fix: fix bug in the DA which can occur when using BYOK / KYOK for dat…
…a encryption, but using the default ICD key for backups encryption (#571)
jor2 authored Jan 23, 2025
1 parent 658f852 commit c8ddb0c
Showing 2 changed files with 76 additions and 41 deletions.
25 changes: 15 additions & 10 deletions main.tf
Expand Up @@ -38,30 +38,35 @@ locals {
# Parse info from KMS key CRNs
########################################################################################################################

locals {
parse_kms_key = !var.use_ibm_owned_encryption_key
parse_backup_kms_key = !var.use_ibm_owned_encryption_key && !var.use_default_backup_encryption_key
}

module "kms_key_crn_parser" {
count = var.use_ibm_owned_encryption_key ? 0 : 1
count = local.parse_kms_key ? 1 : 0
source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
version = "1.1.0"
crn = var.kms_key_crn
}

module "backup_key_crn_parser" {
count = var.use_ibm_owned_encryption_key ? 0 : 1
count = local.parse_backup_kms_key ? 1 : 0
source = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
version = "1.1.0"
crn = local.backup_encryption_key_crn
}

# Put parsed values into locals
locals {
kms_service = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_name : null
kms_account_id = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].account_id : null
kms_key_id = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].resource : null
kms_key_instance_guid = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_instance : null
backup_kms_service = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_name : null
backup_kms_account_id = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].account_id : null
backup_kms_key_id = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].resource : null
backup_kms_key_instance_guid = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_instance : null
kms_service = local.parse_kms_key ? module.kms_key_crn_parser[0].service_name : null
kms_account_id = local.parse_kms_key ? module.kms_key_crn_parser[0].account_id : null
kms_key_id = local.parse_kms_key ? module.kms_key_crn_parser[0].resource : null
kms_key_instance_guid = local.parse_kms_key ? module.kms_key_crn_parser[0].service_instance : null
backup_kms_service = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].service_name : null
backup_kms_account_id = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].account_id : null
backup_kms_key_id = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].resource : null
backup_kms_key_instance_guid = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].service_instance : null
}

########################################################################################################################
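Review bot: The new `parse_backup_kms_key` condition silently drops the backup key CRN whenever `use_ibm_owned_encryption_key` is true, even if the caller also set `use_default_backup_encryption_key = false` — exactly the combination the new `TestPlanValidation` exercises — so a user who believes they opted out of the default backup key gets no backup KMS wiring and every `backup_kms_*` local becomes null with no signal. Since a silent fallback from a customer-managed key to a provider-managed one is a classic encryption misconfiguration, I would at least document the precedence above the locals block: `# use_ibm_owned_encryption_key takes precedence: when true, neither key CRN is parsed and use_default_backup_encryption_key is ignored.` If the variable definitions (outside this hunk) allow it, a `validation`/`precondition` rejecting `use_ibm_owned_encryption_key = true` together with an explicitly supplied backup key CRN would make the intent explicit rather than implicit; I cannot see `local.backup_encryption_key_crn` or the consumers of the `backup_kms_*` locals from here, so confirm they tolerate null before relying on this gating.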
92 changes: 61 additions & 31 deletions tests/pr_test.go
Expand Up @@ -124,59 +124,89 @@ func TestRunStandardSolution(t *testing.T) {
assert.NotNil(t, output, "Expected some output")
}

// Test the DA when using IBM owned encryption keys
func TestRunStandardSolutionIBMKeys(t *testing.T) {
func TestRunStandardUpgradeSolution(t *testing.T) {
t.Parallel()

options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
Testing: t,
TerraformDir: standardSolutionTerraformDir,
Region: "us-south",
Prefix: "postgres-icd-key",
Prefix: "postgres-st-da-upg",
ResourceGroup: resourceGroup,
})

options.TerraformVars = map[string]interface{}{
"pg_version": "16",
"provider_visibility": "public",
"resource_group_name": options.Prefix,
"use_ibm_owned_encryption_key": true,
"existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
"kms_endpoint_type": "public",
"provider_visibility": "public",
"resource_group_name": options.Prefix,
"admin_pass": GetRandomAdminPassword(t),
}

output, err := options.RunTestConsistency()
assert.Nil(t, err, "This should not have errored")
assert.NotNil(t, output, "Expected some output")
output, err := options.RunTestUpgrade()
if !options.UpgradeTestSkipped {
assert.Nil(t, err, "This should not have errored")
assert.NotNil(t, output, "Expected some output")
}
}

func TestRunStandardUpgradeSolution(t *testing.T) {
func TestPlanValidation(t *testing.T) {
t.Parallel()

// Generate a 15 char long random string for the admin_pass.
randomBytes := make([]byte, 13)
_, randErr := rand.Read(randomBytes)
require.Nil(t, randErr) // do not proceed if we can't gen a random password
options := &terraform.Options{
TerraformDir: "../" + standardSolutionTerraformDir,
Vars: map[string]interface{}{
"prefix": "validate-plan",
"region": "us-south",
"kms_endpoint_type": "public",
"provider_visibility": "public",
"resource_group_name": "validate-plan",
"admin_pass": GetRandomAdminPassword(t),
},
Upgrade: true,
}

randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13]
_, initErr := terraform.InitE(t, options)
assert.Nil(t, initErr, "This should not have errored")

options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
Testing: t,
TerraformDir: standardSolutionTerraformDir,
Region: "us-south",
Prefix: "postgres-st-da-upg",
ResourceGroup: resourceGroup,
})
// Test the DA when using IBM owned encryption keys
var ibmOwnedEncrytionKeyTFVars = map[string]interface{}{
"use_default_backup_encryption_key": false,
"use_ibm_owned_encryption_key": true,
}

options.TerraformVars = map[string]interface{}{
"existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
"kms_endpoint_type": "public",
"provider_visibility": "public",
"resource_group_name": options.Prefix,
"admin_pass": randomPass,
// Test the DA when using Default Backup Encryption Key and not IBM owned encryption keys
var notIbmOwnedEncrytionKeyTFVars = map[string]interface{}{
"existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
"use_default_backup_encryption_key": true,
"use_ibm_owned_encryption_key": false,
}

output, err := options.RunTestUpgrade()
if !options.UpgradeTestSkipped {
// Create a list (slice) of the maps
tfVarsList := []map[string]interface{}{
ibmOwnedEncrytionKeyTFVars,
notIbmOwnedEncrytionKeyTFVars,
}

// Iterate over the slice of maps
for _, tfVars := range tfVarsList {
// Iterate over the keys and values in each map
for key, value := range tfVars {
options.Vars[key] = value
}
output, err := terraform.PlanE(t, options)
assert.Nil(t, err, "This should not have errored")
assert.NotNil(t, output, "Expected some output")
}
}

func GetRandomAdminPassword(t *testing.T) string {
// Generate a 15 char long random string for the admin_pass
randomBytes := make([]byte, 13)
_, randErr := rand.Read(randomBytes)
require.Nil(t, randErr) // do not proceed if we can't gen a random password

randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13]

return randomPass
}
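Review bot: `GetRandomAdminPassword` feeds a database admin password from `rand.Read`, and the import block is outside this section, so please confirm `rand` is `crypto/rand` rather than `math/rand` (whose deprecated `Read` is not suitable even for throwaway test credentials); a one-line comment such as `// crypto/rand: the password reaches a real ICD instance` would settle it for future readers. In `TestPlanValidation`, the loop writes each map's keys straight into `options.Vars`, so values set by an earlier scenario (e.g. `existing_kms_instance_crn` once added) persist into later plans and the scenarios are not independent; snapshot the base map before the loop and rebuild `options.Vars` from that snapshot plus the scenario's overrides on each iteration. The identifiers `ibmOwnedEncrytionKeyTFVars` and `notIbmOwnedEncrytionKeyTFVars` misspell "Encryption", and the exported `Get` prefix on the helper is unidiomatic for Go (`randomAdminPassword` would do).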
