add kms interface (#1949)

* add kms interface

* add kms interfac

* 1.modify doc
2.modify logic.

* 1.add changelog.
2.rm import

---------

Co-authored-by: qiqiwwang <qiqiwwang@tencent.com>
Co-authored-by: nickyinluo <nickyinluo@tencent.com>

Author: 3 people

.changelog/1949.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+tencentcloud_kubernetes_encryption_protection
+```

go.mod

@@ -84,7 +84,7 @@ require (
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tdmq v1.0.691
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.529
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.644
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.691
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tse v1.0.650
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tsf v1.0.674
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vod v1.0.199

go.sum

@@ -832,7 +832,6 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.627/go.mod
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.628/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.633/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.634/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.644/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.650/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.651/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.652/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
@@ -940,8 +939,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578 h1:vBpQhUr
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578/go.mod h1:UlojGQh/9wb7/uXPNi7PvMral1CNAskVDNgqJEV83l0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.529 h1:vWUgseUvHs1fW/Ok+x3ld9UIhrYRNO9Yr8ccX8wmkkY=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.529/go.mod h1:vOd23iOVeQqm5LSEXUmE8773kiUCwGuoJnTO0po5D+Q=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.644 h1:iyS55TcFRybmnn1SHR7HgLcdaSsxFmY+T1WORE0Znww=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.644/go.mod h1:xJIrKYqmsIFTUovx1cwuH8GGu2arW5CDFvM6eqQGf7Q=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.691 h1:D+a7bZnjLoqPAAHSPCOmil4eigXnGPkR1R5G3ybT/+c=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.691/go.mod h1:hsc/CPzbCRXqblCYuE1HuvP3G06OWA9zhAGI6AtEe5U=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tse v1.0.650 h1:gQFdOULR78GKaUwPkHnupLTZO5Z3STZ1xSp/83xZMnA=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tse v1.0.650/go.mod h1:cNgQjHihEHq9Z2n6sSe/l7gG6pf7nhWue7e+Iu+wQCc=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tsf v1.0.674 h1:VsMV1/vsgVzespG7jUzraZS/AbAUllVQjmtVAlA9W/M=

tencentcloud/provider.go

@@ -551,6 +551,7 @@ Tencent Kubernetes Engine(TKE)
 	tencentcloud_kubernetes_node_pool
 	tencentcloud_kubernetes_serverless_node_pool
     tencentcloud_kubernetes_backup_storage_location
+    tencentcloud_kubernetes_encryption_protection
     tencentcloud_kubernetes_auth_attachment
     tencentcloud_kubernetes_addon_attachment
 	tencentcloud_kubernetes_cluster_endpoint
@@ -2317,6 +2318,7 @@ func Provider() *schema.Provider {
 			"tencentcloud_kubernetes_node_pool":                                resourceTencentCloudKubernetesNodePool(),
 			"tencentcloud_kubernetes_serverless_node_pool":                     resourceTkeServerLessNodePool(),
 			"tencentcloud_kubernetes_backup_storage_location":                  resourceTencentCloudTkeBackupStorageLocation(),
+			"tencentcloud_kubernetes_encryption_protection":                    resourceTencentCloudTkeEncryptionProtection(),
 			"tencentcloud_mysql_backup_policy":                                 resourceTencentCloudMysqlBackupPolicy(),
 			"tencentcloud_mysql_account":                                       resourceTencentCloudMysqlAccount(),
 			"tencentcloud_mysql_account_privilege":                             resourceTencentCloudMysqlAccountPrivilege(),

tencentcloud/resource_tc_kubernetes_cluster.go

@@ -934,8 +934,7 @@ func resourceTencentCloudTkeCluster() *schema.Resource {
 		"cluster_version": {
 			Type:        schema.TypeString,
 			Optional:    true,
-			Default:     "1.10.5",
-			Description: "Version of the cluster, Default is '1.10.5'. Use `tencentcloud_kubernetes_available_cluster_versions` to get the available versions.",
+			Description: "Version of the cluster. Use `tencentcloud_kubernetes_available_cluster_versions` to get the upgradable cluster version.",
 		},
 		"upgrade_instances_follow_cluster": {
 			Type:        schema.TypeBool,

