Alias support for policies

IBM-Cloud · May 17, 2022 · c245bbc · c245bbc
1 parent 440ecea
commit c245bbc
Show file tree

Hide file tree

Showing 8 changed files with 181 additions and 21 deletions.
diff --git a/ibm/service/kms/data_source_ibm_kms_key_policies.go b/ibm/service/kms/data_source_ibm_kms_key_policies.go
@@ -35,9 +35,16 @@ func DataSourceIBMKMSkeyPolicies() *schema.Resource {
 				Default:      "public",
 			},
 			"key_id": {
-				Type:        schema.TypeString,
-				Required:    true,
-				Description: "Key ID of the Key",
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "Key ID of the Key",
+				ExactlyOneOf: []string{"key_id", "alias"},
+			},
+			"alias": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "Alias of the Key",
+				ExactlyOneOf: []string{"key_id", "alias"},
 			},
 			"policies": {
 				Type:        schema.TypeList,
@@ -160,6 +167,7 @@ func dataSourceIBMKMSKeyPoliciesRead(context context.Context, d *schema.Resource
 		instanceID = CrnInstanceID[len(CrnInstanceID)-3]
 	}
 	endpointType := d.Get("endpoint_type").(string)
+	alias := d.Get("alias").(string)
 	key_id := d.Get("key_id").(string)
 
 	rsConClient, err := meta.(conns.ClientSession).ResourceControllerV2API()
@@ -180,9 +188,15 @@ func dataSourceIBMKMSKeyPoliciesRead(context context.Context, d *schema.Resource
 		return diag.FromErr(err)
 	}
 	api.URL = URL
-
 	api.Config.InstanceID = instanceID
-	policies, err := api.GetPolicies(context, key_id)
+	var id string
+	if key_id != "" {
+		id = key_id
+	} else {
+		id = alias
+	}
+	key, err := api.GetKey(context, id)
+	policies, err := api.GetPolicies(context, id)
 	if err != nil {
 		return diag.Errorf("Failed to read policies: %s", err)
 	}
@@ -192,12 +206,11 @@ func dataSourceIBMKMSKeyPoliciesRead(context context.Context, d *schema.Resource
 	} else {
 		d.Set("policies", flex.FlattenKeyPolicies(policies))
 	}
-
+	d.Set("key_id", key.ID)
+	d.Set("alias", alias)
 	d.SetId(instanceID)
-	d.Set("key_id", key_id)
 	d.Set("instance_id", instanceID)
 	d.Set("endpoint_type", endpointType)
 
 	return nil
-
 }
diff --git a/ibm/service/kms/resource_ibm_kms_key_alias.go b/ibm/service/kms/resource_ibm_kms_key_alias.go
@@ -34,10 +34,18 @@ func ResourceIBMKmskeyAlias() *schema.Resource {
 				Description: "Key protect or hpcs key alias name",
 			},
 			"key_id": {
-				Type:        schema.TypeString,
-				Required:    true,
-				Description: "Key ID",
-				ForceNew:    true,
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "Key ID",
+				ForceNew:     true,
+				ExactlyOneOf: []string{"key_id", "existing_alias"},
+			},
+			"existing_alias": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "Existing Alias of the Key",
+				ForceNew:     true,
+				ExactlyOneOf: []string{"key_id", "existing_alias"},
 			},
 			"endpoint_type": {
 				Type:         schema.TypeString,
@@ -86,7 +94,14 @@ func resourceIBMKmsKeyAliasCreate(d *schema.ResourceData, meta interface{}) erro
 
 	aliasName := d.Get("alias").(string)
 	keyID := d.Get("key_id").(string)
-	stkey, err := kpAPI.CreateKeyAlias(context.Background(), aliasName, keyID)
+	aliasID := d.Get("existing_alias").(string)
+	var id string
+	if keyID != "" {
+		id = keyID
+	} else {
+		id = aliasID
+	}
+	stkey, err := kpAPI.CreateKeyAlias(context.Background(), aliasName, id)
 	if err != nil {
 		return fmt.Errorf("[ERROR] Error while creating alias name for the key: %s", err)
 	}

