IAM resources for KMS KeyRIng and CryptoKey #781

merged 7 commits into from
Nov 23, 2017
84 changes: 84 additions & 0 deletions google/iam_kms_crypto_key.go
@@ -0,0 +1,84 @@
package google

import (
"fmt"
"github.com/hashicorp/terraform/helper/schema"
"google.golang.org/api/cloudkms/v1"
"google.golang.org/api/cloudresourcemanager/v1"
)

var IamKmsCryptoKeySchema = map[string]*schema.Schema{
"crypto_key_id": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
}

type KmsCryptoKeyIamUpdater struct {
resourceId string
Config *Config
}

func NewKmsCryptoKeyIamUpdater(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error) {
cryptoKey := d.Get("crypto_key_id").(string)
cryptoKeyId, err := parseKmsCryptoKeyId(cryptoKey, config)

if err != nil {
return nil, fmt.Errorf("Error parsing resource ID for for %s: %s", cryptoKey, err)
}

return &KmsCryptoKeyIamUpdater{
resourceId: cryptoKeyId.cryptoKeyId(),
Config: config,
}, nil
}

func (u *KmsCryptoKeyIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
p, err := u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.GetIamPolicy(u.resourceId).Do()

if err != nil {
return nil, fmt.Errorf("Error retrieving IAM policy for %s: %s", u.DescribeResource(), err)
}

cloudResourcePolicy := &cloudresourcemanager.Policy{}

err = Convert(p, cloudResourcePolicy)
Consider extracting the conversion logic in a function and reuse it for the keys and the rings. See:
https://github.com/terraform-providers/terraform-provider-google/blob/master/google/iam_folder.go#L85


if err != nil {
return nil, fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
}

return cloudResourcePolicy, nil
}

func (u *KmsCryptoKeyIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
kmsPolicy := &cloudkms.Policy{}
err := Convert(policy, kmsPolicy)

if err != nil {
return fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
}

_, err = u.Config.clientKms.Projects.Locations.KeyRings.CryptoKeys.SetIamPolicy(u.resourceId, &cloudkms.SetIamPolicyRequest{
Policy: kmsPolicy,
}).Do()

if err != nil {
return fmt.Errorf("Error setting IAM policy for %s: %s", u.DescribeResource(), err)
}

return nil
}

func (u *KmsCryptoKeyIamUpdater) GetResourceId() string {
return u.resourceId
}

func (u *KmsCryptoKeyIamUpdater) GetMutexKey() string {
return fmt.Sprintf("iam-kms-crypto-key-%s", u.resourceId)
}

func (u *KmsCryptoKeyIamUpdater) DescribeResource() string {
return fmt.Sprintf("KMS CryptoKey %q", u.resourceId)
}
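Review bot: NewKmsCryptoKeyIamUpdater's parse-failure message reads `"Error parsing resource ID for for %s: %s"` with a doubled "for"; the identical string appears in NewKmsKeyRingIamUpdater in google/iam_kms_key_ring.go and should be fixed in both. The exported IamKmsCryptoKeySchema, KmsCryptoKeyIamUpdater and NewKmsCryptoKeyIamUpdater carry no doc comment; a one-liner such as `// KmsCryptoKeyIamUpdater reads and writes the IAM policy of a single KMS CryptoKey through the cloudkms client.` would do, and the key ring file needs the same. In SetResourceIamPolicy the incoming policy passes through Convert before the SetIamPolicy call; Convert is defined outside this diff, so this is inferred, but if it does not carry the Etag field over to cloudkms.Policy the write becomes unconditional and a concurrent change to the same key's policy would be silently overwritten, which is worth a unit test asserting that a non-empty Etag survives the round-trip.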
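--- a/google/iam_kms_key_ring.go
+++ b/google/iam_kms_key_ring.go
@@ -0,0 +1,84 @@
+package google
+
+import (
+"fmt"
+"github.com/hashicorp/terraform/helper/schema"
+"google.golang.org/api/cloudkms/v1"
+"google.golang.org/api/cloudresourcemanager/v1"
+)
+
+var IamKmsKeyRingSchema = map[string]*schema.Schema{
+"key_ring_id": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+},
+}
+
+type KmsKeyRingIamUpdater struct {
+resourceId string
+Config *Config
+}
+
+func NewKmsKeyRingIamUpdater(d *schema.ResourceData, config *Config) (ResourceIamUpdater, error) {
+keyRing := d.Get("key_ring_id").(string)
+keyRingId, err := parseKmsKeyRingId(keyRing, config)
+
+if err != nil {
+return nil, fmt.Errorf("Error parsing resource ID for for %s: %s", keyRing, err)
+}
+
+return &KmsKeyRingIamUpdater{
+resourceId: keyRingId.keyRingId(),
+Config: config,
+}, nil
+}
+
+func (u *KmsKeyRingIamUpdater) GetResourceIamPolicy() (*cloudresourcemanager.Policy, error) {
+p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).Do()
+
+if err != nil {
+return nil, fmt.Errorf("Error retrieving IAM policy for %s: %s", u.DescribeResource(), err)
+}
+
+cloudResourcePolicy := &cloudresourcemanager.Policy{}
+
+err = Convert(p, cloudResourcePolicy)
+
+if err != nil {
+return nil, fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
+}
+
+return cloudResourcePolicy, nil
+}
+
+func (u *KmsKeyRingIamUpdater) SetResourceIamPolicy(policy *cloudresourcemanager.Policy) error {
+kmsPolicy := &cloudkms.Policy{}
+err := Convert(policy, kmsPolicy)
+
+if err != nil {
+return fmt.Errorf("Invalid IAM policy for %s: %s", u.DescribeResource(), err)
+}
+
+_, err = u.Config.clientKms.Projects.Locations.KeyRings.SetIamPolicy(u.resourceId, &cloudkms.SetIamPolicyRequest{
+Policy: kmsPolicy,
+}).Do()
+
+if err != nil {
+return fmt.Errorf("Error setting IAM policy for %s: %s", u.DescribeResource(), err)
+}
+
+return nil
+}
+
+func (u *KmsKeyRingIamUpdater) GetResourceId() string {
+return u.resourceId
+}
+
+func (u *KmsKeyRingIamUpdater) GetMutexKey() string {
+return fmt.Sprintf("iam-kms-key-ring-%s", u.resourceId)
+}
+
+func (u *KmsKeyRingIamUpdater) DescribeResource() string {
+return fmt.Sprintf("KMS KeyRing %q", u.resourceId)
+}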
4 changes: 4 additions & 0 deletions google/provider.go
Expand Up @@ -122,7 +122,11 @@ func Provider() terraform.ResourceProvider {
"google_logging_folder_sink": resourceLoggingFolderSink(),
"google_logging_project_sink": resourceLoggingProjectSink(),
"google_kms_key_ring": resourceKmsKeyRing(),
"google_kms_key_ring_iam_binding": ResourceIamBinding(IamKmsKeyRingSchema, NewKmsKeyRingIamUpdater),
"google_kms_key_ring_iam_member": ResourceIamMember(IamKmsKeyRingSchema, NewKmsKeyRingIamUpdater),
"google_kms_crypto_key": resourceKmsCryptoKey(),
"google_kms_crypto_key_iam_binding": ResourceIamBinding(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater),
"google_kms_crypto_key_iam_member": ResourceIamMember(IamKmsCryptoKeySchema, NewKmsCryptoKeyIamUpdater),
"google_sourcerepo_repository": resourceSourceRepoRepository(),
"google_spanner_instance": resourceSpannerInstance(),
"google_spanner_database": resourceSpannerDatabase(),