Add missing import_method valid options for google_kms_key_ring_import_job.

[romanini-ciandt]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

Comparing google_kms_key_ring_import_job terraform resource with keyring import-jobs API it is possible to notice that specifically for import_method field:

• Terraform resource possible values are: RSA_OAEP_3072_SHA1_AES_256, RSA_OAEP_4096_SHA1_AES_256.
• API import-jobs create possible values are: rsa-oaep-3072-sha1-aes-256, rsa-oaep-3072-sha256, rsa-oaep-3072-sha256-aes-256, rsa-oaep-4096-sha1-aes-256, rsa-oaep-4096-sha256, rsa-oaep-4096-sha256-aes-256.

For the use case I'm building a terraform automation, I have the explicit requirement to use rsa-oaep-4096-sha256 and because it is not available I won't be able to achieve the expected result by using google_kms_key_ring_import_job resource. I'll need to use gcloud instead.

New or Affected Resource(s)

• google_kms_key_ring_import_job

Potential Terraform Configuration

resource "google_kms_key_ring_import_job" "import-job" {
  key_ring      = google_kms_key_ring.keyring.id
  import_job_id = "import-job-id"

  import_method    = "rsa-oaep-4096-sha256" // Desired but not available import_method option
  protection_level = "HSM"
}

References

No response

b/328081938

[tdbhacks]

Without having taken a very close look, this might be an easy fix: https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/products/kms/KeyRingImportJob.yaml#L70-L78

We'll have to check the tests and if anything else needs to be changed though

[melinath]

Note from triage: Actual list of values that should be supported: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.importJobs#importmethod

If this field is expected to change frequently, it could make sense to eliminate the validation of enum values altogether so the provider doesn't have to be updated each time.