feat(kms): add key resource and datasource

relates to STACKITTPR-411

docs/data-sources/kms_key.md

@@ -0,0 +1,45 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_kms_key Data Source - stackit"
+subcategory: ""
+description: |-
+  KMS Key datasource schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+---
+
+# stackit_kms_key (Data Source)
+
+KMS Key datasource schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+## Example Usage
+
+```terraform
+data "stackit_kms_key" "key" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  keyring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  key_id     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `key_id` (String) The ID of the key
+- `keyring_id` (String) The ID of the associated key ring
+- `project_id` (String) STACKIT project ID to which the key is associated.
+
+### Optional
+
+- `region` (String) The resource region. If not defined, the provider region is used.
+
+### Read-Only
+
+- `access_scope` (String) The access scope of the key. Default is `PUBLIC`. Possible values are: `PUBLIC`, `SNA`.
+- `algorithm` (String) The encryption algorithm that the key will use to encrypt data. Possible values are: `aes_256_gcm`, `rsa_2048_oaep_sha256`, `rsa_3072_oaep_sha256`, `rsa_4096_oaep_sha256`, `rsa_4096_oaep_sha512`, `hmac_sha256`, `hmac_sha384`, `hmac_sha512`, `ecdsa_p256_sha256`, `ecdsa_p384_sha384`, `ecdsa_p521_sha512`.
+- `description` (String) A user chosen description to distinguish multiple keys
+- `display_name` (String) The display name to distinguish multiple keys
+- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`keyring_id,`key_id`".
+- `import_only` (Boolean) States whether versions can be created or only imported.
+- `protection` (String) The purpose for which the key will be used
+- `purpose` (String) The purpose for which the key will be used. Possible values are: `symmetric_encrypt_decrypt`, `asymmetric_encrypt_decrypt`, `message_authentication_code`, `asymmetric_sign_verify`.

docs/resources/kms_key.md

@@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_kms_key Resource - stackit"
+subcategory: ""
+description: |-
+  KMS Key resource schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on resource level.
+  ~> Keys will not be instantly destroyed by terraform during a terraform destroy. They will just be scheduled for deletion via the API and thrown out of the Terraform state afterwards. This way we can ensure no key setups are deleted by accident and it gives you the option to recover your keys within the grace period.
+---
+
+# stackit_kms_key (Resource)
+
+KMS Key resource schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on resource level.
+
+ ~> Keys will **not** be instantly destroyed by terraform during a `terraform destroy`. They will just be scheduled for deletion via the API and thrown out of the Terraform state afterwards. **This way we can ensure no key setups are deleted by accident and it gives you the option to recover your keys within the grace period.**
+
+## Example Usage
+
+```terraform
+resource "stackit_kms_key" "key" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  keyring_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  display_name = "key-01"
+  protection   = "software"
+  algorithm    = "aes_256_gcm"
+  purpose      = "symmetric_encrypt_decrypt"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `algorithm` (String) The encryption algorithm that the key will use to encrypt data. Possible values are: `aes_256_gcm`, `rsa_2048_oaep_sha256`, `rsa_3072_oaep_sha256`, `rsa_4096_oaep_sha256`, `rsa_4096_oaep_sha512`, `hmac_sha256`, `hmac_sha384`, `hmac_sha512`, `ecdsa_p256_sha256`, `ecdsa_p384_sha384`, `ecdsa_p521_sha512`.
+- `display_name` (String) The display name to distinguish multiple keys
+- `keyring_id` (String) The ID of the associated keyring
+- `project_id` (String) STACKIT project ID to which the key is associated.
+- `protection` (String) The underlying system that is responsible for protecting the key material. Currently only software is accepted.
+- `purpose` (String) The purpose for which the key will be used. Possible values are: `symmetric_encrypt_decrypt`, `asymmetric_encrypt_decrypt`, `message_authentication_code`, `asymmetric_sign_verify`.
+
+### Optional
+
+- `access_scope` (String) The access scope of the key. Default is `PUBLIC`. Possible values are: `PUBLIC`, `SNA`.
+- `description` (String) A user chosen description to distinguish multiple keys
+- `import_only` (Boolean) States whether versions can be created or only imported.
+- `region` (String) The resource region. If not defined, the provider region is used.
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`keyring_id`,`key_id`".
+- `key_id` (String) The ID of the key

examples/data-sources/stackit_kms_key/data-source.tf

@@ -0,0 +1,5 @@
+data "stackit_kms_key" "key" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  keyring_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  key_id     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}

examples/resources/stackit_kms_key/resource.tf

@@ -0,0 +1,8 @@
+resource "stackit_kms_key" "key" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  keyring_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  display_name = "key-01"
+  protection   = "software"
+  algorithm    = "aes_256_gcm"
+  purpose      = "symmetric_encrypt_decrypt"
+}

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-go v0.29.0
 	github.com/hashicorp/terraform-plugin-log v0.10.0
 	github.com/hashicorp/terraform-plugin-testing v1.13.3
-	github.com/stackitcloud/stackit-sdk-go/core v0.17.3
+	github.com/stackitcloud/stackit-sdk-go/core v0.19.0
 	github.com/stackitcloud/stackit-sdk-go/services/cdn v1.6.0
 	github.com/stackitcloud/stackit-sdk-go/services/dns v0.17.1
 	github.com/stackitcloud/stackit-sdk-go/services/git v0.8.0

