Add changes for transit CBC

internal/consts/consts.go

@@ -501,6 +501,10 @@ const (
 	FieldHybridKeyTypePQC         = "hybrid_key_type_pqc"
 	FieldSignatureContext         = "signature_context"
 	FieldDisableAutomatedRotation = "disable_automated_rotation"
+	FieldKey                      = "key"
+	FieldPlaintext                = "plaintext"
+	FieldCiphertext               = "ciphertext"
+	FieldIV                       = "iv"
 
 	FieldIntervalDuration                     = "interval_duration"
 	FieldMaintainStoredCertificateCounts      = "maintain_stored_certificate_counts"
@@ -624,6 +628,7 @@ const (
 	VaultVersion1185 = "1.18.5"
 	VaultVersion119  = "1.19.0"
 	VaultVersion120  = "1.20.0"
+	VaultVersion121  = "1.21.0"
 
 	/*
 		Vault auth methods

internal/provider/meta.go

@@ -49,6 +49,7 @@ var (
 	VaultVersion1185 = version.Must(version.NewSemver(consts.VaultVersion1185))
 	VaultVersion119  = version.Must(version.NewSemver(consts.VaultVersion119))
 	VaultVersion120  = version.Must(version.NewSemver(consts.VaultVersion120))
+	VaultVersion121  = version.Must(version.NewSemver(consts.VaultVersion121))
 
 	TokenTTLMinRecommended = time.Minute * 15
 )

vault/data_source_transit_decrypt.go

@@ -6,6 +6,7 @@ package vault
 import (
 	"encoding/base64"
 	"fmt"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
@@ -17,28 +18,28 @@ func transitDecryptDataSource() *schema.Resource {
 		Read: provider.ReadWrapper(transitDecryptDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
-			"key": {
+			consts.FieldKey: {
 				Type:        schema.TypeString,
 				Required:    true,
 				Description: "Name of the decryption key to use.",
 			},
-			"backend": {
+			consts.FieldBackend: {
 				Type:        schema.TypeString,
 				Required:    true,
 				Description: "The Transit secret backend the key belongs to.",
 			},
-			"plaintext": {
+			consts.FieldPlaintext: {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Description: "Decrypted plain text",
 				Sensitive:   true,
 			},
-			"context": {
+			consts.FieldContext: {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Description: "Specifies the context for key derivation",
 			},
-			"ciphertext": {
+			consts.FieldCiphertext: {
 				Type:        schema.TypeString,
 				Required:    true,
 				Description: "Transit encrypted cipher text.",
@@ -53,25 +54,25 @@ func transitDecryptDataSourceRead(d *schema.ResourceData, meta interface{}) erro
 		return e
 	}
 
-	backend := d.Get("backend").(string)
-	key := d.Get("key").(string)
-	ciphertext := d.Get("ciphertext").(string)
+	backend := d.Get(consts.FieldBackend).(string)
+	key := d.Get(consts.FieldKey).(string)
+	ciphertext := d.Get(consts.FieldCiphertext).(string)
 
 	context := base64.StdEncoding.EncodeToString([]byte(d.Get("context").(string)))
 	payload := map[string]interface{}{
-		"ciphertext": ciphertext,
-		"context":    context,
+		consts.FieldCiphertext: ciphertext,
+		consts.FieldContext:    context,
 	}
 
 	decryptedData, err := client.Logical().Write(backend+"/decrypt/"+key, payload)
 	if err != nil {
 		return fmt.Errorf("issue encrypting with key: %s", err)
 	}
 
-	plaintext, _ := base64.StdEncoding.DecodeString(decryptedData.Data["plaintext"].(string))
+	plaintext, _ := base64.StdEncoding.DecodeString(decryptedData.Data[consts.FieldPlaintext].(string))
 
 	d.SetId(base64.StdEncoding.EncodeToString([]byte(ciphertext)))
-	d.Set("plaintext", string(plaintext))
+	d.Set(consts.FieldPlaintext, string(plaintext))
 
 	return nil
 }

vault/data_source_transit_decrypt_test.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
-
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/testutil"
 )
 
@@ -20,7 +20,26 @@ func TestDataSourceTransitDecrypt(t *testing.T) {
 		PreCheck:                 func() { testutil.TestAccPreCheck(t) },
 		Steps: []resource.TestStep{
 			{
-				Config: testDataSourceTransitDecrypt_config,
+				Config: fmt.Sprintf(testDataSourceTransitDecrypt_config, "", ""),
+				Check:  testDataSourceTransitDecrypt_check,
+			},
+			{
+				Config: fmt.Sprintf(testDataSourceTransitDecrypt_config, `type = "rsa-2048"`, ""),
+				Check:  testDataSourceTransitDecrypt_check,
+			},
+		},
+	})
+
+	resource.Test(t, resource.TestCase{
+		ProtoV5ProviderFactories: testAccProtoV5ProviderFactories(context.Background(), t),
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion121)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(testDataSourceTransitDecrypt_config, `type = "aes128-cbc"`, `iv = "YmxvY2stc2l6ZS12YWx1ZQ=="`),
 				Check:  testDataSourceTransitDecrypt_check,
 			},
 		},
@@ -38,12 +57,14 @@ resource "vault_transit_secret_backend_key" "test" {
   name  		   = "test"
   backend 		   = vault_mount.test.path
   deletion_allowed = true
+  %s
 }
 
 data "vault_transit_encrypt" "test" {
     backend     = vault_mount.test.path
     key         = vault_transit_secret_backend_key.test.name
 	plaintext   = "foo"
+    %s
 }
 
 data "vault_transit_decrypt" "test" {

vault/data_source_transit_encrypt.go

@@ -6,6 +6,7 @@ package vault
 import (
 	"encoding/base64"
 	"fmt"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
@@ -17,33 +18,38 @@ func transitEncryptDataSource() *schema.Resource {
 		Read: provider.ReadWrapper(transitEncryptDataSourceRead),
 
