From eb63cfb28849fece328952be5967fbfba452b270 Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik <Ilia.lazebnik@gmail.com>
Date: Fri, 21 Aug 2020 20:02:54 +0300
Subject: [PATCH] resource/aws_storagegateway_cached_iscsi_volume: Add
 kms_encrypted and kms_key arguments (#12066)

Output from acceptance testing:

```
--- PASS: TestAccAWSStorageGatewayCachedIscsiVolume_kms (179.65s)
--- PASS: TestAccAWSStorageGatewayCachedIscsiVolume_Tags (226.14s)
--- PASS: TestAccAWSStorageGatewayCachedIscsiVolume_SnapshotId (229.53s)
--- PASS: TestAccAWSStorageGatewayCachedIscsiVolume_basic (230.15s)
--- PASS: TestAccAWSStorageGatewayCachedIscsiVolume_disappears (287.92s)
```
---
 ..._aws_storagegateway_cached_iscsi_volume.go | 28 +++++-
 ...storagegateway_cached_iscsi_volume_test.go | 85 +++++++++++++++++++
 ...egateway_cached_iscsi_volume.html.markdown |  2 +
 3 files changed, 114 insertions(+), 1 deletion(-)

diff --git a/aws/resource_aws_storagegateway_cached_iscsi_volume.go b/aws/resource_aws_storagegateway_cached_iscsi_volume.go
index c35ed2901f92..c56811ea6d5e 100644
--- a/aws/resource_aws_storagegateway_cached_iscsi_volume.go
+++ b/aws/resource_aws_storagegateway_cached_iscsi_volume.go
@@ -87,6 +87,18 @@ func resourceAwsStorageGatewayCachedIscsiVolume() *schema.Resource {
 				ForceNew: true,
 			},
 			"tags": tagsSchema(),
+			"kms_encrypted": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: true,
+			},
+			"kms_key": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: validateArn,
+				RequiredWith: []string{"kms_encrypted"},
+			},
 		},
 	}
 }
@@ -111,6 +123,14 @@ func resourceAwsStorageGatewayCachedIscsiVolumeCreate(d *schema.ResourceData, me
 		input.SourceVolumeARN = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("kms_key"); ok {
+		input.KMSKey = aws.String(v.(string))
+	}
+
+	if v, ok := d.GetOk("kms_encrypted"); ok {
+		input.KMSEncrypted = aws.Bool(v.(bool))
+	}
+
 	log.Printf("[DEBUG] Creating Storage Gateway cached iSCSI volume: %s", input)
 	output, err := conn.CreateCachediSCSIVolume(input)
 	if err != nil {
@@ -147,7 +167,7 @@ func resourceAwsStorageGatewayCachedIscsiVolumeRead(d *schema.ResourceData, meta
 	output, err := conn.DescribeCachediSCSIVolumes(input)
 
 	if err != nil {
-		if isAWSErr(err, storagegateway.ErrorCodeVolumeNotFound, "") {
+		if isAWSErr(err, storagegateway.ErrorCodeVolumeNotFound, "") || isAWSErr(err, storagegateway.ErrCodeInvalidGatewayRequestException, "The specified volume was not found") {
 			log.Printf("[WARN] Storage Gateway cached iSCSI volume %q not found, removing from state", d.Id())
 			d.SetId("")
 			return nil
@@ -169,6 +189,12 @@ func resourceAwsStorageGatewayCachedIscsiVolumeRead(d *schema.ResourceData, meta
 	d.Set("volume_arn", arn)
 	d.Set("volume_id", aws.StringValue(volume.VolumeId))
 	d.Set("volume_size_in_bytes", int(aws.Int64Value(volume.VolumeSizeInBytes)))
+	d.Set("kms_key", volume.KMSKey)
+	if volume.KMSKey != nil {
+		d.Set("kms_encrypted", true)
+	} else {
+		d.Set("kms_encrypted", false)
+	}
 
