Key rings

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/IBM/go-sdk-core/v5 v5.2.0
 	github.com/IBM/ibm-cos-sdk-go v1.3.1
 	github.com/IBM/ibm-cos-sdk-go-config v1.0.1
-	github.com/IBM/keyprotect-go-client v0.6.0
+	github.com/IBM/keyprotect-go-client v0.7.0
 	github.com/IBM/networking-go-sdk v0.12.1
 	github.com/IBM/platform-services-go-sdk v0.17.17
 	github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5

go.sum

@@ -84,12 +84,10 @@ github.com/IBM/ibm-cos-sdk-go-config v1.0.1 h1:Nld42UysaZ16hPl4XMnkCgbuwW+s4OVct
 github.com/IBM/ibm-cos-sdk-go-config v1.0.1/go.mod h1:BAbdv1Zf8mRP6rj40Cem7KgBp+UQn9Fe2EWxIBrp5sM=
 github.com/IBM/keyprotect-go-client v0.5.2 h1:A4yp2Fc7mg4dtotZErZXwJb9XKpb3ONexnVB+/JqLDM=
 github.com/IBM/keyprotect-go-client v0.5.2/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.5.3 h1:YGL6vHYQNH3MrtLaSl1ulohE487Jb1KkTpkNKnV4xWU=
-github.com/IBM/keyprotect-go-client v0.5.3/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.5.4-0.20210127220159-80c013ab9f46 h1:Iyq8BLsDJHkMW1wo1f57JLsfXJOYwDiatCHdUOTWY60=
-github.com/IBM/keyprotect-go-client v0.5.4-0.20210127220159-80c013ab9f46/go.mod h1:SVr2ylV/fhSQPDiUjWirN9fsyWFCNNbt8GIT8hPJVjE=
 github.com/IBM/keyprotect-go-client v0.6.0 h1:jZExoYSaoQ5TrfEzPOmBLc1vJ0VWA0RfKC+Bx39IeGo=
 github.com/IBM/keyprotect-go-client v0.6.0/go.mod h1:SVr2ylV/fhSQPDiUjWirN9fsyWFCNNbt8GIT8hPJVjE=
+github.com/IBM/keyprotect-go-client v0.7.0 h1:JstSHD14Lp6ihwQseyPuGcs1AjOBjAmcisP0dTBA6A0=
+github.com/IBM/keyprotect-go-client v0.7.0/go.mod h1:SVr2ylV/fhSQPDiUjWirN9fsyWFCNNbt8GIT8hPJVjE=
 github.com/IBM/networking-go-sdk v0.12.1 h1:GmzrRjvAyqKMfUPM8Y/R5dce0x5AXTqmseVZ3n7eZks=
 github.com/IBM/networking-go-sdk v0.12.1/go.mod h1:lzkGBnw5glMB7Nxawfgu19MH4Tjy3KRQ2SYMYl2ck7o=
 github.com/IBM/platform-services-go-sdk v0.17.17 h1:VXiC6C7h0AsYcsuVVQWKzBhEZ6mM963NbKMUBTkIEvw=

ibm/data_source_ibm_kms_key.go

@@ -57,6 +57,11 @@ func dataSourceIBMKMSkey() *schema.Resource {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						"key_ring_id": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The key ring id of the key to be fetched",
+						},
 						"crn": {
 							Type:     schema.TypeString,
 							Computed: true,
@@ -146,7 +151,6 @@ func dataSourceIBMKMSkey() *schema.Resource {
 			},
 		},
 	}
-
 }
 
 func dataSourceIBMKMSKeyRead(d *schema.ResourceData, meta interface{}) error {
@@ -244,6 +248,7 @@ func dataSourceIBMKMSKeyRead(d *schema.ResourceData, meta interface{}) error {
 			keyInstance["crn"] = key.CRN
 			keyInstance["standard_key"] = key.Extractable
 			keyInstance["aliases"] = key.Aliases
+			keyInstance["key_ring_id"] = key.KeyRingID
 			policies, err := api.GetPolicies(context.Background(), key.ID)
 			if err != nil {
 				return fmt.Errorf("Failed to read policies: %s", err)
@@ -273,6 +278,7 @@ func dataSourceIBMKMSKeyRead(d *schema.ResourceData, meta interface{}) error {
 		keyInstance["crn"] = key.CRN
 		keyInstance["standard_key"] = key.Extractable
 		keyInstance["aliases"] = key.Aliases
+		keyInstance["key_ring_id"] = key.KeyRingID
 		policies, err := api.GetPolicies(context.Background(), key.ID)
 		if err != nil {
 			return fmt.Errorf("Failed to read policies: %s", err)

