kms: migrate to AWS SDK v2

aristosvo · Apr 27, 2024 · 076b89b · 076b89b
1 parent 92be836
commit 076b89b
Show file tree

Hide file tree

Showing 41 changed files with 567 additions and 562 deletions.
diff --git a/go.mod b/go.mod
@@ -228,6 +228,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.31.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
 	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -230,6 +230,8 @@ github.com/aws/aws-sdk-go-v2/service/keyspaces v1.10.4 h1:b8U8xht0BhuuzDlKUq/QzB
 github.com/aws/aws-sdk-go-v2/service/keyspaces v1.10.4/go.mod h1:K0uQVx8xnUBI3CudcERApORx5cJrVUDew1K3deRDjLU=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4 h1:Oe8awBiS/iitcsRJB5+DHa3iCxoA0KwJJf0JNrYMINY=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4/go.mod h1:RCZCSFbieSgNG1RKegO26opXV4EXyef/vNBVJsUyHuw=
+github.com/aws/aws-sdk-go-v2/service/kms v1.31.0 h1:yl7wcqbisxPzknJVfWTLnK83McUvXba+pz2+tPbIUmQ=
+github.com/aws/aws-sdk-go-v2/service/kms v1.31.0/go.mod h1:2snWQJQUKsbN66vAawJuOGX7dr37pfOq9hb0tZDGIqQ=
 github.com/aws/aws-sdk-go-v2/service/lakeformation v1.32.0 h1:X7ydA78B8lmKVgGS3XEVUsgMKMHoYhmIwoxl3U2S2wg=
 github.com/aws/aws-sdk-go-v2/service/lakeformation v1.32.0/go.mod h1:0xTSto0XwDuPvY7P3XoEwOLH7sr5EzehNvxCoBaeuPU=
 github.com/aws/aws-sdk-go-v2/service/lambda v1.54.0 h1:gazALVrZ7RIG6gJXut3c7NKtPgs9eQ8BFCA9uoliayk=

diff --git a/internal/conns/awsclient.go b/internal/conns/awsclient.go
@@ -15,13 +15,13 @@ import (
 	aws_sdkv2 "github.com/aws/aws-sdk-go-v2/aws"
 	config_sdkv2 "github.com/aws/aws-sdk-go-v2/config"
 	apigatewayv2_types "github.com/aws/aws-sdk-go-v2/service/apigatewayv2/types"
+	kms_sdkv2 "github.com/aws/aws-sdk-go-v2/service/kms"
 	s3_sdkv2 "github.com/aws/aws-sdk-go-v2/service/s3"
 	aws_sdkv1 "github.com/aws/aws-sdk-go/aws"
 	session_sdkv1 "github.com/aws/aws-sdk-go/aws/session"
 	directoryservice_sdkv1 "github.com/aws/aws-sdk-go/service/directoryservice"
 	dynamodb_sdkv1 "github.com/aws/aws-sdk-go/service/dynamodb"
 	efs_sdkv1 "github.com/aws/aws-sdk-go/service/efs"
-	kms_sdkv1 "github.com/aws/aws-sdk-go/service/kms"
 	opsworks_sdkv1 "github.com/aws/aws-sdk-go/service/opsworks"
 	rds_sdkv1 "github.com/aws/aws-sdk-go/service/rds"
 	baselogging "github.com/hashicorp/aws-sdk-go-base/v2/logging"
@@ -95,14 +95,14 @@ func (c *AWSClient) EFSConnForRegion(ctx context.Context, region string) *efs_sd
 	return efs_sdkv1.New(c.session, aws_sdkv1.NewConfig().WithRegion(region))
 }
 
-// KMSConnForRegion returns an AWS SDK For Go v1 KMS API client for the specified AWS Region.
+// KMSConnForRegion returns an AWS SDK For Go v2 KMS API client for the specified AWS Region.
 // If the specified region is not the default a new "simple" client is created.
 // This new client does not use any configured endpoint override.
-func (c *AWSClient) KMSConnForRegion(ctx context.Context, region string) *kms_sdkv1.KMS {
+func (c *AWSClient) KMSConnForRegion(ctx context.Context, region string) *kms_sdkv2.Client {
 	if region == c.Region {
-		return c.KMSConn(ctx)
+		return c.KMSClient(ctx)
 	}
-	return kms_sdkv1.New(c.session, aws_sdkv1.NewConfig().WithRegion(region))
+	return kms_sdkv2.New(kms_sdkv2.Options{Region: region})
 }
 
