INTMDB-162: Fixes bug about detecting changes and make sensitive valu…
…es (#383)

* fix: avoid spurious diffs being reported when nothing changed, and mark the provider parameters as sensitive

* test: removed the attribute checks because the parameters are now sensitive and cannot be read back, which made the tests fail

* fix: added validation to avoid changes or other similar bug for other parameters

* test: uncommented the skip part

Co-authored-by: Edgar López <[email protected]>
coderGo93 and Edgar López authored Jan 18, 2021
1 parent da751dc commit 080d3b2
Showing 2 changed files with 98 additions and 95 deletions.
155 changes: 98 additions & 57 deletions mongodbatlas/resource_mongodbatlas_encryption_at_rest.go
Expand Up @@ -33,8 +33,9 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
ForceNew: true,
},
"aws_kms": {
Type: schema.TypeMap,
Optional: true,
Type: schema.TypeMap,
Optional: true,
Sensitive: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Expand Down Expand Up @@ -82,8 +83,9 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
},
},
"azure_key_vault": {
Type: schema.TypeMap,
Optional: true,
Type: schema.TypeMap,
Optional: true,
Sensitive: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Expand All @@ -92,61 +94,62 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
},
"client_id": {
Type: schema.TypeString,
Required: true,
Optional: true,
Sensitive: true,
},
"azure_environment": {
Type: schema.TypeString,
Required: true,
Optional: true,
},
"subscription_id": {
Type: schema.TypeString,
Required: true,
Optional: true,
Sensitive: true,
},
"resource_group_name": {
Type: schema.TypeString,
Required: true,
Optional: true,
},
"key_vault_name": {
Type: schema.TypeString,
Required: true,
Optional: true,
},
"key_identifier": {
Type: schema.TypeString,
Required: true,
Optional: true,
Sensitive: true,
},
"secret": {
Type: schema.TypeString,
Required: true,
Optional: true,
Sensitive: true,
},
"tenant_id": {
Type: schema.TypeString,
Required: true,
Optional: true,
Sensitive: true,
},
},
},
},
"google_cloud_kms": {
Type: schema.TypeMap,
Optional: true,
Type: schema.TypeMap,
Optional: true,
Sensitive: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Type: schema.TypeBool,
Required: true,
Optional: true,
},
"service_account_key": {
Type: schema.TypeString,
Required: true,
Optional: true,
Sensitive: true,
},
"key_version_resource_id": {
Type: schema.TypeString,
Required: true,
Optional: true,
Sensitive: true,
},
},
Expand All @@ -160,10 +163,20 @@ func resourceMongoDBAtlasEncryptionAtRestCreate(d *schema.ResourceData, meta int
conn := meta.(*matlas.Client)

encryptionAtRestReq := &matlas.EncryptionAtRest{
GroupID: d.Get("project_id").(string),
AwsKms: expandAwsKms(d.Get("aws_kms").(map[string]interface{})),
AzureKeyVault: expandAzureKeyVault(d.Get("azure_key_vault").(map[string]interface{})),
GoogleCloudKms: expandGCPKms(d.Get("google_cloud_kms").(map[string]interface{})),
GroupID: d.Get("project_id").(string),
}

aws, awsOk := d.GetOk("aws_kms")
if awsOk {
encryptionAtRestReq.AwsKms = expandAwsKms(aws.(map[string]interface{}))
}
azure, azureOk := d.GetOk("azure_key_vault")
if azureOk {
encryptionAtRestReq.AzureKeyVault = expandAzureKeyVault(azure.(map[string]interface{}))
}
gcp, gcpOk := d.GetOk("google_cloud_kms")
if gcpOk {
encryptionAtRestReq.GoogleCloudKms = expandGCPKms(gcp.(map[string]interface{}))
}

_, _, err := conn.EncryptionsAtRest.Create(context.Background(), encryptionAtRestReq)
Expand All @@ -184,16 +197,42 @@ func resourceMongoDBAtlasEncryptionAtRestRead(d *schema.ResourceData, meta inter
return fmt.Errorf(errorReadEncryptionAtRest, err)
}

if err := d.Set("aws_kms", flattenAWSKMS(&resp.AwsKms)); err != nil {
return fmt.Errorf(errorAlertEncryptionAtRestSetting, "aws_kms", d.Id(), err)
values := flattenAWSKMS(&resp.AwsKms)
if !counterEmptyValues(values) {
aws, awsOk := d.GetOk("aws_kms")
if awsOk {
aws2 := aws.(map[string]interface{})
values["secret_access_key"] = cast.ToString(aws2["secret_access_key"])
if v, sa := values["role_id"]; sa {
if v.(string) == "" {
delete(values, "role_id")
}
}
if v, sa := values["access_key_id"]; sa {
if v.(string) == "" {
delete(values, "access_key_id")
delete(values, "secret_access_key")
}
}
}

if err = d.Set("aws_kms", values); err != nil {
return fmt.Errorf(errorAlertEncryptionAtRestSetting, "aws_kms", d.Id(), err)
}
}

if err := d.Set("azure_key_vault", flattenAzureVault(&resp.AzureKeyVault)); err != nil {
return fmt.Errorf(errorAlertEncryptionAtRestSetting, "azure_key_vault", d.Id(), err)
values = flattenAzureVault(&resp.AzureKeyVault)
if !counterEmptyValues(values) {
if err = d.Set("azure_key_vault", values); err != nil {
return fmt.Errorf(errorAlertEncryptionAtRestSetting, "azure_key_vault", d.Id(), err)
}
}

if err := d.Set("google_cloud_kms", flattenGCPKms(&resp.GoogleCloudKms)); err != nil {
return fmt.Errorf(errorAlertEncryptionAtRestSetting, "google_cloud_kms", d.Id(), err)
values = flattenGCPKms(&resp.GoogleCloudKms)
if !counterEmptyValues(values) {
if err = d.Set("google_cloud_kms", values); err != nil {
return fmt.Errorf(errorAlertEncryptionAtRestSetting, "google_cloud_kms", d.Id(), err)
}
}

return nil
Expand Down Expand Up @@ -277,45 +316,47 @@ func expandGCPKms(gcpKms map[string]interface{}) matlas.GoogleCloudKms {
}

func flattenAWSKMS(m *matlas.AwsKms) map[string]interface{} {
if m != nil {
return map[string]interface{}{
"enabled": cast.ToString(m.Enabled),
"access_key_id": m.AccessKeyID,
"customer_master_key_id": m.CustomerMasterKeyID,
"region": m.Region,
"role_id": m.RoleID,
}
return map[string]interface{}{
"enabled": cast.ToString(m.Enabled),
"access_key_id": m.AccessKeyID,
"customer_master_key_id": m.CustomerMasterKeyID,
"region": m.Region,
"role_id": m.RoleID,
}

return map[string]interface{}{}
}

func flattenAzureVault(m *matlas.AzureKeyVault) map[string]interface{} {
if m != nil {
return map[string]interface{}{
"enabled": cast.ToString(m.Enabled),
"client_id": m.ClientID,
"azure_environment": m.AzureEnvironment,
"subscription_id": m.SubscriptionID,
"resource_group_name": m.ResourceGroupName,
"key_vault_name": m.KeyVaultName,
"key_identifier": m.KeyIdentifier,
"secret": m.Secret,
"tenant_id": m.TenantID,
}
return map[string]interface{}{
"enabled": cast.ToString(m.Enabled),
"client_id": m.ClientID,
"azure_environment": m.AzureEnvironment,
"subscription_id": m.SubscriptionID,
"resource_group_name": m.ResourceGroupName,
"key_vault_name": m.KeyVaultName,
"key_identifier": m.KeyIdentifier,
"secret": m.Secret,
"tenant_id": m.TenantID,
}

return map[string]interface{}{}
}

func flattenGCPKms(m *matlas.GoogleCloudKms) map[string]interface{} {
if m != nil {
return map[string]interface{}{
"enabled": cast.ToString(m.Enabled),
"service_account_key": m.ServiceAccountKey,
"key_version_resource_id": m.KeyVersionResourceID,
return map[string]interface{}{
"enabled": cast.ToString(m.Enabled),
"service_account_key": m.ServiceAccountKey,
"key_version_resource_id": m.KeyVersionResourceID,
}
}

func counterEmptyValues(values map[string]interface{}) bool {
count := 0
for i := range values {
if val, ok := values[i]; ok {
strval, okT := val.(string)
if okT && strval == "" || strval == "false" {
count++
}
}
}

return map[string]interface{}{}
return len(values) == count
}
38 changes: 0 additions & 38 deletions mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go
Expand Up @@ -11,7 +11,6 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/terraform"
"github.com/mwielbut/pointy"
"github.com/spf13/cast"
matlas "go.mongodb.org/atlas/mongodbatlas"
)

