hashicorp · ewbankkit · Jan 2, 2024 · Dec 25, 2023 · Dec 25, 2023 · Dec 25, 2023
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_prometheus_workspace: Add `kms_key_arn` argument, enabling encryption at-rest using AWS KMS Customer Managed Keys (CMK)
+```
+
+```release-note:enhancement
+data-source/aws_prometheus_workspace: Add `kms_key_arn` attribute 
+```
@@ -51,6 +51,12 @@ func ResourceWorkspace() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"kms_key_arn": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: verify.ValidARN,
+			},
 			"logging_configuration": {
 				Type:     schema.TypeList,
 				MaxItems: 1,
@@ -88,6 +94,10 @@ func resourceWorkspaceCreate(ctx context.Context, d *schema.ResourceData, meta i
 		input.Alias = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("kms_key_arn"); ok {
+		input.KmsKeyArn = aws.String(v.(string))
+	}
+
 	result, err := conn.CreateWorkspaceWithContext(ctx, input)
 
 	if err != nil {
@@ -141,6 +151,7 @@ func resourceWorkspaceRead(ctx context.Context, d *schema.ResourceData, meta int
 	d.Set("alias", ws.Alias)
 	arn := aws.StringValue(ws.Arn)
 	d.Set("arn", arn)
+	d.Set("kms_key_arn", ws.KmsKeyArn)
 	d.Set("prometheus_endpoint", ws.PrometheusEndpoint)
 
 	loggingConfiguration, err := FindLoggingConfigurationByWorkspaceID(ctx, conn, d.Id())

@@ -32,6 +32,10 @@ func DataSourceWorkspace() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"kms_key_arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"prometheus_endpoint": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -67,6 +71,7 @@ func dataSourceWorkspaceRead(ctx context.Context, d *schema.ResourceData, meta i
 	d.Set("alias", workspace.Alias)
 	d.Set("arn", workspace.Arn)
 	d.Set("created_date", workspace.CreatedAt.Format(time.RFC3339))
+	d.Set("kms_key_arn", workspace.KmsKeyArn)
 	d.Set("prometheus_endpoint", workspace.PrometheusEndpoint)
 	d.Set("status", workspace.Status.StatusCode)
 

@@ -34,6 +34,7 @@ func TestAccAMPWorkspaceDataSource_basic(t *testing.T) {
 					resource.TestCheckResourceAttrPair(resourceName, "alias", dataSourceName, "alias"),
 					resource.TestCheckResourceAttrPair(resourceName, "arn", dataSourceName, "arn"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "created_date"),
+					resource.TestCheckResourceAttrPair(resourceName, "kms_key_arn", dataSourceName, "kms_key_arn"),
 					resource.TestCheckResourceAttrPair(resourceName, "prometheus_endpoint", dataSourceName, "prometheus_endpoint"),
 					resource.TestCheckResourceAttrSet(dataSourceName, "status"),
 					resource.TestCheckResourceAttrPair(resourceName, "tags.%", dataSourceName, "tags.%"),

@@ -39,6 +39,7 @@ func TestAccAMPWorkspace_basic(t *testing.T) {
 					testAccCheckWorkspaceExists(ctx, resourceName, &v),
 					resource.TestCheckResourceAttr(resourceName, "alias", ""),
 					resource.TestCheckResourceAttrSet(resourceName, "arn"),
+					resource.TestCheckResourceAttr(resourceName, "kms_key_arn", ""),
 					resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", "0"),
 					resource.TestCheckResourceAttrSet(resourceName, "prometheus_endpoint"),
 					resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
@@ -79,6 +80,32 @@ func TestAccAMPWorkspace_disappears(t *testing.T) {
 	})
 }
 
+func TestAccAMPWorkspace_kms(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v prometheusservice.WorkspaceDescription
+	rName1 := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_prometheus_workspace.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			acctest.PreCheckPartitionHasService(t, prometheusservice.EndpointsID)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, prometheusservice.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckWorkspaceDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWorkspaceConfig_kms(rName1),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWorkspaceExists(ctx, resourceName, &v),
+					resource.TestCheckResourceAttrSet(resourceName, "kms_key_arn"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAMPWorkspace_tags(t *testing.T) {
 	ctx := acctest.Context(t)
 	var v prometheusservice.WorkspaceDescription
@@ -353,3 +380,17 @@ resource "aws_prometheus_workspace" "test" {
 }
 `, rName, idx)
 }
+
+func testAccWorkspaceConfig_kms(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_prometheus_workspace" "test" {
+  alias       = %[1]q
+  kms_key_arn = aws_kms_key.test.arn
+}
+
+resource "aws_kms_key" "test" {
+  description             = "Test"
+  deletion_window_in_days = 7
+}
+`, rName)
+}
@@ -34,5 +34,6 @@ This data source exports the following attributes in addition to the arguments a
 * `created_date` - Creation date of the Prometheus workspace.
 * `prometheus_endpoint` - Endpoint of the Prometheus workspace.
 * `alias` - Prometheus workspace alias.
+* `kms_key_arn` - ARN of the KMS key used to encrypt data in the Prometheus workspace.
 * `status` - Status of the Prometheus workspace.
 * `tags` - Tags assigned to the resource.
@@ -36,11 +36,26 @@ resource "aws_prometheus_workspace" "example" {
 }
 ```
 
+### AWS KMS Customer Managed Keys (CMK)
+
+```terraform
+resource "aws_prometheus_workspace" "example" {
+  alias       = "example"
+  kms_key_arn = aws_kms_key.example.arn
+}
+
+resource "aws_kms_key" "example" {
+  description             = "example"
+  deletion_window_in_days = 7
+}
+```
+
 ## Argument Reference
 
 This resource supports the following arguments:
 
 * `alias` - (Optional) The alias of the prometheus workspace. See more [in AWS Docs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-onboard-create-workspace.html).
+* `kms_key_arn` - (Optional) The ARN for the KMS encryption key. If this argument is not provided, then the AWS owned encryption key will be used to encrypt the data in the workspace. See more [in AWS Docs](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html)
 * `logging_configuration` - (Optional) Logging configuration for the workspace. See [Logging Configuration](#logging-configuration) below for details.
 * `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.