feat: Add kms key options to secrets manager instance commands (#1347)

s-inter · web-flow · commit 5003626fd584 · 2026-03-27T10:17:52.000Z
* feat(secrets-manager): add KMS flags to create and update instance commands

* feat(secrets-manager): implement request building with KMS key

* feat(secrets-manager): enforce mutual exclusivity between ACL and KMS key flags

* refactor(secrets-manager): refactor flag requirements to use cobra built-in validtion

* feat(secrets-manager): add KMS key options examples for create and update commands

* refactor(secrets-manager): change test data

* feat(secrets-manager): add KMS key options to create and update instance tests

* feat(secrets-manager): add KMS key details to instance output

* feat(secrets-manager): add docs

* fix(secrets-manager): include instance name in payload, as it is required

* feat(secrets-manager): Support multiple API calls for instance update and ACL updates to align with create command

* feat(secrets-manager): test new instance update features
diff --git a/docs/stackit_secrets-manager_instance_create.md b/docs/stackit_secrets-manager_instance_create.md
@@ -18,14 +18,21 @@ stackit secrets-manager instance create [flags]
 
   Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it
   $ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24
+
+  Create a Secrets Manager instance with name "my-instance" and configure KMS key options
+  $ stackit secrets-manager instance create --name my-instance --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email my-service-account-1234567@sa.stackit.cloud
 ```
 
 ### Options
 
 ```
-      --acl strings   List of IP networks in CIDR notation which are allowed to access this instance (default [])
-  -h, --help          Help for "stackit secrets-manager instance create"
-  -n, --name string   Instance name
+      --acl strings                        List of IP networks in CIDR notation which are allowed to access this instance (default [])
+  -h, --help                               Help for "stackit secrets-manager instance create"
+      --kms-key-id string                  ID of the KMS key to use for encryption
+      --kms-key-version int                Version of the KMS key
+      --kms-keyring-id string              ID of the KMS key ring
+      --kms-service-account-email string   Service account email for KMS access
+  -n, --name string                        Instance name
 ```
 
 ### Options inherited from parent commands
diff --git a/docs/stackit_secrets-manager_instance_update.md b/docs/stackit_secrets-manager_instance_update.md
@@ -13,15 +13,29 @@ stackit secrets-manager instance update INSTANCE_ID [flags]
 ### Examples
 
 ```
+  Update the name of a Secrets Manager instance with ID "xxx"
+  $ stackit secrets-manager instance update xxx --name my-new-name
+
   Update the range of IPs allowed to access a Secrets Manager instance with ID "xxx"
   $ stackit secrets-manager instance update xxx --acl 1.2.3.0/24
+
+  Update the name and ACLs of a Secrets Manager instance with ID "xxx"
+  $ stackit secrets-manager instance update xxx --name my-new-name --acl 1.2.3.0/24
+
+  Update the KMS key settings of a Secrets Manager instance with ID "xxx"
+  $ stackit secrets-manager instance update xxx --name my-instance --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email my-service-account-1234567@sa.stackit.cloud
 ```
 
 ### Options
 
