Slight renaming, and use key_rotation_id instead of rekey attribute

auth0 · Sep 26, 2024 · 4039d95 · 4039d95
1 parent af01f50
commit 4039d95
Show file tree

Hide file tree

Showing 7 changed files with 557 additions and 381 deletions.
diff --git a/docs/resources/encryption_key.md b/docs/resources/encryption_key.md
@@ -11,11 +11,12 @@ Resource to allow the rekeying of your tenant master key.
 ## Example Usage
 
 ```terraform
-resource "auth0_encryption_key" "my_encryption_keys_dont_rekey" {
+resource "auth0_encryption_key" "my_encryption_key_initial" {
+  key_rotation_id = "da9f2f3b-1c7e-4245-8982-9a25da8407c4"
 }
 
-resource "auth0_encryption_key" "my_encryption_keys_rekey" {
-  rekey = true
+resource "auth0_encryption_key" "my_encryption_key_rekey" {
+  key_rotation_id = "68feba2c-7768-40f3-9d71-4b91e0233abf"
 }
 ```
 
@@ -24,7 +25,7 @@ resource "auth0_encryption_key" "my_encryption_keys_rekey" {
 
 ### Optional
 
-- `rekey` (Boolean) If set to `true`, the encryption keys will be rotated.
+- `key_rotation_id` (String) If set to to a new value, the encryption keys will be rotated.
 
