Support BYOK in Terraform provider

auth0 · Oct 4, 2024 · e0f8b55 · e0f8b55
1 parent 1a3b628
commit e0f8b55
Show file tree

Hide file tree

Showing 11 changed files with 3,309 additions and 499 deletions.
diff --git a/docs/resources/encryption_key_manager.md b/docs/resources/encryption_key_manager.md
@@ -25,13 +25,33 @@ resource "auth0_encryption_key_manager" "my_encryption_key_manager_rekey" {
 
 ### Optional
 
+- `customer_provided_root_key` (Block List, Max: 1) This attribute is used for provisioning the customer provided root key. To initiate the provisioning process, create a new empty `customer_provided_root_key` block. After applying this, the `public_wrapping_key` can be retreived from the resource, and the new root key should be generated by the customer and wrapped with the wrapping key, then base64-encoded and added as the `wrapped_key` attribute. (see [below for nested schema](#nestedblock--customer_provided_root_key))
 - `key_rotation_id` (String) If this value is changed, the encryption keys will be rotated. A UUID is recommended for the `key_rotation_id`.
 
 ### Read-Only
 
 - `encryption_keys` (List of Object) All encryption keys. (see [below for nested schema](#nestedatt--encryption_keys))
 - `id` (String) The ID of this resource.
 
+<a id="nestedblock--customer_provided_root_key"></a>
+### Nested Schema for `customer_provided_root_key`
+
+Optional:
+
+- `wrapped_key` (String) The base64-encoded customer provided root key, wrapped using the `public_wrapping_key`. This can be removed after the wrapped key has been applied.
+
+Read-Only:
+
+- `created_at` (String) The ISO 8601 formatted date the customer provided root key was created.
+- `key_id` (String) The key ID of the customer provided root key.
+- `parent_key_id` (String) The key ID of the parent wrapping key.
+- `public_wrapping_key` (String) The public wrapping key in PEM format.
+- `state` (String) The state of the encryption key. One of `pre-activation`, `active`, `deactivated`, or `destroyed`.
+- `type` (String) The type of the customer provided root key. Should be `customer-provided-root-key`.
+- `updated_at` (String) The ISO 8601 formatted date the customer provided root key was updated.
+- `wrapping_algorithm` (String) The algorithm that should be used to wrap the customer provided root key. Should be `CKM_RSA_AES_KEY_WRAP`.
+
+
 <a id="nestedatt--encryption_keys"></a>
 ### Nested Schema for `encryption_keys`
 

diff --git a/examples/resources/auth0_encryption_key_manager/import.sh b/examples/resources/auth0_encryption_key_manager/import.sh
diff --git a/examples/resources/auth0_encryption_key_manager/resource.tf b/examples/resources/auth0_encryption_key_manager/resource.tf
@@ -1,8 +1,33 @@
-resource "auth0_encryption_key_manager" "my_encryption_key_manager_initial" {
+# Modifying the key_rotation_id causes the keys to be rotated/rekeyed.
+resource "auth0_encryption_key_manager" "my_key_manager_initial" {
   key_rotation_id = "da9f2f3b-1c7e-4245-8982-9a25da8407c4"
 }
 
-resource "auth0_encryption_key_manager" "my_encryption_key_manager_rekey" {
+resource "auth0_encryption_key_manager" "my_key_manager_rekey" {
   key_rotation_id = "68feba2c-7768-40f3-9d71-4b91e0233abf"
 }
 
+# To initialize the process of providing root key by the customer, create a
+# `customer_provided_root_key` block.
+resource "auth0_encryption_key_manager" "my_key_manager" {
+  customer_provided_root_key {
+  }
+}
+
+# The public_wrapping_key and wrapping_algorithm should be available to
+# be used to wrap the new key by the customer
+output "key_manager" {
+  depends_on = [ auth0_encryption_key_manager.my_key_manager ]
+  value = {
+    public_wrapping_key = auth0_encryption_key_manager.my_key_manager.customer_provided_root_key.*.public_wrapping_key
+    wrapping_algorithm = auth0_encryption_key_manager.my_key_manager.customer_provided_root_key.*.wrapping_algorithm
+  }
+}
+
+# The root key should be wrapped using the specified algorithm by the customer and Base64 encoded.
+resource "auth0_encryption_key_manager" "my_key_manager" {
+  customer_provided_root_key {
+    wrapped_key = "miw4MHtx9BriXv4FDNOT930z0+MaK8HXvLI8clu0bS7LgfeLmAW8e59QP2QD1VfNTB7uvD5lYgsK92G3X5G95qNWJjZ8euEk1fM1+vtONQptqQyBdTWW4ZcJadaodASsJrSMXfSD+xJ3Lh45yEmkeENSDi60ZxKu5qUYuZmPWpEXeohPakJSm5X1qNVNLCOzBhNNG+OMEp8FVXtXnZTZVNtjbG2peVRpLlNGQkGfCWSY2VjpJkMcqf7DTRTF+USv9G1GHirRYkdVmlAOLfn/iwAHhIJlOqWYEhwkglIctMzX8mxW6VHCS3gptvcRk2j3eYNcw7BBrumuF+DE0NgQmmKaz0nRkHFRlv9RMRhk0qweHWPrp5Y2gCv+6du/m9FVMsNOSR0+4eSWsgOQw5B8gRs+4NfHm2N5sK2CRfzJ3mVNJjysaaag6TrTPbQjwlmcg5+DzeSc87Af5lwUvWT/kXPOGzVUNv9cF0FX7JM06UBQv5vfuU5zL/6VvszqCyjdxvbLgtGU1j/Hev++gKCfTQ8UcpegYxM6Ea60y4Qb3OezfdFE8R8eZg=="
+  }
+}
+
diff --git a/internal/auth0/encryptionkeymanager/flatten.go b/internal/auth0/encryptionkeymanager/flatten.go
@@ -2,21 +2,64 @@ package encryptionkeymanager
 
 import (
 	"github.com/auth0/go-auth0/management"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
+func flattenCustomerProvidedRootKey(data *schema.ResourceData, rootKey *management.EncryptionKey, wrappingKey *management.WrappingKey) []interface{} {
+	const timeRFC3339WithMilliseconds = "2006-01-02T15:04:05.000Z07:00"
+
+	originalValue := data.Get("customer_provided_root_key").([]interface{})
+	result := make(map[string]interface{})
+	if len(originalValue) > 0 && originalValue[0] != nil {
+		result = originalValue[0].(map[string]interface{})
+	}
+	if rootKey != nil {
+		result["key_id"] = rootKey.GetKID()
+		result["parent_key_id"] = rootKey.GetParentKID()
+		result["type"] = rootKey.GetType()
+		result["state"] = rootKey.GetState()
+		result["created_at"] = rootKey.GetCreatedAt().Format(timeRFC3339WithMilliseconds)
+		result["updated_at"] = rootKey.GetUpdatedAt().Format(timeRFC3339WithMilliseconds)
+		if rootKey.GetState() != "pre-activation" {
+			result["public_wrapping_key"] = nil
+			result["wrapping_algorithm"] = nil
+		}
+	}
+	if wrappingKey != nil {
+		result["public_wrapping_key"] = wrappingKey.GetPublicKey()
+		result["wrapping_algorithm"] = wrappingKey.GetAlgorithm()
+	}
+
+	return []interface{}{result}
+}
+
 func flattenEncryptionKeys(keys []*management.EncryptionKey) []interface{} {
-	var result []interface{}
+	var flattenedKeys []interface{}
+	for _, key := range keys {
+		flattenedKeys = append(flattenedKeys, flattenKey(key))
+	}
+
+	return flattenedKeys
+}
+
+func flattenKey(key *management.EncryptionKey) interface{} {
 	const timeRFC3339WithMilliseconds = "2006-01-02T15:04:05.000Z07:00"
 
+	return map[string]interface{}{
+		"key_id":        key.GetKID(),
+		"parent_key_id": key.GetParentKID(),
+		"type":          key.GetType(),
+		"state":         key.GetState(),
+		"created_at":    key.GetCreatedAt().Format(timeRFC3339WithMilliseconds),
+		"updated_at":    key.GetUpdatedAt().Format(timeRFC3339WithMilliseconds),
+	}
+}
+
+func getKeyByTypeAndState(keyType, keyState string, keys []*management.EncryptionKey) *management.EncryptionKey {
 	for _, key := range keys {
-		result = append(result, map[string]interface{}{
-			"key_id":        key.GetKID(),
-			"parent_key_id": key.GetParentKID(),
-			"type":          key.GetType(),
-			"state":         key.GetState(),
-			"created_at":    key.GetCreatedAt().Format(timeRFC3339WithMilliseconds),
-			"updated_at":    key.GetUpdatedAt().Format(timeRFC3339WithMilliseconds),
-		})
+		if key.GetType() == keyType && key.GetState() == keyState {
+			return key
+		}
 	}
-	return result
+	return nil
 }