Paddy drop pgp key (#2680)

Merged PR #2680.

third_party/terraform/resources/resource_google_service_account_key.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/hashicorp/terraform-plugin-sdk/helper/encryption"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 	"google.golang.org/api/iam/v1"
@@ -31,10 +30,10 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 				ValidateFunc: validation.StringInSlice([]string{"KEY_ALG_UNSPECIFIED", "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048"}, false),
 			},
 			"pgp_key": {
-				Type:       schema.TypeString,
-				Optional:   true,
-				ForceNew:   true,
-				Deprecated: "The pgp_key field has been deprecated and support for encrypting values in state will be removed in version 3.0.0. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Removed:  "The pgp_key field has been removed. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
 			},
 			"private_key_type": {
 				Type:         schema.TypeString,
@@ -77,10 +76,12 @@ func resourceGoogleServiceAccountKey() *schema.Resource {
 			"private_key_encrypted": {
 				Type:     schema.TypeString,
 				Computed: true,
+				Removed:  "The private_key_encrypted field has been removed. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
 			},
 			"private_key_fingerprint": {
 				Type:     schema.TypeString,
 				Computed: true,
+				Removed:  "The private_key_fingerprint field has been removed. See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.",
 			},
 		},
 	}
@@ -108,22 +109,7 @@ func resourceGoogleServiceAccountKeyCreate(d *schema.ResourceData, meta interfac
 	// Data only available on create.
 	d.Set("valid_after", sak.ValidAfterTime)
 	d.Set("valid_before", sak.ValidBeforeTime)
-	if v, ok := d.GetOk("pgp_key"); ok {
-		encryptionKey, err := encryption.RetrieveGPGKey(v.(string))
-		if err != nil {
-			return err
-		}
-
-		fingerprint, encrypted, err := encryption.EncryptValue(encryptionKey, sak.PrivateKeyData, "Google Service Account Key")
-		if err != nil {
-			return err
-		}
-
-		d.Set("private_key_encrypted", encrypted)
-		d.Set("private_key_fingerprint", fingerprint)
-	} else {
-		d.Set("private_key", sak.PrivateKeyData)
-	}
+	d.Set("private_key", sak.PrivateKeyData)
 
 	err = serviceAccountKeyWaitTime(config.clientIAM.Projects.ServiceAccounts.Keys, d.Id(), d.Get("public_key_type").(string), "Creating Service account key", 4)
 	if err != nil {

third_party/terraform/tests/resource_google_service_account_key_test.go

@@ -58,28 +58,6 @@ func TestAccServiceAccountKey_fromEmail(t *testing.T) {
 	})
 }
 
