Merge pull request #34739 from hashicorp/app-config-deploy-kms

r/appconfig_deployment: add `kms_key_identifier` attribute
hashicorp · Dec 5, 2023 · 10d4a2f · 10d4a2f
2 parents 8a5d84d + 96c9dca
commit 10d4a2f
Show file tree

Hide file tree

Showing 4 changed files with 123 additions and 0 deletions.
diff --git a/.changelog/34739.txt b/.changelog/34739.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_appconfig_deployment: Add `kms_key_identifier` attribute
+```
diff --git a/internal/service/appconfig/deployment.go b/internal/service/appconfig/deployment.go
@@ -82,6 +82,18 @@ func ResourceDeployment() *schema.Resource {
 				ForceNew:     true,
 				ValidateFunc: validation.StringMatch(regexache.MustCompile(`[0-9a-z]{4,7}`), ""),
 			},
+			"kms_key_arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"kms_key_identifier": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				ValidateFunc: validation.Any(
+					verify.ValidARN,
+					validation.StringLenBetween(1, 256)),
+			},
 			"state": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -107,6 +119,10 @@ func resourceDeploymentCreate(ctx context.Context, d *schema.ResourceData, meta
 		Tags:                   getTagsIn(ctx),
 	}
 
+	if v, ok := d.GetOk("kms_key_identifier"); ok {
+		input.KmsKeyIdentifier = aws.String(v.(string))
+	}
+
 	output, err := conn.StartDeploymentWithContext(ctx, input)
 
 	if err != nil {
@@ -174,6 +190,8 @@ func resourceDeploymentRead(ctx context.Context, d *schema.ResourceData, meta in
 	d.Set("deployment_strategy_id", output.DeploymentStrategyId)
 	d.Set("description", output.Description)
 	d.Set("environment_id", output.EnvironmentId)
+	d.Set("kms_key_arn", output.KmsKeyArn)
+	d.Set("kms_key_identifier", output.KmsKeyIdentifier)
 	d.Set("state", output.State)
 
 	return diags

diff --git a/internal/service/appconfig/deployment_test.go b/internal/service/appconfig/deployment_test.go
@@ -62,6 +62,45 @@ func TestAccAppConfigDeployment_basic(t *testing.T) {
 	})
 }
 
+func TestAccAppConfigDeployment_kms(t *testing.T) {
+	ctx := acctest.Context(t)
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_appconfig_deployment.test"
+	appResourceName := "aws_appconfig_application.test"
+	confProfResourceName := "aws_appconfig_configuration_profile.test"
+	depStrategyResourceName := "aws_appconfig_deployment_strategy.test"
+	envResourceName := "aws_appconfig_environment.test"
+	confVersionResourceName := "aws_appconfig_hosted_configuration_version.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, appconfig.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		// AppConfig Deployments cannot be destroyed, but we want to ensure
+		// the Application and its dependents are removed.
+		CheckDestroy: testAccCheckApplicationDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDeploymentConfig_kms(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckDeploymentExists(ctx, resourceName),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "appconfig", regexache.MustCompile(`application/[0-9a-z]{4,7}/environment/[0-9a-z]{4,7}/deployment/1`)),
+					resource.TestCheckResourceAttrPair(resourceName, "application_id", appResourceName, "id"),
+					resource.TestCheckResourceAttrPair(resourceName, "configuration_profile_id", confProfResourceName, "configuration_profile_id"),
+					resource.TestCheckResourceAttrPair(resourceName, "configuration_version", confVersionResourceName, "version_number"),
+					resource.TestCheckResourceAttr(resourceName, "deployment_number", "1"),
+					resource.TestCheckResourceAttrPair(resourceName, "deployment_strategy_id", depStrategyResourceName, "id"),
+					resource.TestCheckResourceAttr(resourceName, "description", rName),
+					resource.TestCheckResourceAttrPair(resourceName, "environment_id", envResourceName, "environment_id"),
+					resource.TestCheckResourceAttrSet(resourceName, "kms_key_identifier"),
+					resource.TestCheckResourceAttrSet(resourceName, "state"),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAppConfigDeployment_predefinedStrategy(t *testing.T) {
 	ctx := acctest.Context(t)
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -219,6 +258,50 @@ resource "aws_appconfig_hosted_configuration_version" "test" {
 `, rName)
 }
 
