feat(kms): add wrapping key resource and datasource

relates to STACKITTPR-416

Author: rubenhoenle

docs/data-sources/kms_wrapping_key.md

@@ -0,0 +1,37 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_kms_wrapping_key Data Source - stackit"
+subcategory: ""
+description: |-
+  KMS wrapping key datasource schema.
+---
+
+# stackit_kms_wrapping_key (Data Source)
+
+KMS wrapping key datasource schema.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `keyring_id` (String) The ID of the associated keyring
+- `project_id` (String) STACKIT project ID to which the keyring is associated.
+- `wrapping_key_id` (String) The ID of the wrapping key
+
+### Optional
+
+- `region` (String) The resource region. If not defined, the provider region is used.
+
+### Read-Only
+
+- `access_scope` (String) The access scope of the key. Default is `PUBLIC`. Possible values are: `PUBLIC`, `SNA`.
+- `algorithm` (String) The wrapping algorithm used to wrap the key to import. Possible values are: `rsa_2048_oaep_sha256`, `rsa_3072_oaep_sha256`, `rsa_4096_oaep_sha256`, `rsa_4096_oaep_sha512`, `rsa_2048_oaep_sha256_aes_256_key_wrap`, `rsa_3072_oaep_sha256_aes_256_key_wrap`, `rsa_4096_oaep_sha256_aes_256_key_wrap`, `rsa_4096_oaep_sha512_aes_256_key_wrap`.
+- `description` (String) A user chosen description to distinguish multiple wrapping keys.
+- `display_name` (String) The display name to distinguish multiple wrapping keys.
+- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`keyring_id`,`wrapping_key_id`".
+- `protection` (String) The underlying system that is responsible for protecting the key material. Possible values are: `software`.
+- `public_key` (String) The public key of the wrapping key.
+- `purpose` (String) The purpose for which the key will be used. Possible values are: `wrap_symmetric_key`, `wrap_asymmetric_key`.

docs/resources/kms_wrapping_key.md

@@ -0,0 +1,37 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_kms_wrapping_key Resource - stackit"
+subcategory: ""
+description: |-
+  KMS wrapping key resource schema.
+---
+
+# stackit_kms_wrapping_key (Resource)
+
+KMS wrapping key resource schema.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `algorithm` (String) The wrapping algorithm used to wrap the key to import. Possible values are: `rsa_2048_oaep_sha256`, `rsa_3072_oaep_sha256`, `rsa_4096_oaep_sha256`, `rsa_4096_oaep_sha512`, `rsa_2048_oaep_sha256_aes_256_key_wrap`, `rsa_3072_oaep_sha256_aes_256_key_wrap`, `rsa_4096_oaep_sha256_aes_256_key_wrap`, `rsa_4096_oaep_sha512_aes_256_key_wrap`.
+- `display_name` (String) The display name to distinguish multiple wrapping keys.
+- `keyring_id` (String) The ID of the associated keyring
+- `project_id` (String) STACKIT project ID to which the keyring is associated.
+- `protection` (String) The underlying system that is responsible for protecting the key material. Possible values are: `software`.
+- `purpose` (String) The purpose for which the key will be used. Possible values are: `wrap_symmetric_key`, `wrap_asymmetric_key`.
+
+### Optional
+
+- `access_scope` (String) The access scope of the key. Default is `PUBLIC`. Possible values are: `PUBLIC`, `SNA`.
+- `description` (String) A user chosen description to distinguish multiple wrapping keys.
+- `region` (String) The resource region. If not defined, the provider region is used.
+
+### Read-Only
+
+- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`,`region`,`keyring_id`,`wrapping_key_id`".
+- `public_key` (String) The public key of the wrapping key.
+- `wrapping_key_id` (String) The ID of the wrapping key

stackit/internal/services/kms/kms_acc_test.go

@@ -0,0 +1,23 @@
+variable "project_id" {}
+
+variable "keyring_display_name" {}
+variable "display_name" {}
+variable "protection" {}
+variable "algorithm" {}
+variable "purpose" {}
+variable "description" {}
+
+resource "stackit_kms_keyring" "keyring" {
+  project_id   = var.project_id
+  display_name = var.keyring_display_name
+}
+
+resource "stackit_kms_wrapping_key" "wrapping_key" {
+  project_id   = var.project_id
+  keyring_id   = stackit_kms_keyring.keyring.keyring_id
+  protection   = var.protection
+  algorithm    = var.algorithm
+  display_name = var.display_name
+  purpose      = var.purpose
+  description  = var.description
+}

stackit/internal/services/kms/testdata/wrapping-key-max.tf

@@ -0,0 +1,21 @@
+variable "project_id" {}
+
+variable "keyring_display_name" {}
+variable "display_name" {}
+variable "protection" {}
+variable "algorithm" {}
+variable "purpose" {}
+
+resource "stackit_kms_keyring" "keyring" {
+  project_id   = var.project_id
+  display_name = var.keyring_display_name
+}
+
+resource "stackit_kms_wrapping_key" "wrapping_key" {
+  project_id   = var.project_id
+  keyring_id   = stackit_kms_keyring.keyring.keyring_id
+  protection   = var.protection
+  algorithm    = var.algorithm
+  display_name = var.display_name
+  purpose      = var.purpose
+}

