diff --git a/modules/kms/README.md b/modules/kms/README.md
index ddbf4b5c86..1d08fce837 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -10,6 +10,7 @@ When using an existing keyring be mindful about applying IAM bindings, as all bi
 - [Using an existing keyring](#using-an-existing-keyring)
 - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles)
 - [Crypto key purpose](#crypto-key-purpose)
+ - [Import job](#import-job)
 - [Variables](#variables)
 - [Outputs](#outputs)
@@ -94,28 +95,49 @@ module "kms" {
 }
 # tftest modules=1 resources=2 inventory=purpose.yaml
 ```
+
+### Import job
+
+```hcl
+module "kms" {
+ source = "./fabric/modules/kms"
+ project_id = "my-project"
+ keyring = {
+ location = "europe-west1"
+ name = "test"
+ }
+ import_job = {
+ id = "my-import-job"
+ import_method = "RSA_OAEP_3072_SHA1_AES_256"
+ protection_level = "SOFTWARE"
+ }
+}
+# tftest modules=1 resources=2 inventory=import-job.yaml
+```
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [keyring](variables.tf#L54) | Keyring attributes. | object({…}) | ✓ | |
-| [project_id](variables.tf#L103) | Project id where the keyring will be created. | string | ✓ | |
+| [keyring](variables.tf#L64) | Keyring attributes. | object({…}) | ✓ | |
+| [project_id](variables.tf#L113) | Project id where the keyring will be created. | string | ✓ | |
 | [iam](variables.tf#L17) | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
 | [iam_bindings](variables.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
 | [iam_bindings_additive](variables.tf#L39) | Keyring individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
-| [keyring_create](variables.tf#L62) | Set to false to manage keys and IAM bindings in an existing keyring. | bool | | true |
-| [keys](variables.tf#L68) | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) | | {} |
-| [tag_bindings](variables.tf#L108) | Tag bindings for this keyring, in key => tag value id format. | map(string) | | {} |
+| [import_job](variables.tf#L54) | Keyring import job attributes. | object({…}) | | null |
+| [keyring_create](variables.tf#L72) | Set to false to manage keys and IAM bindings in an existing keyring. | bool | | true |
+| [keys](variables.tf#L78) | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) | | {} |
+| [tag_bindings](variables.tf#L118) | Tag bindings for this keyring, in key => tag value id format. | map(string) | | {} |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
 | [id](outputs.tf#L17) | Fully qualified keyring id. | |
-| [key_ids](outputs.tf#L26) | Fully qualified key ids. | |
-| [keyring](outputs.tf#L38) | Keyring resource. | |
-| [keys](outputs.tf#L47) | Key resources. | |
-| [location](outputs.tf#L56) | Keyring location. | |
-| [name](outputs.tf#L65) | Keyring name. | |
+| [import_job](outputs.tf#L26) | Keyring import job resources. | |
+| [key_ids](outputs.tf#L35) | Fully qualified key ids. | |
+| [keyring](outputs.tf#L47) | Keyring resource. | |
+| [keys](outputs.tf#L56) | Key resources. | |
+| [location](outputs.tf#L65) | Keyring location. | |
+| [name](outputs.tf#L74) | Keyring name. | |
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
index 6be7c812da..b240706b10 100644
--- a/modules/kms/main.tf
+++ b/modules/kms/main.tf
@@ -53,3 +53,11 @@ resource "google_kms_crypto_key" "default" {
 }
 }
 }
+
+resource "google_kms_key_ring_import_job" "default" {
+ count = var.import_job != null ? 1 : 0
+ key_ring = local.keyring.id
+ import_job_id = var.import_job.id
+ import_method = var.import_job.import_method
+ protection_level = var.import_job.protection_level
+}
\ No newline at end of file
diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf
index 191db82b74..acfb69b3e6 100644
--- a/modules/kms/outputs.tf
+++ b/modules/kms/outputs.tf
@@ -23,6 +23,15 @@ output "id" {
 ]
 }
 
+output "import_job" {
+ description = "Keyring import job resources."
+ value = google_kms_key_ring_import_job.default
+ depends_on = [
+ google_kms_key_ring_iam_binding.authoritative,
+ google_kms_key_ring_iam_binding.bindings
+ ]
+}
+
 output "key_ids" {
 description = "Fully qualified key ids."
 value = {
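Review bot: The new `google_kms_key_ring_import_job.default` resource is not tied to any key that is prepared for import, and `google_kms_crypto_key.default` in the hunk context is untouched; unless the `keys` variable (outside this diff) already exposes the provider's `import_only` and `skip_initial_version_creation` arguments, Cloud KMS will still generate its own initial version for every key, which defeats the bring-your-own-key intent of an import job. A header comment on the resource would make the contract visible: `# Only wraps externally generated key material; the target key must be created with import_only = true (and skip_initial_version_creation) so no KMS-generated version exists, and its protection level must match the job.` Import jobs also have a limited lifetime, so callers should expect the job to reach an expired state well before a keyring's next apply. The file additionally loses its trailing newline (`\ No newline at end of file`), which formatters will keep flipping back.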
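Review bot: `value = google_kms_key_ring_import_job.default` exports a list because the resource uses `count`, so consumers must index `[0]` and receive an empty list when `import_job` is null, while the description says "resources" as if several could exist. Either document the shape, `description = "Keyring import job resource as a single-element list, empty when import_job is null."`, or, if the module's required Terraform version allows, return `one(google_kms_key_ring_import_job.default)` so the output is the object or null. The exported object includes the job's `public_key`, `attestation` and `expire_time`, which is what a caller needs to wrap key material out of band and verify the wrapping key; the README hunk above does not say so, and a sentence there would save readers a trip to the provider docs.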
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 3086176417..c329154695 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -51,6 +51,16 @@ variable "iam_bindings_additive" {
 default = {}
 }
 
+variable "import_job" {
+ description = "Keyring import job attributes."
+ type = object({
+ id = string
+ import_method = string
+ protection_level = string
+ })
+ default = null
+}
+
 variable "keyring" {
 description = "Keyring attributes."
 type = object({
diff --git a/tests/modules/kms/examples/import-job.yaml b/tests/modules/kms/examples/import-job.yaml
new file mode 100644
index 0000000000..79a3fba2c2
--- /dev/null
+++ b/tests/modules/kms/examples/import-job.yaml
@@ -0,0 +1,29 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.kms.google_kms_key_ring_import_job.default[0]:
+ import_job_id: my-import-job
+ import_method: RSA_OAEP_3072_SHA1_AES_256
+ protection_level: SOFTWARE
+ module.kms.google_kms_key_ring.default[0]:
+ location: europe-west1
+ name: test
+ project: my-project
+
+counts:
+ google_kms_key_ring_import_job: 1
+ google_kms_key_ring: 1
+ modules: 1
+ resources: 2
\ No newline at end of file
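Review bot: `import_method` and `protection_level` in the new `import_job` variable are accepted as free-form strings, so a typo or an unsupported value is only rejected by the API at apply time, after the keyring and any keys have already been created; a `validation` block fails at plan instead. The values below are the import methods and protection levels I know the Cloud KMS API accepts for import jobs; the list should be kept in step with the provider's enum. The `try()` wrapper is needed because Terraform evaluates both sides of `||` and the variable defaults to null.
```hcl
variable "import_job" {
  # … unchanged: description and type …
  default = null
  validation {
    condition = (
      var.import_job == null ||
      contains(["SOFTWARE", "HSM"], try(var.import_job.protection_level, ""))
    )
    error_message = "Import job protection_level must be SOFTWARE or HSM."
  }
  validation {
    condition = (
      var.import_job == null ||
      contains([
        "RSA_OAEP_3072_SHA1_AES_256",
        "RSA_OAEP_4096_SHA1_AES_256",
        "RSA_OAEP_3072_SHA256_AES_256",
        "RSA_OAEP_4096_SHA256_AES_256",
      ], try(var.import_job.import_method, ""))
    )
    error_message = "Import job import_method is not a supported Cloud KMS import method."
  }
}
```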