feat: add autokey plus migration (#156)

.gitignore

@@ -3,6 +3,7 @@ terraform.tfstate*
 *.pyc
 .kitchen
 credentials.json
+terraform.tfvars
 
 # tf lock file
 .terraform.lock.hcl

docs/importing_autokey_key_handles.md

@@ -0,0 +1,54 @@
+# Importing Autokey Key Handles Guidance
+
+If you have any existing [Autokey Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) previously created using [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module, it is recommended to import them to [autokey submodule](../modules/autokey/README.md) Terraform state by following the steps below.
+
+**Note:** You don't need to import the existing state for [Autokey configuration](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) resource. The [autokey submodule](../modules/autokey/README.md) apply process will handle that automatically.
+
+**Note 2:** These instructions were made using [terraform-google-autokey v1.1.1](https://github.com/GoogleCloudPlatform/terraform-google-autokey/releases/tag/v1.1.1) as reference. Future releases versions might require changes in this document.
+
+**WARNING:** [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module can be used to create your Autokey folder, Autokey KMS project, Autokey resource project and additional resources (e.g: a Cloud Storage Bucket configured with Autokey), so **DO NOT RUN** a `terraform destroy` for the existing module, even after the Key Handle import process is completed.
+
+## Getting the existing Autokey state from terraform-google-autokey module
+1. Run `cd REPLACE-WITH-YOUR-PATH` to your `terraform-google-autokey/examples/cloud_autokey_example` local module path;
+   1. If you didn't use `examples/cloud_autokey_example`, make sure you update the output names in the script according your terraform files and the relative path in the command below.
+1. Run the following helper script to perform `terraform output` and export the Autokey folder number, Autokey Key project, KeyHandle's names, locations and resource projects as environment variables:
+    ```shell
+    cp ../../../terraform-google-kms/scripts/export_autokey_env_vars.sh .
+    chmod +x export_autokey_env_vars.sh
+    source ./export_autokey_env_vars.sh
+    ```
+    **Note:** You must see values set for echos: `AUTOKEY_FOLDER_NUMBER` and `AUTOKEY_KMS_PROJECT_ID`.
+
+    **Note 2:** You must see values just for the KeyHandles you have deployed. In other words: If you just have a KeyHandle for Bigquery, you'll just see values for: `AUTOKEY_BQ_KEY_HANDLE_PROJECT`, `AUTOKEY_BQ_KEY_HANDLE_LOCATION` and `AUTOKEY_BQ_KEY_HANDLE_NAME` echos.
+
+## Creating the .tfvars file
+1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder;
+1. Run the following helper script to automate the `terraform output` file creation:
+    ```shell
+    chmod +x ../../scripts/create_autokey_tfvars_file.sh
+    ../../scripts/create_autokey_tfvars_file.sh
+    ```
+
+## Importing the existing Autokey state from terraform-google-autokey module using autokey submodule
+1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder;
+1. Run the following helper script to automate the `terraform import` process:
+    ```shell
+    chmod +x ../../scripts/import_autokey_state.sh
+    ../../scripts/import_autokey_state.sh
+    ```
+1. **Note:** For each import, you should receive the following output:
+    ```
+    Import successful!
+
+    The resources that were imported are shown above. These resources are now in
+    your Terraform state and will henceforth be managed by Terraform.
+    ```
+1. Run `terraform plan`.
+1. Run `terraform apply`. **You have successfully imported the Autokey configuration and KeyHandle states**.
+
+## Cleaning your local environment
+1. Run the following helper script to unset all the environment variables used in this import process:
+    ```shell
+    chmod +x ../../scripts/unset_autokey_env_vars.sh
+    source ../../scripts/unset_autokey_env_vars.sh
+    ```

examples/autokey_example/main.tf

@@ -15,7 +15,8 @@
  */
 
 module "autokey" {
-  source = "terraform-google-modules/kms/google//modules/autokey"
+  source  = "terraform-google-modules/kms/google//modules/autokey"
+  version = "3.1.0"
 
   project_id            = var.project_id
   autokey_folder_number = var.folder_id

modules/autokey/README.md

@@ -17,5 +17,6 @@ This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/doc
 |------|-------------|
 | autokey\_config\_id | An Autokey configuration identifier. |
 | autokey\_keyhandles | A map of KeyHandles created. |
+| random\_suffix | Random 4 digits suffix used in Autokey submodule. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/autokey/main.tf

@@ -27,8 +27,6 @@ resource "google_kms_autokey_config" "primary" {
 }
 
 resource "random_string" "suffix" {
-  count = local.create_autokey_key_handles ? 1 : 0
-
   length  = 4
   special = false
   upper   = false
@@ -39,9 +37,13 @@ resource "google_kms_key_handle" "primary" {
   provider = google-beta
 
   project                = each.value.project
-  name                   = "${each.value.name}-${random_string.suffix[0].result}"
+  name                   = "${each.value.name}-${random_string.suffix.result}"
   location               = each.value.location
   resource_type_selector = each.value.resource_type_selector
 
