Hold Your Own Key Support #1862

Merged
ctrombley merged 23 commits intomainfrom
feature/hyok
Oct 10, 2025
Conversation

@iuri-slywitch-hashicorp (Contributor) commented Sep 26, 2025

Description

This particular PR is a combination of a series of PRs that have been approved before. See the Related PRs.

Add the following resources to manage OIDC configurations:

  • tfe_vault_oidc_configuration
  • tfe_aws_oidc_configuration
  • tfe_gcp_oidc_configuration
  • tfe_azure_oidc_configuration

Add the HYOK configuration resource:

  • tfe_hyok_configuration

Add the following data sources for managing HYOK keys:

  • hyok_customer_key_version
  • hyok_encrypted_data_key

Updating the attributes of the following objects to support HYOK related attributes:

  • Workspace, added read-only hyok_enabled attribute for data source and resource.
  • Organization, added enforce-hyok attribute for data source and resource.

Remember to:

Testing plan

Testing HYOK OIDC Configurations:

  • Use a terraform configuration with resources to create, update, read and delete OIDC Configurations:
resource "tfe_aws_oidc_configuration" "aws_oidc_tfe_provider" {
  role_arn = "arn:aws:iam::111111111111:role/example-role-arn"
}

resource "tfe_gcp_oidc_configuration" "gcp_oidc_tfe_provider" {
  service_account_email     = "myemail@gmail.com"
  project_number            = "11111111"
  workload_provider_name    = "projects/1/locations/global/workloadIdentityPools/1/providers/1"
}

resource "tfe_azure_oidc_configuration" "azure_oidc_tfe_provider" {
  client_id         = "application-id1"
  subscription_id   = "subscription-id1"
  tenant_id         = "tenant-id1"
}

resource "tfe_vault_oidc_configuration" "vault_oidc_tfe_provider" {
  address           = "https://my-vault-cluster-public-vault-token.token.z1.hashicorp.cloud:port"
  role_name         = "vault-role-name"
  namespace         = "admin"
  auth_path         = "jwt-auth-path"
}

Testing HYOK Configurations:

  • Use a terraform configuration with resources to create, update, read and delete HYOK Configurations:
resource "tfe_hyok_configuration" "aws_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "aws_hyok_config_provider_test"
  kek_id                  = "arn:aws:kms:rocket:key/21z"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_aws_oidc_configuration.aws_oidc_tfe_provider.id
  oidc_configuration_type = "aws"

  kms_options {
    key_region = "us-east-1"
  }
}

resource "tfe_hyok_configuration" "gcp_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "gcp_hyok_config_provider_test"
  kek_id                  = "rocket_key_id5"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider.id
  oidc_configuration_type = "gcp"

  kms_options {
    key_ring_id  = "YOUR-KEY-RING-ID2"
    key_location = "global"
  }
}

resource "tfe_hyok_configuration" "azure_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "azure_hyok_config_provider_test"
  kek_id                  = "https://coolvaule.vault.azure.net/keys/cool-key2"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_azure_oidc_configuration.azure_oidc_tfe_provider.id
  oidc_configuration_type = "azure"
}

resource "tfe_hyok_configuration" "vault_hyok_config" {
  organization            = "YOUR-HYOK-ORGANIZATION"
  name                    = "vault_hyok_config_provider_test"
  kek_id                  = "rocket_key_id3"
  agent_pool_id           = "YOUR-AGENT-POOL-ID"
  oidc_configuration_id   = tfe_vault_oidc_configuration.vault_oidc_tfe_provider.id
  oidc_configuration_type = "vault"
}

Testing HYOK customer key version and encrypted data key:

  • Use a terraform configuration with data sources to read customer key versions and encrypted data keys:
data "tfe_hyok_customer_key_version" "tfe_hyok_customer_key_version1" {
  id = "keyv-YOUR-KEY-ID"
}

output "tfe_hyok_customer_key_version" {
  value = data.tfe_hyok_customer_key_version.tfe_hyok_customer_key_version1
}

data "tfe_hyok_encrypted_data_key" "tfe_hyok_encrypted_data_key1" {
  id = "dek-YOUR-KEY-ID"
}

output "tfe_hyok_encrypted_data_key" {
  value = data.tfe_hyok_encrypted_data_key.tfe_hyok_encrypted_data_key1
}

Testing HYOK Attributes:

  • Use a terraform configuration with resources to create and update Organizations and read Workspaces with HYOK options via terraform plan and terraform apply:
resource "tfe_organization" "provider-tfe-hyok-test" {
  name         = "provider-tfe-hyok-test"
  email        = "YOUR-EMAIL"
  enforce_hyok = true
}

resource "tfe_workspace" "test-workspace-hyok-enabled" {
  organization = "YOUR-ORG"
  name         = "test-workspace-hyok-enabled"
}
  • Use a terraform configuration with data sources to read Organizations and Workspaces with HYOK options via terraform plan and terraform apply:
data "tfe_organization" "tfe_organization_test" {
  name = "YOUR-ORG"
}

output "tfe_organization" {
  value = data.tfe_organization.tfe_organization_test
}

data "tfe_workspace" "tfe_workspace_test" {
  organization = "YOUR-ORG"
  name = "YOUR-NAME"
}

output "tfe_workspace" {
  value = data.tfe_workspace.tfe_workspace_test
}

External links

Output from acceptance tests

HYOK OIDC Configurations:

  • TestAccTFEVaultOIDCConfiguration_basic:
=== RUN   TestAccTFEVaultOIDCConfiguration_basic
--- PASS: TestAccTFEVaultOIDCConfiguration_basic (3.01s)
PASS
  • TestAccTFEAWSOIDCConfiguration_basic:
=== RUN   TestAccTFEAWSOIDCConfiguration_basic
--- PASS: TestAccTFEAWSOIDCConfiguration_basic (3.28s)
PASS
  • TestAccTFEGCPOIDCConfiguration_basic:
=== RUN   TestAccTFEGCPOIDCConfiguration_basic
--- PASS: TestAccTFEGCPOIDCConfiguration_basic (3.16s)
PASS
  • TestAccTFEAzureOIDCConfiguration_basic:
=== RUN   TestAccTFEAzureOIDCConfiguration_basic
--- PASS: TestAccTFEAzureOIDCConfiguration_basic (2.82s)
PASS

HYOK Configuration:

  • TestAccTFEHYOKConfiguration_basic:
=== RUN   TestAccTFEHYOKConfiguration_basic
--- PASS: TestAccTFEHYOKConfiguration_basic (21.41s)
PASS

HYOK customer key version and encrypted data key:

  • TestAccTFEHYOKCustomerKeyVersionDataSource_basic:
=== RUN   TestAccTFEHYOKCustomerKeyVersionDataSource_basic
--- PASS: TestAccTFEHYOKCustomerKeyVersionDataSource_basic (0.93s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.266s
  • TestAccTFEHYOKEncryptedDataKeyDataSource_basic:
=== RUN   TestAccTFEHYOKEncryptedDataKeyDataSource_basic
--- PASS: TestAccTFEHYOKEncryptedDataKeyDataSource_basic (1.12s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   1.439s

HYOK Attributes:

  • TestAccTFEOrganizationDataSource_readEnforceHYOK:
=== RUN   TestAccTFEOrganizationDataSource_readEnforceHYOK
--- PASS: TestAccTFEOrganizationDataSource_readEnforceHYOK (2.85s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   3.246s
  • TestAccTFEWorkspaceDataSource_readHYOKEnabled:
=== RUN   TestAccTFEWorkspaceDataSource_readHYOKEnabled
--- PASS: TestAccTFEWorkspaceDataSource_readHYOKEnabled (2.38s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   3.008s
  • TestAccTFEWorkspace_HYOKEnabled:
=== RUN   TestAccTFEWorkspace_HYOKEnabled
--- PASS: TestAccTFEWorkspace_HYOKEnabled (3.43s)
PASS
ok      github.com/hashicorp/terraform-provider-tfe/internal/provider   4.094s
  • TestAccTFEOrganization_EnforceHYOK:
=== RUN   TestAccTFEOrganization_EnforceHYOK
    resource_tfe_organization_test.go:211: Skipping test until HYOK configurations can be promoted to primary through the provider. Currently, even if promotion is possible, primary configurations cannot be deleted and leaves dangling resources.
--- SKIP: TestAccTFEOrganization_EnforceHYOK (0.00s)
PASS

Rollback Plan

Changes to Security Controls

Related PRs

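The testing plan above exercises the HYOK resources by hand. A practitioner rolling this out would also want a pre-apply gate that rejects misconfigured key references before Terraform Enterprise ever tries to wrap a data key with them. The following Go program is an added example written for this page; it is not code from the PR or from terraform-provider-tfe. It reads the JSON that `terraform show -json plan.tfplan` produces, walks the planned root-module resources, and flags a `tfe_hyok_configuration` whose `kek_id` does not look like a KMS key ARN (AWS), a Key Vault key identifier (Azure), or is empty (GCP, Vault), whose AWS `kms_options.key_region` disagrees with the ARN region, or whose GCP block lacks `key_ring_id`/`key_location`; it also flags a `tfe_organization` that does not set `enforce_hyok = true`. Assumptions, labelled in the code: the ARN and Key Vault regular expressions are this example's own policy, the plan-JSON encoding of the `kms_options` block (one-element list or bare object) is tolerated rather than known, and `SamplePlan` is a constructed document, not real output. Note that the placeholder ARN from the testing plan (`arn:aws:kms:rocket:key/21z`) is exactly the kind of value the gate is meant to catch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Subset of the `terraform show -json plan.tfplan` document the checks need.
type Plan struct {
	PlannedValues struct {
		RootModule struct{ Resources []Resource `json:"resources"` } `json:"root_module"`
	} `json:"planned_values"`
}

type Resource struct {
	Address string                     `json:"address"`
	Type    string                     `json:"type"`
	Values  map[string]json.RawMessage `json:"values"`
}

// Policy patterns chosen for this example (assumption, not provider validation rules).
var (
	awsKeyARN  = regexp.MustCompile(`^arn:aws:kms:([a-z0-9-]+):\d{12}:key/[0-9a-f-]{36}$`) // region captured; aliases rejected
	azureKeyID = regexp.MustCompile(`^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+(/[0-9a-f]{32})?$`)
)

// field decodes one attribute; absent, null or unknown-at-plan-time values decode to the zero value.
func field[T any](v map[string]json.RawMessage, key string) T {
	var t T
	_ = json.Unmarshal(v[key], &t)
	return t
}

// kmsOptions tolerates both plan-JSON encodings of a nested block (assumption: one-element list or bare object).
func kmsOptions(v map[string]json.RawMessage) map[string]string {
	if list := field[[]map[string]string](v, "kms_options"); len(list) > 0 {
		return list[0]
	}
	return field[map[string]string](v, "kms_options")
}

// CheckHYOKConfiguration returns one finding per policy violation on one tfe_hyok_configuration.
func CheckHYOKConfiguration(r Resource) []string {
	var findings []string
	fail := func(format string, a ...any) {
		findings = append(findings, r.Address+": "+fmt.Sprintf(format, a...))
	}
	kek, opts := field[string](r.Values, "kek_id"), kmsOptions(r.Values)
	switch typ := field[string](r.Values, "oidc_configuration_type"); typ {
	case "aws":
		if m := awsKeyARN.FindStringSubmatch(kek); m == nil {
			fail("kek_id %q is not a KMS key ARN", kek)
		} else if m[1] != opts["key_region"] {
			fail("kms_options.key_region %q differs from ARN region %q", opts["key_region"], m[1])
		}
	case "gcp":
		if kek == "" || opts["key_ring_id"] == "" || opts["key_location"] == "" {
			fail("gcp needs kek_id, kms_options.key_ring_id and kms_options.key_location")
		}
	case "azure":
		if !azureKeyID.MatchString(kek) {
			fail("kek_id %q is not a Key Vault key identifier", kek)
		}
	case "vault":
		if kek == "" {
			fail("kek_id (Vault Transit key name) is empty")
		}
	default:
		fail("unsupported oidc_configuration_type %q", typ)
	}
	return findings
}

// AuditPlan reports HYOK policy violations across planned root-module resources (child modules out of scope here).
func AuditPlan(doc []byte) ([]string, error) {
	var p Plan
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	var findings []string
	for _, r := range p.PlannedValues.RootModule.Resources {
		switch r.Type {
		case "tfe_hyok_configuration":
			findings = append(findings, CheckHYOKConfiguration(r)...)
		case "tfe_organization":
			if !field[bool](r.Values, "enforce_hyok") {
				findings = append(findings, r.Address+": enforce_hyok is not true")
			}
		}
	}
	return findings, nil
}

// SamplePlan is constructed for this example, not real Terraform output: a clean AWS
// configuration, one carrying the testing plan's placeholder ARN, and an organization not enforcing HYOK.
const SamplePlan = `{"format_version":"1.2","planned_values":{"root_module":{"resources":[
{"address":"tfe_hyok_configuration.aws_ok","type":"tfe_hyok_configuration","values":{"oidc_configuration_type":"aws",
 "kek_id":"arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab","kms_options":[{"key_region":"us-east-1"}]}},
{"address":"tfe_hyok_configuration.aws_bad","type":"tfe_hyok_configuration","values":{"oidc_configuration_type":"aws",
 "kek_id":"arn:aws:kms:rocket:key/21z","kms_options":{"key_region":"us-east-1"}}},
{"address":"tfe_organization.lab","type":"tfe_organization","values":{"name":"lab","enforce_hyok":false}}]}}}`

func main() {
	findings, err := AuditPlan([]byte(SamplePlan))
	fmt.Println(findings, err) // two findings for SamplePlan: the placeholder ARN and enforce_hyok=false
}
```

In a pipeline you would feed it `terraform show -json plan.tfplan` on stdin and fail the job when `AuditPlan` returns anything. Because `planned_values` omits attributes that are unknown until apply, the example deliberately does not check `oidc_configuration_id`, which is unknown when the OIDC configuration is created in the same plan.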
dominic-retli-hashi and others added 19 commits September 9, 2025 13:54
…ersion, with some baseline tests that pass for me locally but need to be genericised
…hashicorp/terraform-provider-tfe into dominicretli/TF-28674/hyok-data-objects
…ta-objects

[TF-28674] Add HYOK data sources for HYOKCustomerKeyVersion and HYOKEncryptedDataKey
…e_hyok_customer_key_version_test.go, data_source_hyok_encrypted_data_key_test.go, and resource_tfe_hyok_configuration_test.go
helenjw and others added 2 commits October 1, 2025 13:27
…aces (#1863)

* WIP, almost finishing up tests.

* Updating documentation.

* Removing create and update options for hyok_enabled. Updating test cases.

* Updated documentation.

* Update website/docs/r/organization.html.markdown

Co-authored-by: Helen Jiang <50344290+helenjw@users.noreply.github.com>

* Removed Default argument since attribute is read-only

* Changed documentation for organization data source.

* Moved changes to Attributes Reference

* Updating CHANGELOG.md

* Updated function name in data source organization test.

* Update CHANGELOG.md

Co-authored-by: Chris Trombley <chris.trombley@hashicorp.com>

* Update CHANGELOG.md

Co-authored-by: Chris Trombley <chris.trombley@hashicorp.com>

* Updated test case for tfe_workspace

* Removing orgEmail.

* Updating test cases. Removing HYOK_WORKSPACE_NAME

* Refactor HYOK tests to use createPremiumOrganization function and remove environment variable dependency where possible

* Remove HYOK_ORGANIZATION_NAME env variable entirely

* Wait for test_failed before attempting to revoke HYOK config

---------

Co-authored-by: Helen Jiang <50344290+helenjw@users.noreply.github.com>
Co-authored-by: Chris Trombley <chris.trombley@hashicorp.com>
Co-authored-by: Helen Jiang <helen.jiang@hashicorp.com>
@iuri-slywitch-hashicorp iuri-slywitch-hashicorp marked this pull request as ready for review October 7, 2025 17:57
@iuri-slywitch-hashicorp iuri-slywitch-hashicorp requested a review from a team as a code owner October 7, 2025 17:57
@ctrombley ctrombley (Collaborator) left a comment

This looks good to me. In the future if it's possible to submit the PRs separately it would be appreciated!

Comment on lines +22 to +23
_ resource.ResourceWithConfigure = &resourceTFEAWSOIDCConfiguration{}
_ resource.ResourceWithImportState = &resourceTFEAWSOIDCConfiguration{}

nit:

Suggested change:
_ resource.Resource = &resourceTFEAWSOIDCConfiguration{}
_ resource.ResourceWithConfigure = &resourceTFEAWSOIDCConfiguration{}
_ resource.ResourceWithImportState = &resourceTFEAWSOIDCConfiguration{}

@ctrombley ctrombley merged commit 710b431 into main Oct 10, 2025
29 checks passed
@ctrombley ctrombley deleted the feature/hyok branch October 10, 2025 19:44