Add support for TDE key rotation

whites11 · whites11 · commit 87411d255bd6 · 2025-04-23T11:28:44.000+02:00
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -147,7 +147,7 @@ jobs:
           region: ${{ steps.credentials.outputs.region }}
           aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
       - name: cleanup
-        if: ${{ always() && matrix.test.cloud == 'aws' && matrix.test.name == 'private_endpoint' }}
+        if: ${{ always() && matrix.test.cloud == 'aws' }}
         uses: ./.github/actions/cleanup-aws
         with:
           service_name: ${{steps.name.outputs.test_name}}
@@ -218,13 +218,15 @@ jobs:
           skip_build: "false"
           region: ${{ steps.credentials.outputs.region }}
           aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+
       - name: cleanup
-        if: ${{ always() && matrix.test.cloud == 'aws' && matrix.test.name == 'private_endpoint' }}
+        if: ${{ always() && matrix.test.cloud == 'aws' }}
         uses: ./.github/actions/cleanup-aws
         with:
           service_name: ${{steps.name.outputs.test_name}}
           aws_region: ${{ steps.credentials.outputs.region }}
           aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+
       - name: Mark error
         id: status
         if: failure()
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -136,6 +136,14 @@ jobs:
           region: ${{ steps.credentials.outputs.region }}
           aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
 
+      - name: cleanup
+        if: ${{ always() && matrix.test.cloud == 'aws' }}
+        uses: ./.github/actions/cleanup-aws
+        with:
+          service_name: "[e2e]-${{ matrix.test.name }}-${{ matrix.tf_release }}-${{ matrix.test.cloud }}-${{ needs.token.outputs.token }}"
+          aws_region: ${{ steps.credentials.outputs.region }}
+          aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+
       - name: Mark error
         id: status
         if: failure()
@@ -190,6 +198,14 @@ jobs:
           region: ${{ steps.credentials.outputs.region }}
           aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
 
+      - name: cleanup
+        if: ${{ always() && matrix.test.cloud == 'aws' }}
+        uses: ./.github/actions/cleanup-aws
+        with:
+          service_name: "[upg]-${{ matrix.test.name }}-${{ matrix.tf_release }}-${{ matrix.test.cloud }}-${{ needs.token.outputs.token }}"
+          aws_region: ${{ steps.credentials.outputs.region }}
+          aws_role_arn: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+
       - name: Mark error
         id: status
         if: failure()
diff --git a/docs/resources/service.md b/docs/resources/service.md
@@ -61,9 +61,9 @@ resource "clickhouse_service" "service" {
 - `endpoints` (Attributes) Allow to enable and configure additional endpoints (read protocols) to expose on the ClickHouse service. (see [below for nested schema](#nestedatt--endpoints))
 - `idle_scaling` (Boolean) When set to true the service is allowed to scale down to zero when idle.
 - `idle_timeout_minutes` (Number) Set minimum idling timeout (in minutes). Must be greater than or equal to 5 minutes. Must be set if idle_scaling is enabled.
-- `max_replica_memory_gb` (Number) Maximum memory of a single replica during auto-scaling in Gb. Must be a multiple of 8. `max_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.
+- `max_replica_memory_gb` (Number) Maximum memory of a single replica during auto-scaling in Gb. Must be a multiple of 4 greater than or equal to 8. `max_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.
 - `max_total_memory_gb` (Number, Deprecated) Maximum total memory of all workers during auto-scaling in Gb. Must be a multiple of 12 and lower than 360 for non paid services or 720 for paid services.
-- `min_replica_memory_gb` (Number) Minimum memory of a single replica during auto-scaling in Gb. Must be a multiple of 8. `min_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.
+- `min_replica_memory_gb` (Number) Minimum memory of a single replica during auto-scaling in Gb. Must be a multiple of 4 greater than or equal to 8. `min_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.
 - `min_total_memory_gb` (Number, Deprecated) Minimum total memory of all workers during auto-scaling in Gb. Must be a multiple of 12 and greater than 24.
 - `num_replicas` (Number) Number of replicas for the service. Must be between 3 and 20. Contact support to enable this feature.
 - `password` (String, Sensitive) Password for the default user. One of either `password` or `password_hash` must be specified.
@@ -158,7 +158,7 @@ Optional:
 <a id="nestedatt--transparent_data_encryption"></a>
 ### Nested Schema for `transparent_data_encryption`
 
-Required:
+Optional:
 
 - `enabled` (Boolean) If true, TDE is enabled for the service.
 
diff --git a/pkg/resource/service.go b/pkg/resource/service.go
@@ -41,6 +41,7 @@ var (
 	_ resource.Resource                = &ServiceResource{}
 	_ resource.ResourceWithConfigure   = &ServiceResource{}
 	_ resource.ResourceWithImportState = &ServiceResource{}
+	_ resource.ResourceWithModifyPlan  = &ServiceResource{}
 )
 