tencentcloud/resource_tc_kubernetes_encryption_protection.go

@@ -0,0 +1,214 @@
+/*
+Provides a resource to create a tke encryption_protection
+
+Example Usage
+
+Enable tke encryption protection
+
+```hcl
+variable "example_region" {
+  default = "ap-guangzhou"
+}
+
+variable "example_cluster_cidr" {
+  default = "10.31.0.0/16"
+}
+
+variable "availability_zone" {
+  default = "ap-guangzhou-3"
+}
+
+data "tencentcloud_vpc_subnets" "vpc" {
+  is_default        = true
+  availability_zone = var.availability_zone
+}
+
+resource "tencentcloud_kubernetes_cluster" "example" {
+  vpc_id                  = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id
+  cluster_cidr            = var.example_cluster_cidr
+  cluster_max_pod_num     = 32
+  cluster_name            = "tf_example_cluster"
+  cluster_desc            = "a tf example cluster for the kms test"
+  cluster_max_service_num = 32
+  cluster_internet        = true
+  cluster_version         = "1.24.4"
+  cluster_deploy_type     = "MANAGED_CLUSTER"
+}
+
+resource "tencentcloud_kms_key" "example" {
+  alias       = "tf-example-kms-key-ed-%s"
+  description = "example of kms key instance"
+  key_usage   = "ENCRYPT_DECRYPT"
+  is_enabled  = true
+}
+
+resource "tencentcloud_kubernetes_encryption_protection" "example" {
+  cluster_id = tencentcloud_kubernetes_cluster.example.id
+  kms_configuration {
+    key_id     = tencentcloud_kms_key.example.id
+    kms_region = var.example_region
+  }
+}
+```
+*/
+package tencentcloud
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	tke "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke/v20180525"
+	"github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+)
+
+func resourceTencentCloudTkeEncryptionProtection() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceTencentCloudTkeEncryptionProtectionCreate,
+		Read:   resourceTencentCloudTkeEncryptionProtectionRead,
+		Delete: resourceTencentCloudTkeEncryptionProtectionDelete,
+		Schema: map[string]*schema.Schema{
+			"cluster_id": {
+				Required:    true,
+				ForceNew:    true,
+				Type:        schema.TypeString,
+				Description: "cluster id.",
+			},
+
+			"kms_configuration": {
+				Required:    true,
+				ForceNew:    true,
+				Type:        schema.TypeList,
+				MaxItems:    1,
+				Description: "kms encryption configuration.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"key_id": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "kms id.",
+						},
+						"kms_region": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "kms region.",
+						},
+					},
+				},
+			},
+			"status": {
+				Computed:    true,
+				Type:        schema.TypeString,
+				Description: "kms encryption status.",
+			},
+		},
+	}
+}
+
+func resourceTencentCloudTkeEncryptionProtectionCreate(d *schema.ResourceData, meta interface{}) error {
+	defer logElapsed("resource.tencentcloud_tke_encryption_protection.create")()
+	defer inconsistentCheck(d, meta)()
+
+	logId := getLogId(contextNil)
+
+	var (
+		request   = tke.NewEnableEncryptionProtectionRequest()
+		clusterId string
+	)
+	if v, ok := d.GetOk("cluster_id"); ok {
+		request.ClusterId = helper.String(v.(string))
+		clusterId = v.(string)
+	}
+
+	if dMap, ok := helper.InterfacesHeadMap(d, "kms_configuration"); ok {
+		kMSConfiguration := tke.KMSConfiguration{}
+		if v, ok := dMap["key_id"]; ok {
+			kMSConfiguration.KeyId = helper.String(v.(string))
+		}
+		if v, ok := dMap["kms_region"]; ok {
+			kMSConfiguration.KmsRegion = helper.String(v.(string))
+		}
+		request.KMSConfiguration = &kMSConfiguration
+	}
+
+	err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
+		result, e := meta.(*TencentCloudClient).apiV3Conn.UseTkeClient().EnableEncryptionProtection(request)
+		if e != nil {
+			return retryError(e)
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+		}
+		return nil
+	})
+	if err != nil {
+		log.Printf("[CRITAL]%s create tke encryptionProtection failed, reason:%+v", logId, err)
+		return err
+	}
+
+	d.SetId(clusterId)
+
+	service := TkeService{client: meta.(*TencentCloudClient).apiV3Conn}
+
+	conf := BuildStateChangeConf([]string{}, []string{"Opened"}, 3*readRetryTimeout, time.Second, service.TkeEncryptionProtectionStateRefreshFunc(d.Id(), []string{}))
+
+	if _, e := conf.WaitForState(); e != nil {
+		return e
+	}
+
+	return resourceTencentCloudTkeEncryptionProtectionRead(d, meta)
+}
+
+func resourceTencentCloudTkeEncryptionProtectionRead(d *schema.ResourceData, meta interface{}) error {
+	defer logElapsed("resource.tencentcloud_tke_encryption_protection.read")()
+	defer inconsistentCheck(d, meta)()
+
+	logId := getLogId(contextNil)
+
+	ctx := context.WithValue(context.TODO(), logIdKey, logId)
+
+	service := TkeService{client: meta.(*TencentCloudClient).apiV3Conn}
+
+	encryptionProtectionId := d.Id()
+
+	encryptionProtection, err := service.DescribeTkeEncryptionProtectionById(ctx, encryptionProtectionId)
+	if err != nil {
+		return err
+	}
+
+	if encryptionProtection == nil {
+		d.SetId("")
+		log.Printf("[WARN]%s resource `TkeEncryptionProtection` [%s] not found, please check if it has been deleted.\n", logId, d.Id())
+		return nil
+	}
+
+	if encryptionProtection.Status != nil {
+		_ = d.Set("status", encryptionProtection.Status)
+	}
+
+	return nil
+}
+
+func resourceTencentCloudTkeEncryptionProtectionDelete(d *schema.ResourceData, meta interface{}) error {
+	defer logElapsed("resource.tencentcloud_tke_encryption_protection.delete")()
+	defer inconsistentCheck(d, meta)()
+
+	logId := getLogId(contextNil)
+	ctx := context.WithValue(context.TODO(), logIdKey, logId)
+
+	service := TkeService{client: meta.(*TencentCloudClient).apiV3Conn}
+	encryptionProtectionId := d.Id()
+
+	if err := service.DeleteTkeEncryptionProtectionById(ctx, encryptionProtectionId); err != nil {
+		return err
+	}
+
+	conf := BuildStateChangeConf([]string{}, []string{"Closed"}, 3*readRetryTimeout, time.Second, service.TkeEncryptionProtectionStateRefreshFunc(d.Id(), []string{}))
+
+	if _, e := conf.WaitForState(); e != nil {
+		return e
+	}
+
+	return nil
+}

tencentcloud/resource_tc_kubernetes_encryption_protection_test.go

@@ -0,0 +1,81 @@
+package tencentcloud
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccTencentCloudTkeEncryptionProtectionResource_basic(t *testing.T) {
+	t.Parallel()
+	rName := acctest.RandString(10)
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(testAccTkeEncryptionProtection, rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("tencentcloud_kubernetes_encryption_protection.example", "id"),
+					resource.TestCheckResourceAttr("tencentcloud_kubernetes_encryption_protection.example", "cluster_id", defaultTkeClusterId),
+					resource.TestCheckResourceAttrSet("tencentcloud_kubernetes_encryption_protection.example", "kms_configuration.#"),
+					resource.TestCheckResourceAttrSet("tencentcloud_kubernetes_encryption_protection.example", "kms_configuration.0.key_id"),
+					resource.TestCheckResourceAttr("tencentcloud_kubernetes_encryption_protection.example", "kms_configuration.0.kms_region", "ap-guangzhou"),
+					resource.TestCheckResourceAttrSet("tencentcloud_kubernetes_encryption_protection.example", "status"),
+				),
+			},
+		},
+	})
+}
+
+const testAccTkeEncryptionProtection = `
+
+variable "example_region" {
+  default = "ap-guangzhou"
+}
+
+variable "example_cluster_cidr" {
+  default = "10.31.0.0/16"
+}
+
+variable "availability_zone" {
+  default = "ap-guangzhou-3"
+}
+
+data "tencentcloud_vpc_subnets" "vpc" {
+  is_default        = true
+  availability_zone = var.availability_zone
+}
+
+resource "tencentcloud_kubernetes_cluster" "example" {
+  vpc_id                  = data.tencentcloud_vpc_subnets.vpc.instance_list.0.vpc_id
+  cluster_cidr            = var.example_cluster_cidr
+  cluster_max_pod_num     = 32
+  cluster_name            = "tf_example_cluster"
+  cluster_desc            = "a tf example cluster for the kms test"
+  cluster_max_service_num = 32
+  cluster_internet        = true
+  cluster_version         = "1.24.4"
+  cluster_deploy_type     = "MANAGED_CLUSTER"
+}
+
+resource "tencentcloud_kms_key" "example" {
+  alias       = "tf-example-%s"
+  description = "example of kms key instance"
+  key_usage   = "ENCRYPT_DECRYPT"
+  is_enabled  = true
+}
+
+resource "tencentcloud_kubernetes_encryption_protection" "example" {
+  cluster_id = tencentcloud_kubernetes_cluster.example.id
+  kms_configuration {
+    key_id     = tencentcloud_kms_key.example.id
+    kms_region = var.example_region
+  }
+}
+
+`