Enabling autokey config setup in autokey submodule

terraform-google-modules · Nov 11, 2024 · 852ac5a · 852ac5a
1 parent 8a28c2f
commit 852ac5a
Show file tree

Hide file tree

Showing 13 changed files with 173 additions and 123 deletions.
diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey/autokey-setup/README.md
@@ -0,0 +1,28 @@
+# Autokey Example
+
+This example illustrates how to setup the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes |
+| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes |
+| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| autokey\_config\_id | An Autokey configuration identifier. |
+| autokey\_keyhandles | A map of KeyHandles created. |
+| autokey\_project\_id | Project used for autokey. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+  //source  = "terraform-google-modules/kms/google//modules/autokey"
+  source  = "../../../modules/autokey"
+  //version = "3.1.0"
+
+  autokey_kms_project_id = var.kms_project_id
+  autokey_folder_number = var.folder_id
+}
+
diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey/autokey-setup/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "autokey_config_id" {
+  description = "An Autokey configuration identifier."
+  value       = module.autokey.autokey_config_id
+}
diff --git a/examples/autokey_example/variables.tf → examples/autokey/autokey-setup/variables.tf b/examples/autokey_example/variables.tf → examples/autokey/autokey-setup/variables.tf
@@ -14,18 +14,13 @@
  * limitations under the License.
  */
 
-variable "project_id" {
-  description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)."
-  type        = string
-}
-
-variable "autokey_resource_project_id" {
-  description = "The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK)."
+variable "kms_project_id" {
+  description = "The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned."
   type        = string
 }
 
 variable "folder_id" {
   type        = string
-  description = "The Autokey folder number used by Autokey config resource. Required when using Autokey."
+  description = "The ID of the folder for which to enable and configure Autokey. Required when using Autokey."
 }
 
diff --git a/examples/autokey_example/README.md → examples/autokey/keyhandle-setup/README.md b/examples/autokey_example/README.md → examples/autokey/keyhandle-setup/README.md
@@ -1,6 +1,6 @@
 # Autokey Example
 
-This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create the bucket.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs

diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/autokey/keyhandle-setup/main.tf
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+resource "google_kms_key_handle" "bucket_keyhandle" {
+  provider = google-beta
+
+  project                = var.resource_project_id
+  name                   = "${var.bucket_name_prefix}-${random_string.suffix.result}"
+  location               = var.bucket_location
+  resource_type_selector = var.resource_type_selector
+
+  lifecycle {
+    ignore_changes = [name]
+  }
+}
+
+module "bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "8.0"
+
+  name       = "${var.bucket_name_prefix}-${random_string.suffix.result}"
+  project_id =  var.resource_project_id
+  location   = var.bucket_location
+  encryption = {
+    default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key
+  }
+
+  depends_on = [resource.google_kms_key_handle.bucket_keyhandle]
+}
diff --git a/examples/autokey_example/outputs.tf → examples/autokey/keyhandle-setup/outputs.tf b/examples/autokey_example/outputs.tf → examples/autokey/keyhandle-setup/outputs.tf
@@ -14,17 +14,12 @@
  * limitations under the License.
  */
 
-output "autokey_config_id" {
+output "bucket_keyhandle" {
   description = "An Autokey configuration identifier."
-  value       = module.autokey.autokey_config_id != null ? module.autokey.autokey_config_id : ""
+  value       = resource.google_kms_key_handle.bucket_keyhandle
 }
 
-output "autokey_keyhandles" {
+output "bucket_name" {
   description = "A map of KeyHandles created."
-  value       = module.autokey.autokey_keyhandles != null ? module.autokey.autokey_keyhandles : {}
-}
-
-output "autokey_project_id" {
-  description = "Project used for autokey."
-  value       = var.project_id
-}
+  value       = module.bucket.name
+}
diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "resource_project_id" {
+  description = "The ID of the project in which to provision resources (bucket, persistent disk, etc)"
+  type        = string
+}
+
+variable "bucket_name_prefix" {
+  type        = string
+  description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}"
+}
+
+variable "resource_type_selector" {
+  type        = string
+  description = "The resource type selector for bucket"
+} 
+
+variable "bucket_location" {
+  type        = string
+  description = "The gcp location where storage bucket will be created" 
+}
diff --git a/examples/autokey_example/main.tf b/examples/autokey_example/main.tf
diff --git a/modules/autokey/iam.tf b/modules/autokey/iam.tf
@@ -15,12 +15,11 @@
  */
 
 data "google_project" "kms_project" {
-  project_id = var.project_id
+  project_id = var.autokey_kms_project_id
 }
 
 #Create KMS Service Agent
 resource "google_project_service_identity" "kms_service_agent" {
-  count    = var.autokey_handles != null ? 1 : 0
   provider = google-beta
 
   service = "cloudkms.googleapis.com"
@@ -29,27 +28,22 @@ resource "google_project_service_identity" "kms_service_agent" {
 
 # Wait delay after creating service agent.
 resource "time_sleep" "wait_service_agent" {
-  count = var.autokey_handles != null ? 1 : 0
-
   create_duration = "10s"
   depends_on      = [google_project_service_identity.kms_service_agent]
 }
 
 #Grant the KMS Service Agent the Cloud KMS Admin role
 resource "google_project_iam_member" "autokey_project_admin" {
-  count    = var.autokey_handles != null ? 1 : 0
   provider = google-beta
 
-  project    = var.project_id
+  project    = var.autokey_kms_project_id
   role       = "roles/cloudkms.admin"
   member     = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com"
   depends_on = [time_sleep.wait_service_agent]
 }
 
 # Wait delay after granting IAM permissions
 resource "time_sleep" "wait_srv_acc_permissions" {
-  count = var.autokey_handles != null ? 1 : 0
-
   create_duration = "10s"
   depends_on      = [google_project_iam_member.autokey_project_admin]
 }
diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf
@@ -18,27 +18,5 @@ resource "google_kms_autokey_config" "primary" {
   provider = google-beta
 
   folder      = var.autokey_folder_number
-  key_project = "projects/${var.project_id}"
-}
-
-resource "random_string" "suffix" {
-  length  = 4
-  special = false
-  upper   = false
-}
-
-resource "google_kms_key_handle" "primary" {
-  for_each = var.autokey_handles != null ? var.autokey_handles : tomap({})
-  provider = google-beta
-
-  project                = each.value.project
-  name                   = "${each.value.name}-${random_string.suffix.result}"
-  location               = each.value.location
-  resource_type_selector = each.value.resource_type_selector
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-
-  depends_on = [time_sleep.wait_srv_acc_permissions]
-}
+  key_project = "projects/${var.autokey_kms_project_id}"
+}
diff --git a/modules/autokey/outputs.tf b/modules/autokey/outputs.tf
@@ -18,13 +18,3 @@ output "autokey_config_id" {
   description = "An Autokey configuration identifier."
   value       = google_kms_autokey_config.primary.id
 }
-
-output "autokey_keyhandles" {
-  description = "A map of KeyHandles created."
-  value       = var.autokey_handles != null ? google_kms_key_handle.primary : {}
-}
-
-output "random_suffix" {
-  description = "Random 4 digits suffix used in Autokey submodule."
-  value       = random_string.suffix.result
-}
diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf
@@ -14,8 +14,8 @@
  * limitations under the License.
  */
 
-variable "project_id" {
-  description = "Project id where the Autokey configuration and KeyHandles will be created."
+variable "autokey_kms_project_id" {
+  description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)."
   type        = string
 }
 
@@ -24,19 +24,3 @@ variable "autokey_folder_number" {
   description = "The Autokey folder number used by Autokey config resource. Required when using Autokey."
 }
 
-variable "autokey_handles" {
-  type = map(object({
-    name                   = string
-    resource_type_selector = string
-    location               = string
-    project                = string
-  }))
-  description = <<-EOF
-    (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service.
-    - name: The resource name for the KeyHandle.
-    - resource_type_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services.
-    - location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.
-    - project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
-  EOF
-  default     = null
-}