[TF-27661] Add support for HYOK related attributes

[iuri-slywitch-hashicorp]

Description

Add support for HYOK related attributes in existing go-tfe objects:

• agent_pool related attributes:

  • HYOKConfigurations: read only.

• organization related attributes:

  • EnforceHYOK: create, read, update.
  • PrimaryHYOKConfiguration: read only.
  • CanUpdateHYOKConfiguration added in OrganizationPermissions.
  • CanViewHYOKFeatureInfo added in OrganizationPermissions.

• plan related attributes:

  • HYOKEncryptedDataKey: read only.
  • SanitizedPlan: read only.

• state_version related attributes:

  • EncryptedStateDownloadURL: read only.
  • SanitizedStateDownloadURL: read only.
  • SanitizedStateUploadURL: read only.
  • UploadSanitizedState(): function to upload sanitized state.
  • HYOKEncryptedDataKey: read only.

• workspace related attributes:

  • HYOKEnabled: create, read, update.
  • CanManageHYOK added in WorkspacePermissions.
  • HYOKEncryptedDataKey: read only.

Testing plan

Test files ensure the attributes are populated when using the go-tfe objects.

External links

• JIRA
  • TF-27661

Output from tests

agent_pool test cases:

• TestAgentPoolsRead

=== RUN   TestAgentPoolsRead
=== RUN   TestAgentPoolsRead/read_existing_hyok_configurations_of_an_agent_pool
--- PASS: TestAgentPoolsRead (0.38s)
    --- PASS: TestAgentPoolsRead/read_existing_hyok_configurations_of_an_agent_pool (0.16s)
PASS
ok      github.com/hashicorp/go-tfe     0.849s

organization test cases:

• TestOrganizationsRead

=== RUN   TestOrganizationsRead
=== RUN   TestOrganizationsRead/read_existing_primary_hyok_configuration_of_an_organization
--- PASS: TestOrganizationsRead (0.46s)
    --- PASS: TestOrganizationsRead/read_existing_primary_hyok_configuration_of_an_organization (0.18s)
PASS
ok      github.com/hashicorp/go-tfe     0.976s

=== RUN   TestOrganizationsRead
=== RUN   TestOrganizationsRead/read_enforce_hyok_of_an_organization
--- PASS: TestOrganizationsRead (0.39s)
    --- PASS: TestOrganizationsRead/read_enforce_hyok_of_an_organization (0.15s)
PASS
ok      github.com/hashicorp/go-tfe     0.605s

• TestOrganizationsUpdate

=== RUN   TestOrganizationsUpdate
=== RUN   TestOrganizationsUpdate/update_enforce_hyok_of_an_organization_to_true
--- PASS: TestOrganizationsUpdate (0.73s)
    --- PASS: TestOrganizationsUpdate/update_enforce_hyok_of_an_organization_to_true (0.21s)
PASS
ok      github.com/hashicorp/go-tfe     0.978s

=== RUN   TestOrganizationsUpdate
=== RUN   TestOrganizationsUpdate/update_enforce_hyok_of_an_organization_to_false
--- PASS: TestOrganizationsUpdate (1.00s)
    --- PASS: TestOrganizationsUpdate/update_enforce_hyok_of_an_organization_to_false (0.59s)
PASS
ok      github.com/hashicorp/go-tfe     1.242s

plan test cases:

• TestPlansRead

=== RUN   TestPlansRead
=== RUN   TestPlansRead/read_sanitized_plan_of_a_plan
--- PASS: TestPlansRead (0.85s)
    --- PASS: TestPlansRead/read_sanitized_plan_of_a_plan (0.45s)
PASS
ok      github.com/hashicorp/go-tfe     1.335s

=== RUN   TestPlansRead
=== RUN   TestPlansRead/read_hyok_encrypted_data_key_of_a_plan
--- PASS: TestPlansRead (0.90s)
    --- PASS: TestPlansRead/read_hyok_encrypted_data_key_of_a_plan (0.50s)
PASS
ok      github.com/hashicorp/go-tfe     1.397s

state_version test cases:

