IAM resources for KMS KeyRIng and CryptoKey (#781)

* Add IAM bindings and member resources for KMS KeyRings * Add IAM bindings and member resources for KMS CryptoKeys * Docs for key ring and crypto key IAM resources * Exctract KMS policy conversions to helper functions * Split iam_binding and iam_member tests for KMS * Docs for kms IAM member resources * Run KMS IAM tests in own project
hashicorp · Nov 23, 2017 · 6f4a792 · 6f4a792
1 parent 7a080b8
commit 6f4a792
Show file tree

Hide file tree

Showing 10 changed files with 927 additions and 0 deletions.
diff --git a/google/iam_kms_crypto_key.go b/google/iam_kms_crypto_key.go
@@ -0,0 +1,81 @@
+package google
+
+import (
+	"fmt"
+	"github.com/hashicorp/terraform/helper/schema"
+	"google.golang.org/api/cloudkms/v1"
+	"google.golang.org/api/cloudresourcemanager/v1"
+)
+
+var IamKmsCryptoKeySchema = map[string]*schema.Schema{
+	"crypto_key_id": {
+		Type:     schema.TypeString,
+		Required: true,
+		ForceNew: true,
+	},
+}
+
+type KmsCryptoKeyIamUpdater struct {
+	resourceId string
+	Config     *Config
+}
+
+func NewKmsCryptoKeyIamUpdater(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error) {
+	cryptoKey := d.Get("crypto_key_id").(string)
+	cryptoKeyId, err := parseKmsCryptoKeyId(cryptoKey, config)
+
+	if err != nil {
+		return nil, fmt.Errorf("Error parsing resource ID for for %s: %s", cryptoKey, err)
+	}
+
+	return &KmsCryptoKeyIamUpdater{
+		resourceId: cryptoKeyId.cryptoKeyId(),
+		Config:     config,
+	}, nil
+}
+
+func (u *KmsCryptoKeyIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
+	p, err := u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.GetIamPolicy(u.resourceId).Do()
+
+	if err != nil {
+		return nil, fmt.Errorf("Error retrieving IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	cloudResourcePolicy, err := kmsToResourceManagerPolicy(p)
+
+	if err != nil {
+		return nil, fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	return cloudResourcePolicy, nil
+}
+
+func (u *KmsCryptoKeyIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
+	kmsPolicy, err := resourceManagerToKmsPolicy(policy)
+
+	if err != nil {
+		return fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	_, err = u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.SetIamPolicy(u.resourceId, &cloudkms.SetIamPolicyRequest{
+		Policy: kmsPolicy,
+	}).Do()
+
+	if err != nil {
+		return fmt.Errorf("Error setting IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	return nil
+}
+
+func (u *KmsCryptoKeyIamUpdater) GetResourceId() string {
+	return u.resourceId
+}
+
+func (u *KmsCryptoKeyIamUpdater) GetMutexKey() string {
+	return fmt.Sprintf("iam-kms-crypto-key-%s", u.resourceId)
+}
+
+func (u *KmsCryptoKeyIamUpdater) DescribeResource() string {
+	return fmt.Sprintf("KMS CryptoKey %q", u.resourceId)
+}
diff --git a/google/iam_kms_key_ring.go b/google/iam_kms_key_ring.go
@@ -0,0 +1,97 @@
+package google
+
+import (
+	"fmt"
+	"github.com/hashicorp/terraform/helper/schema"
+	"google.golang.org/api/cloudkms/v1"
+	"google.golang.org/api/cloudresourcemanager/v1"
+)
+
+var IamKmsKeyRingSchema = map[string]*schema.Schema{
+	"key_ring_id": {
+		Type:     schema.TypeString,
+		Required: true,
+		ForceNew: true,
+	},
+}
+
+type KmsKeyRingIamUpdater struct {
+	resourceId string
+	Config     *Config
+}
+
+func NewKmsKeyRingIamUpdater(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error) {
+	keyRing := d.Get("key_ring_id").(string)
+	keyRingId, err := parseKmsKeyRingId(keyRing, config)
+
+	if err != nil {
+		return nil, fmt.Errorf("Error parsing resource ID for for %s: %s", keyRing, err)
+	}
+
+	return &KmsKeyRingIamUpdater{
+		resourceId: keyRingId.keyRingId(),
+		Config:     config,
+	}, nil
+}
+
+func resourceManagerToKmsPolicy(p *cloudresourcemanager.Policy) (policy *cloudkms.Policy, err error) {
+	policy = &cloudkms.Policy{}
+
+	err = Convert(p, policy)
+
+	return
+}
+
+func kmsToResourceManagerPolicy(p *cloudkms.Policy) (policy *cloudresourcemanager.Policy, err error) {
+	policy = &cloudresourcemanager.Policy{}
+
+	err = Convert(p, policy)
+
+	return
+}
+
+func (u *KmsKeyRingIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
+	p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).Do()
+
+	if err != nil {
+		return nil, fmt.Errorf("Error retrieving IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	cloudResourcePolicy, err := kmsToResourceManagerPolicy(p)
+
+	if err != nil {
+		return nil, fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	return cloudResourcePolicy, nil
+}
+
+func (u *KmsKeyRingIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
+	kmsPolicy, err := resourceManagerToKmsPolicy(policy)
+
+	if err != nil {
+		return fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	_, err = u.Config.clientKms.Projects.Locations.KeyRings.SetIamPolicy(u.resourceId, &cloudkms.SetIamPolicyRequest{
+		Policy: kmsPolicy,
+	}).Do()
+
+	if err != nil {
+		return fmt.Errorf("Error setting IAM policy for %s: %s", u.DescribeResource(), err)
+	}
+
+	return nil
+}
+
+func (u *KmsKeyRingIamUpdater) GetResourceId() string {
+	return u.resourceId
+}
+
+func (u *KmsKeyRingIamUpdater) GetMutexKey() string {
+	return fmt.Sprintf("iam-kms-key-ring-%s", u.resourceId)
+}
+
+func (u *KmsKeyRingIamUpdater) DescribeResource() string {
+	return fmt.Sprintf("KMS KeyRing %q", u.resourceId)
+}
diff --git a/google/provider.go b/google/provider.go
@@ -122,7 +122,11 @@ func Provider() terraform.ResourceProvider {
 			"google_logging_folder_sink":                   resourceLoggingFolderSink(),
 			"google_logging_project_sink":                  resourceLoggingProjectSink(),
 			"google_kms_key_ring":                          resourceKmsKeyRing(),
+			"google_kms_key_ring_iam_binding":              ResourceIamBinding(IamKmsKeyRingSchema, NewKmsKeyRingIamUpdater),
+			"google_kms_key_ring_iam_member":               ResourceIamMember(IamKmsKeyRingSchema, NewKmsKeyRingIamUpdater),
 			"google_kms_crypto_key":                        resourceKmsCryptoKey(),
+			"google_kms_crypto_key_iam_binding":            ResourceIamBinding(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater),
+			"google_kms_crypto_key_iam_member":             ResourceIamMember(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater),
 			"google_sourcerepo_repository":                 resourceSourceRepoRepository(),
 			"google_spanner_instance":                      resourceSpannerInstance(),
 			"google_spanner_database":                      resourceSpannerDatabase(),