fix: fix bug in the DA which can occur when using BYOK / KYOK for data encryption, but using the default ICD key for backups encryption (#571)

jor2 · web-flow · commit c8ddb0ca5b31 · 2025-01-23T15:54:52.000Z
diff --git a/main.tf b/main.tf
@@ -38,30 +38,35 @@ locals {
 # Parse info from KMS key CRNs
 ########################################################################################################################
 
+locals {
+  parse_kms_key        = !var.use_ibm_owned_encryption_key
+  parse_backup_kms_key = !var.use_ibm_owned_encryption_key && !var.use_default_backup_encryption_key
+}
+
 module "kms_key_crn_parser" {
-  count   = var.use_ibm_owned_encryption_key ? 0 : 1
+  count   = local.parse_kms_key ? 1 : 0
   source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
   version = "1.1.0"
   crn     = var.kms_key_crn
 }
 
 module "backup_key_crn_parser" {
-  count   = var.use_ibm_owned_encryption_key ? 0 : 1
+  count   = local.parse_backup_kms_key ? 1 : 0
   source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
   version = "1.1.0"
   crn     = local.backup_encryption_key_crn
 }
 
 # Put parsed values into locals
 locals {
-  kms_service                  = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_name : null
-  kms_account_id               = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].account_id : null
-  kms_key_id                   = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].resource : null
-  kms_key_instance_guid        = !var.use_ibm_owned_encryption_key ? module.kms_key_crn_parser[0].service_instance : null
-  backup_kms_service           = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_name : null
-  backup_kms_account_id        = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].account_id : null
-  backup_kms_key_id            = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].resource : null
-  backup_kms_key_instance_guid = !var.use_ibm_owned_encryption_key ? module.backup_key_crn_parser[0].service_instance : null
+  kms_service                  = local.parse_kms_key ? module.kms_key_crn_parser[0].service_name : null
+  kms_account_id               = local.parse_kms_key ? module.kms_key_crn_parser[0].account_id : null
+  kms_key_id                   = local.parse_kms_key ? module.kms_key_crn_parser[0].resource : null
+  kms_key_instance_guid        = local.parse_kms_key ? module.kms_key_crn_parser[0].service_instance : null
+  backup_kms_service           = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].service_name : null
+  backup_kms_account_id        = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].account_id : null
+  backup_kms_key_id            = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].resource : null
+  backup_kms_key_instance_guid = local.parse_backup_kms_key ? module.backup_key_crn_parser[0].service_instance : null
 }
 
 ########################################################################################################################
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -124,59 +124,89 @@ func TestRunStandardSolution(t *testing.T) {
 	assert.NotNil(t, output, "Expected some output")
 }
 
-// Test the DA when using IBM owned encryption keys
-func TestRunStandardSolutionIBMKeys(t *testing.T) {
+func TestRunStandardUpgradeSolution(t *testing.T) {
 	t.Parallel()
 
 	options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
 		Testing:       t,
 		TerraformDir:  standardSolutionTerraformDir,
 		Region:        "us-south",
-		Prefix:        "postgres-icd-key",
+		Prefix:        "postgres-st-da-upg",
 		ResourceGroup: resourceGroup,
 	})
 
 	options.TerraformVars = map[string]interface{}{
-		"pg_version":                   "16",
-		"provider_visibility":          "public",
-		"resource_group_name":          options.Prefix,
-		"use_ibm_owned_encryption_key": true,
+		"existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
+		"kms_endpoint_type":         "public",
+		"provider_visibility":       "public",
+		"resource_group_name":       options.Prefix,
+		"admin_pass":                GetRandomAdminPassword(t),
 	}
 
-	output, err := options.RunTestConsistency()
-	assert.Nil(t, err, "This should not have errored")
-	assert.NotNil(t, output, "Expected some output")
+	output, err := options.RunTestUpgrade()
+	if !options.UpgradeTestSkipped {
+		assert.Nil(t, err, "This should not have errored")
+		assert.NotNil(t, output, "Expected some output")
+	}
 }
 
-func TestRunStandardUpgradeSolution(t *testing.T) {
+func TestPlanValidation(t *testing.T) {
 	t.Parallel()
 
-	// Generate a 15 char long random string for the admin_pass.
-	randomBytes := make([]byte, 13)
-	_, randErr := rand.Read(randomBytes)
-	require.Nil(t, randErr) // do not proceed if we can't gen a random password
+	options := &terraform.Options{
+		TerraformDir: "../" + standardSolutionTerraformDir,
+		Vars: map[string]interface{}{
+			"prefix":              "validate-plan",
+			"region":              "us-south",
+			"kms_endpoint_type":   "public",
+			"provider_visibility": "public",
+			"resource_group_name": "validate-plan",
+			"admin_pass":          GetRandomAdminPassword(t),
+		},
+		Upgrade: true,
+	}
 
-	randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13]
+	_, initErr := terraform.InitE(t, options)
+	assert.Nil(t, initErr, "This should not have errored")
 
-	options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
-		Testing:       t,
-		TerraformDir:  standardSolutionTerraformDir,
-		Region:        "us-south",
-		Prefix:        "postgres-st-da-upg",
-		ResourceGroup: resourceGroup,
-	})
+	// Test the DA when using IBM owned encryption keys
+	var ibmOwnedEncrytionKeyTFVars = map[string]interface{}{
+		"use_default_backup_encryption_key": false,
+		"use_ibm_owned_encryption_key":      true,
+	}
 
-	options.TerraformVars = map[string]interface{}{
-		"existing_kms_instance_crn": permanentResources["hpcs_south_crn"],
-		"kms_endpoint_type":         "public",
-		"provider_visibility":       "public",
-		"resource_group_name":       options.Prefix,
-		"admin_pass":                randomPass,
+	// Test the DA when using Default Backup Encryption Key and not IBM owned encryption keys
+	var notIbmOwnedEncrytionKeyTFVars = map[string]interface{}{
+		"existing_kms_instance_crn":         permanentResources["hpcs_south_crn"],
+		"use_default_backup_encryption_key": true,
+		"use_ibm_owned_encryption_key":      false,
 	}
 
-	output, err := options.RunTestUpgrade()
-	if !options.UpgradeTestSkipped {
+	// Create a list (slice) of the maps
+	tfVarsList := []map[string]interface{}{
+		ibmOwnedEncrytionKeyTFVars,
+		notIbmOwnedEncrytionKeyTFVars,
+	}
+
+	// Iterate over the slice of maps
+	for _, tfVars := range tfVarsList {
+		// Iterate over the keys and values in each map
+		for key, value := range tfVars {
+			options.Vars[key] = value
+		}
+		output, err := terraform.PlanE(t, options)
 		assert.Nil(t, err, "This should not have errored")
 		assert.NotNil(t, output, "Expected some output")
 	}
 }
+
+func GetRandomAdminPassword(t *testing.T) string {
+	// Generate a 15 char long random string for the admin_pass
+	randomBytes := make([]byte, 13)
+	_, randErr := rand.Read(randomBytes)
+	require.Nil(t, randErr) // do not proceed if we can't gen a random password
+
+	randomPass := "A1" + base64.URLEncoding.EncodeToString(randomBytes)[:13]
+
+	return randomPass
+}
