Merge pull request #65 from fortanix/EXTREQ-1005

ravigfortanix · web-flow · commit 8d1f751aa091 · 2023-12-04T23:08:47.000+05:30
Support for rotation policy:
diff --git a/docs/resources/dsm_aws_sobject.md b/docs/resources/dsm_aws_sobject.md
@@ -24,6 +24,10 @@ resource "dsm_aws_sobject" "sobject" {
     custom_metadata        = {
         aws-aliases        = <alias-to-use>
     }
+    rotation_policy = {
+      interval_days = <number of days>
+      effective_at = "<yyyymmddThhmmssZ>"
+    }
 }
 ```
 
@@ -50,6 +54,21 @@ The following arguments are supported in the `dsm_aws_sobject` resource block:
 * _**custom\_metadata (optional)**_:  Contains metadata about an AWS KMS key
   *	**aws-aliases** – The display name for AWS KMS key used to identify the key.
   *	**aws-policy** - JSON format of AWS policy that should be enforced for the key.
+* * _**rotation_policy(optional)**_ = Policy to rotate a Security Object, configure the below parameters.
+* * _**interval_days**_ = Rotate the key for every given number of days
+* * _**interval_weeks**_ = Rotate the key for every given number of weeks
+* * _**interval_months**_ = Rotate the key for every given number of months
+* * _**interval_years**_ = Rotate the key for every given number of years
+* * _**effective_at**_ = Start of the rotation policy time
+
+## Note on rotational_policy
+
+Only one of the following attributes should be used while configuring the interval in rotational_policy
+1. interval_days
+2. interval_weeks
+3. interval_months
+4. interval_years
+
 
 ## Attribute Reference
 
@@ -76,3 +95,4 @@ The following attributes are stored in the `dsm_aws_sobject` resource block:
 * **key\_size**: The size of the security object
 * **description**: The security object description
 * **expiry\_date**: The security object expiry date in RFC format from Fortanix DSM
+* * _**rotation_\_policy**_ = Policy to rotate a Security Object
diff --git a/docs/resources/dsm_azure_sobject.md b/docs/resources/dsm_azure_sobject.md
@@ -23,6 +23,11 @@ resource "dsm_azure_sobject" "sobject" {
         azure_key_state = <azure_key_state> 
         azure-key-name = <azure_key_name>
     }
+    rotation_policy = {
+      interval_days = <number of days>
+      effective_at = "<yyyymmddThhmmssZ>"
+      deactivate_rotated_key = <true/false>
+    }
 }
 ```
 
@@ -43,6 +48,21 @@ The following arguments are supported in the `dsm_azure_sobject` resource block:
 * _**custom\_metadata (optional)**_:  Azure CMK level metadata information
   *	**azure-key-state** – Key state within Azure KV
   * **azure-key-name** - Key name within Azure KV
+* _**rotation_policy(optional)**_ = Policy to rotate a Security Object, configure the below parameters.
+* * _**interval_days**_ = Rotate the key for every given number of days
+* * _**interval_weeks**_ = Rotate the key for every given number of weeks
+* * _**interval_months**_ = Rotate the key for every given number of months
+* * _**interval_years**_ = Rotate the key for every given number of years
+* * _**effective_at**_ = Start of the rotation policy time
+* * _**deactivate_rotated_key**_ = Deactivate original key after rotation (true/false)
+
+## Note on rotational_policy
+
+Only one of the following attributes should be used while configuring the interval in rotational_policy
+1. interval_days
+2. interval_weeks
+3. interval_months
+4. interval_years
   
 ## Attribute Reference
 
@@ -66,3 +86,4 @@ The following attributes are stored in the `dsm_azure_sobject` resource block:
 * _**custom\_metadata (optional)**_:  Azure CMK level metadata information
   *	**azure-key-state** – Key state within Azure KV
   * **azure-key-name** - Key name within Azure KV
+* _**rotation\_policy**_ = Policy to rotate a Security Object
diff --git a/docs/resources/dsm_sobject.md b/docs/resources/dsm_sobject.md
@@ -30,6 +30,12 @@ resource "dsm_sobject" "sobject" {
     value = <imported sobject content>
     hash_alg = <HashAlgorithm>
     subgroup_size = <subgroup_size_value>
+    rotation_policy = {
+      interval_days = <number of days>
+      effective_at = "<yyyymmddThhmmssZ>"
+      deactivate_rotated_key = <true/false>
+      rotate_copied_keys = "all_external"
+    }
 }
 ```
 
@@ -58,6 +64,24 @@ The following arguments are supported in the `dsm_sobject` resource block:
 * _**allowed\_missing\_justifications (optional)**_: The security object allows missing justifications even if not provided.
