modify description of is_enabled and is_archived, add keyState check before update keyState

ChrisdeR · ChrisdeR · commit c136548d2873 · 2021-03-19T12:25:45.000+08:00
diff --git a/tencentcloud/resource_tc_kms_external_key.go b/tencentcloud/resource_tc_kms_external_key.go
@@ -41,7 +41,7 @@ func resourceTencentCloudKmsExternalKey() *schema.Resource {
 			Type:        schema.TypeString,
 			Optional:    true,
 			Default:     KMS_WRAPPING_ALGORITHM_RSAES_PKCS1_V1_5,
-			Description: "The algorithm for encrypting key material. Available values include `RSAES_PKCS1_V1_5`, `RSAES_OAEP_SHA_1` and `RSAES_OAEP_SHA_256`.",
+			Description: "The algorithm for encrypting key material. Available values include `RSAES_PKCS1_V1_5`, `RSAES_OAEP_SHA_1` and `RSAES_OAEP_SHA_256`. Default value is `RSAES_PKCS1_V1_5`.",
 		},
 		"key_material_base64": {
 			Type:        schema.TypeString,
@@ -274,21 +274,37 @@ func resourceTencentCloudKmsExternalKeyUpdate(d *schema.ResourceData, meta inter
 		}
 	}
 
-	if isArchived, ok := d.GetOk("is_archived"); ok {
-		err := updateIsArchived(ctx, kmsService, keyId, isArchived.(bool))
-		if err != nil {
-			log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
-			return err
+	var key *kms.KeyMetadata
+	err := resource.Retry(readRetryTimeout, func() *resource.RetryError {
+		result, e := kmsService.DescribeKeyById(ctx, keyId)
+		if e != nil {
+			return retryError(e)
 		}
-		d.SetPartial("is_archived")
-	} else {
-		isEnabled := d.Get("is_enabled").(bool)
-		err := updateIsEnabled(ctx, kmsService, keyId, isEnabled)
-		if err != nil {
-			log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
-			return err
+		key = result
+		return nil
+	})
+	if err != nil {
+		log.Printf("[CRITAL]%s read KMS external key failed, reason:%+v", logId, err)
+		return err
+	}
+
+	if *key.KeyState == KMS_KEY_STATE_ENABLED || *key.KeyState == KMS_KEY_STATE_DISABLED || *key.KeyState == KMS_KEY_STATE_ARCHIVED {
+		if isArchived, ok := d.GetOk("is_archived"); ok {
+			err := updateIsArchived(ctx, kmsService, keyId, isArchived.(bool))
+			if err != nil {
+				log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
+				return err
+			}
+			d.SetPartial("is_archived")
+		} else {
+			isEnabled := d.Get("is_enabled").(bool)
+			err := updateIsEnabled(ctx, kmsService, keyId, isEnabled)
+			if err != nil {
+				log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
+				return err
+			}
+			d.SetPartial("is_enabled")
 		}
-		d.SetPartial("is_enabled")
 	}
 
 	if d.HasChange("tags") {
@@ -367,11 +383,11 @@ func updateKeyMaterial(ctx context.Context, kmsService KmsService, d *schema.Res
 	param["key_id"] = d.Id()
 	param["algorithm"] = d.Get("wrapping_algorithm").(string)
 	param["key_spec"] = KMS_WRAPPING_KEY_SPEC_RSA_2048
-	param["key_material_base64"] = d.Get("key_material_base64")
+	param["key_material_base64"] = d.Get("key_material_base64").(string)
 	param["valid_to"] = d.Get("valid_to").(int)
 
 	var err error
-	if param["key_material_base64"] == "" {
+	if d.HasChange("key_material_base64") && param["key_material_base64"] == "" {
 		err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
 			e := kmsService.DeleteImportKeyMaterial(ctx, d.Id())
 			if e != nil {
diff --git a/tencentcloud/resource_tc_kms_external_key_test.go b/tencentcloud/resource_tc_kms_external_key_test.go
@@ -21,10 +21,19 @@ func TestAccKmsExternalKey_basic(t *testing.T) {
 				Config: testAccKmsExternalKey_basic(rName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckKmsKeyExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "is_enabled", "true"),
+					resource.TestCheckResourceAttrSet(resourceName, "alias"),
+					resource.TestCheckResourceAttrSet(resourceName, "description"),
+					resource.TestCheckResourceAttr(resourceName, "key_state", "PendingImport"),
 					resource.TestCheckResourceAttr(resourceName, "tags.test-tag", "unit-test"),
 				),
 			},
+			{
+				Config: testAccKmsExternalKey_import(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckKmsKeyExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "key_state", "Enabled"),
+				),
+			},
 			{
 				Config: testAccKmsExternalKey_disabled(rName),
 				Check: resource.ComposeTestCheckFunc(
@@ -47,9 +56,22 @@ func testAccKmsExternalKey_basic(rName string) string {
 resource "tencentcloud_kms_external_key" "test" {
 	alias = %[1]q
 	description = %[1]q
+
+	tags = {
+    "test-tag" = "unit-test"
+  }
+}
+`, rName)
+}
+
+func testAccKmsExternalKey_import(rName string) string {
+	return fmt.Sprintf(`
+resource "tencentcloud_kms_external_key" "test" {
+ 	alias = %[1]q
+	description = %[1]q
 	wrapping_algorithm = "RSAES_PKCS1_V1_5"
 	key_material_base64 = "MTIzMTIzMTIzMTIzMTIzQQ=="
-	is_enabled = true
+  	is_enabled = true
 
