Feature Request: Support for KMS KeyRings / CryptoKeys #441
Comments
Hi,
Hey @mrparkers, my team was planning on taking this on in Q4 but if you'd like to do it go for it! Feel free to reach out if you have any questions, and keep me updated on your progress 😃
Hi @mayakacz and @danawillow, thanks for the replies! I did have one question about the implementation, and I wasn't able to find an example in the codebase that answered my question. Since it doesn't look like you can delete a KeyRing or a CryptoKey using the KMS API, what is the expected behavior for the Thanks!
Oh, that's a good question. I don't like the idea of throwing an error since that means you can never do a Just to confirm @mayakacz, is this intentional based on how KMS works that these can't be deleted or is it just that it can't be done via the API (looks like gcloud doesn't have delete functionality either)
Okay, I'll go with your suggestion of removing it from state and allowing it to be "re-created" to add it back. Speaking of the
Hey @danawillow, yes that's correct, KeyRings and CryptoKeys can never be deleted - allowing for complete history of how these resources were used. @mrparkers Yes that's a good idea. We recommend you run Cloud KMS in its own project, so a good way of avoiding this would indeed be to spin up a new project with Cloud KMS resources, then destroy that project when done.
@danawillow @mayakacz I created a PR in my fork for creating a KeyRing resource with a basic acceptance test. Please take a look when you have time and let me know if you have any suggestions: mrparkers#1 I'm going to work on another acceptance test that ensures you can re-create KeyRings with the same name after removing them from state.
Instead of a PR to your fork, can you send it as a PR to this repo?
@danawillow Sure thing. I opened #518
I'm going to re-use this issue to talk about At the moment, I'm struggling a little bit with what I think this resource should look like when it's managed by terraform. Creating the

```hcl
resource "google_kms_key_ring" "key_ring" {
  name     = "key-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "crypto_key" {
  key_ring = "${google_kms_key_ring.key_ring.id}"
  name     = "crypto-key"
}
```

A However, it starts to get confusing (at least for me) when you factor in the ability to "rotate" the So yeah, I'm really not sure how this functionality can be captured in a terraform resource. At first, I thought that the A @danawillow, @mayakacz Any advice here? If we come to the consensus that a Thanks! Some helpful reading material:
@mrparkers I've been poking at this too. I think the I'd be interested to see if anyone has a use case for it. I certainly (or would like ... ) the key rotation params as the ease of key rotation is one of the big selling points for the service for me. I'd started work on a PR before I saw your comment but will pause if you're working on it.
Yeah, that's exactly what I was thinking. The only reason I can see a I also agree that
I haven't started any work on this, I just started thinking about it last night since I have some free time. If you want to take this on, feel free. I also wanted to work on the KMS data source requested in #495, so I could do that instead.
Sounds good - I'll take this one.
I'm not a KMS expert, but from looking around at the docs I definitely think the initial version of this should support automatic rotation. Manual can probably come later- right now a
Hi all, we're having a bit of trouble acceptance testing this on account of the required environment variables: what should GOOGLE_XPN_HOST_PROJECT be set to? And should this really be mandatory for running any acceptance tests - it only seems to be used in about three of them?
@tragiclifestories If you're only running the KMS tests, you can set that to anything and it won't matter.
Thanks - thought as much.
@mrparkers I'm working with @tragiclifestories on adding CryptoKeys. We are attempting to run your test and having some trouble.
From the root of this repository, I get the following
It seems like the key section is: Do you happen to know what a project's "Parent id" is, since https://www.terraform.io/docs/providers/google/r/google_project.html doesn't indicate any parent attribute of a project?
@amfarrell I believe that your issue is that the
It looks like based on https://cloud.google.com/resource-manager/docs/creating-managing-organization I don't actually have an organisation ID yet and I need to sign up for either G-suite or Cloud Identity. However, in signing up for Cloud Identity, I get stuck at this screen Do you know of a way to get an organisation ID without either G-Suite or Cloud Identity, or were you already signed up for one of these?
I was already signed up for an organization (via my personal domain). You probably don't need an organization to run these tests, but I can't say for sure, since I've only ever used GCP within the context of an organization. If you want to run these tests without an organization, you can comment out a few lines in the test file. This function generates the terraform definition for the test, and you can remove the parts containing the organization ID to try and create a test project without an organization. Alternatively, you can comment out the entire project altogether and update the
I think that a
See #692 for @amfarrell's and my take on the first version of the CryptoKey resource.
Closing. We now have resources to manage kms entities: google_kms_key_ring and google_kms_crypto_key. We also have resources to manage IAM for crypto keys and key rings. Please open a separate issue if you want support for a new feature for KMS.
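The design the thread settled on, written out as an added Terraform example (it is not code from this issue, from the provider's test suite, or from any of the commenters): Cloud KMS isolated in its own project as @mayakacz recommended, a key ring and a crypto key managed with the resources the closing comment names (google_kms_key_ring, google_kms_crypto_key and the crypto key IAM resource), automatic rotation set on the key, and a least-privilege IAM binding instead of project-wide KMS admin. The project ID, organization ID, billing account, key names, rotation period and the service account member are all assumed values; the configuration uses Terraform 0.12+ syntax rather than the "${...}" interpolation of the snippet earlier in the thread.

```hcl
# Added example, not part of the original issue or the provider's code.
# All IDs, names and the IAM member below are assumptions.

provider "google" {
  region = "us-central1"
}

# Key rings and crypto keys can never be deleted through the API, so the
# only way to make "destroy everything" true is to keep KMS in its own
# project and delete the project when it is no longer needed.
resource "google_project" "kms" {
  name            = "kms-only"
  project_id      = "example-kms-project-1234" # assumption
  org_id          = "123456789012"             # assumption
  billing_account = "000000-AAAAAA-BBBBBB"     # assumption
}

resource "google_project_service" "kms_api" {
  project = google_project.kms.project_id
  service = "cloudkms.googleapis.com"
}

resource "google_kms_key_ring" "key_ring" {
  project  = google_project.kms.project_id
  name     = "key-ring"
  location = "us-central1"

  depends_on = [google_project_service.kms_api]

  # Destroying this resource cannot remove the key ring from Cloud KMS;
  # refuse the plan so it is never silently dropped from state.
  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "crypto_key" {
  name     = "crypto-key"
  key_ring = google_kms_key_ring.key_ring.id
  purpose  = "ENCRYPT_DECRYPT"

  # Automatic rotation handled by Cloud KMS: a new primary key version is
  # created every 90 days. The value is seconds with an "s" suffix; the
  # service's minimum is one day (86400s).
  rotation_period = "7776000s"

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE"
  }

  lifecycle {
    prevent_destroy = true
  }
}

# Grant encrypt/decrypt on this one key only. Granting roles/cloudkms.admin
# on the project would also allow changing rotation and IAM on every key.
# The service account is an assumption.
resource "google_kms_crypto_key_iam_member" "app_encrypter" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:app@example-app-project.iam.gserviceaccount.com"
}
```

Two practical notes. First, prevent_destroy is what you want on a long-lived key project; for the throw-away pattern from the thread (create a KMS project for a test run, then delete the project) leave it off, because it makes terraform destroy fail on the key ring and key before it ever reaches the project. Second, because these objects outlive the state file, re-adopting a key ring or key that was removed from state is an import of its Cloud KMS resource name, for example `terraform import google_kms_key_ring.key_ring projects/example-kms-project-1234/locations/us-central1/keyRings/key-ring` and `terraform import google_kms_crypto_key.crypto_key projects/example-kms-project-1234/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key` (the assumed IDs from the block above), rather than an apply that would try to create a name that already exists.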
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
Hi everyone,
I was looking into using Terraform to create my next GCP project and I noticed that there are no resources for Google's KMS, which I use in most of my projects.
I was wondering if there was already a plan to add support for these resources. If not, I'd like to take a stab at submitting a PR to implement them (if there are no objections).
Relevant links: