Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: Restricting autokey module to autokey configuration use case #163

Merged
merged 39 commits into from
Dec 31, 2024
Merged

feat!: Restricting autokey module to autokey configuration use case #163

merged 39 commits into from
Dec 31, 2024

Conversation

nb-goog
Copy link
Contributor

@nb-goog nb-goog commented Nov 11, 2024

In this PR,

  1. Restricting autokey module function to only configure and enable autokey on an input folder number. Deleted configuration responsible for creating keyhandle from the input map.
  2. Added two examples
    2.1 for enabling autokey config on a project
    2.2 for creating a bucket using autokey

@nb-goog nb-goog requested a review from a team as a code owner November 11, 2024 12:00
@nb-goog nb-goog changed the title Restricting autokey module to autokey configuration use case feat: Restricting autokey module to autokey configuration use case Nov 11, 2024
@romanini-ciandt
Copy link
Member

/gcbrun

romanini-ciandt
romanini-ciandt reviewed Nov 11, 2024
View reviewed changes
Copy link
Member

@romanini-ciandt romanini-ciandt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for my own understanding, why is it better to keep google_kms_key_handle resource outside the terraform-google-kms module scope?

examples/autokey/autokey-setup/README.md Outdated Show resolved Hide resolved
examples/autokey/autokey-setup/README.md Outdated Show resolved Hide resolved
examples/autokey/autokey-setup/README.md Outdated Show resolved Hide resolved
examples/autokey/autokey-setup/README.md Outdated Show resolved Hide resolved
@nb-goog nb-goog changed the title feat: Restricting autokey module to autokey configuration use case feat!: Restricting autokey module to autokey configuration use case Nov 12, 2024
@nb-goog
Copy link
Contributor Author

nb-goog commented Nov 12, 2024

Just for my own understanding, why is it better to keep google_kms_key_handle resource outside the terraform-google-kms module scope?

KMS has two personas

  1. key admin
  2. Key users (developers, etc

key admin should only focus on key management policies and setups AND shouldnt have access to kms keys created.

The keyhandle creation and access to keys is for second persona (key users) thats why we are separating it out

@romanini-ciandt
Copy link
Member

Just for my own understanding, why is it better to keep google_kms_key_handle resource outside the terraform-google-kms module scope?

KMS has two personas

  1. key admin
  2. Key users (developers, etc

key admin should only focus on key management policies and setups AND shouldnt have access to kms keys created.

The keyhandle creation and access to keys is for second persona (key users) thats why we are separating it out

If the only motivation to cut google_kms_key_handle from KMS module is to handle the different personas, how about we implement a change that would accommodate that capability while still keep the benefits of the module?

Suggestion: we could turn google_kms_autokey_config creation optional when using autokey's submodule. google_kms_key_handle is already optional, based on user inputs. That way, key admins could use autokey's submodule passing the desired inputs to create just the Autokey Configuration, while key users could also use autokey's submodule but passing different inputs in order to just create the Key Handle.

To be more clear, the module's usage would be something like that:

# Key admins usage example
module "autokey" {
  source  = "terraform-google-modules/kms/google//modules/autokey"
  version = "3.1.0"

  project_id            = "project-bar"
  autokey_configuration_folder = "123456789"
  }
}

# Key users usage example
module "autokey" {
  source  = "terraform-google-modules/kms/google//modules/autokey"
  version = "3.1.0"

  autokey_handles = {
    storage_bucket = {
      name                   = "bucket-key-handle",
      project                = "project-foo",
      resource_type_selector = "storage.googleapis.com/Bucket",
      location               = "us-central1"
    },
    compute_disk = {
          name                   = "disk-key-handle",
          project                = "project-foo2",
          resource_type_selector = "compute.googleapis.com/Disk",
          location               = "us-central1"
    }
   # It would be possible to create multiple Key Handles here, if desired.
  }
}

Some benefits of using the KMS module approach:

  • Customers (key users) could create multiple Key Handles using a single terraform module call;
  • By using modules, customers could take leverage from "version", bringing more stability to their environments;
  • We can keep the instructions that would help customers to migrate from the old autokey module to this one;
  • We provide an opinionated way for customers to interact with terraform resources using a module, like most of the Google services have;

Let me know what you think about that!
Also, I'm available to implement this proposed change, if you think it's a good idea.

Thanks!