 ### Read-Only
 
@@ -54,5 +55,5 @@ Import is supported using the following syntax:
 # We recommend [Version 4 UUID](https://www.uuidgenerator.net/version4)
 #
 # Example:
-terraform import auth0_encryption_key.my_keys "6f0519ad-ea35-44a3-9b0e-ac9c631612c2"
+terraform import auth0_encryption_key.my_key "6f0519ad-ea35-44a3-9b0e-ac9c631612c2"
 ```
diff --git a/examples/resources/auth0_encryption_key/import.sh b/examples/resources/auth0_encryption_key/import.sh
@@ -4,4 +4,4 @@
 # We recommend [Version 4 UUID](https://www.uuidgenerator.net/version4)
 #
 # Example:
-terraform import auth0_encryption_key.my_keys "6f0519ad-ea35-44a3-9b0e-ac9c631612c2"
+terraform import auth0_encryption_key.my_key "6f0519ad-ea35-44a3-9b0e-ac9c631612c2"
diff --git a/examples/resources/auth0_encryption_key/resource.tf b/examples/resources/auth0_encryption_key/resource.tf
@@ -1,7 +1,8 @@
-resource "auth0_encryption_key" "my_encryption_keys_dont_rekey" {
+resource "auth0_encryption_key" "my_encryption_key_initial" {
+  key_rotation_id = "da9f2f3b-1c7e-4245-8982-9a25da8407c4"
 }
 
-resource "auth0_encryption_key" "my_encryption_keys_rekey" {
-  rekey = true
+resource "auth0_encryption_key" "my_encryption_key_rekey" {
+  key_rotation_id = "68feba2c-7768-40f3-9d71-4b91e0233abf"
 }
 
diff --git a/internal/auth0/encryptionkey/resource.go b/internal/auth0/encryptionkey/resource.go
@@ -13,16 +13,16 @@ import (
 // NewEncryptionKeyResource will return a new auth0_encryption_keys resource.
 func NewEncryptionKeyResource() *schema.Resource {
 	return &schema.Resource{
-		CreateContext: createEncryptionKeys,
-		UpdateContext: updateEncryptionKeys,
-		ReadContext:   readEncryptionKeys,
-		DeleteContext: deleteEncryptionKeys,
+		CreateContext: createEncryptionKey,
+		UpdateContext: updateEncryptionKey,
+		ReadContext:   readEncryptionKey,
+		DeleteContext: deleteEncryptionKey,
 		Description:   "Resource to allow the rekeying of your tenant master key.",
 		Schema: map[string]*schema.Schema{
-			"rekey": {
-				Type:        schema.TypeBool,
+			"key_rotation_id": {
+				Type:        schema.TypeString,
 				Optional:    true,
-				Description: "If set to `true`, the encryption keys will be rotated.",
+				Description: "If set to to a new value, the encryption keys will be rotated.",
 			},
 			"encryption_keys": {
 				Type:        schema.TypeList,
@@ -70,28 +70,28 @@ func NewEncryptionKeyResource() *schema.Resource {
 	}
 }
 
-func createEncryptionKeys(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+func createEncryptionKey(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	data.SetId(id.UniqueId())
 
-	return updateEncryptionKeys(ctx, data, meta)
+	return updateEncryptionKey(ctx, data, meta)
 }
 
-func updateEncryptionKeys(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+func updateEncryptionKey(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	api := meta.(*config.Config).GetAPI()
 
-	if data.IsNewResource() || data.HasChange("rekey") {
-		rekey := data.GetRawConfig().GetAttr("rekey")
-		if !rekey.IsNull() && rekey.True() {
+	if data.IsNewResource() || data.HasChange("key_rotation_id") {
+		keyRotationID := data.GetRawConfig().GetAttr("key_rotation_id")
+		if !keyRotationID.IsNull() && len(keyRotationID.AsString()) > 0 {
 			if err := api.EncryptionKey.Rekey(ctx); err != nil {
 				return diag.FromErr(err)
 			}
 		}
 	}
 
-	return readEncryptionKeys(ctx, data, meta)
+	return readEncryptionKey(ctx, data, meta)
 }
 
-func readEncryptionKeys(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+func readEncryptionKey(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	api := meta.(*config.Config).GetAPI()
 
 	encryptionKeys, err := api.EncryptionKey.List(ctx)
@@ -104,6 +104,6 @@ func readEncryptionKeys(ctx context.Context, data *schema.ResourceData, meta int
 	return diag.FromErr(data.Set("encryption_keys", flattenEncryptionKeys(encryptionKeys.Keys)))
 }
 
-func deleteEncryptionKeys(_ context.Context, _ *schema.ResourceData, _ interface{}) diag.Diagnostics {
+func deleteEncryptionKey(_ context.Context, _ *schema.ResourceData, _ interface{}) diag.Diagnostics {
 	return nil
 }
diff --git a/internal/auth0/encryptionkey/resource_test.go b/internal/auth0/encryptionkey/resource_test.go
@@ -14,82 +14,116 @@ import (
 	"github.com/auth0/terraform-provider-auth0/internal/acctest"
 )
 
-const testAccEncryptionKeysCreate = `
-resource "auth0_encryption_key" "my_keys" { }
+const testAccEncryptionKeyCreate = `
+resource "auth0_encryption_key" "my_key" { }
 `
 
-const testAccEncryptionKeysRekey = `
-resource "auth0_encryption_key" "my_keys" {
-	rekey = true
+const testAccEncryptionKeyFirstRotation = `
+resource "auth0_encryption_key" "my_key" {
+	key_rotation_id = "initial_value"
 }
 `
 
-func TestAccEncryptionKeys(t *testing.T) {
-	oldKey := make(map[string]string)
-	newKey := make(map[string]string)
-	newerKey := make(map[string]string)
+const testAccEncryptionKeySecondRotation = `
+resource "auth0_encryption_key" "my_key" {
+	key_rotation_id = "changed_value"
+}
+`
+
+const testAccEncryptionKeyUnsetRotation = `
+resource "auth0_encryption_key" "my_key" {
+}
+`
+
+func TestAccEncryptionKey(t *testing.T) {
+	initialKey := make(map[string]string)
+	firstRotationKey := make(map[string]string)
+	secondRotationKey := make(map[string]string)
+	unsetRotationKey := make(map[string]string)
 
 	acctest.Test(t, resource.TestCase{
 		Steps: []resource.TestStep{
 			{
-				Config: testAccEncryptionKeysCreate,
+				Config: testAccEncryptionKeyCreate,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestMatchResourceAttr("auth0_encryption_key.my_key", "encryption_keys.#", regexp.MustCompile("^[1-9][0-9]*")),
+					extractActiveKey("auth0_encryption_key.my_key", "encryption_keys", "tenant-master-key", &initialKey),
+					func(_ *terraform.State) error {