stackit/internal/services/kms/testdata/wrapping-key-min.tf

@@ -0,0 +1,168 @@
+package kms
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	sdkUtils "github.com/stackitcloud/stackit-sdk-go/core/utils"
+	"github.com/stackitcloud/stackit-sdk-go/services/kms"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
+	kmsUtils "github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/kms/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/utils"
+	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/validate"
+)
+
+var (
+	_ datasource.DataSource = &wrappingKeyDataSource{}
+)
+
+func NewWrappingKeyDataSource() datasource.DataSource {
+	return &wrappingKeyDataSource{}
+}
+
+type wrappingKeyDataSource struct {
+	client       *kms.APIClient
+	providerData core.ProviderData
+}
+
+func (w *wrappingKeyDataSource) Metadata(_ context.Context, request datasource.MetadataRequest, response *datasource.MetadataResponse) {
+	response.TypeName = request.ProviderTypeName + "_kms_wrapping_key"
+}
+
+func (w *wrappingKeyDataSource) Configure(ctx context.Context, request datasource.ConfigureRequest, response *datasource.ConfigureResponse) {
+	var ok bool
+	w.providerData, ok = conversion.ParseProviderData(ctx, request.ProviderData, &response.Diagnostics)
+	if !ok {
+		return
+	}
+
+	apiClient := kmsUtils.ConfigureClient(ctx, &w.providerData, &response.Diagnostics)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	w.client = apiClient
+	tflog.Info(ctx, "Wrapping key configured")
+}
+
+func (w *wrappingKeyDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, response *datasource.SchemaResponse) {
+	response.Schema = schema.Schema{
+		Description: "KMS wrapping key datasource schema.",
+		Attributes: map[string]schema.Attribute{
+			"access_scope": schema.StringAttribute{
+				Description: fmt.Sprintf("The access scope of the key. Default is `%s`. %s", string(kms.ACCESSSCOPE_PUBLIC), utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(kms.AllowedAccessScopeEnumValues)...)),
+				Computed:    true,
+			},
+			"algorithm": schema.StringAttribute{
+				Description: fmt.Sprintf("The wrapping algorithm used to wrap the key to import. %s", utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(kms.AllowedWrappingAlgorithmEnumValues)...)),
+				Computed:    true,
+			},
+			"description": schema.StringAttribute{
+				Description: "A user chosen description to distinguish multiple wrapping keys.",
+				Computed:    true,
+			},
+			"display_name": schema.StringAttribute{
+				Description: "The display name to distinguish multiple wrapping keys.",
+				Computed:    true,
+			},
+			"id": schema.StringAttribute{
+				Description: "Terraform's internal resource ID. It is structured as \"`project_id`,`region`,`keyring_id`,`wrapping_key_id`\".",
+				Computed:    true,
+			},
+			"keyring_id": schema.StringAttribute{
+				Description: "The ID of the associated keyring",
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"protection": schema.StringAttribute{
+				Description: fmt.Sprintf("The underlying system that is responsible for protecting the key material. %s", utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(kms.AllowedProtectionEnumValues)...)),
+				Computed:    true,
+			},
+			"purpose": schema.StringAttribute{
+				Description: fmt.Sprintf("The purpose for which the key will be used. %s", utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(kms.AllowedWrappingPurposeEnumValues)...)),
+				Computed:    true,
+			},
+			"project_id": schema.StringAttribute{
+				Description: "STACKIT project ID to which the keyring is associated.",
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"region": schema.StringAttribute{
+				Optional:    true,
+				Computed:    true,
+				Description: "The resource region. If not defined, the provider region is used.",
+			},
+			"wrapping_key_id": schema.StringAttribute{
+				Description: "The ID of the wrapping key",
+				Required:    true,
+				Validators: []validator.String{
+					validate.UUID(),
+					validate.NoSeparator(),
+				},
+			},
+			"public_key": schema.StringAttribute{
+				Description: "The public key of the wrapping key.",
+				Computed:    true,
+			},
+		},
+	}
+}
+
+func (w *wrappingKeyDataSource) Read(ctx context.Context, request datasource.ReadRequest, response *datasource.ReadResponse) { // nolint:gocritic // function signature required by Terraform
+	var model Model
+	diags := request.Config.Get(ctx, &model)
+	response.Diagnostics.Append(diags...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	projectId := model.ProjectId.ValueString()
+	keyRingId := model.KeyRingId.ValueString()
+	region := w.providerData.GetRegionWithOverride(model.Region)
+	wrappingKeyId := model.WrappingKeyId.ValueString()
+
+	ctx = tflog.SetField(ctx, "keyring_id", keyRingId)
+	ctx = tflog.SetField(ctx, "project_id", projectId)
+	ctx = tflog.SetField(ctx, "region", region)
+	ctx = tflog.SetField(ctx, "wrapping_key_id", wrappingKeyId)
+
+	wrappingKeyResponse, err := w.client.GetWrappingKey(ctx, projectId, region, keyRingId, wrappingKeyId).Execute()
+	if err != nil {
+		utils.LogError(
+			ctx,
+			&response.Diagnostics,
+			err,
+			"Reading wrapping key",
+			fmt.Sprintf("Wrapping key with ID %q does not exist in project %q.", wrappingKeyId, projectId),
+			map[int]string{
+				http.StatusForbidden: fmt.Sprintf("Project with ID %q not found or forbidden access", projectId),
+			},
+		)
+		response.State.RemoveResource(ctx)
+		return
+	}
+
+	err = mapFields(wrappingKeyResponse, &model, region)
+	if err != nil {
+		core.LogAndAddError(ctx, &response.Diagnostics, "Error reading wrapping key", fmt.Sprintf("Processing API payload: %v", err))
+		return
+	}
+	diags = response.State.Set(ctx, model)
+	response.Diagnostics.Append(diags...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+	tflog.Info(ctx, "Wrapping key read")
+}