diff --git a/internal/consts/consts.go b/internal/consts/consts.go index 38a0ee9225..5016568440 100644 --- a/internal/consts/consts.go +++ b/internal/consts/consts.go @@ -501,6 +501,10 @@ const ( FieldHybridKeyTypePQC = "hybrid_key_type_pqc" FieldSignatureContext = "signature_context" FieldDisableAutomatedRotation = "disable_automated_rotation" + FieldKey = "key" + FieldPlaintext = "plaintext" + FieldCiphertext = "ciphertext" + FieldIV = "iv" FieldIntervalDuration = "interval_duration" FieldMaintainStoredCertificateCounts = "maintain_stored_certificate_counts" @@ -624,6 +628,7 @@ const ( VaultVersion1185 = "1.18.5" VaultVersion119 = "1.19.0" VaultVersion120 = "1.20.0" + VaultVersion121 = "1.21.0" /* Vault auth methods diff --git a/internal/provider/meta.go b/internal/provider/meta.go index f618cf946a..8b72402469 100644 --- a/internal/provider/meta.go +++ b/internal/provider/meta.go @@ -49,6 +49,7 @@ var ( VaultVersion1185 = version.Must(version.NewSemver(consts.VaultVersion1185)) VaultVersion119 = version.Must(version.NewSemver(consts.VaultVersion119)) VaultVersion120 = version.Must(version.NewSemver(consts.VaultVersion120)) + VaultVersion121 = version.Must(version.NewSemver(consts.VaultVersion121)) TokenTTLMinRecommended = time.Minute * 15 ) diff --git a/vault/data_source_transit_decrypt.go b/vault/data_source_transit_decrypt.go index a191e92395..0aaa6a48b1 100644 --- a/vault/data_source_transit_decrypt.go +++ b/vault/data_source_transit_decrypt.go @@ -6,6 +6,7 @@ package vault import ( "encoding/base64" "fmt" + "github.com/hashicorp/terraform-provider-vault/internal/consts" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" 
@@ -17,28 +18,28 @@ func transitDecryptDataSource() *schema.Resource { Read: provider.ReadWrapper(transitDecryptDataSourceRead), Schema: map[string]*schema.Schema{ - "key": { + consts.FieldKey: { Type: schema.TypeString, Required: true, Description: "Name of the decryption key to use.", }, - "backend": { + consts.FieldBackend: { Type: schema.TypeString, Required: true, Description: "The Transit secret backend the key belongs to.", }, - "plaintext": { + consts.FieldPlaintext: { Type: schema.TypeString, Computed: true, Description: "Decrypted plain text", Sensitive: true, }, - "context": { + consts.FieldContext: { Type: schema.TypeString, Optional: true, Description: "Specifies the context for key derivation", }, - "ciphertext": { + consts.FieldCiphertext: { Type: schema.TypeString, Required: true, Description: "Transit encrypted cipher text.", @@ -53,14 +54,14 @@ func transitDecryptDataSourceRead(d *schema.ResourceData, meta interface{}) erro return e } - backend := d.Get("backend").(string) - key := d.Get("key").(string) - ciphertext := d.Get("ciphertext").(string) + backend := d.Get(consts.FieldBackend).(string) + key := d.Get(consts.FieldKey).(string) + ciphertext := d.Get(consts.FieldCiphertext).(string) context := base64.StdEncoding.EncodeToString([]byte(d.Get("context").(string))) payload := map[string]interface{}{ - "ciphertext": ciphertext, - "context": context, + consts.FieldCiphertext: ciphertext, + consts.FieldContext: context, } decryptedData, err := client.Logical().Write(backend+"/decrypt/"+key, payload) 
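Review bot: `d.Get("context")` in transitDecryptDataSourceRead is the one schema key still spelled as a literal in a hunk that moves every other key to `consts`, so the read and the payload key (`consts.FieldContext`, two lines below) can now drift independently; change it to `context := base64.StdEncoding.EncodeToString([]byte(d.Get(consts.FieldContext).(string)))`. The function continues past the end of this hunk.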
@@ -68,10 +69,10 @@ func transitDecryptDataSourceRead(d *schema.ResourceData, meta interface{}) erro return fmt.Errorf("issue encrypting with key: %s", err) } - plaintext, _ := base64.StdEncoding.DecodeString(decryptedData.Data["plaintext"].(string)) + plaintext, _ := base64.StdEncoding.DecodeString(decryptedData.Data[consts.FieldPlaintext].(string)) d.SetId(base64.StdEncoding.EncodeToString([]byte(ciphertext))) - d.Set("plaintext", string(plaintext)) + d.Set(consts.FieldPlaintext, string(plaintext)) return nil } diff --git a/vault/data_source_transit_decrypt_test.go b/vault/data_source_transit_decrypt_test.go index 6ab666055c..4cc334f568 100644 --- a/vault/data_source_transit_decrypt_test.go +++ b/vault/data_source_transit_decrypt_test.go @@ -10,7 +10,7 @@ import ( "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-plugin-testing/terraform" - + "github.com/hashicorp/terraform-provider-vault/internal/provider" "github.com/hashicorp/terraform-provider-vault/testutil" ) @@ -20,7 +20,26 @@ func TestDataSourceTransitDecrypt(t *testing.T) { PreCheck: func() { testutil.TestAccPreCheck(t) }, Steps: []resource.TestStep{ { - Config: testDataSourceTransitDecrypt_config, + Config: fmt.Sprintf(testDataSourceTransitDecrypt_config, "", ""), + Check: testDataSourceTransitDecrypt_check, + }, + { + Config: fmt.Sprintf(testDataSourceTransitDecrypt_config, `type = "rsa-2048"`, ""), + Check: testDataSourceTransitDecrypt_check, + }, + }, + }) + + resource.Test(t, resource.TestCase{ + ProtoV5ProviderFactories: testAccProtoV5ProviderFactories(context.Background(), t), + PreCheck: func() { + testutil.TestAccPreCheck(t) + testutil.TestEntPreCheck(t) + SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion121) + }, + Steps: []resource.TestStep{ + { + Config: fmt.Sprintf(testDataSourceTransitDecrypt_config, `type = "aes128-cbc"`, `iv = "YmxvY2stc2l6ZS12YWx1ZQ=="`), Check: testDataSourceTransitDecrypt_check, }, }, 
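Review bot: The rewritten `plaintext, _ := base64.StdEncoding.DecodeString(decryptedData.Data[consts.FieldPlaintext].(string))` line still discards the decode error and performs an unchecked type assertion, so a malformed or missing `plaintext` in the Vault response either panics the provider or silently writes a truncated/empty plaintext into state, which a consumer cannot distinguish from a genuine decryption result. The unchanged context line above it also reports `issue encrypting with key` on the decrypt path, which misleads anyone triaging logs; it should read `return fmt.Errorf("issue decrypting with key: %s", err)`. Checking the assertion and propagating the decode error keeps failures loud; the `d.Set` result on the following line is dropped as well and could be returned the same way.
```go
	if decryptedData == nil || decryptedData.Data == nil {
		return fmt.Errorf("no data in response from %s/decrypt/%s", backend, key)
	}
	raw, ok := decryptedData.Data[consts.FieldPlaintext].(string)
	if !ok {
		return fmt.Errorf("no plaintext in response from %s/decrypt/%s", backend, key)
	}
	plaintext, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return fmt.Errorf("decoding plaintext from %s/decrypt/%s: %w", backend, key, err)
	}
	// … unchanged: SetId and Set of plaintext …
```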
@@ -38,12 +57,14 @@ resource "vault_transit_secret_backend_key" "test" { name = "test" backend = vault_mount.test.path deletion_allowed = true + %s } data "vault_transit_encrypt" "test" { backend = vault_mount.test.path key = vault_transit_secret_backend_key.test.name plaintext = "foo" + %s } data "vault_transit_decrypt" "test" { diff --git a/vault/data_source_transit_encrypt.go b/vault/data_source_transit_encrypt.go index 198c790509..cdb8d41e0c 100644 --- a/vault/data_source_transit_encrypt.go +++ b/vault/data_source_transit_encrypt.go @@ -6,6 +6,7 @@ package vault import ( "encoding/base64" "fmt" + "github.com/hashicorp/terraform-provider-vault/internal/consts" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" @@ -17,33 +18,38 @@ func transitEncryptDataSource() *schema.Resource { Read: provider.ReadWrapper(transitEncryptDataSourceRead), Schema: map[string]*schema.Schema{ - "key": { + consts.FieldKey: { Type: schema.TypeString, Required: true, Description: "Name of the encryption key to use.", }, - "backend": { + consts.FieldBackend: { Type: schema.TypeString, Required: true, Description: "The Transit secret backend the key belongs to.", }, - "plaintext": { + consts.FieldPlaintext: { Type: schema.TypeString, Required: true, Description: "Map of strings read from Vault.", Sensitive: true, }, - "context": { + consts.FieldContext: { Type: schema.TypeString, Optional: true, Description: "Specifies the context for key derivation", }, - "key_version": { + consts.FieldKeyVersion: { Type: schema.TypeInt, Optional: true, Description: "The version of the key to use for encryption", }, - "ciphertext": { + consts.FieldIV: { + Type: schema.TypeString, + Optional: true, + Description: "", + }, + consts.FieldCiphertext: { Type: schema.TypeString, Computed: true, Description: "Transit encrypted cipher text.", 
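Review bot: The new `consts.FieldIV` schema entry in transitEncryptDataSource ships with `Description: ""`, so provider docs and `terraform providers schema` show nothing for a parameter whose misuse weakens CBC encryption. A value fixed in configuration is sent on every read of this data source, so the same IV is reused for every plaintext encrypted under the key — that caveat belongs in the description, e.g. `Description: "Base64-encoded IV to use when encrypting with an AES-CBC key. A value fixed in configuration is reused on every read of this data source; only set it when the caller guarantees per-plaintext uniqueness.",`. Whether Vault generates a random IV when the field is omitted is not visible here and is worth stating once confirmed. The schema map's closing lines fall outside this hunk.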
@@ -58,16 +64,18 @@ func transitEncryptDataSourceRead(d *schema.ResourceData, meta interface{}) erro return e } - backend := d.Get("backend").(string) - key := d.Get("key").(string) - keyVersion := d.Get("key_version").(int) + backend := d.Get(consts.FieldBackend).(string) + key := d.Get(consts.FieldKey).(string) + keyVersion := d.Get(consts.FieldKeyVersion).(int) + iv := d.Get(consts.FieldIV).(string) plaintext := base64.StdEncoding.EncodeToString([]byte(d.Get("plaintext").(string))) context := base64.StdEncoding.EncodeToString([]byte(d.Get("context").(string))) payload := map[string]interface{}{ - "plaintext": plaintext, - "context": context, - "key_version": keyVersion, + consts.FieldPlaintext: plaintext, + consts.FieldContext: context, + consts.FieldKeyVersion: keyVersion, + consts.FieldIV: iv, } encryptedData, err := client.Logical().Write(backend+"/encrypt/"+key, payload) @@ -75,10 +83,10 @@ func transitEncryptDataSourceRead(d *schema.ResourceData, meta interface{}) erro return fmt.Errorf("issue encrypting with key: %s", err) } - cipherText := encryptedData.Data["ciphertext"] + cipherText := encryptedData.Data[consts.FieldCiphertext] d.SetId(base64.StdEncoding.EncodeToString([]byte(cipherText.(string)))) - d.Set("ciphertext", cipherText) + d.Set(consts.FieldCiphertext, cipherText) return nil } diff --git a/vault/data_source_transit_encrypt_test.go b/vault/data_source_transit_encrypt_test.go index 90f755c376..f970451353 100644 --- a/vault/data_source_transit_encrypt_test.go +++ b/vault/data_source_transit_encrypt_test.go @@ -10,7 +10,7 @@ import ( "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-plugin-testing/terraform" - + "github.com/hashicorp/terraform-provider-vault/internal/provider" "github.com/hashicorp/terraform-provider-vault/testutil" ) 
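Review bot: `consts.FieldIV: iv` is added to the payload unconditionally, so every encrypt call — including the GCM and RSA keys exercised by the existing test steps — now sends `"iv": ""` and relies on Vault treating an empty IV as absent; sending it only when set keeps requests for non-CBC keys byte-identical to before: `if iv != "" { payload[consts.FieldIV] = iv }`. In the same hunk `d.Get("plaintext")` and `d.Get("context")` remain literals while the payload keys use `consts.FieldPlaintext` and `consts.FieldContext`; switching them to the constants finishes the migration this hunk starts. The function continues past the end of this hunk.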
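Review bot: `cipherText.(string)` on the `d.SetId` line is an unchecked assertion on a map lookup, so a response without a `ciphertext` key, or a nil `encryptedData`, panics the provider instead of returning an error, and the `d.Set` result below it is dropped. A checked assertion with explicit errors keeps the failure in the normal error path and leaves nothing half-written in state.
```go
	if encryptedData == nil || encryptedData.Data == nil {
		return fmt.Errorf("no data in response from %s/encrypt/%s", backend, key)
	}
	cipherText, ok := encryptedData.Data[consts.FieldCiphertext].(string)
	if !ok {
		return fmt.Errorf("no ciphertext in response from %s/encrypt/%s", backend, key)
	}
	d.SetId(base64.StdEncoding.EncodeToString([]byte(cipherText)))
	if err := d.Set(consts.FieldCiphertext, cipherText); err != nil {
		return err
	}
	return nil
```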
@@ -20,7 +20,26 @@ func TestDataSourceTransitEncrypt(t *testing.T) { PreCheck: func() { testutil.TestAccPreCheck(t) }, Steps: []resource.TestStep{ { - Config: testDataSourceTransitEncrypt_config, + Config: fmt.Sprintf(testDataSourceTransitEncrypt_config, "", ""), + Check: testDataSourceTransitEncrypt_check, + }, + { + Config: fmt.Sprintf(testDataSourceTransitEncrypt_config, `type = "rsa-2048"`, ""), + Check: testDataSourceTransitEncrypt_check, + }, + }, + }) + + resource.Test(t, resource.TestCase{ + ProtoV5ProviderFactories: testAccProtoV5ProviderFactories(context.Background(), t), + PreCheck: func() { + testutil.TestAccPreCheck(t) + testutil.TestEntPreCheck(t) + SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion121) + }, + Steps: []resource.TestStep{ + { + Config: fmt.Sprintf(testDataSourceTransitEncrypt_config, `type = "aes128-cbc"`, `iv = "YmxvY2stc2l6ZS12YWx1ZQ=="`), Check: testDataSourceTransitEncrypt_check, }, }, @@ -38,12 +57,14 @@ resource "vault_transit_secret_backend_key" "test" { name = "test" backend = vault_mount.test.path deletion_allowed = true + %s } data "vault_transit_encrypt" "test" { backend = vault_mount.test.path key = vault_transit_secret_backend_key.test.name plaintext = "foo" + %s } data "vault_transit_decrypt" "test" { diff --git a/website/docs/d/transit_encrypt.md b/website/docs/d/transit_encrypt.md index c3c8abc6e6..4bf28dd4ae 100644 --- a/website/docs/d/transit_encrypt.md +++ b/website/docs/d/transit_encrypt.md @@ -45,6 +45,8 @@ Each document configuration may have one or more `rule` blocks, which each accep * `key_version` - (Optional) The version of the key to use for encryption. If not set, uses the latest version. Must be greater than or equal to the key's `min_encryption_version`, if set. +* `iv` - (Optional) The IV to use when encrypting with an AES-CBC key. + ## Attributes Reference * `ciphertext` - Encrypted ciphertext returned from Vault 
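Review bot: The Enterprise-gated step in TestDataSourceTransitEncrypt covers `aes128-cbc` only with a caller-supplied `iv`, while the encrypt data source sends `iv` even when unset, so the path a typical user hits — a CBC key with no `iv` — is not exercised. A further step `{Config: fmt.Sprintf(testDataSourceTransitEncrypt_config, `type = "aes128-cbc"`, ""), Check: testDataSourceTransitEncrypt_check}` would pin that Vault accepts that request; the GCM and RSA steps in the first case already cover the empty-iv request for non-CBC keys. `aes256-cbc`, which this commit's docs hunk lists as supported, is likewise not exercised.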
diff --git a/website/docs/r/transit_secret_backend_key.html.md b/website/docs/r/transit_secret_backend_key.html.md index 9442d2b40a..179aa9287a 100644 --- a/website/docs/r/transit_secret_backend_key.html.md +++ b/website/docs/r/transit_secret_backend_key.html.md @@ -40,7 +40,7 @@ The following arguments are supported: * `name` - (Required) The name to identify this key within the backend. Must be unique within the backend. -* `type` - (Optional) Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`. +* `type` - (Optional) Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072`, `rsa-4096`, `ml-dsa`, `hybrid`, `aes128-cmac`, `aes192-cmac`, `aes256-cmac`, `aes128-cbc`, and `aes256-cbc`. * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types) * `deletion_allowed` - (Optional) Specifies if the keyring is allowed to be deleted. Must be set to 'true' before terraform will be able to destroy keys.