feat(kms): add wrapping key resource and datasource (#1060)

relates to STACKITTPR-416
2025-11-18 16:53:58 +01:00 · 2025-11-18 16:53:58 +01:00 · 7709986560
commit 7709986560
parent 5e8c7a7369
13 changed files with 1395 additions and 2 deletions
--- a/stackit/internal/services/kms/kms_acc_test.go
+++ b/stackit/internal/services/kms/kms_acc_test.go
@ -36,6 +36,12 @@ var (

 	//go:embed testdata/key-max.tf
 	resourceKeyMaxConfig string
+
+	//go:embed testdata/wrapping-key-min.tf
+	resourceWrappingKeyMinConfig string
+
+	//go:embed testdata/wrapping-key-max.tf
+	resourceWrappingKeyMaxConfig string
 )

 // KEY RING - MIN
@ -113,6 +119,49 @@ var testConfigKeyVarsMaxUpdated = func() config.Variables {
 	return updatedConfig
 }

+// WRAPPING KEY - MIN
+
+var testConfigWrappingKeyVarsMin = config.Variables{
+	"project_id":           config.StringVariable(testutil.ProjectId),
+	"keyring_display_name": config.StringVariable("tf-acc-" + acctest.RandStringFromCharSet(8, acctest.CharSetAlpha)),
+	"display_name":         config.StringVariable("tf-acc-" + acctest.RandStringFromCharSet(8, acctest.CharSetAlpha)),
+	"algorithm":            config.StringVariable(string(kms.WRAPPINGALGORITHM__2048_OAEP_SHA256)),
+	"protection":           config.StringVariable(string(kms.PROTECTION_SOFTWARE)),
+	"purpose":              config.StringVariable(string(kms.WRAPPINGPURPOSE_SYMMETRIC_KEY)),
+}
+
+var testConfigWrappingKeyVarsMinUpdated = func() config.Variables {
+	updatedConfig := config.Variables{}
+	maps.Copy(updatedConfig, testConfigWrappingKeyVarsMin)
+	updatedConfig["display_name"] = config.StringVariable(fmt.Sprintf("%s-updated", testutil.ConvertConfigVariable(updatedConfig["display_name"])))
+	updatedConfig["algorithm"] = config.StringVariable(string(kms.WRAPPINGALGORITHM__4096_OAEP_SHA256_AES_256_KEY_WRAP))
+	updatedConfig["purpose"] = config.StringVariable(string(kms.WRAPPINGPURPOSE_ASYMMETRIC_KEY))
+	return updatedConfig
+}
+
+// WRAPPING KEY - MAX
+
+var testConfigWrappingKeyVarsMax = config.Variables{
+	"project_id":           config.StringVariable(testutil.ProjectId),
+	"keyring_display_name": config.StringVariable("tf-acc-" + acctest.RandStringFromCharSet(8, acctest.CharSetAlpha)),
+	"display_name":         config.StringVariable("tf-acc-" + acctest.RandStringFromCharSet(8, acctest.CharSetAlpha)),
+	"algorithm":            config.StringVariable(string(kms.WRAPPINGALGORITHM__2048_OAEP_SHA256)),
+	"protection":           config.StringVariable(string(kms.PROTECTION_SOFTWARE)),
+	"purpose":              config.StringVariable(string(kms.WRAPPINGPURPOSE_SYMMETRIC_KEY)),
+	"description":          config.StringVariable("kms-wrapping-key-description"),
+	"access_scope":         config.StringVariable(string(kms.ACCESSSCOPE_PUBLIC)),
+}
+
+var testConfigWrappingKeyVarsMaxUpdated = func() config.Variables {
+	updatedConfig := config.Variables{}
+	maps.Copy(updatedConfig, testConfigWrappingKeyVarsMax)
+	updatedConfig["display_name"] = config.StringVariable(fmt.Sprintf("%s-updated", testutil.ConvertConfigVariable(updatedConfig["display_name"])))
+	updatedConfig["algorithm"] = config.StringVariable(string(kms.WRAPPINGALGORITHM__4096_OAEP_SHA256_AES_256_KEY_WRAP))
+	updatedConfig["purpose"] = config.StringVariable(string(kms.WRAPPINGPURPOSE_ASYMMETRIC_KEY))
+	updatedConfig["description"] = config.StringVariable("kms-wrapping-key-description-updated")
+	return updatedConfig
+}
+
 func TestAccKeyRingMin(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
@ -561,9 +610,282 @@ func TestAccKeyMax(t *testing.T) {
 	})
 }

