aws_kms_ciphertext into new resource keeping datasource

aws/provider.go

@@ -523,6 +523,7 @@ func Provider() terraform.ResourceProvider {
  "aws_kms_alias": resourceAwsKmsAlias(),
  "aws_kms_grant": resourceAwsKmsGrant(),
  "aws_kms_key": resourceAwsKmsKey(),
+ "aws_kms_ciphertext": resourceAwsKmsCiphertext(),
  "aws_lambda_function": resourceAwsLambdaFunction(),
  "aws_lambda_event_source_mapping": resourceAwsLambdaEventSourceMapping(),
  "aws_lambda_alias": resourceAwsLambdaAlias(),

aws/resource_aws_kms_ciphertext.go

@@ -0,0 +1,86 @@
+package aws
+
+import (
+ "encoding/base64"
+ "log"
+ "time"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/kms"
+ "github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsKmsCiphertext() *schema.Resource {
+
+ return &schema.Resource{
+ Create: resourceAwsKmsCiphertextCreate,
+ Read: resourceAwsKmsCiphertextRead,
+ Delete: resourceAwsKmsCiphertextDelete,
+
+ Schema: map[string]*schema.Schema{
+ "plaintext": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ Sensitive: true,
+ },
+
+ "key_id": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+
+ "context": {
+ Type: schema.TypeMap,
+ Optional: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ ForceNew: true,
+ },
+
+ "ciphertext_blob": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ }
+}
+
+func resourceAwsKmsCiphertextCreate(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).kmsconn
+
+ d.SetId(time.Now().UTC().String())
+
+ req := &kms.EncryptInput{
+ KeyId: aws.String(d.Get("key_id").(string)),
+ Plaintext: []byte(d.Get("plaintext").(string)),
+ }
+
+ if ec := d.Get("context"); ec != nil {
+ req.EncryptionContext = stringMapToPointers(ec.(map[string]interface{}))
+ }
+
+ log.Printf("[DEBUG] KMS encrypt for key: %s", d.Get("key_id").(string))
+ resp, err := conn.Encrypt(req)
+ if err != nil {
+ return err
+ }
+
+ d.Set("ciphertext_blob", base64.StdEncoding.EncodeToString(resp.CiphertextBlob))
+
+ return nil
+}
+
+func resourceAwsKmsCiphertextDelete(d *schema.ResourceData, meta interface{}) error {
+ d.SetId("")
+ return nil
+}
+
+func resourceAwsKmsCiphertextRead(d *schema.ResourceData, meta interface{}) error {
+ // If the input has changed, generate a new ciphertext_blob
+ // This should never be the case since ForceNew set on all input.
+ if d.HasChange("plaintext") || d.HasChange("key_id") || d.HasChange("context") {
+ return resourceAwsKmsCiphertextCreate(d, meta)
+ }
+ return nil
+}

