Add support for TDE key rotation

Author: whites11

docs/resources/service.md

@@ -59,7 +59,6 @@ resource "clickhouse_service" "service" {
 - `encryption_assumed_role_identifier` (String) Custom role identifier ARN.
 - `encryption_key` (String) Custom encryption key ARN.
 - `endpoints` (Attributes) Allow to enable and configure additional endpoints (read protocols) to expose on the ClickHouse service. (see [below for nested schema](#nestedatt--endpoints))
-- `has_transparent_data_encryption` (Boolean) If true, the Transparent Data Encryption (TDE) feature is enabled in the service. Only supported in AWS and GCP. Requires an organization with the Enterprise plan.
 - `idle_scaling` (Boolean) When set to true the service is allowed to scale down to zero when idle.
 - `idle_timeout_minutes` (Number) Set minimum idling timeout (in minutes). Must be greater than or equal to 5 minutes. Must be set if idle_scaling is enabled.
 - `max_replica_memory_gb` (Number) Maximum memory of a single replica during auto-scaling in Gb. Must be a multiple of 8. `max_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.
@@ -73,6 +72,7 @@ resource "clickhouse_service" "service" {
 - `readonly` (Boolean) Indicates if this service should be read only. Only allowed for secondary services, those which share data with another service (i.e. when `warehouse_id` field is set).
 - `release_channel` (String) Release channel to use for this service. Either 'default' or 'fast'. Switching from 'fast' to 'default' release channel is not supported.
 - `tier` (String) Tier of the service: 'development', 'production'. Required for organizations using the Legacy ClickHouse Cloud Tiers, must be omitted for organizations using the new ClickHouse Cloud Tiers.
+- `transparent_data_encryption` (Attributes) Configuration of the Transparent Data Encryption (TDE) feature. Requires an organization with the Enterprise plan. (see [below for nested schema](#nestedatt--transparent_data_encryption))
 - `warehouse_id` (String) ID of the warehouse to share the data with. Must be in the same cloud and region.
 
 ### Read-Only
@@ -155,6 +155,18 @@ Optional:
 - `allowed_origins` (String) Comma separated list of domain names to be allowed cross-origin resource sharing (CORS) access to the query API. Leave this field empty to restrict access to backend servers only
 
 
+<a id="nestedatt--transparent_data_encryption"></a>
+### Nested Schema for `transparent_data_encryption`
+
+Required:
+
+- `enabled` (Boolean) If true, TDE is enabled for the service.
+
+Optional:
+
+- `key_id` (String) ID of the Encryption key to use for data encryption. Must be an ARN for AWS services or a Key Resource Path for GCP services.
+
+
 <a id="nestedatt--private_endpoint_config"></a>
 ### Nested Schema for `private_endpoint_config`
 

examples/full/tde/aws/README.md renamed to examples/tde/aws/README.md

@@ -48,22 +48,6 @@ resource "clickhouse_service" "service" {
     }
   ]
 
-  endpoints = {
-    mysql = {
-      enabled = true
-    }
-  }
-
-  query_api_endpoints = {
-    api_key_ids = [
-      data.clickhouse_api_key_id.self.id,
-    ]
-    roles = [
-      "sql_console_admin"
-    ]
-    allowed_origins = null
-  }
-
   min_replica_memory_gb = 8
   max_replica_memory_gb = 120
 
@@ -73,8 +57,10 @@ resource "clickhouse_service" "service" {
     backup_start_time                = null
   }
 
-  has_transparent_data_encryption = true
-  transparent_data_encryption_key_id = "arn:aws:kms:us-east-2:662591887723:key/a4e565f6-be36-4397-8d09-83f919f1e67f"
+  transparent_data_encryption = {
+    enabled = true
+    key_id = "arn:aws:kms:us-east-2:XXXXXXXX:key/12345-6789-abcd-ef01-23456789abcde"
+  }
 }
 
 output "service_endpoints" {

examples/full/tde/aws/main.tf renamed to examples/tde/aws/main.tf

@@ -71,7 +71,10 @@ resource "clickhouse_service" "service" {
     backup_retention_period_in_hours = 48
   }
 