 // KMSConnForRegion returns an AWS SDK For Go v1 OpsWorks API client for the specified AWS Region.

diff --git a/internal/conns/awsclient_gen.go b/internal/conns/awsclient_gen.go
diff --git a/internal/service/ec2/ebs_default_kms_key_test.go b/internal/service/ec2/ebs_default_kms_key_test.go
@@ -103,7 +103,7 @@ func testAccCheckEBSDefaultKMSKey(ctx context.Context, name string) resource.Tes
 
 // testAccEBSManagedDefaultKey returns' the account's AWS-managed default CMK.
 func testAccEBSManagedDefaultKey(ctx context.Context) (*arn.ARN, error) {
-	conn := acctest.Provider.Meta().(*conns.AWSClient).KMSConn(ctx)
+	conn := acctest.Provider.Meta().(*conns.AWSClient).KMSClient(ctx)
 
 	alias, err := tfkms.FindAliasByName(ctx, conn, "alias/aws/ebs")
 	if err != nil {

diff --git a/internal/service/kms/alias.go b/internal/service/kms/alias.go
@@ -7,13 +7,14 @@ import (
 	"context"
 	"log"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/kms"
-	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
+	awstypes "github.com/aws/aws-sdk-go-v2/service/kms/types"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	"github.com/hashicorp/terraform-provider-aws/internal/create"
+	"github.com/hashicorp/terraform-provider-aws/internal/errs"
 	"github.com/hashicorp/terraform-provider-aws/internal/errs/sdkdiag"
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 )
@@ -70,7 +71,7 @@ func ResourceAlias() *schema.Resource {
 
 func resourceAliasCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	namePrefix := d.Get("name_prefix").(string)
 	if namePrefix == "" {
@@ -84,11 +85,13 @@ func resourceAliasCreate(ctx context.Context, d *schema.ResourceData, meta inter
 	}
 
 	// KMS is eventually consistent.
-	log.Printf("[DEBUG] Creating KMS Alias: %s", input)
+	log.Printf("[DEBUG] Creating KMS Alias: %v", input)
+
+	var NotFoundException = &awstypes.NotFoundException{}
 
 	_, err := tfresource.RetryWhenAWSErrCodeEquals(ctx, KeyRotationUpdatedTimeout, func() (interface{}, error) {
-		return conn.CreateAliasWithContext(ctx, input)
-	}, kms.ErrCodeNotFoundException)
+		return conn.CreateAlias(ctx, input)
+	}, NotFoundException.ErrorCode())
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "creating KMS Alias (%s): %s", name, err)
@@ -101,7 +104,7 @@ func resourceAliasCreate(ctx context.Context, d *schema.ResourceData, meta inter
 
 func resourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	outputRaw, err := tfresource.RetryWhenNewResourceNotFound(ctx, PropagationTimeout, func() (interface{}, error) {
 		return FindAliasByName(ctx, conn, d.Id())
@@ -117,17 +120,17 @@ func resourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interfa
 		return sdkdiag.AppendErrorf(diags, "reading KMS Alias (%s): %s", d.Id(), err)
 	}
 
-	alias := outputRaw.(*kms.AliasListEntry)
-	aliasARN := aws.StringValue(alias.AliasArn)
-	targetKeyID := aws.StringValue(alias.TargetKeyId)
+	alias := outputRaw.(*awstypes.AliasListEntry)
+	aliasARN := aws.ToString(alias.AliasArn)
+	targetKeyID := aws.ToString(alias.TargetKeyId)
 	targetKeyARN, err := AliasARNToKeyARN(aliasARN, targetKeyID)
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "reading KMS Alias (%s): %s", d.Id(), err)
 	}
 
 	d.Set("arn", aliasARN)
 	d.Set("name", alias.AliasName)
-	d.Set("name_prefix", create.NamePrefixFromName(aws.StringValue(alias.AliasName)))
+	d.Set("name_prefix", create.NamePrefixFromName(aws.ToString(alias.AliasName)))
 	d.Set("target_key_arn", targetKeyARN)
 	d.Set("target_key_id", targetKeyID)
 
@@ -136,16 +139,16 @@ func resourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interfa
 
 func resourceAliasUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	if d.HasChange("target_key_id") {
 		input := &kms.UpdateAliasInput{
 			AliasName:   aws.String(d.Id()),
 			TargetKeyId: aws.String(d.Get("target_key_id").(string)),
 		}
 
