Merge pull request #18117 from tism/f-aws_kms_key-bypass_policy_check

r/aws_kms_key: Support policy lockout check bypass
hashicorp · Aug 3, 2021 · ce03236 · ce03236
2 parents a3c59d2 + 0b4a4c8
commit ce03236
Show file tree

Hide file tree

Showing 26 changed files with 2,005 additions and 942 deletions.
diff --git a/.changelog/18117.txt b/.changelog/18117.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_kms_key: Add `bypass_policy_lockout_safety_check` argument
+```
+
+```release-note:enhancement
+resource/aws_kms_external_key: Add `bypass_policy_lockout_safety_check` argument
+```
diff --git a/aws/data_source_aws_kms_alias.go b/aws/data_source_aws_kms_alias.go
@@ -2,26 +2,25 @@ package aws
 
 import (
 	"fmt"
-	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/kms/finder"
 )
 
 func dataSourceAwsKmsAlias() *schema.Resource {
 	return &schema.Resource{
 		Read: dataSourceAwsKmsAliasRead,
 		Schema: map[string]*schema.Schema{
+			"arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"name": {
 				Type:         schema.TypeString,
 				Required:     true,
 				ValidateFunc: validateAwsKmsName,
 			},
-			"arn": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
 			"target_key_arn": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -36,27 +35,13 @@ func dataSourceAwsKmsAlias() *schema.Resource {
 
 func dataSourceAwsKmsAliasRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).kmsconn
-	params := &kms.ListAliasesInput{}
 
-	target := d.Get("name")
-	var alias *kms.AliasListEntry
-	log.Printf("[DEBUG] Reading KMS Alias: %s", params)
-	err := conn.ListAliasesPages(params, func(page *kms.ListAliasesOutput, lastPage bool) bool {
-		for _, entity := range page.Aliases {
-			if aws.StringValue(entity.AliasName) == target {
-				alias = entity
-				return false
-			}
-		}
+	target := d.Get("name").(string)
 
-		return true
-	})
-	if err != nil {
-		return fmt.Errorf("Error fetch KMS alias list: %w", err)
-	}
+	alias, err := finder.AliasByName(conn, target)
 
-	if alias == nil {
-		return fmt.Errorf("No alias with name %q found in this region.", target)
+	if err != nil {
+		return fmt.Errorf("error reading KMS Alias (%s): %w", target, err)
 	}
 
 	d.SetId(aws.StringValue(alias.AliasArn))
@@ -73,16 +58,14 @@ func dataSourceAwsKmsAliasRead(d *schema.ResourceData, meta interface{}) error {
 	//
 	// https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html
 
-	req := &kms.DescribeKeyInput{
-		KeyId: aws.String(target.(string)),
-	}
-	resp, err := conn.DescribeKey(req)
+	keyMetadata, err := finder.KeyByID(conn, target)
+
 	if err != nil {
-		return fmt.Errorf("Error calling KMS DescribeKey: %w", err)
+		return fmt.Errorf("error reading KMS Key (%s): %w", target, err)
 	}
 
-	d.Set("target_key_arn", resp.KeyMetadata.Arn)
-	d.Set("target_key_id", resp.KeyMetadata.KeyId)
+	d.Set("target_key_arn", keyMetadata.Arn)
+	d.Set("target_key_id", keyMetadata.KeyId)
 