-  has_transparent_data_encryption = true
+  transparent_data_encryption = {
+    enabled = true
+    key_id = "arn:aws:kms:us-east-2:XXXXXXXX:key/12345-6789-abcd-ef01-23456789abcde"
+  }
 }
 
 output "service_endpoints" {

examples/full/tde/aws/provider.tf renamed to examples/tde/aws/provider.tf

@@ -62,7 +62,8 @@ type Service struct {
 	PrivateEndpointIds              []string                      `json:"privateEndpointIds,omitempty"`
 	EncryptionKey                   string                        `json:"encryptionKey,omitempty"`
 	EncryptionAssumedRoleIdentifier string                        `json:"encryptionAssumedRoleIdentifier,omitempty"`
-	HasTransparentDataEncryption    *bool                         `json:"hasTransparentDataEncryption,omitempty"`
+	HasTransparentDataEncryption    bool                          `json:"hasTransparentDataEncryption,omitempty"`
+	TransparentEncryptionDataKeyID  string                        `json:"transparentDataEncryptionKeyId,omitempty"`
 	BackupConfiguration             *BackupConfiguration          `json:"backupConfiguration,omitempty"`
 	ReleaseChannel                  string                        `json:"releaseChannel,omitempty"`
 	QueryAPIEndpoints               *ServiceQueryEndpoint         `json:"-"`

examples/full/tde/aws/provider.tf.template renamed to examples/tde/aws/provider.tf.template

@@ -133,6 +133,27 @@ func (e OptionalEndpoint) ObjectValue() basetypes.ObjectValue {
 	})
 }
 
+type TransparentEncryptionData struct {
+	Enabled types.Bool   `tfsdk:"enabled"`
+	KeyID   types.String `tfsdk:"key_id"`
+}
+
+func (t TransparentEncryptionData) ObjectType() types.ObjectType {
+	return types.ObjectType{
+		AttrTypes: map[string]attr.Type{
+			"enabled": types.BoolType,
+			"key_id":  types.StringType,
+		},
+	}
+}
+
+func (t TransparentEncryptionData) ObjectValue() basetypes.ObjectValue {
+	return types.ObjectValueMust(t.ObjectType().AttrTypes, map[string]attr.Value{
+		"enabled": t.Enabled,
+		"key_id":  t.KeyID,
+	})
+}
+
 type QueryAPIEndpoints struct {
 	APIKeyIDs      types.List   `tfsdk:"api_key_ids"`
 	Roles          types.List   `tfsdk:"roles"`
@@ -208,7 +229,7 @@ type ServiceResourceModel struct {
 	PrivateEndpointConfig           types.Object `tfsdk:"private_endpoint_config"`
 	EncryptionKey                   types.String `tfsdk:"encryption_key"`
 	EncryptionAssumedRoleIdentifier types.String `tfsdk:"encryption_assumed_role_identifier"`
-	HasTransparentDataEncryption    types.Bool   `tfsdk:"has_transparent_data_encryption"`
+	TransparentEncryptionData       types.Object `tfsdk:"transparent_data_encryption"`
 	QueryAPIEndpoints               types.Object `tfsdk:"query_api_endpoints"`
 	BackupConfiguration             types.Object `tfsdk:"backup_configuration"`
 }
@@ -237,7 +258,7 @@ func (m *ServiceResourceModel) Equals(b ServiceResourceModel) bool {
 		!m.PrivateEndpointConfig.Equal(b.PrivateEndpointConfig) ||
 		!m.EncryptionKey.Equal(b.EncryptionKey) ||
 		!m.EncryptionAssumedRoleIdentifier.Equal(b.EncryptionAssumedRoleIdentifier) ||
-		!m.HasTransparentDataEncryption.Equal(b.HasTransparentDataEncryption) ||
+		!m.TransparentEncryptionData.Equal(b.TransparentEncryptionData) ||
 		!m.IpAccessList.Equal(b.IpAccessList) ||
 		!m.QueryAPIEndpoints.Equal(b.QueryAPIEndpoints) ||
 		!m.BackupConfiguration.Equal(b.BackupConfiguration) {

examples/full/tde/aws/variables.tfvars.sample renamed to examples/tde/aws/variables.tfvars.sample

@@ -244,6 +244,14 @@ func TestServiceResource_Equals(t *testing.T) {
 			}).Get(),
 			want: false,
 		},
+		{
+			name: "TransparentEncryptionDataKeyID changed",
+			a:    base,
+			b: test.NewUpdater(base).Update(func(src *ServiceResourceModel) {
+				src.TransparentEncryptionDataKeyID = types.StringValue("changed")
+			}).Get(),
+			want: false,
+		},
 		{
 			name: "BackupConfiguration.BackupPeriodInHours changed",
 			a:    base,

examples/full/tde/gcp/README.md renamed to examples/tde/gcp/README.md

@@ -13,6 +13,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-framework-validators/boolvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/int32validator"
+	"github.com/hashicorp/terraform-plugin-framework-validators/objectvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
@@ -335,13 +336,21 @@ func (r *ServiceResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 				Description: "Custom role identifier ARN.",
 				Optional:    true,
 			},
-			"has_transparent_data_encryption": schema.BoolAttribute{
-				Description: "If true, the Transparent Data Encryption (TDE) feature is enabled in the service. Only supported in AWS and GCP. Requires an organization with the Enterprise plan.",
+			"transparent_data_encryption": schema.SingleNestedAttribute{
+				Description: "Configuration of the Transparent Data Encryption (TDE) feature. Requires an organization with the Enterprise plan.",
 				Optional:    true,
-				Computed:    true,
-				PlanModifiers: []planmodifier.Bool{
-					boolplanmodifier.UseStateForUnknown(),
-					boolplanmodifier.RequiresReplace(),
+				Attributes: map[string]schema.Attribute{
+					"enabled": schema.BoolAttribute{
+						Required:    true,
+						Description: "If true, TDE is enabled for the service.",
+					},
+					"key_id": schema.StringAttribute{
+						Optional:    true,
+						Description: "ID of the Encryption key to use for data encryption. Must be an ARN for AWS services or a Key Resource Path for GCP services.",
+					},
+				},
+				Validators: []validator.Object{
+					objectvalidator.ConflictsWith(path.Expressions{path.MatchRoot("warehouse_id")}...),
 				},
 			},
 			"query_api_endpoints": schema.SingleNestedAttribute{
@@ -518,6 +527,49 @@ func (r *ServiceResource) ModifyPlan(ctx context.Context, req resource.ModifyPla
 				)
 			}
 		}
+
+		var isEnabled, wantEnabled bool
+		var isKey, wantKey string
+		if !state.TransparentEncryptionData.IsNull() {
+			stateTDE := models.TransparentEncryptionData{}
+			state.TransparentEncryptionData.As(ctx, &stateTDE, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
+			isEnabled = stateTDE.Enabled.ValueBool()
+			isKey = stateTDE.KeyID.ValueString()
+		}
+
+		if !plan.TransparentEncryptionData.IsNull() && !plan.TransparentEncryptionData.IsUnknown() {
+			planTDE := models.TransparentEncryptionData{}
+			plan.TransparentEncryptionData.As(ctx, &planTDE, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
+			wantEnabled = planTDE.Enabled.ValueBool()
+			wantKey = planTDE.KeyID.ValueString()
+		} else {
+			wantEnabled = false
+			wantKey = ""
+		}
+
+		if isEnabled && !wantEnabled {
+			resp.Diagnostics.AddAttributeError(
+				path.Root("transparent_data_encryption.enabled"),
+				"Invalid Update",
+				"It is not possible to disable TDE (Transparend data encryption) on an existing service.",
+			)
+		}
+
+		if !isEnabled && wantEnabled {
+			resp.Diagnostics.AddAttributeError(
+				path.Root("transparent_data_encryption.enabled"),
+				"Invalid Update",
+				"It is not possible to enable TDE (Transparend data encryption) on an existing service.",
+			)
+		}
+
+		if isKey != "" && wantKey == "" {
+			resp.Diagnostics.AddAttributeError(
+				path.Root("transparent_data_encryption.key_id"),
+				"Invalid Update",
+				"It is not possible to remove the key_id for TDE (Transparend data encryption) on a service. If the KeyID was updated outside terraform, please set the same value in the transparent_data_encryption.key_id field.",
+			)
+		}
 	}
 
 	if plan.Tier.ValueString() == api.TierDevelopment {
@@ -795,10 +847,14 @@ func (r *ServiceResource) Create(ctx context.Context, req resource.CreateRequest
 		}
 	}
 
-	if service.Tier == api.TierPPv2 {
-		if !plan.HasTransparentDataEncryption.IsUnknown() && !plan.HasTransparentDataEncryption.IsNull() {
-			service.HasTransparentDataEncryption = plan.HasTransparentDataEncryption.ValueBoolPointer()
+	var tde *models.TransparentEncryptionData
+	if !plan.TransparentEncryptionData.IsNull() {
+		tde = &models.TransparentEncryptionData{}
+		diag := plan.TransparentEncryptionData.As(ctx, tde, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
+		if diag.HasError() {
+			return
 		}
+		service.HasTransparentDataEncryption = tde.Enabled.ValueBool()
 	}
 
 	service.IdleScaling = plan.IdleScaling.ValueBool()
@@ -973,6 +1029,18 @@ func (r *ServiceResource) Create(ctx context.Context, req resource.CreateRequest
 				return
 			}
 		}
+
+		// Set TDE key
+		if tde != nil && tde.Enabled.ValueBool() && tde.KeyID.ValueString() != "" {
+			err = r.client.RotateTDEKey(ctx, s.Id, tde.KeyID.ValueString())
+			if err != nil {
+				resp.Diagnostics.AddError(
+					"Error setting TDE encryption key id",
+					"Could not set TDE encryption key id, unexpected error: "+err.Error(),
+				)
+				return
+			}
+		}
 	}
 
 	// Map response body to schema and populate Computed attribute values
@@ -1350,6 +1418,26 @@ func (r *ServiceResource) Update(ctx context.Context, req resource.UpdateRequest
 		}
 	}
 
+	// TDE Key rotation
+	{
+		if !plan.TransparentEncryptionData.Equal(state.TransparentEncryptionData) {
+			tde := &models.TransparentEncryptionData{}
+			diag := plan.TransparentEncryptionData.As(ctx, tde, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
+			if diag.HasError() {
+				return
+			}
+
+			err := r.client.RotateTDEKey(ctx, serviceId, tde.KeyID.ValueString())
+			if err != nil {
+				resp.Diagnostics.AddError(
+					"Error rotating TDE encryption key",
+					"Could not rotate TDE encryption, unexpected error: "+err.Error(),
+				)
+				return
+			}
+		}
+	}
+
 	err := r.syncServiceState(ctx, &plan, true)
 	if err != nil {
 		resp.Diagnostics.AddError(
@@ -1823,10 +1911,18 @@ func (r *ServiceResource) syncServiceState(ctx context.Context, state *models.Se
 		state.EncryptionAssumedRoleIdentifier = types.StringNull()
 	}
 
-	if service.HasTransparentDataEncryption != nil {
-		state.HasTransparentDataEncryption = types.BoolValue(*service.HasTransparentDataEncryption)
+	if service.HasTransparentDataEncryption {
+		tde := models.TransparentEncryptionData{
+			Enabled: types.BoolValue(service.HasTransparentDataEncryption),
+		}
+		if service.TransparentEncryptionDataKeyID != "" {
+			tde.KeyID = types.StringValue(service.TransparentEncryptionDataKeyID)
+		} else {
+			tde.KeyID = types.StringNull()
+		}
+		state.TransparentEncryptionData = tde.ObjectValue()
 	} else {
-		state.HasTransparentDataEncryption = types.BoolNull()
+		state.TransparentEncryptionData = types.ObjectNull(models.TransparentEncryptionData{}.ObjectType().AttrTypes)
 	}
 
 	if service.QueryAPIEndpoints != nil {