+  lifecycle {
+    ignore_changes = [name]
+  }
+
   depends_on = [time_sleep.wait_srv_acc_permissions]
 }

modules/autokey/outputs.tf

@@ -23,3 +23,8 @@ output "autokey_keyhandles" {
   description = "A map of KeyHandles created."
   value       = local.create_autokey_key_handles ? google_kms_key_handle.primary : {}
 }
+
+output "random_suffix" {
+  description = "Random 4 digits suffix used in Autokey submodule."
+  value       = random_string.suffix.result
+}

scripts/create_autokey_tfvars_file.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo ----------------------------------------------
+echo Starting terraform.tfvars file creation
+echo ----------------------------------------------
+
+echo "
+project_id            = $AUTOKEY_KMS_PROJECT_ID
+autokey_folder_number = \"$AUTOKEY_FOLDER_NUMBER\"
+autokey_handles = {
+" > terraform.tfvars
+
+if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then
+  echo "
+    bq_dataset = {
+        name                   = \"$AUTOKEY_BQ_KEY_HANDLE_NAME\",
+        project                = \"$AUTOKEY_BQ_KEY_HANDLE_PROJECT\",
+        resource_type_selector = \"bigquery.googleapis.com/Dataset\",
+        location               = \"$AUTOKEY_BQ_KEY_HANDLE_LOCATION\"
+    },
+" >> terraform.tfvars
+fi
+if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
+  echo "
+    compute_disk = {
+        name                   = \"$AUTOKEY_DISK_KEY_HANDLE_NAME\",
+        project                = \"$AUTOKEY_DISK_KEY_HANDLE_PROJECT\",
+        resource_type_selector = \"compute.googleapis.com/Disk\",
+        location               = \"$AUTOKEY_DISK_KEY_HANDLE_LOCATION\"
+    },
+" >> terraform.tfvars
+fi
+if [ -n "$AUTOKEY_GCS_KEY_HANDLE_NAME" ]; then
+  echo "
+    gcs_bucket = {
+        name                   = \"$AUTOKEY_GCS_KEY_HANDLE_NAME\",
+        project                = \"$AUTOKEY_GCS_KEY_HANDLE_PROJECT\",
+        resource_type_selector = \"storage.googleapis.com/Bucket\",
+        location               = \"$AUTOKEY_GCS_KEY_HANDLE_LOCATION\"
+    },
+" >> terraform.tfvars
+fi
+
+echo "
+}
+" >> terraform.tfvars
+
+echo ----------------------------------------------
+echo terraform.tfvars file created
+echo ----------------------------------------------

