Merge pull request #1817 from GoogleCloudPlatform/cmalpe/kms-import-job
KMS module: Import job feature
cmalpe authored Oct 30, 2023
2 parents 4c17dea + b8bb000 commit 5ada65a
Showing 5 changed files with 88 additions and 10 deletions.
42 changes: 32 additions & 10 deletions modules/kms/README.md
Expand Up @@ -10,6 +10,7 @@ When using an existing keyring be mindful about applying IAM bindings, as all bi
- [Using an existing keyring](#using-an-existing-keyring)
- [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles)
- [Crypto key purpose](#crypto-key-purpose)
- [Import job](#import-job)
- [Variables](#variables)
- [Outputs](#outputs)
<!-- END TOC -->
Expand Down Expand Up @@ -94,28 +95,49 @@ module "kms" {
}
# tftest modules=1 resources=2 inventory=purpose.yaml
```

### Import job

```hcl
module "kms" {
source = "./fabric/modules/kms"
project_id = "my-project"
keyring = {
location = "europe-west1"
name = "test"
}
import_job = {
id = "my-import-job"
import_method = "RSA_OAEP_3072_SHA1_AES_256"
protection_level = "SOFTWARE"
}
}
# tftest modules=1 resources=2 inventory=import-job.yaml
```
<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [keyring](variables.tf#L54) | Keyring attributes. | <code title="object&#40;&#123;&#10; location &#61; string&#10; name &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || |
| [project_id](variables.tf#L103) | Project id where the keyring will be created. | <code>string</code> || |
| [keyring](variables.tf#L64) | Keyring attributes. | <code title="object&#40;&#123;&#10; location &#61; string&#10; name &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || |
| [project_id](variables.tf#L113) | Project id where the keyring will be created. | <code>string</code> || |
| [iam](variables.tf#L17) | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings](variables.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings_additive](variables.tf#L39) | Keyring individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [keyring_create](variables.tf#L62) | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> | | <code>true</code> |
| [keys](variables.tf#L68) | Key names and base attributes. Set attributes to null if not needed. | <code title="map&#40;object&#40;&#123;&#10; rotation_period &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; purpose &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10; skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10; version_template &#61; optional&#40;object&#40;&#123;&#10; algorithm &#61; string&#10; protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10; &#125;&#41;&#41;&#10;&#10;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [tag_bindings](variables.tf#L108) | Tag bindings for this keyring, in key => tag value id format. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [import_job](variables.tf#L54) | Keyring import job attributes. | <code title="object&#40;&#123;&#10; id &#61; string&#10; import_method &#61; string&#10; protection_level &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [keyring_create](variables.tf#L72) | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> | | <code>true</code> |
| [keys](variables.tf#L78) | Key names and base attributes. Set attributes to null if not needed. | <code title="map&#40;object&#40;&#123;&#10; rotation_period &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10; purpose &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10; skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10; version_template &#61; optional&#40;object&#40;&#123;&#10; algorithm &#61; string&#10; protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10; &#125;&#41;&#41;&#10;&#10;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [tag_bindings](variables.tf#L118) | Tag bindings for this keyring, in key => tag value id format. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [id](outputs.tf#L17) | Fully qualified keyring id. | |
| [key_ids](outputs.tf#L26) | Fully qualified key ids. | |
| [keyring](outputs.tf#L38) | Keyring resource. | |
| [keys](outputs.tf#L47) | Key resources. | |
| [location](outputs.tf#L56) | Keyring location. | |
| [name](outputs.tf#L65) | Keyring name. | |
| [import_job](outputs.tf#L26) | Keyring import job resources. | |
| [key_ids](outputs.tf#L35) | Fully qualified key ids. | |
| [keyring](outputs.tf#L47) | Keyring resource. | |
| [keys](outputs.tf#L56) | Key resources. | |
| [location](outputs.tf#L65) | Keyring location. | |
| [name](outputs.tf#L74) | Keyring name. | |
<!-- END TFDOC -->
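Review bot: the new `### Import job` section is an example with no explanatory prose, unlike the README sections around it; it should say what the three attributes mean and, above all, what the module does and does not do here. The main.tf change only creates the `google_kms_key_ring_import_job` resource, so wrapping and importing the actual key material still happens outside this module, and a reader of the README cannot tell that. The example also defines no key, while the `keys` variable (see the `version_template.protection_level` attribute in the variables table) already carries a per-key protection level; consider adding a `keys` entry next to `import_job` in the example and stating whether the job's `protection_level` is expected to match the key's.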
8 changes: 8 additions & 0 deletions modules/kms/main.tf
Expand Up @@ -53,3 +53,11 @@ resource "google_kms_crypto_key" "default" {
}
}
}

resource "google_kms_key_ring_import_job" "default" {
count = var.import_job != null ? 1 : 0
key_ring = local.keyring.id
import_job_id = var.import_job.id
import_method = var.import_job.import_method
protection_level = var.import_job.protection_level
}
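Review bot: `protection_level` on the import job and `version_template.protection_level` on each entry of `var.keys` are independent inputs, so nothing in this resource block prevents a job and the key it is intended for from disagreeing; either validate the combination (a `lifecycle { precondition { ... } }` on the resource, or a check in variables.tf) or state in the variable description that the caller is responsible for keeping them consistent. The `count` guard correctly protects the `var.import_job.*` references from a null object.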
9 changes: 9 additions & 0 deletions modules/kms/outputs.tf
Expand Up @@ -23,6 +23,15 @@ output "id" {
]
}

output "import_job" {
description = "Keyring import job resources."
value = google_kms_key_ring_import_job.default
depends_on = [
google_kms_key_ring_iam_binding.authoritative,
google_kms_key_ring_iam_binding.bindings
]
}

output "key_ids" {
description = "Fully qualified key ids."
value = {
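Review bot: because the resource is created with `count`, `google_kms_key_ring_import_job.default` is a list, so `output "import_job"` yields `[]` when no job is configured and a one-element list otherwise, whereas the neighbouring outputs (`id`, `key_ids`) expose a single value or a map. If callers are meant to read attributes of the job, `value = try(google_kms_key_ring_import_job.default[0], null)` would hand them an object-or-null instead of a list to index, and the description could then drop the plural "resources". The `depends_on` on the two IAM binding resources mirrors the other outputs; fine, but note it is only the output, not the resource in main.tf, that waits for the bindings.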
10 changes: 10 additions & 0 deletions modules/kms/variables.tf
Expand Up @@ -51,6 +51,16 @@ variable "iam_bindings_additive" {
default = {}
}

variable "import_job" {
description = "Keyring import job attributes."
type = object({
id = string
import_method = string
protection_level = string
})
default = null
}

variable "keyring" {
description = "Keyring attributes."
type = object({
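Review bot: `import_method` and `protection_level` are plain `string` with no `validation` block, so a typo in either is only reported by the API at apply time; both take a small fixed set of values (the README example uses `RSA_OAEP_3072_SHA1_AES_256` and `SOFTWARE`), so a guard such as `condition = var.import_job == null || contains([...], var.import_job.import_method)` (the null check matters because the variable defaults to `null`) would fail fast at plan time. For consistency with `keys`, where `version_template.protection_level` is `optional(string, "SOFTWARE")`, `protection_level` here could carry the same default. Finally, the variable is a single object rather than a map like `keys`, so only one import job per keyring can be managed; if that is intended, say so in the description.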
29 changes: 29 additions & 0 deletions tests/modules/kms/examples/import-job.yaml
@@ -0,0 +1,29 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

values:
module.kms.google_kms_key_ring_import_job.default[0]:
import_job_id: my-import-job
import_method: RSA_OAEP_3072_SHA1_AES_256
protection_level: SOFTWARE
module.kms.google_kms_key_ring.default[0]:
location: europe-west1
name: test
project: my-project

counts:
google_kms_key_ring_import_job: 1
google_kms_key_ring: 1
modules: 1
resources: 2
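Review bot: this inventory only covers the created-keyring path; with `keyring_create = false` the job's `key_ring` is taken from the existing-keyring lookup behind `local.keyring`, and no example exercises that combination. The `values` block here cannot assert `key_ring` because the keyring is created in the same plan and its id is unknown until apply, which is one more reason to add a variant with `keyring_create = false`, where the id is known at plan time and the wiring can be checked.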
