Spanner MR CMEK Integration (#11319) (#19846)

[upstream:b0450ba0e17ac08ac7e07aa3bbb6eeea51785db4]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/11319.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+spanner: added `kmsKeyNames` to encryptionConfig of Database
+```

google/services/spanner/resource_spanner_database.go

@@ -162,10 +162,22 @@ whereas setting “enableDropProtection” to true protects the database from de
 					Schema: map[string]*schema.Schema{
 						"kms_key_name": {
 							Type:     schema.TypeString,
-							Required: true,
+							Optional: true,
 							ForceNew: true,
 							Description: `Fully qualified name of the KMS key to use to encrypt this database. This key must exist
 in the same location as the Spanner Database.`,
+							ExactlyOneOf: []string{"encryption_config.0.kms_key_name", "encryption_config.0.kms_key_names"},
+						},
+						"kms_key_names": {
+							Type:     schema.TypeList,
+							Optional: true,
+							ForceNew: true,
+							Description: `Fully qualified name of the KMS keys to use to encrypt this database. The keys must exist
+in the same locations as the Spanner Database.`,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+							ExactlyOneOf: []string{"encryption_config.0.kms_key_name", "encryption_config.0.kms_key_names"},
 						},
 					},
 				},
@@ -821,12 +833,46 @@ func flattenSpannerDatabaseEncryptionConfig(v interface{}, d *schema.ResourceDat
 	transformed := make(map[string]interface{})
 	transformed["kms_key_name"] =
 		flattenSpannerDatabaseEncryptionConfigKmsKeyName(original["kmsKeyName"], d, config)
+	transformed["kms_key_names"] =
+		flattenSpannerDatabaseEncryptionConfigKmsKeyNames(original["kmsKeyNames"], d, config)
 	return []interface{}{transformed}
 }
 func flattenSpannerDatabaseEncryptionConfigKmsKeyName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
 
+func flattenSpannerDatabaseEncryptionConfigKmsKeyNames(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	// Ignore `kms_key_names` if `kms_key_name` is set, because that field takes precedence.
+	_, kmsNameSet := d.GetOk("encryption_config.0.kms_key_name")
+	if kmsNameSet {
+		return nil
+	}
+
+	rawConfigValue := d.Get("encryption_config.0.kms_key_names")
+
+	// Convert config value to []string
+	configValue, err := tpgresource.InterfaceSliceToStringSlice(rawConfigValue)
+	if err != nil {
+		log.Printf("[ERROR] Failed to convert config value: %s", err)
+		return v
+	}
+
+	// Convert v to []string
+	apiStringValue, err := tpgresource.InterfaceSliceToStringSlice(v)
+	if err != nil {
+		log.Printf("[ERROR] Failed to convert API value: %s", err)
+		return v
+	}
+
+	sortedStrings, err := tpgresource.SortStringsByConfigOrder(configValue, apiStringValue)
+	if err != nil {
+		log.Printf("[ERROR] Could not sort API response value: %s", err)
+		return v
+	}
+
+	return sortedStrings
+}
+
 func flattenSpannerDatabaseDatabaseDialect(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -870,13 +916,24 @@ func expandSpannerDatabaseEncryptionConfig(v interface{}, d tpgresource.Terrafor
 		transformed["kmsKeyName"] = transformedKmsKeyName
 	}
 
+	transformedKmsKeyNames, err := expandSpannerDatabaseEncryptionConfigKmsKeyNames(original["kms_key_names"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedKmsKeyNames); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["kmsKeyNames"] = transformedKmsKeyNames
+	}
+
 	return transformed, nil
 }
 
 func expandSpannerDatabaseEncryptionConfigKmsKeyName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
 
+func expandSpannerDatabaseEncryptionConfigKmsKeyNames(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandSpannerDatabaseDatabaseDialect(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

google/tpgresource/utils.go

@@ -240,6 +240,25 @@ func ExpandStringMap(d TerraformResourceData, key string) map[string]string {
 	return ConvertStringMap(v.(map[string]interface{}))
 }
 
+// InterfaceSliceToStringSlice converts a []interface{} containing strings to []string
+func InterfaceSliceToStringSlice(v interface{}) ([]string, error) {
+	interfaceSlice, ok := v.([]interface{})
+	if !ok {
+		return nil, fmt.Errorf("expected []interface{}, got %T", v)
+	}
+
+	stringSlice := make([]string, len(interfaceSlice))
+	for i, item := range interfaceSlice {
+		strItem, ok := item.(string)
+		if !ok {
+			return nil, fmt.Errorf("expected string, got %T at index %d", item, i)
+		}
+		stringSlice[i] = strItem
+	}
+
+	return stringSlice, nil
+}
+
 // SortStringsByConfigOrder takes a slice of map[string]interface{} from a TF config
 // and API data, and returns a new slice containing the API data, reorderd to match
 // the TF config as closely as possible (with new items at the end of the list.)

website/docs/r/spanner_database.html.markdown

@@ -131,10 +131,15 @@ When the field is set to false, deleting the database is allowed.
 <a name="nested_encryption_config"></a>The `encryption_config` block supports:
 
 * `kms_key_name` -
-  (Required)
+  (Optional)
   Fully qualified name of the KMS key to use to encrypt this database. This key must exist
   in the same location as the Spanner Database.
 
+* `kms_key_names` -
+  (Optional)
+  Fully qualified name of the KMS keys to use to encrypt this database. The keys must exist
+  in the same locations as the Spanner Database.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: