added encryption_config field to google_backup_dr_backup_vault (#15583) (#11086)

[upstream:5425dbd16171e0c67ab67cea073ca18d9b35d001]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

.changelog/15583.txt

@@ -0,0 +1 @@
+unknown: added `encryption_config` field to `google_backup_dr_backup_vault`

google-beta/services/backupdr/resource_backup_dr_backup_vault.go

@@ -167,6 +167,21 @@ Please refer to the field 'effective_annotations' for all of the annotations pre
 				Optional:    true,
 				Description: `Optional. Time after which the BackupVault resource is locked.`,
 			},
+			"encryption_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `Encryption configuration for the backup vault.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"kms_key_name": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: `The Resource name of the Cloud KMS key to be used to encrypt new backups. The key must be in the same location as the backup vault. The key must be a Cloud KMS CryptoKey.`,
+						},
+					},
+				},
+			},
 			"force_delete": {
 				Type:       schema.TypeBool,
 				Optional:   true,
@@ -334,6 +349,12 @@ func resourceBackupDRBackupVaultCreate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("backup_retention_inheritance"); !tpgresource.IsEmptyValue(reflect.ValueOf(backupRetentionInheritanceProp)) && (ok || !reflect.DeepEqual(v, backupRetentionInheritanceProp)) {
 		obj["backupRetentionInheritance"] = backupRetentionInheritanceProp
 	}
+	encryptionConfigProp, err := expandBackupDRBackupVaultEncryptionConfig(d.Get("encryption_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("encryption_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(encryptionConfigProp)) && (ok || !reflect.DeepEqual(v, encryptionConfigProp)) {
+		obj["encryptionConfig"] = encryptionConfigProp
+	}
 	effectiveLabelsProp, err := expandBackupDRBackupVaultEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -493,6 +514,9 @@ func resourceBackupDRBackupVaultRead(d *schema.ResourceData, meta interface{}) e
 	if err := d.Set("access_restriction", flattenBackupDRBackupVaultAccessRestriction(res["accessRestriction"], d, config)); err != nil {
 		return fmt.Errorf("Error reading BackupVault: %s", err)
 	}
+	if err := d.Set("encryption_config", flattenBackupDRBackupVaultEncryptionConfig(res["encryptionConfig"], d, config)); err != nil {
+		return fmt.Errorf("Error reading BackupVault: %s", err)
+	}
 	if err := d.Set("terraform_labels", flattenBackupDRBackupVaultTerraformLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading BackupVault: %s", err)
 	}
@@ -546,6 +570,12 @@ func resourceBackupDRBackupVaultUpdate(d *schema.ResourceData, meta interface{})
 	} else if v, ok := d.GetOkExists("backup_retention_inheritance"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, backupRetentionInheritanceProp)) {
 		obj["backupRetentionInheritance"] = backupRetentionInheritanceProp
 	}
+	encryptionConfigProp, err := expandBackupDRBackupVaultEncryptionConfig(d.Get("encryption_config"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("encryption_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, encryptionConfigProp)) {
+		obj["encryptionConfig"] = encryptionConfigProp
+	}
 	effectiveLabelsProp, err := expandBackupDRBackupVaultEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -584,6 +614,10 @@ func resourceBackupDRBackupVaultUpdate(d *schema.ResourceData, meta interface{})
 		updateMask = append(updateMask, "backupRetentionInheritance")
 	}
 
+	if d.HasChange("encryption_config") {
+		updateMask = append(updateMask, "encryptionConfig")
+	}
+
 	if d.HasChange("effective_labels") {
 		updateMask = append(updateMask, "labels")
 	}
@@ -820,6 +854,23 @@ func flattenBackupDRBackupVaultAccessRestriction(v interface{}, d *schema.Resour
 	return v
 }
 
+func flattenBackupDRBackupVaultEncryptionConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["kms_key_name"] =
+		flattenBackupDRBackupVaultEncryptionConfigKmsKeyName(original["kmsKeyName"], d, config)
+	return []interface{}{transformed}
+}
+func flattenBackupDRBackupVaultEncryptionConfigKmsKeyName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenBackupDRBackupVaultTerraformLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -863,6 +914,32 @@ func expandBackupDRBackupVaultBackupRetentionInheritance(v interface{}, d tpgres
 	return v, nil
 }
 
+func expandBackupDRBackupVaultEncryptionConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	if v == nil {
+		return nil, nil
+	}
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedKmsKeyName, err := expandBackupDRBackupVaultEncryptionConfigKmsKeyName(original["kms_key_name"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedKmsKeyName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["kmsKeyName"] = transformedKmsKeyName
+	}
+
+	return transformed, nil
+}
+
+func expandBackupDRBackupVaultEncryptionConfigKmsKeyName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandBackupDRBackupVaultEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

google-beta/services/backupdr/resource_backup_dr_backup_vault_generated_meta.yaml

@@ -22,6 +22,7 @@ fields:
   - field: 'effective_labels'
     provider_only: true
   - api_field: 'effectiveTime'
+  - api_field: 'encryptionConfig.kmsKeyName'
   - api_field: 'etag'
   - field: 'force_delete'
     provider_only: true

google-beta/services/backupdr/resource_backup_dr_backup_vault_generated_test.go

@@ -50,7 +50,7 @@ var (
 	_ = googleapi.Error{}
 )
 