@romanini-ciandt
Copy link
Member

/gcbrun

@romanini-ciandt
Copy link
Member

/gcbrun

@nb-goog
Copy link
Contributor Author

nb-goog commented Nov 19, 2024

Just for my own understanding, why is it better to keep google_kms_key_handle resource outside the terraform-google-kms module scope?

KMS has two personas

  1. key admin
  2. Key users (developers, etc

key admin should only focus on key management policies and setups AND shouldnt have access to kms keys created.
The keyhandle creation and access to keys is for second persona (key users) thats why we are separating it out

If the only motivation to cut google_kms_key_handle from KMS module is to handle the different personas, how about we implement a change that would accommodate that capability while still keep the benefits of the module?

Suggestion: we could turn google_kms_autokey_config creation optional when using autokey's submodule. google_kms_key_handle is already optional, based on user inputs. That way, key admins could use autokey's submodule passing the desired inputs to create just the Autokey Configuration, while key users could also use autokey's submodule but passing different inputs in order to just create the Key Handle.

To be more clear, the module's usage would be something like that:

# Key admins usage example
module "autokey" {
  source  = "terraform-google-modules/kms/google//modules/autokey"
  version = "3.1.0"

  project_id            = "project-bar"
  autokey_configuration_folder = "123456789"
  }
}

# Key users usage example
module "autokey" {
  source  = "terraform-google-modules/kms/google//modules/autokey"
  version = "3.1.0"

  autokey_handles = {
    storage_bucket = {
      name                   = "bucket-key-handle",
      project                = "project-foo",
      resource_type_selector = "storage.googleapis.com/Bucket",
      location               = "us-central1"
    },
    compute_disk = {
          name                   = "disk-key-handle",
          project                = "project-foo2",
          resource_type_selector = "compute.googleapis.com/Disk",
          location               = "us-central1"
    }
   # It would be possible to create multiple Key Handles here, if desired.
  }
}

Some benefits of using the KMS module approach:

  • Customers (key users) could create multiple Key Handles using a single terraform module call;
  • By using modules, customers could take leverage from "version", bringing more stability to their environments;
  • We can keep the instructions that would help customers to migrate from the old autokey module to this one;
  • We provide an opinionated way for customers to interact with terraform resources using a module, like most of the Google services have;

Let me know what you think about that! Also, I'm available to implement this proposed change, if you think it's a good idea.

Thanks!

See this makes a lot more sense if Security admin and Key admin are the same person.
There is clear guidance from the PMs and Autokey customers that configuration and key creation should be clearly separated..

Your suggestion makes sense but the expectation from the perspective of the personas are quite differnt.

@nb-goog nb-goog closed this Nov 19, 2024
@nb-goog nb-goog reopened this Nov 19, 2024
@romanini-ciandt
Copy link
Member

/gcbrun

@romanini-ciandt
Copy link
Member

/gcbrun

@apeabody
Copy link
Contributor

/gcbrun

@nb-goog nb-goog requested review from bharathkkb and apeabody and removed request for bharathkkb December 18, 2024 18:54
@nb-goog
Copy link
Contributor Author

nb-goog commented Dec 21, 2024

/gcbrun

@romanini-ciandt
Copy link
Member

/gcbrun

bharathkkb
bharathkkb reviewed Dec 31, 2024
View reviewed changes
docs/upgrading_to_v4.0.md Outdated Show resolved Hide resolved
docs/upgrading_to_v4.0.md Show resolved Hide resolved
bharathkkb
bharathkkb approved these changes Dec 31, 2024
View reviewed changes
docs/upgrading_to_v4.0.md Outdated Show resolved Hide resolved
@bharathkkb bharathkkb enabled auto-merge (squash) December 31, 2024 19:38
@nb-goog nb-goog requested review from apeabody and removed request for apeabody December 31, 2024 19:55
@nb-goog nb-goog dismissed apeabody’s stale review December 31, 2024 19:58

requested changes already accomodated

@bharathkkb bharathkkb merged commit 28f3072 into terraform-google-modules:master Dec 31, 2024
4 checks passed
@nb-goog nb-goog deleted the setup-only branch December 31, 2024 19:58
This was referenced Dec 31, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erlanderlo erlanderlo erlanderlo requested changes

@romanini-ciandt romanini-ciandt romanini-ciandt approved these changes

@tdbhacks tdbhacks tdbhacks approved these changes

@bharathkkb bharathkkb bharathkkb approved these changes

@apeabody apeabody Awaiting requested review from apeabody

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@nb-goog @romanini-ciandt @apeabody @bharathkkb @erlanderlo @tdbhacks