Kmip mgmt PR (#5352)

* initial kmip adapter stuff

* provider for kmip adapter

* go mod

* fix adapters

* certs first draft, edit adapters a bit

* add code for kmip cert and objects

* fix stuff

* manual tests working

* add tests

* fixes and tests

* add instance prefixes, fix registrations testing bug

* undo registrations fix, suppress tests

* fix policy overrides tests for real

* remove unnecessary if

* address PR comments

* expand acceptance tests

* update ibm-kms examples

* add endpoint type

* resource docs

* first draft data source docs

* add total counts

* proofreading docs fixes

* kmip doc metadata fixes

* update the docs, change adapter internal tf ID to use instance ID

* fix docs, syntax errors on adapter and cert examples, some were missing forces new resource, remove unused update function

* updated adapters and certs to use internal id's that contain the full path of instance/adapter/cert(this includes adding needed fields not present, and proper logic for updating this)
updated docs to use consistent var names and replaced
updated docs to use new resource ids and not terraform id
updated docs with terraform import examples

* update go sum and also fix example syntax

* fix unit tests to use adapter id and cert id instead of terraform internal id

---------

Co-authored-by: Michael Darmawan <[email protected]>
Co-authored-by: Michael Darmawan <[email protected]>
Co-authored-by: stephaniegalang <[email protected]>
Co-authored-by: wsiew <[email protected]>

Author: 4 people

examples/ibm-kms/README.md

@@ -98,6 +98,7 @@ resource "ibm_cos_bucket" "flex-us-south" {
 ## Notes
 
 1. Before doing terraform destroy if force_delete flag is introduced after provisioning keys, a terraform apply must be done before terraform destroy for force_delete flag to take effect.
+2. KMIP adapters with active KMIP objects cannot be deleted by Terraform.
 
 ## Examples
 

examples/ibm-kms/localhost.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIUcMeKlwdgHxftIsIWPL11JXzTEmwwDQYJKoZIhvcNAQEL
+BQAwADAeFw0yNDA0MjMyMDQ5NDVaFw0yNTA0MjMyMDQ5NDVaMAAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaVSSRPva2qO7OcRTcV+I70YIGfIGYI2gv
+kpi6jt9mHWO0NnWWRnpKME7KcU+PSLrDtSVU+0lc5wj64g5h2QGXMubA+hRWDac8
+3wDIbhLr8AadxBoRHrUnzMxmxogT10JclBv5198MdU7S9HQoTx1IO4ygk8p2QfYa
++aHoB1zIiV5m8QdF8HGqhU9msZGScm+4Ufcbze64CC/JFOSpdc2HigStd8p/lS5B
+M2pfikamwqDPRjpdMF5MmGwDjCFCTxKfw1oeesPAuqdJAeWdNDB2GhnULaHBKBYa
+YdBlvsUk+aoptJOaq6C2I+fKI0SUjk6QfXEIj1bf6kcsoXccsu5VAgMBAAGjaTBn
+MB0GA1UdDgQWBBSQQW+1vmCg7if8uR0ZtmQk6EgvvTAfBgNVHSMEGDAWgBSQQW+1
+vmCg7if8uR0ZtmQk6EgvvTAPBgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCTEy
+Ny4wLjAuMTANBgkqhkiG9w0BAQsFAAOCAQEAcfA4Fy7YRf/kCTjX0K3Vf7na56te
+WjJuryweq/YPFRu5L1q7j71ZUHDQOe+YLhpyNrFAzIa+8zpZx9Ubnitzi43K4u3y
+uQGwsq67gIY8PYHDNVZgk2O989TmI3EIPSUwaf9sTfFzQf54YiGYiwJWmttg0pYt
+crIJLCI3oLFHPBII4XvHAysdbIFqQX/PJAXXG4fqTK6e9pjsqoRu56gyEqnF6iy9
+c3lforvszS3CUxKbB9GM+IJZ60pPXZwoX5Y74dgVzkcyOxKkNjHjJSCY/P2+lK6E
+ANdjxL3XBPu1Oorti3MJWlllQ6PzHWKb/iPx0HYhh3sXw0+nfiPocAhQbw==
+-----END CERTIFICATE-----