 //go:embed descriptions/service.md
@@ -283,12 +284,12 @@ func (r *ServiceResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 				DeprecationMessage: "Please use max_replica_memory_gb instead",
 			},
 			"min_replica_memory_gb": schema.Int64Attribute{
-				Description: "Minimum memory of a single replica during auto-scaling in Gb. Must be a multiple of 8. `min_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.",
+				Description: "Minimum memory of a single replica during auto-scaling in Gb. Must be a multiple of 4 greater than or equal to 8. `min_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.",
 				Optional:    true,
 				Computed:    true,
 			},
 			"max_replica_memory_gb": schema.Int64Attribute{
-				Description: "Maximum memory of a single replica during auto-scaling in Gb. Must be a multiple of 8. `max_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.",
+				Description: "Maximum memory of a single replica during auto-scaling in Gb. Must be a multiple of 4 greater than or equal to 8. `max_replica_memory_gb` x `num_replicas` (default 3) must be lower than 360 for non paid services or 720 for paid services.",
 				Optional:    true,
 				Computed:    true,
 			},
@@ -339,6 +340,7 @@ func (r *ServiceResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 			"transparent_data_encryption": schema.SingleNestedAttribute{
 				Description: "Configuration of the Transparent Data Encryption (TDE) feature. Requires an organization with the Enterprise plan.",
 				Optional:    true,
+				Computed:    true,
 				Attributes: map[string]schema.Attribute{
 					"role_id": schema.StringAttribute{
 						Computed:    true,
@@ -348,10 +350,14 @@ func (r *ServiceResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 						},
 					},
 					"enabled": schema.BoolAttribute{
-						Required:    true,
+						Optional:    true,
+						Computed:    true, // To allow client side defaulting.
 						Description: "If true, TDE is enabled for the service.",
 					},
 				},
+				PlanModifiers: []planmodifier.Object{
+					objectplanmodifier.UseStateForUnknown(),
+				},
 				Validators: []validator.Object{
 					objectvalidator.ConflictsWith(path.Expressions{path.MatchRoot("warehouse_id")}...),
 				},
@@ -541,10 +547,10 @@ func (r *ServiceResource) ModifyPlan(ctx context.Context, req resource.ModifyPla
 				isEnabled = false
 			}
 
-			if !plan.TransparentEncryptionData.IsNull() && !plan.TransparentEncryptionData.IsUnknown() {
-				planTDE := models.TransparentEncryptionData{}
-				plan.TransparentEncryptionData.As(ctx, &planTDE, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
-				wantEnabled = planTDE.Enabled.ValueBool()
+			if !config.TransparentEncryptionData.IsNull() && !config.TransparentEncryptionData.IsUnknown() {
+				configTDE := models.TransparentEncryptionData{}
+				config.TransparentEncryptionData.As(ctx, &configTDE, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
+				wantEnabled = configTDE.Enabled.ValueBool()
 			} else {
 				wantEnabled = false
 			}
@@ -555,7 +561,7 @@ func (r *ServiceResource) ModifyPlan(ctx context.Context, req resource.ModifyPla
 			resp.Diagnostics.AddAttributeError(
 				path.Root("transparent_data_encryption.enabled"),
 				"Invalid Update",
-				"It is not possible to disable TDE (Transparend data encryption) on an existing service.",
+				"It is not possible to disable TDE (Transparent data encryption) on an existing service.",
 			)
 		}
 
@@ -564,9 +570,18 @@ func (r *ServiceResource) ModifyPlan(ctx context.Context, req resource.ModifyPla
 			resp.Diagnostics.AddAttributeError(
 				path.Root("transparent_data_encryption.enabled"),
 				"Invalid Update",
-				"It is not possible to enable TDE (Transparend data encryption) on an existing service.",
+				"It is not possible to enable TDE (Transparent data encryption) on an existing service.",
 			)
 		}
+
+		if !wantEnabled {
+			// Mark RoleID as known null.
+			planTDE := models.TransparentEncryptionData{}
+			plan.TransparentEncryptionData.As(ctx, &planTDE, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
+			planTDE.RoleID = types.StringNull()
+			plan.TransparentEncryptionData = planTDE.ObjectValue()
+			resp.Plan.Set(ctx, plan)
+		}
 	}
 
 	if plan.Tier.ValueString() == api.TierDevelopment {
@@ -774,6 +789,27 @@ func (r *ServiceResource) ModifyPlan(ctx context.Context, req resource.ModifyPla
 			resp.Plan.Set(ctx, plan)
 		}
 	}
+
+	var defaultTDE = false
+	{
+		if config.TransparentEncryptionData.IsNull() || config.TransparentEncryptionData.IsUnknown() {
+			defaultTDE = true
+		} else {
+			cfg := models.TransparentEncryptionData{}
+			diag := config.TransparentEncryptionData.As(ctx, &cfg, basetypes.ObjectAsOptions{UnhandledNullAsEmpty: false, UnhandledUnknownAsEmpty: false})
+			if diag.HasError() {
+				return
+			}
+			defaultTDE = cfg.Enabled.IsUnknown() || cfg.Enabled.IsNull()
+		}
+		if defaultTDE {
+			plan.TransparentEncryptionData = models.TransparentEncryptionData{
+				Enabled: types.BoolValue(false),
+				RoleID:  types.StringNull(),
+			}.ObjectValue()
+			resp.Plan.Set(ctx, plan)
+		}
+	}
 }
 
 // Create a new resource
@@ -1875,15 +1911,18 @@ func (r *ServiceResource) syncServiceState(ctx context.Context, state *models.Se
 		state.EncryptionAssumedRoleIdentifier = types.StringNull()
 	}
 
-	if service.HasTransparentDataEncryption {
-		state.TransparentEncryptionData = models.TransparentEncryptionData{
-			RoleID:  types.StringValue(service.EncryptionRoleID),
-			Enabled: types.BoolValue(service.HasTransparentDataEncryption),
-		}.ObjectValue()
+	tde := models.TransparentEncryptionData{
+		Enabled: types.BoolValue(service.HasTransparentDataEncryption),
+	}
+
+	if service.EncryptionRoleID != "" {
+		tde.RoleID = types.StringValue(service.EncryptionRoleID)
 	} else {
-		state.TransparentEncryptionData = types.ObjectNull(models.TransparentEncryptionData{}.ObjectType().AttrTypes)
+		tde.RoleID = types.StringNull()
 	}
 
+	state.TransparentEncryptionData = tde.ObjectValue()
+
 	if service.QueryAPIEndpoints != nil {
 		queryApiEndpoint := models.QueryAPIEndpoints{}
 
