resource_yandex_kms_secret_ciphertext.go
package yandex
import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
	"time"

	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
	"github.com/yandex-cloud/go-genproto/yandex/cloud/kms/v1"
)
// yandexKMSSecretCiphertextDefaultTimeout bounds each Create/Read/Delete call
// of the yandex_kms_secret_ciphertext resource unless the configuration
// overrides the timeout.
const yandexKMSSecretCiphertextDefaultTimeout = time.Minute
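// resourceYandexKMSSecretCiphertext returns the schema of the
// yandex_kms_secret_ciphertext resource, which encrypts a plaintext with a
// KMS symmetric key once at creation and keeps the resulting ciphertext.
//
// Every input attribute is ForceNew and there is no Update function: any
// change to the key, the plaintext or the AAD context recreates the resource.
func resourceYandexKMSSecretCiphertext() *schema.Resource {
	return &schema.Resource{
		Create: resourceYandexKMSSecretCiphertextCreate,
		Read:   resourceYandexKMSSecretCiphertextRead,
		Delete: resourceYandexKMSSecretCiphertextDelete,

		Timeouts: &schema.ResourceTimeout{
			Create: schema.DefaultTimeout(yandexKMSSecretCiphertextDefaultTimeout),
			Read:   schema.DefaultTimeout(yandexKMSSecretCiphertextDefaultTimeout),
			Delete: schema.DefaultTimeout(yandexKMSSecretCiphertextDefaultTimeout),
		},

		Schema: map[string]*schema.Schema{
			// ID of the KMS symmetric key the plaintext is encrypted with.
			"key_id": {
				Type:     schema.TypeString,
				Required: true,
				ForceNew: true,
			},
			// Passed to KMS as the AAD context of the encrypt call.
			"aad_context": {
				Type:         schema.TypeString,
				ValidateFunc: validation.StringLenBetween(0, 8192),
				ForceNew:     true,
				Optional:     true,
			},
			// The secret to encrypt. Sensitive makes Terraform redact the value
			// in plan/apply output; it is still written to state, so the state
			// backend has to be protected accordingly.
			"plaintext": {
				Type:         schema.TypeString,
				ValidateFunc: validation.StringLenBetween(0, 32768),
				Required:     true,
				ForceNew:     true,
				Sensitive:    true,
			},
			// Base64-encoded ciphertext returned by KMS.
			"ciphertext": {
				Type:     schema.TypeString,
				Computed: true,
			},
		},
	}
}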
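// resourceYandexKMSSecretCiphertextCreate encrypts the configured plaintext
// with the configured KMS symmetric key and stores the base64-encoded
// ciphertext in state. The resource ID is "<key id>/<sha256 hex of the raw
// ciphertext>", so it embeds neither the plaintext nor the ciphertext itself.
//
// Returns an error when the KMS call fails or the computed attribute cannot
// be written; otherwise it delegates to the Read function.
func resourceYandexKMSSecretCiphertextCreate(d *schema.ResourceData, meta interface{}) error {
	config := meta.(*Config)

	ctx, cancel := config.ContextWithTimeout(d.Timeout(schema.TimeoutCreate))
	defer cancel()

	req := &kms.SymmetricEncryptRequest{
		KeyId:      d.Get("key_id").(string),
		Plaintext:  []byte(d.Get("plaintext").(string)),
		AadContext: []byte(d.Get("aad_context").(string)),
	}

	resp, err := config.sdk.KMSCrypto().SymmetricCrypto().Encrypt(ctx, req)
	if err != nil {
		return fmt.Errorf("Error while requesting API to encrypt data with KMS symmetric key: %s", err)
	}

	// d.Set reports a type mismatch or unknown attribute; ignoring it would
	// leave "ciphertext" silently unset in state.
	ciphertext := base64.StdEncoding.EncodeToString(resp.Ciphertext)
	if err := d.Set("ciphertext", ciphertext); err != nil {
		return fmt.Errorf("Error while setting ciphertext: %s", err)
	}

	// sha256.Sum256 yields the same digest as the hash.Hash Write/Sum
	// sequence but cannot fail, so no error branch is needed.
	hashedCiphertext := sha256.Sum256(resp.Ciphertext)
	d.SetId(fmt.Sprintf("%s/%x", resp.KeyId, hashedCiphertext[:]))

	return resourceYandexKMSSecretCiphertextRead(d, meta)
}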
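// resourceYandexKMSSecretCiphertextRead refreshes the resource by checking
// that the KMS symmetric key it references still exists. The ciphertext is
// never re-fetched; only the key lookup is performed. When the key is gone
// the resource ID is cleared so Terraform plans a recreation.
//
// Returns the (possibly translated) error of the key lookup; a nil response
// without an error is treated like a missing key.
func resourceYandexKMSSecretCiphertextRead(d *schema.ResourceData, meta interface{}) error {
	config := meta.(*Config)

	ctx, cancel := config.ContextWithTimeout(d.Timeout(schema.TimeoutRead))
	defer cancel()

	keyID := d.Get("key_id").(string)
	resp, err := config.sdk.KMS().SymmetricKey().Get(ctx, &kms.GetSymmetricKeyRequest{
		KeyId: keyID,
	})
	if err != nil {
		// This is the only error path: the original code had a second
		// `if err != nil` after this return that could never execute.
		// The message names the key, so report the key ID rather than the
		// ciphertext resource ID ("<key id>/<hash>").
		// NOTE(review): handleNotFoundError is defined elsewhere in the
		// provider; presumably it clears the ID on not-found — confirm.
		return handleNotFoundError(err, d, fmt.Sprintf("KMS Symmetric Key %q", keyID))
	}

	if resp == nil {
		// Providers log through the standard log package so that the
		// "[DEBUG]" level prefix is honored by Terraform's log filtering;
		// fmt.Printf wrote to the plugin's stdout instead.
		log.Printf("[DEBUG] Removing yandex_kms_secret_ciphertext because related key no longer exists.")
		d.SetId("")
	}

	return nil
}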
// resourceYandexKMSSecretCiphertextDelete drops the resource from state.
// Creation only performs an encrypt call and keeps the result locally, so
// there is no remote object to remove and no API request is made here.
// meta is unused; it always returns nil.
func resourceYandexKMSSecretCiphertextDelete(d *schema.ResourceData, meta interface{}) error {
	// Clearing the ID is what tells the SDK the resource is gone.
	d.SetId("")
	return nil
}