 	tags = {
     "test-tag" = "unit-test"
diff --git a/tencentcloud/resource_tc_kms_key.go b/tencentcloud/resource_tc_kms_key.go
@@ -53,13 +53,13 @@ func TencentKmsBasicInfo() map[string]*schema.Schema {
 			Type:          schema.TypeBool,
 			Optional:      true,
 			ConflictsWith: []string{"is_archived"},
-			Description:   "Specify whether to enable key. Default value is `false`.",
+			Description:   "Specify whether to enable key. Default value is `false`. This field is conflict with `is_archived`, valid when key_state is `Enabled`, `Disabled`, `Archived`.",
 		},
 		"is_archived": {
 			Type:          schema.TypeBool,
 			Optional:      true,
 			ConflictsWith: []string{"is_enabled"},
-			Description:   "Specify whether to archive key. Default value is `false`.",
+			Description:   "Specify whether to archive key. Default value is `false`. This field is conflict with `is_enabled`, valid when key_state is `Enabled`, `Disabled`, `Archived`.",
 		},
 		"pending_delete_window_in_days": {
 			Type:        schema.TypeInt,
@@ -164,17 +164,19 @@ func resourceTencentCloudKmsKeyCreate(d *schema.ResourceData, meta interface{})
 		}
 	}
 
-	if keyRotationEnabled := d.Get("key_rotation_enabled").(bool); keyRotationEnabled {
-		err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-			e := kmsService.EnableKeyRotation(ctx, d.Id())
-			if e != nil {
-				return retryError(e)
+	if keyUsage == KMS_KEY_USAGE_ENCRYPT_DECRYPT {
+		if keyRotationEnabled := d.Get("key_rotation_enabled").(bool); keyRotationEnabled {
+			err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
+				e := kmsService.EnableKeyRotation(ctx, d.Id())
+				if e != nil {
+					return retryError(e)
+				}
+				return nil
+			})
+			if err != nil {
+				log.Printf("[CRITAL]%s modify KMS key rotation status failed, reason:%+v", logId, err)
+				return err
 			}
-			return nil
-		})
-		if err != nil {
-			log.Printf("[CRITAL]%s modify KMS key rotation status failed, reason:%+v", logId, err)
-			return err
 		}
 	}
 
@@ -299,31 +301,35 @@ func resourceTencentCloudKmsKeyUpdate(d *schema.ResourceData, meta interface{})
 		d.SetPartial("alias")
 	}
 
-	if isArchived, ok := d.GetOk("is_archived"); ok {
-		err := updateIsArchived(ctx, kmsService, keyId, isArchived.(bool))
-		if err != nil {
-			log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
-			return err
-		}
-		d.SetPartial("is_archived")
-	} else {
-		isEnabled := d.Get("is_enabled").(bool)
-		err := updateIsEnabled(ctx, kmsService, keyId, isEnabled)
-		if err != nil {
-			log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
-			return err
+	if keyState := d.Get("key_state").(string); keyState == KMS_KEY_STATE_ENABLED || keyState == KMS_KEY_STATE_DISABLED || keyState == KMS_KEY_STATE_ARCHIVED {
+		if isArchived, ok := d.GetOk("is_archived"); ok {
+			err := updateIsArchived(ctx, kmsService, keyId, isArchived.(bool))
+			if err != nil {
+				log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
+				return err
+			}
+			d.SetPartial("is_archived")
+		} else {
+			isEnabled := d.Get("is_enabled").(bool)
+			err := updateIsEnabled(ctx, kmsService, keyId, isEnabled)
+			if err != nil {
+				log.Printf("[CRITAL]%s modify key state failed, reason:%+v", logId, err)
+				return err
+			}
+			d.SetPartial("is_enabled")
 		}
-		d.SetPartial("is_enabled")
 	}
 