 ```
-      --acl strings   List of IP networks in CIDR notation which are allowed to access this instance (default [])
-  -h, --help          Help for "stackit secrets-manager instance update"
+      --acl strings                        List of IP networks in CIDR notation which are allowed to access this instance (default [])
+  -h, --help                               Help for "stackit secrets-manager instance update"
+      --kms-key-id string                  ID of the KMS key to use for encryption
+      --kms-key-version int                Version of the KMS key
+      --kms-keyring-id string              ID of the KMS key ring
+      --kms-service-account-email string   Service account email for KMS access
+  -n, --name string                        Instance name
 ```
 
 ### Options inherited from parent commands
diff --git a/internal/cmd/secrets-manager/instance/create/create.go b/internal/cmd/secrets-manager/instance/create/create.go
@@ -23,13 +23,23 @@ import (
 const (
 	instanceNameFlag = "name"
 	aclFlag          = "acl"
+
+	kmsKeyIdFlag               = "kms-key-id"
+	kmsKeyringIdFlag           = "kms-keyring-id"
+	kmsKeyVersionFlag          = "kms-key-version"
+	kmsServiceAccountEmailFlag = "kms-service-account-email"
 )
 
 type inputModel struct {
 	*globalflags.GlobalFlagModel
 
 	InstanceName *string
 	Acls         *[]string
+
+	KmsKeyId               *string
+	KmsKeyringId           *string
+	KmsKeyVersion          *int64
+	KmsServiceAccountEmail *string
 }
 
 func NewCmd(params *types.CmdParams) *cobra.Command {
@@ -45,6 +55,9 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			examples.NewExample(
 				`Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it`,
 				`$ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24`),
+			examples.NewExample(
+				`Create a Secrets Manager instance with name "my-instance" and configure KMS key options`,
+				`$ stackit secrets-manager instance create --name my-instance --kms-key-id key-id --kms-keyring-id keyring-id --kms-key-version 1 --kms-service-account-email my-service-account-1234567@sa.stackit.cloud`),
 		),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := context.Background()
@@ -103,8 +116,15 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().StringP(instanceNameFlag, "n", "", "Instance name")
 	cmd.Flags().Var(flags.CIDRSliceFlag(), aclFlag, "List of IP networks in CIDR notation which are allowed to access this instance")
 
+	cmd.Flags().String(kmsKeyIdFlag, "", "ID of the KMS key to use for encryption")
+	cmd.Flags().String(kmsKeyringIdFlag, "", "ID of the KMS key ring")
+	cmd.Flags().Int64(kmsKeyVersionFlag, 0, "Version of the KMS key")
+	cmd.Flags().String(kmsServiceAccountEmailFlag, "", "Service account email for KMS access")
+
 	err := flags.MarkFlagsRequired(cmd, instanceNameFlag)
 	cobra.CheckErr(err)
+
+	cmd.MarkFlagsRequiredTogether(kmsKeyIdFlag, kmsKeyringIdFlag, kmsKeyVersionFlag, kmsServiceAccountEmailFlag)
 }
 
 func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel, error) {
@@ -114,9 +134,13 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 	}
 
 	model := inputModel{
-		GlobalFlagModel: globalFlags,
-		InstanceName:    flags.FlagToStringPointer(p, cmd, instanceNameFlag),
-		Acls:            flags.FlagToStringSlicePointer(p, cmd, aclFlag),
+		GlobalFlagModel:        globalFlags,
+		InstanceName:           flags.FlagToStringPointer(p, cmd, instanceNameFlag),
+		Acls:                   flags.FlagToStringSlicePointer(p, cmd, aclFlag),
+		KmsKeyId:               flags.FlagToStringPointer(p, cmd, kmsKeyIdFlag),
+		KmsKeyringId:           flags.FlagToStringPointer(p, cmd, kmsKeyringIdFlag),
+		KmsKeyVersion:          flags.FlagToInt64Pointer(p, cmd, kmsKeyVersionFlag),
+		KmsServiceAccountEmail: flags.FlagToStringPointer(p, cmd, kmsServiceAccountEmailFlag),
 	}
 
 	p.DebugInputModel(model)
@@ -126,9 +150,20 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 func buildCreateInstanceRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiCreateInstanceRequest {
 	req := apiClient.CreateInstance(ctx, model.ProjectId)
 
-	req = req.CreateInstancePayload(secretsmanager.CreateInstancePayload{
+	payload := secretsmanager.CreateInstancePayload{
 		Name: model.InstanceName,
-	})
+	}
+
+	if model.KmsKeyId != nil {
+		payload.KmsKey = &secretsmanager.KmsKeyPayload{
+			KeyId:               model.KmsKeyId,
+			KeyRingId:           model.KmsKeyringId,
+			KeyVersion:          model.KmsKeyVersion,
+			ServiceAccountEmail: model.KmsServiceAccountEmail,
+		}
+	}
+
+	req = req.CreateInstancePayload(payload)
 
 	return req
 }
diff --git a/internal/cmd/secrets-manager/instance/create/create_test.go b/internal/cmd/secrets-manager/instance/create/create_test.go
@@ -25,6 +25,13 @@ var testClient = &secretsmanager.APIClient{}
 var testProjectId = uuid.NewString()
 var testInstanceId = uuid.NewString()
 