• TestStateVersionsRead

=== RUN   TestStateVersionsRead
=== RUN   TestStateVersionsRead/read_encrypted_state_download_url_of_a_state_version
--- PASS: TestStateVersionsRead (3.69s)
    --- PASS: TestStateVersionsRead/read_encrypted_state_download_url_of_a_state_version (0.45s)
PASS
ok      github.com/hashicorp/go-tfe     4.154s

=== RUN   TestStateVersionsRead
=== RUN   TestStateVersionsRead/read_sanitized_state_download_url_of_a_state_version
--- PASS: TestStateVersionsRead (3.41s)
    --- PASS: TestStateVersionsRead/read_sanitized_state_download_url_of_a_state_version (0.30s)
PASS
ok      github.com/hashicorp/go-tfe     3.641s

=== RUN   TestStateVersionsRead
=== RUN   TestStateVersionsRead/read_hyok_encrypted_data_key_of_a_state_version
--- PASS: TestStateVersionsRead (4.34s)
    --- PASS: TestStateVersionsRead/read_hyok_encrypted_data_key_of_a_state_version (0.28s)
PASS
ok      github.com/hashicorp/go-tfe     4.573s

workspace test cases:

• TestWorkspacesCreate

=== RUN   TestWorkspacesCreate
=== RUN   TestWorkspacesCreate/create_workspace_with_hyok_enabled_set_to_true
--- PASS: TestWorkspacesCreate (4.41s)
    --- PASS: TestWorkspacesCreate/create_workspace_with_hyok_enabled_set_to_true (3.62s)
PASS
ok      github.com/hashicorp/go-tfe     4.655s

=== RUN   TestWorkspacesCreate
=== RUN   TestWorkspacesCreate/create_workspace_with_hyok_enabled_set_to_false
--- PASS: TestWorkspacesCreate (1.73s)
    --- PASS: TestWorkspacesCreate/create_workspace_with_hyok_enabled_set_to_false (1.02s)
PASS

• TestWorkspacesRead

=== RUN   TestWorkspacesRead
=== RUN   TestWorkspacesRead/read_hyok_enabled_of_a_workspace
--- PASS: TestWorkspacesRead (0.87s)
    --- PASS: TestWorkspacesRead/read_hyok_enabled_of_a_workspace (0.58s)
PASS
ok      github.com/hashicorp/go-tfe     1.359s

• TestWorkspacesUpdate

=== RUN   TestWorkspacesUpdate
=== RUN   TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_false_to_false
--- PASS: TestWorkspacesUpdate (1.34s)
    --- PASS: TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_false_to_false (0.92s)
PASS
ok      github.com/hashicorp/go-tfe     1.827s

=== RUN   TestWorkspacesUpdate
=== RUN   TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_false_to_true
--- PASS: TestWorkspacesUpdate (3.05s)
    --- PASS: TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_false_to_true (2.69s)
PASS
ok      github.com/hashicorp/go-tfe     3.289s

=== RUN   TestWorkspacesUpdate
=== RUN   TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_true_to_true
--- PASS: TestWorkspacesUpdate (1.87s)
    --- PASS: TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_true_to_true (1.24s)
PASS
ok      github.com/hashicorp/go-tfe     2.413s

=== RUN   TestWorkspacesUpdate
=== RUN   TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_true_to_false
--- PASS: TestWorkspacesUpdate (0.70s)
    --- PASS: TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_true_to_false (0.32s)
PASS
ok      github.com/hashicorp/go-tfe     0.934s