diff --git a/ibm/service/kms/resource_ibm_kms_key_alias_test.go b/ibm/service/kms/resource_ibm_kms_key_alias_test.go
@@ -111,6 +111,15 @@ func TestAccIBMKMSResource_Key_Alias_Key_Check(t *testing.T) {
 					resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName2),
 				),
 			},
+			{
+				Config: testAccCheckIBMKmsResourceAliasWithExistingAlias(instanceName, keyName, aliasName, aliasName2),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("ibm_kms_key.test", "key_name", keyName),
+					resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias", "alias", aliasName),
+					resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias2", "existing_alias", aliasName),
+					resource.TestCheckResourceAttr("ibm_kms_key_alias.testAlias2", "alias", aliasName2),
+				),
+			},
 		},
 	})
 }
@@ -221,6 +230,34 @@ func testAccCheckIBMKmsResourceAliasTwo(instanceName, KeyName, aliasName, aliasN
 `, instanceName, KeyName, aliasName, aliasName2)
 }
 
+func testAccCheckIBMKmsResourceAliasWithExistingAlias(instanceName, KeyName, aliasName, aliasName2 string) string {
+	return fmt.Sprintf(`
+	resource "ibm_resource_instance" "kms_instance" {
+		name              = "%s"
+		service           = "kms"
+		plan              = "tiered-pricing"
+		location          = "us-south"
+	  }
+	  resource "ibm_kms_key" "test" {
+		instance_id = "${ibm_resource_instance.kms_instance.guid}"
+		key_name = "%s"
+		standard_key =  true
+		force_delete = true
+	}
+	resource "ibm_kms_key_alias" "testAlias" {
+		instance_id = "${ibm_resource_instance.kms_instance.guid}"
+		alias = "%s"
+		key_id = "${ibm_kms_key.test.key_id}"
+	}
+	resource "ibm_kms_key_alias" "testAlias2" {
+		instance_id = "${ibm_resource_instance.kms_instance.guid}"
+		alias = "%s"
+		existing_alias = "${ibm_kms_key_alias.testAlais.alias}"
+	}
+
+`, instanceName, KeyName, aliasName, aliasName2)
+}
+
 func testAccCheckIBMKmsResourceAliasOne(instanceName, KeyName, aliasName string) string {
 	return fmt.Sprintf(`
 	resource "ibm_resource_instance" "kms_instance" {

diff --git a/ibm/service/kms/resource_ibm_kms_key_policies.go b/ibm/service/kms/resource_ibm_kms_key_policies.go
@@ -42,9 +42,15 @@ func ResourceIBMKmskeyPolicies() *schema.Resource {
 				DiffSuppressFunc: suppressKMSInstanceIDDiff,
 			},
 			"key_id": {
-				Type:        schema.TypeString,
-				Required:    true,
-				Description: "Key ID",
+				Type:         schema.TypeString,
+				Optional:     true,
+				Description:  "Key ID",
+				ExactlyOneOf: []string{"key_id", "alias"},
+			},
+			"alias": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ExactlyOneOf: []string{"key_id", "alias"},
 			},
 			"endpoint_type": {
 				Type:         schema.TypeString,
@@ -177,7 +183,10 @@ func resourceIBMKmsKeyPolicyCreate(context context.Context, d *schema.ResourceDa
 	}
 	endpointType := d.Get("endpoint_type").(string)
 	key_id := d.Get("key_id").(string)
-
+	alias := d.Get("alias").(string)
+	if key_id == "" {
+		key_id = alias
+	}
 	rsConClient, err := meta.(conns.ClientSession).ResourceControllerV2API()
 	if err != nil {
 		return diag.FromErr(err)

diff --git a/ibm/service/kms/resource_ibm_kms_key_policies_test.go b/ibm/service/kms/resource_ibm_kms_key_policies_test.go
@@ -79,6 +79,27 @@ func TestAccIBMKMSKeyPolicy_dualAuth_check(t *testing.T) {
 	})
 }
 
