service/kms: Address #6993 PR feedback

Reference: #6993

aws/resource_aws_kms_ciphertext.go

@@ -14,8 +14,8 @@ func resourceAwsKmsCiphertext() *schema.Resource {
 
 	return &schema.Resource{
 		Create: resourceAwsKmsCiphertextCreate,
-		Read:   resourceAwsKmsCiphertextRead,
-		Delete: resourceAwsKmsCiphertextDelete,
+		Read:   schema.Noop,
+		Delete: schema.Noop,
 
 		Schema: map[string]*schema.Schema{
 			"plaintext": {
@@ -70,17 +70,3 @@ func resourceAwsKmsCiphertextCreate(d *schema.ResourceData, meta interface{}) er
 
 	return nil
 }
-
-func resourceAwsKmsCiphertextDelete(d *schema.ResourceData, meta interface{}) error {
-	d.SetId("")
-	return nil
-}
-
-func resourceAwsKmsCiphertextRead(d *schema.ResourceData, meta interface{}) error {
-	// If the input has changed, generate a new ciphertext_blob
-	// This should never be the case since ForceNew set on all input.
-	if d.HasChange("plaintext") || d.HasChange("key_id") || d.HasChange("context") {
-		return resourceAwsKmsCiphertextCreate(d, meta)
-	}
-	return nil
-}

aws/resource_aws_kms_ciphertext_test.go

@@ -23,79 +23,69 @@ func TestAccResourceAwsKmsCiphertext_basic(t *testing.T) {
 }
 
 func TestAccResourceAwsKmsCiphertext_validate(t *testing.T) {
+	kmsSecretsDataSource := "data.aws_kms_secrets.foo"
+	resourceName := "aws_kms_ciphertext.foo"
+
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccResourceAwsKmsCiphertextConfig_validate,
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttrSet(
-						"aws_kms_ciphertext.foo", "ciphertext_blob"),
-					resource.TestCheckResourceAttrSet(
-						"data.aws_kms_secret.foo", "plaintext"),
-					resource.TestCheckResourceAttr(
-						"data.aws_kms_secret.foo", "plaintext", "Super secret data"),
+					resource.TestCheckResourceAttrSet(resourceName, "ciphertext_blob"),
+					resource.TestCheckResourceAttrPair(resourceName, "plaintext", kmsSecretsDataSource, "plaintext.plaintext"),
 				),
 			},
 		},
 	})
 }
 
 func TestAccResourceAwsKmsCiphertext_validate_withContext(t *testing.T) {
+	kmsSecretsDataSource := "data.aws_kms_secrets.foo"
+	resourceName := "aws_kms_ciphertext.foo"
+
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccResourceAwsKmsCiphertextConfig_validate_withContext,
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttrSet(
-						"aws_kms_ciphertext.foo", "ciphertext_blob"),
-					resource.TestCheckResourceAttrSet(
-						"aws_kms_secret.foo", "plaintext"),
-					resource.TestCheckResourceAttr(
-						"aws_kms_secret.foo", "plaintext", "Super secret data"),
+					resource.TestCheckResourceAttrSet(resourceName, "ciphertext_blob"),
+					resource.TestCheckResourceAttrPair(resourceName, "plaintext", kmsSecretsDataSource, "plaintext.plaintext"),
 				),
 			},
 		},
 	})
 }
 
 const testAccResourceAwsKmsCiphertextConfig_basic = `
-provider "aws" {
-  region = "us-west-2"
-}
-
 resource "aws_kms_key" "foo" {
   description = "tf-test-acc-data-source-aws-kms-ciphertext-basic"
   is_enabled = true
 }
 
-data "aws_kms_ciphertext" "foo" {
+resource "aws_kms_ciphertext" "foo" {
   key_id = "${aws_kms_key.foo.key_id}"
 
   plaintext = "Super secret data"
 }
 `
 
 const testAccResourceAwsKmsCiphertextConfig_validate = `
-provider "aws" {
-  region = "us-west-2"
-}
-
 resource "aws_kms_key" "foo" {
   description = "tf-test-acc-data-source-aws-kms-ciphertext-validate"
   is_enabled = true
 }
 
-data "aws_kms_ciphertext" "foo" {
+resource "aws_kms_ciphertext" "foo" {
   key_id = "${aws_kms_key.foo.key_id}"
 
   plaintext = "Super secret data"
 }
 
-data "aws_kms_secret" "foo" {
+data "aws_kms_secrets" "foo" {
   secret {
     name = "plaintext"
     payload = "${aws_kms_ciphertext.foo.ciphertext_blob}"
@@ -104,32 +94,28 @@ data "aws_kms_secret" "foo" {
 `
 
 const testAccResourceAwsKmsCiphertextConfig_validate_withContext = `
-provider "aws" {
-  region = "us-west-2"
-}
-
 resource "aws_kms_key" "foo" {
   description = "tf-test-acc-data-source-aws-kms-ciphertext-validate-with-context"
   is_enabled = true
 }
 
-data "aws_kms_ciphertext" "foo" {
+resource "aws_kms_ciphertext" "foo" {
   key_id = "${aws_kms_key.foo.key_id}"
 
   plaintext = "Super secret data"
 
-  context {
-	name = "value"
+  context = {
+    name = "value"
   }
 }
 
-data "aws_kms_secret" "foo" {
+data "aws_kms_secrets" "foo" {
   secret {
     name = "plaintext"
     payload = "${aws_kms_ciphertext.foo.ciphertext_blob}"
 
-    context {
-	  name = "value"
+  context = {
+    name = "value"
     }
   }
 }

website/docs/d/kms_ciphertext.html.markdown

@@ -9,7 +9,9 @@ description: |-
 # Data Source: aws_kms_ciphertext
 
 The KMS ciphertext data source allows you to encrypt plaintext into ciphertext
-by using an AWS KMS customer master key.
+by using an AWS KMS customer master key. The value returned by this data source
+changes every apply. For a stable ciphertext value, see the [`aws_kms_ciphertext`
+resource](/docs/providers/aws/r/kms_ciphertext.html).
 
 ~> **Note:** All arguments including the plaintext be stored in the raw state as plain-text.
 [Read more about sensitive data in state](/docs/state/sensitive-data.html).

website/docs/r/kms_ciphertext.html.markdown

@@ -9,7 +9,9 @@ description: |-
 # Resource: aws_kms_ciphertext
 
 The KMS ciphertext resource allows you to encrypt plaintext into ciphertext
-by using an AWS KMS customer master key.
+by using an AWS KMS customer master key. The value returned by this resource
+is stable across every apply. For a changing ciphertext value each apply, see
+the [`aws_kms_ciphertext` data source](/docs/providers/aws/d/kms_ciphertext.html).
 
 ~> **Note:** All arguments including the plaintext be stored in the raw state as plain-text.
 [Read more about sensitive data in state](/docs/state/sensitive-data.html).