Merge pull request #112 from fortanix/PROD-9281

In this PR, PROD-9281 has been fixed.

docs-archived/guides/dsm_azure_sobject.md

@@ -53,60 +53,39 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
 
 ## 1st Rotation of azure security object with DSM option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate1" {
-  name        = dsm_sobject.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "DSM"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate1" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate1.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "DSM"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated.
 }
 
 
 ## 2nd Rotation of azure security object with DSM option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate2" {
-  name        = es.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "DSM"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate2" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate2.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group 
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "DSM"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated.
 }
+
 ```
 
 ## Rotate with AZURE Option
@@ -162,58 +141,36 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
 
 ## 1st Rotation of azure security object with AZURE option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate1" {
-  name        = dsm_sobject.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "AZURE"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate1" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key name to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate1.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "AZURE"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated.
 }
 
 ## 2nd Rotation of azure security object with AZURE option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate2" {
-  name        = dsm_sobject.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "AZURE"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate2" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate2.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "AZURE"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated.
 }
 ```
 
@@ -237,11 +194,10 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
   soft_deletion = true
 }
 
-
 ## Purging a dsm_azure_sobject.
 
 # Enable purge_deleted_key as true.
-# This can be enabled only during update.
+# Only after soft_deletion can this be enabled during an update
 resource "dsm_azure_sobject" "rsa_key_azure" {
   name     = "rsa_key_azure"
   group_id = dsm_group.azure_group.id
@@ -258,6 +214,7 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
 ## Soft deletion and Purging a key in a single request.
 
 # First it does the soft deletion and then purging the key.
+# These can be enabled only during update.
 resource "dsm_azure_sobject" "rsa_key_azure" {
   name     = "rsa_key_azure"
   group_id = dsm_group.azure_group.id

docs/guides/dsm_azure_sobject.md

@@ -53,60 +53,39 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
 
 ## 1st Rotation of azure security object with DSM option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate1" {
-  name        = dsm_sobject.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "DSM"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate1" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate1.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "DSM"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated.
 }
 
 
 ## 2nd Rotation of azure security object with DSM option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate2" {
-  name        = es.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "DSM"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate2" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate2.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group 
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "DSM"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated.
 }
+
 ```
 
 ## Rotate with AZURE Option
@@ -162,58 +141,36 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
 
 ## 1st Rotation of azure security object with AZURE option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate1" {
-  name        = dsm_sobject.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "AZURE"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate1" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key name to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate1.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "AZURE"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated.
 }
 
 ## 2nd Rotation of azure security object with AZURE option
 
-# Rotate RSA security object
-resource "dsm_sobject" "rsa_key_dsm_rotate2" {
-  name        = dsm_sobject.rsa_key_dsm.name
-  group_id    = dsm_group.normal_group.id
-  key_size    = 2048
-  key_ops     = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"]
-  obj_type    = "RSA"
-  rotate      = "AZURE"
-  rotate_from = dsm_sobject.rsa_key_dsm.name
-}
-
-# Copy above RSA key to azure key vault
+# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name
 resource "dsm_azure_sobject" "rsa_key_azure_rotate2" {
-  name     = dsm_azure_sobject.rsa_key_azure.name
+  name     = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated.
   group_id = dsm_group.azure_group.id
   key = {
-    kid = dsm_sobject.rsa_key_dsm_rotate2.id
+    kid = dsm_sobject.rsa_key_dsm.id
   }
   custom_metadata = {
-    azure-key-name  = "rsa-key-azure"
+    azure-key-name  = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group
   }
   key_ops     = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"]
   rotate      = "AZURE"
-  rotate_from = dsm_azure_sobject.rsa_key_azure.name
+  rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated.
 }
 ```
 
@@ -237,11 +194,10 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
   soft_deletion = true
 }
 
-
 ## Purging a dsm_azure_sobject.
 
 # Enable purge_deleted_key as true.
-# This can be enabled only during update.
+# Only after soft_deletion can this be enabled during an update
 resource "dsm_azure_sobject" "rsa_key_azure" {
   name     = "rsa_key_azure"
   group_id = dsm_group.azure_group.id
@@ -258,6 +214,7 @@ resource "dsm_azure_sobject" "rsa_key_azure" {
 ## Soft deletion and Purging a key in a single request.
 
 # First it does the soft deletion and then purging the key.
+# These can be enabled only during update.
 resource "dsm_azure_sobject" "rsa_key_azure" {
   name     = "rsa_key_azure"
   group_id = dsm_group.azure_group.id

docs/resources/azure_sobject.md

@@ -8,7 +8,7 @@ description: |-
   Note: Once soft deletion is enabled, Azure sobject can't be modified.
   Deletion of a dsm_azure_sobject: Unlike dsm_sobject, deletion of a dsm_azure_sobject is not normal.
   Steps to delete a dsm_azure_sobject:
-  Enable soft_deletion as shown in the examples of guides/dsm_azure_sobject.Enable purge_deleted_key after soft_deletion as shown in the examples of guides/dsm_azure_sobject.A dsm_azure_sobject can be deleted completely only when its state is destroyed.A dsm_azure_sobject comes to destroyed state when the key is deleted from Azure key vault.To know whether it is in a destroyed state or not, sync keys operation should be performed.Currently, sync keys is not supported by terraform. This can be done in UI by going to the group and HSM/KMS. Then click on SYNC KEYS.
+  Enable soft_deletion as shown in the examples of Guides/dsm_azure_sobject.Enable purge_deleted_key after soft_deletion as shown in the examples of Guides/dsm_azure_sobject.A dsm_azure_sobject can be deleted completely only when its state is destroyed.A dsm_azure_sobject comes to destroyed state when the key is deleted from Azure key vault.To know whether it is in a destroyed state or not, sync keys operation should be performed.Use dsm_azure_group data_source to sync the keys. Please refer Data Sources/dsm_azure_group.
 ---
 
 # dsm_azure_sobject (Resource)
@@ -23,12 +23,12 @@ Azure sobject can also rotate, enable soft deletion and purge the key. For examp
 
 **Steps to delete a dsm_azure_sobject**:
 
-   * Enable soft_deletion as shown in the examples of guides/dsm_azure_sobject.
-   * Enable purge_deleted_key after soft_deletion as shown in the examples of guides/dsm_azure_sobject.
+   * Enable soft_deletion as shown in the examples of `Guides/dsm_azure_sobject`.
+   * Enable purge_deleted_key after soft_deletion as shown in the examples of `Guides/dsm_azure_sobject`.
    * A dsm_azure_sobject can be deleted completely only when its state is `destroyed`.
    * A dsm_azure_sobject comes to destroyed state when the key is deleted from Azure key vault.
    * To know whether it is in a destroyed state or not, sync keys operation should be performed.
-   * Currently, sync keys is not supported by terraform. This can be done in UI by going to the group and HSM/KMS. Then click on `SYNC KEYS`.
+   * Use `dsm_azure_group` data_source to sync the keys. Please refer Data `Sources/dsm_azure_group`.
 
 ## Example Usage
 

dsm/common.go

@@ -322,6 +322,7 @@ func showWarning(msg string) diag.Diagnostics {
 	var diags diag.Diagnostics
 	diags = append(diags, diag.Diagnostic{
 		Severity: diag.Warning,
+		Summary:  "[DSM SDK] Unable to call DSM provider API client",
 		Detail:   fmt.Sprintf("[W]: %s", msg),
 	})
 	return diags