Merge pull request #14916 from DrFaust92/r/glue_data_catalog_encrypti…

…on_settings r/glue_data_catalog_encryption_settings - new resource
hashicorp · Oct 1, 2020 · 03b3b8b · 03b3b8b
2 parents 7882e3f + 40ec3a9
commit 03b3b8b
Show file tree

Hide file tree

Showing 4 changed files with 407 additions and 0 deletions.
diff --git a/aws/provider.go b/aws/provider.go
@@ -643,6 +643,7 @@ func Provider() *schema.Provider {
 			"aws_glue_classifier":                                     resourceAwsGlueClassifier(),
 			"aws_glue_connection":                                     resourceAwsGlueConnection(),
 			"aws_glue_crawler":                                        resourceAwsGlueCrawler(),
+			"aws_glue_data_catalog_encryption_settings":               resourceAwsGlueDataCatalogEncryptionSettings(),
 			"aws_glue_job":                                            resourceAwsGlueJob(),
 			"aws_glue_ml_transform":                                   resourceAwsGlueMLTransform(),
 			"aws_glue_security_configuration":                         resourceAwsGlueSecurityConfiguration(),

diff --git a/aws/resource_aws_glue_data_catalog_encryption_settings.go b/aws/resource_aws_glue_data_catalog_encryption_settings.go
@@ -0,0 +1,188 @@
+package aws
+
+import (
+	"fmt"
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/glue"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func resourceAwsGlueDataCatalogEncryptionSettings() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsGlueDataCatalogEncryptionSettingsPut,
+		Read:   resourceAwsGlueDataCatalogEncryptionSettingsRead,
+		Update: resourceAwsGlueDataCatalogEncryptionSettingsPut,
+		Delete: schema.Noop,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"catalog_id": {
+				Type:     schema.TypeString,
+				ForceNew: true,
+				Optional: true,
+				Computed: true,
+			},
+			"data_catalog_encryption_settings": {
+				Type:     schema.TypeList,
+				Required: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"connection_password_encryption": {
+							Type:     schema.TypeList,
+							Required: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"aws_kms_key_id": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										ValidateFunc: validateArn,
+									},
+									"return_connection_password_encrypted": {
+										Type:     schema.TypeBool,
+										Required: true,
+									},
+								},
+							},
+						},
+						"encryption_at_rest": {
+							Type:     schema.TypeList,
+							Required: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"catalog_encryption_mode": {
+										Type:         schema.TypeString,
+										Required:     true,
+										ValidateFunc: validation.StringInSlice(glue.CatalogEncryptionMode_Values(), false),
+									},
+									"sse_aws_kms_key_id": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										ValidateFunc: validateArn,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func resourceAwsGlueDataCatalogEncryptionSettingsPut(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).glueconn
+	catalogID := createAwsGlueCatalogID(d, meta.(*AWSClient).accountid)
+
+	input := &glue.PutDataCatalogEncryptionSettingsInput{
+		CatalogId:                     aws.String(catalogID),
+		DataCatalogEncryptionSettings: expandGlueDataCatalogEncryptionSettings(d.Get("data_catalog_encryption_settings").([]interface{})),
+	}
+
+	_, err := conn.PutDataCatalogEncryptionSettings(input)
+	if err != nil {
+		return fmt.Errorf("Error setting Data Catalog Encryption Settings: %w", err)
+	}
+
+	d.SetId(catalogID)
+
+	return resourceAwsGlueDataCatalogEncryptionSettingsRead(d, meta)
+}
+
+func resourceAwsGlueDataCatalogEncryptionSettingsRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).glueconn
+
+	input := &glue.GetDataCatalogEncryptionSettingsInput{
+		CatalogId: aws.String(d.Id()),
+	}
+
+	out, err := conn.GetDataCatalogEncryptionSettings(input)
+	if err != nil {
+		return fmt.Errorf("Error reading Glue Data Catalog Encryption Settings: %w", err)
+	}
+
+	d.Set("catalog_id", d.Id())
+
+	if err := d.Set("data_catalog_encryption_settings", flattenGlueDataCatalogEncryptionSettings(out.DataCatalogEncryptionSettings)); err != nil {
+		return fmt.Errorf("error setting data_catalog_encryption_settings: %w", err)
+	}
+
+	return nil
+}
+
+func expandGlueDataCatalogEncryptionSettings(settings []interface{}) *glue.DataCatalogEncryptionSettings {
+	m := settings[0].(map[string]interface{})
+
+	target := &glue.DataCatalogEncryptionSettings{
+		ConnectionPasswordEncryption: expandGlueDataCatalogConnectionPasswordEncryption(m["connection_password_encryption"].([]interface{})),
+		EncryptionAtRest:             expandGlueDataCatalogEncryptionAtRest(m["encryption_at_rest"].([]interface{})),
+	}
+
+	return target
+}
+
+func flattenGlueDataCatalogEncryptionSettings(settings *glue.DataCatalogEncryptionSettings) []map[string]interface{} {
+	m := map[string]interface{}{
+		"connection_password_encryption": flattenGlueDataCatalogConnectionPasswordEncryption(settings.ConnectionPasswordEncryption),
+		"encryption_at_rest":             flattenGlueDataCatalogEncryptionAtRest(settings.EncryptionAtRest),
+	}
+
+	return []map[string]interface{}{m}
+}
+
+func expandGlueDataCatalogConnectionPasswordEncryption(settings []interface{}) *glue.ConnectionPasswordEncryption {
+	m := settings[0].(map[string]interface{})
+
+	target := &glue.ConnectionPasswordEncryption{
+		ReturnConnectionPasswordEncrypted: aws.Bool(m["return_connection_password_encrypted"].(bool)),
+	}
+
