Added - Support for KMS key Rotation for Block/Boot Volume Backups

Atul Aditya · ravinitp · commit c5558b3fea09 · 2023-07-07T11:13:59.000+05:30
diff --git a/examples/storage/block/volume_backup/volume_backup.tf b/examples/storage/block/volume_backup/volume_backup.tf
@@ -57,6 +57,10 @@ variable "volume_backup_type" {
   default = "FULL"
 }
 
+variable "kms_key_ocid" {
+
+}
+
 provider "oci" {
   tenancy_ocid     = var.tenancy_ocid
   user_ocid        = var.user_ocid
@@ -81,6 +85,17 @@ resource "oci_core_volume_backup" "test_volume_backup" {
   type          = var.volume_backup_type
 }
 
+resource "oci_core_volume_backup" "test_volume_backup_kms_key_id" {
+  #Required
+  volume_id = oci_core_volume.test_volume.id
+
+  #Optional
+  display_name  = var.volume_backup_display_name
+  freeform_tags = var.volume_backup_freeform_tags
+  type          = var.volume_backup_type
+  kms_key_id    = var.kms_key_ocid
+}
+
 resource "oci_core_volume_backup" "test_volume_backup_cross_region_sourced" {
   #Required
   source_details {
diff --git a/internal/integrationtest/core_boot_volume_backup_test.go b/internal/integrationtest/core_boot_volume_backup_test.go
@@ -53,6 +53,7 @@ var (
 		"freeform_tags":  acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
 		"type":           acctest.Representation{RepType: acctest.Optional, Create: `INCREMENTAL`},
 	}
+
 	bootVolumeBackupId, bootVolumeId, instanceId string
 	CoreBootVolumeBackupResourceDependencies     = BootVolumeOptionalResource
 )
@@ -118,6 +119,7 @@ func TestCoreBootVolumeBackupResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "display_name", "displayName"),
 				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 				resource.TestCheckResourceAttr(resourceName, "type", "INCREMENTAL"),
@@ -147,6 +149,7 @@ func TestCoreBootVolumeBackupResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "display_name", "displayName2"),
 				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 				resource.TestCheckResourceAttr(resourceName, "type", "INCREMENTAL"),
@@ -202,7 +205,6 @@ func TestCoreBootVolumeBackupResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(singularDatasourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "id"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "image_id"),
-				resource.TestCheckResourceAttrSet(singularDatasourceName, "kms_key_id"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "size_in_gbs"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "source_type"),
 				resource.TestCheckResourceAttrSet(singularDatasourceName, "state"),
diff --git a/internal/integrationtest/core_volume_backup_test.go b/internal/integrationtest/core_volume_backup_test.go
@@ -56,6 +56,7 @@ var (
 		"defined_tags":  acctest.Representation{RepType: acctest.Optional, Create: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "value")}`, Update: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "updatedValue")}`},
 		"display_name":  acctest.Representation{RepType: acctest.Optional, Create: `displayName`, Update: `displayName2`},
 		"freeform_tags": acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
+		"kms_key_id":    acctest.Representation{RepType: acctest.Optional, Create: `${lookup(data.oci_kms_keys.test_keys_dependency.keys[0], "id")}`},
 		"type":          acctest.Representation{RepType: acctest.Optional, Create: `FULL`},
 	}
 	CoreVolumeBackupWithSourceDetailsRepresentation = map[string]interface{}{
@@ -124,6 +125,7 @@ func TestCoreVolumeBackupResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "display_name", "displayName"),
 				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 				resource.TestCheckResourceAttr(resourceName, "type", "FULL"),
@@ -153,6 +155,7 @@ func TestCoreVolumeBackupResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "display_name", "displayName2"),
 				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
+				resource.TestCheckResourceAttrSet(resourceName, "kms_key_id"),
 				resource.TestCheckResourceAttrSet(resourceName, "state"),
 				resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 				resource.TestCheckResourceAttr(resourceName, "type", "FULL"),
diff --git a/internal/service/core/core_boot_volume_backup_resource.go b/internal/service/core/core_boot_volume_backup_resource.go
@@ -92,6 +92,11 @@ func CoreBootVolumeBackupResource() *schema.Resource {
 				Computed: true,
 				Elem:     schema.TypeString,
 			},
+			"kms_key_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
 			"type": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -108,10 +113,6 @@ func CoreBootVolumeBackupResource() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"kms_key_id": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
 			"size_in_gbs": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -299,6 +300,11 @@ func (s *CoreBootVolumeBackupResourceCrud) createBootVolumeBackup() error {
 		request.FreeformTags = tfresource.ObjectMapToStringMap(freeformTags.(map[string]interface{}))
 	}
 
+	if kmsKeyId, ok := s.D.GetOkExists("kms_key_id"); ok {
+		tmp := kmsKeyId.(string)
+		request.KmsKeyId = &tmp
+	}
+
 	if type_, ok := s.D.GetOkExists("type"); ok {
 		request.Type = oci_core.CreateBootVolumeBackupDetailsTypeEnum(type_.(string))
 	}
@@ -435,6 +441,11 @@ func (s *CoreBootVolumeBackupResourceCrud) Update() error {
 		return nil
 	}
 
