From 661c103ee13bf95e88e36c8b9f047a84d20cb99d Mon Sep 17 00:00:00 2001 From: Leonardo Romanini <97033241+romanini-ciandt@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:23:13 -0300 Subject: [PATCH 1/2] feat: add autokey plus migration (#156) --- .gitignore | 1 + docs/importing_autokey_key_handles.md | 54 ++++++++++++++++ examples/autokey_example/main.tf | 3 +- modules/autokey/README.md | 1 + modules/autokey/main.tf | 8 ++- modules/autokey/outputs.tf | 5 ++ scripts/create_autokey_tfvars_file.sh | 64 +++++++++++++++++++ scripts/export_autokey_env_vars.sh | 89 +++++++++++++++++++++++++++ scripts/import_autokey_state.sh | 43 +++++++++++++ scripts/unset_autokey_env_vars.sh | 31 ++++++++++ 10 files changed, 295 insertions(+), 4 deletions(-) create mode 100644 docs/importing_autokey_key_handles.md create mode 100755 scripts/create_autokey_tfvars_file.sh create mode 100644 scripts/export_autokey_env_vars.sh create mode 100755 scripts/import_autokey_state.sh create mode 100755 scripts/unset_autokey_env_vars.sh diff --git a/.gitignore b/.gitignore index b8904dc..3cff1cb 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ terraform.tfstate* *.pyc .kitchen credentials.json +terraform.tfvars # tf lock file .terraform.lock.hcl diff --git a/docs/importing_autokey_key_handles.md b/docs/importing_autokey_key_handles.md new file mode 100644 index 0000000..aebb0af --- /dev/null +++ b/docs/importing_autokey_key_handles.md 
@@ -0,0 +1,54 @@ +# Importing Autokey Key Handles Guidance + +If you have any existing [Autokey Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) previously created using [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module, it is recommended to import them to [autokey submodule](../modules/autokey/README.md) Terraform state by following the steps below. + +**Note:** You don't need to import the existing state for [Autokey configuration](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) resource. The [autokey submodule](../modules/autokey/README.md) apply process will handle that automatically. + +**Note 2:** These instructions were made using [terraform-google-autokey v1.1.1](https://github.com/GoogleCloudPlatform/terraform-google-autokey/releases/tag/v1.1.1) as reference. Future releases versions might require changes in this document. + +**WARNING:** [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module can be used to create your Autokey folder, Autokey KMS project, Autokey resource project and additional resources (e.g: a Cloud Storage Bucket configured with Autokey), so **DO NOT RUN** a `terraform destroy` for the existing module, even after the Key Handle import process is completed. + +## Getting the existing Autokey state from terraform-google-autokey module +1. Run `cd REPLACE-WITH-YOUR-PATH` to your `terraform-google-autokey/examples/cloud_autokey_example` local module path; + 1. If you didn't use `examples/cloud_autokey_example`, make sure you update the output names in the script according your terraform files and the relative path in the command below. +1. 
Run the following helper script to perform `terraform output` and export the Autokey folder number, Autokey Key project, KeyHandle's names, locations and resource projects as environment variables: + ```shell + cp ../../../terraform-google-kms/scripts/export_autokey_env_vars.sh . + chmod +x export_autokey_env_vars.sh + source ./export_autokey_env_vars.sh + ``` + **Note:** You must see values set for echos: `AUTOKEY_FOLDER_NUMBER` and `AUTOKEY_KMS_PROJECT_ID`. + + **Note 2:** You must see values just for the KeyHandles you have deployed. In other words: If you just have a KeyHandle for Bigquery, you'll just see values for: `AUTOKEY_BQ_KEY_HANDLE_PROJECT`, `AUTOKEY_BQ_KEY_HANDLE_LOCATION` and `AUTOKEY_BQ_KEY_HANDLE_NAME` echos. + +## Creating the .tfvars file +1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; +1. Run the following helper script to automate the `terraform output` file creation: + ```shell + chmod +x ../../scripts/create_autokey_tfvars_file.sh + ../../scripts/create_autokey_tfvars_file.sh + ``` + +## Importing the existing Autokey state from terraform-google-autokey module using autokey submodule +1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; +1. Run the following helper script to automate the `terraform import` process: + ```shell + chmod +x ../../scripts/import_autokey_state.sh + ../../scripts/import_autokey_state.sh + ``` +1. **Note:** For each import, you should receive the following output: + ``` + Import successful! + + The resources that were imported are shown above. These resources are now in + your Terraform state and will henceforth be managed by Terraform. + ``` +1. Run `terraform plan`. +1. Run `terraform apply`. **You have successfully imported the Autokey configuration and KeyHandle states**. + +## Cleaning your local environment +1. 
Run the following helper script to unset all the environment variables used in this import process: + ```shell + chmod +x ../../scripts/unset_autokey_env_vars.sh + source ../../scripts/unset_autokey_env_vars.sh + ``` diff --git a/examples/autokey_example/main.tf b/examples/autokey_example/main.tf index 41d522c..bb95e2d 100644 --- a/examples/autokey_example/main.tf +++ b/examples/autokey_example/main.tf @@ -15,7 +15,8 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" + source = "terraform-google-modules/kms/google//modules/autokey" + version = "3.1.0" project_id = var.project_id autokey_folder_number = var.folder_id diff --git a/modules/autokey/README.md b/modules/autokey/README.md index d9fdf59..772e8c0 100644 --- a/modules/autokey/README.md +++ b/modules/autokey/README.md @@ -17,5 +17,6 @@ This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/doc |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | | autokey\_keyhandles | A map of KeyHandles created. | +| random\_suffix | Random 4 digits suffix used in Autokey submodule. | diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index 9a60255..6a7a70d 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf @@ -27,8 +27,6 @@ resource "google_kms_autokey_config" "primary" { } resource "random_string" "suffix" { - count = local.create_autokey_key_handles ? 1 : 0 - length = 4 special = false upper = false @@ -39,9 +37,13 @@ resource "google_kms_key_handle" "primary" { provider = google-beta project = each.value.project - name = "${each.value.name}-${random_string.suffix[0].result}" + name = "${each.value.name}-${random_string.suffix.result}" location = each.value.location resource_type_selector = each.value.resource_type_selector + lifecycle { + ignore_changes = [name] + } + depends_on = [time_sleep.wait_srv_acc_permissions] } 
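Review bot: `ignore_changes = [name]` in the second modules/autokey/main.tf hunk carries no explanation, and it also silences deliberate edits to `each.value.name`, since name drift of any origin is now ignored on every plan. The apparent intent is to keep imported KeyHandles, whose names end in the suffix the old module generated rather than `random_string.suffix.result`, from being replaced; record that so nobody removes the block during a later cleanup: `# name is ignored after creation so that imported KeyHandles keep the suffix they were created with (see docs/importing_autokey_key_handles.md)`. The first hunk drops `count` from `random_string.suffix`, so a suffix is now generated even when `local.create_autokey_key_handles` is false; harmless, but worth a sentence next to the new `random_suffix` output. The enclosing `google_kms_key_handle.primary` block starts outside the hunk.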
diff --git a/modules/autokey/outputs.tf b/modules/autokey/outputs.tf
index 1d1ffec..b04af0f 100644
--- a/modules/autokey/outputs.tf
+++ b/modules/autokey/outputs.tf
@@ -23,3 +23,8 @@ output "autokey_keyhandles" {
 description = "A map of KeyHandles created."
 value = local.create_autokey_key_handles ? google_kms_key_handle.primary : {}
 }
+
+output "random_suffix" {
+ description = "Random 4 digits suffix used in Autokey submodule."
+ value = random_string.suffix.result
+}
diff --git a/scripts/create_autokey_tfvars_file.sh b/scripts/create_autokey_tfvars_file.sh
new file mode 100755
index 0000000..cd56a52
--- /dev/null
+++ b/scripts/create_autokey_tfvars_file.sh
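Review bot: The new `random_suffix` output (and the matching row added to modules/autokey/README.md) calls the value a "Random 4 digits suffix", but `random_string.suffix` in modules/autokey/main.tf is only constrained with `special = false` and `upper = false`, so the result presumably contains lowercase letters as well as digits (the `number`/`lower` arguments are not in the hunk, so confirm against the resource). Anyone matching imported handle names on a four-digit pattern would be misled; `description = "Random 4-character suffix appended to KeyHandle names by the Autokey submodule."` describes it without asserting the alphabet.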
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo ----------------------------------------------
+echo Starting terraform.tfvars file creation
+echo ----------------------------------------------
+
+echo "
+project_id = $AUTOKEY_KMS_PROJECT_ID
+autokey_folder_number = \"$AUTOKEY_FOLDER_NUMBER\"
+autokey_handles = {
+" > terraform.tfvars
+
+if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then
+ echo "
+ bq_dataset = {
+ name = \"$AUTOKEY_BQ_KEY_HANDLE_NAME\",
+ project = \"$AUTOKEY_BQ_KEY_HANDLE_PROJECT\",
+ resource_type_selector = \"bigquery.googleapis.com/Dataset\",
+ location = \"$AUTOKEY_BQ_KEY_HANDLE_LOCATION\"
+ },
+" >> terraform.tfvars
+fi
+if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
+ echo "
+ compute_disk = {
+ name = \"$AUTOKEY_DISK_KEY_HANDLE_NAME\",
+ project = \"$AUTOKEY_DISK_KEY_HANDLE_PROJECT\",
+ resource_type_selector = \"compute.googleapis.com/Disk\",
+ location = \"$AUTOKEY_DISK_KEY_HANDLE_LOCATION\"
+ },
+" >> terraform.tfvars
+fi
+if [ -n "$AUTOKEY_GCS_KEY_HANDLE_NAME" ]; then
+ echo "
+ gcs_bucket = {
+ name = \"$AUTOKEY_GCS_KEY_HANDLE_NAME\",
+ project = \"$AUTOKEY_GCS_KEY_HANDLE_PROJECT\",
+ resource_type_selector = \"storage.googleapis.com/Bucket\",
+ location = \"$AUTOKEY_GCS_KEY_HANDLE_LOCATION\"
+ },
+" >> terraform.tfvars
+fi
+
+echo "
+}
+" >> terraform.tfvars
+
+echo ----------------------------------------------
+echo terraform.tfvars file created
+echo 
----------------------------------------------
diff --git a/scripts/export_autokey_env_vars.sh b/scripts/export_autokey_env_vars.sh
new file mode 100644
index 0000000..213ec15
--- /dev/null
+++ b/scripts/export_autokey_env_vars.sh
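Review bot: scripts/create_autokey_tfvars_file.sh never checks that the variables it interpolates are set, so if export_autokey_env_vars.sh was not sourced (or was sourced in the wrong directory) it silently writes a terraform.tfvars containing `project_id = ` and an empty folder number, and the unconditional `>` on the first `echo` also overwrites any existing terraform.tfvars in the submodule directory without warning. Fail early instead, right after the license header: `set -euo pipefail`, `: "${AUTOKEY_KMS_PROJECT_ID:?source scripts/export_autokey_env_vars.sh first}"` and `: "${AUTOKEY_FOLDER_NUMBER:?source scripts/export_autokey_env_vars.sh first}"`. Note also that `project_id` is the only value written unquoted; that presumably works because the `terraform console` lookup in export_autokey_env_vars.sh returns the id with its surrounding quotes, which deserves a comment on that line so the next edit does not "fix" the quoting in one script only.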
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo ----------------------------------------------
+echo Getting Autokey config and project
+echo ----------------------------------------------
+
+# terraform output format: "folders/{FOLDER_NUMBER}/autokeyConfig". That's why we cut just the second element.
+AUTOKEY_FOLDER_NUMBER=$(terraform output -raw autokey_config | cut -d'/' -f2)
+export AUTOKEY_FOLDER_NUMBER
+
+AUTOKEY_KMS_PROJECT_ID=$(echo "module.autokey.key_project_id" | terraform console)
+export AUTOKEY_KMS_PROJECT_ID
+
+echo AUTOKEY_FOLDER_NUMBER: "$AUTOKEY_FOLDER_NUMBER"
+echo AUTOKEY_KMS_PROJECT_ID: "$AUTOKEY_KMS_PROJECT_ID"
+
+echo ----------------------------------------------
+echo Getting Bigquery Dataset KeyHandle
+echo ----------------------------------------------
+
+# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
+# That's why we have the cut operation. 
+
+AUTOKEY_BQ_KEY_HANDLE_PROJECT=$(terraform output -raw bq_key_handle | cut -d'/' -f2)
+export AUTOKEY_BQ_KEY_HANDLE_PROJECT
+
+AUTOKEY_BQ_KEY_HANDLE_LOCATION=$(terraform output -raw bq_key_handle | cut -d'/' -f4)
+export AUTOKEY_BQ_KEY_HANDLE_LOCATION
+
+AUTOKEY_BQ_KEY_HANDLE_NAME=$(terraform output -raw bq_key_handle | cut -d'/' -f6)
+export AUTOKEY_BQ_KEY_HANDLE_NAME
+
+echo AUTOKEY_BQ_KEY_HANDLE_PROJECT: "$AUTOKEY_BQ_KEY_HANDLE_PROJECT"
+echo AUTOKEY_BQ_KEY_HANDLE_LOCATION: "$AUTOKEY_BQ_KEY_HANDLE_LOCATION"
+echo AUTOKEY_BQ_KEY_HANDLE_NAME: "$AUTOKEY_BQ_KEY_HANDLE_NAME"
+
+echo ----------------------------------------------
+echo Getting Compute Disk KeyHandle
+echo ----------------------------------------------
+
+# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
+# That's why we have the cut operation.
+
+AUTOKEY_DISK_KEY_HANDLE_PROJECT=$(terraform output -raw disk_key_handle | cut -d'/' -f2)
+export AUTOKEY_DISK_KEY_HANDLE_PROJECT
+
+AUTOKEY_DISK_KEY_HANDLE_LOCATION=$(terraform output -raw disk_key_handle | cut -d'/' -f4)
+export AUTOKEY_DISK_KEY_HANDLE_LOCATION
+
+AUTOKEY_DISK_KEY_HANDLE_NAME=$(terraform output -raw disk_key_handle | cut -d'/' -f6)
+export AUTOKEY_DISK_KEY_HANDLE_NAME
+
+echo AUTOKEY_DISK_KEY_HANDLE_PROJECT: "$AUTOKEY_DISK_KEY_HANDLE_PROJECT"
+echo AUTOKEY_DISK_KEY_HANDLE_LOCATION: "$AUTOKEY_DISK_KEY_HANDLE_LOCATION"
+echo AUTOKEY_DISK_KEY_HANDLE_NAME: "$AUTOKEY_DISK_KEY_HANDLE_NAME"
+
+echo ----------------------------------------------
+echo Getting Storage Bucket KeyHandle
+echo ----------------------------------------------
+
+# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
+# That's why we have the cut operation. 
+
+AUTOKEY_GCS_KEY_HANDLE_PROJECT=$(terraform output -raw gcs_key_handle | cut -d'/' -f2)
+export AUTOKEY_GCS_KEY_HANDLE_PROJECT
+
+AUTOKEY_GCS_KEY_HANDLE_LOCATION=$(terraform output -raw gcs_key_handle | cut -d'/' -f4)
+export AUTOKEY_GCS_KEY_HANDLE_LOCATION
+
+AUTOKEY_GCS_KEY_HANDLE_NAME=$(terraform output -raw gcs_key_handle | cut -d'/' -f6)
+export AUTOKEY_GCS_KEY_HANDLE_NAME
+
+echo AUTOKEY_GCS_KEY_HANDLE_PROJECT: "$AUTOKEY_GCS_KEY_HANDLE_PROJECT"
+echo AUTOKEY_GCS_KEY_HANDLE_LOCATION: "$AUTOKEY_GCS_KEY_HANDLE_LOCATION"
+echo AUTOKEY_GCS_KEY_HANDLE_NAME: "$AUTOKEY_GCS_KEY_HANDLE_NAME"
diff --git a/scripts/import_autokey_state.sh b/scripts/import_autokey_state.sh
new file mode 100755
index 0000000..adaadc1
--- /dev/null
+++ b/scripts/import_autokey_state.sh
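Review bot: Each KeyHandle output is fetched three times through separate `terraform output -raw` calls in the `bq_key_handle`, `disk_key_handle` and `gcs_key_handle` sections, and for a handle that was never deployed each of the three calls prints its own error even though the empty result is the documented, expected outcome. Fetch the output once and split it, which also stops restating the field positions 2/4/6 in three places; the rewritten Bigquery section is below and the other two follow the same pattern. Because docs/importing_autokey_key_handles.md has the user `source` this file, it must not enable `set -e`; the `|| true` keeps a missing output from killing the caller's shell. Separately, `AUTOKEY_KMS_PROJECT_ID` is captured from `terraform console` including its surrounding quotes, which create_autokey_tfvars_file.sh relies on when it writes `project_id` unquoted — a one-line comment on that assignment would spare the next reader the surprise.
```shell
# … unchanged: header, AUTOKEY_FOLDER_NUMBER and AUTOKEY_KMS_PROJECT_ID lookups …
# One lookup per handle; an undeployed handle yields an empty string and leaves all three variables empty.
BQ_KEY_HANDLE=$(terraform output -raw bq_key_handle 2>/dev/null || true)
IFS='/' read -r _ AUTOKEY_BQ_KEY_HANDLE_PROJECT _ AUTOKEY_BQ_KEY_HANDLE_LOCATION _ AUTOKEY_BQ_KEY_HANDLE_NAME <<< "$BQ_KEY_HANDLE"
export AUTOKEY_BQ_KEY_HANDLE_PROJECT AUTOKEY_BQ_KEY_HANDLE_LOCATION AUTOKEY_BQ_KEY_HANDLE_NAME
# … unchanged: the three echo lines; repeat the same pattern for disk_key_handle and gcs_key_handle …
```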
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo ----------------------------------------------
+echo Starting terraform init process
+echo ----------------------------------------------
+
+terraform init
+
+echo ----------------------------------------------
+echo terraform init process completed
+echo ----------------------------------------------
+
+echo ----------------------------------------------
+echo Starting terraform import process
+echo ----------------------------------------------
+
+if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then
+terraform import google_kms_key_handle.primary\[\"bq_dataset\"\] projects/"$AUTOKEY_BQ_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_BQ_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_BQ_KEY_HANDLE_NAME"
+fi
+if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
+terraform import google_kms_key_handle.primary\[\"compute_disk\"\] projects/"$AUTOKEY_DISK_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_DISK_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_DISK_KEY_HANDLE_NAME"
+fi
+if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
+terraform import google_kms_key_handle.primary\[\"gcs_bucket\"\] projects/"$AUTOKEY_GCS_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_GCS_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_GCS_KEY_HANDLE_NAME"
+fi
+
+echo ----------------------------------------------
+echo terraform import completed
+echo ----------------------------------------------
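Review bot: The third guard tests the wrong variable: `if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]` precedes the `gcs_bucket` import, so a bucket handle is skipped when only a bucket exists, and when only a disk exists the script runs `terraform import` against `projects//locations//keyHandles/` with empty GCS variables. It should read `if [ -n "$AUTOKEY_GCS_KEY_HANDLE_NAME" ]; then`. Separately, nothing stops the script on failure: without `set -e` a failed `terraform init` or a rejected import still ends with `terraform import completed`, which is exactly the message the docs tell the user to look for, so add `set -euo pipefail` after the shebang (this script is executed rather than sourced, so that is safe).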
diff --git a/scripts/unset_autokey_env_vars.sh b/scripts/unset_autokey_env_vars.sh
new file mode 100755
index 0000000..c892f74
--- /dev/null
+++ b/scripts/unset_autokey_env_vars.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unset AUTOKEY_FOLDER_NUMBER
+unset AUTOKEY_KMS_PROJECT_ID
+unset AUTOKEY_BQ_KEY_HANDLE_PROJECT
+unset AUTOKEY_BQ_KEY_HANDLE_LOCATION
+unset AUTOKEY_BQ_KEY_HANDLE_NAME
+unset AUTOKEY_DISK_KEY_HANDLE_PROJECT
+unset AUTOKEY_DISK_KEY_HANDLE_LOCATION
+unset AUTOKEY_DISK_KEY_HANDLE_NAME
+unset AUTOKEY_GCS_KEY_HANDLE_PROJECT
+unset AUTOKEY_GCS_KEY_HANDLE_LOCATION
+unset AUTOKEY_GCS_KEY_HANDLE_NAME
+
+echo ----------------------------------------------
+echo unset env vars process completed
+echo ----------------------------------------------
From abb9b962447a4687d00f7d4c4db73ef312ce76cb Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 15 Oct 2024 20:34:52 +0000
Subject: [PATCH 2/2] chore(deps): Update Terraform terraform-google-modules/kms/google to v3 (#152)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/simple_example/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/simple_example/main.tf b/examples/simple_example/main.tf
index 3d5941c..363406e 100644
--- a/examples/simple_example/main.tf
+++ b/examples/simple_example/main.tf
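Review bot: scripts/unset_autokey_env_vars.sh only does what its name says when it is sourced — `unset` in a child process cannot touch the caller's environment — yet it ships as mode 100755 with a bash shebang, and the docs have the user `chmod +x` it first, which invites running it as a command that then prints `unset env vars process completed` without unsetting anything. State the contract at the top of the file: `# Must be sourced ("source scripts/unset_autokey_env_vars.sh"); executed as a command it only affects a child shell.` The same applies to scripts/export_autokey_env_vars.sh, whose `export` lines are equally confined to a child shell when run directly.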
@@ -16,7 +16,7 @@ module "kms" { source = "terraform-google-modules/kms/google" - version = "~> 2.0" + version = "~> 3.0" project_id = var.project_id keyring = var.keyring