Add support for TDE key rotation

Author: whites11

docs/resources/service.md

@@ -162,9 +162,9 @@ Required:
 
 - `enabled` (Boolean) If true, TDE is enabled for the service.
 
-Optional:
+Read-Only:
 
-- `key_id` (String) ID of the Encryption key to use for data encryption. Must be an ARN for AWS services or a Key Resource Path for GCP services.
+- `role_id` (String) ID of Role to be used for granting access to the Encryption Key. This is an ARN for AWS services and a Service Account Identifier for GCP.
 
 
 <a id="nestedatt--private_endpoint_config"></a>

docs/resources/service_transparent_data_encryption_key_association.md

@@ -0,0 +1,52 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "clickhouse_service_transparent_data_encryption_key_association Resource - clickhouse"
+subcategory: ""
+description: |-
+  You can use the clickhouse_service resource to deploy ClickHouse cloud instances on supported cloud providers.
+  Known limitations:
+  If you create a service with warehouse_id set and then remove warehouse_id attribute completely, the provider won't detect the change. If you want to make a secondary service become primary, remove the warehouse_id and taint it before applying.If you create a service with readonly flag set to true and then remove readonly flag completely, the provider won't detect the change. If you want to make a secondary service read write, explicitly set the readonly flag to false.
+---
+
+# clickhouse_service_transparent_data_encryption_key_association (Resource)
+
+You can use the *clickhouse_service* resource to deploy ClickHouse cloud instances on supported cloud providers.
+
+Known limitations:
+
+- If you create a service with `warehouse_id` set and then remove `warehouse_id` attribute completely, the provider won't detect the change. If you want to make a secondary service become primary, remove the `warehouse_id` and taint it before applying.
+- If you create a service with `readonly` flag set to true and then remove `readonly` flag completely, the provider won't detect the change. If you want to make a secondary service read write, explicitly set the `readonly` flag to false.
+
+## Example Usage
+
+```terraform
+resource "clickhouse_service" "service" {
+  ...
+}
+
+resource "aws_kms_key" "enc" {
+  ...
+}
+
+resource "clickhouse_service_transparent_data_encryption_key_association" "service_key_association" {
+  service_id = clickhouse_service.service.id
+  key_id = aws_kms_key.enc.arn
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `key_id` (String) ID of the Encryption key to use for data encryption. Must be an ARN for AWS services or a Key Resource Path for GCP services.
+- `service_id` (String) ClickHouse Service ID
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Endpoint Attachments can be imported by specifying the clickhouse service UUID
+terraform import clickhouse_service_transparent_data_encryption_key_association.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```

examples/tde/aws/README.md renamed to examples/full/tde/aws/README.md

@@ -0,0 +1,107 @@
+variable "aws_key" {
+  type = string
+}
+
+variable "aws_secret" {
+  type = string
+}
+
+variable "aws_session_token" {
+  type = string
+  default = ""
+}
+
+locals {
+  tags = {
+    Name = var.service_name
+  }
+}
+
+provider "aws" {
+  region     = var.region
+  access_key = var.aws_key
+  secret_key = var.aws_secret
+  token      = var.aws_session_token
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "policy" {
+  # Allow root user on the account all access.
+  statement {
+    sid = "AllowRoot"
+
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+
+  # Allow user that runs terraform to manage the KMS key.
+  statement {
+    sid = "AllowAdmins"
+    actions = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+      "kms:RotateKeyOnDemand",
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:DescribeKey",
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_caller_identity.current.arn]
+    }
+  }
+
+  # Allow clickhouse's accounts to access the KMS key.
+  statement {
+    sid = "AllowClickHouse"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:DescribeKey",
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [clickhouse_service.service.transparent_data_encryption.role_id]
+    }
+  }
+}
+
+resource "aws_kms_key" "enc" {
+  customer_master_key_spec = "SYMMETRIC_DEFAULT"
+  deletion_window_in_days  = 7
+  description              = var.service_name
+  enable_key_rotation      = false
+  is_enabled               = true
+  key_usage                = "ENCRYPT_DECRYPT"
+  multi_region             = false
+
+  policy = data.aws_iam_policy_document.policy.json
+
+  tags = local.tags
+}

examples/full/tde/aws/aws.tf

@@ -59,10 +59,14 @@ resource "clickhouse_service" "service" {
 
   transparent_data_encryption = {
     enabled = true
-    key_id = "arn:aws:kms:us-east-2:XXXXXXXX:key/12345-6789-abcd-ef01-23456789abcde"
   }
 }
 