+						keyID, ok := initialKey["key_id"]
+						assert.True(t, ok && len(keyID) > 0, "key_id should exist")
+						parentKeyID, ok := initialKey["parent_key_id"]
+						assert.True(t, ok && len(parentKeyID) > 0, "parent_key_id should exist")
+						assert.Equal(t, initialKey["type"], "tenant-master-key")
+						assert.Equal(t, initialKey["state"], "active")
+						createdAt, ok := initialKey["created_at"]
+						assert.True(t, ok && len(createdAt) > 0, "created_at should exist")
+						updatedAt, ok := initialKey["updated_at"]
+						assert.True(t, ok && len(updatedAt) > 0, "updated_at should exist")
+
+						return nil
+					},
+				),
+			},
+			{
+				Config: testAccEncryptionKeyFirstRotation,
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestMatchResourceAttr("auth0_encryption_key.my_keys", "encryption_keys.#", regexp.MustCompile("^[1-9][0-9]*")),
-					extractActiveKey("auth0_encryption_key.my_keys", "encryption_keys", "tenant-master-key", &oldKey),
+					resource.TestMatchResourceAttr("auth0_encryption_key.my_key", "encryption_keys.#", regexp.MustCompile("^[1-9][0-9]*")),
+					extractActiveKey("auth0_encryption_key.my_key", "encryption_keys", "tenant-master-key", &firstRotationKey),
 					func(_ *terraform.State) error {
-						keyID, ok := oldKey["key_id"]
+						keyID, ok := firstRotationKey["key_id"]
 						assert.True(t, ok && len(keyID) > 0, "key_id should exist")
-						parentKeyID, ok := oldKey["parent_key_id"]
+						assert.NotEqual(t, firstRotationKey["key_id"], initialKey["key_id"])
+						parentKeyID, ok := firstRotationKey["parent_key_id"]
 						assert.True(t, ok && len(parentKeyID) > 0, "parent_key_id should exist")
-						assert.Equal(t, oldKey["type"], "tenant-master-key")
-						assert.Equal(t, oldKey["state"], "active")
-						createdAt, ok := oldKey["created_at"]
+						assert.Equal(t, firstRotationKey["type"], "tenant-master-key")
+						assert.Equal(t, firstRotationKey["state"], "active")
+						createdAt, ok := firstRotationKey["created_at"]
 						assert.True(t, ok && len(createdAt) > 0, "created_at should exist")
-						updatedAt, ok := oldKey["updated_at"]
+						updatedAt, ok := firstRotationKey["updated_at"]
 						assert.True(t, ok && len(updatedAt) > 0, "updated_at should exist")
 
 						return nil
 					},
 				),
 			},
 			{
-				Config: testAccEncryptionKeysRekey,
+				Config: testAccEncryptionKeySecondRotation,
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestMatchResourceAttr("auth0_encryption_key.my_keys", "encryption_keys.#", regexp.MustCompile("^[1-9][0-9]*")),
-					extractActiveKey("auth0_encryption_key.my_keys", "encryption_keys", "tenant-master-key", &newKey),
+					resource.TestMatchResourceAttr("auth0_encryption_key.my_key", "encryption_keys.#", regexp.MustCompile("^[1-9][0-9]*")),
+					extractActiveKey("auth0_encryption_key.my_key", "encryption_keys", "tenant-master-key", &secondRotationKey),
 					func(_ *terraform.State) error {
-						keyID, ok := newKey["key_id"]
+						keyID, ok := secondRotationKey["key_id"]
 						assert.True(t, ok && len(keyID) > 0, "key_id should exist")
-						assert.NotEqual(t, newKey["key_id"], oldKey["key_id"])
-						parentKeyID, ok := newKey["parent_key_id"]
+						assert.NotEqual(t, secondRotationKey["key_id"], firstRotationKey["key_id"])
+						parentKeyID, ok := secondRotationKey["parent_key_id"]
 						assert.True(t, ok && len(parentKeyID) > 0, "parent_key_id should exist")
-						assert.Equal(t, newKey["type"], "tenant-master-key")
-						assert.Equal(t, newKey["state"], "active")
-						createdAt, ok := newKey["created_at"]
+						assert.Equal(t, secondRotationKey["type"], "tenant-master-key")
+						assert.Equal(t, secondRotationKey["state"], "active")
+						createdAt, ok := secondRotationKey["created_at"]
 						assert.True(t, ok && len(createdAt) > 0, "created_at should exist")
-						updatedAt, ok := newKey["updated_at"]
+						updatedAt, ok := secondRotationKey["updated_at"]
 						assert.True(t, ok && len(updatedAt) > 0, "updated_at should exist")
 
 						return nil
 					},
 				),
 			},
 			{
-				Config: testAccEncryptionKeysCreate,
+				Config: testAccEncryptionKeyUnsetRotation,
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestMatchResourceAttr("auth0_encryption_key.my_keys", "encryption_keys.#", regexp.MustCompile("^[1-9][0-9]*")),
-					extractActiveKey("auth0_encryption_key.my_keys", "encryption_keys", "tenant-master-key", &newerKey),
+					resource.TestMatchResourceAttr("auth0_encryption_key.my_key", "encryption_keys.#", regexp.MustCompile("^[1-9][0-9]*")),
+					extractActiveKey("auth0_encryption_key.my_key", "encryption_keys", "tenant-master-key", &unsetRotationKey),
 					func(_ *terraform.State) error {
-						keyID, ok := newerKey["key_id"]
+						keyID, ok := unsetRotationKey["key_id"]
 						assert.True(t, ok && len(keyID) > 0, "key_id should exist")
-						assert.Equal(t, newerKey["key_id"], newKey["key_id"])
-						parentKeyID, ok := newerKey["parent_key_id"]
+						assert.Equal(t, unsetRotationKey["key_id"], secondRotationKey["key_id"])
+						parentKeyID, ok := unsetRotationKey["parent_key_id"]
 						assert.True(t, ok && len(parentKeyID) > 0, "parent_key_id should exist")
-						assert.Equal(t, newerKey["type"], "tenant-master-key")
-						assert.Equal(t, newerKey["state"], "active")
-						createdAt, ok := newerKey["created_at"]
+						assert.Equal(t, unsetRotationKey["type"], "tenant-master-key")
+						assert.Equal(t, unsetRotationKey["state"], "active")
+						createdAt, ok := unsetRotationKey["created_at"]
 						assert.True(t, ok && len(createdAt) > 0, "created_at should exist")
-						updatedAt, ok := newerKey["updated_at"]
+						updatedAt, ok := unsetRotationKey["updated_at"]
 						assert.True(t, ok && len(updatedAt) > 0, "updated_at should exist")
 
 						return nil