 		Schema: map[string]*schema.Schema{
-			"key": {
+			consts.FieldKey: {
 				Type:        schema.TypeString,
 				Required:    true,
 				Description: "Name of the encryption key to use.",
 			},
-			"backend": {
+			consts.FieldBackend: {
 				Type:        schema.TypeString,
 				Required:    true,
 				Description: "The Transit secret backend the key belongs to.",
 			},
-			"plaintext": {
+			consts.FieldPlaintext: {
 				Type:        schema.TypeString,
 				Required:    true,
 				Description: "Map of strings read from Vault.",
 				Sensitive:   true,
 			},
-			"context": {
+			consts.FieldContext: {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Description: "Specifies the context for key derivation",
 			},
-			"key_version": {
+			consts.FieldKeyVersion: {
 				Type:        schema.TypeInt,
 				Optional:    true,
 				Description: "The version of the key to use for encryption",
 			},
-			"ciphertext": {
+			consts.FieldIV: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "",
+			},
+			consts.FieldCiphertext: {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Description: "Transit encrypted cipher text.",
@@ -58,27 +64,29 @@ func transitEncryptDataSourceRead(d *schema.ResourceData, meta interface{}) erro
 		return e
 	}
 
-	backend := d.Get("backend").(string)
-	key := d.Get("key").(string)
-	keyVersion := d.Get("key_version").(int)
+	backend := d.Get(consts.FieldBackend).(string)
+	key := d.Get(consts.FieldKey).(string)
+	keyVersion := d.Get(consts.FieldKeyVersion).(int)
+	iv := d.Get(consts.FieldIV).(string)
 
 	plaintext := base64.StdEncoding.EncodeToString([]byte(d.Get("plaintext").(string)))
 	context := base64.StdEncoding.EncodeToString([]byte(d.Get("context").(string)))
 	payload := map[string]interface{}{
-		"plaintext":   plaintext,
-		"context":     context,
-		"key_version": keyVersion,
+		consts.FieldPlaintext:  plaintext,
+		consts.FieldContext:    context,
+		consts.FieldKeyVersion: keyVersion,
+		consts.FieldIV:         iv,
 	}
 
 	encryptedData, err := client.Logical().Write(backend+"/encrypt/"+key, payload)
 	if err != nil {
 		return fmt.Errorf("issue encrypting with key: %s", err)
 	}
 
-	cipherText := encryptedData.Data["ciphertext"]
+	cipherText := encryptedData.Data[consts.FieldCiphertext]
 
 	d.SetId(base64.StdEncoding.EncodeToString([]byte(cipherText.(string))))
-	d.Set("ciphertext", cipherText)
+	d.Set(consts.FieldCiphertext, cipherText)
 
 	return nil
 }

vault/data_source_transit_encrypt_test.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
-
+	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/testutil"
 )
 
@@ -20,7 +20,26 @@ func TestDataSourceTransitEncrypt(t *testing.T) {
 		PreCheck:                 func() { testutil.TestAccPreCheck(t) },
 		Steps: []resource.TestStep{
 			{
-				Config: testDataSourceTransitEncrypt_config,
+				Config: fmt.Sprintf(testDataSourceTransitEncrypt_config, "", ""),
+				Check:  testDataSourceTransitEncrypt_check,
+			},
+			{
+				Config: fmt.Sprintf(testDataSourceTransitEncrypt_config, `type = "rsa-2048"`, ""),
+				Check:  testDataSourceTransitEncrypt_check,
+			},
+		},
+	})
+
+	resource.Test(t, resource.TestCase{
+		ProtoV5ProviderFactories: testAccProtoV5ProviderFactories(context.Background(), t),
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion121)
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(testDataSourceTransitEncrypt_config, `type = "aes128-cbc"`, `iv = "YmxvY2stc2l6ZS12YWx1ZQ=="`),
 				Check:  testDataSourceTransitEncrypt_check,
 			},
 		},
@@ -38,12 +57,14 @@ resource "vault_transit_secret_backend_key" "test" {
   name  		   = "test"
   backend 		   = vault_mount.test.path
   deletion_allowed = true
+  %s
 }
 
 data "vault_transit_encrypt" "test" {
     backend     = vault_mount.test.path
     key         = vault_transit_secret_backend_key.test.name
 	plaintext   = "foo"
+    %s
 }
 
 data "vault_transit_decrypt" "test" {

website/docs/d/transit_encrypt.md

@@ -45,6 +45,8 @@ Each document configuration may have one or more `rule` blocks, which each accep
 
 * `key_version` - (Optional) The version of the key to use for encryption. If not set, uses the latest version. Must be greater than or equal to the key's `min_encryption_version`, if set.
 
+* `iv` - (Optional) The IV to use when encrypting with an AES-CBC key.
+
 ## Attributes Reference
 
 * `ciphertext` - Encrypted ciphertext returned from Vault

website/docs/r/transit_secret_backend_key.html.md

@@ -40,7 +40,7 @@ The following arguments are supported:
 
 * `name` - (Required) The name to identify this key within the backend. Must be unique within the backend.
 
-* `type` - (Optional) Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
+* `type` - (Optional) Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072`, `rsa-4096`, `ml-dsa`, `hybrid`, `aes128-cmac`, `aes192-cmac`, `aes256-cmac`, `aes128-cbc`, and `aes256-cbc`.
     * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
 
 * `deletion_allowed` - (Optional) Specifies if the keyring is allowed to be deleted. Must be set to 'true' before terraform will be able to destroy keys.