Merge pull request #7657 from terraform-providers/td-aws_kms_secret-s…

…oft-removal data-source/aws_kms_secret: Soft remove data source type with removal message
hashicorp · Feb 25, 2019 · 38e13f5 · 38e13f5
2 parents 8d95162 + ddde690
commit 38e13f5
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 227 deletions.
diff --git a/aws/data_source_aws_kms_secret.go b/aws/data_source_aws_kms_secret.go
@@ -1,20 +1,18 @@
 package aws
 
 import (
-	"encoding/base64"
-	"fmt"
-	"log"
-	"time"
+	"errors"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/hashicorp/terraform/helper/schema"
 )
 
+const dataSourceAwsKmsSecretRemovedMessage = "This data source has been replaced with the `aws_kms_secrets` data source. Upgrade information is available at: https://www.terraform.io/docs/providers/aws/guides/version-2-upgrade.html#data-source-aws_kms_secret"
+
 func dataSourceAwsKmsSecret() *schema.Resource {
 	return &schema.Resource{
-		DeprecationMessage: "This data source will be removed in Terraform AWS provider version 2.0. Please see migration information available in: https://www.terraform.io/docs/providers/aws/guides/version-2-upgrade.html#data-source-aws_kms_secret",
-		Read:               dataSourceAwsKmsSecretRead,
+		Read: func(d *schema.ResourceData, meta interface{}) error {
+			return errors.New(dataSourceAwsKmsSecretRemovedMessage)
+		},
 
 		Schema: map[string]*schema.Schema{
 			"secret": {
@@ -44,57 +42,6 @@ func dataSourceAwsKmsSecret() *schema.Resource {
 					},
 				},
 			},
-			"__has_dynamic_attributes": {
-				Type:     schema.TypeString,
-				Optional: true,
-			},
 		},
 	}
 }
-
-// dataSourceAwsKmsSecretRead decrypts the specified secrets
-func dataSourceAwsKmsSecretRead(d *schema.ResourceData, meta interface{}) error {
-	conn := meta.(*AWSClient).kmsconn
-	secrets := d.Get("secret").(*schema.Set)
-
-	d.SetId(time.Now().UTC().String())
-
-	for _, v := range secrets.List() {
-		secret := v.(map[string]interface{})
-
-		// base64 decode the payload
-		payload, err := base64.StdEncoding.DecodeString(secret["payload"].(string))
-		if err != nil {
-			return fmt.Errorf("Invalid base64 value for secret '%s': %v", secret["name"].(string), err)
-		}
-
-		// build the kms decrypt params
-		params := &kms.DecryptInput{
-			CiphertextBlob: payload,
-		}
-		if context, exists := secret["context"]; exists {
-			params.EncryptionContext = make(map[string]*string)
-			for k, v := range context.(map[string]interface{}) {
-				params.EncryptionContext[k] = aws.String(v.(string))
-			}
-		}
-		if grant_tokens, exists := secret["grant_tokens"]; exists {
-			params.GrantTokens = make([]*string, 0)
-			for _, v := range grant_tokens.([]interface{}) {
-				params.GrantTokens = append(params.GrantTokens, aws.String(v.(string)))
-			}
-		}
-
-		// decrypt
-		resp, err := conn.Decrypt(params)
-		if err != nil {
-			return fmt.Errorf("Failed to decrypt '%s': %s", secret["name"].(string), err)
-		}
-
-		// Set the secret via the name
-		log.Printf("[DEBUG] aws_kms_secret - successfully decrypted secret: %s", secret["name"].(string))
-		d.UnsafeSetFieldRaw(secret["name"].(string), string(resp.Plaintext))
-	}
-
-	return nil
-}
diff --git a/aws/data_source_aws_kms_secret_test.go b/aws/data_source_aws_kms_secret_test.go
@@ -1,96 +1,34 @@
 package aws
 
 import (
-	"encoding/base64"
-	"fmt"
+	"regexp"
 	"testing"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/kms"
-
 	"github.com/hashicorp/terraform/helper/resource"
-	"github.com/hashicorp/terraform/terraform"
 )
 