+	if kmsKeyId, ok := s.D.GetOkExists("kms_key_id"); ok {
+		tmp := kmsKeyId.(string)
+		request.KmsKeyId = &tmp
+	}
+
 	request.RequestMetadata.RetryPolicy = tfresource.GetRetryPolicy(s.DisableNotFoundRetries, "core")
 
 	response, err := s.Client.UpdateBootVolumeBackup(context.Background(), request)
diff --git a/internal/service/core/core_volume_backup_resource.go b/internal/service/core/core_volume_backup_resource.go
@@ -91,6 +91,11 @@ func CoreVolumeBackupResource() *schema.Resource {
 				Computed: true,
 				Elem:     schema.TypeString,
 			},
+			"kms_key_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
 			"type": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -103,10 +108,6 @@ func CoreVolumeBackupResource() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
-			"kms_key_id": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
 			"size_in_gbs": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -357,6 +358,11 @@ func (s *CoreVolumeBackupResourceCrud) CreateVolumeBackup() error {
 		request.FreeformTags = tfresource.ObjectMapToStringMap(freeformTags.(map[string]interface{}))
 	}
 
+	if kmsKeyId, ok := s.D.GetOkExists("kms_key_id"); ok {
+		tmp := kmsKeyId.(string)
+		request.KmsKeyId = &tmp
+	}
+
 	if type_, ok := s.D.GetOkExists("type"); ok {
 		request.Type = oci_core.CreateVolumeBackupDetailsTypeEnum(type_.(string))
 	}
@@ -423,6 +429,11 @@ func (s *CoreVolumeBackupResourceCrud) Update() error {
 		request.FreeformTags = tfresource.ObjectMapToStringMap(freeformTags.(map[string]interface{}))
 	}
 
+	if kmsKeyId, ok := s.D.GetOkExists("kms_key_id"); ok {
+		tmp := kmsKeyId.(string)
+		request.KmsKeyId = &tmp
+	}
+
 	tmp := s.D.Id()
 	request.VolumeBackupId = &tmp
 
diff --git a/website/docs/r/core_boot_volume_backup.html.markdown b/website/docs/r/core_boot_volume_backup.html.markdown
@@ -29,6 +29,7 @@ resource "oci_core_boot_volume_backup" "test_boot_volume_backup" {
 	defined_tags = {"Operations.CostCenter"= "42"}
 	display_name = var.boot_volume_backup_display_name
 	freeform_tags = {"Department"= "Finance"}
+	kms_key_id = oci_kms_key.test_key.id
 	type = var.boot_volume_backup_type
 }
 ```
@@ -42,6 +43,7 @@ The following arguments are supported:
 * `defined_tags` - (Optional) (Updatable) Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Operations.CostCenter": "42"}` 
 * `display_name` - (Optional) (Updatable) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information. 
 * `freeform_tags` - (Optional) (Updatable) Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Department": "Finance"}` 
+* `kms_key_id` - (Optional) (Updatable) The OCID of the Vault service key which is the master encryption key for the volume backup. For more information about the Vault service and encryption keys, see [Overview of Vault service](https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm) and [Using Keys](https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Tasks/usingkeys.htm). 
 * `type` - (Optional) The type of backup to create. If omitted, defaults to incremental. Supported values are 'FULL' or 'INCREMENTAL'.
 * `source_details` - (Optional) Details of the volume backup source in the cloud. Cannot be defined if `boot_volume_id` is defined.
     * `kms_key_id` - (Optional) The OCID of the KMS key in the destination region which will be the master encryption key for the copied volume backup.
diff --git a/website/docs/r/core_volume_backup.html.markdown b/website/docs/r/core_volume_backup.html.markdown
@@ -29,6 +29,7 @@ resource "oci_core_volume_backup" "test_volume_backup" {
 	defined_tags = {"Operations.CostCenter"= "42"}
 	display_name = var.volume_backup_display_name
 	freeform_tags = {"Department"= "Finance"}
+	kms_key_id = oci_kms_key.test_key.id
 	type = var.volume_backup_type
 }
 ```
@@ -41,6 +42,7 @@ The following arguments are supported:
 * `defined_tags` - (Optional) (Updatable) Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Operations.CostCenter": "42"}` 
 * `display_name` - (Optional) (Updatable) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information. 
 * `freeform_tags` - (Optional) (Updatable) Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see [Resource Tags](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm).  Example: `{"Department": "Finance"}` 
+* `kms_key_id` - (Optional) (Updatable) The OCID of the Vault service key which is the master encryption key for the volume backup. For more information about the Vault service and encryption keys, see [Overview of Vault service](https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm) and [Using Keys](https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Tasks/usingkeys.htm). 
 * `type` - (Optional) The type of backup to create. If omitted, defaults to INCREMENTAL. Supported values are 'FULL' or 'INCREMENTAL'.
 * `volume_id` - (Optional) The OCID of the volume that needs to be backed up.**Note: To create the resource either `volume_id` or `source_details` is required to be set.
 * `source_details` - (Optional) Details of the volume backup source in the cloud.