examples/ibm-kms/main.tf

@@ -35,4 +35,55 @@ resource "ibm_cos_bucket" "flex-us-south" {
   region_location      = "us-south"
   storage_class        = "flex"
   kms_key_crn          = ibm_kms_key.test.id
+}
+
+resource "ibm_kms_kmip_adapter" "myadapter" {
+    instance_id = "${ibm_kms_key.test.instance_id}" 
+    profile = "native_1.0"
+    profile_data = {
+      "crk_id" = ibm_kms_key.test.key_id
+    }
+    description = "adding a description"
+    name = var.kmip_adapter_name
+}
+
+resource "ibm_kms_kmip_client_cert" "mycert" {
+  instance_id = "${ibm_kms_key.test.instance_id}" 
+  adapter_id = "${ibm_kms_kmip_adapter.myadapter.id}"
+  certificate = file("${path.module}/localhost.crt")
+  name = var.kmip_cert_name
+}
+
+data "ibm_kms_kmip_adapter" "adapter_data" {
+  instance_id = "${ibm_kms_key.test.instance_id}" 
+  name = "${ibm_kms_kmip_adapter.myadapter.name}"
+  # adapter_id = "${ibm_kms_kmip_adapter.myadapter.adapter_id}"
+}
+
+data "ibm_kms_kmip_client_cert" "cert1" {
+  instance_id = "${ibm_kms_key.test.instance_id}" 
+  adapter_name = "${ibm_kms_kmip_adapter.myadapter.name}"
+  cert_id = "${ibm_kms_kmip_client_cert.mycert.id}"
+}
+
+data "ibm_kms_kmip_adapters" "adapters" {
+  instance_id = "${ibm_kms_key.test.instance_id}" 
+}
+
+data "ibm_kms_kmip_client_certs" "cert_list" {
+  instance_id = "${ibm_kms_key.test.instance_id}" 
+  adapter_name = "${ibm_kms_kmip_adapter.myadapter.name}"
+}
+
+data "ibm_kms_kmip_objects" "objects_list" {
+  instance_id = "${ibm_kms_key.test.instance_id}" 
+  adapter_id = "${ibm_kms_kmip_adapter.myadapter.id}"
+  object_state_filter = [1,2,3,4]
+}
+
+data "ibm_kms_kmip_object" "object1" {
+  count = length(data.ibm_kms_kmip_objects.objects_list.objects) > 0 ? 1 : 0
+  instance_id = "${ibm_kms_key.test.instance_id}" 
+  adapter_id = "${ibm_kms_kmip_adapter.myadapter.id}"
+  object_id = "${data.ibm_kms_kmip_objects.objects_list.objects.0.object_id}"
 }

examples/ibm-kms/variables.tf

@@ -42,4 +42,15 @@ variable "bucket_name" {
    description = "The cos bucket name"
   type        = string
   default = "test_buck"
+}
+variable "kmip_adapter_name" {
+   description = "The KMIP adapter name"
+  type        = string
+  default = "myadapter"
+}
+
+variable "kmip_cert_name" {
+   description = "The KMIP client certificate name"
+  type        = string
+  default = "mycert"
 }

go.sum

@@ -163,9 +163,6 @@ github.com/IBM/ibm-hpcs-tke-sdk v0.0.0-20211109141421-a4b61b05f7d1 h1:T5UwRKKd+B
 github.com/IBM/ibm-hpcs-tke-sdk v0.0.0-20211109141421-a4b61b05f7d1/go.mod h1:M2JyuyeWHPtgGNeezr6YqVRuaav2MpY8Ha4QrEYvMoI=
 github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta h1:P1fdIfKsD9xvJQ5MHIEztPS9yfNf9x+VDTamaYcmqcs=
 github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta/go.mod h1:MLVNHMYoKsvovJZ4v1gQCpIYtRDHTtoIHK6XztDZGsU=
-github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
-github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
 github.com/IBM/keyprotect-go-client v0.14.0 h1:GqgK3BdczA/w7+B1RxEPLya0w9S/ZXi5YWKAxdW8vHQ=
 github.com/IBM/keyprotect-go-client v0.14.0/go.mod h1:cAt714Vnwnd03mmkBHHSJlDNRVthdRmJB6RePd4/B8Q=
 github.com/IBM/logs-go-sdk v0.1.1 h1:aiVnKHJzYcsHvQY58vLB7QbUV/kXcWTpCPqRKC2QS0A=

ibm/provider/provider.go

@@ -568,6 +568,12 @@ func Provider() *schema.Provider {
 			"ibm_kms_key_policies":                   kms.DataSourceIBMKMSkeyPolicies(),
 			"ibm_kms_keys":                           kms.DataSourceIBMKMSkeys(),
 			"ibm_kms_key":                            kms.DataSourceIBMKMSkey(),
+			"ibm_kms_kmip_adapter":                   kms.DataSourceIBMKMSKmipAdapter(),
+			"ibm_kms_kmip_adapters":                  kms.DataSourceIBMKMSKmipAdapters(),
+			"ibm_kms_kmip_client_cert":               kms.DataSourceIBMKmsKMIPClientCertificate(),
+			"ibm_kms_kmip_client_certs":              kms.DataSourceIBMKmsKMIPClientCertificates(),
+			"ibm_kms_kmip_object":                    kms.DataSourceIBMKMSKMIPObject(),
+			"ibm_kms_kmip_objects":                   kms.DataSourceIBMKMSKMIPObjects(),
 			"ibm_pn_application_chrome":              pushnotification.DataSourceIBMPNApplicationChrome(),
 			"ibm_app_config_environment":             appconfiguration.DataSourceIBMAppConfigEnvironment(),
 			"ibm_app_config_environments":            appconfiguration.DataSourceIBMAppConfigEnvironments(),
@@ -1215,6 +1221,8 @@ func Provider() *schema.Provider {
 			"ibm_kms_key_policies":                          kms.ResourceIBMKmskeyPolicies(),
 			"ibm_kp_key":                                    kms.ResourceIBMkey(),
 			"ibm_kms_instance_policies":                     kms.ResourceIBMKmsInstancePolicy(),
+			"ibm_kms_kmip_adapter":                          kms.ResourceIBMKmsKMIPAdapter(),
+			"ibm_kms_kmip_client_cert":                      kms.ResourceIBMKmsKMIPClientCertificate(),
 			"ibm_resource_group":                            resourcemanager.ResourceIBMResourceGroup(),
 			"ibm_resource_instance":                         resourcecontroller.ResourceIBMResourceInstance(),
 			"ibm_resource_key":                              resourcecontroller.ResourceIBMResourceKey(),

ibm/service/kms/data_source_ibm_kms_instance_policies_test.go

@@ -115,5 +115,5 @@ func testAccCheckIBMKmsDataSourceInstancePolicyWithPolicyType(instanceName strin
 		policy_type = var.policy_type
 		
 	}
-`, instanceName, enablePolicy, interval_month, dadenabled)
+`, addPrefixToResourceName(instanceName), enablePolicy, interval_month, dadenabled)
 }

ibm/service/kms/data_source_ibm_kms_key_policies_test.go

@@ -63,5 +63,5 @@ func testAccCheckIBMKmsDataSourceKeyPolicyConfigNew(instanceName, keyName string
 		instance_id = "${ibm_kms_key_policies.test2.instance_id}"
 		key_id = "${ibm_kms_key_policies.test2.key_id}"
 	}
-`, instanceName, keyName, rotationEnable, interval_month, enabled)
+`, addPrefixToResourceName(instanceName), keyName, rotationEnable, interval_month, enabled)
 }

ibm/service/kms/data_source_ibm_kms_key_rings_test.go

@@ -47,5 +47,5 @@ func testAccCheckIBMKmsKeyRingDataSourceConfig(instanceName, keyRing string) str
 	data "ibm_kms_key_rings" "test2" {
 		instance_id = "${ibm_kms_key_rings.test.instance_id}"
 	}
-`, instanceName, keyRing)
+`, addPrefixToResourceName(instanceName), keyRing)
 }

ibm/service/kms/data_source_ibm_kms_key_test.go

@@ -149,7 +149,7 @@ func testAccCheckIBMKmsKeyDataSourceKeyConfig(instanceName, keyName string) stri
 		limit = 2
 		key_name = "${ibm_kms_key.test.key_name}"
 	}
-`, instanceName, keyName)
+`, addPrefixToResourceName(instanceName), keyName)
 }
 
 func testAccCheckIBMKmsKeyDataSourceConfig(instanceName, keyName string) string {
@@ -170,7 +170,7 @@ func testAccCheckIBMKmsKeyDataSourceConfig(instanceName, keyName string) string
 		instance_id = "${ibm_kms_key.test.instance_id}"
 		key_name = "${ibm_kms_key.test.key_name}"
 	}
-`, instanceName, keyName)
+`, addPrefixToResourceName(instanceName), keyName)
 }
 
 func testAccCheckIBMKmsKeyDataSourceConfigAndDescription(instanceName, keyName string, description string) string {
@@ -192,7 +192,7 @@ func testAccCheckIBMKmsKeyDataSourceConfigAndDescription(instanceName, keyName s
 		instance_id = "${ibm_kms_key.test.instance_id}"
 		key_name = "${ibm_kms_key.test.key_name}"
 	}
-`, instanceName, keyName, description)
+`, addPrefixToResourceName(instanceName), keyName, description)
 }
 
 func testAccCheckIBMKmsKeyDataSourceHpcsConfig(hpcsInstanceID string, KeyName string) string {
@@ -239,5 +239,5 @@ func testAccCheckIBMKmsDataSourceKeyPolicyConfig(instanceName, keyName string, i
 		instance_id = "${ibm_kms_key_policies.testPolicy.instance_id}"
 		key_id = "${ibm_kms_key.test.key_id}"
 	}
-`, instanceName, keyName, interval_month, enabled)
+`, addPrefixToResourceName(instanceName), keyName, interval_month, enabled)
 }