+	if v, ok := m["aws_kms_key_id"].(string); ok && v != "" {
+		target.AwsKmsKeyId = aws.String(v)
+	}
+
+	return target
+}
+
+func flattenGlueDataCatalogConnectionPasswordEncryption(settings *glue.ConnectionPasswordEncryption) []map[string]interface{} {
+	m := map[string]interface{}{
+		"return_connection_password_encrypted": aws.BoolValue(settings.ReturnConnectionPasswordEncrypted),
+	}
+
+	if settings.AwsKmsKeyId != nil {
+		m["aws_kms_key_id"] = aws.StringValue(settings.AwsKmsKeyId)
+	}
+
+	return []map[string]interface{}{m}
+}
+
+func expandGlueDataCatalogEncryptionAtRest(settings []interface{}) *glue.EncryptionAtRest {
+	m := settings[0].(map[string]interface{})
+
+	target := &glue.EncryptionAtRest{
+		CatalogEncryptionMode: aws.String(m["catalog_encryption_mode"].(string)),
+	}
+
+	if v, ok := m["sse_aws_kms_key_id"].(string); ok && v != "" {
+		target.SseAwsKmsKeyId = aws.String(v)
+	}
+
+	return target
+}
+
+func flattenGlueDataCatalogEncryptionAtRest(settings *glue.EncryptionAtRest) []map[string]interface{} {
+	m := map[string]interface{}{
+		"catalog_encryption_mode": aws.StringValue(settings.CatalogEncryptionMode),
+	}
+
+	if settings.SseAwsKmsKeyId != nil {
+		m["sse_aws_kms_key_id"] = aws.StringValue(settings.SseAwsKmsKeyId)
+	}
+
+	return []map[string]interface{}{m}
+}
diff --git a/aws/resource_aws_glue_data_catalog_encryption_settings_test.go b/aws/resource_aws_glue_data_catalog_encryption_settings_test.go
@@ -0,0 +1,153 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/glue"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccAWSDataCatalogEncryptionSettings_basic(t *testing.T) {
+	var settings glue.DataCatalogEncryptionSettings
+
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_glue_data_catalog_encryption_settings.test"
+	keyResourceName := "aws_kms_key.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: nil,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSDataCatalogEncryptionSettingsNonEncryptedConfig(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSDataCatalogEncryptionSettingsExists(resourceName, &settings),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.0.return_connection_password_encrypted", "false"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.0.aws_kms_key_id", ""),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.0.catalog_encryption_mode", "DISABLED"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.0.sse_aws_kms_key_id", ""),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccAWSDataCatalogEncryptionSettingsEncryptedConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSDataCatalogEncryptionSettingsExists(resourceName, &settings),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.0.return_connection_password_encrypted", "true"),
+					resource.TestCheckResourceAttrPair(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.0.aws_kms_key_id", keyResourceName, "arn"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.0.catalog_encryption_mode", "SSE-KMS"),
+					resource.TestCheckResourceAttrPair(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.0.sse_aws_kms_key_id", keyResourceName, "arn"),
+				),
+			},
+			{
+				Config: testAccAWSDataCatalogEncryptionSettingsNonEncryptedConfig(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSDataCatalogEncryptionSettingsExists(resourceName, &settings),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.0.return_connection_password_encrypted", "false"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.connection_password_encryption.0.aws_kms_key_id", ""),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.0.catalog_encryption_mode", "DISABLED"),
+					resource.TestCheckResourceAttr(resourceName, "data_catalog_encryption_settings.0.encryption_at_rest.0.sse_aws_kms_key_id", ""),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSDataCatalogEncryptionSettingsExists(resourceName string, settings *glue.DataCatalogEncryptionSettings) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", resourceName)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Glue Data Catalog Encryption Settings ID is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).glueconn
+
+		output, err := conn.GetDataCatalogEncryptionSettings(&glue.GetDataCatalogEncryptionSettingsInput{
+			CatalogId: aws.String(rs.Primary.ID),
+		})
+		if err != nil {
+			return err
+		}
+
+		*settings = *output.DataCatalogEncryptionSettings
+
+		return nil
+	}
+}
+
+func testAccAWSDataCatalogEncryptionSettingsEncryptedConfig(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_kms_key" "test" {
+  description = %[1]q
+  policy      = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "kms:*",
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_glue_data_catalog_encryption_settings" "test" {
+  data_catalog_encryption_settings {
+    connection_password_encryption {
+      aws_kms_key_id                       = aws_kms_key.test.arn
+      return_connection_password_encrypted = true
+    }
+
+    encryption_at_rest {
+      catalog_encryption_mode = "SSE-KMS"
+      sse_aws_kms_key_id      = aws_kms_key.test.arn
+    }
+  }
+}
+`, rName)
+}
+
+func testAccAWSDataCatalogEncryptionSettingsNonEncryptedConfig() string {
+	return fmt.Sprintf(`
+resource "aws_glue_data_catalog_encryption_settings" "test" {
+  data_catalog_encryption_settings {
+    connection_password_encryption {
+      return_connection_password_encrypted = false
+    }
+
+    encryption_at_rest {
+      catalog_encryption_mode = "DISABLED"
+    }
+  }
+}
+`)
+}