hashicorp · bflad · Aug 21, 2020 · Feb 17, 2020 · Feb 17, 2020 · Feb 18, 2020
diff --git a/aws/resource_aws_storagegateway_cached_iscsi_volume.go b/aws/resource_aws_storagegateway_cached_iscsi_volume.go
@@ -87,6 +87,18 @@ func resourceAwsStorageGatewayCachedIscsiVolume() *schema.Resource {
  ForceNew: true,
  },
  "tags": tagsSchema(),
+ "kms_encrypted": {
+ Type: schema.TypeBool,
+ Optional: true,
+ ForceNew: true,
+ },
+ "kms_key": {
+ Type: schema.TypeString,
+ Optional: true,
+ ForceNew: true,
+ ValidateFunc: validateArn,
+ RequiredWith: []string{"kms_encrypted"},
+ },
  },
  }
 }
@@ -111,6 +123,14 @@ func resourceAwsStorageGatewayCachedIscsiVolumeCreate(d *schema.ResourceData, me
  input.SourceVolumeARN = aws.String(v.(string))
  }
 
+ if v, ok := d.GetOk("kms_key"); ok {
+ input.KMSKey = aws.String(v.(string))
+ }
+
+ if v, ok := d.GetOk("kms_encrypted"); ok {
+ input.KMSEncrypted = aws.Bool(v.(bool))
+ }
+
  log.Printf("[DEBUG] Creating Storage Gateway cached iSCSI volume: %s", input)
  output, err := conn.CreateCachediSCSIVolume(input)
  if err != nil {
@@ -147,7 +167,7 @@ func resourceAwsStorageGatewayCachedIscsiVolumeRead(d *schema.ResourceData, meta
  output, err := conn.DescribeCachediSCSIVolumes(input)
 
  if err != nil {
- if isAWSErr(err, storagegateway.ErrorCodeVolumeNotFound, "") {
+ if isAWSErr(err, storagegateway.ErrorCodeVolumeNotFound, "") || isAWSErr(err, storagegateway.ErrCodeInvalidGatewayRequestException, "The specified volume was not found") {
  log.Printf("[WARN] Storage Gateway cached iSCSI volume %q not found, removing from state", d.Id())
  d.SetId("")
  return nil
@@ -169,6 +189,12 @@ func resourceAwsStorageGatewayCachedIscsiVolumeRead(d *schema.ResourceData, meta
  d.Set("volume_arn", arn)
  d.Set("volume_id", aws.StringValue(volume.VolumeId))
  d.Set("volume_size_in_bytes", int(aws.Int64Value(volume.VolumeSizeInBytes)))
+ d.Set("kms_key", volume.KMSKey)
+ if volume.KMSKey != nil {
+ d.Set("kms_encrypted", true)
+ } else {
+ d.Set("kms_encrypted", false)
+ }
 
  tags, err := keyvaluetags.StoragegatewayListTags(conn, arn)
  if err != nil {

diff --git a/aws/resource_aws_storagegateway_cached_iscsi_volume_test.go b/aws/resource_aws_storagegateway_cached_iscsi_volume_test.go
@@ -94,6 +94,35 @@ func TestAccAWSStorageGatewayCachedIscsiVolume_basic(t *testing.T) {
  resource.TestMatchResourceAttr(resourceName, "volume_id", regexp.MustCompile(`^vol-.+$`)),
  testAccMatchResourceAttrRegionalARN(resourceName, "volume_arn", "storagegateway", regexp.MustCompile(`gateway/sgw-.+/volume/vol-.`)),
  resource.TestCheckResourceAttr(resourceName, "volume_size_in_bytes", "5368709120"),
+ resource.TestCheckResourceAttr(resourceName, "kms_encrypted", "false"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+func TestAccAWSStorageGatewayCachedIscsiVolume_kms(t *testing.T) {
+ var cachedIscsiVolume storagegateway.CachediSCSIVolume
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+ resourceName := "aws_storagegateway_cached_iscsi_volume.test"
+ keyResourceName := "aws_kms_key.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSStorageGatewayCachedIscsiVolumeDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSStorageGatewayCachedIscsiVolumeConfigKMSEncrypted(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSStorageGatewayCachedIscsiVolumeExists(resourceName, &cachedIscsiVolume),
+ resource.TestCheckResourceAttr(resourceName, "kms_encrypted", "true"),
+ resource.TestCheckResourceAttrPair(resourceName, "kms_key", keyResourceName, "arn"),
  ),
  },
  {
@@ -227,6 +256,28 @@ func TestAccAWSStorageGatewayCachedIscsiVolume_SourceVolumeArn(t *testing.T) {
  })
 }
 
