Merge pull request #8 from fortanix/aman/aws-rotation

update to rotate aws key based on local key rotation or aws key rotaion
fortanix · Mar 29, 2022 · 4f2d3a3 · 4f2d3a3
2 parents 862dfb0 + c79699f
commit 4f2d3a3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/docs/resources/dsm_aws_sobject.md b/docs/resources/dsm_aws_sobject.md
@@ -42,7 +42,9 @@ The following arguments are supported in the `dsm_aws_sobject` resource block:
 * _**state (optional)**_: The key states of the AWS key. The values are `PendingDeletion`, `Enabled`, `Disabled`, `PendingImport`
 * _**pending_window\_in\_days (optional)**_: The default value is `7` days, input the value for “`days`” after which the AWS key will be deleted 
 * _**expiry\_date (optional)**_: The security object expiry date in RFC format
-* _**rotate(optional)**_: = "DSM" (To mark this key as rotated from another key)
+* _**rotate(optional)**_: specify method to use for key rotation 
+  * **DSM** - To rotate from a DSM local key. The key material of new key will be stored in DSM.
+  * **AWS** - To rotate from a AWS key. The key material of new key will be stored in AWS.
 * _**rotate_from(optional)**_  = Name of the security object to be rotated
 
 * _**custom\_metadata (optional)**_:  Contains metadata about an AWS KMS key

diff --git a/dsm/resource_aws_sobject.go b/dsm/resource_aws_sobject.go
@@ -151,7 +151,7 @@ func resourceAWSSobject() *schema.Resource {
 			"rotate": {
 				Type:         schema.TypeString,
 				Optional:     true,
-				ValidateFunc: validation.StringInSlice([]string{"DSM", "ALL"}, true),
+				ValidateFunc: validation.StringInSlice([]string{"DSM", "AWS"}, true),
 			},
 			"rotate_from": {
 				Type:     schema.TypeString,
@@ -171,10 +171,13 @@ func resourceCreateAWSSobject(ctx context.Context, d *schema.ResourceData, m int
 
 	if rotate := d.Get("rotate").(string); len(rotate) > 0 {
 		if rotate_from := d.Get("rotate_from").(string); len(rotate_from) <= 0 {
+			if rotate == "AWS" {
+				endpoint = "crypto/v1/keys/rekey"
+			}
 			diags = append(diags, diag.Diagnostic{
 				Severity: diag.Error,
 				Summary:  "[DSM SDK] Unable to call DSM provider API client",
-				Detail:   "[E]: API: GET crypto/v1/keys/rekey: 'rotate_from' missing",
+				Detail:   fmt.Sprintf("[E]: API: POST %s: 'rotate_from' missing", endpoint),
 			})
 			return diags
 		}
@@ -213,7 +216,9 @@ func resourceCreateAWSSobject(ctx context.Context, d *schema.ResourceData, m int
 
 	if rotate := d.Get("rotate").(string); len(rotate) > 0 {
 		security_object["name"] = d.Get("rotate_from").(string)
-		endpoint = "crypto/v1/keys/rekey"
+		if rotate == "AWS" {
+			endpoint = "crypto/v1/keys/rekey"
+		}
 	}
 
 	req, err := m.(*api_client).APICallBody("POST", endpoint, security_object)