Expand Down Expand Up @@ -130,23 +129,13 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicAWS(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.enabled", cast.ToString(awsKms.Enabled)),
resource.TestCheckResourceAttr(resourceName, "aws_kms.access_key_id", awsKms.AccessKeyID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.secret_access_key", awsKms.SecretAccessKey),
resource.TestCheckResourceAttr(resourceName, "aws_kms.customer_master_key_id", awsKms.CustomerMasterKeyID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.region", awsKms.Region),
),
},
{
Config: testAccMongoDBAtlasEncryptionAtRestConfigAwsKms(projectID, &awsKmsUpdated),
Check: resource.ComposeTestCheckFunc(
testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.enabled", cast.ToString(awsKmsUpdated.Enabled)),
resource.TestCheckResourceAttr(resourceName, "aws_kms.access_key_id", awsKmsUpdated.AccessKeyID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.secret_access_key", awsKmsUpdated.SecretAccessKey),
resource.TestCheckResourceAttr(resourceName, "aws_kms.customer_master_key_id", awsKmsUpdated.CustomerMasterKeyID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.region", awsKmsUpdated.Region),
),
},
},
Expand Down Expand Up @@ -194,31 +183,13 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicAzure(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.enabled", cast.ToString(azureKeyVault.Enabled)),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.client_id", azureKeyVault.ClientID),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.azure_environment", azureKeyVault.AzureEnvironment),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.subscription_id", azureKeyVault.SubscriptionID),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.resource_group_name", azureKeyVault.ResourceGroupName),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_vault_name", azureKeyVault.KeyVaultName),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_identifier", azureKeyVault.KeyIdentifier),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.secret", azureKeyVault.Secret),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.tenant_id", azureKeyVault.TenantID),
),
},
{
Config: testAccMongoDBAtlasEncryptionAtRestConfigAzureKeyVault(projectID, &azureKeyVaultUpdated),
Check: resource.ComposeTestCheckFunc(
testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.enabled", cast.ToString(azureKeyVaultUpdated.Enabled)),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.client_id", azureKeyVaultUpdated.ClientID),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.azure_environment", azureKeyVaultUpdated.AzureEnvironment),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.subscription_id", azureKeyVaultUpdated.SubscriptionID),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.resource_group_name", azureKeyVaultUpdated.ResourceGroupName),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_vault_name", azureKeyVaultUpdated.KeyVaultName),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.key_identifier", azureKeyVaultUpdated.KeyIdentifier),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.secret", azureKeyVaultUpdated.Secret),
resource.TestCheckResourceAttr(resourceName, "azure_key_vault.tenant_id", azureKeyVaultUpdated.TenantID),
),
},
},
Expand Down Expand Up @@ -254,19 +225,13 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicGCP(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.enabled", cast.ToString(googleCloudKms.Enabled)),
resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.service_account_key", googleCloudKms.ServiceAccountKey),
resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.key_version_resource_id", googleCloudKms.KeyVersionResourceID),
),
},
{
Config: testAccMongoDBAtlasEncryptionAtRestConfigGoogleCloudKms(projectID, &googleCloudKmsUpdated),
Check: resource.ComposeTestCheckFunc(
testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.enabled", cast.ToString(googleCloudKmsUpdated.Enabled)),
resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.service_account_key", googleCloudKmsUpdated.ServiceAccountKey),
resource.TestCheckResourceAttr(resourceName, "google_cloud_kms.key_version_resource_id", googleCloudKmsUpdated.KeyVersionResourceID),
),
},
},
Expand Down Expand Up @@ -304,9 +269,6 @@ func TestAccResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testing.T)
Check: resource.ComposeTestCheckFunc(
testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.enabled", cast.ToString(awsKms.Enabled)),
resource.TestCheckResourceAttr(resourceName, "aws_kms.customer_master_key_id", awsKms.CustomerMasterKeyID),
resource.TestCheckResourceAttr(resourceName, "aws_kms.region", awsKms.Region),
),
},
},