+func TestAccIBMKMSKeyPolicy_dualAuth_check_with_Alias(t *testing.T) {
+	instanceName := fmt.Sprintf("kms_%d", acctest.RandIntRange(10, 100))
+	keyName := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100))
+	aliasName := fmt.Sprintf("alias_%d", acctest.RandIntRange(10, 100))
+	dual_auth_delete := false
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { acc.TestAccPreCheck(t) },
+		Providers: acc.TestAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMKmsKeyPolicyDualAuthCheckWithAlias(instanceName, keyName, aliasName, dual_auth_delete),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("ibm_kms_key.test", "key_name", keyName),
+					resource.TestCheckResourceAttr("ibm_kms_key.test", "alias", aliasName),
+					resource.TestCheckResourceAttr("ibm_kms_key.test", "policies.0.dual_auth_delete.0.enabled", "false"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccIBMKMSKeyPolicy_invalid_interval_check(t *testing.T) {
 	instanceName := fmt.Sprintf("kms_%d", acctest.RandIntRange(10, 100))
 	keyName := fmt.Sprintf("key_%d", acctest.RandIntRange(10, 100))
@@ -147,6 +168,37 @@ func testAccCheckIBMKmsKeyPolicyDualAuthCheck(instanceName, KeyName string, dual
 `, instanceName, KeyName, dual_auth_delete)
 }
 
+func testAccCheckIBMKmsKeyPolicyDualAuthCheckWithAlias(instanceName, KeyName string, alias string, dual_auth_delete bool) string {
+	return fmt.Sprintf(`
+	resource "ibm_resource_instance" "kp_instance" {
+		name     = "%s"
+		service  = "kms"
+		plan     = "tiered-pricing"
+		location = "us-south"
+	  }
+
+	  resource "ibm_kms_key" "test" {
+		instance_id = ibm_resource_instance.kp_instance.guid
+		key_name       = "%s"
+		standard_key   = false
+	  }
+
+	  resource "ibm_kms_key_alias" "alias_test" {
+		instance_id = ibm_resource_instance.kp_instance.guid
+		alias = "%s"
+		key_id = ibm_kms_key.test.key_id
+	  }
+
+	  resource "ibm_kms_key_policies" "Policy" {
+		instance_id = ibm_resource_instance.kp_instance.guid
+		alias = ibm_kms_key_alias.alias_test.alias
+		  dual_auth_delete {
+			enabled = %t
+		  }
+	  }
+`, instanceName, KeyName, alias, dual_auth_delete)
+}
+
 func testAccCheckIBMKmsKeyPolicyRotationCheck(instanceName, KeyName string, rotation_interval int) string {
 	return fmt.Sprintf(`
 	resource "ibm_resource_instance" "kp_instance" {

diff --git a/website/docs/d/kms_key_policies.html.markdown b/website/docs/d/kms_key_policies.html.markdown
@@ -17,6 +17,11 @@ data "ibm_kms_key_policies" "test" {
   instance_id = "guid-of-keyprotect-or hs-crypto-instance"
   key_id = "key-id-of-the-key"
 }
+OR
+data "ibm_kms_key_policies" "test" {
+  instance_id = "guid-of-keyprotect-or hs-crypto-instance"
+  alias = "alias-of-the-key"
+}
 ```
 
 
@@ -26,13 +31,15 @@ The following arguments are supported:
 
 - `endpoint_type` - (Optional, String) The type of the public or private endpoint to be used for fetching keys.
 - `instance_id` - (Required, string) The keyprotect instance guid.
-- `key_id` - (Required, string) The id of the key.
+- `key_id` - (Required - If the alias is not provided, String) The id of the key.
+- `alias`  - (Required - If the key_id is not provided, String) The alias of the key.
 
 ## Attribute reference
 
 In addition to all arguments above, the following attributes are exported:
 - `id` - (String) The CRN of the key.
 - `key_id` - (String) The ID of the key.
+- `alias`  - (String) The alias of the key.
 - `rotation` - (List) The key rotation time interval in months, with a minimum of 1, and a maximum of 12.
 
     Nested scheme for `rotation`:

diff --git a/website/docs/r/kms_key_alias.html.markdown b/website/docs/r/kms_key_alias.html.markdown
@@ -30,6 +30,12 @@ resource "ibm_kms_key_alias" "key_alias" {
     alias  = "alias"
     key_id = "ibm_kms_key.test.key_id"
 }
+OR
+resource "ibm_kms_key_alias" "key_alias" {
+    instance_id = ibm_kms_key.test.instance_id
+    alias  = "alias"
+    existing_alias = "myalias"
+}
 resource "ibm_cos_bucket" "smart-us-south" {
   bucket_name          = "atest-bucket"
   resource_instance_id = "cos-instance-id"
@@ -39,17 +45,18 @@ resource "ibm_cos_bucket" "smart-us-south" {
 }
 ```
 