-func TestAccBackupDRBackupVault_backupDrBackupVaultFullExample(t *testing.T) {
+func TestAccBackupDRBackupVault_backupDrBackupVaultSimpleExample(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
@@ -64,7 +64,7 @@ func TestAccBackupDRBackupVault_backupDrBackupVaultFullExample(t *testing.T) {
 		CheckDestroy:             testAccCheckBackupDRBackupVaultDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccBackupDRBackupVault_backupDrBackupVaultFullExample(context),
+				Config: testAccBackupDRBackupVault_backupDrBackupVaultSimpleExample(context),
 			},
 			{
 				ResourceName:            "google_backup_dr_backup_vault.backup-vault-test",
@@ -76,7 +76,7 @@ func TestAccBackupDRBackupVault_backupDrBackupVaultFullExample(t *testing.T) {
 	})
 }
 
-func testAccBackupDRBackupVault_backupDrBackupVaultFullExample(context map[string]interface{}) string {
+func testAccBackupDRBackupVault_backupDrBackupVaultSimpleExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_backup_dr_backup_vault" "backup-vault-test" {
   location = "us-central1"
@@ -101,6 +101,71 @@ resource "google_backup_dr_backup_vault" "backup-vault-test" {
 `, context)
 }
 
+func TestAccBackupDRBackupVault_backupDrBackupVaultCmekExample(t *testing.T) {
+	t.Parallel()
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-backupdr.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
+
+	context := map[string]interface{}{
+		"project":       envvar.GetTestProjectFromEnv(),
+		"kms_key_name":  acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name,
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBackupDRBackupVaultDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBackupDRBackupVault_backupDrBackupVaultCmekExample(context),
+			},
+			{
+				ResourceName:            "google_backup_dr_backup_vault.backup-vault-cmek",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"allow_missing", "annotations", "backup_retention_inheritance", "backup_vault_id", "force_delete", "force_update", "ignore_backup_plan_references", "ignore_inactive_datasources", "labels", "location", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccBackupDRBackupVault_backupDrBackupVaultCmekExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+data "google_project" "test_project" {
+	project_id = "%{project}"
+}
+
+resource "google_backup_dr_backup_vault" "backup-vault-cmek" {
+  location = "us-central1"
+  backup_vault_id    = "tf-test-backup-vault-cmek%{random_suffix}"
+  description = "This is a second backup vault built by Terraform."
+  backup_minimum_enforced_retention_duration = "100000s"
+  annotations = {
+    annotations1 = "bar1"
+    annotations2 = "baz1"
+  }
+  labels = {
+    foo = "bar1"
+    bar = "baz1"
+  }
+  encryption_config {
+    kms_key_name = "%{kms_key_name}"
+  }
+  force_update = "true"
+  access_restriction = "WITHIN_ORGANIZATION"
+  backup_retention_inheritance = "INHERIT_VAULT_RETENTION"
+  ignore_inactive_datasources = "true"
+  ignore_backup_plan_references = "true"
+  allow_missing = "true"
+}
+`, context)
+}
+
 func testAccCheckBackupDRBackupVaultDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

website/docs/r/backup_dr_backup_vault.html.markdown

@@ -25,7 +25,7 @@ Container to store and organize immutable and indelible backups.
 
 
 
-## Example Usage - Backup Dr Backup Vault Full
+## Example Usage - Backup Dr Backup Vault Simple
 
 
 ```hcl
@@ -50,6 +50,38 @@ resource "google_backup_dr_backup_vault" "backup-vault-test" {
   allow_missing = "true"
 }
 ```
+## Example Usage - Backup Dr Backup Vault Cmek
+
+
+```hcl
+data "google_project" "test_project" {
+	project_id = "my-project-name"
+}
+
+resource "google_backup_dr_backup_vault" "backup-vault-cmek" {
+  location = "us-central1"
+  backup_vault_id    = "backup-vault-cmek"
+  description = "This is a second backup vault built by Terraform."
+  backup_minimum_enforced_retention_duration = "100000s"
+  annotations = {
+    annotations1 = "bar1"
+    annotations2 = "baz1"
+  }
+  labels = {
+    foo = "bar1"
+    bar = "baz1"
+  }
+  encryption_config {
+    kms_key_name = "bkpvault-key"
+  }
+  force_update = "true"
+  access_restriction = "WITHIN_ORGANIZATION"
+  backup_retention_inheritance = "INHERIT_VAULT_RETENTION"
+  ignore_inactive_datasources = "true"
+  ignore_backup_plan_references = "true"
+  allow_missing = "true"
+}
+```
 
 ## Argument Reference
 
@@ -101,6 +133,11 @@ The following arguments are supported:
   How a backup's enforced retention end time is inherited. Default value is `INHERIT_VAULT_RETENTION` if not provided during creation.
   Possible values are: `BACKUP_RETENTION_INHERITANCE_UNSPECIFIED`, `INHERIT_VAULT_RETENTION`, `MATCH_BACKUP_EXPIRE_TIME`.
 
+* `encryption_config` -
+  (Optional)
+  Encryption configuration for the backup vault.
+  Structure is [documented below](#nested_encryption_config).
+
 * `force_update` -
   (Optional)
   If set, allow update to extend the minimum enforced retention for backup vault. This overrides
@@ -135,6 +172,12 @@ The following arguments are supported:
 
 
 
+<a name="nested_encryption_config"></a>The `encryption_config` block supports:
+
+* `kms_key_name` -
+  (Optional)
+  The Resource name of the Cloud KMS key to be used to encrypt new backups. The key must be in the same location as the backup vault. The key must be a Cloud KMS CryptoKey.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: