
Please add "name" as an attribute to the data source: kms_crypto_key_version #9729

Closed
dgulli opened this issue Aug 5, 2021 · 3 comments · Fixed by GoogleCloudPlatform/magic-modules#5065, hashicorp/terraform-provider-google-beta#3500 or #9762


dgulli commented Aug 5, 2021

Hi, it would be great if we could get the key of "Name" for kms_crypto_key_version. The API supports it, but the Terraform data source does not. This would provide a full name (rather than an ID) such as projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*,
which in turn is needed for the new GCP CAS (formerly PrivateCA) when it asks for a KMS key version in the above expected path when using a CMEK.

Can't figure out another way to get this information dynamically.

This is currently affecting a customer's ability to roll out CAS.

  • data source: google_kms_crypto_key_version
  • resource: google_privateca_certificate_authority

Potential Terraform Configuration

#Sub-ca configuration
resource "google_privateca_certificate_authority" "subca" {
  location                 = var.region
  certificate_authority_id = var.caId
  pool                     = google_privateca_ca_pool.ca_pool.name
  config {
    x509_config {
      ca_options {
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          crl_sign  = true
          cert_sign = true
        }
        extended_key_usage {
          server_auth      = true
          client_auth      = true
          code_signing     = true
          email_protection = false
        }
      }
    }
    subject_config {
      subject {
        organization        = var.subjectOrg
        common_name         = var.subjectCn
        country_code        = var.subjectCc
        organizational_unit = var.subjectOu
        province            = var.subjectProvince
        locality            = var.subjectLocality
      }
    }
  }
  key_spec {
    cloud_kms_key_version = data.google_kms_crypto_key_version.keyVersion.name
  }
}

data "google_kms_crypto_key_version" "keyVersion" {
  crypto_key = google_kms_crypto_key.key.id
}

In the example above, key_spec expects to be pointed to a key version path, and by having name available, it presents the correct syntax needed by the CA service to successfully build. The current workaround is to manually set this as a variable after the key has been built on the first run through.

References

API: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions
Terraform: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_crypto_key_version

@sankit2020

Linked bug: https://b.corp.google.com/issues/195644022

@upodroid
Contributor

upodroid commented Aug 9, 2021

I have submitted a patch.

In the interim, the following should work:

// Create the key at the same time, or reference it with the data source above, and append /1 to the key's id.
  key_spec {
    cloud_kms_key_version = "${google_kms_crypto_key.key.id}/cryptoKeyVersions/1"
  }

@rileykarson Patching the data source won't actually be that helpful. There will still be a point in time where the cryptoKeyVersion is unknown in Terraform, especially if the CryptoKey and the CA are being created simultaneously, which is rather common.

The example of the OP requires two applies for it to work properly, unless you do the string interpolation hack at the top of my comment AND you didn't set skipInitialVersionCreation to true.

Right now, we are shortening the name of google_kms_crypto_key to avoid permadiffs, but the API returns the full self_link including the key version.

Is it worth repurposing the self_link field to actually return the full value, and reworking #8275?

 REDACTED  MCW0CDP3YY  ~  $  gcloud kms keys create terraform-9729 \
    --keyring terraform-9729 \
    --location global \
    --purpose "encryption" --project REDACTED --log-http
=======================
==== request start ====
uri: https://cloudkms.googleapis.com/v1/projects/REDACTED/locations/global/keyRings/terraform-9729/cryptoKeys?alt=json&cryptoKeyId=terraform-9729
method: POST
== headers start ==
b'X-Goog-User-Project': b'REDACTED'
b'accept': b'application/json'
b'accept-encoding': b'gzip, deflate'
b'authorization': --- Token Redacted ---
b'content-length': b'126'
b'content-type': b'application/json'
b'user-agent': b'google-cloud-sdk gcloud/340.0.0 command/gcloud.kms.keys.create invocation-id/d40d76939c7648e8add6a3352f76babe environment/None environment-version/None interactive/True from-script/False python/3.9.6 term/xterm-256color (Macintosh; Intel Mac OS X 20.5.0)'
== headers end ==
== body start ==
{"purpose": "ENCRYPT_DECRYPT", "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"}}
== body end ==
==== request end ====
---- response start ----
status: 200
-- headers start --
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: private
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Mon, 09 Aug 2021 20:46:10 GMT
Server: ESF
Transfer-Encoding: chunked
Vary: Origin, X-Origin, Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
-- headers end --
-- body start --
{
  "name": "projects/REDACTED/locations/global/keyRings/terraform-9729/cryptoKeys/terraform-9729",
  "primary": {
    "name": "projects/REDACTED/locations/global/keyRings/terraform-9729/cryptoKeys/terraform-9729/cryptoKeyVersions/1",
    "state": "ENABLED",
    "createTime": "2021-08-09T20:46:09.797581701Z",
    "protectionLevel": "SOFTWARE",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
    "generateTime": "2021-08-09T20:46:09.797581701Z"
  },
  "purpose": "ENCRYPT_DECRYPT",
  "createTime": "2021-08-09T20:46:09.797581701Z",
  "versionTemplate": {
    "protectionLevel": "SOFTWARE",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"
  },
  "destroyScheduledDuration": "86400s"
}

-- body end --
total round trip time (request+response): 0.688 secs
---- response end ----
----------------------
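The following is an added example, not configuration from this issue, from the provider, or from the gcloud log above. It wires the OP's CA-to-KMS reference and upodroid's interpolation workaround into one single-apply configuration. It assumes the provider fix that adds `name` to the google_kms_crypto_key_version data source has shipped; every other attribute used is one these resources already expose. The key ring, key, pool and CA names are constructed sample values, and the CA Service agent identity and the two roles granted to it are assumptions to verify against your project's IAM. Two points the thread's gcloud log does not make explicit: a CA key must be an asymmetric signing key (the log created the default ENCRYPT_DECRYPT key, which CA Service cannot use in key_spec), and skip_initial_version_creation must stay false or there is no cryptoKeyVersions/1 to point at on the first apply.

```hcl
# Added example, not code from the issue or the provider project. Assumes the
# data source exposes `name`; names below are constructed sample values.

data "google_project" "current" {}

resource "google_kms_key_ring" "ca" {
  name     = "ca-keyring"
  location = "us-central1"
}

# A CA key must be an asymmetric signing key. The gcloud log in the issue
# created an ENCRYPT_DECRYPT key, which CA Service rejects for key_spec.
resource "google_kms_crypto_key" "ca" {
  name     = "ca-signing-key"
  key_ring = google_kms_key_ring.ca.id
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    algorithm        = "EC_SIGN_P256_SHA256"
    protection_level = "HSM"
  }

  # Keep the default (false): with no initial version there is no
  # cryptoKeyVersions/1 on the first apply and CA creation fails.
  skip_initial_version_creation = false
}

# Assumed CA Service agent identity and roles (verify in IAM). Least privilege:
# the agent signs with and reads the key; it never administers it.
locals {
  ca_service_agent = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-privateca.iam.gserviceaccount.com"
}

resource "google_kms_crypto_key_iam_member" "ca_signer" {
  crypto_key_id = google_kms_crypto_key.ca.id
  role          = "roles/cloudkms.signerVerifier"
  member        = local.ca_service_agent
}

resource "google_kms_crypto_key_iam_member" "ca_viewer" {
  crypto_key_id = google_kms_crypto_key.ca.id
  role          = "roles/cloudkms.viewer"
  member        = local.ca_service_agent
}

# `version` defaults to 1, the version Cloud KMS creates with the key. Pinning
# it explicitly keeps a later rotation from silently re-pointing the CA.
data "google_kms_crypto_key_version" "ca" {
  crypto_key = google_kms_crypto_key.ca.id
  version    = 1
}

locals {
  # With the fix, the data source's `name` is the full
  # projects/.../cryptoKeyVersions/1 path the CA expects. Before the fix, the
  # fallback builds the same string; note it interpolates the key's `id`
  # (a string), not the whole resource object.
  ca_key_version          = data.google_kms_crypto_key_version.ca.name
  ca_key_version_fallback = "${google_kms_crypto_key.ca.id}/cryptoKeyVersions/1"
}

resource "google_privateca_ca_pool" "ca_pool" {
  name     = "ca-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "ca" {
  location                 = "us-central1"
  certificate_authority_id = "example-ca"
  pool                     = google_privateca_ca_pool.ca_pool.name

  config {
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
    subject_config {
      subject {
        organization = "Example Org"
        common_name  = "Example Internal CA"
      }
    }
  }

  key_spec {
    cloud_kms_key_version = local.ca_key_version
  }

  # The agent must be able to use the key before the CA first signs with it.
  depends_on = [
    google_kms_crypto_key_iam_member.ca_signer,
    google_kms_crypto_key_iam_member.ca_viewer,
  ]
}
```

On a provider without the fix, swap `local.ca_key_version` for `local.ca_key_version_fallback`; both resolve to the same cryptoKeyVersions/1 path, and because the key's `id` is known at plan time once the key is in the same configuration, the CA and key can be created in one apply.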

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2021