+resource "clickhouse_service_transparent_data_encryption_key_association" "service_key_association" {
+  service_id = clickhouse_service.service.id
+  key_id = aws_kms_key.enc.arn
+}
+
 output "service_endpoints" {
   value = clickhouse_service.service.endpoints
 }

examples/tde/aws/main.tf renamed to examples/full/tde/aws/main.tf

@@ -2,3 +2,8 @@
 organization_id = "aee076c1-3f83-4637-95b1-ad5a0a825b71"
 token_key       = "avhj1U5QCdWAE9CA9"
 token_secret    = "4b1dROiHQEuSXJHlV8zHFd0S7WQj7CGxz5kGJeJnca"
+
+# AWS
+aws_key                      = "key"
+aws_secret                   = "secret"
+aws_region                   = "us-west-2"

examples/tde/aws/provider.tf renamed to examples/full/tde/aws/provider.tf

@@ -73,7 +73,6 @@ resource "clickhouse_service" "service" {
 
   transparent_data_encryption = {
     enabled = true
-    key_id = "arn:aws:kms:us-east-2:XXXXXXXX:key/12345-6789-abcd-ef01-23456789abcde"
   }
 }
 

examples/tde/aws/provider.tf.template renamed to examples/full/tde/aws/provider.tf.template

@@ -0,0 +1,2 @@
+# Endpoint Attachments can be imported by specifying the clickhouse service UUID
+terraform import clickhouse_service_transparent_data_encryption_key_association.example xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

examples/tde/gcp/variables.tfvars.sample renamed to examples/full/tde/aws/variables.tfvars.sample

@@ -0,0 +1,12 @@
+resource "clickhouse_service" "service" {
+  ...
+}
+
+resource "aws_kms_key" "enc" {
+  ...
+}
+
+resource "clickhouse_service_transparent_data_encryption_key_association" "service_key_association" {
+  service_id = clickhouse_service.service.id
+  key_id = aws_kms_key.enc.arn
+}

examples/tde/gcp/README.md renamed to examples/full/tde/gcp/README.md

@@ -64,6 +64,7 @@ type Service struct {
 	EncryptionAssumedRoleIdentifier string                        `json:"encryptionAssumedRoleIdentifier,omitempty"`
 	HasTransparentDataEncryption    bool                          `json:"hasTransparentDataEncryption,omitempty"`
 	TransparentEncryptionDataKeyID  string                        `json:"transparentDataEncryptionKeyId,omitempty"`
+	EncryptionRoleID                string                        `json:"encryptionRoleId,omitempty"`
 	BackupConfiguration             *BackupConfiguration          `json:"backupConfiguration,omitempty"`
 	ReleaseChannel                  string                        `json:"releaseChannel,omitempty"`
 	QueryAPIEndpoints               *ServiceQueryEndpoint         `json:"-"`

examples/tde/gcp/main.tf renamed to examples/full/tde/gcp/main.tf

@@ -0,0 +1,2 @@
+You can use the *clickhouse_service_transparent_data_encryption_key_association* resource to associate your own Encryption Key with a Clickhouse Service with the Transparent Data Encryption (TDE) feature enabled.
+Please note that this feature requires an organization with the `Enterprise` plan.

examples/tde/gcp/provider.tf renamed to examples/full/tde/gcp/provider.tf

@@ -135,22 +135,22 @@ func (e OptionalEndpoint) ObjectValue() basetypes.ObjectValue {
 
 type TransparentEncryptionData struct {
 	Enabled types.Bool   `tfsdk:"enabled"`
-	KeyID   types.String `tfsdk:"key_id"`
+	RoleID  types.String `tfsdk:"role_id"`
 }
 
 func (t TransparentEncryptionData) ObjectType() types.ObjectType {
 	return types.ObjectType{
 		AttrTypes: map[string]attr.Type{
 			"enabled": types.BoolType,
-			"key_id":  types.StringType,
+			"role_id": types.StringType,
 		},
 	}
 }
 
 func (t TransparentEncryptionData) ObjectValue() basetypes.ObjectValue {
 	return types.ObjectValueMust(t.ObjectType().AttrTypes, map[string]attr.Value{
 		"enabled": t.Enabled,
-		"key_id":  t.KeyID,
+		"role_id": t.RoleID,
 	})
 }
 

examples/tde/gcp/provider.tf.template renamed to examples/full/tde/gcp/provider.tf.template

@@ -0,0 +1,10 @@
+package models
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+type ServiceTransparentDataEncryptionKeyAssociation struct {
+	ServiceID types.String `tfsdk:"service_id"`
+	KeyID     types.String `tfsdk:"key_id"`
+}

examples/tde/aws/variables.tfvars.sample renamed to examples/full/tde/gcp/variables.tfvars.sample

@@ -11,6 +11,7 @@ func GetResourceFactories() []func() upstreamresource.Resource {
 		NewServiceResource,
 		NewPrivateEndpointRegistrationResource,
 		NewServicePrivateEndpointsAttachmentResource,
+		NewServiceTransparentDataEncryptionKeyAssociationResource,
 		NewDatabaseResource,
 		NewClickPipeResource,
 		NewClickPipeReversePrivateEndpointResource,

examples/resources/clickhouse_service_transparent_data_encryption_key_association/import.sh

@@ -11,5 +11,6 @@ func GetResourceFactories() []func() upstreamresource.Resource {
 		NewServiceResource,
 		NewPrivateEndpointRegistrationResource,
 		NewServicePrivateEndpointsAttachmentResource,
+		NewServiceTransparentDataEncryptionKeyAssociationResource,
 	}
 }