Merge pull request #43139 from acwwat/f-aws_cloudwatch_event_archive-add_kms_key_identifier_arg

feat: Add kms_key_identifier arg to aws_cloudwatch_event_archive

Author: ewbankkit

.changelog/43139.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_cloudwatch_event_archive: Add `kms_key_identifier` argument
+```

internal/service/events/archive.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"log"
 
+	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/eventbridge"
 	"github.com/aws/aws-sdk-go-v2/service/eventbridge/types"
@@ -60,6 +61,14 @@ func resourceArchive() *schema.Resource {
 				ForceNew:     true,
 				ValidateFunc: verify.ValidARN,
 			},
+			"kms_key_identifier": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ValidateFunc: validation.All(
+					validation.StringLenBetween(0, 2048),
+					validation.StringMatch(regexache.MustCompile(`^[a-zA-Z0-9_\-/:]*$`), ""),
+				),
+			},
 			names.AttrName: {
 				Type:         schema.TypeString,
 				Required:     true,
@@ -97,6 +106,10 @@ func resourceArchiveCreate(ctx context.Context, d *schema.ResourceData, meta any
 		input.EventPattern = aws.String(v)
 	}
 
+	if v, ok := d.GetOk("kms_key_identifier"); ok {
+		input.KmsKeyIdentifier = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("retention_days"); ok {
 		input.RetentionDays = aws.Int32(int32(v.(int)))
 	}
@@ -132,6 +145,7 @@ func resourceArchiveRead(ctx context.Context, d *schema.ResourceData, meta any)
 	d.Set(names.AttrDescription, output.Description)
 	d.Set("event_pattern", output.EventPattern)
 	d.Set("event_source_arn", output.EventSourceArn)
+	d.Set("kms_key_identifier", output.KmsKeyIdentifier)
 	d.Set(names.AttrName, output.ArchiveName)
 	d.Set("retention_days", output.RetentionDays)
 
@@ -159,6 +173,10 @@ func resourceArchiveUpdate(ctx context.Context, d *schema.ResourceData, meta any
 		input.EventPattern = aws.String(v)
 	}
 
+	if v, ok := d.GetOk("kms_key_identifier"); ok {
+		input.KmsKeyIdentifier = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("retention_days"); ok {
 		input.RetentionDays = aws.Int32(int32(v.(int)))
 	}

internal/service/events/archive_test.go

@@ -40,6 +40,7 @@ func TestAccEventsArchive_basic(t *testing.T) {
 					acctest.CheckResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "events", fmt.Sprintf("archive/%s", archiveName)),
 					resource.TestCheckResourceAttr(resourceName, names.AttrDescription, ""),
 					resource.TestCheckResourceAttr(resourceName, "event_pattern", ""),
+					resource.TestCheckResourceAttr(resourceName, "kms_key_identifier", ""),
 				),
 			},
 			{
@@ -106,6 +107,91 @@ func TestAccEventsArchive_disappears(t *testing.T) {
 	})
 }
 
+func TestAccEventsArchive_kmsKeyIdentifier(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v1 eventbridge.DescribeArchiveOutput
+	archiveName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_cloudwatch_event_archive.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EventsServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckArchiveDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccArchiveConfig_kmsKeyIdentifier(archiveName, "${aws_kms_key.test_1.id}"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckArchiveExists(ctx, resourceName, &v1),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, archiveName),
+					resource.TestCheckResourceAttrPair(resourceName, "kms_key_identifier", "aws_kms_key.test_1", names.AttrID),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccArchiveConfig_kmsKeyIdentifier(archiveName, "${aws_kms_key.test_2.arn}"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckArchiveExists(ctx, resourceName, &v1),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, archiveName),
+					resource.TestCheckResourceAttrPair(resourceName, "kms_key_identifier", "aws_kms_key.test_2", names.AttrARN),
+				),
+			},
+			{
+				Config: testAccArchiveConfig_kmsKeyIdentifier(archiveName, "${aws_kms_alias.test_1.name}"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckArchiveExists(ctx, resourceName, &v1),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, archiveName),
+					resource.TestCheckResourceAttrPair(resourceName, "kms_key_identifier", "aws_kms_alias.test_1", names.AttrName),
+				),
+			},
+			{
+				Config: testAccArchiveConfig_kmsKeyIdentifier(archiveName, "${aws_kms_alias.test_1.arn}"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckArchiveExists(ctx, resourceName, &v1),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, archiveName),
+					resource.TestCheckResourceAttrPair(resourceName, "kms_key_identifier", "aws_kms_alias.test_1", names.AttrARN),
+				),
+			},
+		},
+	})
+}
+
+func TestAccEventsArchive_retentionSetOnCreation(t *testing.T) {
+	ctx := acctest.Context(t)
+	var v1 eventbridge.DescribeArchiveOutput
+	archiveName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_cloudwatch_event_archive.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EventsServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckArchiveDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccArchiveConfig_retentionOnCreation(archiveName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckArchiveExists(ctx, resourceName, &v1),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, archiveName),
+					resource.TestCheckResourceAttr(resourceName, "retention_days", "1"),
+					acctest.CheckResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "events", fmt.Sprintf("archive/%s", archiveName)),
+					resource.TestCheckResourceAttr(resourceName, names.AttrDescription, ""),
+					resource.TestCheckResourceAttr(resourceName, "event_pattern", ""),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckArchiveDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := acctest.Provider.Meta().(*conns.AWSClient).EventsClient(ctx)
@@ -153,38 +239,6 @@ func testAccCheckArchiveExists(ctx context.Context, n string, v *eventbridge.Des
 	}
 }
 
