Add CMEK support for Workflows (#7727) (#5509)

* Add CMEK support for Workflows * Fix Sprintf argument referrences * Fix Sprintf format * Update Workflows CMEK test to use bootstrapping * Format tests * Empty commit - Retry VCR test * Add location to bootstrapped KMS key Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · Apr 19, 2023 · 6ee2967 · 6ee2967
1 parent e269974
commit 6ee2967
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 0 deletions.
diff --git a/.changelog/7727.txt b/.changelog/7727.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+workflows: added `crypto_key_name` field to `google_workflows_workflow` resource
+```
diff --git a/google-beta/resource_workflows_workflow.go b/google-beta/resource_workflows_workflow.go
@@ -49,6 +49,13 @@ func ResourceWorkflowsWorkflow() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
+			"crypto_key_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Description: `The KMS key used to encrypt workflow and execution data.
+
+Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}`,
+			},
 			"description": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -165,6 +172,12 @@ func resourceWorkflowsWorkflowCreate(d *schema.ResourceData, meta interface{}) e
 	} else if v, ok := d.GetOkExists("source_contents"); !isEmptyValue(reflect.ValueOf(sourceContentsProp)) && (ok || !reflect.DeepEqual(v, sourceContentsProp)) {
 		obj["sourceContents"] = sourceContentsProp
 	}
+	cryptoKeyNameProp, err := expandWorkflowsWorkflowCryptoKeyName(d.Get("crypto_key_name"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("crypto_key_name"); !isEmptyValue(reflect.ValueOf(cryptoKeyNameProp)) && (ok || !reflect.DeepEqual(v, cryptoKeyNameProp)) {
+		obj["cryptoKeyName"] = cryptoKeyNameProp
+	}
 
 	obj, err = resourceWorkflowsWorkflowEncoder(d, meta, obj)
 	if err != nil {
@@ -292,6 +305,9 @@ func resourceWorkflowsWorkflowRead(d *schema.ResourceData, meta interface{}) err
 	if err := d.Set("revision_id", flattenWorkflowsWorkflowRevisionId(res["revisionId"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Workflow: %s", err)
 	}
+	if err := d.Set("crypto_key_name", flattenWorkflowsWorkflowCryptoKeyName(res["cryptoKeyName"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Workflow: %s", err)
+	}
 
 	return nil
 }
@@ -336,6 +352,12 @@ func resourceWorkflowsWorkflowUpdate(d *schema.ResourceData, meta interface{}) e
 	} else if v, ok := d.GetOkExists("source_contents"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, sourceContentsProp)) {
 		obj["sourceContents"] = sourceContentsProp
 	}
+	cryptoKeyNameProp, err := expandWorkflowsWorkflowCryptoKeyName(d.Get("crypto_key_name"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("crypto_key_name"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, cryptoKeyNameProp)) {
+		obj["cryptoKeyName"] = cryptoKeyNameProp
+	}
 
 	obj, err = resourceWorkflowsWorkflowEncoder(d, meta, obj)
 	if err != nil {
@@ -365,6 +387,10 @@ func resourceWorkflowsWorkflowUpdate(d *schema.ResourceData, meta interface{}) e
 	if d.HasChange("source_contents") {
 		updateMask = append(updateMask, "sourceContents")
 	}
+
+	if d.HasChange("crypto_key_name") {
+		updateMask = append(updateMask, "cryptoKeyName")
+	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
 	url, err = AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -480,6 +506,10 @@ func flattenWorkflowsWorkflowRevisionId(v interface{}, d *schema.ResourceData, c
 	return v
 }
 
+func flattenWorkflowsWorkflowCryptoKeyName(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
 func expandWorkflowsWorkflowName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }
@@ -507,6 +537,10 @@ func expandWorkflowsWorkflowSourceContents(v interface{}, d TerraformResourceDat
 	return v, nil
 }
 
+func expandWorkflowsWorkflowCryptoKeyName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
 func resourceWorkflowsWorkflowEncoder(d *schema.ResourceData, meta interface{}, obj map[string]interface{}) (map[string]interface{}, error) {
 	var ResName string
 	if v, ok := d.GetOk("name"); ok {

diff --git a/google-beta/resource_workflows_workflow_test.go b/google-beta/resource_workflows_workflow_test.go
@@ -147,3 +147,63 @@ func TestWorkflowsWorkflowStateUpgradeV0(t *testing.T) {
 		})
 	}
 }
+
+func TestAccWorkflowsWorkflow_CMEK(t *testing.T) {
+	// Custom test written to test diffs
+	t.Parallel()
+
+	workflowName := fmt.Sprintf("tf-test-acc-workflow-%d", RandInt(t))
+	kms := BootstrapKMSKeyInLocation(t, "us-central1")
+	if BootstrapPSARole(t, "service-", "gcp-sa-workflows", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
+
+	VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckWorkflowsWorkflowDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWorkflowsWorkflow_CMEK(workflowName, kms.CryptoKey.Name),
+			},
+		},
+	})
+}
+
+func testAccWorkflowsWorkflow_CMEK(workflowName, kmsKeyName string) string {
+	return fmt.Sprintf(`
+resource "google_workflows_workflow" "example" {
+  name          = "%s"
+  region        = "us-central1"
+  description   = "Magic"
+  crypto_key_name = "%s"
+  source_contents = <<-EOF
+  # This is a sample workflow, feel free to replace it with your source code
+  #
+  # This workflow does the following:
+  # - reads current time and date information from an external API and stores
+  #   the response in CurrentDateTime variable
+  # - retrieves a list of Wikipedia articles related to the day of the week
+  #   from CurrentDateTime
+  # - returns the list of articles as an output of the workflow
+  # FYI, In terraform you need to escape the $$ or it will cause errors.
+
+  - getCurrentTime:
+      call: http.get
+      args:
+          url: https://us-central1-workflowsample.cloudfunctions.net/datetime
+      result: CurrentDateTime
+  - readWikipedia:
+      call: http.get
+      args:
+          url: https:/fi.wikipedia.org/w/api.php
+          query:
+              action: opensearch
+              search: $${CurrentDateTime.body.dayOfTheWeek}
+      result: WikiResult
+  - returnOutput:
+      return: $${WikiResult.body[1]}
+EOF
+}
+`, workflowName, kmsKeyName)
+}
diff --git a/website/docs/r/workflows_workflow.html.markdown b/website/docs/r/workflows_workflow.html.markdown
@@ -108,6 +108,11 @@ The following arguments are supported:
   (Optional)
   Workflow code to be executed. The size limit is 32KB.
 
+* `crypto_key_name` -
+  (Optional)
+  The KMS key used to encrypt workflow and execution data.
+  Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}
+
 * `region` -
   (Optional)
   The region of the workflow.