-func TestAccServiceAccountKey_pgp(t *testing.T) {
-	t.Parallel()
-	resourceName := "google_service_account_key.acceptance"
-	accountID := "a" + acctest.RandString(10)
-	displayName := "Terraform Test"
-	resource.Test(t, resource.TestCase{
-		PreCheck:  func() { testAccPreCheck(t) },
-		Providers: testAccProviders,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccServiceAccountKey_pgp(accountID, displayName, testKeyPairPubKey1),
-				Check: resource.ComposeTestCheckFunc(
-					testAccCheckGoogleServiceAccountKeyExists(resourceName),
-					resource.TestCheckResourceAttrSet(resourceName, "public_key"),
-					resource.TestCheckResourceAttrSet(resourceName, "private_key_encrypted"),
-					resource.TestCheckResourceAttrSet(resourceName, "private_key_fingerprint"),
-				),
-			},
-		},
-	})
-}
-
 func testAccCheckGoogleServiceAccountKeyExists(r string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 
@@ -129,47 +107,3 @@ resource "google_service_account_key" "acceptance" {
 }
 `, account, name)
 }
-
-func testAccServiceAccountKey_pgp(account, name string, key string) string {
-	return fmt.Sprintf(`
-resource "google_service_account" "acceptance" {
-	account_id = "%s"
-	display_name = "%s"
-}
-
-resource "google_service_account_key" "acceptance" {
-	service_account_id = "${google_service_account.acceptance.name}"
-	public_key_type = "TYPE_X509_PEM_FILE"
-	pgp_key = <<EOF
-%s
-EOF
-}
-`, account, name, key)
-}
-
-const testKeyPairPubKey1 = `mQENBFXbjPUBCADjNjCUQwfxKL+RR2GA6pv/1K+zJZ8UWIF9S0lk7cVIEfJiprzzwiMwBS5cD0da
-rGin1FHvIWOZxujA7oW0O2TUuatqI3aAYDTfRYurh6iKLC+VS+F7H+/mhfFvKmgr0Y5kDCF1j0T/
-063QZ84IRGucR/X43IY7kAtmxGXH0dYOCzOe5UBX1fTn3mXGe2ImCDWBH7gOViynXmb6XNvXkP0f
-sF5St9jhO7mbZU9EFkv9O3t3EaURfHopsCVDOlCkFCw5ArY+DUORHRzoMX0PnkyQb5OzibkChzpg
-8hQssKeVGpuskTdz5Q7PtdW71jXd4fFVzoNH8fYwRpziD2xNvi6HABEBAAG0EFZhdWx0IFRlc3Qg
-S2V5IDGJATgEEwECACIFAlXbjPUCGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOfLr44B
-HbeTo+sH/i7bapIgPnZsJ81hmxPj4W12uvunksGJiC7d4hIHsG7kmJRTJfjECi+AuTGeDwBy84TD
-cRaOB6e79fj65Fg6HgSahDUtKJbGxj/lWzmaBuTzlN3CEe8cMwIPqPT2kajJVdOyrvkyuFOdPFOE
-A7bdCH0MqgIdM2SdF8t40k/ATfuD2K1ZmumJ508I3gF39jgTnPzD4C8quswrMQ3bzfvKC3klXRlB
-C0yoArn+0QA3cf2B9T4zJ2qnvgotVbeK/b1OJRNj6Poeo+SsWNc/A5mw7lGScnDgL3yfwCm1gQXa
-QKfOt5x+7GqhWDw10q+bJpJlI10FfzAnhMF9etSqSeURBRW5AQ0EVduM9QEIAL53hJ5bZJ7oEDCn
-aY+SCzt9QsAfnFTAnZJQrvkvusJzrTQ088eUQmAjvxkfRqnv981fFwGnh2+I1Ktm698UAZS9Jt8y
-jak9wWUICKQO5QUt5k8cHwldQXNXVXFa+TpQWQR5yW1a9okjh5o/3d4cBt1yZPUJJyLKY43Wvptb
-6EuEsScO2DnRkh5wSMDQ7dTooddJCmaq3LTjOleRFQbu9ij386Do6jzK69mJU56TfdcydkxkWF5N
-ZLGnED3lq+hQNbe+8UI5tD2oP/3r5tXKgMy1R/XPvR/zbfwvx4FAKFOP01awLq4P3d/2xOkMu4Lu
-9p315E87DOleYwxk+FoTqXEAEQEAAYkCPgQYAQIACQUCVduM9QIbLgEpCRDny6+OAR23k8BdIAQZ
-AQIABgUCVduM9QAKCRAID0JGyHtSGmqYB/4m4rJbbWa7dBJ8VqRU7ZKnNRDR9CVhEGipBmpDGRYu
-lEimOPzLUX/ZXZmTZzgemeXLBaJJlWnopVUWuAsyjQuZAfdd8nHkGRHG0/DGum0l4sKTta3OPGHN
-C1z1dAcQ1RCr9bTD3PxjLBczdGqhzw71trkQRBRdtPiUchltPMIyjUHqVJ0xmg0hPqFic0fICsr0
-YwKoz3h9+QEcZHvsjSZjgydKvfLYcm+4DDMCCqcHuJrbXJKUWmJcXR0y/+HQONGrGJ5xWdO+6eJi
-oPn2jVMnXCm4EKc7fcLFrz/LKmJ8seXhxjM3EdFtylBGCrx3xdK0f+JDNQaC/rhUb5V2XuX6VwoH
-/AtY+XsKVYRfNIupLOUcf/srsm3IXT4SXWVomOc9hjGQiJ3rraIbADsc+6bCAr4XNZS7moViAAcI
-PXFv3m3WfUlnG/om78UjQqyVACRZqqAGmuPq+TSkRUCpt9h+A39LQWkojHqyob3cyLgy6z9Q557O
-9uK3lQozbw2gH9zC0RqnePl+rsWIUU/ga16fH6pWc1uJiEBt8UZGypQ/E56/343epmYAe0a87sHx
-8iDV+dNtDVKfPRENiLOOc19MmS+phmUyrbHqI91c0pmysYcJZCD3a502X1gpjFbPZcRtiTmGnUKd
-OIu60YPNE4+h7u2CfYyFPu3AlUaGNMBlvy6PEpU=`

third_party/terraform/website/docs/r/google_service_account_key.html.markdown

@@ -79,15 +79,6 @@ Valid values are listed at
 
 * `private_key_type` (Optional) The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
 
-* `pgp_key` – (Optional, Deprecated) An optional PGP key to encrypt the resulting private
-key material. Only used when creating or importing a new key pair. May either be
-a base64-encoded public key or a `keybase:keybaseusername` string for looking up
-in Vault.
-
-~> **NOTE:** The pgp_key field has been deprecated and support for encrypting values in state will be removed in version 3.0.0.
-See https://www.terraform.io/docs/extend/best-practices/sensitive-state.html for more information.
-
-
 ## Attributes Reference
 
 The following attributes are exported in addition to the arguments listed above:
@@ -97,15 +88,7 @@ The following attributes are exported in addition to the arguments listed above:
 * `public_key` - The public key, base64 encoded
 
 * `private_key` - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
-service account keys through the CLI or web console. This is only populated when creating a new key, and when no
-`pgp_key` is provided.
-
-* `private_key_encrypted` – The private key material, base 64 encoded and
-encrypted with the given `pgp_key`. This is only populated when creating a new
-key and `pgp_key` is supplied
-
-* `private_key_fingerprint` - The MD5 public key fingerprint for the encrypted
-private key. This is only populated when creating a new key and `pgp_key` is supplied
+service account keys through the CLI or web console. This is only populated when creating a new key.
 
 * `valid_after` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".