+func TestAccWrappingKeyMin(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy,
+		Steps: []resource.TestStep{
+			// Creation
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMin,
+				Config:          fmt.Sprintf("%s\n%s", testutil.KMSProviderConfig(), resourceWrappingKeyMinConfig),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("stackit_kms_keyring.keyring", plancheck.ResourceActionCreate),
+						plancheck.ExpectResourceAction("stackit_kms_wrapping_key.wrapping_key", plancheck.ResourceActionCreate),
+					},
+				},
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "project_id", testutil.ProjectId),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "region", testutil.Region),
+					resource.TestCheckResourceAttrPair(
+						"stackit_kms_keyring.keyring", "keyring_id",
+						"stackit_kms_wrapping_key.wrapping_key", "keyring_id",
+					),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id"),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "algorithm", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["algorithm"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "display_name", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["display_name"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "purpose", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["purpose"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "protection", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["protection"])),
+					resource.TestCheckNoResourceAttr("stackit_kms_wrapping_key.wrapping_key", "description"),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "access_scope", string(kms.ACCESSSCOPE_PUBLIC)),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "public_key"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "expires_at"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "created_at"),
+				),
+			},
+			// Data Source
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMin,
+				Config: fmt.Sprintf(`
+					%s
+					%s
+
+					data "stackit_kms_wrapping_key" "wrapping_key" {
+						project_id = stackit_kms_wrapping_key.wrapping_key.project_id
+						keyring_id = stackit_kms_wrapping_key.wrapping_key.keyring_id
+						wrapping_key_id = stackit_kms_wrapping_key.wrapping_key.wrapping_key_id
+					}
+					`,
+					testutil.KMSProviderConfig(), resourceWrappingKeyMinConfig,
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("stackit_kms_keyring.keyring", plancheck.ResourceActionNoop),
+						plancheck.ExpectResourceAction("stackit_kms_wrapping_key.wrapping_key", plancheck.ResourceActionNoop),
+					},
+				},
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.ComposeAggregateTestCheckFunc(
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "project_id", testutil.ProjectId),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "region", testutil.Region),
+						resource.TestCheckResourceAttrPair(
+							"stackit_kms_keyring.keyring", "keyring_id",
+							"data.stackit_kms_wrapping_key.wrapping_key", "keyring_id",
+						),
+						resource.TestCheckResourceAttrPair(
+							"stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id",
+							"data.stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id",
+						),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "algorithm", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["algorithm"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "display_name", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["display_name"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "purpose", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["purpose"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "protection", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMin["protection"])),
+						resource.TestCheckNoResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "description"),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "access_scope", string(kms.ACCESSSCOPE_PUBLIC)),
+						resource.TestCheckResourceAttrSet("data.stackit_kms_wrapping_key.wrapping_key", "public_key"),
+						resource.TestCheckResourceAttrSet("data.stackit_kms_wrapping_key.wrapping_key", "expires_at"),
+						resource.TestCheckResourceAttrSet("data.stackit_kms_wrapping_key.wrapping_key", "created_at"),
+					),
+				),
+			},
+			// Import
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMin,
+				ResourceName:    "stackit_kms_wrapping_key.wrapping_key",
+				ImportStateIdFunc: func(s *terraform.State) (string, error) {
+					r, ok := s.RootModule().Resources["stackit_kms_wrapping_key.wrapping_key"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find resource stackit_kms_wrapping_key.wrapping_key")
+					}
+					keyRingId, ok := r.Primary.Attributes["keyring_id"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find attribute keyring_id")
+					}
+					wrappingKeyId, ok := r.Primary.Attributes["wrapping_key_id"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find attribute wrapping_key_id")
+					}
+
+					return fmt.Sprintf("%s,%s,%s,%s", testutil.ProjectId, testutil.Region, keyRingId, wrappingKeyId), nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			// Update
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMinUpdated(),
+				Config:          fmt.Sprintf("%s\n%s", testutil.KMSProviderConfig(), resourceWrappingKeyMinConfig),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("stackit_kms_keyring.keyring", plancheck.ResourceActionNoop),
+						plancheck.ExpectResourceAction("stackit_kms_wrapping_key.wrapping_key", plancheck.ResourceActionReplace),
+					},
+				},
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "project_id", testutil.ProjectId),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "region", testutil.Region),
+					resource.TestCheckResourceAttrPair(
+						"stackit_kms_keyring.keyring", "keyring_id",
+						"stackit_kms_wrapping_key.wrapping_key", "keyring_id",
+					),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id"),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "algorithm", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMinUpdated()["algorithm"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "display_name", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMinUpdated()["display_name"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "purpose", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMinUpdated()["purpose"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "protection", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMinUpdated()["protection"])),
+					resource.TestCheckNoResourceAttr("stackit_kms_wrapping_key.wrapping_key", "description"),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "access_scope", string(kms.ACCESSSCOPE_PUBLIC)),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "public_key"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "expires_at"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "created_at"),
+				),
+			},
+			// Deletion is done by the framework implicitly
+		},
+	})
+}
+
+func TestAccWrappingKeyMax(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy,
+		Steps: []resource.TestStep{
+			// Creation
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMax,
