diff --git a/build/terraform b/build/terraform index c2e94bc894f4..03cf878c8f8c 160000 --- a/build/terraform +++ b/build/terraform @@ -1 +1 @@ -Subproject commit c2e94bc894f4abf0116bf9557c03d4a9b400c5f5 +Subproject commit 03cf878c8f8c6367354d3d0657a102a019172d28 diff --git a/build/terraform-beta b/build/terraform-beta index 368e3a54f07d..266aa875a139 160000 --- a/build/terraform-beta +++ b/build/terraform-beta @@ -1 +1 @@ -Subproject commit 368e3a54f07dee6e9f1fd23c01b29b342ffd28cc +Subproject commit 266aa875a139da1e21188055ee37bfa46238b7c4 diff --git a/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go b/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go index 46e80637acc2..1a78e450bf5c 100644 --- a/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go +++ b/third_party/terraform/data_sources/data_source_google_kms_secret_ciphertext.go @@ -5,9 +5,10 @@ import ( "encoding/base64" "fmt" - "github.com/hashicorp/terraform-plugin-sdk/helper/schema" "log" "time" + + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" ) func dataSourceGoogleKmsSecretCiphertext() *schema.Resource { @@ -46,7 +47,11 @@ func dataSourceGoogleKmsSecretCiphertextRead(d *schema.ResourceData, meta interf Plaintext: plaintext, } - encryptResponse, err := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Encrypt(cryptoKeyId.cryptoKeyId(), kmsEncryptRequest).Do() + encryptCall := config.clientKms.Projects.Locations.KeyRings.CryptoKeys.Encrypt(cryptoKeyId.cryptoKeyId(), kmsEncryptRequest) + if config.UserProjectOverride { + encryptCall.Header().Set("X-Goog-User-Project", cryptoKeyId.KeyRingId.Project) + } + encryptResponse, err := encryptCall.Do() if err != nil { return fmt.Errorf("Error encrypting plaintext: %s", err) diff --git a/third_party/terraform/utils/provider_test.go.erb b/third_party/terraform/utils/provider_test.go.erb index 77c9e7f40339..c91e6d80cb05 100644 --- a/third_party/terraform/utils/provider_test.go.erb +++ b/third_party/terraform/utils/provider_test.go.erb @@ -446,6 +446,12 @@ resource "google_project_iam_member" "project-2-kms" { member = "serviceAccount:${google_service_account.project-1.email}" } +resource "google_project_iam_member" "project-2-kms-encrypt" { + project = google_project.project-2.project_id + role = "roles/cloudkms.cryptoKeyEncrypter" + member = "serviceAccount:${google_service_account.project-1.email}" +} + data "google_client_openid_userinfo" "me" {} // Enable the test runner to get an access token on behalf of @@ -479,6 +485,12 @@ resource "google_kms_crypto_key" "project-2-key" { name = "%s" key_ring = google_kms_key_ring.project-2-keyring.self_link } + +data "google_kms_secret_ciphertext" "project-2-ciphertext" { + provider = google.project-1-token + crypto_key = google_kms_crypto_key.project-2-key.self_link + plaintext = "my-secret" +} `, testAccProviderIndirectUserProjectOverride_step3(pid, name, org, billing, sa, override), pid, pid) } diff --git a/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown b/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown index 40e85ab43bc3..98b97989bd7a 100644 --- a/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown +++ b/third_party/terraform/website/docs/d/google_kms_secret_ciphertext.html.markdown @@ -97,3 +97,7 @@ The following arguments are supported: The following attribute is exported: * `ciphertext` - Contains the result of encrypting the provided plaintext, encoded in base64. + +## User Project Overrides + +This data source supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).