Add support for Customer Key Version and Encrypted Data Keys (#1203)

Co-authored-by: Jarrett Spiker <[email protected]>

Author: helenjw

aws_oidc_configuration.go

@@ -8,6 +8,9 @@ import (
 
 const OIDCConfigPathFormat = "oidc-configurations/%s"
 
+// AWSOIDCConfigurations describes all the AWS OIDC configuration related methods that the HCP Terraform API supports.
+// HCP Terraform API docs:
+// https://developer.hashicorp.com/terraform/cloud-docs/api-docs/hold-your-own-key/oidc-configurations/aws
 type AWSOIDCConfigurations interface {
 	Create(ctx context.Context, organization string, options AWSOIDCConfigurationCreateOptions) (*AWSOIDCConfiguration, error)
 

azure_oidc_configuration.go

@@ -6,6 +6,9 @@ import (
 	"net/url"
 )
 
+// AzureOIDCConfigurations describes all the Azure OIDC configuration related methods that the HCP Terraform API supports.
+// HCP Terraform API docs:
+// https://developer.hashicorp.com/terraform/cloud-docs/api-docs/hold-your-own-key/oidc-configurations/azure
 type AzureOIDCConfigurations interface {
 	Create(ctx context.Context, organization string, options AzureOIDCConfigurationCreateOptions) (*AzureOIDCConfiguration, error)
 

errors.go

@@ -244,6 +244,10 @@ var (
 	ErrInvalidOIDC = errors.New("invalid value for OIDC configuration ID")
 
 	ErrInvalidHYOK = errors.New("invalid value for HYOK configuration ID")
+
+	ErrInvalidHYOKCustomerKeyVersion = errors.New("invalid value for HYOK Customer key version ID")
+
+	ErrInvalidHYOKEncryptedDataKey = errors.New("invalid value for HYOK encrypted data key ID")
 )
 
 var (

gcp_oidc_configuration.go

@@ -6,6 +6,9 @@ import (
 	"net/url"
 )
 
+// GCPOIDCConfigurations describes all the GCP OIDC configuration related methods that the HCP Terraform API supports.
+// HCP Terraform API docs:
+// https://developer.hashicorp.com/terraform/cloud-docs/api-docs/hold-your-own-key/oidc-configurations/gcp
 type GCPOIDCConfigurations interface {
 	Create(ctx context.Context, organization string, options GCPOIDCConfigurationCreateOptions) (*GCPOIDCConfiguration, error)
 

hyok_configuration.go

@@ -6,6 +6,9 @@ import (
 	"net/url"
 )
 
+// HYOKConfigurations describes all the HYOK configuration related methods that the HCP Terraform API supports.
+// HCP Terraform API docs:
+// https://developer.hashicorp.com/terraform/cloud-docs/api-docs/hold-your-own-key/configurations
 type HYOKConfigurations interface {
 	List(ctx context.Context, organization string, options *HYOKConfigurationsListOptions) (*HYOKConfigurationsList, error)
 
@@ -72,6 +75,7 @@ type HYOKConfiguration struct {
 	Organization      *Organization                `jsonapi:"relation,organization"`
 	OIDCConfiguration *OIDCConfigurationTypeChoice `jsonapi:"polyrelation,oidc-configuration"`
 	AgentPool         *AgentPool                   `jsonapi:"relation,agent-pool"`
+	KeyVersions       []*HYOKCustomerKeyVersion    `jsonapi:"relation,hyok-customer-key-versions"`
 }
 