 * _**hash\_alg**_ = Hashing Algorithm for KCDSA and ECKCDSA
 * _**subgroup\_size**_ = Subgroup Size for DSA and ECKCDSA
+* _**rotation_policy(optional)**_ = Policy to rotate a Security Object, configure the below parameters.
+* * _**interval_days**_ = Rotate the key for every given number of days
+* * _**interval_weeks**_ = Rotate the key for every given number of weeks
+* * _**interval_months**_ = Rotate the key for every given number of months
+* * _**interval_years**_ = Rotate the key for every given number of years
+* * _**effective_at**_ = Start of the rotation policy time
+* * _**deactivate_rotated_key**_ = Deactivate original key after rotation (true/false)
+* * _**rotate_copied_keys**_ = Enable key rotation for copied keys
+
+## Note on rotational_policy
+
+Only one of the following attributes should be used while configuring the interval in rotational_policy
+  1. interval_days
+  2. interval_weeks
+  3. interval_months
+  4. interval_years
+
+
 
 ## Attribute Reference
 
@@ -89,4 +113,5 @@ The following attributes are stored in the `dsm_sobject` resource block:
 * _**allowed\_missing\_justifications (optional)**_: Boolean value which allows missing justifications even if not provided to the security object. The values are `True` / `False`.
 
 * _**hash\_alg**_ = Hashing Algorithm for KCDSA and ECKCDSA. The allowed Hashing Algorithms are `SHA1`,`SHA224`, `SHA256`, `SHA384`, `SHA521`.
-* _**subgroup\_size**_ = Subgroup Size for DSA and ECKCDSA. The allowed Subgroup Sizes are `224` and `256`
+* _**subgroup\_size**_ = Subgroup Size for DSA and ECKCDSA. The allowed Subgroup Sizes are `224` and `256`
+* _**rotation\_policy**_ = Policy to rotate a security object
diff --git a/dsm/common.go b/dsm/common.go
@@ -15,6 +15,7 @@ import (
 	"encoding/json"
 	//"encoding/pem"
 	"fmt"
+	"strconv"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -152,3 +153,44 @@ func substr(input string, start int, length int) string {
 
         return string(asRunes[start : start+length])
 }
+
+// To write/update the security object rotation_policy
+func sobj_rotation_policy_write(rp map[string]interface{}) map[string]interface{} {
+        rotation_policy := make(map[string]interface{})
+        for k, v := range  rp{
+            /* while sending the request, interval_days should be assigned as an integer.
+               Hence it is converted to integer from the string.
+            */
+            if k == "interval_days" {
+                val, _ := strconv.Atoi(v.(string))
+                rotation_policy[k] = val
+            } else if k == "deactivate_rotated_key" {
+                /* while sending the request, deactivate_rotated_key should be assigned as a boolean..
+                   Hence it is converted to boolean from the string.
+                */
+                val, _ := strconv.ParseBool(v.(string))
+                rotation_policy[k] = val
+            } else {
+                rotation_policy[k] = v
+            }
+        }
+        return rotation_policy
+}
+
+// To read the security object rotation_policy
+func sobj_rotation_policy_read(rp map[string]interface{}) map[string]interface{}  {
+        rotation_policy := make(map[string]interface{})
+        for k, v := range  rp{
+            /* while reading the rotation_policy from terraform the interval_days attribute is assigned as float64 datatype.
+               Hence it will be converted to string from float object.
+            */
+            if k == "interval_days" {
+                rotation_policy[k] = strconv.FormatFloat(v.(float64), 'f', -1, 64)
+            } else if k == "deactivate_rotated_key" {
+                rotation_policy[k] = strconv.FormatBool(v.(bool))
+            } else {
+                rotation_policy[k] = v
+            }
+        }
+        return rotation_policy
+}
diff --git a/dsm/resource_aws_sobject.go b/dsm/resource_aws_sobject.go
@@ -90,6 +90,13 @@ func resourceAWSSobject() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"rotation_policy": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type:     schema.TypeString,
+				},
+			},
 			"custom_metadata": {
 				Type:     schema.TypeMap,
 				Optional: true,
@@ -203,6 +210,9 @@ func resourceCreateAWSSobject(ctx context.Context, d *schema.ResourceData, m int
 	if err := d.Get("custom_metadata").(map[string]interface{}); len(err) > 0 {
 		security_object["custom_metadata"] = d.Get("custom_metadata")
 	}
+	if rotation_policy := d.Get("rotation_policy").(map[string]interface{}); len(rotation_policy) > 0 {
+		security_object["rotation_policy"] = sobj_rotation_policy_write(rotation_policy)
+	}
 
 	// FYOO: Get tags
 	if err := d.Get("aws_tags").(map[string]interface{}); len(err) > 0 {
@@ -355,6 +365,12 @@ func resourceReadAWSSobject(ctx context.Context, d *schema.ResourceData, m inter
 				return diag.FromErr(newerr)
 			}
 		}
+		if _, ok := req["rotation_policy"]; ok {
+			rotation_policy := sobj_rotation_policy_read(req["rotation_policy"].(map[string]interface{}))
+			if err := d.Set("rotation_policy", rotation_policy); err != nil {
+				return diag.FromErr(err)
+			}
+		}
 		// FYOO: clear values that are irrelevant
 		d.Set("rotate", "")
 		d.Set("rotate_from", "")
diff --git a/dsm/resource_azure_sobject.go b/dsm/resource_azure_sobject.go
@@ -63,6 +63,13 @@ func resourceAzureSobject() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"rotation_policy": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type:     schema.TypeString,
+				},
+			},
 			"custom_metadata": {
 				Type:     schema.TypeMap,
 				Optional: true,
@@ -140,6 +147,9 @@ func resourceCreateAzureSobject(ctx context.Context, d *schema.ResourceData, m i
 	if err := d.Get("custom_metadata").(map[string]interface{}); len(err) > 0 {
 		security_object["custom_metadata"] = d.Get("custom_metadata")
 	}
+	if rotation_policy := d.Get("rotation_policy").(map[string]interface{}); len(rotation_policy) > 0 {
+		security_object["rotation_policy"] = sobj_rotation_policy_write(rotation_policy)
+	}
 
 	req, err := m.(*api_client).APICallBody("POST", "crypto/v1/keys/copy", security_object)
 	if err != nil {
@@ -254,6 +264,12 @@ func resourceReadAzureSobject(ctx context.Context, d *schema.ResourceData, m int
 				return diag.FromErr(newerr)
 			}
 		}
+		if _, ok := req["rotation_policy"]; ok {
+			rotation_policy := sobj_rotation_policy_read(req["rotation_policy"].(map[string]interface{}))
+			if err := d.Set("rotation_policy", rotation_policy); err != nil {
+				return diag.FromErr(err)
+			}
+		}
 	}
 
 	return nil
diff --git a/dsm/resource_sobject.go b/dsm/resource_sobject.go
@@ -69,6 +69,13 @@ func resourceSobject() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"rotation_policy": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type:     schema.TypeString,
+				},
+			},
 			// Unable to define links
 			//"links": {
 			//	Type:     schema.TypeMap,
@@ -305,6 +312,9 @@ func createSO(ctx context.Context, d *schema.ResourceData, m interface{}) diag.D
 	if err := d.Get("custom_metadata").(map[string]interface{}); len(err) > 0 {
 		security_object["custom_metadata"] = err
 	}
+	if rotation_policy := d.Get("rotation_policy").(map[string]interface{}); len(rotation_policy) > 0 {
+		security_object["rotation_policy"] = sobj_rotation_policy_write(rotation_policy)
+	}
 	
 	if len(hash_alg) > 0 && obj_type == "KCDSA" {
 		kcdsa := make(map[string]interface{})
@@ -556,6 +566,12 @@ func resourceReadSobject(ctx context.Context, d *schema.ResourceData, m interfac
 			}
 		}
 		}
+		if _, ok := req["rotation_policy"]; ok {
+			rotation_policy := sobj_rotation_policy_read(req["rotation_policy"].(map[string]interface{}))
+			if err := d.Set("rotation_policy", rotation_policy); err != nil {
+				return diag.FromErr(err)
+			}
+		}
 
 		// FYOO: clear values that are irrelevant
 		d.Set("rotate", "")
@@ -619,6 +635,11 @@ func resourceUpdateSobject(ctx context.Context, d *schema.ResourceData, m interf
 		security_object["custom_metadata"] = d.Get("custom_metadata").(map[string]interface{})
 		has_changed = true
 	}
+	if d.HasChange("rotation_policy") {
+		rotation_policy := d.Get("rotation_policy").(map[string]interface{})
+		security_object["rotation_policy"] = sobj_rotation_policy_write(rotation_policy)
+		has_changed = true
+	}
 	if d.HasChange("hash_alg") {
 		old_ha, new_ha := d.GetChange("hash_alg")
 		d.Set("hash_alg", old_ha)