go.sum

@@ -152,8 +152,8 @@ github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
-github.com/stackitcloud/stackit-sdk-go/core v0.17.3 h1:GsZGmRRc/3GJLmCUnsZswirr5wfLRrwavbnL/renOqg=
-github.com/stackitcloud/stackit-sdk-go/core v0.17.3/go.mod h1:HBCXJGPgdRulplDzhrmwC+Dak9B/x0nzNtmOpu+1Ahg=
+github.com/stackitcloud/stackit-sdk-go/core v0.19.0 h1:dtJcs6/TTCzzb2RKI7HJugDrbCkaFEDmn1pOeFe8qnI=
+github.com/stackitcloud/stackit-sdk-go/core v0.19.0/go.mod h1:fqto7M82ynGhEnpZU6VkQKYWYoFG5goC076JWXTUPRQ=
 github.com/stackitcloud/stackit-sdk-go/services/authorization v0.9.0 h1:7ZKd3b+E/R4TEVShLTXxx5FrsuDuJBOyuVOuKTMa4mo=
 github.com/stackitcloud/stackit-sdk-go/services/authorization v0.9.0/go.mod h1:/FoXa6hF77Gv8brrvLBCKa5ie1Xy9xn39yfHwaln9Tw=
 github.com/stackitcloud/stackit-sdk-go/services/cdn v1.6.0 h1:Q+qIdejeMsYMkbtVoI9BpGlKGdSVFRBhH/zj44SP8TM=

stackit/internal/services/kms/key/datasource.go

@@ -0,0 +1,187 @@
+package kms
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	sdkUtils "github.com/stackitcloud/stackit-sdk-go/core/utils"
+	"github.com/stackitcloud/stackit-sdk-go/services/kms"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
+	kmsUtils "github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/kms/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/validate"
+)
+
+var (
+	_ datasource.DataSource = &keyDataSource{}
+)
+
+func NewKeyDataSource() datasource.DataSource {
+	return &keyDataSource{}
+}
+
+type keyDataSource struct {
+	client       *kms.APIClient
+	providerData core.ProviderData
+}
+
+func (k *keyDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_kms_key"
+}
+
+func (k *keyDataSource) Configure(ctx context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	var ok bool
+	k.providerData, ok = conversion.ParseProviderData(ctx, req.ProviderData, &resp.Diagnostics)
+	if !ok {
+		return
+	}
+
+	k.client = kmsUtils.ConfigureClient(ctx, &k.providerData, &resp.Diagnostics)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	tflog.Info(ctx, "KMS client configured")
+}
+
+func (k *keyDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Description: fmt.Sprintf("KMS Key datasource schema. %s", core.DatasourceRegionFallbackDocstring),
+		Attributes: map[string]schema.Attribute{
+			"access_scope": schema.StringAttribute{
+				Description: fmt.Sprintf("The access scope of the key. Default is `%s`. %s", string(kms.ACCESSSCOPE_PUBLIC), utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(kms.AllowedAccessScopeEnumValues)...)),
+				Computed:    true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+			},
+			"algorithm": schema.StringAttribute{
+				Description: fmt.Sprintf("The encryption algorithm that the key will use to encrypt data. %s", utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(kms.AllowedAlgorithmEnumValues)...)),
+				Computed:    true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+			},
+			"description": schema.StringAttribute{
+				Description: "A user chosen description to distinguish multiple keys",
+				Computed:    true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+			},
+			"display_name": schema.StringAttribute{
+				Description: "The display name to distinguish multiple keys",
+				Computed:    true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+			},
+			"id": schema.StringAttribute{
+				Description: "Terraform's internal resource ID. It is structured as \"`project_id`,`region`,`keyring_id,`key_id`\".",
+				Computed:    true,
+			},
+			"import_only": schema.BoolAttribute{
+				Description: "States whether versions can be created or only imported.",
+				Computed:    true,
+			},
+			"key_id": schema.StringAttribute{
+				Description: "The ID of the key",
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"keyring_id": schema.StringAttribute{
+				Description: "The ID of the associated key ring",
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"protection": schema.StringAttribute{
+				Description: "The purpose for which the key will be used",
+				Computed:    true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+			},
+			"purpose": schema.StringAttribute{
+				Description: fmt.Sprintf("The purpose for which the key will be used. %s", utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(kms.AllowedPurposeEnumValues)...)),
+				Computed:    true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+			},
+			"project_id": schema.StringAttribute{
+				Description: "STACKIT project ID to which the key is associated.",
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"region": schema.StringAttribute{
+				Optional: true,
+				// must be computed to allow for storing the override value from the provider
+				Computed:    true,
+				Description: "The resource region. If not defined, the provider region is used.",
+			},
+		},
+	}
+}
+
+func (k *keyDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) { // nolint:gocritic // function signature required by Terraform
+	var model Model
+	diags := req.Config.Get(ctx, &model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	projectId := model.ProjectId.ValueString()
+	keyRingId := model.KeyRingId.ValueString()
+	region := k.providerData.GetRegionWithOverride(model.Region)
+	keyId := model.KeyId.ValueString()
+
+	ctx = tflog.SetField(ctx, "keyring_id", keyRingId)
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "region", region)
+	ctx = tflog.SetField(ctx, "key_id", keyId)
+
+	keyResponse, err := k.client.GetKey(ctx, projectId, region, keyRingId, keyId).Execute()
+	if err != nil {
+		utils.LogError(
+			ctx,
+			&resp.Diagnostics,
+			err,
+			"Reading key",
+			fmt.Sprintf("Key with ID %q does not exist in project %q.", keyId, projectId),
+			map[int]string{
+				http.StatusForbidden: fmt.Sprintf("Project with ID %q not found or forbidden access", projectId),
+			},
+		)
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	err = mapFields(keyResponse, &model, region)
+	if err != nil {
+		core.LogAndAddError(ctx, &resp.Diagnostics, "Error reading key", fmt.Sprintf("Processing API payload: %v", err))
+		return
+	}
+	diags = resp.State.Set(ctx, model)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	tflog.Info(ctx, "Key read")
+}