aws/resource_aws_kms_ciphertext_test.go

@@ -0,0 +1,136 @@
+package aws
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccResourceAwsKmsCiphertext_basic(t *testing.T) {
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccResourceAwsKmsCiphertextConfig_basic,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttrSet(
+ "aws_kms_ciphertext.foo", "ciphertext_blob"),
+ ),
+ },
+ },
+ })
+}
+
+func TestAccResourceAwsKmsCiphertext_validate(t *testing.T) {
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccResourceAwsKmsCiphertextConfig_validate,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttrSet(
+ "aws_kms_ciphertext.foo", "ciphertext_blob"),
+ resource.TestCheckResourceAttrSet(
+ "data.aws_kms_secret.foo", "plaintext"),
+ resource.TestCheckResourceAttr(
+ "data.aws_kms_secret.foo", "plaintext", "Super secret data"),
+ ),
+ },
+ },
+ })
+}
+
+func TestAccResourceAwsKmsCiphertext_validate_withContext(t *testing.T) {
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccResourceAwsKmsCiphertextConfig_validate_withContext,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttrSet(
+ "aws_kms_ciphertext.foo", "ciphertext_blob"),
+ resource.TestCheckResourceAttrSet(
+ "aws_kms_secret.foo", "plaintext"),
+ resource.TestCheckResourceAttr(
+ "aws_kms_secret.foo", "plaintext", "Super secret data"),
+ ),
+ },
+ },
+ })
+}
+
+const testAccResourceAwsKmsCiphertextConfig_basic = `
+provider "aws" {
+ region = "us-west-2"
+}
+
+resource "aws_kms_key" "foo" {
+ description = "tf-test-acc-data-source-aws-kms-ciphertext-basic"
+ is_enabled = true
+}
+
+data "aws_kms_ciphertext" "foo" {
+ key_id = "${aws_kms_key.foo.key_id}"
+
+ plaintext = "Super secret data"
+}
+`
+
+const testAccResourceAwsKmsCiphertextConfig_validate = `
+provider "aws" {
+ region = "us-west-2"
+}
+
+resource "aws_kms_key" "foo" {
+ description = "tf-test-acc-data-source-aws-kms-ciphertext-validate"
+ is_enabled = true
+}
+
+data "aws_kms_ciphertext" "foo" {
+ key_id = "${aws_kms_key.foo.key_id}"
+
+ plaintext = "Super secret data"
+}
+
+data "aws_kms_secret" "foo" {
+ secret {
+ name = "plaintext"
+ payload = "${aws_kms_ciphertext.foo.ciphertext_blob}"
+ }
+}
+`
+
+const testAccResourceAwsKmsCiphertextConfig_validate_withContext = `
+provider "aws" {
+ region = "us-west-2"
+}
+
+resource "aws_kms_key" "foo" {
+ description = "tf-test-acc-data-source-aws-kms-ciphertext-validate-with-context"
+ is_enabled = true
+}
+
+data "aws_kms_ciphertext" "foo" {
+ key_id = "${aws_kms_key.foo.key_id}"
+
+ plaintext = "Super secret data"
+
+ context {
+ name = "value"
+ }
+}
+
+data "aws_kms_secret" "foo" {
+ secret {
+ name = "plaintext"
+ payload = "${aws_kms_ciphertext.foo.ciphertext_blob}"
+
+ context {
+ name = "value"
+ }
+ }
+}
+`

website/aws.erb

@@ -1637,6 +1637,10 @@
  <a href="/docs/providers/aws/r/kms_grant.html">aws_kms_grant</a>
  </li>
 
+ <li<%= sidebar_current("docs-aws-resource-kms-ciphertext") %>>
+ <a href="/docs/providers/aws/r/kms_ciphertext.html">aws_kms_ciphertext</a>
+ </li>
+
  <li<%= sidebar_current("docs-aws-resource-kms-key") %>>
  <a href="/docs/providers/aws/r/kms_key.html">aws_kms_key</a>
  </li>

website/docs/r/kms_ciphertext.html.markdown

@@ -0,0 +1,49 @@
+---
+layout: "aws"
+page_title: "AWS: aws_kms_ciphertext"
+sidebar_current: "docs-aws-resource-kms-ciphertext"
+description: |-
+ Provides ciphertext encrypted using a KMS key
+---
+
+# Resource: aws_kms_ciphertext
+
+The KMS ciphertext resource allows you to encrypt plaintext into ciphertext
+by using an AWS KMS customer master key.
+
+~> **Note:** All arguments including the plaintext be stored in the raw state as plain-text.
+[Read more about sensitive data in state](/docs/state/sensitive-data.html).
+
+## Example Usage
+
+```hcl
+resource "aws_kms_key" "oauth_config" {
+ description = "oauth config"
+ is_enabled = true
+}
+
+resource "aws_kms_ciphertext" "oauth" {
+ key_id = "${aws_kms_key.oauth_config.key_id}"
+
+ plaintext = <<EOF
+{
+ "client_id": "e587dbae22222f55da22",
+ "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
+}
+EOF
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `plaintext` - (Required) Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
+* `key_id` - (Required) Globally unique key ID for the customer master key.
+* `context` - (Optional) An optional mapping that makes up the encryption context.
+
+## Attributes Reference
+
+All of the argument attributes are also exported as result attributes.
+
+* `ciphertext_blob` - Base64 encoded ciphertext