+const (
+	testKmsKeyId               = "key-id"
+	testKmsKeyringId           = "keyring-id"
+	testKmsKeyVersion          = int64(1)
+	testKmsServiceAccountEmail = "my-service-account-1234567@sa.stackit.cloud"
+)
+
 func fixtureFlagValues(mods ...func(flagValues map[string]string)) map[string]string {
 	flagValues := map[string]string{
 		projectIdFlag:    testProjectId,
@@ -162,6 +169,24 @@ func TestParseInput(t *testing.T) {
 				*model.Acls = append(*model.Acls, "1.2.3.4/32")
 			}),
 		},
+		{
+			description: "kms flags",
+			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
+				delete(flagValues, aclFlag)
+				flagValues[kmsKeyIdFlag] = testKmsKeyId
+				flagValues[kmsKeyringIdFlag] = testKmsKeyringId
+				flagValues[kmsKeyVersionFlag] = "1"
+				flagValues[kmsServiceAccountEmailFlag] = testKmsServiceAccountEmail
+			}),
+			isValid: true,
+			expectedModel: fixtureInputModel(func(model *inputModel) {
+				model.Acls = nil
+				model.KmsKeyId = utils.Ptr(testKmsKeyId)
+				model.KmsKeyringId = utils.Ptr(testKmsKeyringId)
+				model.KmsKeyVersion = utils.Ptr(testKmsKeyVersion)
+				model.KmsServiceAccountEmail = utils.Ptr(testKmsServiceAccountEmail)
+			}),
+		},
 		{
 			description: "project id missing",
 			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
@@ -205,6 +230,28 @@ func TestBuildCreateInstanceRequest(t *testing.T) {
 			model:           fixtureInputModel(),
 			expectedRequest: fixtureRequest(),
 		},
+		{
+			description: "with kms",
+			model: fixtureInputModel(func(model *inputModel) {
+				model.Acls = nil
+				model.KmsKeyId = utils.Ptr(testKmsKeyId)
+				model.KmsKeyringId = utils.Ptr(testKmsKeyringId)
+				model.KmsKeyVersion = utils.Ptr(testKmsKeyVersion)
+				model.KmsServiceAccountEmail = utils.Ptr(testKmsServiceAccountEmail)
+			}),
+			expectedRequest: fixtureRequest(func(request *secretsmanager.ApiCreateInstanceRequest) {
+				payload := secretsmanager.CreateInstancePayload{
+					Name: utils.Ptr("example"),
+					KmsKey: &secretsmanager.KmsKeyPayload{
+						KeyId:               utils.Ptr(testKmsKeyId),
+						KeyRingId:           utils.Ptr(testKmsKeyringId),
+						KeyVersion:          utils.Ptr(testKmsKeyVersion),
+						ServiceAccountEmail: utils.Ptr(testKmsServiceAccountEmail),
+					},
+				}
+				*request = (*request).CreateInstancePayload(payload)
+			}),
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/internal/cmd/secrets-manager/instance/describe/describe.go b/internal/cmd/secrets-manager/instance/describe/describe.go
@@ -128,6 +128,17 @@ func outputResult(p *print.Printer, outputFormat string, instance *secretsmanage
 		table.AddSeparator()
 		table.AddRow("CREATION DATE", utils.PtrString(instance.CreationStartDate))
 		table.AddSeparator()
+		kmsKey := instance.KmsKey
+		showKms := kmsKey != nil && (kmsKey.KeyId != nil || kmsKey.KeyRingId != nil || kmsKey.KeyVersion != nil || kmsKey.ServiceAccountEmail != nil)
+		if showKms {
+			table.AddRow("KMS KEY ID", utils.PtrString(kmsKey.KeyId))
+			table.AddSeparator()
+			table.AddRow("KMS KEYRING ID", utils.PtrString(kmsKey.KeyRingId))
+			table.AddSeparator()
+			table.AddRow("KMS KEY VERSION", utils.PtrString(kmsKey.KeyVersion))
+			table.AddSeparator()
+			table.AddRow("KMS SERVICE ACCOUNT EMAIL", utils.PtrString(kmsKey.ServiceAccountEmail))
+		}
 		// Only show ACL if it's present and not empty
 		if aclList.Acls != nil && len(*aclList.Acls) > 0 {
 			var cidrs []string
@@ -136,6 +147,9 @@ func outputResult(p *print.Printer, outputFormat string, instance *secretsmanage
 				cidrs = append(cidrs, *acl.Cidr)
 			}
 
+			if showKms {
+				table.AddSeparator()
+			}
 			table.AddRow("ACL", strings.Join(cidrs, ","))
 		}
 		err := table.Display(p)
diff --git a/internal/cmd/secrets-manager/instance/describe/describe_test.go b/internal/cmd/secrets-manager/instance/describe/describe_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/testutils"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -247,6 +248,21 @@ func TestOutputResult(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "instance with kms key",
+			args: args{
+				instance: &secretsmanager.Instance{
+					KmsKey: &secretsmanager.KmsKeyPayload{
+						KeyId:               utils.Ptr("key-id"),
+						KeyRingId:           utils.Ptr("keyring-id"),
+						KeyVersion:          utils.Ptr(int64(1)),
+						ServiceAccountEmail: utils.Ptr("my-service-account-1234567@sa.stackit.cloud"),
+					},
+				},
+				aclList: &secretsmanager.ListACLsResponse{},
+			},
+			wantErr: false,
+		},
 	}
 	p := print.NewPrinter()
 	p.Cmd = NewCmd(&types.CmdParams{Printer: p})
diff --git a/internal/cmd/secrets-manager/instance/update/update.go b/internal/cmd/secrets-manager/instance/update/update.go
diff --git a/internal/cmd/secrets-manager/instance/update/update_test.go b/internal/cmd/secrets-manager/instance/update/update_test.go