ibm/service/kms/data_source_ibm_kms_keys_test.go

@@ -129,7 +129,7 @@ func testAccCheckIBMKmsKeyDataSourceKeysConfig(instanceName, keyName string) str
 		limit = 2
 		key_name = "${ibm_kms_key.test.key_name}"
 	}
-`, instanceName, keyName)
+`, addPrefixToResourceName(instanceName), keyName)
 }
 
 func testAccCheckIBMKmsDataSourceConfig(instanceName, keyName string) string {
@@ -149,7 +149,7 @@ func testAccCheckIBMKmsDataSourceConfig(instanceName, keyName string) string {
 	data "ibm_kms_keys" "test" {
 		instance_id = "${ibm_kms_key.test.instance_id}"
 	}
-`, instanceName, keyName)
+`, addPrefixToResourceName(instanceName), keyName)
 }
 
 func testAccCheckIBMKmsDataSourceHpcsConfig(hpcsInstanceID, KeyName string) string {
@@ -196,5 +196,5 @@ func testAccCheckIBMKmsDataSourceKeysPolicyConfig(instanceName, keyName string,
 		instance_id = "${ibm_kms_key_policies.testPolicy.instance_id}"
 		key_id = ibm_kms_key.test.key_id
 	}
-`, instanceName, keyName, interval_month, enabled)
+`, addPrefixToResourceName(instanceName), keyName, interval_month, enabled)
 }

ibm/service/kms/data_source_ibm_kms_kmip_adapter.go

@@ -0,0 +1,117 @@
+// Copyright IBM Corp. 2017, 2021 All Rights Reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package kms
+
+import (
+	"context"
+
+	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/validate"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceIBMKMSKmipAdapterBaseSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		"adapter_id": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The UUID of the KMIP adapter to be fetched",
+		},
+		"name": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The name of the KMIP adapter to be fetched",
+		},
+		"description": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The description of the KMIP adapter to be fetched",
+		},
+		"profile": {
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The profile of the KMIP adapter to be fetched",
+		},
+		"profile_data": {
+			Type:        schema.TypeMap,
+			Computed:    true,
+			Description: "The data specific to the KMIP Adapter profile",
+		},
+		"created_by": &schema.Schema{
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The unique identifier that is associated with the entity that created the adapter.",
+		},
+		"created_at": &schema.Schema{
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The date when a resource was created. The date format follows RFC 3339.",
+		},
+		"updated_by": &schema.Schema{
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The unique identifier that is associated with the entity that updated the adapter.",
+		},
+		"updated_at": &schema.Schema{
+			Type:        schema.TypeString,
+			Computed:    true,
+			Description: "The date when a resource was updated. The date format follows RFC 3339.",
+		},
+	}
+}
+
+func DataSourceIBMKMSKmipAdapter() *schema.Resource {
+	baseMap := dataSourceIBMKMSKmipAdapterBaseSchema()
+
+	baseMap["endpoint_type"] = &schema.Schema{
+		Type:         schema.TypeString,
+		Optional:     true,
+		Computed:     true,
+		ValidateFunc: validate.ValidateAllowedStringValues([]string{"public", "private"}),
+		Description:  "public or private",
+	}
+
+	baseMap["instance_id"] = &schema.Schema{
+		Type:             schema.TypeString,
+		Required:         true,
+		Description:      "Key protect or hpcs instance GUID",
+		DiffSuppressFunc: suppressKMSInstanceIDDiff,
+	}
+	adapterIDSchema := baseMap["adapter_id"]
+	adapterIDSchema.Optional = true
+	adapterIDSchema.ExactlyOneOf = []string{"adapter_id", "name"}
+	baseMap["adapter_id"] = adapterIDSchema
+
+	adapterNameSchema := baseMap["name"]
+	adapterNameSchema.Optional = true
+	adapterNameSchema.ExactlyOneOf = []string{"adapter_id", "name"}
+	baseMap["name"] = adapterNameSchema
+
+	return &schema.Resource{
+		Read:   dataSourceIBMKMSKmipAdapterRead,
+		Schema: baseMap,
+	}
+}
+
+func dataSourceIBMKMSKmipAdapterRead(d *schema.ResourceData, meta interface{}) error {
+	// initialize API
+	instanceID := getInstanceIDFromResourceData(d, "instance_id")
+	kpAPI, _, err := populateKPClient(d, meta, instanceID)
+	if err != nil {
+		return err
+	}
+
+	nameOrID, hasID := d.GetOk("adapter_id")
+	if !hasID {
+		nameOrID = d.Get("name")
+	}
+	adapterNameOrID := nameOrID.(string)
+	// call GetKMIPAdapter api
+	adapter, err := kpAPI.GetKMIPAdapter(context.Background(), adapterNameOrID)
+	if err != nil {
+		return err
+	}
+
+	// set computed values
+	return populateKMIPAdapterSchemaDataFromStruct(d, *adapter, instanceID)
+}