Output hyok-testing.sh

TestAgentPoolsRead/read_hyok_configurations_of_an_agent_pool: PASS
TestPlansRead/read_hyok_encrypted_data_key_of_a_plan: PASS
TestPlansRead/read_sanitized_plan_of_a_plan: PASS
TestWorkspacesCreate/create_workspace_with_hyok_enabled_set_to_false: PASS
TestWorkspacesCreate/create_workspace_with_hyok_enabled_set_to_true: PASS
TestWorkspacesRead/read_hyok_enabled_of_a_workspace: PASS
TestWorkspacesRead/read_hyok_encrypted_data_key_of_a_workspace: PASS
TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_false_to_false: PASS
TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_false_to_true: PASS
TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_true_to_true: PASS
TestWorkspacesUpdate/update_hyok_enabled_of_a_workspace_from_true_to_false: PASS
TestOrganizationsRead/read_primary_hyok_configuration_of_an_organization: PASS
TestOrganizationsRead/read_enforce_hyok_of_an_organization: PASS
TestOrganizationsUpdate/update_enforce_hyok_of_an_organization_to_true: PASS
TestOrganizationsUpdate/update_enforce_hyok_of_an_organization_to_false: PASS
TestStateVersionsRead/read_encrypted_state_download_url_of_a_state_version: PASS
TestStateVersionsRead/read_sanitized_state_download_url_of_a_state_version: PASS
TestStateVersionsRead/read_hyok_encrypted_data_key_of_a_state_version: PASS
TestStateVersionsUpload/uploading_state_using_SanitizedStateUploadURL_and_verifying_SanitizedStateDownloadURL_exists: PASS
TestStateVersionsUpload/SanitizedStateUploadURL_is_required_when_uploading_sanitized_state: PASS
TestAWSOIDCConfigurationCreateDelete/with_valid_options: PASS
TestAWSOIDCConfigurationCreateDelete/missing_role_ARN: PASS
TestAWSOIDCConfigurationRead/fetch_existing_configuration: PASS
TestAWSOIDCConfigurationRead/fetching_non-existing_configuration: PASS
TestAWSOIDCConfigurationsUpdate/with_valid_options: PASS
TestAWSOIDCConfigurationsUpdate/missing_role_ARN: PASS
TestAzureOIDCConfigurationCreateDelete/with_valid_options: PASS
TestAzureOIDCConfigurationCreateDelete/missing_client_ID: PASS
TestAzureOIDCConfigurationCreateDelete/missing_subscription_ID: PASS
TestAzureOIDCConfigurationCreateDelete/missing_tenant_ID: PASS
TestAzureOIDCConfigurationRead/fetch_existing_configuration: PASS
TestAzureOIDCConfigurationRead/fetching_non-existing_configuration: PASS
TestAzureOIDCConfigurationUpdate/update_all_fields: PASS
TestAzureOIDCConfigurationUpdate/client_ID_not_provided: PASS
TestAzureOIDCConfigurationUpdate/subscription_ID_not_provided: PASS
TestAzureOIDCConfigurationUpdate/tenant_ID_not_provided: PASS
TestGCPOIDCConfigurationCreateDelete/with_valid_options: PASS
TestGCPOIDCConfigurationCreateDelete/missing_workload_provider_name: PASS