+				Config:          fmt.Sprintf("%s\n%s", testutil.KMSProviderConfig(), resourceWrappingKeyMaxConfig),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("stackit_kms_keyring.keyring", plancheck.ResourceActionCreate),
+						plancheck.ExpectResourceAction("stackit_kms_wrapping_key.wrapping_key", plancheck.ResourceActionCreate),
+					},
+				},
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "project_id", testutil.ProjectId),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "region", testutil.Region),
+					resource.TestCheckResourceAttrPair(
+						"stackit_kms_keyring.keyring", "keyring_id",
+						"stackit_kms_wrapping_key.wrapping_key", "keyring_id",
+					),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id"),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "algorithm", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["algorithm"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "display_name", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["display_name"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "purpose", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["purpose"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "protection", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["protection"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "description", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["description"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "access_scope", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["access_scope"])),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "public_key"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "expires_at"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "created_at"),
+				),
+			},
+			// Data Source
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMax,
+				Config: fmt.Sprintf(`
+					%s
+					%s
+
+					data "stackit_kms_wrapping_key" "wrapping_key" {
+						project_id = stackit_kms_wrapping_key.wrapping_key.project_id
+						keyring_id = stackit_kms_wrapping_key.wrapping_key.keyring_id
+						wrapping_key_id = stackit_kms_wrapping_key.wrapping_key.wrapping_key_id
+					}
+					`,
+					testutil.KMSProviderConfig(), resourceWrappingKeyMaxConfig,
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("stackit_kms_keyring.keyring", plancheck.ResourceActionNoop),
+						plancheck.ExpectResourceAction("stackit_kms_wrapping_key.wrapping_key", plancheck.ResourceActionNoop),
+					},
+				},
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.ComposeAggregateTestCheckFunc(
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "project_id", testutil.ProjectId),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "region", testutil.Region),
+						resource.TestCheckResourceAttrPair(
+							"stackit_kms_keyring.keyring", "keyring_id",
+							"data.stackit_kms_wrapping_key.wrapping_key", "keyring_id",
+						),
+						resource.TestCheckResourceAttrPair(
+							"stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id",
+							"data.stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id",
+						),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "algorithm", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["algorithm"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "display_name", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["display_name"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "purpose", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["purpose"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "protection", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["protection"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "description", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["description"])),
+						resource.TestCheckResourceAttr("data.stackit_kms_wrapping_key.wrapping_key", "access_scope", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMax["access_scope"])),
+						resource.TestCheckResourceAttrSet("data.stackit_kms_wrapping_key.wrapping_key", "public_key"),
+						resource.TestCheckResourceAttrSet("data.stackit_kms_wrapping_key.wrapping_key", "expires_at"),
+						resource.TestCheckResourceAttrSet("data.stackit_kms_wrapping_key.wrapping_key", "created_at"),
+					),
+				),
+			},
+			// Import
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMax,
+				ResourceName:    "stackit_kms_wrapping_key.wrapping_key",
+				ImportStateIdFunc: func(s *terraform.State) (string, error) {
+					r, ok := s.RootModule().Resources["stackit_kms_wrapping_key.wrapping_key"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find resource stackit_kms_wrapping_key.wrapping_key")
+					}
+					keyRingId, ok := r.Primary.Attributes["keyring_id"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find attribute keyring_id")
+					}
+					wrappingKeyId, ok := r.Primary.Attributes["wrapping_key_id"]
+					if !ok {
+						return "", fmt.Errorf("couldn't find attribute wrapping_key_id")
+					}
+
+					return fmt.Sprintf("%s,%s,%s,%s", testutil.ProjectId, testutil.Region, keyRingId, wrappingKeyId), nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			// Update
+			{
+				ConfigVariables: testConfigWrappingKeyVarsMaxUpdated(),
+				Config:          fmt.Sprintf("%s\n%s", testutil.KMSProviderConfig(), resourceWrappingKeyMaxConfig),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("stackit_kms_keyring.keyring", plancheck.ResourceActionNoop),
+						plancheck.ExpectResourceAction("stackit_kms_wrapping_key.wrapping_key", plancheck.ResourceActionReplace),
+					},
+				},
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "project_id", testutil.ProjectId),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "region", testutil.Region),
+					resource.TestCheckResourceAttrPair(
+						"stackit_kms_keyring.keyring", "keyring_id",
+						"stackit_kms_wrapping_key.wrapping_key", "keyring_id",
+					),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "wrapping_key_id"),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "algorithm", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMaxUpdated()["algorithm"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "display_name", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMaxUpdated()["display_name"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "purpose", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMaxUpdated()["purpose"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "protection", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMaxUpdated()["protection"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "description", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMaxUpdated()["description"])),
+					resource.TestCheckResourceAttr("stackit_kms_wrapping_key.wrapping_key", "access_scope", testutil.ConvertConfigVariable(testConfigWrappingKeyVarsMaxUpdated()["access_scope"])),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "public_key"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "expires_at"),
+					resource.TestCheckResourceAttrSet("stackit_kms_wrapping_key.wrapping_key", "created_at"),
+				),
+			},
+			// Deletion is done by the framework implicitly
+		},
+	})
+}
+
 func testAccCheckDestroy(s *terraform.State) error {
 	checkFunctions := []func(s *terraform.State) error{
 		testAccCheckKeyDestroy,
+		testAccCheckWrappingKeyDestroy,
 		testAccCheckKeyRingDestroy,
 	}

@ -673,3 +995,41 @@ func testAccCheckKeyDestroy(s *terraform.State) error {

 	return errors.Join(errs...)
 }
+
+func testAccCheckWrappingKeyDestroy(s *terraform.State) error {
+	ctx := context.Background()
+	var client *kms.APIClient
+	var err error
+	if testutil.KMSCustomEndpoint == "" {
+		client, err = kms.NewAPIClient()
+	} else {
+		client, err = kms.NewAPIClient(
+			coreConfig.WithEndpoint(testutil.KMSCustomEndpoint),
+		)
+	}
+	if err != nil {
+		return fmt.Errorf("creating client: %w", err)
+	}
+
+	var errs []error
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "stackit_kms_wrapping_key" {
+			continue
+		}
+		keyRingId := strings.Split(rs.Primary.ID, core.Separator)[2]
+		wrappingKeyId := strings.Split(rs.Primary.ID, core.Separator)[3]
+		err := client.DeleteWrappingKeyExecute(ctx, testutil.ProjectId, testutil.Region, keyRingId, wrappingKeyId)
+		if err != nil {
+			var oapiErr *oapierror.GenericOpenAPIError
+			if errors.As(err, &oapiErr) {
+				if oapiErr.StatusCode == http.StatusNotFound {
+					continue
+				}
+			}
+			errs = append(errs, fmt.Errorf("cannot trigger wrapping key deletion %q: %w", keyRingId, err))
+		}
+	}
+
+	return errors.Join(errs...)
+}