Fixes #1605: Customizable metadata key on encryption key providers (#2080)

Signed-off-by: AbstractionFactory <179820029+abstractionfactory@users.noreply.github.com>

internal/encryption/keyprovider.go

@@ -30,15 +30,20 @@ func (e *targetBuilder) setupKeyProviders() hcl.Diagnostics {
 
 	e.keyValues = make(map[string]map[string]cty.Value)
 
+	kpMap := make(map[string]cty.Value)
 	for _, keyProviderConfig := range e.cfg.KeyProviderConfigs {
 		diags = append(diags, e.setupKeyProvider(keyProviderConfig, nil)...)
+		if diags.HasErrors() {
+			return diags
+		}
+		for name, kps := range e.keyValues {
+			kpMap[name] = cty.ObjectVal(kps)
+		}
+		e.ctx.Variables["key_provider"] = cty.ObjectVal(kpMap)
 	}
 
-	// Regenerate the context now that the key provider is loaded
-	kpMap := make(map[string]cty.Value)
-	for name, kps := range e.keyValues {
-		kpMap[name] = cty.ObjectVal(kps)
-	}
+	// Make sure that the key_provider variable is set even if no key providers are configured. This will ultimately
+	// result in an error, but we want to avoid unpredictable behavior.
 	e.ctx.Variables["key_provider"] = cty.ObjectVal(kpMap)
 
 	return diags
@@ -82,10 +87,14 @@ func (e *targetBuilder) setupKeyProvider(cfg config.KeyProviderConfig, stack []c
 	stack = append(stack, cfg)
 
 	// Pull the meta key out for error messages and meta storage
-	metakey, diags := cfg.Addr()
+	tmpMetaKey, diags := cfg.Addr()
 	if diags.HasErrors() {
 		return diags
 	}
+	metaKey := keyprovider.MetaStorageKey(tmpMetaKey)
+	if cfg.EncryptedMetadataAlias != "" {
+		metaKey = keyprovider.MetaStorageKey(cfg.EncryptedMetadataAlias)
+	}
 
 	// Lookup the KeyProviderDescriptor from the registry
 	id := keyprovider.ID(cfg.Type)
@@ -209,18 +218,18 @@ func (e *targetBuilder) setupKeyProvider(cfg config.KeyProviderConfig, stack []c
 		return append(diags, &hcl.Diagnostic{
 			Severity: hcl.DiagError,
 			Summary:  "Unable to build encryption key data",
-			Detail:   fmt.Sprintf("%s failed with error: %s", metakey, err.Error()),
+			Detail:   fmt.Sprintf("%s failed with error: %s", metaKey, err.Error()),
 		})
 	}
 
 	// Add the metadata
-	if meta, ok := e.keyProviderMetadata[metakey]; ok {
+	if meta, ok := e.inputKeyProviderMetadata[metaKey]; ok {
 		err := json.Unmarshal(meta, keyMetaIn)
 		if err != nil {
 			return append(diags, &hcl.Diagnostic{
 				Severity: hcl.DiagError,
 				Summary:  "Unable to decode encrypted metadata (did you change your encryption config?)",
-				Detail:   fmt.Sprintf("metadata decoder for %s failed with error: %s", metakey, err.Error()),
+				Detail:   fmt.Sprintf("metadata decoder for %s failed with error: %s", metaKey, err.Error()),
 			})
 		}
 	}
@@ -230,18 +239,25 @@ func (e *targetBuilder) setupKeyProvider(cfg config.KeyProviderConfig, stack []c
 		return append(diags, &hcl.Diagnostic{
 			Severity: hcl.DiagError,
 			Summary:  "Unable to fetch encryption key data",
-			Detail:   fmt.Sprintf("%s failed with error: %s", metakey, err.Error()),
+			Detail:   fmt.Sprintf("%s failed with error: %s", metaKey, err.Error()),
 		})
 	}
 
 	if keyMetaOut != nil {
-		e.keyProviderMetadata[metakey], err = json.Marshal(keyMetaOut)
+		if _, ok := e.outputKeyProviderMetadata[metaKey]; ok {
+			return append(diags, &hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  "Duplicate metadata key",
+				Detail:   fmt.Sprintf("The metadata key %s is duplicated across multiple key providers for the same method; use the encrypted_metadata_alias option to specify unique metadata keys for each key provider in an encryption method", metaKey),
+			})
+		}
+		e.outputKeyProviderMetadata[metaKey], err = json.Marshal(keyMetaOut)
 
 		if err != nil {
 			return append(diags, &hcl.Diagnostic{
 				Severity: hcl.DiagError,
 				Summary:  "Unable to encode encrypted metadata",
-				Detail:   fmt.Sprintf("metadata encoder for %s failed with error: %s", metakey, err.Error()),
+				Detail:   fmt.Sprintf("The metadata encoder for %s failed with error: %s", metaKey, err.Error()),
 			})
 		}
 	}