ibm/data_source_ibm_kms_key_rings.go

@@ -0,0 +1,152 @@
+// Copyright IBM Corp. 2017, 2021 All Rights Reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package ibm
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"strings"
+
+	//kp "github.com/IBM/keyprotect-go-client"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceIBMKMSkeyRings() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceIBMKMSKeyRingsRead,
+
+		Schema: map[string]*schema.Schema{
+			"instance_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "Key protect or hpcs instance GUID",
+			},
+			"endpoint_type": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validateAllowedStringValue([]string{"public", "private"}),
+				Description:  "public or private",
+				Default:      "public",
+			},
+			"key_rings": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "Key Rings for a particualer instance",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"creation_date": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"created_by": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func dataSourceIBMKMSKeyRingsRead(d *schema.ResourceData, meta interface{}) error {
+	api, err := meta.(ClientSession).keyManagementAPI()
+	if err != nil {
+		return err
+	}
+
+	rContollerClient, err := meta.(ClientSession).ResourceControllerAPIV2()
+	if err != nil {
+		return err
+	}
+
+	instanceID := d.Get("instance_id").(string)
+	endpointType := d.Get("endpoint_type").(string)
+
+	rContollerApi := rContollerClient.ResourceServiceInstanceV2()
+
+	instanceData, err := rContollerApi.GetInstance(instanceID)
+	if err != nil {
+		return err
+	}
+	instanceCRN := instanceData.Crn.String()
+
+	var hpcsEndpointURL string
+	crnData := strings.Split(instanceCRN, ":")
+
+	if crnData[4] == "hs-crypto" {
+
+		hpcsEndpointApi, err := meta.(ClientSession).HpcsEndpointAPI()
+		if err != nil {
+			return err
+		}
+		resp, err := hpcsEndpointApi.Endpoint().GetAPIEndpoint(instanceID)
+		if err != nil {
+			return err
+		}
+
+		if endpointType == "public" {
+			hpcsEndpointURL = "https://" + resp.Kms.Public + "/api/v2/keys"
+		} else {
+			hpcsEndpointURL = "https://" + resp.Kms.Private + "/api/v2/keys"
+		}
+
+		u, err := url.Parse(hpcsEndpointURL)
+		if err != nil {
+			return fmt.Errorf("Error Parsing hpcs EndpointURL")
+		}
+		api.URL = u
+	} else if crnData[4] == "kms" {
+		if endpointType == "private" {
+			if !strings.HasPrefix(api.Config.BaseURL, "private") {
+				api.Config.BaseURL = "private." + api.Config.BaseURL
+			}
+		}
+	} else {
+		return fmt.Errorf("Invalid or unsupported service Instance")
+	}
+
+	api.Config.InstanceID = instanceID
+	keys, err := api.GetKeyRings(context.Background())
+	if err != nil {
+		return fmt.Errorf(
+			"Get Key Rings failed with error: %s", err)
+	}
+	retreivedKeyRings := keys.KeyRings
+	if keys == nil || len(retreivedKeyRings) == 0 {
+		return fmt.Errorf("No key Rings in instance  %s", instanceID)
+	}
+	var keyRingName string
+
+	if len(retreivedKeyRings) == 0 {
+		return fmt.Errorf("No key Ring with name %s in instance  %s", keyRingName, instanceID)
+	}
+
+	keyRingMap := make([]map[string]interface{}, 0, len(retreivedKeyRings))
+
+	for _, keyRing := range retreivedKeyRings {
+		keyInstance := make(map[string]interface{})
+
+		keyInstance["id"] = keyRing.ID
+		keyInstance["created_by"] = keyRing.CreatedBy
+		if keyRing.CreationDate != nil {
+			keyInstance["creation_date"] = keyRing.CreationDate.String()
+		}
+		keyRingMap = append(keyRingMap, keyInstance)
+
+	}
+
+	d.SetId(instanceID)
+	d.Set("key_rings", keyRingMap)
+	d.Set("instance_id", instanceID)
+	d.Set("endpoint_type", endpointType)
+
+	return nil
+
+}

ibm/data_source_ibm_kms_key_rings_test.go

@@ -0,0 +1,49 @@
+// Copyright IBM Corp. 2017, 2021 All Rights Reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package ibm
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccIBMKMSKeyRingDataSource_basic(t *testing.T) {
+	instanceName := fmt.Sprintf("tf_kms_%d", acctest.RandIntRange(10, 100))
+	// bucketName := fmt.Sprintf("bucket", acctest.RandIntRange(10, 100))
+	keyRing := fmt.Sprintf("keyRing%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccCheckIBMKmsKeyRingDataSourceConfig(instanceName, keyRing),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("ibm_kms_key_rings.test", "key_ring_id", keyRing),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckIBMKmsKeyRingDataSourceConfig(instanceName, keyRing string) string {
+	return fmt.Sprintf(`
+	resource "ibm_resource_instance" "kms_instance" {
+		name              = "%s"
+		service           = "kms"
+		plan              = "tiered-pricing"
+		location          = "us-south"
+	  }
+	  resource "ibm_kms_key_rings" "test" {
+		instance_id = "${ibm_resource_instance.kms_instance.guid}"
+		key_ring_id = "%s"
+	}
+	data "ibm_kms_key_rings" "test2" {
+		instance_id = "${ibm_kms_key_rings.test.instance_id}"
+	}
+`, instanceName, keyRing)
+}

ibm/data_source_ibm_kms_keys.go

@@ -65,6 +65,11 @@ func dataSourceIBMKMSkeys() *schema.Resource {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						"key_ring_id": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The key ring id of the key to be fetched",
+						},
 						"standard_key": {
 							Type:     schema.TypeBool,
 							Computed: true,
@@ -220,6 +225,7 @@ func dataSourceIBMKMSKeysRead(d *schema.ResourceData, meta interface{}) error {
 			keyInstance["crn"] = key.CRN
 			keyInstance["standard_key"] = key.Extractable
 			keyInstance["aliases"] = key.Aliases
+			keyInstance["key_ring_id"] = key.KeyRingID
 			keyMap = append(keyMap, keyInstance)
 			d.Set("keys", keyMap)
 
@@ -259,6 +265,8 @@ func dataSourceIBMKMSKeysRead(d *schema.ResourceData, meta interface{}) error {
 			keyInstance["name"] = key.Name
 			keyInstance["crn"] = key.CRN
 			keyInstance["standard_key"] = key.Extractable
+			keyInstance["aliases"] = key.Aliases
+			keyInstance["key_ring_id"] = key.KeyRingID
 			keyMap = append(keyMap, keyInstance)
 
 		}

ibm/provider.go

@@ -275,6 +275,7 @@ func Provider() *schema.Provider {
 			"ibm_org":                                dataSourceIBMOrg(),
 			"ibm_org_quota":                          dataSourceIBMOrgQuota(),
 			"ibm_kp_key":                             dataSourceIBMkey(),
+			"ibm_kms_key_rings":                      dataSourceIBMKMSkeyRings(),
 			"ibm_kms_keys":                           dataSourceIBMKMSkeys(),
 			"ibm_pn_application_chrome":              dataSourceIBMPNApplicationChrome(),
 			"ibm_kms_key":                            dataSourceIBMKMSkey(),
@@ -479,6 +480,7 @@ func Provider() *schema.Provider {
 			"ibm_pn_application_chrome":                          resourceIBMPNApplicationChrome(),
 			"ibm_kms_key":                                        resourceIBMKmskey(),
 			"ibm_kms_key_alias":                                  resourceIBMKmskeyAlias(),
+			"ibm_kms_key_rings":                                  resourceIBMKmskeyRings(),
 			"ibm_kp_key":                                         resourceIBMkey(),
 			"ibm_resource_group":                                 resourceIBMResourceGroup(),
 			"ibm_resource_instance":                              resourceIBMResourceInstance(),
@@ -600,6 +602,7 @@ func Validator() ValidatorDict {
 				"ibm_is_vpc_routing_table_route":       resourceIBMISVPCRoutingTableRouteValidator(),
 				"ibm_is_vpn_gateway_connection":        resourceIBMISVPNGatewayConnectionValidator(),
 				"ibm_is_vpn_gateway":                   resourceIBMISVPNGatewayValidator(),
+				"ibm_kms_key_rings":                    resourceIBMKeyRingValidator(),
 				"ibm_dns_glb_monitor":                  resourceIBMPrivateDNSGLBMonitorValidator(),
 				"ibm_dns_glb_pool":                     resourceIBMPrivateDNSGLBPoolValidator(),
 			},

ibm/resource_ibm_kms_key.go

@@ -36,6 +36,13 @@ func resourceIBMKmskey() *schema.Resource {
 				ForceNew:    true,
 				Description: "Key protect or hpcs instance GUID",
 			},
+			"key_ring_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+				Default:     "default",
+				Description: "Key Ring for the Key",
+			},
 			"key_id": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -297,6 +304,9 @@ func resourceIBMKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("Invalid or unsupported service Instance")
 	}
 	kpAPI.Config.InstanceID = instanceID
+
+	kpAPI.Config.KeyRing = d.Get("key_ring_id").(string)
+
 	name := d.Get("key_name").(string)
 	standardKey := d.Get("standard_key").(bool)
 
@@ -440,6 +450,7 @@ func resourceIBMKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("endpoint_type", endpointType)
 	d.Set("type", instanceType)
 	d.Set("force_delete", d.Get("force_delete").(bool))
+	d.Set("key_ring_id", key.KeyRingID)
 	if key.Expiration != nil {
 		expiration := key.Expiration
 		d.Set("expiration_date", expiration.Format(time.RFC3339))