From 411e99739ac313463b9fa1269392bd2e7bdfc154 Mon Sep 17 00:00:00 2001
From: "Marcel S. Henselin"
Date: Tue, 3 Mar 2026 09:21:10 +0100
Subject: [PATCH] feat: add encypted instance test for postgres
---
 .../postgresflex_acc_test.go | 136 ++++++++++++++++++
 .../testdata/instance_template.gompl | 4 +-
 2 files changed, 138 insertions(+), 2 deletions(-)
diff --git a/stackit/internal/services/postgresflexalpha/postgresflex_acc_test.go b/stackit/internal/services/postgresflexalpha/postgresflex_acc_test.go
index ba6d6d77..dcf879ba 100644
--- a/stackit/internal/services/postgresflexalpha/postgresflex_acc_test.go
+++ b/stackit/internal/services/postgresflexalpha/postgresflex_acc_test.go
@@ -5,6 +5,7 @@ import (
 _ "embed"
 "fmt"
 "log"
+ "math"
 "os"
 "strconv"
 "strings"
@@ -183,8 +184,56 @@ func TestAccInstance(t *testing.T) {
 exData,
 ),
 Check: resource.ComposeAggregateTestCheckFunc(
+ // check params acl count
+ resource.TestCheckResourceAttr(testItemID, "acl.#", "1"),
+ // check params are set
+ resource.TestCheckResourceAttrSet(testItemID, "backup_schedule"),
+
+ //// connection_info should contain 1 sub entry
+ // resource.TestCheckResourceAttr(testItemID, "connection_info.%", "1"),
+ //
+ //// connection_info.write should contain 2 sub entries
+ // resource.TestCheckResourceAttr(testItemID, "connection_info.write", "2"),
+ //
+ // resource.TestCheckResourceAttrSet(testItemID, "connection_info.write.host"),
+ // resource.TestCheckResourceAttrSet(testItemID, "connection_info.write.port"),
+
+ resource.TestCheckResourceAttrSet(testItemID, "flavor_id"),
 resource.TestCheckResourceAttrSet(testItemID, "id"),
+ resource.TestCheckResourceAttrSet(testItemID, "instance_id"),
+ resource.TestCheckResourceAttrSet(testItemID, "is_deletable"),
+ resource.TestCheckResourceAttrSet(testItemID, "name"),
+
+ // network should contain 4 sub entries
+ resource.TestCheckResourceAttr(testItemID, "network.%", "4"),
+
+ resource.TestCheckResourceAttrSet(testItemID, "network.access_scope"),
+
+ // on unencrypted instances we expect this to be empty
+ resource.TestCheckResourceAttr(testItemID, "network.instance_address", ""),
+ resource.TestCheckResourceAttr(testItemID, "network.router_address", ""),
+
+ // only one acl entry should be set
+ resource.TestCheckResourceAttr(testItemID, "network.acl.#", "1"),
+
+ resource.TestCheckResourceAttrSet(testItemID, "replicas"),
+ resource.TestCheckResourceAttrSet(testItemID, "retention_days"),
+ resource.TestCheckResourceAttrSet(testItemID, "status"),
+
+ // storage should contain 2 sub entries
+ resource.TestCheckResourceAttr(testItemID, "storage.%", "2"),
+
+ resource.TestCheckResourceAttrSet(testItemID, "storage.performance_class"),
+ resource.TestCheckResourceAttrSet(testItemID, "storage.size"),
+
 resource.TestCheckResourceAttrSet(testItemID, "version"),
+
+ // check absent attr
+ resource.TestCheckNoResourceAttr(testItemID, "encryption"),
+ resource.TestCheckNoResourceAttr(testItemID, "encryption.kek_key_id"),
+ resource.TestCheckNoResourceAttr(testItemID, "encryption.kek_key_ring_id"),
+ resource.TestCheckNoResourceAttr(testItemID, "encryption.kek_key_version"),
+ resource.TestCheckNoResourceAttr(testItemID, "encryption.service_account"),
 // check param values
 resource.TestCheckResourceAttr(testItemID, "name", exData.Name),
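Review bot: The eight commented-out `connection_info` assertions in the middle of the Check list are dead code committed next to live checks, with no indication of why they are disabled or when they are expected to work. Either drop them or replace the block with one line such as `// TODO: connection_info assertions disabled — <reason>` so the next reader does not have to guess whether the attribute is unsupported in this alpha resource or the assertions themselves were wrong. The `// check params are set` comment is also misleading since it only covers `backup_schedule`; the other `TestCheckResourceAttrSet` calls follow later under their own headings. TestAccInstance begins and ends outside this hunk.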
@@ -341,6 +390,93 @@ func TestAccInstanceWithDatabases(t *testing.T) {
 )
 }
+func TestAccEncryptedInstanceWithDatabases(t *testing.T) {
+ encKekKeyID, ok := os.LookupEnv("TF_ACC_KEK_KEY_ID")
+ if !ok || encKekKeyID == "" {
+ t.Skip("env var TF_ACC_KEK_KEY_ID needed for encryption test")
+ }
+
+ encKekKeyRingID, ok := os.LookupEnv("TF_ACC_KEK_KEY_RING_ID")
+ if !ok || encKekKeyRingID == "" {
+ t.Skip("env var TF_ACC_KEK_KEY_RING_ID needed for encryption test")
+ }
+
+ encKekKeyVersion, ok := os.LookupEnv("TF_ACC_KEK_KEY_VERSION")
+ if !ok || encKekKeyVersion == "" {
+ t.Skip("env var TF_ACC_KEK_KEY_VERSION needed for encryption test")
+ }
+
+ encSvcAcc, ok := os.LookupEnv("TF_ACC_KEK_SERVICE_ACCOUNT")
+ if !ok || encSvcAcc == "" {
+ t.Skip("env var TF_ACC_KEK_SERVICE_ACCOUNT needed for encryption test")
+ }
+
+ data := getExample()
+ data.UseEncryption = true
+ data.KekKeyID = encKekKeyID
+ data.KekKeyRingID = encKekKeyRingID
+ data.KekServiceAccount = encSvcAcc
+ encKekKeyVersionInt, err := strconv.Atoi(encKekKeyVersion)
+ if err != nil {
+ t.Errorf("error converting string to int")
+ }
+ if encKekKeyVersionInt > math.MaxUint8 {
+ t.Errorf("value too large to convert to uint8")
+ }
+ data.KekKeyVersion = uint8(encKekKeyVersionInt) //nolint:gosec // handled above
+
+ dbName := "testdb"
+ userName := "testUser"
+ data.Users = []User{
+ {
+ Name: userName,
+ ProjectID: os.Getenv("TF_ACC_PROJECT_ID"),
+ Roles: []string{"login"},
+ },
+ }
+
+ data.Databases = []Database{
+ {
+ Name: dbName,
+ ProjectID: os.Getenv("TF_ACC_PROJECT_ID"),
+ Owner: userName,
+ },
+ }
+
+ resource.ParallelTest(
+ t, resource.TestCase{
+ PreCheck: func() {
+ testAccPreCheck(t)
+ t.Logf(" ... working on instance %s", data.TfName)
+ },
+ CheckDestroy: testAccCheckPostgresFlexDestroy,
+ ProtoV6ProviderFactories: testutils.TestAccProtoV6ProviderFactories,
+ Steps: []resource.TestStep{
+ // Create and verify
+ {
+ Config: testutils.StringFromTemplateMust(
+ "testdata/instance_template.gompl",
+ data,
+ ),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckResourceAttr(
+ testutils.ResStr(pfx, "instance", data.TfName),
+ "name",
+ data.Name,
+ ),
+ resource.TestCheckResourceAttrSet(testutils.ResStr(pfx, "instance", data.TfName), "id"),
+ resource.TestCheckResourceAttr(testutils.ResStr(pfx, "user", userName), "name", userName),
+ resource.TestCheckResourceAttrSet(testutils.ResStr(pfx, "user", userName), "id"),
+ resource.TestCheckResourceAttr(testutils.ResStr(pfx, "database", dbName), "name", dbName),
+ resource.TestCheckResourceAttr(testutils.ResStr(pfx, "database", dbName), "owner", userName),
+ resource.TestCheckResourceAttrSet(testutils.ResStr(pfx, "database", dbName), "id"),
+ ),
+ },
+ },
+ },
+ )
+}
+
 // func setupMockServer() *httptest.Server {
 // mux := http.NewServeMux()
 //
diff --git a/stackit/internal/services/postgresflexalpha/testdata/instance_template.gompl b/stackit/internal/services/postgresflexalpha/testdata/instance_template.gompl
index d7335cf7..d0ab3f25 100644
--- a/stackit/internal/services/postgresflexalpha/testdata/instance_template.gompl
+++ b/stackit/internal/services/postgresflexalpha/testdata/instance_template.gompl
@@ -16,8 +16,8 @@ resource "stackitprivatepreview_postgresflexalpha_instance" "{{ .TfName }}" {
 }
 {{ if .UseEncryption }}
 encryption = {
- kek_key_id = {{ .KekKeyID }}
- kek_key_ring_id = {{ .KekKeyRingID }}
+ kek_key_id = "{{ .KekKeyID }}"
+ kek_key_ring_id = "{{ .KekKeyRingID }}"
 kek_key_version = {{ .KekKeyVersion }}
 service_account = "{{ .KekServiceAccount }}"
 }
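Review bot: The key-version parsing in TestAccEncryptedInstanceWithDatabases does not stop on bad input: both `t.Errorf` calls only mark the test failed and execution continues into `uint8(encKekKeyVersionInt)`, a negative value is never rejected, and the Atoi error is discarded from the message, so the `//nolint:gosec // handled above` claim does not hold. Replacing the Atoi/MaxUint8 pair with `v, err := strconv.ParseUint(encKekKeyVersion, 10, 8)`, `if err != nil { t.Fatalf("TF_ACC_KEK_KEY_VERSION: %v", err) }` and `data.KekKeyVersion = uint8(v)` covers sign, range and abort in one step and makes the `math` import from the first hunk and the nolint directive unnecessary (assuming nothing else in the file uses `math`). Separately, the Check block asserts nothing about encryption, so the test would also pass for an instance created without it; at least `resource.TestCheckResourceAttr(testutils.ResStr(pfx, "instance", data.TfName), "encryption.kek_key_id", encKekKeyID)` and the ring-id / service-account counterparts should be added to mirror the `TestCheckNoResourceAttr` checks in the unencrypted test.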