Add preliminary support for TDE

Author: whites11

docs/resources/service.md

@@ -59,6 +59,7 @@ resource "clickhouse_service" "service" {
 - `encryption_assumed_role_identifier` (String) Custom role identifier ARN.
 - `encryption_key` (String) Custom encryption key ARN.
 - `endpoints` (Attributes) Allow to enable and configure additional endpoints (read protocols) to expose on the ClickHouse service. (see [below for nested schema](#nestedatt--endpoints))
+- `has_transparent_data_encryption` (Boolean) If true, the Transparent Data Encryption (TDE) feature is enabled in the service. Only supported in AWS and GCP. Requires an organization with the Enterprise plan.
 - `idle_scaling` (Boolean) When set to true the service is allowed to scale down to zero when idle.
 - `idle_timeout_minutes` (Number) Set minimum idling timeout (in minutes). Must be greater than or equal to 5 minutes. Must be set if idle_scaling is enabled.
 - `max_replica_memory_gb` (Number) Maximum memory of a single replica during auto-scaling in Gb. Must be a multiple of 8. `max_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.

examples/full/tde/aws/README.md

@@ -0,0 +1,12 @@
+## AWS Basic example
+
+The Terraform code deploys following resources:
+- 1 ClickHouse service on AWS
+
+WARNING: this example requires an organization with the Enterprise plan to run.
+
+## How to run
+
+- Rename `variables.tfvars.sample` to `variables.tfvars` and fill in all needed data.
+- Run `terraform init`
+- Run `terraform <plan|apply> -var-file=variables.tfvars`

examples/full/tde/aws/main.tf

@@ -0,0 +1,85 @@
+variable "organization_id" {
+  type = string
+}
+
+variable "token_key" {
+  type = string
+}
+
+variable "token_secret" {
+  type = string
+}
+
+variable "service_name" {
+  type = string
+  default = "My Terraform Service"
+}
+
+variable "region" {
+  type = string
+  default = "us-east-2"
+}
+
+variable "release_channel" {
+  type = string
+  default = "default"
+  validation {
+    condition     = var.release_channel == "default" || var.release_channel == "fast"
+    error_message = "Release channel can be either 'default' or 'fast'."
+  }
+}
+
+data "clickhouse_api_key_id" "self" {
+}
+
+resource "clickhouse_service" "service" {
+  name                      = var.service_name
+  cloud_provider            = "aws"
+  region                    = var.region
+  release_channel           = var.release_channel
+  idle_scaling              = true
+  idle_timeout_minutes      = 5
+  password_hash             = "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=" # base64 encoded sha256 hash of "test"
+
+  ip_access = [
+    {
+      source      = "0.0.0.0"
+      description = "Anywhere"
+    }
+  ]
+
+  endpoints = {
+    mysql = {
+      enabled = true
+    }
+  }
+
+  query_api_endpoints = {
+    api_key_ids = [
+      data.clickhouse_api_key_id.self.id,
+    ]
+    roles = [
+      "sql_console_admin"
+    ]
+    allowed_origins = null
+  }
+
+  min_replica_memory_gb = 8
+  max_replica_memory_gb = 120
+
+  backup_configuration = {
+    backup_period_in_hours           = 24
+    backup_retention_period_in_hours = 24
+    backup_start_time                = null
+  }
+
+  has_transparent_data_encryption = true
+}
+
+output "service_endpoints" {
+  value = clickhouse_service.service.endpoints
+}
+
+output "service_iam" {
+  value = clickhouse_service.service.iam_role
+}

examples/full/tde/aws/provider.tf

@@ -0,0 +1,15 @@
+# This file is generated automatically please do not edit
+terraform {
+  required_providers {
+    clickhouse = {
+      version = "3.0.0"
+      source  = "ClickHouse/clickhouse"
+    }
+  }
+}
+
+provider "clickhouse" {
+  organization_id = var.organization_id
+  token_key       = var.token_key
+  token_secret    = var.token_secret
+}

examples/full/tde/aws/provider.tf.template

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    clickhouse = {
+      version = "${CLICKHOUSE_TERRAFORM_PROVIDER_VERSION}"
+      source  = "ClickHouse/clickhouse"
+    }
+  }
+}
+
+provider "clickhouse" {
+  organization_id = var.organization_id
+  token_key       = var.token_key
+  token_secret    = var.token_secret
+}