 	tags, err := keyvaluetags.StoragegatewayListTags(conn, arn)
 	if err != nil {
diff --git a/aws/resource_aws_storagegateway_cached_iscsi_volume_test.go b/aws/resource_aws_storagegateway_cached_iscsi_volume_test.go
index 224b5a23a783..af29572a1e49 100644
--- a/aws/resource_aws_storagegateway_cached_iscsi_volume_test.go
+++ b/aws/resource_aws_storagegateway_cached_iscsi_volume_test.go
@@ -94,6 +94,35 @@ func TestAccAWSStorageGatewayCachedIscsiVolume_basic(t *testing.T) {
 					resource.TestMatchResourceAttr(resourceName, "volume_id", regexp.MustCompile(`^vol-.+$`)),
 					testAccMatchResourceAttrRegionalARN(resourceName, "volume_arn", "storagegateway", regexp.MustCompile(`gateway/sgw-.+/volume/vol-.`)),
 					resource.TestCheckResourceAttr(resourceName, "volume_size_in_bytes", "5368709120"),
+					resource.TestCheckResourceAttr(resourceName, "kms_encrypted", "false"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccAWSStorageGatewayCachedIscsiVolume_kms(t *testing.T) {
+	var cachedIscsiVolume storagegateway.CachediSCSIVolume
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_storagegateway_cached_iscsi_volume.test"
+	keyResourceName := "aws_kms_key.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSStorageGatewayCachedIscsiVolumeDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSStorageGatewayCachedIscsiVolumeConfigKMSEncrypted(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSStorageGatewayCachedIscsiVolumeExists(resourceName, &cachedIscsiVolume),
+					resource.TestCheckResourceAttr(resourceName, "kms_encrypted", "true"),
+					resource.TestCheckResourceAttrPair(resourceName, "kms_key", keyResourceName, "arn"),
 				),
 			},
 			{
@@ -227,6 +256,28 @@ func TestAccAWSStorageGatewayCachedIscsiVolume_SourceVolumeArn(t *testing.T) {
 	})
 }
 
+func TestAccAWSStorageGatewayCachedIscsiVolume_disappears(t *testing.T) {
+	var storedIscsiVolume storagegateway.CachediSCSIVolume
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_storagegateway_cached_iscsi_volume.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSStorageGatewayCachedIscsiVolumeDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSStorageGatewayCachedIscsiVolumeConfig_Basic(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSStorageGatewayCachedIscsiVolumeExists(resourceName, &storedIscsiVolume),
+					testAccCheckResourceDisappears(testAccProvider, resourceAwsStorageGatewayCachedIscsiVolume(), resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func testAccCheckAWSStorageGatewayCachedIscsiVolumeExists(resourceName string, cachedIscsiVolume *storagegateway.CachediSCSIVolume) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[resourceName]
@@ -347,6 +398,40 @@ resource "aws_storagegateway_cached_iscsi_volume" "test" {
 `, rName))
 }
 
+func testAccAWSStorageGatewayCachedIscsiVolumeConfigKMSEncrypted(rName string) string {
+	return testAccAWSStorageGatewayCachedIscsiVolumeConfigBase(rName) + fmt.Sprintf(`
+ resource "aws_kms_key" "test" {
+     description = "Terraform acc test %[1]s"
+     policy = <<POLICY
+ {
+   "Version": "2012-10-17",
+   "Id": "kms-tf-1",
+   "Statement": [
+     {
+       "Sid": "Enable IAM User Permissions",
+       "Effect": "Allow",
+       "Principal": {
+         "AWS": "*"
+       },
+       "Action": "kms:*",
+       "Resource": "*"
+     }
+   ]
+ }
+ POLICY
+}
+
+resource "aws_storagegateway_cached_iscsi_volume" "test" {
+  gateway_arn          = aws_storagegateway_cache.test.gateway_arn
+  network_interface_id = aws_instance.test.private_ip
+  target_name          = %[1]q
+  volume_size_in_bytes = 5368709120
+  kms_encrypted        = true
+  kms_key              = aws_kms_key.test.arn
+}
+`, rName)
+}
+
 func testAccAWSStorageGatewayCachedIscsiVolumeConfigTags1(rName, tagKey1, tagValue1 string) string {
 	return composeConfig(
 		testAccAWSStorageGatewayCachedIscsiVolumeConfigBase(rName),
diff --git a/website/docs/r/storagegateway_cached_iscsi_volume.html.markdown b/website/docs/r/storagegateway_cached_iscsi_volume.html.markdown
index d4a0f4af5464..8c7f925525a2 100644
--- a/website/docs/r/storagegateway_cached_iscsi_volume.html.markdown
+++ b/website/docs/r/storagegateway_cached_iscsi_volume.html.markdown
@@ -63,6 +63,8 @@ The following arguments are supported:
 * `volume_size_in_bytes` - (Required) The size of the volume in bytes.
 * `snapshot_id` - (Optional) The snapshot ID of the snapshot to restore as the new cached volume. e.g. `snap-1122aabb`.
 * `source_volume_arn` - (Optional) The ARN for an existing volume. Specifying this ARN makes the new volume into an exact copy of the specified existing volume's latest recovery point. The `volume_size_in_bytes` value for this new volume must be equal to or larger than the size of the existing volume, in bytes.
+* `kms_encrypted` - (Optional) Set to `true` to use Amazon S3 server side encryption with your own AWS KMS key, or `false` to use a key managed by Amazon S3.
+* `kms_key` - (Optional) The Amazon Resource Name (ARN) of the AWS KMS key used for Amazon S3 server side encryption. Is required when `kms_encrypted` is set.
 * `tags` - (Optional) Key-value map of resource tags
 
 ## Attribute Reference