 type HYOKConfigurationsList struct {

hyok_customer_key_version.go

@@ -0,0 +1,143 @@
+package tfe
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"time"
+)
+
+var _ HYOKCustomerKeyVersions = (*hyokCustomerKeyVersions)(nil)
+
+// HYOKCustomerKeyVersions describes all the hyok customer key version related methods that the HCP Terraform API supports.
+// HCP Terraform API docs:
+// https://developer.hashicorp.com/terraform/cloud-docs/api-docs/hold-your-own-key/key-versions
+type HYOKCustomerKeyVersions interface {
+	// List all hyok customer key versions associated to a HYOK configuration.
+	List(ctx context.Context, hyokConfigurationID string, options *HYOKCustomerKeyVersionListOptions) (*HYOKCustomerKeyVersionList, error)
+
+	// Read a hyok customer key version by its ID.
+	Read(ctx context.Context, hyokCustomerKeyVersionID string) (*HYOKCustomerKeyVersion, error)
+
+	// Revoke a hyok customer key version.
+	Revoke(ctx context.Context, hyokCustomerKeyVersionID string) error
+
+	// Delete a hyok customer key version.
+	Delete(ctx context.Context, hyokCustomerKeyVersionID string) error
+}
+
+// hyokCustomerKeyVersions implements HYOKCustomerKeyVersions
+type hyokCustomerKeyVersions struct {
+	client *Client
+}
+
+// HYOKCustomerKeyVersionList represents a list of hyok customer key versions
+type HYOKCustomerKeyVersionList struct {
+	*Pagination
+	Items []*HYOKCustomerKeyVersion
+}
+
+// HYOKCustomerKeyVersion represents the resource
+type HYOKCustomerKeyVersion struct {
+	// Attributes
+	ID         string               `jsonapi:"primary,hyok-customer-key-versions"`
+	KeyVersion string               `jsonapi:"attr,key-version"`
+	CreatedAt  time.Time            `jsonapi:"attr,created-at,iso8601"`
+	UpdatedAt  time.Time            `jsonapi:"attr,updated-at,iso8601"`
+	RevokedAt  time.Time            `jsonapi:"attr,revoked-at,iso8601"`
+	Status     HYOKKeyVersionStatus `jsonapi:"attr,status"`
+	Error      string               `jsonapi:"attr,error"`
+
+	// Relationships
+	HYOKConfiguration *HYOKConfiguration `jsonapi:"relation,hyok-configuration"`
+}
+
+// HYOKKeyVersionStatus represents a key version status.
+type HYOKKeyVersionStatus string
+
+// List all available configuration version statuses.
+const (
+	KeyVersionStatusAvailable        HYOKKeyVersionStatus = "available"
+	KeyVersionStatusRevoking         HYOKKeyVersionStatus = "revoking"
+	KeyVersionStatusRevoked          HYOKKeyVersionStatus = "revoked"
+	KeyVersionStatusRevocationFailed HYOKKeyVersionStatus = "revocation_failed"
+)
+
+// HYOKCustomerKeyVersionListOptions represents the options for listing hyok customer key versions
+type HYOKCustomerKeyVersionListOptions struct {
+	ListOptions
+	Refresh bool `url:"refresh,omitempty"`
+}
+
+// List all hyok customer key versions.
+func (s *hyokCustomerKeyVersions) List(ctx context.Context, hyokConfigurationID string, options *HYOKCustomerKeyVersionListOptions) (*HYOKCustomerKeyVersionList, error) {
+	if !validStringID(&hyokConfigurationID) {
+		return nil, ErrInvalidHYOK
+	}
+
+	path := fmt.Sprintf("hyok-configurations/%s/hyok-customer-key-versions", url.PathEscape(hyokConfigurationID))
+	req, err := s.client.NewRequest("GET", path, options)
+	if err != nil {
+		return nil, err
+	}
+
+	kvs := &HYOKCustomerKeyVersionList{}
+	err = req.Do(ctx, kvs)
+	if err != nil {
+		return nil, err
+	}
+
+	return kvs, nil
+}
+
+// Read a hyok customer key version by its ID.
+func (s *hyokCustomerKeyVersions) Read(ctx context.Context, hyokCustomerKeyVersionID string) (*HYOKCustomerKeyVersion, error) {
+	if !validStringID(&hyokCustomerKeyVersionID) {
+		return nil, ErrInvalidHYOKCustomerKeyVersion
+	}
+
+	path := fmt.Sprintf("hyok-customer-key-versions/%s", url.PathEscape(hyokCustomerKeyVersionID))
+	req, err := s.client.NewRequest("GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	kv := &HYOKCustomerKeyVersion{}
+	err = req.Do(ctx, kv)
+	if err != nil {
+		return nil, err
+	}
+
+	return kv, nil
+}
+
+// Revoke a hyok customer key version. This process is asynchronous.
+// Returns `error` if there was a problem triggering the revocation. Otherwise revocation has been triggered successfully.
+func (s *hyokCustomerKeyVersions) Revoke(ctx context.Context, hyokCustomerKeyVersionID string) error {
+	if !validStringID(&hyokCustomerKeyVersionID) {
+		return ErrInvalidHYOKCustomerKeyVersion
+	}
+
+	path := fmt.Sprintf("hyok-customer-key-versions/%s/actions/revoke", url.PathEscape(hyokCustomerKeyVersionID))
+	req, err := s.client.NewRequest("POST", path, nil)
+	if err != nil {
+		return err
+	}
+
+	return req.Do(ctx, nil)
+}
+
+// Delete a hyok customer key version.
+func (s *hyokCustomerKeyVersions) Delete(ctx context.Context, hyokCustomerKeyVersionID string) error {
+	if !validStringID(&hyokCustomerKeyVersionID) {
+		return ErrInvalidHYOKCustomerKeyVersion
+	}
+
+	path := fmt.Sprintf("hyok-customer-key-versions/%s", url.PathEscape(hyokCustomerKeyVersionID))
+	req, err := s.client.NewRequest("DELETE", path, nil)
+	if err != nil {
+		return err
+	}
+
+	return req.Do(ctx, nil)
+}