-	if d.HasChange("key_rotation_enabled") {
-		keyRotationEnabled := d.Get("key_rotation_enabled").(bool)
-		err := updateKeyRotationStatus(ctx, kmsService, keyId, keyRotationEnabled)
-		if err != nil {
-			log.Printf("[CRITAL]%s modify KMS key rotation status failed, reason:%+v", logId, err)
-			return err
+	if v := d.Get("key_usage").(string); v == KMS_KEY_USAGE_ENCRYPT_DECRYPT {
+		if d.HasChange("key_rotation_enabled") {
+			keyRotationEnabled := d.Get("key_rotation_enabled").(bool)
+			err := updateKeyRotationStatus(ctx, kmsService, keyId, keyRotationEnabled)
+			if err != nil {
+				log.Printf("[CRITAL]%s modify KMS key rotation status failed, reason:%+v", logId, err)
+				return err
+			}
+			d.SetPartial("key_rotation_enabled")
 		}
-		d.SetPartial("key_rotation_enabled")
 	}
 
 	if d.HasChange("tags") {
diff --git a/website/docs/r/kms_external_key.html.markdown b/website/docs/r/kms_external_key.html.markdown
@@ -30,13 +30,13 @@ The following arguments are supported:
 
 * `alias` - (Required) Name of CMK. The name can only contain English letters, numbers, underscore and hyphen '-'. The first character must be a letter or number.
 * `description` - (Optional) Description of CMK. The maximum is 1024 bytes.
-* `is_archived` - (Optional) Specify whether to archive key. Default value is `false`.
-* `is_enabled` - (Optional) Specify whether to enable key. Default value is `false`.
+* `is_archived` - (Optional) Specify whether to archive key. Default value is `false`. This field is conflict with `is_enabled`, valid when key_state is `Enabled`, `Disabled`, `Archived`.
+* `is_enabled` - (Optional) Specify whether to enable key. Default value is `false`. This field is conflict with `is_archived`, valid when key_state is `Enabled`, `Disabled`, `Archived`.
 * `key_material_base64` - (Optional) The base64-encoded key material encrypted with the public_key. For regions using the national secret version, the length of the imported key material is required to be 128 bits, and for regions using the FIPS version, the length of the imported key material is required to be 256 bits.
 * `pending_delete_window_in_days` - (Optional) Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 7 days.
 * `tags` - (Optional) Tags of CMK.
 * `valid_to` - (Optional) This value means the effective timestamp of the key material, 0 means it does not expire. Need to be greater than the current timestamp, the maximum support is 2147443200.
-* `wrapping_algorithm` - (Optional) The algorithm for encrypting key material. Available values include `RSAES_PKCS1_V1_5`, `RSAES_OAEP_SHA_1` and `RSAES_OAEP_SHA_256`.
+* `wrapping_algorithm` - (Optional) The algorithm for encrypting key material. Available values include `RSAES_PKCS1_V1_5`, `RSAES_OAEP_SHA_1` and `RSAES_OAEP_SHA_256`. Default value is `RSAES_PKCS1_V1_5`.
 
 ## Attributes Reference
 
diff --git a/website/docs/r/kms_key.html.markdown b/website/docs/r/kms_key.html.markdown
@@ -32,8 +32,8 @@ The following arguments are supported:
 
 * `alias` - (Required) Name of CMK. The name can only contain English letters, numbers, underscore and hyphen '-'. The first character must be a letter or number.
 * `description` - (Optional) Description of CMK. The maximum is 1024 bytes.
-* `is_archived` - (Optional) Specify whether to archive key. Default value is `false`.
-* `is_enabled` - (Optional) Specify whether to enable key. Default value is `false`.
+* `is_archived` - (Optional) Specify whether to archive key. Default value is `false`. This field is conflict with `is_enabled`, valid when key_state is `Enabled`, `Disabled`, `Archived`.
+* `is_enabled` - (Optional) Specify whether to enable key. Default value is `false`. This field is conflict with `is_archived`, valid when key_state is `Enabled`, `Disabled`, `Archived`.
 * `key_rotation_enabled` - (Optional) Specify whether to enable key rotation, valid when key_usage is `ENCRYPT_DECRYPT`. Default value is `false`.
 * `key_usage` - (Optional, ForceNew) Usage of CMK. Available values include `ENCRYPT_DECRYPT`, `ASYMMETRIC_DECRYPT_RSA_2048`, `ASYMMETRIC_DECRYPT_SM2`, `ASYMMETRIC_SIGN_VERIFY_SM2`, `ASYMMETRIC_SIGN_VERIFY_RSA_2048`, `ASYMMETRIC_SIGN_VERIFY_ECC`. Default value is `ENCRYPT_DECRYPT`.
 * `pending_delete_window_in_days` - (Optional) Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 7 days.