TestGCPOIDCConfigurationCreateDelete/missing_service_account_email: PASS
TestGCPOIDCConfigurationCreateDelete/missing_project_number: PASS
TestGCPOIDCConfigurationRead/fetch_existing_configuration: PASS
TestGCPOIDCConfigurationRead/fetching_non-existing_configuration: PASS
TestGCPOIDCConfigurationUpdate/update_all_fields: PASS
TestGCPOIDCConfigurationUpdate/workload_provider_name_not_provided: PASS
TestGCPOIDCConfigurationUpdate/service_account_email_not_provided: PASS
TestGCPOIDCConfigurationUpdate/project_number_not_provided: PASS
TestVaultOIDCConfigurationCreateDelete/with_valid_options: PASS
TestVaultOIDCConfigurationCreateDelete/missing_address: PASS
TestVaultOIDCConfigurationCreateDelete/missing_role_name: PASS
TestVaultOIDCConfigurationRead/fetch_existing_configuration: PASS
TestVaultOIDCConfigurationRead/fetching_non-existing_configuration: PASS
TestVaultOIDCConfigurationUpdate/update_all_fields: PASS
TestVaultOIDCConfigurationUpdate/address_not_provided: PASS
TestVaultOIDCConfigurationUpdate/role_name_not_provided: PASS
TestVaultOIDCConfigurationUpdate/namespace_not_provided: PASS
TestVaultOIDCConfigurationUpdate/JWTAuthPath_not_provided: PASS
TestVaultOIDCConfigurationUpdate/TLSCACertificate_not_provided: PASS
TestHYOKCustomerKeyVersionsList/with_no_list_options: PASS
TestHYOKCustomerKeyVersionsRead/read_an_existing_key_version: PASS
TestHYOKEncryptedDataKeyRead/read_an_existing_encrypted_data_key: PASS
TestHYOKConfigurationCreateRevokeDelete/AWS_with_valid_options: PASS
TestHYOKConfigurationCreateRevokeDelete/AWS_with_missing_key_region: PASS
TestHYOKConfigurationCreateRevokeDelete/GCP_with_valid_options: PASS
TestHYOKConfigurationCreateRevokeDelete/GCP_with_missing_key_location: PASS
TestHYOKConfigurationCreateRevokeDelete/GCP_with_missing_key_ring_ID: PASS
TestHYOKConfigurationCreateRevokeDelete/Vault_with_valid_options: PASS
TestHYOKConfigurationCreateRevokeDelete/Azure_with_valid_options: PASS
TestHYOKConfigurationCreateRevokeDelete/with_missing_KEK_ID: PASS
TestHYOKConfigurationCreateRevokeDelete/with_missing_agent_pool: PASS
TestHYOKConfigurationCreateRevokeDelete/with_missing_OIDC_config: PASS
TestHyokConfigurationList/without_list_options: PASS
TestHyokConfigurationRead/AWS: PASS
TestHyokConfigurationRead/Azure: PASS
TestHyokConfigurationRead/GCP: PASS
TestHyokConfigurationRead/Vault: PASS
TestHyokConfigurationRead/fetching_non-existing_configuration: PASS
TestHYOKConfigurationUpdate/AWS_with_valid_options: PASS
TestHYOKConfigurationUpdate/GCP_with_valid_options: PASS
TestHYOKConfigurationUpdate/Vault_with_valid_options: PASS
TestHYOKConfigurationUpdate/Azure_with_valid_options: PASS

[SwiftEngineer]

I only had one nit, other than that this looks great to me 👍

That being said, I would recommend waiting to merge this branch until we've implemented the terraform provider HYOK support, just to make sure it's got everything we need and to reduce the chances of us releasing a version of go-tfe with "broken" support for HYOK.

[dominic-retli-hashi]

Do we need representation for hyok_customer_key_version?
I noticed its not mentioned in this ticket, but we do plan to add a terraform-tfe-provider data source for it.

EDIT: Nevermind I see this was already added in a different PR!

[iuri-slywitch-hashicorp]

Setting up staging environment for testing:

envchain --set STAGING_ENVCHAIN TFE_ADDRESS TFE_TOKEN SKIP_HYOK_INTEGRATION_TESTS HYOK_ORGANIZATION_NAME HYOK_WORKSPACE_NAME HYOK_POOL_ID HYOK_PLAN_ID HYOK_STATE_VERSION_ID HYOK_CUSTOMER_KEY_VERSION_ID HYOK_ENCRYPTED_DATA_KEY_ID

hyok-testing.sh

#!/bin/bash

env="STAGING_ENVCHAIN"
pairs=(
    # HYOK Attributes testing
    # -- Agent Pools
    "TestAgentPoolsRead:read_hyok_configurations_of_an_agent_pool"
    # -- Plans
    "TestPlansRead:read_hyok_encrypted_data_key_of_a_plan"
    "TestPlansRead:read_sanitized_plan_of_a_plan"
    # -- Workspaces
    "TestWorkspacesCreate:create_workspace_with_hyok_enabled_set_to_false"
    "TestWorkspacesCreate:create_workspace_with_hyok_enabled_set_to_true"
    "TestWorkspacesRead:read_hyok_enabled_of_a_workspace"
    "TestWorkspacesRead:read_hyok_encrypted_data_key_of_a_workspace"
    "TestWorkspacesUpdate:update_hyok_enabled_of_a_workspace_from_false_to_false"
    "TestWorkspacesUpdate:update_hyok_enabled_of_a_workspace_from_false_to_true"
    "TestWorkspacesUpdate:update_hyok_enabled_of_a_workspace_from_true_to_true"
    "TestWorkspacesUpdate:update_hyok_enabled_of_a_workspace_from_true_to_false"
    # -- Organizations
    "TestOrganizationsRead:read_primary_hyok_configuration_of_an_organization"
    "TestOrganizationsRead:read_enforce_hyok_of_an_organization"
    "TestOrganizationsUpdate:update_enforce_hyok_of_an_organization_to_true"
    "TestOrganizationsUpdate:update_enforce_hyok_of_an_organization_to_false"
    # -- State Versions
    "TestStateVersionsRead:read_encrypted_state_download_url_of_a_state_version"
    "TestStateVersionsRead:read_sanitized_state_download_url_of_a_state_version"
    "TestStateVersionsRead:read_hyok_encrypted_data_key_of_a_state_version"
    "TestStateVersionsUpload:uploading_state_using_SanitizedStateUploadURL_and_verifying_SanitizedStateDownloadURL_exists"
    "TestStateVersionsUpload:SanitizedStateUploadURL_is_required_when_uploading_sanitized_state"

    # AWS OIDC Configuration testing
    "TestAWSOIDCConfigurationCreateDelete:with_valid_options"
    "TestAWSOIDCConfigurationCreateDelete:missing_role_ARN"
    "TestAWSOIDCConfigurationRead:fetch_existing_configuration"
    "TestAWSOIDCConfigurationRead:fetching_non-existing_configuration"
    "TestAWSOIDCConfigurationsUpdate:with_valid_options"
    "TestAWSOIDCConfigurationsUpdate:missing_role_ARN"

    # Azure OIDC Configuration testing
    "TestAzureOIDCConfigurationCreateDelete:with_valid_options"
    "TestAzureOIDCConfigurationCreateDelete:missing_client_ID"
    "TestAzureOIDCConfigurationCreateDelete:missing_subscription_ID"
    "TestAzureOIDCConfigurationCreateDelete:missing_tenant_ID"
    "TestAzureOIDCConfigurationRead:fetch_existing_configuration"
    "TestAzureOIDCConfigurationRead:fetching_non-existing_configuration"
    "TestAzureOIDCConfigurationUpdate:update_all_fields"
    "TestAzureOIDCConfigurationUpdate:client_ID_not_provided"
    "TestAzureOIDCConfigurationUpdate:subscription_ID_not_provided"
    "TestAzureOIDCConfigurationUpdate:tenant_ID_not_provided"

    # GCP OIDC Configuration testing
    "TestGCPOIDCConfigurationCreateDelete:with_valid_options"
    "TestGCPOIDCConfigurationCreateDelete:missing_workload_provider_name"
    "TestGCPOIDCConfigurationCreateDelete:missing_service_account_email"
    "TestGCPOIDCConfigurationCreateDelete:missing_project_number"
    "TestGCPOIDCConfigurationRead:fetch_existing_configuration"
    "TestGCPOIDCConfigurationRead:fetching_non-existing_configuration"
    "TestGCPOIDCConfigurationUpdate:update_all_fields"
    "TestGCPOIDCConfigurationUpdate:workload_provider_name_not_provided"
    "TestGCPOIDCConfigurationUpdate:service_account_email_not_provided"
    "TestGCPOIDCConfigurationUpdate:project_number_not_provided"