hyok_customer_key_version_integration_test.go

@@ -0,0 +1,55 @@
+package tfe
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// These tests are intended for local execution only, as key versions for HYOK requires specific conditions
+// for tests to run successfully. To test locally:
+// 1. Follow the instructions outlined in hyok_configuration_integration_test.go.
+// 2. Set hyokCustomerKeyVersionID to the ID of an existing HYOK customer key version
+
+func TestHYOKCustomerKeyVersionsList(t *testing.T) {
+	if skipHYOKIntegrationTests {
+		t.Skip()
+	}
+
+	client := testClient(t)
+	ctx := context.Background()
+
+	orgTest, err := client.Organizations.Read(ctx, hyokOrganizationName)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	agentPool, agentPoolCleanup := createAgentPool(t, client, orgTest)
+	t.Cleanup(agentPoolCleanup)
+
+	oidc, oidcCleanup := createGCPOIDCConfiguration(t, client, orgTest)
+	t.Cleanup(oidcCleanup)
+	hyok, hyokCleanup := oidc.createHYOKConfiguration(t, client, orgTest, agentPool)
+	t.Cleanup(hyokCleanup)
+
+	t.Run("with no list options", func(t *testing.T) {
+		_, err := client.HYOKCustomerKeyVersions.List(ctx, hyok.ID, nil)
+		require.NoError(t, err)
+	})
+}
+
+func TestHYOKCustomerKeyVersionsRead(t *testing.T) {
+	if skipHYOKIntegrationTests {
+		t.Skip()
+	}
+
+	client := testClient(t)
+	ctx := context.Background()
+
+	t.Run("read an existing key version", func(t *testing.T) {
+		hyokCustomerKeyVersionID := ""
+		_, err := client.HYOKCustomerKeyVersions.Read(ctx, hyokCustomerKeyVersionID)
+		require.NoError(t, err)
+	})
+}