-**Note** 
+**Note**
 
 An alias that identifies a key. Each alias is unique only within the given instance and is not reserved across the Key Protect service. Each key can have up to five aliases. There is a limit of 1000 aliases per instance. Alias must be alphanumeric and cannot contain spaces or special characters other than '-' or '_'.
 
 ## Argument reference
-Review the argument references that you can specify for your resource. 
+Review the argument references that you can specify for your resource.
 
 - `alias` - (Required, Forces new resource, String) The alias name of the key.
 - `endpoint_type` - (Optional, Forces new resource, String) The type of the public endpoint, or private endpoint to be used for creating keys.
 - `instance_id` - (Required, Forces new resource, String) The hs-crypto or key protect instance GUID.
-- `key_id` - (Required, String) The key ID for which alias has to be created.
+- `existing_alias` - (Required, If the key_id is not provided, String) Existing Alias of the key.
+- `key_id` - (Required, If the alias is not provided, String) The key ID for which alias has to be created.
 
 
 ## Attribute reference

diff --git a/website/docs/r/kms_key_policies.html.markdown b/website/docs/r/kms_key_policies.html.markdown
@@ -30,6 +30,12 @@ resource "ibm_kms_key" "key" {
   standard_key   = false
 }
 
+resource "ibm_kms_key_alias" "key_alias" {
+    instance_id = ibm_kms_key.test.instance_id
+    alias  = "alias"
+    key_id = "ibm_kms_key.test.key_id"
+}
+
 resource "ibm_kms_key_policies" "key_policy" {
   instance_id = ibm_resource_instance.kms_instance.guid
   key_id = ibm_kms_key.key.key_id
@@ -40,13 +46,26 @@ resource "ibm_kms_key_policies" "key_policy" {
        enabled = false
     }
 }
+OR
+resource "ibm_kms_key_policies" "key_policy" {
+  instance_id = ibm_resource_instance.kms_instance.guid
+  alias= ibm_kms_key_alias.key_alias.alias
+  rotation {
+       interval_month = 3
+    }
+    dual_auth_delete {
+       enabled = false
+    }
+}
 ```
 
 ## Argument reference
 
 The following arguments are supported:
 
 - `endpoint_type` - (Optional, String) The type of the public or private endpoint to be used for fetching policies.
+- `key_id` - (Required - If the alias is not provided, String) The ID of the key.
+- `alias` - (Required - If the key_id is not provided, String) The alias created for the key.
 - `instance_id` - (Required, String) The key-protect instance ID for creating policies.
 - `rotation` - (Optional,list) The key rotation time interval in months, with a minimum of 1, and a maximum of 12. Atleast one of `rotation` and `dual_auth_delete` is required
 
@@ -64,6 +83,7 @@ In addition to all arguments above, the following attributes are exported:
 
 - `id` - (String) The CRN of the key.
 - `key_id` - (String) The ID of the key.
+- `alias`  - (String) The alias of the key.
 - `rotation` - (List) The key rotation time interval in months, with a minimum of 1, and a maximum of 12.
 
     Nested scheme for `rotation`: