feat!: Restricting autokey module to autokey configuration use case #163
Conversation
nb-goog
changed the title
|
/gcbrun |
| @@ -0,0 +1,25 @@ | |||
| # Autokey Example | |||
|
|
|||
There was a problem hiding this comment.
Importing Autokey Key Handles Guidance will be impacted with this PR. The migrating instructions provided there won't work anymore.
Since the changes in this PR are totally removing the Key Handle creation responsibility from terraform-google-kms module, I would recommend deleting that guidance file, since it won't make sense to provide an importing path to a resource that the KMS terraform module won't be creating/managing anymore. (If we delete that, we should also delete the scripts folder)
There was a problem hiding this comment.
make sense, keeping this comment open till I have approval from all of you reviewers.
| @@ -0,0 +1,25 @@ | |||
| # Autokey Example | |||
|
|
|||
There was a problem hiding this comment.
We need to update the existing autokey tests in order to make CI test the changes implemented in this PR.
There was a problem hiding this comment.
Do you know how to run the test locally to verify its working?
There was a problem hiding this comment.
Basically, you need to run a terraform apply in test/setup, and then go test -v in test/integration/autokey_example.
Here's the blueprint-test doc part explaining with more details!
There was a problem hiding this comment.
FYI the CI is still failing due to this reason
There was a problem hiding this comment.
tested in local , the test are running fine. Will check the logs
nb-goog
changed the title
KMS has two personas
key admin should only focus on key management policies and setups AND shouldnt have access to kms keys created. The keyhandle creation and access to keys is for second persona (key users) thats why we are separating it out |
If the only motivation to cut Suggestion: we could turn To be more clear, the module's usage would be something like that: # Key admins usage example
module "autokey" {
source = "terraform-google-modules/kms/google//modules/autokey"
version = "3.1.0"
project_id = "project-bar"
autokey_configuration_folder = "123456789"
}
}
# Key users usage example
module "autokey" {
source = "terraform-google-modules/kms/google//modules/autokey"
version = "3.1.0"
autokey_handles = {
storage_bucket = {
name = "bucket-key-handle",
project = "project-foo",
resource_type_selector = "storage.googleapis.com/Bucket",
location = "us-central1"
},
compute_disk = {
name = "disk-key-handle",
project = "project-foo2",
resource_type_selector = "compute.googleapis.com/Disk",
location = "us-central1"
}
# It would be possible to create multiple Key Handles here, if desired.
}
}Some benefits of using the KMS module approach:
Let me know what you think about that! Thanks! |
|
/gcbrun |
|
/gcbrun |
examples/autokey-setup/main.tf
Outdated
| //source = "terraform-google-modules/kms/google//modules/autokey" | ||
| //version = "3.1.0" |
There was a problem hiding this comment.
We should remove this comment block.
There was a problem hiding this comment.
Which version shall i use here? I think i need the version generated after this pr merged right?
There was a problem hiding this comment.
You should keep it as source = "../../modules/autokey". It's correct, we just can update it with a version number after the PR is merged and the next release is cut.
My comment here was just to remove the comment block, deleting the unused code, not to uncomment. We can update it later when we have a release.
See this makes a lot more sense if Security admin and Key admin are the same person. Your suggestion makes sense but the expectation from the perspective of the personas are quite differnt. |
|
/gcbrun |
1 similar comment
|
/gcbrun |
|
/gcbrun |
In this PR,
2.1 for enabling autokey config on a project
2.2 for creating a bucket using autokey