
SP-991#845

Open
Thorben Hellweg (thllwg) wants to merge 5 commits into master from SP-991

Conversation


@thllwg Thorben Hellweg (thllwg) commented Oct 2, 2025

Release Notes

New Features

  • Add new optional alias for the self-managed key that can be updated
  • Add new key validation related object fields Phase, Since, Message and Region

Checklist

  • I can successfully build and use a custom Terraform provider binary for Confluent.
  • I have verified my PR with real Confluent Cloud resources in a pre-prod or production environment, or both.
  • I have attached manual Terraform verification results or screenshots in the Test & Review section below.
  • I have included appropriate Terraform acceptance or unit tests for any new resource, data source, or functionality.
  • I have included appropriate Terraform live testing for any new resource, data source, or functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have updated the corresponding documentation and include relevant examples for this PR.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Check this box if the feature is enabled for certain organizations only

What

Blast Radius

  • Confluent Cloud customers who are using confluent_byok_key resource/data-source will be blocked.

References

Test & Review

Generating a BYOK object utilizing new alias field

➜  minimal-aws-byok git:(SP-991) ✗ terraform apply

data.aws_caller_identity.current: Reading...
data.aws_caller_identity.current: Read complete after 1s [id=REDACTED]

Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.kms_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "kms_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:CreateGrant",
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:ListGrants",
              + "kms:ReEncrypt*",
              + "kms:RevokeGrant",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "Allow KMS Use"

          + principals {
              + identifiers = (known after apply)
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "*",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "Enable IAM User Permissions"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::REDACTED:root",
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_kms_key.byok_key will be created
  + resource "aws_kms_key" "byok_key" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + description                        = "KMS key for Confluent BYOK encryption"
      + enable_key_rotation                = false
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + region                             = "us-west-2"
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = (known after apply)
    }

  # aws_kms_key_policy.byok_policy will be created
  + resource "aws_kms_key_policy" "byok_policy" {
      + bypass_policy_lockout_safety_check = false
      + id                                 = (known after apply)
      + key_id                             = (known after apply)
      + policy                             = (known after apply)
      + region                             = "us-west-2"
    }

  # confluent_byok_key.main will be created
  + resource "confluent_byok_key" "main" {
      + display_name = "My AWS BYOK Encryption Key"
      + id           = (known after apply)
      + validation   = (known after apply)

      + aws {
          + key_arn = (known after apply)
          + roles   = (known after apply)
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + aws_kms_key_arn       = (known after apply)
  + byok_key_display_name = "My AWS BYOK Encryption Key"
  + byok_key_id           = (known after apply)
  + confluent_roles       = (known after apply)
  + validation_message    = (known after apply)
  + validation_phase      = (known after apply)
  + validation_region     = (known after apply)
  + validation_since      = (known after apply)

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_kms_key.byok_key: Creating...
aws_kms_key.byok_key: Creation complete after 1s [id=REDACTED]
confluent_byok_key.main: Creating...
confluent_byok_key.main: Creation complete after 2s [id=cck-lw4ke]
data.aws_iam_policy_document.kms_policy: Reading...
data.aws_iam_policy_document.kms_policy: Read complete after 0s [id=2130709017]
aws_kms_key_policy.byok_policy: Creating...
aws_kms_key_policy.byok_policy: Still creating... [10s elapsed]
aws_kms_key_policy.byok_policy: Creation complete after 14s [id=REDACTED]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

aws_kms_key_arn = "arn:aws:kms:us-west-2:REDACTED:key/REDACTED"
byok_key_display_name = "My AWS BYOK Encryption Key"
byok_key_id = "cck-lw4ke"
confluent_roles = toset([
  "arn:aws:iam::REDACTED:role/cc-kafka-e481211c-a2aa-11f0-adf7-76a4917b3b71",
])
validation_message = ""
validation_phase = "INITIALIZING"
validation_region = ""
validation_since = "2025-10-06T11:52:11.511Z"
➜  minimal-aws-byok git:(SP-991) ✗ terraform plan

data.aws_caller_identity.current: Reading...
aws_kms_key.byok_key: Refreshing state... [id=REDACTED]
data.aws_caller_identity.current: Read complete after 0s [id=REDACTED]
confluent_byok_key.main: Refreshing state... [id=cck-lw4ke]
data.aws_iam_policy_document.kms_policy: Reading...
data.aws_iam_policy_document.kms_policy: Read complete after 0s [id=2130709017]
aws_kms_key_policy.byok_policy: Refreshing state... [id=REDACTED]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply"
which may have affected this plan:

  # confluent_byok_key.main has changed
  ~ resource "confluent_byok_key" "main" {
        id           = "cck-lw4ke"
      ~ validation   = [
          ~ {
              ~ phase   = "INITIALIZING" -> "VALID"
              ~ region  = "" -> "us-west-2"
              ~ since   = "2025-10-06T11:52:11.511Z" -> "2025-10-06T11:52:20.384Z"
                # (1 unchanged attribute hidden)
            },
        ]
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes
using ignore_changes, the following plan may include actions to undo or respond to these changes.

──────────────────────────────────────────────────────────────────────────────────────────────────────

Changes to Outputs:
  ~ validation_phase      = "INITIALIZING" -> "VALID"
  ~ validation_region     = "" -> "us-west-2"
  ~ validation_since      = "2025-10-06T11:52:11.511Z" -> "2025-10-06T11:52:20.384Z"

You can apply this plan to save these new output values to the Terraform state, without changing any
real infrastructure.

──────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly
these actions if you run "terraform apply" now.


@thllwg Thorben Hellweg (thllwg) marked this pull request as ready for review October 2, 2025 13:28
@thllwg Thorben Hellweg (thllwg) requested a review from a team as a code owner October 2, 2025 13:28
Copilot AI review requested due to automatic review settings October 2, 2025 13:28

Copilot AI left a comment


Pull Request Overview

Adds optional display name field and validation information to the BYOK (Bring Your Own Key) resource and data source, enabling users to set a human-readable alias for keys that can be updated after creation.

  • Added optional display_name field that can be updated for existing BYOK keys
  • Added computed validation fields (phase, since, message, region) to provide key validation status
  • Added update functionality to support changing the display name

Reviewed Changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 1 comment.

Summary per file:

  • internal/provider/resource_byok_key.go: Added display_name field, validation schema, and update functionality
  • internal/provider/data_source_byok_key.go: Added display_name and validation fields to data source schema
  • internal/testdata/byok/*.json: Added test data files with display_name and validation fields
  • internal/provider/resource_byok_key_*_test.go: Enhanced tests to verify display_name updates and validation field handling
  • go.mod: Updated Go version and byok SDK dependency
  • .go-version: Updated Go version specification


Member


Thanks!

Here are some comments.

@sonarqube-confluent

Passed

Analysis Details

0 Issues

  • 0 Bugs
  • 0 Vulnerabilities
  • 0 Code Smells

Coverage and Duplications

  • Coverage: 93.40% (79.80% estimated after merge)
  • Duplications: no duplication information (0.00% estimated after merge)

Project ID: terraform-provider-confluent


Member


Hi, some more comments.

  1. From the test results, I see ~ validation_phase = "INITIALIZING" -> "VALID". We might want to add a "wait for sync/provision" function that will poll until the backend returns a desirable phase (in this case "VALID"). Is there any external action the user has to take to go from initialization -> valid? If not, we should consider adding the wait function.
  2. Let's update the data source test files too. Since the data source tests use the same json files as the resource tests, I think all we need is a few extra test lines to check the validation fields.
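
One way to implement the polling the reviewer suggests above, as an added Go example that is not part of this PR or the provider's code: the fetchFunc hook and fakeBackend are assumptions standing in for the BYOK SDK read call, and the phase names used are the two seen in the terraform output above.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// KeyValidation mirrors the validation object this PR adds to confluent_byok_key.
type KeyValidation struct{ Phase, Since, Message, Region string }

// fetchFunc reads a key's current validation; in the provider it would wrap the
// BYOK SDK read call (an assumed hook here, not the project's code).
type fetchFunc func(ctx context.Context, keyID string) (KeyValidation, error)

// waitForByokKeyValid polls until the backend reports "VALID". "INITIALIZING" keeps
// polling; any other phase is treated as terminal and surfaced with Message.
func waitForByokKeyValid(ctx context.Context, keyID string, fetch fetchFunc, interval time.Duration) (KeyValidation, error) {
	for {
		v, err := fetch(ctx, keyID)
		if err != nil {
			return v, fmt.Errorf("reading validation for %s: %w", keyID, err)
		}
		switch v.Phase {
		case "VALID":
			return v, nil
		case "INITIALIZING": // not ready yet; wait and re-read below
		default:
			return v, fmt.Errorf("key %s in phase %q (region %q): %s", keyID, v.Phase, v.Region, v.Message)
		}
		select {
		case <-ctx.Done(): // honour the caller's create timeout
			return v, fmt.Errorf("key %s still %s: %w", keyID, v.Phase, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// fakeBackend is a constructed test double: INITIALIZING for the first n reads, then
// VALID with the region and timestamps seen in the PR's terraform output.
func fakeBackend(n int) fetchFunc {
	calls := 0
	return func(context.Context, string) (KeyValidation, error) {
		if calls++; calls <= n {
			return KeyValidation{Phase: "INITIALIZING", Since: "2025-10-06T11:52:11.511Z"}, nil
		}
		return KeyValidation{Phase: "VALID", Since: "2025-10-06T11:52:20.384Z", Region: "us-west-2"}, nil
	}
}
```

The resource's Create would call waitForByokKeyValid with the SDK-backed fetch and the create timeout context, so the state written after apply already carries the settled phase instead of the INITIALIZING snapshot that later shows up as a drift note.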

Implement display name (alias) functionality for BYOK keys with in-place
updates using the new BYOK SDK v0.0.8 PATCH capabilities.

Core Changes:
- Add optional display_name field to confluent_byok_key resource schema
- Implement byokUpdate function using UpdateByokV1Key PATCH API
- Update byokCreate to handle display_name during resource creation
- Enhance setKeyAttributes to read/set display_name from API responses

Testing Updates:
- Add update test scenarios for AWS, Azure, and GCP
- Fix WireMock scenario state management for create→update→verify flows
- Add display_name validation in all acceptance tests

This commit implements support for the new validation object returned by
the BYOK API v0.0.8, which provides key validation status information
to help users monitor and troubleshoot their encryption keys.

**Core Changes:**
- Add validation schema with phase, since, message, and region fields
- Update setKeyAttributes() to parse validation object from API responses
- Add validation support to both resource and data source schemas
- All validation fields are computed-only (no user configuration)
- Update all testdata JSON files with realistic validation examples
paramDisplayName: {
Type: schema.TypeString,
Description: "A human-readable name for the BYOK key.",
Optional: true,

@linouk23 Kostya Linou (linouk23) Jan 7, 2026


Do we want to have both computed and optional here? What's the default value if user doesn't provide display_name in the request data?

Contributor Author


The backend does not compute a default value for this. It's fully optional.


@linouk23 Kostya Linou (linouk23) left a comment


Looks great! Added quick question.

createByokKeyRequest := byok.NewByokV1Key()

// Set display name
displayName := d.Get(paramDisplayName).(string)

@linouk23 Kostya Linou (linouk23) Jan 7, 2026


I recall that some resources only assign this attribute if it is not empty. Will the server still process the request if name is an empty string ("")?

Contributor Author


Yes, patching with an empty value works. Tried an example with the provider to be sure:

Changes to Outputs:
  ~ byok_key_display_name = "My AWS BYOK Encryption Key" -> ""

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.

Outputs:

...
byok_key_display_name = ""
