From fc0e7447f88ba8127f3ec6bc455e68b5eec47faf Mon Sep 17 00:00:00 2001
From: Dana Hoffman
Date: Fri, 22 Nov 2019 16:56:10 -0800
Subject: [PATCH] add user project override support for data.google_kms_secret_ciphertext
---
 .../data_source_google_kms_secret_ciphertext.go | 9 +++++++--
 third_party/terraform/utils/provider_test.go.erb | 12 ++++++++++++
 .../d/google_kms_secret_ciphertext.html.markdown | 4 ++++
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go b/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go
index 46e80637acc2..1a78e450bf5c 100644
--- a/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go
+++ b/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go
@@ -5,9 +5,10 @@ import (
 "encoding/base64"
 "fmt"
- "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 "log"
 "time"
+
+ "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 )
 func dataSourceGoogleKmsSecretCiphertext() *schema.Resource {
@@ -46,7 +47,11 @@ func dataSourceGoogleKmsSecretCiphertextRead(d *schema.ResourceData, meta interf
 Plaintext: plaintext,
 }
- encryptResponse, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Encrypt(cryptoKeyId.cryptoKeyId(), kmsEncryptRequest).Do()
+ encryptCall := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Encrypt(cryptoKeyId.cryptoKeyId(), kmsEncryptRequest)
+ if config.UserProjectOverride {
+ encryptCall.Header().Set("X-Goog-User-Project", cryptoKeyId.KeyRingId.Project)
+ }
+ encryptResponse, err := encryptCall.Do()
 if err != nil {
 return fmt.Errorf("Error encrypting plaintext: %s", err)
diff --git a/third_party/terraform/utils/provider_test.go.erb b/third_party/terraform/utils/provider_test.go.erb
index 77c9e7f40339..c91e6d80cb05 100644
--- a/third_party/terraform/utils/provider_test.go.erb
+++ b/third_party/terraform/utils/provider_test.go.erb
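Review bot: In `dataSourceGoogleKmsSecretCiphertextRead` (second hunk of data_source_google_kms_secret_ciphertext.go), the new `config.UserProjectOverride` branch sets `X-Goog-User-Project` to `cryptoKeyId.KeyRingId.Project` with no comment on why the key's project is the quota project, and no check that the value is non-empty. Because `crypto_key` comes from configuration, this header decides which project is charged for quota and where the caller must hold `serviceusage.services.use`; a comment such as `// Charge quota to the project that owns the key; the caller needs serviceusage.services.use there.` would make that explicit. If the ID parser, which is outside this hunk, can leave `Project` empty, guard the branch with `if config.UserProjectOverride && cryptoKeyId.KeyRingId.Project != "" {`. The function body starts and ends outside the hunk.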
@@ -446,6 +446,12 @@ resource "google_project_iam_member" "project-2-kms" {
 member = "serviceAccount:${google_service_account.project-1.email}"
 }
+resource "google_project_iam_member" "project-2-kms-encrypt" {
+ project = google_project.project-2.project_id
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+ member = "serviceAccount:${google_service_account.project-1.email}"
+}
+
 data "google_client_openid_userinfo" "me" {}
 // Enable the test runner to get an access token on behalf of
@@ -479,6 +485,12 @@ resource "google_kms_crypto_key" "project-2-key" {
 name = "%s"
 key_ring = google_kms_key_ring.project-2-keyring.self_link
 }
+
+data "google_kms_secret_ciphertext" "project-2-ciphertext" {
+ provider = google.project-1-token
+ crypto_key = google_kms_crypto_key.project-2-key.self_link
+ plaintext = "my-secret"
+}
 `, testAccProviderIndirectUserProjectOverride_step3(pid, name, org, billing, sa, override), pid, pid)
 }
diff --git a/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown b/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown
index 40e85ab43bc3..98b97989bd7a 100644
--- a/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown
+++ b/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown
@@ -97,3 +97,7 @@ The following arguments are supported:
 The following attribute is exported:
 * `ciphertext` - Contains the result of encrypting the provided plaintext, encoded in base64.
+
+## User Project Overrides
+
+This data source supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
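Review bot: The `data "google_kms_secret_ciphertext" "project-2-ciphertext"` block added in the second provider_test.go.erb hunk has no explicit dependency on the `google_project_iam_member.project-2-kms-encrypt` binding added in the first hunk. It references only the crypto key, so if both are applied in the same run, the Encrypt call may happen before the `roles/cloudkms.cryptoKeyEncrypter` grant exists or has propagated. That would surface as an intermittent permission error that is easy to mistake for a user-project-override failure. Consider adding `depends_on = [google_project_iam_member.project-2-kms-encrypt]` to the data source; whether the surrounding test steps already order these is not visible in the hunks.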