+func TestAccAWSStorageGatewayCachedIscsiVolume_disappears(t *testing.T) {
+ var storedIscsiVolume storagegateway.CachediSCSIVolume
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+ resourceName := "aws_storagegateway_cached_iscsi_volume.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSStorageGatewayCachedIscsiVolumeDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSStorageGatewayCachedIscsiVolumeConfig_Basic(rName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSStorageGatewayCachedIscsiVolumeExists(resourceName, &storedIscsiVolume),
+ testAccCheckResourceDisappears(testAccProvider, resourceAwsStorageGatewayCachedIscsiVolume(), resourceName),
+ ),
+ ExpectNonEmptyPlan: true,
+ },
+ },
+ })
+}
+
 func testAccCheckAWSStorageGatewayCachedIscsiVolumeExists(resourceName string, cachedIscsiVolume *storagegateway.CachediSCSIVolume) resource.TestCheckFunc {
  return func(s *terraform.State) error {
  rs, ok := s.RootModule().Resources[resourceName]
@@ -347,6 +398,40 @@ resource "aws_storagegateway_cached_iscsi_volume" "test" {
 `, rName))
 }
 
+func testAccAWSStorageGatewayCachedIscsiVolumeConfigKMSEncrypted(rName string) string {
+ return testAccAWSStorageGatewayCachedIscsiVolumeConfigBase(rName) + fmt.Sprintf(`
+ resource "aws_kms_key" "test" {
+ description = "Terraform acc test %[1]s"
+ policy = <<POLICY
+ {
+ "Version": "2012-10-17",
+ "Id": "kms-tf-1",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "kms:*",
+ "Resource": "*"
+ }
+ ]
+ }
+ POLICY
+}
+
+resource "aws_storagegateway_cached_iscsi_volume" "test" {
+ gateway_arn = aws_storagegateway_cache.test.gateway_arn
+ network_interface_id = aws_instance.test.private_ip
+ target_name = %[1]q
+ volume_size_in_bytes = 5368709120
+ kms_encrypted = true
+ kms_key = aws_kms_key.test.arn
+}
+`, rName)
+}
+
 func testAccAWSStorageGatewayCachedIscsiVolumeConfigTags1(rName, tagKey1, tagValue1 string) string {
  return composeConfig(
  testAccAWSStorageGatewayCachedIscsiVolumeConfigBase(rName),

diff --git a/website/docs/r/storagegateway_cached_iscsi_volume.html.markdown b/website/docs/r/storagegateway_cached_iscsi_volume.html.markdown
@@ -63,6 +63,8 @@ The following arguments are supported:
 * `volume_size_in_bytes` - (Required) The size of the volume in bytes.
 * `snapshot_id` - (Optional) The snapshot ID of the snapshot to restore as the new cached volume. e.g. `snap-1122aabb`.
 * `source_volume_arn` - (Optional) The ARN for an existing volume. Specifying this ARN makes the new volume into an exact copy of the specified existing volume's latest recovery point. The `volume_size_in_bytes` value for this new volume must be equal to or larger than the size of the existing volume, in bytes.
+* `kms_encrypted` - (Optional) Set to `true` to use Amazon S3 server side encryption with your own AWS KMS key, or `false` to use a key managed by Amazon S3.
+* `kms_key` - (Optional) The Amazon Resource Name (ARN) of the AWS KMS key used for Amazon S3 server side encryption. Is required when `kms_encrypted` is set.
 * `tags` - (Optional) Key-value map of resource tags
 
 ## Attribute Reference