Add beta support for keyAccessJustificationsPolicy to KMS module (#10792

) (#18674)

[upstream:244ffe17a74221a4f3907aac6466451614a18162]

Signed-off-by: Modular Magician <[email protected]>

.changelog/10792.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+cloudkms: added `key_access_justifications_policy` field to `google_kms_crypto_key` resource (beta)
+```

google/services/kms/resource_kms_crypto_key_test.go

@@ -319,6 +319,53 @@ func TestAccKmsCryptoKey_destroyDuration(t *testing.T) {
 	})
 }
 
+func TestAccKmsCryptoKey_keyAccessJustificationsPolicy(t *testing.T) {
+	t.Parallel()
+
+	projectId := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+	projectOrg := envvar.GetTestOrgFromEnv(t)
+	location := envvar.GetTestRegionFromEnv()
+	projectBillingAccount := envvar.GetTestBillingAccountFromEnv(t)
+	keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+	cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+	allowedAccessReason := "CUSTOMER_INITIATED_SUPPORT"
+	updatedAllowedAccessReason := "GOOGLE_INITIATED_SERVICE"
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleKmsCryptoKey_keyAccessJustificationsPolicy(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, allowedAccessReason),
+			},
+			{
+				ResourceName:            "google_kms_crypto_key.crypto_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+			{
+				Config: testGoogleKmsCryptoKey_keyAccessJustificationsPolicy(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, updatedAllowedAccessReason),
+			},
+			{
+				ResourceName:            "google_kms_crypto_key.crypto_key",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+			// Use a separate TestStep rather than a CheckDestroy because we need the project to still exist.
+			{
+				Config: testGoogleKmsCryptoKey_removed(projectId, projectOrg, projectBillingAccount, keyRingName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleKmsCryptoKeyWasRemovedFromState("google_kms_crypto_key.crypto_key"),
+					testAccCheckGoogleKmsCryptoKeyVersionsDestroyed(t, projectId, location, keyRingName, cryptoKeyName),
+					testAccCheckGoogleKmsCryptoKeyRotationDisabled(t, projectId, location, keyRingName, cryptoKeyName),
+				),
+			},
+		},
+	})
+}
+
 func TestAccKmsCryptoKey_importOnly(t *testing.T) {
 	t.Parallel()
 
@@ -791,6 +838,39 @@ resource "google_kms_crypto_key" "crypto_key" {
 `, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName)
 }
 
+func testGoogleKmsCryptoKey_keyAccessJustificationsPolicy(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, allowed_access_reason string) string {
+	return fmt.Sprintf(`
+resource "google_project" "acceptance" {
+  name            = "%s"
+  project_id      = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}
+
+resource "google_project_service" "acceptance" {
+  project = google_project.acceptance.project_id
+  service = "cloudkms.googleapis.com"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  project  = google_project_service.acceptance.project
+  name     = "%s"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+  name     = "%s"
+  key_ring = google_kms_key_ring.key_ring.id
+  labels = {
+    key = "value"
+  }
+  key_access_justifications_policy {
+    allowed_access_reasons = ["%s"]
+  }
+}
+`, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName, allowed_access_reason)
+}
+
 func testGoogleKmsCryptoKey_importOnly(projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName string) string {
 	return fmt.Sprintf(`
 resource "google_project" "acceptance" {

website/docs/r/kms_crypto_key.html.markdown

@@ -139,6 +139,18 @@ The following arguments are supported:
   The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
   The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
 
+* `key_access_justifications_policy` -
+  (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+  The policy used for Key Access Justifications Policy Enforcement. If this
+  field is present and this key is enrolled in Key Access Justifications
+  Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+  sign operations, and the operation will fail if rejected by the policy. The
+  policy is defined by specifying zero or more allowed justification codes.
+  https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+  By default, this field is absent, and all justification codes are allowed.
+  This field is currently in beta and is subject to change.
+  Structure is [documented below](#nested_key_access_justifications_policy).
+
 * `skip_initial_version_creation` -
   (Optional)
   If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
@@ -157,6 +169,14 @@ The following arguments are supported:
   (Optional)
   The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
 
+<a name="nested_key_access_justifications_policy"></a>The `key_access_justifications_policy` block supports:
+
+* `allowed_access_reasons` -
+  (Optional)
+  The list of allowed reasons for access to this CryptoKey. Zero allowed
+  access reasons means all encrypt, decrypt, and sign operations for
+  this CryptoKey will fail.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: