From c2380a88fa6ac01d6e4751272ea5f795c21cf6bf Mon Sep 17 00:00:00 2001 From: Chaitanya Malpe Date: Thu, 26 Oct 2023 18:12:58 +0530 Subject: [PATCH 1/7] added import job support for kms module --- modules/kms/README.md | 37 ++++++++++++++++++++++++++++++------- modules/kms/main.tf | 7 +++++++ modules/kms/outputs.tf | 9 +++++++++ modules/kms/variables.tf | 9 +++++++++ 4 files changed, 55 insertions(+), 7 deletions(-) diff --git a/modules/kms/README.md b/modules/kms/README.md index ddbf4b5c86..6e22120687 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md @@ -5,13 +5,15 @@ This module allows creating and managing KMS crypto keys and IAM bindings at bot When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator. -- [Protecting against destroy](#protecting-against-destroy) -- [Examples](#examples) - - [Using an existing keyring](#using-an-existing-keyring) - - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) - - [Crypto key purpose](#crypto-key-purpose) -- [Variables](#variables) -- [Outputs](#outputs) +- [Google KMS Module](#google-kms-module) + - [Protecting against destroy](#protecting-against-destroy) + - [Examples](#examples) + - [Using an existing keyring](#using-an-existing-keyring) + - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) + - [Crypto key purpose](#crypto-key-purpose) + - [Import job](#import-job) + - [Variables](#variables) + - [Outputs](#outputs) ## Protecting against destroy 
@@ -94,6 +96,27 @@ module "kms" { } # tftest modules=1 resources=2 inventory=purpose.yaml ``` + +### Import job + +```hcl +module "kms" { + source = "./fabric/modules/kms" + project_id = "my-project" + iam = { + "roles/cloudkms.admin" = ["user:user1@example.com"] + } + keyring = { + location = "europe-west1" + name = "test" + } + import_job = { + id = "my-import-job" + import_method = "RSA_OAEP_3072_SHA1_AES_256" + protection_level = "SOFTWARE" + } +} +``` ## Variables diff --git a/modules/kms/main.tf b/modules/kms/main.tf index 6be7c812da..a1f74902c7 100644 --- a/modules/kms/main.tf +++ b/modules/kms/main.tf @@ -53,3 +53,10 @@ resource "google_kms_crypto_key" "default" { } } } + +resource "google_kms_key_ring_import_job" "default" { + key_ring = local.keyring.id + import_job_id = var.import_job.id + import_method = var.import_job.import_method + protection_level = var.import_job.protection_level +} \ No newline at end of file diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf index 191db82b74..acfb69b3e6 100644 --- a/modules/kms/outputs.tf +++ b/modules/kms/outputs.tf @@ -23,6 +23,15 @@ output "id" { ] } +output "import_job" { + description = "Keyring import job resources." + value = google_kms_key_ring_import_job.default + depends_on = [ + google_kms_key_ring_iam_binding.authoritative, + google_kms_key_ring_iam_binding.bindings + ] +} + output "key_ids" { description = "Fully qualified key ids." value = { diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf index 3086176417..161c55e0ea 100644 --- a/modules/kms/variables.tf +++ b/modules/kms/variables.tf @@ -51,6 +51,15 @@ variable "iam_bindings_additive" { default = {} } +variable "import_job" { + description = "Keyring import job attributes." + type = object({ + id = string + import_method = string + protection_level = string + }) +} + variable "keyring" { description = "Keyring attributes." type = object({ From c83b6c229f8057076a4e67500222f04c3105edfa Mon Sep 17 00:00:00 2001 
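Review bot: The new `google_kms_key_ring_import_job` resource in main.tf carries no comment explaining what it is for, and the file now ends without a trailing newline (`\ No newline at end of file`). A one-line comment such as `# Import job: wrapping key pair used to bring externally generated key material into keys on this keyring.` would help readers who have not met the resource, and it is worth adding that the `protection_level` set here has to match the protection level of the keys the material is later imported into (that is the documented API constraint, as far as I recall; confirm against the provider docs). Also add the missing newline after the closing brace so the file matches the rest of the module.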
From: cmalpe Date: Thu, 26 Oct 2023 14:05:39 +0000 Subject: [PATCH 2/7] added tfdoc changes --- modules/kms/README.md | 41 +++++++++++++++++++++------------------- modules/kms/main.tf | 1 + modules/kms/variables.tf | 7 +++++++ 3 files changed, 30 insertions(+), 19 deletions(-) diff --git a/modules/kms/README.md b/modules/kms/README.md index 6e22120687..110ab1a475 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md @@ -5,15 +5,14 @@ This module allows creating and managing KMS crypto keys and IAM bindings at bot When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator. -- [Google KMS Module](#google-kms-module) - - [Protecting against destroy](#protecting-against-destroy) - - [Examples](#examples) - - [Using an existing keyring](#using-an-existing-keyring) - - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) - - [Crypto key purpose](#crypto-key-purpose) - - [Import job](#import-job) - - [Variables](#variables) - - [Outputs](#outputs) +- [Protecting against destroy](#protecting-against-destroy) +- [Examples](#examples) + - [Using an existing keyring](#using-an-existing-keyring) + - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) + - [Crypto key purpose](#crypto-key-purpose) + - [Import job](#import-job) +- [Variables](#variables) +- [Outputs](#outputs) ## Protecting against destroy @@ -110,6 +109,7 @@ module "kms" { location = "europe-west1" name = "test" } + import_job_create = true import_job = { id = "my-import-job" import_method = "RSA_OAEP_3072_SHA1_AES_256" 
@@ -122,23 +122,26 @@ module "kms" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [keyring](variables.tf#L54) | Keyring attributes. | object({…}) | ✓ | | -| [project_id](variables.tf#L103) | Project id where the keyring will be created. | string | ✓ | | +| [keyring](variables.tf#L70) | Keyring attributes. | object({…}) | ✓ | | +| [project_id](variables.tf#L119) | Project id where the keyring will be created. | string | ✓ | | | [iam](variables.tf#L17) | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_bindings](variables.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} | | [iam_bindings_additive](variables.tf#L39) | Keyring individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | -| [keyring_create](variables.tf#L62) | Set to false to manage keys and IAM bindings in an existing keyring. | bool | | true | -| [keys](variables.tf#L68) | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) | | {} | -| [tag_bindings](variables.tf#L108) | Tag bindings for this keyring, in key => tag value id format. | map(string) | | {} | +| [import_job](variables.tf#L54) | Keyring import job attributes. | object({…}) | | null | +| [import_job_create](variables.tf#L64) | Set to true to create an import job for a keyring. | bool | | false | +| [keyring_create](variables.tf#L78) | Set to false to manage keys and IAM bindings in an existing keyring. | bool | | true | +| [keys](variables.tf#L84) | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) | | {} | +| [tag_bindings](variables.tf#L124) | Tag bindings for this keyring, in key => tag value id format. | map(string) | | {} | ## Outputs | name | description | sensitive | |---|---|:---:| | [id](outputs.tf#L17) | Fully qualified keyring id. 
| | -| [key_ids](outputs.tf#L26) | Fully qualified key ids. | | -| [keyring](outputs.tf#L38) | Keyring resource. | | -| [keys](outputs.tf#L47) | Key resources. | | -| [location](outputs.tf#L56) | Keyring location. | | -| [name](outputs.tf#L65) | Keyring name. | | +| [import_job](outputs.tf#L26) | Keyring import job resources. | | +| [key_ids](outputs.tf#L35) | Fully qualified key ids. | | +| [keyring](outputs.tf#L47) | Keyring resource. | | +| [keys](outputs.tf#L56) | Key resources. | | +| [location](outputs.tf#L65) | Keyring location. | | +| [name](outputs.tf#L74) | Keyring name. | | diff --git a/modules/kms/main.tf b/modules/kms/main.tf index a1f74902c7..bb9f05a802 100644 --- a/modules/kms/main.tf +++ b/modules/kms/main.tf @@ -55,6 +55,7 @@ resource "google_kms_crypto_key" "default" { } resource "google_kms_key_ring_import_job" "default" { + count = var.import_job_create ? 1 : 0 key_ring = local.keyring.id import_job_id = var.import_job.id import_method = var.import_job.import_method diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf index 161c55e0ea..669d2e8a78 100644 --- a/modules/kms/variables.tf +++ b/modules/kms/variables.tf @@ -58,6 +58,13 @@ variable "import_job" { import_method = string protection_level = string }) + default = null +} + +variable "import_job_create" { + description = "Set to true to create an import job for a keyring." + type = bool + default = false } variable "keyring" { From d9e09bb9c3a6eac074799063e4a00fb894fa529e Mon Sep 17 00:00:00 2001 From: Chaitanya Malpe Date: Thu, 26 Oct 2023 20:23:06 +0530 Subject: [PATCH 3/7] removed unneeded variable --- modules/kms/README.md | 29 ++++++++++++++--------------- modules/kms/main.tf | 2 +- modules/kms/variables.tf | 6 ------ 3 files changed, 15 insertions(+), 22 deletions(-) diff --git a/modules/kms/README.md b/modules/kms/README.md index 110ab1a475..c79ddb6ad8 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md 
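Review bot: Adding `count` to `google_kms_key_ring_import_job.default` turns the reference into a list, but `output "import_job"` in outputs.tf (added in PATCH 1/7 and not touched here) still returns the bare resource, so the output is now a zero- or one-element tuple rather than the single object its description "Keyring import job resources." suggests; PATCH 3/7 keeps the same shape. Change the output to `value = try(google_kms_key_ring_import_job.default[0], null)` so callers get either the job or null, and adjust the README output description to match. The inventory added in PATCH 5/7 already addresses the resource as `default[0]`, consistent with the list. The resource body continues past the end of this hunk.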
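Review bot: `import_method` and `protection_level` in `variable "import_job"` are free-form strings, so a typo or an unsupported value is only rejected by the API at apply time; a `validation` block would surface it at plan. `protection_level` on an import job accepts `SOFTWARE` or `HSM` and must match the protection level of the keys the wrapped material will be imported into, so that is the value most worth pinning; `import_method` could be checked the same way against the provider's enum (the example only shows `RSA_OAEP_3072_SHA1_AES_256`; Cloud KMS also offers SHA256-based variants, which are the better choice for a fresh example). The start of `variable "import_job"` is outside this hunk.
```hcl
variable "import_job" {
  # … unchanged: description and type …
  default = null
  validation {
    condition = (
      var.import_job == null ||
      contains(["SOFTWARE", "HSM"], try(var.import_job.protection_level, null))
    )
    error_message = "import_job.protection_level must be SOFTWARE or HSM."
  }
}
```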
@@ -5,14 +5,15 @@ This module allows creating and managing KMS crypto keys and IAM bindings at bot When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator. -- [Protecting against destroy](#protecting-against-destroy) -- [Examples](#examples) - - [Using an existing keyring](#using-an-existing-keyring) - - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) - - [Crypto key purpose](#crypto-key-purpose) - - [Import job](#import-job) -- [Variables](#variables) -- [Outputs](#outputs) +- [Google KMS Module](#google-kms-module) + - [Protecting against destroy](#protecting-against-destroy) + - [Examples](#examples) + - [Using an existing keyring](#using-an-existing-keyring) + - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) + - [Crypto key purpose](#crypto-key-purpose) + - [Import job](#import-job) + - [Variables](#variables) + - [Outputs](#outputs) ## Protecting against destroy @@ -109,7 +110,6 @@ module "kms" { location = "europe-west1" name = "test" } - import_job_create = true import_job = { id = "my-import-job" import_method = "RSA_OAEP_3072_SHA1_AES_256" 
@@ -122,16 +122,15 @@ module "kms" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [keyring](variables.tf#L70) | Keyring attributes. | object({…}) | ✓ | | -| [project_id](variables.tf#L119) | Project id where the keyring will be created. | string | ✓ | | +| [keyring](variables.tf#L64) | Keyring attributes. | object({…}) | ✓ | | +| [project_id](variables.tf#L113) | Project id where the keyring will be created. | string | ✓ | | | [iam](variables.tf#L17) | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_bindings](variables.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} | | [iam_bindings_additive](variables.tf#L39) | Keyring individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | [import_job](variables.tf#L54) | Keyring import job attributes. | object({…}) | | null | -| [import_job_create](variables.tf#L64) | Set to true to create an import job for a keyring. | bool | | false | -| [keyring_create](variables.tf#L78) | Set to false to manage keys and IAM bindings in an existing keyring. | bool | | true | -| [keys](variables.tf#L84) | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) | | {} | -| [tag_bindings](variables.tf#L124) | Tag bindings for this keyring, in key => tag value id format. | map(string) | | {} | +| [keyring_create](variables.tf#L72) | Set to false to manage keys and IAM bindings in an existing keyring. | bool | | true | +| [keys](variables.tf#L78) | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) | | {} | +| [tag_bindings](variables.tf#L118) | Tag bindings for this keyring, in key => tag value id format. | map(string) | | {} | ## Outputs diff --git a/modules/kms/main.tf b/modules/kms/main.tf index bb9f05a802..b240706b10 100644 --- a/modules/kms/main.tf +++ b/modules/kms/main.tf 
@@ -55,7 +55,7 @@ resource "google_kms_crypto_key" "default" { } resource "google_kms_key_ring_import_job" "default" { - count = var.import_job_create ? 1 : 0 + count = var.import_job != null ? 1 : 0 key_ring = local.keyring.id import_job_id = var.import_job.id import_method = var.import_job.import_method diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf index 669d2e8a78..c329154695 100644 --- a/modules/kms/variables.tf +++ b/modules/kms/variables.tf @@ -61,12 +61,6 @@ variable "import_job" { default = null } -variable "import_job_create" { - description = "Set to true to create an import job for a keyring." - type = bool - default = false -} - variable "keyring" { description = "Keyring attributes." type = object({ From 5d8ff924713b1a292ca6c5b85021be601a5acbcf Mon Sep 17 00:00:00 2001 From: cmalpe Date: Thu, 26 Oct 2023 15:02:59 +0000 Subject: [PATCH 4/7] added linting changes for readme file --- modules/kms/README.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/modules/kms/README.md b/modules/kms/README.md index c79ddb6ad8..e2ad757e8e 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md 
@@ -5,15 +5,14 @@ This module allows creating and managing KMS crypto keys and IAM bindings at bot When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator. -- [Google KMS Module](#google-kms-module) - - [Protecting against destroy](#protecting-against-destroy) - - [Examples](#examples) - - [Using an existing keyring](#using-an-existing-keyring) - - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) - - [Crypto key purpose](#crypto-key-purpose) - - [Import job](#import-job) - - [Variables](#variables) - - [Outputs](#outputs) +- [Protecting against destroy](#protecting-against-destroy) +- [Examples](#examples) + - [Using an existing keyring](#using-an-existing-keyring) + - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) + - [Crypto key purpose](#crypto-key-purpose) + - [Import job](#import-job) +- [Variables](#variables) +- [Outputs](#outputs) ## Protecting against destroy From 8a76b10161372d213debdd03a1ae5cf0b576affc Mon Sep 17 00:00:00 2001 From: Chaitanya Malpe Date: Fri, 27 Oct 2023 11:53:35 +0530 Subject: [PATCH 5/7] added test for import job --- modules/kms/README.md | 18 ++++++++------ tests/modules/kms/examples/import-job.yaml | 29 ++++++++++++++++++++++ 2 files changed, 39 insertions(+), 8 deletions(-) create mode 100644 tests/modules/kms/examples/import-job.yaml diff --git a/modules/kms/README.md b/modules/kms/README.md index e2ad757e8e..282bdaf7d3 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md 
@@ -5,14 +5,15 @@ This module allows creating and managing KMS crypto keys and IAM bindings at bot When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator. -- [Protecting against destroy](#protecting-against-destroy) -- [Examples](#examples) - - [Using an existing keyring](#using-an-existing-keyring) - - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) - - [Crypto key purpose](#crypto-key-purpose) - - [Import job](#import-job) -- [Variables](#variables) -- [Outputs](#outputs) +- [Google KMS Module](#google-kms-module) + - [Protecting against destroy](#protecting-against-destroy) + - [Examples](#examples) + - [Using an existing keyring](#using-an-existing-keyring) + - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) + - [Crypto key purpose](#crypto-key-purpose) + - [Import job](#import-job) + - [Variables](#variables) + - [Outputs](#outputs) ## Protecting against destroy @@ -115,6 +116,7 @@ module "kms" { protection_level = "SOFTWARE" } } +# tftest modules=1 resources=2 inventory=import-job.yaml ``` ## Variables diff --git a/tests/modules/kms/examples/import-job.yaml b/tests/modules/kms/examples/import-job.yaml new file mode 100644 index 0000000000..79a3fba2c2 --- /dev/null +++ b/tests/modules/kms/examples/import-job.yaml 
@@ -0,0 +1,29 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.kms.google_kms_key_ring_import_job.default[0]: + import_job_id: my-import-job + import_method: RSA_OAEP_3072_SHA1_AES_256 + protection_level: SOFTWARE + module.kms.google_kms_key_ring.default[0]: + location: europe-west1 + name: test + project: my-project + +counts: + google_kms_key_ring_import_job: 1 + google_kms_key_ring: 1 + modules: 1 + resources: 2 \ No newline at end of file From 9a3ac136872d574bc03ecde6c2b221cb69d2906f Mon Sep 17 00:00:00 2001 From: cmalpe Date: Fri, 27 Oct 2023 06:52:55 +0000 Subject: [PATCH 6/7] corrected linting and test example --- modules/kms/README.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/modules/kms/README.md b/modules/kms/README.md index 282bdaf7d3..8a4fa8a638 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md 
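Review bot: The new fixture ends without a trailing newline (`\ No newline at end of file`), which the other YAML inventories in the repository presumably have and which linters flag; add the newline after `resources: 2`. Beyond that, the inventory pins exactly what the README example declares, including the `[0]` index that the `count` on the import job introduces, so it would catch a regression in the conditional creation; it cannot assert `key_ring` because the keyring id is not known at plan time when the keyring is created by the same module.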
@@ -5,10 +5,9 @@ This module allows creating and managing KMS crypto keys and IAM bindings at bot When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator. -- [Google KMS Module](#google-kms-module) - - [Protecting against destroy](#protecting-against-destroy) - - [Examples](#examples) - - [Using an existing keyring](#using-an-existing-keyring) +- [Protecting against destroy](#protecting-against-destroy) +- [Examples](#examples) + - [Using an existing keyring](#using-an-existing-keyring) - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) - [Crypto key purpose](#crypto-key-purpose) - [Import job](#import-job) @@ -103,9 +102,6 @@ module "kms" { module "kms" { source = "./fabric/modules/kms" project_id = "my-project" - iam = { - "roles/cloudkms.admin" = ["user:user1@example.com"] - } keyring = { location = "europe-west1" name = "test" From af339aad154de3ee29cab365e20e6fe4aea9418c Mon Sep 17 00:00:00 2001 From: cmalpe Date: Fri, 27 Oct 2023 07:22:59 +0000 Subject: [PATCH 7/7] corrected readme linting --- modules/kms/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/kms/README.md b/modules/kms/README.md index 8a4fa8a638..1d08fce837 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md 
@@ -8,11 +8,11 @@ When using an existing keyring be mindful about applying IAM bindings, as all bi - [Protecting against destroy](#protecting-against-destroy) - [Examples](#examples) - [Using an existing keyring](#using-an-existing-keyring) - - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) - - [Crypto key purpose](#crypto-key-purpose) - - [Import job](#import-job) - - [Variables](#variables) - - [Outputs](#outputs) + - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles) + - [Crypto key purpose](#crypto-key-purpose) + - [Import job](#import-job) +- [Variables](#variables) +- [Outputs](#outputs) ## Protecting against destroy