-func TestAccAWSKmsSecretDataSource_basic(t *testing.T) {
-	// Run a resource test to setup our KMS key
-	resource.Test(t, resource.TestCase{
+func TestAccAWSKmsSecretDataSource_removed(t *testing.T) {
+	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccCheckAwsKmsSecretDataSourceKey,
-				Check: func(s *terraform.State) error {
-					encryptedPayload, err := testAccCheckAwsKmsSecretDataSourceCheckKeySetup(s)
-					if err != nil {
-						return err
-					}
-
-					// We run the actual test on our data source nested in the
-					// Check function of the KMS key so we can access the
-					// encrypted output, above, and so that the key will be
-					// deleted at the end of the test
-					resource.Test(t, resource.TestCase{
-						PreCheck:  func() { testAccPreCheck(t) },
-						Providers: testAccProviders,
-						Steps: []resource.TestStep{
-							{
-								Config: fmt.Sprintf(testAccCheckAwsKmsSecretDataSourceSecret, encryptedPayload),
-								Check: resource.ComposeTestCheckFunc(
-									resource.TestCheckResourceAttr("data.aws_kms_secret.testing", "secret_name", "PAYLOAD"),
-								),
-							},
-						},
-					})
-
-					return nil
-				},
+				Config:      testAccAwsKmsSecretDataSourceConfig,
+				ExpectError: regexp.MustCompile(dataSourceAwsKmsSecretRemovedMessage),
 			},
 		},
 	})
-
 }
 
-func testAccCheckAwsKmsSecretDataSourceCheckKeySetup(s *terraform.State) (string, error) {
-	rs, ok := s.RootModule().Resources["aws_kms_key.terraform_data_source_testing"]
-	if !ok {
-		return "", fmt.Errorf("Failed to setup a KMS key for data source testing!")
-	}
-
-	// Now that the key is setup encrypt a string using it
-	// XXX TODO: Set up and test with grants
-	params := &kms.EncryptInput{
-		KeyId:     aws.String(rs.Primary.Attributes["arn"]),
-		Plaintext: []byte("PAYLOAD"),
-		EncryptionContext: map[string]*string{
-			"name": aws.String("value"),
-		},
-	}
-
-	kmsconn := testAccProvider.Meta().(*AWSClient).kmsconn
-	resp, err := kmsconn.Encrypt(params)
-	if err != nil {
-		return "", fmt.Errorf("Failed encrypting string with KMS for data source testing: %s", err)
-	}
-
-	return base64.StdEncoding.EncodeToString(resp.CiphertextBlob), nil
-}
-
-const testAccCheckAwsKmsSecretDataSourceKey = `
-resource "aws_kms_key" "terraform_data_source_testing" {
-    description = "Testing the Terraform AWS KMS Secret data_source"
-}
-`
-
-const testAccCheckAwsKmsSecretDataSourceSecret = `
+const testAccAwsKmsSecretDataSourceConfig = `
 data "aws_kms_secret" "testing" {
-    secret {
-        name = "secret_name"
-        payload = "%s"
+  secret {
+    name    = "secret_name"
+    payload = "data-source-removed"
 
-        context {
-            name = "value"
-        }
+    context = {
+      name = "value"
     }
+  }
 }
 `
diff --git a/website/aws.erb b/website/aws.erb
@@ -263,9 +263,6 @@
                         <li<%= sidebar_current("docs-aws-datasource-kms-key") %>>
                           <a href="/docs/providers/aws/d/kms_key.html">aws_kms_key</a>
                         </li>
-                        <li<%= sidebar_current("docs-aws-datasource-kms-secret-x") %>>
-                            <a href="/docs/providers/aws/d/kms_secret.html">aws_kms_secret</a>
-                        </li>
                         <li<%= sidebar_current("docs-aws-datasource-kms-secrets") %>>
                             <a href="/docs/providers/aws/d/kms_secrets.html">aws_kms_secrets</a>
                         </li>

diff --git a/website/docs/d/kms_secret.html.markdown b/website/docs/d/kms_secret.html.markdown