 	return nil
 }
diff --git a/aws/data_source_aws_kms_alias_test.go b/aws/data_source_aws_kms_alias_test.go
@@ -8,11 +8,10 @@ import (
 	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
 func TestAccDataSourceAwsKmsAlias_AwsService(t *testing.T) {
-	name := "alias/aws/s3"
+	rName := "alias/aws/s3"
 	resourceName := "data.aws_kms_alias.test"
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -21,11 +20,10 @@ func TestAccDataSourceAwsKmsAlias_AwsService(t *testing.T) {
 		Providers:  testAccProviders,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDataSourceAwsKmsAlias_name(name),
+				Config: testAccDataSourceAwsKmsAliasConfig(rName),
 				Check: resource.ComposeTestCheckFunc(
-					testAccDataSourceAwsKmsAliasCheckExists(resourceName),
-					testAccCheckResourceAttrRegionalARN(resourceName, "arn", "kms", name),
-					resource.TestCheckResourceAttr(resourceName, "name", name),
+					testAccCheckResourceAttrRegionalARN(resourceName, "arn", "kms", rName),
+					resource.TestCheckResourceAttr(resourceName, "name", rName),
 					testAccMatchResourceAttrRegionalARN(resourceName, "target_key_arn", "kms", regexp.MustCompile(`key/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}`)),
 					resource.TestMatchResourceAttr(resourceName, "target_key_id", regexp.MustCompile("^[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}$")),
 				),
@@ -35,7 +33,7 @@ func TestAccDataSourceAwsKmsAlias_AwsService(t *testing.T) {
 }
 
 func TestAccDataSourceAwsKmsAlias_CMK(t *testing.T) {
-	rInt := acctest.RandInt()
+	rName := acctest.RandomWithPrefix("tf-acc-test")
 	aliasResourceName := "aws_kms_alias.test"
 	datasourceAliasResourceName := "data.aws_kms_alias.test"
 
@@ -45,9 +43,8 @@ func TestAccDataSourceAwsKmsAlias_CMK(t *testing.T) {
 		Providers:  testAccProviders,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDataSourceAwsKmsAlias_CMK(rInt),
+				Config: testAccDataSourceAwsKmsAliasConfigCMK(rName),
 				Check: resource.ComposeTestCheckFunc(
-					testAccDataSourceAwsKmsAliasCheckExists(datasourceAliasResourceName),
 					resource.TestCheckResourceAttrPair(datasourceAliasResourceName, "arn", aliasResourceName, "arn"),
 					resource.TestCheckResourceAttrPair(datasourceAliasResourceName, "target_key_arn", aliasResourceName, "target_key_arn"),
 					resource.TestCheckResourceAttrPair(datasourceAliasResourceName, "target_key_id", aliasResourceName, "target_key_id"),
@@ -57,37 +54,28 @@ func TestAccDataSourceAwsKmsAlias_CMK(t *testing.T) {
 	})
 }
 
-func testAccDataSourceAwsKmsAliasCheckExists(name string) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		_, ok := s.RootModule().Resources[name]
-		if !ok {
-			return fmt.Errorf("root module has no resource called %s", name)
-		}
-
-		return nil
-	}
-}
-
-func testAccDataSourceAwsKmsAlias_name(name string) string {
+func testAccDataSourceAwsKmsAliasConfig(rName string) string {
 	return fmt.Sprintf(`
 data "aws_kms_alias" "test" {
-  name = "%s"
+  name = %[1]q
 }
-`, name)
+`, rName)
 }
 
-func testAccDataSourceAwsKmsAlias_CMK(rInt int) string {
+func testAccDataSourceAwsKmsAliasConfigCMK(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_kms_key" "test" {
-  description             = "Terraform acc test"
+  description             = %[1]q
   deletion_window_in_days = 7
 }
 
 resource "aws_kms_alias" "test" {
-  name          = "alias/tf-acc-key-alias-%d"
+  name          = "alias/%[1]s"
   target_key_id = aws_kms_key.test.key_id
 }
 
-%s
-`, rInt, testAccDataSourceAwsKmsAlias_name("${aws_kms_alias.test.name}"))
+data "aws_kms_alias" "test" {
+  name = aws_kms_alias.test.name
+}
+`, rName)
 }
diff --git a/aws/internal/keyvaluetags/key_value_tags.go b/aws/internal/keyvaluetags/key_value_tags.go
@@ -428,6 +428,34 @@ func (tags KeyValueTags) ContainsAll(target KeyValueTags) bool {
 	return true
 }
 