examples/full/tde/aws/variables.tfvars.sample

@@ -0,0 +1,4 @@
+# these keys are for example only and won't work when pointed to a deployed ClickHouse OpenAPI server
+organization_id = "aee076c1-3f83-4637-95b1-ad5a0a825b71"
+token_key       = "avhj1U5QCdWAE9CA9"
+token_secret    = "4b1dROiHQEuSXJHlV8zHFd0S7WQj7CGxz5kGJeJnca"

examples/full/tde/gcp/README.md

@@ -0,0 +1,12 @@
+## AWS Basic example
+
+The Terraform code deploys following resources:
+- 1 ClickHouse service on GCP with TDE feature enabled
+
+WARNING: this example requires an organization with the Enterprise plan to run.
+
+## How to run
+
+- Rename `variables.tfvars.sample` to `variables.tfvars` and fill in all needed data.
+- Run `terraform init`
+- Run `terraform <plan|apply> -var-file=variables.tfvars`

examples/full/tde/gcp/main.tf

@@ -0,0 +1,83 @@
+variable "organization_id" {
+  type = string
+}
+
+variable "token_key" {
+  type = string
+}
+
+variable "token_secret" {
+  type = string
+}
+
+variable "service_name" {
+  type = string
+  default = "My Terraform Service"
+}
+
+variable "region" {
+  type = string
+  default = "europe-west4"
+}
+
+variable "release_channel" {
+  type = string
+  default = "default"
+  validation {
+    condition     = var.release_channel == "default" || var.release_channel == "fast"
+    error_message = "Release channel can be either 'default' or 'fast'."
+  }
+}
+
+data "clickhouse_api_key_id" "self" {
+}
+
+resource "clickhouse_service" "service" {
+  name                      = var.service_name
+  cloud_provider            = "gcp"
+  region                    = var.region
+  release_channel           = var.release_channel
+  idle_scaling              = true
+  idle_timeout_minutes      = 5
+  password_hash             = "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=" # base64 encoded sha256 hash of "test"
+
+  ip_access = [
+    {
+      source      = "0.0.0.0"
+      description = "Anywhere"
+    }
+  ]
+
+  endpoints = {
+    mysql = {
+      enabled = true
+    }
+  }
+
+  query_api_endpoints = {
+    api_key_ids = [
+      data.clickhouse_api_key_id.self.id,
+    ]
+    roles = [
+      "sql_console_admin"
+    ]
+    allowed_origins = null
+  }
+
+  min_replica_memory_gb = 8
+  max_replica_memory_gb = 120
+
+  backup_configuration = {
+    backup_retention_period_in_hours = 48
+  }
+
+  has_transparent_data_encryption = true
+}
+
+output "service_endpoints" {
+  value = clickhouse_service.service.endpoints
+}
+
+output "service_iam" {
+  value = clickhouse_service.service.iam_role
+}

examples/full/tde/gcp/provider.tf

@@ -0,0 +1,15 @@
+# This file is generated automatically please do not edit
+terraform {
+  required_providers {
+    clickhouse = {
+      version = "3.0.0"
+      source  = "ClickHouse/clickhouse"
+    }
+  }
+}
+
+provider "clickhouse" {
+  organization_id = var.organization_id
+  token_key       = var.token_key
+  token_secret    = var.token_secret
+}

examples/full/tde/gcp/provider.tf.template

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    clickhouse = {
+      version = "${CLICKHOUSE_TERRAFORM_PROVIDER_VERSION}"
+      source  = "ClickHouse/clickhouse"
+    }
+  }
+}
+
+provider "clickhouse" {
+  organization_id = var.organization_id
+  token_key       = var.token_key
+  token_secret    = var.token_secret
+}

examples/full/tde/gcp/variables.tfvars.sample

@@ -0,0 +1,4 @@
+# these keys are for example only and won't work when pointed to a deployed ClickHouse OpenAPI server
+organization_id = "aee076c1-3f83-4637-95b1-ad5a0a825b71"
+token_key       = "avhj1U5QCdWAE9CA9"
+token_secret    = "4b1dROiHQEuSXJHlV8zHFd0S7WQj7CGxz5kGJeJnca"

pkg/internal/api/models.go

@@ -62,10 +62,10 @@ type Service struct {
 	PrivateEndpointIds              []string                      `json:"privateEndpointIds,omitempty"`
 	EncryptionKey                   string                        `json:"encryptionKey,omitempty"`
 	EncryptionAssumedRoleIdentifier string                        `json:"encryptionAssumedRoleIdentifier,omitempty"`
+	HasTransparentDataEncryption    *bool                         `json:"hasTransparentDataEncryption,omitempty"`
 	BackupConfiguration             *BackupConfiguration          `json:"backupConfiguration,omitempty"`
 	ReleaseChannel                  string                        `json:"releaseChannel,omitempty"`
 	QueryAPIEndpoints               *ServiceQueryEndpoint         `json:"-"`
-	HasTransparentDataEncryption    bool                          `json:"hasTransparentDataEncryption,omitempty"`
 }
 
 type ServiceUpdate struct {

pkg/resource/models/service_resource.go

@@ -208,6 +208,7 @@ type ServiceResourceModel struct {
 	PrivateEndpointConfig           types.Object `tfsdk:"private_endpoint_config"`
 	EncryptionKey                   types.String `tfsdk:"encryption_key"`
 	EncryptionAssumedRoleIdentifier types.String `tfsdk:"encryption_assumed_role_identifier"`
+	HasTransparentDataEncryption    types.Bool   `tfsdk:"has_transparent_data_encryption"`
 	QueryAPIEndpoints               types.Object `tfsdk:"query_api_endpoints"`
 	BackupConfiguration             types.Object `tfsdk:"backup_configuration"`
 	HasTransparentDataEncryption		types.Bool   `tfsdk:"has_transparent_data_encryption"`
@@ -237,6 +238,7 @@ func (m *ServiceResourceModel) Equals(b ServiceResourceModel) bool {
 		!m.PrivateEndpointConfig.Equal(b.PrivateEndpointConfig) ||
 		!m.EncryptionKey.Equal(b.EncryptionKey) ||
 		!m.EncryptionAssumedRoleIdentifier.Equal(b.EncryptionAssumedRoleIdentifier) ||
+		!m.HasTransparentDataEncryption.Equal(b.HasTransparentDataEncryption) ||
 		!m.IpAccessList.Equal(b.IpAccessList) ||
 		!m.QueryAPIEndpoints.Equal(b.QueryAPIEndpoints) ||
 		!m.BackupConfiguration.Equal(b.BackupConfiguration) ||

pkg/resource/service.go

@@ -338,6 +338,15 @@ func (r *ServiceResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 				Description: "Custom role identifier ARN.",
 				Optional:    true,
 			},
+			"has_transparent_data_encryption": schema.BoolAttribute{
+				Description: "If true, the Transparent Data Encryption (TDE) feature is enabled in the service. Only supported in AWS and GCP. Requires an organization with the Enterprise plan.",
+				Optional:    true,
+				Computed:    true,
+				PlanModifiers: []planmodifier.Bool{
+					boolplanmodifier.UseStateForUnknown(),
+					boolplanmodifier.RequiresReplace(),
+				},
+			},
 			"query_api_endpoints": schema.SingleNestedAttribute{
 				Description: "Configuration of the query API endpoints feature.",
 				Optional:    true,
@@ -768,6 +777,12 @@ func (r *ServiceResource) Create(ctx context.Context, req resource.CreateRequest
 		}
 	}
 
+	if service.Tier == api.TierPPv2 {
+		if !plan.HasTransparentDataEncryption.IsUnknown() && !plan.HasTransparentDataEncryption.IsNull() {
+			service.HasTransparentDataEncryption = plan.HasTransparentDataEncryption.ValueBoolPointer()
+		}
+	}
+
 	service.IdleScaling = plan.IdleScaling.ValueBool()
 	if !plan.IdleTimeoutMinutes.IsNull() {
 		idleTimeoutMinutes := int(plan.IdleTimeoutMinutes.ValueInt64())
@@ -1794,6 +1809,12 @@ func (r *ServiceResource) syncServiceState(ctx context.Context, state *models.Se
 		state.EncryptionAssumedRoleIdentifier = types.StringNull()
 	}
 
+	if service.HasTransparentDataEncryption != nil {
+		state.HasTransparentDataEncryption = types.BoolValue(*service.HasTransparentDataEncryption)
+	} else {
+		state.HasTransparentDataEncryption = types.BoolNull()
+	}
+
 	if service.QueryAPIEndpoints != nil {
 		queryApiEndpoint := models.QueryAPIEndpoints{}