diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey/autokey-setup/README.md
new file mode 100644
index 0000000..ae1c0f4
--- /dev/null
+++ b/examples/autokey/autokey-setup/README.md
@@ -0,0 +1,28 @@
+# Autokey Example
+
+This example illustrates how to setup the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes |
+| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes |
+| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| autokey\_config\_id | An Autokey configuration identifier. |
+| autokey\_keyhandles | A map of KeyHandles created. |
+| autokey\_project\_id | Project used for autokey. |
+
+
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf
new file mode 100644
index 0000000..aa29ea5
--- /dev/null
+++ b/examples/autokey/autokey-setup/main.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+ //source = "terraform-google-modules/kms/google//modules/autokey"
+ source = "../../../modules/autokey"
+ //version = "3.1.0"
+
+ autokey_kms_project_id = var.kms_project_id
+ autokey_folder_number = var.folder_id
+}
+
diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey/autokey-setup/outputs.tf
new file mode 100644
index 0000000..9b36548
--- /dev/null
+++ b/examples/autokey/autokey-setup/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "autokey_config_id" {
+ description = "An Autokey configuration identifier."
+ value = module.autokey.autokey_config_id
+}
\ No newline at end of file
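Review bot: The README added for this example in the same commit documents inputs `project_id` and `autokey_resource_project_id` and outputs `autokey_keyhandles` and `autokey_project_id`, but this module call reads only `var.kms_project_id` and `var.folder_id` and the example's outputs.tf exposes only `autokey_config_id`, so users following the README will be told to set variables that do not exist; the inputs/outputs tables should be regenerated to match. The commented-out `//source` and `//version` lines will drift from the relative `source` as the module evolves; either drop them or mark the intent with `# Registry source for copy-paste; the relative path is used for in-repo testing`. Because the module (see iam.tf in this diff) grants `roles/cloudkms.admin` on `kms_project_id` to the Cloud KMS service agent, a comment on `autokey_kms_project_id = var.kms_project_id` such as `# Dedicated key project: the KMS service agent gets roles/cloudkms.admin here` would tell readers why this should not be a project that holds other workloads.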
diff --git a/examples/autokey_example/variables.tf b/examples/autokey/autokey-setup/variables.tf
similarity index 60%
rename from examples/autokey_example/variables.tf
rename to examples/autokey/autokey-setup/variables.tf
index 35a0fa5..b9d4496 100644
--- a/examples/autokey_example/variables.tf
+++ b/examples/autokey/autokey-setup/variables.tf
@@ -14,18 +14,13 @@
 * limitations under the License.
 */
-variable "project_id" {
- description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)."
- type = string
-}
-
-variable "autokey_resource_project_id" {
- description = "The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK)."
+variable "kms_project_id" {
+ description = "The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned."
 type = string
 }
 variable "folder_id" {
 type = string
- description = "The Autokey folder number used by Autokey config resource. Required when using Autokey."
+ description = "The ID of the folder for which to enable and configure Autokey. Required when using Autokey."
 }
diff --git a/examples/autokey_example/README.md b/examples/autokey/keyhandle-setup/README.md
similarity index 97%
rename from examples/autokey_example/README.md
rename to examples/autokey/keyhandle-setup/README.md
index ddd2966..ed8dbff 100644
--- a/examples/autokey_example/README.md
+++ b/examples/autokey/keyhandle-setup/README.md
@@ -1,6 +1,6 @@
 # Autokey Example
-This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create the bucket.
 ## Inputs
diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/autokey/keyhandle-setup/main.tf
new file mode 100644
index 0000000..4d87394
--- /dev/null
+++ b/examples/autokey/keyhandle-setup/main.tf
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+
+resource "random_string" "suffix" {
+ length = 4
+ special = false
+ upper = false
+}
+
+resource "google_kms_key_handle" "bucket_keyhandle" {
+ provider = google-beta
+
+ project = var.resource_project_id
+ name = "${var.bucket_name_prefix}-${random_string.suffix.result}"
+ location = var.bucket_location
+ resource_type_selector = var.resource_type_selector
+
+ lifecycle {
+ ignore_changes = [name]
+ }
+}
+
+module "bucket" {
+ source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+ version = "8.0"
+
+ name = "${var.bucket_name_prefix}-${random_string.suffix.result}"
+ project_id = var.resource_project_id
+ location = var.bucket_location
+ encryption = {
+ default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key
+ }
+
+ depends_on = [resource.google_kms_key_handle.bucket_keyhandle]
+}
diff --git a/examples/autokey_example/outputs.tf b/examples/autokey/keyhandle-setup/outputs.tf
similarity index 65%
rename from examples/autokey_example/outputs.tf
rename to examples/autokey/keyhandle-setup/outputs.tf
index 45f188b..44870b5 100644
--- a/examples/autokey_example/outputs.tf
+++ b/examples/autokey/keyhandle-setup/outputs.tf
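Review bot: `google_kms_key_handle.bucket_keyhandle` has no dependency on the folder's Autokey config or on the `roles/cloudkms.admin` grant that the autokey-setup example makes for the KMS service agent, so this root module silently assumes autokey-setup has already been applied and IAM has propagated; a comment on the resource such as `# Requires the folder's AutokeyConfig (../autokey-setup) to be applied first; the CryptoKey is created by the KMS service agent in the key project` would make that prerequisite explicit. The `depends_on = [resource.google_kms_key_handle.bucket_keyhandle]` on `module.bucket` is redundant because `default_kms_key_name` already references `bucket_keyhandle.kms_key`, and the explicit `resource.` prefix is used nowhere else in this diff; `default_kms_key_name = google_kms_key_handle.bucket_keyhandle.kms_key` with the `depends_on` dropped reads consistently. The `lifecycle { ignore_changes = [name] }` deserves a why-comment, presumably because the API normalises or generates the KeyHandle name; without it a reader may think name drift on a CMEK binding is being deliberately ignored.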
@@ -14,17 +14,12 @@
 * limitations under the License.
 */
-output "autokey_config_id" {
+output "bucket_keyhandle" {
 description = "An Autokey configuration identifier."
- value = module.autokey.autokey_config_id != null ? module.autokey.autokey_config_id : ""
+ value = resource.google_kms_key_handle.bucket_keyhandle
 }
-output "autokey_keyhandles" {
+output "bucket_name" {
 description = "A map of KeyHandles created."
- value = module.autokey.autokey_keyhandles != null ? module.autokey.autokey_keyhandles : {}
-}
-
-output "autokey_project_id" {
- description = "Project used for autokey."
- value = var.project_id
-}
+ value = module.bucket.name
+}
\ No newline at end of file
diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf
new file mode 100644
index 0000000..ae76a44
--- /dev/null
+++ b/examples/autokey/keyhandle-setup/variables.tf
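Review bot: Both output descriptions are stale copies from the renamed file: `bucket_keyhandle` is described as `An Autokey configuration identifier.` and `bucket_name` as `A map of KeyHandles created.`, neither of which matches the values now returned. Use `description = "The KeyHandle created for the bucket; its kms_key attribute is the Autokey-provisioned CMEK."` and `description = "Name of the storage bucket encrypted with the Autokey-managed key."`. Exporting the whole `google_kms_key_handle` resource object couples consumers to the provider schema; if callers only need the key, `value = resource.google_kms_key_handle.bucket_keyhandle.kms_key` is the narrower contract.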
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "resource_project_id" {
+ description = "The ID of the project in which to provision resources (bucket, persistent disk, etc)"
+ type = string
+}
+
+variable "bucket_name_prefix" {
+ type = string
+ description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}"
+}
+
+variable "resource_type_selector" {
+ type = string
+ description = "The resource type selector for bucket"
+}
+
+variable "bucket_location" {
+ type = string
+ description = "The gcp location where storage bucket will be created"
+}
diff --git a/examples/autokey_example/main.tf b/examples/autokey_example/main.tf
deleted file mode 100644
index bb95e2d..0000000
--- a/examples/autokey_example/main.tf
+++ /dev/null
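Review bot: `resource_type_selector` is an unconstrained string, yet the only consumer in this example is the key handle whose `kms_key` is bound to a Cloud Storage bucket, so any value other than `storage.googleapis.com/Bucket` yields a KeyHandle whose resource-type binding does not match the bucket it protects, which is at best misleading and may be rejected by the service. Give the variable that value as its default and add a `validation` block so the mismatch surfaces at plan time instead of at apply. The `resource_project_id` description should also state that this is the resource (bucket) project, not the key project configured in autokey-setup, since the two are easy to confuse.

```hcl
variable "resource_type_selector" {
  type        = string
  description = "Autokey resource type selector for the key handle; must be storage.googleapis.com/Bucket because this example only creates a bucket."
  default     = "storage.googleapis.com/Bucket"

  validation {
    condition     = var.resource_type_selector == "storage.googleapis.com/Bucket"
    error_message = "resource_type_selector must be storage.googleapis.com/Bucket for this example."
  }
}
# … unchanged: resource_project_id, bucket_name_prefix, bucket_location …
```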
@@ -1,44 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "autokey" {
- source = "terraform-google-modules/kms/google//modules/autokey"
- version = "3.1.0"
-
- project_id = var.project_id
- autokey_folder_number = var.folder_id
- autokey_handles = {
- storage_bucket = {
- name = "bucket-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "storage.googleapis.com/Bucket",
- location = "us-central1"
- }
- compute_disk = {
- name = "disk-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "compute.googleapis.com/Disk",
- location = "us-central1"
- }
- bigquery_dataset = {
- name = "dataset-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "bigquery.googleapis.com/Dataset",
- location = "us-central1"
- }
- }
-}
-
diff --git a/modules/autokey/iam.tf b/modules/autokey/iam.tf
index 29e9df6..da05c14 100644
--- a/modules/autokey/iam.tf
+++ b/modules/autokey/iam.tf
@@ -15,12 +15,11 @@
 */
 data "google_project" "kms_project" {
- project_id = var.project_id
+ project_id = var.autokey_kms_project_id
 }
 #Create KMS Service Agent
 resource "google_project_service_identity" "kms_service_agent" {
- count = var.autokey_handles != null ? 1 : 0
 provider = google-beta
 service = "cloudkms.googleapis.com"
@@ -29,18 +28,15 @@ resource "google_project_service_identity" "kms_service_agent" {
 # Wait delay after creating service agent.
 resource "time_sleep" "wait_service_agent" {
- count = var.autokey_handles != null ? 1 : 0
-
 create_duration = "10s"
 depends_on = [google_project_service_identity.kms_service_agent]
 }
 #Grant the KMS Service Agent the Cloud KMS Admin role
 resource "google_project_iam_member" "autokey_project_admin" {
- count = var.autokey_handles != null ? 1 : 0
 provider = google-beta
- project = var.project_id
+ project = var.autokey_kms_project_id
 role = "roles/cloudkms.admin"
 member = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com"
 depends_on = [time_sleep.wait_service_agent]
@@ -48,8 +44,6 @@ resource "google_project_iam_member" "autokey_project_admin" {
 # Wait delay after granting IAM permissions
 resource "time_sleep" "wait_srv_acc_permissions" {
- count = var.autokey_handles != null ? 1 : 0
-
 create_duration = "10s"
 depends_on = [google_project_iam_member.autokey_project_admin]
 }
diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf
index f6d37ba..b5d4f61 100644
--- a/modules/autokey/main.tf
+++ b/modules/autokey/main.tf
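Review bot: With `count` removed, `google_project_iam_member.autokey_project_admin` now unconditionally grants `roles/cloudkms.admin` on `autokey_kms_project_id` to the Cloud KMS service agent on every instantiation of the module, and that role is full management of every key ring and key in the project, so the grant should carry a comment stating that the project is expected to be a dedicated key project, e.g. `# Autokey requires the KMS service agent to administer keys in the key project; keep this project dedicated to keys`. The member string is hand-built from `data.google_project.kms_project.number` and the hard-coded `gcp-sa-cloudkms.iam.gserviceaccount.com` domain even though `google_project_service_identity.kms_service_agent` is created right above it; if the provider version in use exposes it, `member = "serviceAccount:${google_project_service_identity.kms_service_agent.email}"` ties the grant to the identity resource and removes the duplicated naming convention. The two fixed `10s` sleeps remain the only mitigation for IAM propagation delay; a one-line comment that they are best-effort and that a first apply may need to be re-run would save the next maintainer from treating a transient permission error as a bug.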
@@ -18,27 +18,5 @@ resource "google_kms_autokey_config" "primary" {
 provider = google-beta
 folder = var.autokey_folder_number
- key_project = "projects/${var.project_id}"
-}
-
-resource "random_string" "suffix" {
- length = 4
- special = false
- upper = false
-}
-
-resource "google_kms_key_handle" "primary" {
- for_each = var.autokey_handles != null ? var.autokey_handles : tomap({})
- provider = google-beta
-
- project = each.value.project
- name = "${each.value.name}-${random_string.suffix.result}"
- location = each.value.location
- resource_type_selector = each.value.resource_type_selector
-
- lifecycle {
- ignore_changes = [name]
- }
-
- depends_on = [time_sleep.wait_srv_acc_permissions]
-}
+ key_project = "projects/${var.autokey_kms_project_id}"
+}
\ No newline at end of file
diff --git a/modules/autokey/outputs.tf b/modules/autokey/outputs.tf
index a198889..1c8e036 100644
--- a/modules/autokey/outputs.tf
+++ b/modules/autokey/outputs.tf
@@ -18,13 +18,3 @@ output "autokey_config_id" {
 description = "An Autokey configuration identifier."
 value = google_kms_autokey_config.primary.id
 }
-
-output "autokey_keyhandles" {
- description = "A map of KeyHandles created."
- value = var.autokey_handles != null ? google_kms_key_handle.primary : {}
-}
-
-output "random_suffix" {
- description = "Random 4 digits suffix used in Autokey submodule."
- value = random_string.suffix.result
-}
diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf
index 0fb78ad..04555e1 100644
--- a/modules/autokey/variables.tf
+++ b/modules/autokey/variables.tf
@@ -14,8 +14,8 @@
 * limitations under the License.
 */
-variable "project_id" {
- description = "Project id where the Autokey configuration and KeyHandles will be created."
+variable "autokey_kms_project_id" {
+ description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)."
 type = string
 }
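Review bot: The removed `google_kms_key_handle.primary` was the only resource that depended on `time_sleep.wait_srv_acc_permissions`, so after this change nothing in the module orders the service-agent creation, the `roles/cloudkms.admin` grant and the two sleeps in iam.tf ahead of `google_kms_autokey_config.primary`; the config is created in parallel with the grant chain, and a root module that wires `module.autokey` together with key handles gets no guarantee the agent's permission has propagated before keys are requested. Add `depends_on = [time_sleep.wait_srv_acc_permissions]` to `google_kms_autokey_config.primary` so that `autokey_config_id` is only produced once the grant chain has completed. A header comment on the resource, stating that `folder` enables Autokey for the entire folder and that `key_project` must be the same project in which iam.tf granted the service agent admin, would document the intended pairing.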
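Review bot: The new description for `autokey_kms_project_id` still says the module provisions `keyHandle keys`, but this same commit removes the `google_kms_key_handle` resources from the module, so what the module actually creates in this project is the KMS service agent, its `roles/cloudkms.admin` grant and the Autokey config's `key_project` binding; keys are provisioned later by the service agent when key handles are created elsewhere. Suggest `description = "ID of the dedicated project in which Autokey will provision key rings and keys; the Cloud KMS service agent is granted roles/cloudkms.admin on it."` so callers understand both the purpose and the privilege implication.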
@@ -24,19 +24,3 @@ variable "autokey_folder_number" {
 description = "The Autokey folder number used by Autokey config resource. Required when using Autokey."
 }
-variable "autokey_handles" {
- type = map(object({
- name = string
- resource_type_selector = string
- location = string
- project = string
- }))
- description = <<-EOF
- (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service.
- - name: The resource name for the KeyHandle.
- - resource_type_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services.
- - location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.
- - project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- EOF
- default = null
-}