hyok_encrypted_data_key.go

@@ -0,0 +1,56 @@
+package tfe
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"time"
+)
+
+var _ HYOKEncryptedDataKeys = (*hyokEncryptedDataKeys)(nil)
+
+// HYOKEncryptedDataKeys describes all the hyok customer key version related methods that the HCP Terraform API supports.
+// HCP Terraform API docs:
+// https://developer.hashicorp.com/terraform/cloud-docs/api-docs/hold-your-own-key/encrypted-data-keys
+type HYOKEncryptedDataKeys interface {
+	// Read a HYOK encrypted data key by its ID.
+	Read(ctx context.Context, hyokEncryptedDataKeyID string) (*HYOKEncryptedDataKey, error)
+}
+
+// hyokEncryptedDataKeys implements HYOKEncryptedDataKeys
+type hyokEncryptedDataKeys struct {
+	client *Client
+}
+
+// HYOKEncryptedDataKey represents the resource
+type HYOKEncryptedDataKey struct {
+	// Attributes
+	ID              string    `jsonapi:"primary,hyok-encrypted-data-keys"`
+	EncryptedDEK    string    `jsonapi:"attr,encrypted-dek"`
+	CustomerKeyName string    `jsonapi:"attr,customer-key-name"`
+	CreatedAt       time.Time `jsonapi:"attr,created-at,iso8601"`
+
+	// Relationships
+	KeyVersion *HYOKCustomerKeyVersion `jsonapi:"relation,hyok-customer-key-versions"`
+}
+
+// Read a HYOK encrypted data key by its ID.
+func (h hyokEncryptedDataKeys) Read(ctx context.Context, hyokEncryptedDataKeyID string) (*HYOKEncryptedDataKey, error) {
+	if !validStringID(&hyokEncryptedDataKeyID) {
+		return nil, ErrInvalidHYOKEncryptedDataKey
+	}
+
+	path := fmt.Sprintf("hyok-encrypted-data-keys/%s", url.PathEscape(hyokEncryptedDataKeyID))
+	req, err := h.client.NewRequest("GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	dek := &HYOKEncryptedDataKey{}
+	err = req.Do(ctx, dek)
+	if err != nil {
+		return nil, err
+	}
+
+	return dek, nil
+}

hyok_encrypted_data_key_integration_test.go

@@ -0,0 +1,28 @@
+package tfe
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// These tests are intended for local execution only, as data encryption keys for HYOK requires specific conditions
+// for tests to run successfully. To test locally:
+// 1. Follow the instructions outlined in hyok_configuration_integration_test.go.
+// 2. Set hyokEncryptedDataKeyID to the ID of an existing data encryption key
+
+func TestHYOKEncryptedDataKeyRead(t *testing.T) {
+	if skipHYOKIntegrationTests {
+		t.Skip()
+	}
+
+	client := testClient(t)
+	ctx := context.Background()
+
+	t.Run("read an existing encrypted data key", func(t *testing.T) {
+		hyokEncryptedDataKeyID := ""
+		_, err := client.HYOKEncryptedDataKeys.Read(ctx, hyokEncryptedDataKeyID)
+		require.NoError(t, err)
+	})
+}

tfe.go

@@ -170,6 +170,8 @@ type Client struct {
 	SSHKeys                         SSHKeys
 	Stacks                          Stacks
 	HYOKConfigurations              HYOKConfigurations
+	HYOKCustomerKeyVersions         HYOKCustomerKeyVersions
+	HYOKEncryptedDataKeys           HYOKEncryptedDataKeys
 	StackConfigurations             StackConfigurations
 	StackDeployments                StackDeployments
 	StackDeploymentGroups           StackDeploymentGroups
@@ -509,6 +511,8 @@ func NewClient(cfg *Config) (*Client, error) {
 	client.SSHKeys = &sshKeys{client: client}
 	client.Stacks = &stacks{client: client}
 	client.HYOKConfigurations = &hyokConfigurations{client: client}
+	client.HYOKCustomerKeyVersions = &hyokCustomerKeyVersions{client: client}
+	client.HYOKEncryptedDataKeys = &hyokEncryptedDataKeys{client: client}
 	client.StackConfigurations = &stackConfigurations{client: client}
 	client.StackDeployments = &stackDeployments{client: client}
 	client.StackDeploymentGroups = &stackDeploymentGroups{client: client}