-func TestAccEventsArchive_retentionSetOnCreation(t *testing.T) {
-	ctx := acctest.Context(t)
-	var v1 eventbridge.DescribeArchiveOutput
-	archiveName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
-	resourceName := "aws_cloudwatch_event_archive.test"
-
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
-		ErrorCheck:               acctest.ErrorCheck(t, names.EventsServiceID),
-		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
-		CheckDestroy:             testAccCheckArchiveDestroy(ctx),
-		Steps: []resource.TestStep{
-			{
-				Config: testAccArchiveConfig_retentionOnCreation(archiveName),
-				Check: resource.ComposeTestCheckFunc(
-					testAccCheckArchiveExists(ctx, resourceName, &v1),
-					resource.TestCheckResourceAttr(resourceName, names.AttrName, archiveName),
-					resource.TestCheckResourceAttr(resourceName, "retention_days", "1"),
-					acctest.CheckResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "events", fmt.Sprintf("archive/%s", archiveName)),
-					resource.TestCheckResourceAttr(resourceName, names.AttrDescription, ""),
-					resource.TestCheckResourceAttr(resourceName, "event_pattern", ""),
-				),
-			},
-			{
-				ResourceName:      resourceName,
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
-		},
-	})
-}
-
 func testAccArchiveConfig_basic(name string) string {
 	return fmt.Sprintf(`
 resource "aws_cloudwatch_event_bus" "test" {
@@ -218,6 +272,130 @@ PATTERN
 `, name)
 }
 
+func testAccArchiveConfig_kmsKeyIdentifier(name, kmsKeyIdentifier string) string {
+	return fmt.Sprintf(`
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+resource "aws_cloudwatch_event_bus" "test" {
+  name = %[1]q
+}
+
+resource "aws_kms_key" "test_1" {
+  deletion_window_in_days = 7
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "key-policy-example"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow describing of the key"
+        Effect = "Allow"
+        Principal = {
+          Service = "events.amazonaws.com"
+        },
+        Action = [
+          "kms:DescribeKey"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow use of the key"
+        Effect = "Allow"
+        Principal = {
+          Service = "events.amazonaws.com"
+        },
+        Action = [
+          "kms:GenerateDataKey",
+          "kms:Decrypt",
+          "kms:ReEncrypt*"
+        ],
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "kms:EncryptionContext:aws:events:event-bus:arn" = aws_cloudwatch_event_bus.test.arn
+          }
+        }
+      }
+    ]
+  })
+  tags = {
+    EventBridgeApiDestinations = "true"
+  }
+}
+
+resource "aws_kms_alias" "test_1" {
+  name          = "alias/test-1"
+  target_key_id = aws_kms_key.test_1.key_id
+}
+
+resource "aws_kms_key" "test_2" {
+  deletion_window_in_days = 7
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "key-policy-example"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow describing of the key"
+        Effect = "Allow"
+        Principal = {
+          Service = "events.amazonaws.com"
+        },
+        Action = [
+          "kms:DescribeKey"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow use of the key"
+        Effect = "Allow"
+        Principal = {
+          Service = "events.amazonaws.com"
+        },
+        Action = [
+          "kms:GenerateDataKey",
+          "kms:Decrypt",
+          "kms:ReEncrypt*"
+        ],
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "kms:EncryptionContext:aws:events:event-bus:arn" = aws_cloudwatch_event_bus.test.arn
+          }
+        }
+      }
+    ]
+  })
+  tags = {
+    EventBridgeApiDestinations = "true"
+  }
+}
+
+resource "aws_cloudwatch_event_archive" "test" {
+  name               = %[1]q
+  event_source_arn   = aws_cloudwatch_event_bus.test.arn
+  kms_key_identifier = %[2]q
+}
+`, name, kmsKeyIdentifier)
+}
+
 func testAccArchiveConfig_retentionOnCreation(name string) string {
 	return fmt.Sprintf(`
 resource "aws_cloudwatch_event_bus" "test" {