scripts/export_autokey_env_vars.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo ----------------------------------------------
+echo Getting Autokey config and project
+echo ----------------------------------------------
+
+# terraform output format: "folders/{FOLDER_NUMBER}/autokeyConfig". That's why we cut just the second element.
+AUTOKEY_FOLDER_NUMBER=$(terraform output -raw autokey_config | cut -d'/' -f2)
+export AUTOKEY_FOLDER_NUMBER
+
+AUTOKEY_KMS_PROJECT_ID=$(echo "module.autokey.key_project_id" | terraform console)
+export AUTOKEY_KMS_PROJECT_ID
+
+echo AUTOKEY_FOLDER_NUMBER: "$AUTOKEY_FOLDER_NUMBER"
+echo AUTOKEY_KMS_PROJECT_ID: "$AUTOKEY_KMS_PROJECT_ID"
+
+echo ----------------------------------------------
+echo Getting Bigquery Dataset KeyHandle
+echo ----------------------------------------------
+
+# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
+# That's why we have the cut operation.
+
+AUTOKEY_BQ_KEY_HANDLE_PROJECT=$(terraform output -raw bq_key_handle | cut -d'/' -f2)
+export AUTOKEY_BQ_KEY_HANDLE_PROJECT
+
+AUTOKEY_BQ_KEY_HANDLE_LOCATION=$(terraform output -raw bq_key_handle | cut -d'/' -f4)
+export AUTOKEY_BQ_KEY_HANDLE_LOCATION
+
+AUTOKEY_BQ_KEY_HANDLE_NAME=$(terraform output -raw bq_key_handle | cut -d'/' -f6)
+export AUTOKEY_BQ_KEY_HANDLE_NAME
+
+echo AUTOKEY_BQ_KEY_HANDLE_PROJECT: "$AUTOKEY_BQ_KEY_HANDLE_PROJECT"
+echo AUTOKEY_BQ_KEY_HANDLE_LOCATION: "$AUTOKEY_BQ_KEY_HANDLE_LOCATION"
+echo AUTOKEY_BQ_KEY_HANDLE_NAME: "$AUTOKEY_BQ_KEY_HANDLE_NAME"
+
+echo ----------------------------------------------
+echo Getting Compute Disk KeyHandle
+echo ----------------------------------------------
+
+# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
+# That's why we have the cut operation.
+
+AUTOKEY_DISK_KEY_HANDLE_PROJECT=$(terraform output -raw disk_key_handle | cut -d'/' -f2)
+export AUTOKEY_DISK_KEY_HANDLE_PROJECT
+
+AUTOKEY_DISK_KEY_HANDLE_LOCATION=$(terraform output -raw disk_key_handle | cut -d'/' -f4)
+export AUTOKEY_DISK_KEY_HANDLE_LOCATION
+
+AUTOKEY_DISK_KEY_HANDLE_NAME=$(terraform output -raw disk_key_handle | cut -d'/' -f6)
+export AUTOKEY_DISK_KEY_HANDLE_NAME
+
+echo AUTOKEY_DISK_KEY_HANDLE_PROJECT: "$AUTOKEY_DISK_KEY_HANDLE_PROJECT"
+echo AUTOKEY_DISK_KEY_HANDLE_LOCATION: "$AUTOKEY_DISK_KEY_HANDLE_LOCATION"
+echo AUTOKEY_DISK_KEY_HANDLE_NAME: "$AUTOKEY_DISK_KEY_HANDLE_NAME"
+
+echo ----------------------------------------------
+echo Getting Storage Bucket KeyHandle
+echo ----------------------------------------------
+
+# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
+# That's why we have the cut operation.
+
+AUTOKEY_GCS_KEY_HANDLE_PROJECT=$(terraform output -raw gcs_key_handle | cut -d'/' -f2)
+export AUTOKEY_GCS_KEY_HANDLE_PROJECT
+
+AUTOKEY_GCS_KEY_HANDLE_LOCATION=$(terraform output -raw gcs_key_handle | cut -d'/' -f4)
+export AUTOKEY_GCS_KEY_HANDLE_LOCATION
+
+AUTOKEY_GCS_KEY_HANDLE_NAME=$(terraform output -raw gcs_key_handle | cut -d'/' -f6)
+export AUTOKEY_GCS_KEY_HANDLE_NAME
+
+echo AUTOKEY_GCS_KEY_HANDLE_PROJECT: "$AUTOKEY_GCS_KEY_HANDLE_PROJECT"
+echo AUTOKEY_GCS_KEY_HANDLE_LOCATION: "$AUTOKEY_GCS_KEY_HANDLE_LOCATION"
+echo AUTOKEY_GCS_KEY_HANDLE_NAME: "$AUTOKEY_GCS_KEY_HANDLE_NAME"

scripts/import_autokey_state.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo ----------------------------------------------
+echo Starting terraform init process
+echo ----------------------------------------------
+
+terraform init
+
+echo ----------------------------------------------
+echo terraform init process completed
+echo ----------------------------------------------
+
+echo ----------------------------------------------
+echo Starting terraform import process
+echo ----------------------------------------------
+
+if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then
+terraform import google_kms_key_handle.primary\[\"bq_dataset\"\] projects/"$AUTOKEY_BQ_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_BQ_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_BQ_KEY_HANDLE_NAME"
+fi
+if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
+terraform import google_kms_key_handle.primary\[\"compute_disk\"\] projects/"$AUTOKEY_DISK_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_DISK_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_DISK_KEY_HANDLE_NAME"
+fi
+if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
+terraform import google_kms_key_handle.primary\[\"gcs_bucket\"\] projects/"$AUTOKEY_GCS_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_GCS_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_GCS_KEY_HANDLE_NAME"
+fi
+
+echo ----------------------------------------------
+echo terraform import completed
+echo ----------------------------------------------

scripts/unset_autokey_env_vars.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unset AUTOKEY_FOLDER_NUMBER
+unset AUTOKEY_KMS_PROJECT_ID
+unset AUTOKEY_BQ_KEY_HANDLE_PROJECT
+unset AUTOKEY_BQ_KEY_HANDLE_LOCATION
+unset AUTOKEY_BQ_KEY_HANDLE_NAME
+unset AUTOKEY_DISK_KEY_HANDLE_PROJECT
+unset AUTOKEY_DISK_KEY_HANDLE_LOCATION
+unset AUTOKEY_DISK_KEY_HANDLE_NAME
+unset AUTOKEY_GCS_KEY_HANDLE_PROJECT
+unset AUTOKEY_GCS_KEY_HANDLE_LOCATION
+unset AUTOKEY_GCS_KEY_HANDLE_NAME
+
+echo ----------------------------------------------
+echo unset env vars process completed
+echo ----------------------------------------------