+// Equal returns whether or two sets of key-value tags are equal.
+func (tags KeyValueTags) Equal(other KeyValueTags) bool {
+	if tags == nil && other == nil {
+		return true
+	}
+
+	if tags == nil || other == nil {
+		return false
+	}
+
+	if len(tags) != len(other) {
+		return false
+	}
+
+	for k, v := range tags {
+		o, ok := other[k]
+		if !ok {
+			return false
+		}
+
+		if !v.Equal(o) {
+			return false
+		}
+	}
+
+	return true
+}
+
 // Hash returns a stable hash value.
 // The returned value may be negative (i.e. not suitable for a 'Set' function).
 func (tags KeyValueTags) Hash() int {

diff --git a/aws/internal/keyvaluetags/key_value_tags_test.go b/aws/internal/keyvaluetags/key_value_tags_test.go
@@ -1824,6 +1824,132 @@ func TestKeyValueTagsContainsAll(t *testing.T) {
 	}
 }
 
+func TestKeyValueTagsEqual(t *testing.T) {
+	testCases := []struct {
+		name   string
+		source KeyValueTags
+		target KeyValueTags
+		want   bool
+	}{
+		{
+			name:   "nil",
+			source: nil,
+			target: nil,
+			want:   true,
+		},
+		{
+			name:   "empty",
+			source: New(map[string]string{}),
+			target: New(map[string]string{}),
+			want:   true,
+		},
+		{
+			name:   "source_nil",
+			source: nil,
+			target: New(map[string]string{
+				"key1": "value1",
+			}),
+			want: false,
+		},
+		{
+			name:   "source_empty",
+			source: New(map[string]string{}),
+			target: New(map[string]string{
+				"key1": "value1",
+			}),
+			want: false,
+		},
+		{
+			name: "target_nil",
+			source: New(map[string]string{
+				"key1": "value1",
+			}),
+			target: nil,
+			want:   false,
+		},
+		{
+			name: "target_empty",
+			source: New(map[string]string{
+				"key1": "value1",
+			}),
+			target: New(map[string]string{}),
+			want:   false,
+		},
+		{
+			name: "nil value matches",
+			source: New(map[string]*string{
+				"key1": nil,
+			}),
+			target: New(map[string]*string{
+				"key1": nil,
+			}),
+			want: true,
+		},
+		{
+			name: "exact_match",
+			source: New(map[string]string{
+				"key1": "value1",
+				"key2": "value2",
+			}),
+			target: New(map[string]string{
+				"key1": "value1",
+				"key2": "value2",
+			}),
+			want: true,
+		},
+		{
+			name: "source_contains_all",
+			source: New(map[string]string{
+				"key1": "value1",
+				"key2": "value2",
+				"key3": "value3",
+			}),
+			target: New(map[string]string{
+				"key1": "value1",
+				"key3": "value3",
+			}),
+			want: false,
+		},
+		{
+			name: "source_does_not_contain_all",
+			source: New(map[string]string{
+				"key1": "value1",
+				"key2": "value2",
+				"key3": "value3",
+			}),
+			target: New(map[string]string{
+				"key1": "value1",
+				"key4": "value4",
+			}),
+			want: false,
+		},
+		{
+			name: "target_value_neq",
+			source: New(map[string]string{
+				"key1": "value1",
+				"key2": "value2",
+				"key3": "value3",
+			}),
+			target: New(map[string]string{
+				"key1": "value1",
+				"key2": "value2",
+				"key3": "value4",
+			}),
+			want: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			got := testCase.source.Equal(testCase.target)
+
+			if got != testCase.want {
+				t.Errorf("unexpected Equal: %t", got)
+			}
+		})
+	}
+}
+
 func TestKeyValueTagsHash(t *testing.T) {
 	testCases := []struct {
 		name string

diff --git a/aws/internal/naming/naming_test.go b/aws/internal/naming/naming_test.go
@@ -253,6 +253,11 @@ func TestNamePrefixFromName(t *testing.T) {
 			Input:    "terraform-20060102150405000000000001",
 			Expected: strPtr("terraform-"),
 		},
+		{
+			TestName: "KMS alias prefix",
+			Input:    "alias/20210723150229087000000002",
+			Expected: strPtr("alias/"),
+		},
 	}
 
 	for _, testCase := range testCases {