-		log.Printf("[DEBUG] Updating KMS Alias: %s", input)
-		_, err := conn.UpdateAliasWithContext(ctx, input)
+		log.Printf("[DEBUG] Updating KMS Alias: %v", input)
+		_, err := conn.UpdateAlias(ctx, input)
 
 		if err != nil {
 			return sdkdiag.AppendErrorf(diags, "updating KMS Alias (%s): %s", d.Id(), err)
@@ -157,14 +160,14 @@ func resourceAliasUpdate(ctx context.Context, d *schema.ResourceData, meta inter
 
 func resourceAliasDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	log.Printf("[DEBUG] Deleting KMS Alias: (%s)", d.Id())
-	_, err := conn.DeleteAliasWithContext(ctx, &kms.DeleteAliasInput{
+	_, err := conn.DeleteAlias(ctx, &kms.DeleteAliasInput{
 		AliasName: aws.String(d.Id()),
 	})
 
-	if tfawserr.ErrCodeEquals(err, kms.ErrCodeNotFoundException) {
+	if errs.IsA[*awstypes.NotFoundException](err) {
 		return diags
 	}
 

diff --git a/internal/service/kms/alias_data_source.go b/internal/service/kms/alias_data_source.go
@@ -6,7 +6,7 @@ package kms
 import (
 	"context"
 
-	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
@@ -41,7 +41,7 @@ func DataSourceAlias() *schema.Resource {
 
 func dataSourceAliasRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	target := d.Get("name").(string)
 
@@ -51,7 +51,7 @@ func dataSourceAliasRead(ctx context.Context, d *schema.ResourceData, meta inter
 		return sdkdiag.AppendErrorf(diags, "reading KMS Alias (%s): %s", target, err)
 	}
 
-	d.SetId(aws.StringValue(alias.AliasArn))
+	d.SetId(aws.ToString(alias.AliasArn))
 	d.Set("arn", alias.AliasArn)
 
 	// ListAliases can return an alias for an AWS service key (e.g.

diff --git a/internal/service/kms/alias_test.go b/internal/service/kms/alias_test.go
@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	"github.com/YakDriver/regexache"
-	"github.com/aws/aws-sdk-go/service/kms"
+	awstypes "github.com/aws/aws-sdk-go-v2/service/kms/types"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
@@ -23,7 +23,7 @@ import (
 
 func TestAccKMSAlias_basic(t *testing.T) {
 	ctx := acctest.Context(t)
-	var alias kms.AliasListEntry
+	var alias awstypes.AliasListEntry
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_alias.test"
 	keyResourceName := "aws_kms_key.test"
@@ -55,7 +55,7 @@ func TestAccKMSAlias_basic(t *testing.T) {
 
 func TestAccKMSAlias_disappears(t *testing.T) {
 	ctx := acctest.Context(t)
-	var alias kms.AliasListEntry
+	var alias awstypes.AliasListEntry
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_alias.test"
 
@@ -79,7 +79,7 @@ func TestAccKMSAlias_disappears(t *testing.T) {
 
 func TestAccKMSAlias_Name_generated(t *testing.T) {
 	ctx := acctest.Context(t)
-	var alias kms.AliasListEntry
+	var alias awstypes.AliasListEntry
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_alias.test"
 
@@ -108,7 +108,7 @@ func TestAccKMSAlias_Name_generated(t *testing.T) {
 
 func TestAccKMSAlias_namePrefix(t *testing.T) {
 	ctx := acctest.Context(t)
-	var alias kms.AliasListEntry
+	var alias awstypes.AliasListEntry
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_alias.test"
 
@@ -137,7 +137,7 @@ func TestAccKMSAlias_namePrefix(t *testing.T) {
 
 func TestAccKMSAlias_updateKeyID(t *testing.T) {
 	ctx := acctest.Context(t)
-	var alias kms.AliasListEntry
+	var alias awstypes.AliasListEntry
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_alias.test"
 	key1ResourceName := "aws_kms_key.test"
@@ -176,7 +176,7 @@ func TestAccKMSAlias_updateKeyID(t *testing.T) {
 
 func TestAccKMSAlias_multipleAliasesForSameKey(t *testing.T) {
 	ctx := acctest.Context(t)
-	var alias kms.AliasListEntry
+	var alias awstypes.AliasListEntry
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_alias.test"
 	alias2ResourceName := "aws_kms_alias.test2"
@@ -210,7 +210,7 @@ func TestAccKMSAlias_multipleAliasesForSameKey(t *testing.T) {
 
 func TestAccKMSAlias_arnDiffSuppress(t *testing.T) {
 	ctx := acctest.Context(t)
-	var alias kms.AliasListEntry
+	var alias awstypes.AliasListEntry
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_alias.test"
 
@@ -243,7 +243,7 @@ func TestAccKMSAlias_arnDiffSuppress(t *testing.T) {
 
 func testAccCheckAliasDestroy(ctx context.Context) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
-		conn := acctest.Provider.Meta().(*conns.AWSClient).KMSConn(ctx)
+		conn := acctest.Provider.Meta().(*conns.AWSClient).KMSClient(ctx)
 
 		for _, rs := range s.RootModule().Resources {
 			if rs.Type != "aws_kms_alias" {
@@ -267,7 +267,7 @@ func testAccCheckAliasDestroy(ctx context.Context) resource.TestCheckFunc {
 	}
 }
 
-func testAccCheckAliasExists(ctx context.Context, name string, v *kms.AliasListEntry) resource.TestCheckFunc {
+func testAccCheckAliasExists(ctx context.Context, name string, v *awstypes.AliasListEntry) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[name]
 		if !ok {
@@ -278,7 +278,7 @@ func testAccCheckAliasExists(ctx context.Context, name string, v *kms.AliasListE
 			return fmt.Errorf("No KMS Alias ID is set")
 		}
 
-		conn := acctest.Provider.Meta().(*conns.AWSClient).KMSConn(ctx)
+		conn := acctest.Provider.Meta().(*conns.AWSClient).KMSClient(ctx)
 
 		output, err := tfkms.FindAliasByName(ctx, conn, rs.Primary.ID)
 

diff --git a/internal/service/kms/ciphertext.go b/internal/service/kms/ciphertext.go
@@ -7,8 +7,8 @@ import (
 	"context"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
@@ -52,7 +52,7 @@ func ResourceCiphertext() *schema.Resource {
 
 func resourceCiphertextCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	keyID := d.Get("key_id").(string)
 	input := &kms.EncryptInput{
@@ -61,10 +61,10 @@ func resourceCiphertextCreate(ctx context.Context, d *schema.ResourceData, meta
 	}
 
 	if v, ok := d.GetOk("context"); ok && len(v.(map[string]interface{})) > 0 {
-		input.EncryptionContext = flex.ExpandStringMap(v.(map[string]interface{}))
+		input.EncryptionContext = flex.ExpandStringValueMap(v.(map[string]interface{}))
 	}
 
-	output, err := conn.EncryptWithContext(ctx, input)
+	output, err := conn.Encrypt(ctx, input)
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "encrypting with KMS Key (%s): %s", keyID, err)

diff --git a/internal/service/kms/ciphertext_data_source.go b/internal/service/kms/ciphertext_data_source.go
@@ -6,8 +6,8 @@ package kms
 import (
 	"context"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
@@ -46,7 +46,7 @@ func DataSourceCiphertext() *schema.Resource {
 
 func dataSourceCiphertextRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
-	conn := meta.(*conns.AWSClient).KMSConn(ctx)
+	conn := meta.(*conns.AWSClient).KMSClient(ctx)
 
 	keyID := d.Get("key_id").(string)
 	input := &kms.EncryptInput{
@@ -55,16 +55,16 @@ func dataSourceCiphertextRead(ctx context.Context, d *schema.ResourceData, meta
 	}
 
 	if v, ok := d.GetOk("context"); ok && len(v.(map[string]interface{})) > 0 {
-		input.EncryptionContext = flex.ExpandStringMap(v.(map[string]interface{}))
+		input.EncryptionContext = flex.ExpandStringValueMap(v.(map[string]interface{}))
 	}
 
-	output, err := conn.EncryptWithContext(ctx, input)
+	output, err := conn.Encrypt(ctx, input)
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "encrypting with KMS Key (%s): %s", keyID, err)
 	}
 
-	d.SetId(aws.StringValue(output.KeyId))
+	d.SetId(aws.ToString(output.KeyId))
 	d.Set("ciphertext_blob", itypes.Base64Encode(output.CiphertextBlob))
 
 	return diags