From 852ac5ae7b99f5324bdacb3d3f4fe9d199c2aad6 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 14:09:15 +0530 Subject: [PATCH 01/16] Enabling autokey config setup in autokey submodule --- examples/autokey/autokey-setup/README.md | 28 +++++++++++ examples/autokey/autokey-setup/main.tf | 25 ++++++++++ examples/autokey/autokey-setup/outputs.tf | 20 ++++++++ .../autokey-setup}/variables.tf | 11 ++-- .../keyhandle-setup}/README.md | 2 +- examples/autokey/keyhandle-setup/main.tf | 50 +++++++++++++++++++ .../keyhandle-setup}/outputs.tf | 15 ++---- examples/autokey/keyhandle-setup/variables.tf | 35 +++++++++++++ examples/autokey_example/main.tf | 44 ---------------- modules/autokey/iam.tf | 10 +--- modules/autokey/main.tf | 26 +--------- modules/autokey/outputs.tf | 10 ---- modules/autokey/variables.tf | 20 +------- 13 files changed, 173 insertions(+), 123 deletions(-) create mode 100644 examples/autokey/autokey-setup/README.md create mode 100644 examples/autokey/autokey-setup/main.tf create mode 100644 examples/autokey/autokey-setup/outputs.tf rename examples/{autokey_example => autokey/autokey-setup}/variables.tf (60%) rename examples/{autokey_example => autokey/keyhandle-setup}/README.md (97%) create mode 100644 examples/autokey/keyhandle-setup/main.tf rename examples/{autokey_example => autokey/keyhandle-setup}/outputs.tf (65%) create mode 100644 examples/autokey/keyhandle-setup/variables.tf delete mode 100644 examples/autokey_example/main.tf diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey/autokey-setup/README.md new file mode 100644 index 0000000..ae1c0f4 --- /dev/null +++ b/examples/autokey/autokey-setup/README.md 
@@ -0,0 +1,28 @@ +# Autokey Example + +This example illustrates how to setup the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes | +| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | +| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| autokey\_config\_id | An Autokey configuration identifier. | +| autokey\_keyhandles | A map of KeyHandles created. | +| autokey\_project\_id | Project used for autokey. | + + + +To provision this example, run the following from within this directory: +- `terraform init` to get the plugins +- `terraform plan` to see the infrastructure plan +- `terraform apply` to apply the infrastructure build +- `terraform destroy` to destroy the built infrastructure diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf new file mode 100644 index 0000000..aa29ea5 --- /dev/null +++ b/examples/autokey/autokey-setup/main.tf 
@@ -0,0 +1,25 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "autokey" { + //source = "terraform-google-modules/kms/google//modules/autokey" + source = "../../../modules/autokey" + //version = "3.1.0" + + autokey_kms_project_id = var.kms_project_id + autokey_folder_number = var.folder_id +} + diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey/autokey-setup/outputs.tf new file mode 100644 index 0000000..9b36548 --- /dev/null +++ b/examples/autokey/autokey-setup/outputs.tf @@ -0,0 +1,20 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "autokey_config_id" { + description = "An Autokey configuration identifier." + value = module.autokey.autokey_config_id +} \ No newline at end of file 
diff --git a/examples/autokey_example/variables.tf b/examples/autokey/autokey-setup/variables.tf similarity index 60% rename from examples/autokey_example/variables.tf rename to examples/autokey/autokey-setup/variables.tf index 35a0fa5..b9d4496 100644 --- a/examples/autokey_example/variables.tf +++ b/examples/autokey/autokey-setup/variables.tf @@ -14,18 +14,13 @@ * limitations under the License. */ -variable "project_id" { - description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)." - type = string -} - -variable "autokey_resource_project_id" { - description = "The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK)." +variable "kms_project_id" { + description = "The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned." type = string } variable "folder_id" { type = string - description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." + description = "The ID of the folder for which to enable and configure Autokey. Required when using Autokey." } diff --git a/examples/autokey_example/README.md b/examples/autokey/keyhandle-setup/README.md similarity index 97% rename from examples/autokey_example/README.md rename to examples/autokey/keyhandle-setup/README.md index ddd2966..ed8dbff 100644 --- a/examples/autokey_example/README.md +++ b/examples/autokey/keyhandle-setup/README.md @@ -1,6 +1,6 @@ # Autokey Example -This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature. +This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create the bucket. ## Inputs diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/autokey/keyhandle-setup/main.tf new file mode 100644 index 0000000..4d87394 
--- /dev/null +++ b/examples/autokey/keyhandle-setup/main.tf @@ -0,0 +1,50 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + + +resource "random_string" "suffix" { + length = 4 + special = false + upper = false +} + +resource "google_kms_key_handle" "bucket_keyhandle" { + provider = google-beta + + project = var.resource_project_id + name = "${var.bucket_name_prefix}-${random_string.suffix.result}" + location = var.bucket_location + resource_type_selector = var.resource_type_selector + + lifecycle { + ignore_changes = [name] + } +} + +module "bucket" { + source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" + version = "8.0" + + name = "${var.bucket_name_prefix}-${random_string.suffix.result}" + project_id = var.resource_project_id + location = var.bucket_location + encryption = { + default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key + } + + depends_on = [resource.google_kms_key_handle.bucket_keyhandle] +} diff --git a/examples/autokey_example/outputs.tf b/examples/autokey/keyhandle-setup/outputs.tf similarity index 65% rename from examples/autokey_example/outputs.tf rename to examples/autokey/keyhandle-setup/outputs.tf index 45f188b..44870b5 100644 --- a/examples/autokey_example/outputs.tf +++ b/examples/autokey/keyhandle-setup/outputs.tf 
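Review bot: Nothing in this example ensures the folder's Autokey config and the KMS service agent's `roles/cloudkms.admin` grant (both provisioned by the separate autokey-setup example) exist before `google_kms_key_handle.bucket_keyhandle` is created, so a first apply against a project whose folder is not yet Autokey-enabled presumably fails at the KeyHandle; the README should state that autokey-setup must be applied first, that `resource_project_id` must live under that folder, and that the applying identity needs the Autokey user role on the resource project — confirm against the Autokey docs linked in the README. The explicit `depends_on = [resource.google_kms_key_handle.bucket_keyhandle]` on `module "bucket"` is redundant, since `default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key` already creates that dependency, and I would drop it. `ignore_changes = [name]` silently masks a changed `bucket_name_prefix` and deserves a why-comment, e.g. `# name is ignored after creation: a prefix change would otherwise replace the KeyHandle (and the CMEK behind it) under a live bucket`.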
@@ -14,17 +14,12 @@ * limitations under the License. */ -output "autokey_config_id" { +output "bucket_keyhandle" { description = "An Autokey configuration identifier." - value = module.autokey.autokey_config_id != null ? module.autokey.autokey_config_id : "" + value = resource.google_kms_key_handle.bucket_keyhandle } -output "autokey_keyhandles" { +output "bucket_name" { description = "A map of KeyHandles created." - value = module.autokey.autokey_keyhandles != null ? module.autokey.autokey_keyhandles : {} -} - -output "autokey_project_id" { - description = "Project used for autokey." - value = var.project_id -} + value = module.bucket.name +} \ No newline at end of file diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf new file mode 100644 index 0000000..ae76a44 --- /dev/null +++ b/examples/autokey/keyhandle-setup/variables.tf 
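Review bot: Both output descriptions are copy-paste leftovers: `bucket_keyhandle` is described as "An Autokey configuration identifier." and `bucket_name` as "A map of KeyHandles created.", and the generated README later in this series repeats them verbatim. Change them to `description = "The KeyHandle created for the bucket; its kms_key attribute is the Autokey-provisioned CryptoKey used as CMEK."` and `description = "Name of the bucket created with Autokey CMEK."`. Consider exporting only `resource.google_kms_key_handle.bucket_keyhandle.kms_key` rather than the whole resource object, since the key resource name is what a consumer actually needs.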
@@ -0,0 +1,35 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "resource_project_id" { + description = "The ID of the project in which to provision resources (bucket, persistent disk, etc)" + type = string +} + +variable "bucket_name_prefix" { + type = string + description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}" +} + +variable "resource_type_selector" { + type = string + description = "The resource type selector for bucket" +} + +variable "bucket_location" { + type = string + description = "The gcp location where storage bucket will be created" +} diff --git a/examples/autokey_example/main.tf b/examples/autokey_example/main.tf deleted file mode 100644 index bb95e2d..0000000 --- a/examples/autokey_example/main.tf +++ /dev/null 
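Review bot: `resource_type_selector` is accepted as any string although this example binds the KeyHandle to a Cloud Storage bucket, so a selector such as `compute.googleapis.com/Disk` would make Autokey provision a key intended for a different service and the bucket creation would presumably fail or end up with a mismatched CMEK — confirm the Storage-side behaviour. Give the variable a default of `storage.googleapis.com/Bucket` and a `validation` block that rejects anything else, as below; the same applies after the later rename to `bucket_resource_type_selector`. The description of `resource_project_id` still says "bucket, persistent disk, etc" although only a bucket is created here; trim it to `The ID of the project in which the bucket and its KeyHandle are created.`

```terraform
variable "resource_type_selector" {
  type        = string
  description = "The resource type selector for the bucket KeyHandle; only storage.googleapis.com/Bucket is valid in this example."
  default     = "storage.googleapis.com/Bucket"

  validation {
    condition     = var.resource_type_selector == "storage.googleapis.com/Bucket"
    error_message = "This example attaches the KeyHandle to a Cloud Storage bucket, so resource_type_selector must be storage.googleapis.com/Bucket."
  }
}
```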
@@ -1,44 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" - version = "3.1.0" - - project_id = var.project_id - autokey_folder_number = var.folder_id - autokey_handles = { - storage_bucket = { - name = "bucket-key-handle", - project = var.autokey_resource_project_id, - resource_type_selector = "storage.googleapis.com/Bucket", - location = "us-central1" - } - compute_disk = { - name = "disk-key-handle", - project = var.autokey_resource_project_id, - resource_type_selector = "compute.googleapis.com/Disk", - location = "us-central1" - } - bigquery_dataset = { - name = "dataset-key-handle", - project = var.autokey_resource_project_id, - resource_type_selector = "bigquery.googleapis.com/Dataset", - location = "us-central1" - } - } -} - diff --git a/modules/autokey/iam.tf b/modules/autokey/iam.tf index 29e9df6..da05c14 100644 --- a/modules/autokey/iam.tf +++ b/modules/autokey/iam.tf @@ -15,12 +15,11 @@ */ data "google_project" "kms_project" { - project_id = var.project_id + project_id = var.autokey_kms_project_id } #Create KMS Service Agent resource "google_project_service_identity" "kms_service_agent" { - count = var.autokey_handles != null ? 1 : 0 provider = google-beta service = "cloudkms.googleapis.com" 
@@ -29,18 +28,15 @@ resource "google_project_service_identity" "kms_service_agent" { # Wait delay after creating service agent. resource "time_sleep" "wait_service_agent" { - count = var.autokey_handles != null ? 1 : 0 - create_duration = "10s" depends_on = [google_project_service_identity.kms_service_agent] } #Grant the KMS Service Agent the Cloud KMS Admin role resource "google_project_iam_member" "autokey_project_admin" { - count = var.autokey_handles != null ? 1 : 0 provider = google-beta - project = var.project_id + project = var.autokey_kms_project_id role = "roles/cloudkms.admin" member = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com" depends_on = [time_sleep.wait_service_agent] @@ -48,8 +44,6 @@ resource "google_project_iam_member" "autokey_project_admin" { # Wait delay after granting IAM permissions resource "time_sleep" "wait_srv_acc_permissions" { - count = var.autokey_handles != null ? 1 : 0 - create_duration = "10s" depends_on = [google_project_iam_member.autokey_project_admin] } diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index f6d37ba..b5d4f61 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf 
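Review bot: `google_project_iam_member.autokey_project_admin` now unconditionally grants the Cloud KMS service agent `roles/cloudkms.admin` on the whole of `autokey_kms_project_id`, which is what Autokey needs but is project-wide: the agent can then administer every key ring and key in that project, not only Autokey-provisioned ones. Add a comment above the resource and a sentence in the module README, e.g. `# Autokey requires the Cloud KMS service agent to hold cloudkms.admin on the key project; keep this project dedicated to Autokey-managed keys so the grant does not also cover manually managed keys.` The `member` string is hand-built from the project number; `google_project_service_identity` exposes the agent's address, so `member = "serviceAccount:${google_project_service_identity.kms_service_agent.email}"` removes the duplicated address format and gives Terraform a real dependency on the agent in addition to the fixed 10s `time_sleep`, which is only an eventual-consistency guess. The resource's opening lines are outside the first hunk.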
@@ -18,27 +18,5 @@ resource "google_kms_autokey_config" "primary" { provider = google-beta folder = var.autokey_folder_number - key_project = "projects/${var.project_id}" -} - -resource "random_string" "suffix" { - length = 4 - special = false - upper = false -} - -resource "google_kms_key_handle" "primary" { - for_each = var.autokey_handles != null ? var.autokey_handles : tomap({}) - provider = google-beta - - project = each.value.project - name = "${each.value.name}-${random_string.suffix.result}" - location = each.value.location - resource_type_selector = each.value.resource_type_selector - - lifecycle { - ignore_changes = [name] - } - - depends_on = [time_sleep.wait_srv_acc_permissions] -} + key_project = "projects/${var.autokey_kms_project_id}" +} \ No newline at end of file diff --git a/modules/autokey/outputs.tf b/modules/autokey/outputs.tf index a198889..1c8e036 100644 --- a/modules/autokey/outputs.tf +++ b/modules/autokey/outputs.tf @@ -18,13 +18,3 @@ output "autokey_config_id" { description = "An Autokey configuration identifier." value = google_kms_autokey_config.primary.id } - -output "autokey_keyhandles" { - description = "A map of KeyHandles created." - value = var.autokey_handles != null ? google_kms_key_handle.primary : {} -} - -output "random_suffix" { - description = "Random 4 digits suffix used in Autokey submodule." - value = random_string.suffix.result -} diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 0fb78ad..04555e1 100644 --- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -14,8 +14,8 @@ * limitations under the License. */ -variable "project_id" { - description = "Project id where the Autokey configuration and KeyHandles will be created." +variable "autokey_kms_project_id" { + description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)." type = string } 
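Review bot: With the KeyHandle and its `depends_on = [time_sleep.wait_srv_acc_permissions]` removed from this file, nothing in the module depends on the IAM chain in iam.tf any more, so `google_kms_autokey_config.primary` can be created and the module can report success before the KMS service agent holds `roles/cloudkms.admin` on the key project, and the `time_sleep.wait_srv_acc_permissions` resource kept in iam.tf now orders nothing. Add `depends_on = [time_sleep.wait_srv_acc_permissions]` to the autokey config so that `autokey_config_id` still means "Autokey is ready to provision keys in this project". The resource block's opening line is outside the hunk.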
@@ -24,19 +24,3 @@ variable "autokey_folder_number" { description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." } -variable "autokey_handles" { - type = map(object({ - name = string - resource_type_selector = string - location = string - project = string - })) - description = <<-EOF - (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service. - - name: The resource name for the KeyHandle. - - resource_type_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services. - - location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list. - - project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used. - EOF - default = null -} From db065d1216bb5010f1f80a0c85f749058cc75571 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:27:35 +0530 Subject: [PATCH 02/16] updated comments --- examples/autokey/autokey-setup/main.tf | 5 ++--- modules/autokey/variables.tf | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf index aa29ea5..00f5908 100644 --- a/examples/autokey/autokey-setup/main.tf +++ b/examples/autokey/autokey-setup/main.tf @@ -15,9 +15,8 @@ */ module "autokey" { - //source = "terraform-google-modules/kms/google//modules/autokey" - source = "../../../modules/autokey" - //version = "3.1.0" + source = "terraform-google-modules/kms/google//modules/autokey" + version = "3.1.0" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id 
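Review bot: Dropping `autokey_handles` and renaming `project_id` to `autokey_kms_project_id` (together with the removed `autokey_keyhandles` and `random_suffix` outputs) is a breaking change to the submodule's interface: any consumer pinned at `~> 3.1` and passing `project_id` will fail to plan after upgrading. This needs a major version bump and an upgrade note in the module README explaining that KeyHandles are now created by the consumer, as the new bucket example does, and which outputs went away — I cannot see the repo's upgrade-guide convention from here, so confirm where that note belongs. A one-line pointer in the `autokey_kms_project_id` description, e.g. `Replaces the former project_id input.`, would help readers of the generated docs.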
diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 04555e1..79fa1b2 100644 --- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -15,12 +15,12 @@ */ variable "autokey_kms_project_id" { - description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)." + description = "The ID of the project in which to provision Autokey resources (autokey keyring and keys)." type = string } variable "autokey_folder_number" { type = string - description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." + description = "The folder number on which autokey will be configured. Required when using Autokey." } From 9ea551ab293f1e0853bd8d0aeaf2629ae54c3886 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:37:07 +0530 Subject: [PATCH 03/16] fmt change --- examples/autokey/autokey-setup/main.tf | 2 +- examples/autokey/keyhandle-setup/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf index 00f5908..67a932e 100644 --- a/examples/autokey/autokey-setup/main.tf +++ b/examples/autokey/autokey-setup/main.tf @@ -19,6 +19,6 @@ module "autokey" { version = "3.1.0" autokey_kms_project_id = var.kms_project_id - autokey_folder_number = var.folder_id + autokey_folder_number = var.folder_id } diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf index ae76a44..0419ad1 100644 --- a/examples/autokey/keyhandle-setup/variables.tf +++ b/examples/autokey/keyhandle-setup/variables.tf @@ -31,5 +31,5 @@ variable "resource_type_selector" { variable "bucket_location" { type = string - description = "The gcp location where storage bucket will be created" + description = "The gcp location where storage bucket will be created" } From 4444348fa18202d40bb7da849e3d20510df8aea5 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:46:35 +0530 Subject: [PATCH 04/16] fmt --- examples/autokey/keyhandle-setup/main.tf | 2 +- examples/autokey/keyhandle-setup/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/autokey/keyhandle-setup/main.tf index 4d87394..9728d9a 100644 --- a/examples/autokey/keyhandle-setup/main.tf +++ b/examples/autokey/keyhandle-setup/main.tf @@ -40,7 +40,7 @@ module "bucket" { version = "8.0" name = "${var.bucket_name_prefix}-${random_string.suffix.result}" - project_id = var.resource_project_id + project_id = var.resource_project_id location = var.bucket_location encryption = { default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf index 0419ad1..f6916d4 100644 --- a/examples/autokey/keyhandle-setup/variables.tf +++ b/examples/autokey/keyhandle-setup/variables.tf @@ -27,7 +27,7 @@ variable "bucket_name_prefix" { variable "resource_type_selector" { type = string description = "The resource type selector for bucket" -} +} variable "bucket_location" { type = string From d96d2dead04c15827c0f0010028b5f5b45632abe Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 12:25:34 +0000 Subject: [PATCH 05/16] updating readme.md --- examples/autokey/autokey-setup/README.md | 7 ++----- examples/autokey/keyhandle-setup/README.md | 12 ++++++------ modules/autokey/README.md | 7 ++----- 3 files changed, 10 insertions(+), 16 deletions(-) diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey/autokey-setup/README.md index ae1c0f4..12d7529 100644 --- a/examples/autokey/autokey-setup/README.md +++ b/examples/autokey/autokey-setup/README.md 
@@ -7,17 +7,14 @@ This example illustrates how to setup the `autokey` kms submodule for [KMS Autok | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes | -| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes | +| folder\_id | The ID of the folder for which to enable and configure Autokey. Required when using Autokey. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| autokey\_project\_id | Project used for autokey. | diff --git a/examples/autokey/keyhandle-setup/README.md b/examples/autokey/keyhandle-setup/README.md index ed8dbff..89adbc8 100644 --- a/examples/autokey/keyhandle-setup/README.md +++ b/examples/autokey/keyhandle-setup/README.md 
@@ -7,17 +7,17 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes | -| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes | +| bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | +| bucket\_name\_prefix | The storage bucket created will have name {bucket\_name\_prefix}-{random-suffix} | `string` | n/a | yes | +| resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | +| resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| autokey\_project\_id | Project used for autokey. | +| bucket\_keyhandle | An Autokey configuration identifier. | +| bucket\_name | A map of KeyHandles created. | diff --git a/modules/autokey/README.md b/modules/autokey/README.md index 772e8c0..5e4e6f7 100644 --- a/modules/autokey/README.md +++ b/modules/autokey/README.md 
@@ -7,16 +7,13 @@ This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/doc | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_folder\_number | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| autokey\_handles | (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service.
- name: The resource name for the KeyHandle.
- resource\_type\_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services.
- location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.
- project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used. |
map(object({
name = string
resource_type_selector = string
location = string
project = string
}))
| `null` | no | -| project\_id | Project id where the Autokey configuration and KeyHandles will be created. | `string` | n/a | yes | +| autokey\_folder\_number | The folder number on which autokey will be configured. Required when using Autokey. | `string` | n/a | yes | +| autokey\_kms\_project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keys). | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| random\_suffix | Random 4 digits suffix used in Autokey submodule. | From af032d99f9cc492764d18471f56397b9b6756e7a Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:59:06 +0530 Subject: [PATCH 06/16] fmt change --- examples/autokey/autokey-setup/outputs.tf | 2 +- examples/autokey/keyhandle-setup/outputs.tf | 2 +- modules/autokey/main.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey/autokey-setup/outputs.tf index 9b36548..6f5d206 100644 --- a/examples/autokey/autokey-setup/outputs.tf +++ b/examples/autokey/autokey-setup/outputs.tf @@ -17,4 +17,4 @@ output "autokey_config_id" { description = "An Autokey configuration identifier." value = module.autokey.autokey_config_id -} \ No newline at end of file +} diff --git a/examples/autokey/keyhandle-setup/outputs.tf b/examples/autokey/keyhandle-setup/outputs.tf index 44870b5..2a77391 100644 --- a/examples/autokey/keyhandle-setup/outputs.tf +++ b/examples/autokey/keyhandle-setup/outputs.tf @@ -22,4 +22,4 @@ output "bucket_keyhandle" { output "bucket_name" { description = "A map of KeyHandles created." value = module.bucket.name -} \ No newline at end of file +} diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index b5d4f61..1a8001f 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf 
@@ -19,4 +19,4 @@ resource "google_kms_autokey_config" "primary" { folder = var.autokey_folder_number key_project = "projects/${var.autokey_kms_project_id}" -} \ No newline at end of file +} From fb4bd3359015dc7411b7a082b48d32b1131901cb Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 12 Nov 2024 09:56:08 +0530 Subject: [PATCH 07/16] addressing review comments --- examples/{autokey => }/autokey-setup/README.md | 0 examples/{autokey => }/autokey-setup/main.tf | 0 examples/{autokey => }/autokey-setup/outputs.tf | 0 examples/{autokey => }/autokey-setup/variables.tf | 4 ++-- .../keyhandle-setup => bucket-setup-using-autokey}/README.md | 0 .../keyhandle-setup => bucket-setup-using-autokey}/main.tf | 0 .../keyhandle-setup => bucket-setup-using-autokey}/outputs.tf | 0 .../variables.tf | 0 modules/autokey/variables.tf | 4 ++-- 9 files changed, 4 insertions(+), 4 deletions(-) rename examples/{autokey => }/autokey-setup/README.md (100%) rename examples/{autokey => }/autokey-setup/main.tf (100%) rename examples/{autokey => }/autokey-setup/outputs.tf (100%) rename examples/{autokey => }/autokey-setup/variables.tf (74%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/README.md (100%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/main.tf (100%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/outputs.tf (100%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/variables.tf (100%) diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey-setup/README.md similarity index 100% rename from examples/autokey/autokey-setup/README.md rename to examples/autokey-setup/README.md diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey-setup/main.tf similarity index 100% rename from examples/autokey/autokey-setup/main.tf rename to examples/autokey-setup/main.tf 
diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey-setup/outputs.tf similarity index 100% rename from examples/autokey/autokey-setup/outputs.tf rename to examples/autokey-setup/outputs.tf diff --git a/examples/autokey/autokey-setup/variables.tf b/examples/autokey-setup/variables.tf similarity index 74% rename from examples/autokey/autokey-setup/variables.tf rename to examples/autokey-setup/variables.tf index b9d4496..8639df6 100644 --- a/examples/autokey/autokey-setup/variables.tf +++ b/examples/autokey-setup/variables.tf @@ -15,12 +15,12 @@ */ variable "kms_project_id" { - description = "The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned." + description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." type = string } variable "folder_id" { type = string - description = "The ID of the folder for which to enable and configure Autokey. Required when using Autokey." + description = "The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey." } diff --git a/examples/autokey/keyhandle-setup/README.md b/examples/bucket-setup-using-autokey/README.md similarity index 100% rename from examples/autokey/keyhandle-setup/README.md rename to examples/bucket-setup-using-autokey/README.md diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/bucket-setup-using-autokey/main.tf similarity index 100% rename from examples/autokey/keyhandle-setup/main.tf rename to examples/bucket-setup-using-autokey/main.tf diff --git a/examples/autokey/keyhandle-setup/outputs.tf b/examples/bucket-setup-using-autokey/outputs.tf similarity index 100% rename from examples/autokey/keyhandle-setup/outputs.tf rename to examples/bucket-setup-using-autokey/outputs.tf 
diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/bucket-setup-using-autokey/variables.tf similarity index 100% rename from examples/autokey/keyhandle-setup/variables.tf rename to examples/bucket-setup-using-autokey/variables.tf diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 79fa1b2..0593f66 100644 --- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -15,12 +15,12 @@ */ variable "autokey_kms_project_id" { - description = "The ID of the project in which to provision Autokey resources (autokey keyring and keys)." + description = "The ID of the project in which kms keyrings and keys will be provisioned by the Autokey." type = string } variable "autokey_folder_number" { type = string - description = "The folder number on which autokey will be configured. Required when using Autokey." + description = "The folder number on which autokey will be configured and enabled. Required when using Autokey." } From 19e7be416ebb68499604002c9c7c0cd9752947d4 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 12 Nov 2024 04:27:22 +0000 Subject: [PATCH 08/16] fmt --- examples/autokey-setup/README.md | 4 ++-- modules/autokey/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/autokey-setup/README.md b/examples/autokey-setup/README.md index 12d7529..649b248 100644 --- a/examples/autokey-setup/README.md +++ b/examples/autokey-setup/README.md 
@@ -7,8 +7,8 @@ This example illustrates how to setup the `autokey` kms submodule for [KMS Autok | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| folder\_id | The ID of the folder for which to enable and configure Autokey. Required when using Autokey. | `string` | n/a | yes | -| kms\_project\_id | The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned. | `string` | n/a | yes | +| folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | ## Outputs diff --git a/modules/autokey/README.md b/modules/autokey/README.md index 5e4e6f7..bd18d0a 100644 --- a/modules/autokey/README.md +++ b/modules/autokey/README.md @@ -7,8 +7,8 @@ This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/doc | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_folder\_number | The folder number on which autokey will be configured. Required when using Autokey. | `string` | n/a | yes | -| autokey\_kms\_project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keys). | `string` | n/a | yes | +| autokey\_folder\_number | The folder number on which autokey will be configured and enabled. Required when using Autokey. | `string` | n/a | yes | +| autokey\_kms\_project\_id | The ID of the project in which kms keyrings and keys will be provisioned by the Autokey. | `string` | n/a | yes | ## Outputs From 6de0c29a38ab8c5f6bd84a29e28cc41a330e1286 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Mon, 18 Nov 2024 18:55:06 +0530 Subject: [PATCH 09/16] correcting tests --- examples/autokey-setup/main.tf | 5 +++-- examples/bucket-setup-using-autokey/main.tf | 2 +- .../bucket-setup-using-autokey/variables.tf | 2 +- test/setup/outputs.tf | 18 +++++++++++++++--- 4 files changed, 20 insertions(+), 7 deletions(-) diff --git a/examples/autokey-setup/main.tf b/examples/autokey-setup/main.tf index 67a932e..c0b86eb 100644 --- a/examples/autokey-setup/main.tf +++ b/examples/autokey-setup/main.tf @@ -15,8 +15,9 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" - version = "3.1.0" + //source = "terraform-google-modules/kms/google//modules/autokey" + //version = "3.1.0" + source = "../../modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket-setup-using-autokey/main.tf b/examples/bucket-setup-using-autokey/main.tf index 9728d9a..47ce2ff 100644 --- a/examples/bucket-setup-using-autokey/main.tf +++ b/examples/bucket-setup-using-autokey/main.tf @@ -28,7 +28,7 @@ resource "google_kms_key_handle" "bucket_keyhandle" { project = var.resource_project_id name = "${var.bucket_name_prefix}-${random_string.suffix.result}" location = var.bucket_location - resource_type_selector = var.resource_type_selector + resource_type_selector = var.bucket_resource_type_selector lifecycle { ignore_changes = [name] diff --git a/examples/bucket-setup-using-autokey/variables.tf b/examples/bucket-setup-using-autokey/variables.tf index f6916d4..697bbf1 100644 --- a/examples/bucket-setup-using-autokey/variables.tf +++ b/examples/bucket-setup-using-autokey/variables.tf @@ -24,7 +24,7 @@ variable "bucket_name_prefix" { description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}" } -variable "resource_type_selector" { +variable "bucket_resource_type_selector" { type = string description = "The resource type selector for bucket" } 
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 63f42bc..06d0395 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -14,18 +14,30 @@ * limitations under the License. */ -output "project_id" { +output "kms_project_id" { value = module.project_ci_kms.project_id } -output "autokey_resource_project_id" { +output "resource_project_id" { value = module.autokey_resource_project.project_id } -output "autokey_resource_project_number" { +output "resource_project_number" { value = module.autokey_resource_project.project_number } +output "bucket_name_prefix" { + value = "ci-kms-bucket" +} + +output "bucket_resource_type_selector" { + value = "storage.googleapis.com/Bucket" +} + +output "bucket_location" { + value = "us-central1" +} + output "sa_key" { value = google_service_account_key.int_test.private_key sensitive = true From 74789dbcde78d696b8d7fff857787c4ca62ebf04 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 18 Nov 2024 13:36:43 +0000 Subject: [PATCH 10/16] fmt --- examples/bucket-setup-using-autokey/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/bucket-setup-using-autokey/README.md b/examples/bucket-setup-using-autokey/README.md index 89adbc8..57b5f37 100644 --- a/examples/bucket-setup-using-autokey/README.md +++ b/examples/bucket-setup-using-autokey/README.md 
@@ -9,8 +9,8 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey |------|-------------|------|---------|:--------:| | bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | | bucket\_name\_prefix | The storage bucket created will have name {bucket\_name\_prefix}-{random-suffix} | `string` | n/a | yes | +| bucket\_resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | | resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | -| resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | ## Outputs From a220f6293467e7bc92ecfaa94070173894a12296 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 12:18:55 +0530 Subject: [PATCH 11/16] renaming dir and updating test --- .../README.md | 0 .../{autokey-setup => autokey_setup}/main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../README.md | 0 .../main.tf | 4 +- .../outputs.tf | 0 .../variables.tf | 10 --- .../autokey_setup/autokey_setup_test.go | 72 +++++++++++++++++++ .../bucket_setup_using_autokey_test.go} | 4 +- test/setup/outputs.tf | 12 ---- 11 files changed, 76 insertions(+), 26 deletions(-) rename examples/{autokey-setup => autokey_setup}/README.md (100%) rename examples/{autokey-setup => autokey_setup}/main.tf (100%) rename examples/{autokey-setup => autokey_setup}/outputs.tf (100%) rename examples/{autokey-setup => autokey_setup}/variables.tf (100%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/README.md (100%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/main.tf (89%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/outputs.tf (100%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/variables.tf (75%) create mode 100755 test/integration/autokey_setup/autokey_setup_test.go rename test/integration/{autokey_example/autokey_example_test.go => bucket_setup_using_autokey/bucket_setup_using_autokey_test.go} (94%) diff --git a/examples/autokey-setup/README.md b/examples/autokey_setup/README.md similarity index 100% rename from examples/autokey-setup/README.md rename to examples/autokey_setup/README.md diff --git a/examples/autokey-setup/main.tf b/examples/autokey_setup/main.tf similarity index 100% rename from examples/autokey-setup/main.tf rename to examples/autokey_setup/main.tf diff --git a/examples/autokey-setup/outputs.tf b/examples/autokey_setup/outputs.tf similarity index 100% rename from examples/autokey-setup/outputs.tf rename to examples/autokey_setup/outputs.tf 
diff --git a/examples/autokey-setup/variables.tf b/examples/autokey_setup/variables.tf similarity index 100% rename from examples/autokey-setup/variables.tf rename to examples/autokey_setup/variables.tf diff --git a/examples/bucket-setup-using-autokey/README.md b/examples/bucket_setup_using_autokey/README.md similarity index 100% rename from examples/bucket-setup-using-autokey/README.md rename to examples/bucket_setup_using_autokey/README.md diff --git a/examples/bucket-setup-using-autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf similarity index 89% rename from examples/bucket-setup-using-autokey/main.tf rename to examples/bucket_setup_using_autokey/main.tf index 47ce2ff..6834b9b 100644 --- a/examples/bucket-setup-using-autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -26,9 +26,9 @@ resource "google_kms_key_handle" "bucket_keyhandle" { provider = google-beta project = var.resource_project_id - name = "${var.bucket_name_prefix}-${random_string.suffix.result}" + name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" location = var.bucket_location - resource_type_selector = var.bucket_resource_type_selector + resource_type_selector = "storage.googleapis.com/Bucket" lifecycle { ignore_changes = [name] diff --git a/examples/bucket-setup-using-autokey/outputs.tf b/examples/bucket_setup_using_autokey/outputs.tf similarity index 100% rename from examples/bucket-setup-using-autokey/outputs.tf rename to examples/bucket_setup_using_autokey/outputs.tf diff --git a/examples/bucket-setup-using-autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf similarity index 75% rename from examples/bucket-setup-using-autokey/variables.tf rename to examples/bucket_setup_using_autokey/variables.tf index 697bbf1..e3e8846 100644 --- a/examples/bucket-setup-using-autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf 
@@ -19,16 +19,6 @@ variable "resource_project_id" { type = string } -variable "bucket_name_prefix" { - type = string - description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}" -} - -variable "bucket_resource_type_selector" { - type = string - description = "The resource type selector for bucket" -} - variable "bucket_location" { type = string description = "The gcp location where storage bucket will be created" diff --git a/test/integration/autokey_setup/autokey_setup_test.go b/test/integration/autokey_setup/autokey_setup_test.go new file mode 100755 index 0000000..e69e208 --- /dev/null +++ b/test/integration/autokey_setup/autokey_setup_test.go 
@@ -0,0 +1,72 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package autokey_example
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "regexp"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
+ "github.com/stretchr/testify/assert"
+ "golang.org/x/oauth2/google"
+)
+
+func validateKeyHandleVersion(input string, projectId string, autokeyResource string) bool {
+ pattern := fmt.Sprintf(`^projects/%s/locations/us-central1/keyRings/autokey/cryptoKeys/%s-(bigquery-dataset|compute-disk|storage-bucket)-.*?/cryptoKeyVersions/1$`, projectId, autokeyResource)
+ regex := regexp.MustCompile(pattern)
+ return regex.MatchString(input)
+}
+
+func TestAutokeyExample(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t)
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ bpt.DefaultVerify(assert)
+
+ kmsProjectId := bpt.GetStringOutput("kms_project_id")
+ autokeyConfig := bpt.GetStringOutput("autokey_config_id")
+
+ // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API.
+ autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig) + + httpClient, err := google.DefaultClient(context.Background(), "https://www.googleapis.com/auth/cloud-platform") + + if err != nil { + t.Fatal(err.Error()) + } + + resp, err := httpClient.Get(autokeyConfigUrl) + if err != nil { + t.Fatal(err.Error()) + } + + defer resp.Body.Close() + body, err := io.ReadAll(resp.Body) + if err != nil { + t.Fatal(err.Error()) + } + + result := utils.ParseJSONResult(t, string(body)) + + // Asserting if Autokey configuration was enabled with correct kms project id + autokeyConfigProject := result.Get("keyProject").String() + assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", kmsProjectId), "autokey expected for project %s", kmsProjectId) + }) + + bpt.Test() +} diff --git a/test/integration/autokey_example/autokey_example_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go similarity index 94% rename from test/integration/autokey_example/autokey_example_test.go rename to test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go index b793bda..46d8da8 100755 --- a/test/integration/autokey_example/autokey_example_test.go +++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go @@ -41,7 +41,7 @@ func TestAutokeyExample(t *testing.T) { projectId := bpt.GetStringOutput("autokey_project_id") autokeyConfig := bpt.GetStringOutput("autokey_config_id") - autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("autokey_resource_project_number") + autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("resource_project_number") // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API. autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig) 
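Review bot: The body returned by `httpClient.Get(autokeyConfigUrl)` is parsed without checking `resp.StatusCode`, so a 403 (test service account lacking the Autokey config get permission) or 404 (no config on the folder) yields an empty `keyProject` and the test fails with a misleading "autokey expected for project" message instead of the API error. Add `if resp.StatusCode != http.StatusOK { t.Fatalf("GET %s: status %d: %s", autokeyConfigUrl, resp.StatusCode, body) }` right after `io.ReadAll` (importing `net/http`), and consider requesting the narrower `https://www.googleapis.com/auth/cloudkms` scope from `google.DefaultClient` since only the KMS API is called. Two smaller points on the same file: `validateKeyHandleVersion` is never called and hard-codes `us-central1`, and the package is named `autokey_example` while the directory is `autokey_setup`. `assert.Equal` takes (expected, actual), so the two arguments are reversed and failure output will label them the wrong way round.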
@@ -65,7 +65,7 @@ func TestAutokeyExample(t *testing.T) { result := utils.ParseJSONResult(t, string(body)) - // Asserting if Autokey configuration was created + // Asserting if Autokey configuration was enabled with correct kms project id autokeyConfigProject := result.Get("keyProject").String() assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", projectId), "autokey expected for project %s", projectId) diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 06d0395..2ed4ad5 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -26,18 +26,6 @@ output "resource_project_number" { value = module.autokey_resource_project.project_number } -output "bucket_name_prefix" { - value = "ci-kms-bucket" -} - -output "bucket_resource_type_selector" { - value = "storage.googleapis.com/Bucket" -} - -output "bucket_location" { - value = "us-central1" -} - output "sa_key" { value = google_service_account_key.int_test.private_key sensitive = true From 1174f5a712029b6d689102db8db39773ddaf37de Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 12:41:30 +0530 Subject: [PATCH 12/16] compile time error resolution --- examples/autokey_setup/main.tf | 5 ++--- examples/bucket_setup_using_autokey/main.tf | 9 +++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index c0b86eb..67a932e 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,9 +15,8 @@ */ module "autokey" { - //source = "terraform-google-modules/kms/google//modules/autokey" - //version = "3.1.0" - source = "../../modules/autokey" + source = "terraform-google-modules/kms/google//modules/autokey" + version = "3.1.0" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 6834b9b..20fa6c9 100644 
--- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -14,7 +14,13 @@ * limitations under the License. */ +module "autokey" { + source = "terraform-google-modules/kms/google//modules/autokey" + version = "3.1.0" + autokey_kms_project_id = var.kms_project_id + autokey_folder_number = var.folder_id +} resource "random_string" "suffix" { length = 4 @@ -26,7 +32,6 @@ resource "google_kms_key_handle" "bucket_keyhandle" { provider = google-beta project = var.resource_project_id - name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" location = var.bucket_location resource_type_selector = "storage.googleapis.com/Bucket" @@ -39,7 +44,7 @@ module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "8.0" - name = "${var.bucket_name_prefix}-${random_string.suffix.result}" + name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" project_id = var.resource_project_id location = var.bucket_location encryption = { From d63ea27880cb2f9379e99cad9250b0dea9367763 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 13:02:00 +0530 Subject: [PATCH 13/16] fmt --- examples/bucket_setup_using_autokey/main.tf | 8 ++++---- examples/bucket_setup_using_autokey/variables.tf | 10 ++++++++++ 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 20fa6c9..bf99805 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf 
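Review bot: Adding `module "autokey"` to the bucket example makes a per-resource example own a folder-scoped setting: if, as its `autokey_folder_number` input suggests, the module creates the folder's Autokey config, then applying this example and `examples/autokey_setup` against the same `folder_id` from two states will fight over that single object, and `terraform destroy` of the bucket example would disable Autokey for every project under the folder, not just this bucket. Either keep the enablement in `autokey_setup` and have this example consume an already-configured folder, or document the blast radius above the module block, e.g. `# NOTE: this also enables Autokey on var.folder_id; destroying this example disables it for the whole folder.` The module's own resources and IAM grants are outside this hunk, so the exact scope cannot be confirmed here.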
@@ -29,11 +29,11 @@ resource "random_string" "suffix" { } resource "google_kms_key_handle" "bucket_keyhandle" { - provider = google-beta - + provider = google-beta + name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" project = var.resource_project_id location = var.bucket_location - resource_type_selector = "storage.googleapis.com/Bucket" + resource_type_selector = "storage.googleapis.com/Bucket" lifecycle { ignore_changes = [name] @@ -44,7 +44,7 @@ module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "8.0" - name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" + name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" project_id = var.resource_project_id location = var.bucket_location encryption = { diff --git a/examples/bucket_setup_using_autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf index e3e8846..5242672 100644 --- a/examples/bucket_setup_using_autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf @@ -14,6 +14,16 @@ * limitations under the License. */ +variable "kms_project_id" { + description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." + type = string +} + +variable "folder_id" { + type = string + description = "The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey." +} + variable "resource_project_id" { description = "The ID of the project in which to provision resources (bucket, persistent disk, etc)" type = string From 98715b317d579abf34a6cea2b796686df15e475b Mon Sep 17 00:00:00 2001 
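Review bot: The bucket name `"${var.resource_project_id}-bucket-${random_string.suffix.result}"` lives in the global, publicly enumerable GCS namespace and must be lowercase, but only `length = 4` of `random_string.suffix` is visible in an earlier hunk; unless that resource also sets `upper = false` and `special = false`, apply can fail on an invalid name, and a four-character suffix leaves little headroom against collisions or squatting on a predictable `<project>-bucket-` prefix. Consider `length = 8` with `upper = false` and `special = false`, and a comment such as `# bucket names are global and lowercase-only; suffix must stay lowercase alphanumeric`. The key-handle name on the same lines has no such constraint, so it can keep the shared suffix.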
From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 12:54:44 +0000 Subject: [PATCH 14/16] correcting the test --- examples/autokey_setup/main.tf | 3 +-- examples/bucket_setup_using_autokey/README.md | 4 ++-- examples/bucket_setup_using_autokey/main.tf | 3 +-- examples/import_only_example/main.tf | 2 +- 4 files changed, 5 insertions(+), 7 deletions(-) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index 67a932e..d5dbc4b 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,8 +15,7 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" - version = "3.1.0" + source = "./../..//modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket_setup_using_autokey/README.md b/examples/bucket_setup_using_autokey/README.md index 57b5f37..24a5ed8 100644 --- a/examples/bucket_setup_using_autokey/README.md +++ b/examples/bucket_setup_using_autokey/README.md @@ -8,8 +8,8 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | -| bucket\_name\_prefix | The storage bucket created will have name {bucket\_name\_prefix}-{random-suffix} | `string` | n/a | yes | -| bucket\_resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | +| folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | | resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | ## Outputs 
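Review bot: The new `source = "./../..//modules/autokey"` mixes a local relative path with the `//` sub-directory separator Terraform uses for registry and git sources; the conventional local reference is `source = "../../modules/autokey"`. It probably resolves because local paths are cleaned, but the odd form invites a later "fix" to a remote source. Switching the example from the pinned registry `3.1.0` to the in-repo module is the right call for CI, since it makes the tests exercise the code under review.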
diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index bf99805..c4cc9f0 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -15,8 +15,7 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" - version = "3.1.0" + source = "./../..//modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/import_only_example/main.tf b/examples/import_only_example/main.tf index f0a7745..969ee13 100644 --- a/examples/import_only_example/main.tf +++ b/examples/import_only_example/main.tf @@ -21,7 +21,7 @@ resource "random_pet" "main" { } module "kms" { - source = "../.." + source = "nb-goog/kms/google" project_id = var.project_id keyring = random_pet.main.id From 9adbeca513b23d84160ca034d32596f45e56ed09 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 13:00:14 +0000 Subject: [PATCH 15/16] correcting import key exa --- examples/import_only_example/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/import_only_example/main.tf b/examples/import_only_example/main.tf index 969ee13..f0a7745 100644 --- a/examples/import_only_example/main.tf +++ b/examples/import_only_example/main.tf @@ -21,7 +21,7 @@ resource "random_pet" "main" { } module "kms" { - source = "nb-goog/kms/google" + source = "../.." project_id = var.project_id keyring = random_pet.main.id From 0076c7ac674362d4df75c1461b639ba7f58431d2 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 14:36:11 +0000 Subject: [PATCH 16/16] correcting variables --- examples/bucket_setup_using_autokey/README.md | 2 +- examples/bucket_setup_using_autokey/variables.tf | 1 + test/setup/outputs.tf | 4 ++++ 3 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/examples/bucket_setup_using_autokey/README.md b/examples/bucket_setup_using_autokey/README.md index 24a5ed8..ad90643 100644 --- a/examples/bucket_setup_using_autokey/README.md +++ b/examples/bucket_setup_using_autokey/README.md @@ -7,7 +7,7 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | +| bucket\_location | The gcp location where storage bucket will be created | `string` | `"us-central1"` | no | | folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | | kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | | resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | diff --git a/examples/bucket_setup_using_autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf index 5242672..cc02c2a 100644 --- a/examples/bucket_setup_using_autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf @@ -32,4 +32,5 @@ variable "resource_project_id" { variable "bucket_location" { type = string description = "The gcp location where storage bucket will be created" + default = "us-central1" } diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 2ed4ad5..5bf5c7a 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -18,6 +18,10 @@ output "kms_project_id" { value = module.project_ci_kms.project_id } +output "project_id" { + value = module.project_ci_kms.project_id +} + output "resource_project_id" { value = module.autokey_resource_project.project_id }
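Review bot: The new `output "project_id"` returns exactly the value of `kms_project_id` declared a few lines above with nothing saying why both exist, so the next maintainer cannot tell which consumer depends on which name and may delete one. Add a comment on the new block, e.g. `# Alias of kms_project_id; kept for consumers that still read "project_id" (confirm which before removing).` Separately, the `bucket_location` default of `us-central1` added in variables.tf matches the location hard-coded in the Go test regex, so the two should be kept in step or the test should read the location from an output.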