+func testAccDeploymentKMSConfig(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_kms_key" "test" {
+  description             = %[1]q
+  deletion_window_in_days = 7
+}
+
+resource "aws_appconfig_application" "test" {
+  name = %[1]q
+}
+
+resource "aws_appconfig_environment" "test" {
+  name           = %[1]q
+  application_id = aws_appconfig_application.test.id
+}
+
+resource "aws_appconfig_configuration_profile" "test" {
+  application_id     = aws_appconfig_application.test.id
+  name               = %[1]q
+  location_uri       = "hosted"
+  kms_key_identifier = aws_kms_key.test.arn
+}
+
+resource "aws_appconfig_deployment_strategy" "test" {
+  name                           = %[1]q
+  deployment_duration_in_minutes = 3
+  growth_factor                  = 10
+  replicate_to                   = "NONE"
+}
+
+resource "aws_appconfig_hosted_configuration_version" "test" {
+  application_id           = aws_appconfig_application.test.id
+  configuration_profile_id = aws_appconfig_configuration_profile.test.configuration_profile_id
+  content_type             = "application/json"
+
+  content = jsonencode({
+    foo = "bar"
+  })
+
+  description = %[1]q
+}
+`, rName)
+}
+
 func testAccDeploymentConfig_name(rName string) string {
 	return acctest.ConfigCompose(
 		testAccDeploymentBaseConfig(rName),
@@ -234,6 +317,22 @@ resource "aws_appconfig_deployment" "test"{
 `, rName))
 }
 
+func testAccDeploymentConfig_kms(rName string) string {
+	return acctest.ConfigCompose(
+		testAccDeploymentKMSConfig(rName),
+		fmt.Sprintf(`
+resource "aws_appconfig_deployment" "test"{
+  application_id           = aws_appconfig_application.test.id
+  configuration_profile_id = aws_appconfig_configuration_profile.test.configuration_profile_id
+  configuration_version    = aws_appconfig_hosted_configuration_version.test.version_number
+  description              = %[1]q
+  deployment_strategy_id   = aws_appconfig_deployment_strategy.test.id
+  environment_id           = aws_appconfig_environment.test.environment_id
+  kms_key_identifier       = aws_kms_key.test.arn
+}
+`, rName))
+}
+
 func testAccDeploymentConfig_predefinedStrategy(rName, strategy string) string {
 	return acctest.ConfigCompose(
 		testAccDeploymentBaseConfig(rName),

diff --git a/website/docs/r/appconfig_deployment.html.markdown b/website/docs/r/appconfig_deployment.html.markdown
@@ -20,6 +20,7 @@ resource "aws_appconfig_deployment" "example" {
   deployment_strategy_id   = aws_appconfig_deployment_strategy.example.id
   description              = "My example deployment"
   environment_id           = aws_appconfig_environment.example.environment_id
+  kms_key_identifier       = aws_kms_key.example.arn
 
   tags = {
     Type = "AppConfig Deployment"
@@ -37,6 +38,7 @@ This resource supports the following arguments:
 * `deployment_strategy_id` - (Required, Forces new resource) Deployment strategy ID or name of a predefined deployment strategy. See [Predefined Deployment Strategies](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-deployment-strategy.html#appconfig-creating-deployment-strategy-predefined) for more details.
 * `description` - (Optional, Forces new resource) Description of the deployment. Can be at most 1024 characters.
 * `environment_id` - (Required, Forces new resource) Environment ID. Must be between 4 and 7 characters in length.
+* `kms_key_identifier` - (Optional, Forces new resource) The KMS key identifier (key ID, key alias, or key ARN). AppConfig uses this to encrypt the configuration data using a customer managed key.
 * `tags` - (Optional) Map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 
 ## Attribute Reference
@@ -46,6 +48,7 @@ This resource exports the following attributes in addition to the arguments abov
 * `id` - AppConfig application ID, environment ID, and deployment number separated by a slash (`/`).
 * `arn` - ARN of the AppConfig Deployment.
 * `deployment_number` - Deployment number.
+* `kms_key_arn` - ARN of the KMS key used to encrypt configuration data.
 * `state` - State of the deployment.
 * `tags_all` - Map of tags assigned to the resource, including those inherited from the provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block).