    # Vault OIDC Configuration testing
    "TestVaultOIDCConfigurationCreateDelete:with_valid_options"
    "TestVaultOIDCConfigurationCreateDelete:missing_address"
    "TestVaultOIDCConfigurationCreateDelete:missing_role_name"
    "TestVaultOIDCConfigurationRead:fetch_existing_configuration"
    "TestVaultOIDCConfigurationRead:fetching_non-existing_configuration"
    "TestVaultOIDCConfigurationUpdate:update_all_fields"
    "TestVaultOIDCConfigurationUpdate:address_not_provided"
    "TestVaultOIDCConfigurationUpdate:role_name_not_provided"
    "TestVaultOIDCConfigurationUpdate:namespace_not_provided"
    "TestVaultOIDCConfigurationUpdate:JWTAuthPath_not_provided"
    "TestVaultOIDCConfigurationUpdate:TLSCACertificate_not_provided"

    # HYOK Customer Key Version testing
    "TestHYOKCustomerKeyVersionsList:with_no_list_options"
    "TestHYOKCustomerKeyVersionsRead:read_an_existing_key_version"

    # HYOK Encrypted Data Key testing
    "TestHYOKEncryptedDataKeyRead:read_an_existing_encrypted_data_key"

    # HYOK Configurations testing
    "TestHYOKConfigurationCreateRevokeDelete:AWS_with_valid_options"
    "TestHYOKConfigurationCreateRevokeDelete:AWS_with_missing_key_region"
    "TestHYOKConfigurationCreateRevokeDelete:GCP_with_valid_options"
    "TestHYOKConfigurationCreateRevokeDelete:GCP_with_missing_key_location"
    "TestHYOKConfigurationCreateRevokeDelete:GCP_with_missing_key_ring_ID"
    "TestHYOKConfigurationCreateRevokeDelete:Vault_with_valid_options"
    "TestHYOKConfigurationCreateRevokeDelete:Azure_with_valid_options"
    "TestHYOKConfigurationCreateRevokeDelete:with_missing_KEK_ID"
    "TestHYOKConfigurationCreateRevokeDelete:with_missing_agent_pool"
    "TestHYOKConfigurationCreateRevokeDelete:with_missing_OIDC_config"
    "TestHyokConfigurationList:without_list_options"
    "TestHyokConfigurationRead:AWS"
    "TestHyokConfigurationRead:Azure"
    "TestHyokConfigurationRead:GCP"
    "TestHyokConfigurationRead:Vault"
    "TestHyokConfigurationRead:fetching_non-existing_configuration"
    "TestHYOKConfigurationUpdate:AWS_with_valid_options"
    "TestHYOKConfigurationUpdate:GCP_with_valid_options"
    "TestHYOKConfigurationUpdate:Vault_with_valid_options"
    "TestHYOKConfigurationUpdate:Azure_with_valid_options"
)

for pair in "${pairs[@]}"; do
    IFS=':' read -r parent child <<< "$pair"
    result=$(envchain ${env} go test -run "^${parent}$/^${child}$" -v ./...)
    status="\033[33mUNKNOWN\033[0m" # yellow by default
    if echo "$result" | grep -q "^--- PASS: ${parent}"; then
        status="\033[32mPASS\033[0m" # green
    elif echo "$result" | grep -q "^--- FAIL: ${parent}"; then
        status="\033[31mFAIL\033[0m" # red
    fi
    echo -e "\033[34m${parent}/${child}\033[0m: ${status}"
done

[Maed223]

Code changes are looking good. We could probably better encapsulate the use skipHYOKIntegrationTests into a helper similar to skipUnlessBeta or skipUnlessEnterprise for example, but that's non-blocking.

[iuri-slywitch-hashicorp]

Unsure what's the Lint error, would appreciate if anyone knows the reason?

[iuri-slywitch-hashicorp]

Testing again...
HYOK attributes:

OIDC configurations:

HYOK stuff:

[iuri-slywitch-hashicorp]

If the attribute ENABLE_HYOK_INTEGRATION_TESTS is not available or not set to 1:

[helenjw]

✨LGTM!

[github-actions]

Reminder to the contributor that merged this PR: if your changes have added important functionality or fixed a relevant bug, open a follow-up PR to update CHANGELOG.md with a note on your changes.