptoKey_template(t *testing.T) {
 })
 }
 
+func TestAccKmsCryptoKey_destroyDuration(t *testing.T) {
+ t.Parallel()
+
+ projectId := fmt.Sprintf("tf-test-%d", randInt(t))
+ projectOrg := getTestOrgFromEnv(t)
+ location := getTestRegionFromEnv()
+ projectBillingAccount := getTestBillingAccountFromEnv(t)
+ keyRingName := fmt.Sprintf("tf-test-%s", randString(t, 10))
+ cryptoKeyName := fmt.Sprintf("tf-test-%s", randString(t, 10))
+
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testGoogleKmsCryptoKey_destroyDuration(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName),
+ },
+ {
+ ResourceName: "google_kms_crypto_key.crypto_key",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ // Use a separate TestStep rather than a CheckDestroy because we need the project to still exist.
+ {
+ Config: testGoogleKmsCryptoKey_removed(projectId, projectOrg, projectBillingAccount, keyRingName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckGoogleKmsCryptoKeyWasRemovedFromState("google_kms_crypto_key.crypto_key"),
+ testAccCheckGoogleKmsCryptoKeyVersionsDestroyed(t, projectId, location, keyRingName, cryptoKeyName),
+ testAccCheckGoogleKmsCryptoKeyRotationDisabled(t, projectId, location, keyRingName, cryptoKeyName),
+ ),
+ },
+ },
+ })
+}
+
 // KMS KeyRings cannot be deleted. This ensures that the CryptoKey resource was removed from state,
 // even though the server-side resource was not removed.
 func testAccCheckGoogleKmsCryptoKeyWasRemovedFromState(resourceName string) resource.TestCheckFunc {
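Review bot: The first TestStep in `TestAccKmsCryptoKey_destroyDuration` applies a config that sets `destroy_scheduled_duration = "129600s"` but has no `Check`, so nothing asserts that the non-default value reached the API and was read back; the `ImportStateVerify` step only compares imported state against existing state and would pass if both held the default. Add `Check: resource.TestCheckResourceAttr("google_kms_crypto_key.crypto_key", "destroy_scheduled_duration", "129600s"),` to that step. Separately, `location` is taken from `getTestRegionFromEnv()` while `testGoogleKmsCryptoKey_destroyDuration` (next hunk) hardcodes `location = "us-central1"` for the key ring, so when the configured test region differs the `VersionsDestroyed` and `RotationDisabled` checks would look up the key in the wrong location; the sibling tests outside this hunk may share the pattern, but either threading `location` into the config or using the same literal in both places would remove the mismatch.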
@@ -502,3 +537,34 @@ resource "google_kms_key_ring" "key_ring" {
 }
 `, projectId, projectId, projectOrg, projectBillingAccount, keyRingName)
 }
+
+func testGoogleKmsCryptoKey_destroyDuration(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName string) string {
+ return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+ name = "%s"
+ project_id = "%s"
+ org_id = "%s"
+ billing_account = "%s"
+}
+
+resource "google_project_service" "acceptance" {
+ project = google_project.acceptance.project_id
+ service = "cloudkms.googleapis.com"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+ project = google_project_service.acceptance.project
+ name = "%s"
+ location = "us-central1"
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+ name = "%s"
+ key_ring = google_kms_key_ring.key_ring.self_link
+ labels = {
+ key = "value"
+ }
+ destroy_scheduled_duration = "129600s"
+}
+`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName)
+}
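Review bot: The `destroy_scheduled_duration = "129600s"` line in the HCL template of `testGoogleKmsCryptoKey_destroyDuration` carries no explanation, so a reader has to convert it to see that it is 36 hours and that it was chosen to differ from the 24-hour default described in api.yaml. A one-line HCL comment above it, `# 36h: deliberately longer than the 24h API default so a non-default value is exercised`, would record the intent without changing the rendered config.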