From 852ac5ae7b99f5324bdacb3d3f4fe9d199c2aad6 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 14:09:15 +0530 Subject: [PATCH 01/38] Enabling autokey config setup in autokey submodule --- examples/autokey/autokey-setup/README.md | 28 +++++++++++ examples/autokey/autokey-setup/main.tf | 25 ++++++++++ examples/autokey/autokey-setup/outputs.tf | 20 ++++++++ .../autokey-setup}/variables.tf | 11 ++-- .../keyhandle-setup}/README.md | 2 +- examples/autokey/keyhandle-setup/main.tf | 50 +++++++++++++++++++ .../keyhandle-setup}/outputs.tf | 15 ++---- examples/autokey/keyhandle-setup/variables.tf | 35 +++++++++++++ examples/autokey_example/main.tf | 44 ---------------- modules/autokey/iam.tf | 10 +--- modules/autokey/main.tf | 26 +--------- modules/autokey/outputs.tf | 10 ---- modules/autokey/variables.tf | 20 +------- 13 files changed, 173 insertions(+), 123 deletions(-) create mode 100644 examples/autokey/autokey-setup/README.md create mode 100644 examples/autokey/autokey-setup/main.tf create mode 100644 examples/autokey/autokey-setup/outputs.tf rename examples/{autokey_example => autokey/autokey-setup}/variables.tf (60%) rename examples/{autokey_example => autokey/keyhandle-setup}/README.md (97%) create mode 100644 examples/autokey/keyhandle-setup/main.tf rename examples/{autokey_example => autokey/keyhandle-setup}/outputs.tf (65%) create mode 100644 examples/autokey/keyhandle-setup/variables.tf delete mode 100644 examples/autokey_example/main.tf diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey/autokey-setup/README.md new file mode 100644 index 0000000..ae1c0f4 --- /dev/null +++ b/examples/autokey/autokey-setup/README.md 
@@ -0,0 +1,28 @@ +# Autokey Example + +This example illustrates how to setup the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes | +| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | +| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| autokey\_config\_id | An Autokey configuration identifier. | +| autokey\_keyhandles | A map of KeyHandles created. | +| autokey\_project\_id | Project used for autokey. | + + + +To provision this example, run the following from within this directory: +- `terraform init` to get the plugins +- `terraform plan` to see the infrastructure plan +- `terraform apply` to apply the infrastructure build +- `terraform destroy` to destroy the built infrastructure diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf new file mode 100644 index 0000000..aa29ea5 --- /dev/null +++ b/examples/autokey/autokey-setup/main.tf 
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+ //source = "terraform-google-modules/kms/google//modules/autokey"
+ source = "../../../modules/autokey"
+ //version = "3.1.0"
+
+ autokey_kms_project_id = var.kms_project_id
+ autokey_folder_number = var.folder_id
+}
+
diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey/autokey-setup/outputs.tf
new file mode 100644
index 0000000..9b36548
--- /dev/null
+++ b/examples/autokey/autokey-setup/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "autokey_config_id" {
+ description = "An Autokey configuration identifier."
+ value = module.autokey.autokey_config_id
+}
\ No newline at end of file
diff --git a/examples/autokey_example/variables.tf b/examples/autokey/autokey-setup/variables.tf similarity index 60% rename from examples/autokey_example/variables.tf rename to examples/autokey/autokey-setup/variables.tf index 35a0fa5..b9d4496 100644 --- a/examples/autokey_example/variables.tf +++ b/examples/autokey/autokey-setup/variables.tf @@ -14,18 +14,13 @@ * limitations under the License. */ -variable "project_id" { - description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)." - type = string -} - -variable "autokey_resource_project_id" { - description = "The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK)." +variable "kms_project_id" { + description = "The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned." type = string } variable "folder_id" { type = string - description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." + description = "The ID of the folder for which to enable and configure Autokey. Required when using Autokey." } diff --git a/examples/autokey_example/README.md b/examples/autokey/keyhandle-setup/README.md similarity index 97% rename from examples/autokey_example/README.md rename to examples/autokey/keyhandle-setup/README.md index ddd2966..ed8dbff 100644 --- a/examples/autokey_example/README.md +++ b/examples/autokey/keyhandle-setup/README.md @@ -1,6 +1,6 @@ # Autokey Example -This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature. +This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create the bucket. ## Inputs diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/autokey/keyhandle-setup/main.tf new file mode 100644 index 0000000..4d87394 
--- /dev/null
+++ b/examples/autokey/keyhandle-setup/main.tf
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+
+resource "random_string" "suffix" {
+ length = 4
+ special = false
+ upper = false
+}
+
+resource "google_kms_key_handle" "bucket_keyhandle" {
+ provider = google-beta
+
+ project = var.resource_project_id
+ name = "${var.bucket_name_prefix}-${random_string.suffix.result}"
+ location = var.bucket_location
+ resource_type_selector = var.resource_type_selector
+
+ lifecycle {
+ ignore_changes = [name]
+ }
+}
+
+module "bucket" {
+ source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+ version = "8.0"
+
+ name = "${var.bucket_name_prefix}-${random_string.suffix.result}"
+ project_id = var.resource_project_id
+ location = var.bucket_location
+ encryption = {
+ default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key
+ }
+
+ depends_on = [resource.google_kms_key_handle.bucket_keyhandle]
+}
diff --git a/examples/autokey_example/outputs.tf b/examples/autokey/keyhandle-setup/outputs.tf
similarity index 65%
rename from examples/autokey_example/outputs.tf
rename to examples/autokey/keyhandle-setup/outputs.tf
index 45f188b..44870b5 100644
--- a/examples/autokey_example/outputs.tf
+++ b/examples/autokey/keyhandle-setup/outputs.tf
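Review bot: `google_kms_key_handle.bucket_keyhandle` can only be created once an Autokey config exists for the folder that contains `var.resource_project_id`, but nothing in this example references or depends on the autokey-setup example, so an apply in the wrong order will presumably fail at the key handle with no hint of the cause; state the precondition at the top of main.tf, e.g. `# Requires the folder's Autokey config (see ../autokey-setup) to be applied first.` The `depends_on = [resource.google_kms_key_handle.bucket_keyhandle]` in module "bucket" is redundant, since `default_kms_key_name` already references `google_kms_key_handle.bucket_keyhandle.kms_key` and Terraform orders on that reference. The README renamed in this same commit says the example uses the `autokey` submodule, but main.tf never instantiates it; the README should describe what this file actually does (a key handle plus a CMEK-encrypted bucket).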
@@ -14,17 +14,12 @@
  * limitations under the License.
  */
 
-output "autokey_config_id" {
+output "bucket_keyhandle" {
 description = "An Autokey configuration identifier."
- value = module.autokey.autokey_config_id != null ? module.autokey.autokey_config_id : ""
+ value = resource.google_kms_key_handle.bucket_keyhandle
 }
 
-output "autokey_keyhandles" {
+output "bucket_name" {
 description = "A map of KeyHandles created."
- value = module.autokey.autokey_keyhandles != null ? module.autokey.autokey_keyhandles : {}
-}
-
-output "autokey_project_id" {
- description = "Project used for autokey."
- value = var.project_id
-}
+ value = module.bucket.name
+}
\ No newline at end of file
diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf
new file mode 100644
index 0000000..ae76a44
--- /dev/null
+++ b/examples/autokey/keyhandle-setup/variables.tf
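Review bot: Both renamed outputs keep the descriptions of the outputs they replace: `bucket_keyhandle` is still described as "An Autokey configuration identifier." and `bucket_name` as "A map of KeyHandles created.", and patch 05 copies that wrong text into the README table. Change them to `description = "The KeyHandle resource created for the bucket."` and `description = "The name of the storage bucket created."`. Consider also exporting `google_kms_key_handle.bucket_keyhandle.kms_key` as its own output, since the CMEK key name is what a caller checking the bucket's encryption actually needs, rather than only the whole resource object.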
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "resource_project_id" {
+ description = "The ID of the project in which to provision resources (bucket, persistent disk, etc)"
+ type = string
+}
+
+variable "bucket_name_prefix" {
+ type = string
+ description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}"
+}
+
+variable "resource_type_selector" {
+ type = string
+ description = "The resource type selector for bucket"
+}
+
+variable "bucket_location" {
+ type = string
+ description = "The gcp location where storage bucket will be created"
+}
diff --git a/examples/autokey_example/main.tf b/examples/autokey_example/main.tf
deleted file mode 100644
index bb95e2d..0000000
--- a/examples/autokey_example/main.tf
+++ /dev/null
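Review bot: `resource_type_selector` is a required free-form string even though this example is bucket-specific and passes the value straight into the key handle, so a caller who enters a selector for another service gets a key handle whose key cannot protect the bucket. Give it `default = "storage.googleapis.com/Bucket"` (the value the deleted autokey_example used for its bucket handle) or a `validation` block pinning that value, and say in the description that it must be the Cloud Storage bucket selector.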
@@ -1,44 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "autokey" {
- source = "terraform-google-modules/kms/google//modules/autokey"
- version = "3.1.0"
-
- project_id = var.project_id
- autokey_folder_number = var.folder_id
- autokey_handles = {
- storage_bucket = {
- name = "bucket-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "storage.googleapis.com/Bucket",
- location = "us-central1"
- }
- compute_disk = {
- name = "disk-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "compute.googleapis.com/Disk",
- location = "us-central1"
- }
- bigquery_dataset = {
- name = "dataset-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "bigquery.googleapis.com/Dataset",
- location = "us-central1"
- }
- }
-}
-
diff --git a/modules/autokey/iam.tf b/modules/autokey/iam.tf
index 29e9df6..da05c14 100644
--- a/modules/autokey/iam.tf
+++ b/modules/autokey/iam.tf
@@ -15,12 +15,11 @@
 */
 
 data "google_project" "kms_project" {
- project_id = var.project_id
+ project_id = var.autokey_kms_project_id
 }
 
 #Create KMS Service Agent
 resource "google_project_service_identity" "kms_service_agent" {
- count = var.autokey_handles != null ? 1 : 0
 provider = google-beta
 service = "cloudkms.googleapis.com"
 
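Review bot: With the `count = var.autokey_handles != null ? 1 : 0` guard removed from `google_project_service_identity.kms_service_agent` here, and from `time_sleep.wait_service_agent`, `google_project_iam_member.autokey_project_admin` and `time_sleep.wait_srv_acc_permissions` in the two following hunks, every use of the module now unconditionally creates the Cloud KMS service agent and grants it `roles/cloudkms.admin` on the whole of `var.autokey_kms_project_id`. That grant is what Autokey relies on, but it is a project-wide admin role that module consumers should be told about before they apply; add a sentence to the `autokey_kms_project_id` description such as `The module grants the Cloud KMS service agent roles/cloudkms.admin on this project.` and mirror it in the module README. The fixed `create_duration = "10s"` waits are a timing workaround for IAM propagation; a comment stating that they may need tuning would save the next reader from treating them as semantically required.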
@@ -29,18 +28,15 @@ resource "google_project_service_identity" "kms_service_agent" { # Wait delay after creating service agent. resource "time_sleep" "wait_service_agent" { - count = var.autokey_handles != null ? 1 : 0 - create_duration = "10s" depends_on = [google_project_service_identity.kms_service_agent] } #Grant the KMS Service Agent the Cloud KMS Admin role resource "google_project_iam_member" "autokey_project_admin" { - count = var.autokey_handles != null ? 1 : 0 provider = google-beta - project = var.project_id + project = var.autokey_kms_project_id role = "roles/cloudkms.admin" member = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com" depends_on = [time_sleep.wait_service_agent] @@ -48,8 +44,6 @@ resource "google_project_iam_member" "autokey_project_admin" { # Wait delay after granting IAM permissions resource "time_sleep" "wait_srv_acc_permissions" { - count = var.autokey_handles != null ? 1 : 0 - create_duration = "10s" depends_on = [google_project_iam_member.autokey_project_admin] } diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index f6d37ba..b5d4f61 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf 
@@ -18,27 +18,5 @@ resource "google_kms_autokey_config" "primary" { provider = google-beta folder = var.autokey_folder_number - key_project = "projects/${var.project_id}" -} - -resource "random_string" "suffix" { - length = 4 - special = false - upper = false -} - -resource "google_kms_key_handle" "primary" { - for_each = var.autokey_handles != null ? var.autokey_handles : tomap({}) - provider = google-beta - - project = each.value.project - name = "${each.value.name}-${random_string.suffix.result}" - location = each.value.location - resource_type_selector = each.value.resource_type_selector - - lifecycle { - ignore_changes = [name] - } - - depends_on = [time_sleep.wait_srv_acc_permissions] -} + key_project = "projects/${var.autokey_kms_project_id}" +} \ No newline at end of file diff --git a/modules/autokey/outputs.tf b/modules/autokey/outputs.tf index a198889..1c8e036 100644 --- a/modules/autokey/outputs.tf +++ b/modules/autokey/outputs.tf @@ -18,13 +18,3 @@ output "autokey_config_id" { description = "An Autokey configuration identifier." value = google_kms_autokey_config.primary.id } - -output "autokey_keyhandles" { - description = "A map of KeyHandles created." - value = var.autokey_handles != null ? google_kms_key_handle.primary : {} -} - -output "random_suffix" { - description = "Random 4 digits suffix used in Autokey submodule." - value = random_string.suffix.result -} diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 0fb78ad..04555e1 100644 --- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -14,8 +14,8 @@ * limitations under the License. */ -variable "project_id" { - description = "Project id where the Autokey configuration and KeyHandles will be created." +variable "autokey_kms_project_id" { + description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)." type = string } 
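Review bot: The removed `google_kms_key_handle.primary` was the only resource in this file that waited on `time_sleep.wait_srv_acc_permissions`, so after this hunk nothing visible orders `google_kms_autokey_config.primary` after the service-agent IAM grant in iam.tf. The resource's opening lines are outside the hunk; if it carries no `depends_on` of its own, add `depends_on = [time_sleep.wait_srv_acc_permissions]` so the config is not applied before the grant Autokey relies on is in place. The new closing brace also drops the file's trailing newline (`\ No newline at end of file`), which patch 06 later has to restore.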
@@ -24,19 +24,3 @@ variable "autokey_folder_number" { description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." } -variable "autokey_handles" { - type = map(object({ - name = string - resource_type_selector = string - location = string - project = string - })) - description = <<-EOF - (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service. - - name: The resource name for the KeyHandle. - - resource_type_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services. - - location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list. - - project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used. - EOF - default = null -} From db065d1216bb5010f1f80a0c85f749058cc75571 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:27:35 +0530 Subject: [PATCH 02/38] updated comments --- examples/autokey/autokey-setup/main.tf | 5 ++--- modules/autokey/variables.tf | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf index aa29ea5..00f5908 100644 --- a/examples/autokey/autokey-setup/main.tf +++ b/examples/autokey/autokey-setup/main.tf @@ -15,9 +15,8 @@ */ module "autokey" { - //source = "terraform-google-modules/kms/google//modules/autokey" - source = "../../../modules/autokey" - //version = "3.1.0" + source = "terraform-google-modules/kms/google//modules/autokey" + version = "3.1.0" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id 
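Review bot: The autokey-setup example in patch 02 switches to the registry module pinned at `version = "3.1.0"` while passing `autokey_kms_project_id`, but the examples/autokey_example/main.tf deleted in patch 01 shows that 3.1.0 takes `project_id` and `autokey_handles`, so this configuration cannot validate until a release containing the rename ships. Keep the local `source = "../../modules/autokey"` until then (patch 09 switches back to it). Removing `autokey_handles` together with the `autokey_keyhandles` and `random_suffix` outputs, and renaming `project_id` to `autokey_kms_project_id`, is a breaking interface change for existing module consumers; the release that carries it needs a major version bump and a short migration note in the module README, neither of which these commits mention.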
diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 04555e1..79fa1b2 100644 --- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -15,12 +15,12 @@ */ variable "autokey_kms_project_id" { - description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)." + description = "The ID of the project in which to provision Autokey resources (autokey keyring and keys)." type = string } variable "autokey_folder_number" { type = string - description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." + description = "The folder number on which autokey will be configured. Required when using Autokey." } From 9ea551ab293f1e0853bd8d0aeaf2629ae54c3886 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:37:07 +0530 Subject: [PATCH 03/38] fmt change --- examples/autokey/autokey-setup/main.tf | 2 +- examples/autokey/keyhandle-setup/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey/autokey-setup/main.tf index 00f5908..67a932e 100644 --- a/examples/autokey/autokey-setup/main.tf +++ b/examples/autokey/autokey-setup/main.tf @@ -19,6 +19,6 @@ module "autokey" { version = "3.1.0" autokey_kms_project_id = var.kms_project_id - autokey_folder_number = var.folder_id + autokey_folder_number = var.folder_id } diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf index ae76a44..0419ad1 100644 --- a/examples/autokey/keyhandle-setup/variables.tf +++ b/examples/autokey/keyhandle-setup/variables.tf @@ -31,5 +31,5 @@ variable "resource_type_selector" { variable "bucket_location" { type = string - description = "The gcp location where storage bucket will be created" + description = "The gcp location where storage bucket will be created" } From 4444348fa18202d40bb7da849e3d20510df8aea5 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:46:35 +0530 Subject: [PATCH 04/38] fmt --- examples/autokey/keyhandle-setup/main.tf | 2 +- examples/autokey/keyhandle-setup/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/autokey/keyhandle-setup/main.tf index 4d87394..9728d9a 100644 --- a/examples/autokey/keyhandle-setup/main.tf +++ b/examples/autokey/keyhandle-setup/main.tf @@ -40,7 +40,7 @@ module "bucket" { version = "8.0" name = "${var.bucket_name_prefix}-${random_string.suffix.result}" - project_id = var.resource_project_id + project_id = var.resource_project_id location = var.bucket_location encryption = { default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/autokey/keyhandle-setup/variables.tf index 0419ad1..f6916d4 100644 --- a/examples/autokey/keyhandle-setup/variables.tf +++ b/examples/autokey/keyhandle-setup/variables.tf @@ -27,7 +27,7 @@ variable "bucket_name_prefix" { variable "resource_type_selector" { type = string description = "The resource type selector for bucket" -} +} variable "bucket_location" { type = string From d96d2dead04c15827c0f0010028b5f5b45632abe Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 12:25:34 +0000 Subject: [PATCH 05/38] updating readme.md --- examples/autokey/autokey-setup/README.md | 7 ++----- examples/autokey/keyhandle-setup/README.md | 12 ++++++------ modules/autokey/README.md | 7 ++----- 3 files changed, 10 insertions(+), 16 deletions(-) diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey/autokey-setup/README.md index ae1c0f4..12d7529 100644 --- a/examples/autokey/autokey-setup/README.md +++ b/examples/autokey/autokey-setup/README.md 
@@ -7,17 +7,14 @@ This example illustrates how to setup the `autokey` kms submodule for [KMS Autok | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes | -| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes | +| folder\_id | The ID of the folder for which to enable and configure Autokey. Required when using Autokey. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| autokey\_project\_id | Project used for autokey. | diff --git a/examples/autokey/keyhandle-setup/README.md b/examples/autokey/keyhandle-setup/README.md index ed8dbff..89adbc8 100644 --- a/examples/autokey/keyhandle-setup/README.md +++ b/examples/autokey/keyhandle-setup/README.md 
@@ -7,17 +7,17 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes | -| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes | +| bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | +| bucket\_name\_prefix | The storage bucket created will have name {bucket\_name\_prefix}-{random-suffix} | `string` | n/a | yes | +| resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | +| resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| autokey\_project\_id | Project used for autokey. | +| bucket\_keyhandle | An Autokey configuration identifier. | +| bucket\_name | A map of KeyHandles created. | diff --git a/modules/autokey/README.md b/modules/autokey/README.md index 772e8c0..5e4e6f7 100644 --- a/modules/autokey/README.md +++ b/modules/autokey/README.md 
@@ -7,16 +7,13 @@ This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/doc | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_folder\_number | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| autokey\_handles | (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service.
- name: The resource name for the KeyHandle.
- resource\_type\_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services.
- location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.
- project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used. |
map(object({
name = string
resource_type_selector = string
location = string
project = string
}))
| `null` | no | -| project\_id | Project id where the Autokey configuration and KeyHandles will be created. | `string` | n/a | yes | +| autokey\_folder\_number | The folder number on which autokey will be configured. Required when using Autokey. | `string` | n/a | yes | +| autokey\_kms\_project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keys). | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| random\_suffix | Random 4 digits suffix used in Autokey submodule. | From af032d99f9cc492764d18471f56397b9b6756e7a Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 11 Nov 2024 17:59:06 +0530 Subject: [PATCH 06/38] fmt change --- examples/autokey/autokey-setup/outputs.tf | 2 +- examples/autokey/keyhandle-setup/outputs.tf | 2 +- modules/autokey/main.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey/autokey-setup/outputs.tf index 9b36548..6f5d206 100644 --- a/examples/autokey/autokey-setup/outputs.tf +++ b/examples/autokey/autokey-setup/outputs.tf @@ -17,4 +17,4 @@ output "autokey_config_id" { description = "An Autokey configuration identifier." value = module.autokey.autokey_config_id -} \ No newline at end of file +} diff --git a/examples/autokey/keyhandle-setup/outputs.tf b/examples/autokey/keyhandle-setup/outputs.tf index 44870b5..2a77391 100644 --- a/examples/autokey/keyhandle-setup/outputs.tf +++ b/examples/autokey/keyhandle-setup/outputs.tf @@ -22,4 +22,4 @@ output "bucket_keyhandle" { output "bucket_name" { description = "A map of KeyHandles created." value = module.bucket.name -} \ No newline at end of file +} diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index b5d4f61..1a8001f 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf 
@@ -19,4 +19,4 @@ resource "google_kms_autokey_config" "primary" { folder = var.autokey_folder_number key_project = "projects/${var.autokey_kms_project_id}" -} \ No newline at end of file +} From fb4bd3359015dc7411b7a082b48d32b1131901cb Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 12 Nov 2024 09:56:08 +0530 Subject: [PATCH 07/38] addressing review comments --- examples/{autokey => }/autokey-setup/README.md | 0 examples/{autokey => }/autokey-setup/main.tf | 0 examples/{autokey => }/autokey-setup/outputs.tf | 0 examples/{autokey => }/autokey-setup/variables.tf | 4 ++-- .../keyhandle-setup => bucket-setup-using-autokey}/README.md | 0 .../keyhandle-setup => bucket-setup-using-autokey}/main.tf | 0 .../keyhandle-setup => bucket-setup-using-autokey}/outputs.tf | 0 .../variables.tf | 0 modules/autokey/variables.tf | 4 ++-- 9 files changed, 4 insertions(+), 4 deletions(-) rename examples/{autokey => }/autokey-setup/README.md (100%) rename examples/{autokey => }/autokey-setup/main.tf (100%) rename examples/{autokey => }/autokey-setup/outputs.tf (100%) rename examples/{autokey => }/autokey-setup/variables.tf (74%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/README.md (100%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/main.tf (100%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/outputs.tf (100%) rename examples/{autokey/keyhandle-setup => bucket-setup-using-autokey}/variables.tf (100%) diff --git a/examples/autokey/autokey-setup/README.md b/examples/autokey-setup/README.md similarity index 100% rename from examples/autokey/autokey-setup/README.md rename to examples/autokey-setup/README.md diff --git a/examples/autokey/autokey-setup/main.tf b/examples/autokey-setup/main.tf similarity index 100% rename from examples/autokey/autokey-setup/main.tf rename to examples/autokey-setup/main.tf 
diff --git a/examples/autokey/autokey-setup/outputs.tf b/examples/autokey-setup/outputs.tf similarity index 100% rename from examples/autokey/autokey-setup/outputs.tf rename to examples/autokey-setup/outputs.tf diff --git a/examples/autokey/autokey-setup/variables.tf b/examples/autokey-setup/variables.tf similarity index 74% rename from examples/autokey/autokey-setup/variables.tf rename to examples/autokey-setup/variables.tf index b9d4496..8639df6 100644 --- a/examples/autokey/autokey-setup/variables.tf +++ b/examples/autokey-setup/variables.tf @@ -15,12 +15,12 @@ */ variable "kms_project_id" { - description = "The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned." + description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." type = string } variable "folder_id" { type = string - description = "The ID of the folder for which to enable and configure Autokey. Required when using Autokey." + description = "The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey." } diff --git a/examples/autokey/keyhandle-setup/README.md b/examples/bucket-setup-using-autokey/README.md similarity index 100% rename from examples/autokey/keyhandle-setup/README.md rename to examples/bucket-setup-using-autokey/README.md diff --git a/examples/autokey/keyhandle-setup/main.tf b/examples/bucket-setup-using-autokey/main.tf similarity index 100% rename from examples/autokey/keyhandle-setup/main.tf rename to examples/bucket-setup-using-autokey/main.tf diff --git a/examples/autokey/keyhandle-setup/outputs.tf b/examples/bucket-setup-using-autokey/outputs.tf similarity index 100% rename from examples/autokey/keyhandle-setup/outputs.tf rename to examples/bucket-setup-using-autokey/outputs.tf 
diff --git a/examples/autokey/keyhandle-setup/variables.tf b/examples/bucket-setup-using-autokey/variables.tf similarity index 100% rename from examples/autokey/keyhandle-setup/variables.tf rename to examples/bucket-setup-using-autokey/variables.tf diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 79fa1b2..0593f66 100644 --- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -15,12 +15,12 @@ */ variable "autokey_kms_project_id" { - description = "The ID of the project in which to provision Autokey resources (autokey keyring and keys)." + description = "The ID of the project in which kms keyrings and keys will be provisioned by the Autokey." type = string } variable "autokey_folder_number" { type = string - description = "The folder number on which autokey will be configured. Required when using Autokey." + description = "The folder number on which autokey will be configured and enabled. Required when using Autokey." } From 19e7be416ebb68499604002c9c7c0cd9752947d4 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 12 Nov 2024 04:27:22 +0000 Subject: [PATCH 08/38] fmt --- examples/autokey-setup/README.md | 4 ++-- modules/autokey/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/autokey-setup/README.md b/examples/autokey-setup/README.md index 12d7529..649b248 100644 --- a/examples/autokey-setup/README.md +++ b/examples/autokey-setup/README.md 
@@ -7,8 +7,8 @@ This example illustrates how to setup the `autokey` kms submodule for [KMS Autok | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| folder\_id | The ID of the folder for which to enable and configure Autokey. Required when using Autokey. | `string` | n/a | yes | -| kms\_project\_id | The ID of the project in which Autokey resources (autokey keyring, keyHandle and kms keys) will be provisioned. | `string` | n/a | yes | +| folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | ## Outputs diff --git a/modules/autokey/README.md b/modules/autokey/README.md index 5e4e6f7..bd18d0a 100644 --- a/modules/autokey/README.md +++ b/modules/autokey/README.md @@ -7,8 +7,8 @@ This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/doc | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_folder\_number | The folder number on which autokey will be configured. Required when using Autokey. | `string` | n/a | yes | -| autokey\_kms\_project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keys). | `string` | n/a | yes | +| autokey\_folder\_number | The folder number on which autokey will be configured and enabled. Required when using Autokey. | `string` | n/a | yes | +| autokey\_kms\_project\_id | The ID of the project in which kms keyrings and keys will be provisioned by the Autokey. | `string` | n/a | yes | ## Outputs From 6de0c29a38ab8c5f6bd84a29e28cc41a330e1286 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Mon, 18 Nov 2024 18:55:06 +0530 Subject: [PATCH 09/38] correcting tests --- examples/autokey-setup/main.tf | 5 +++-- examples/bucket-setup-using-autokey/main.tf | 2 +- .../bucket-setup-using-autokey/variables.tf | 2 +- test/setup/outputs.tf | 18 +++++++++++++++--- 4 files changed, 20 insertions(+), 7 deletions(-) diff --git a/examples/autokey-setup/main.tf b/examples/autokey-setup/main.tf index 67a932e..c0b86eb 100644 --- a/examples/autokey-setup/main.tf +++ b/examples/autokey-setup/main.tf @@ -15,8 +15,9 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" - version = "3.1.0" + //source = "terraform-google-modules/kms/google//modules/autokey" + //version = "3.1.0" + source = "../../modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket-setup-using-autokey/main.tf b/examples/bucket-setup-using-autokey/main.tf index 9728d9a..47ce2ff 100644 --- a/examples/bucket-setup-using-autokey/main.tf +++ b/examples/bucket-setup-using-autokey/main.tf @@ -28,7 +28,7 @@ resource "google_kms_key_handle" "bucket_keyhandle" { project = var.resource_project_id name = "${var.bucket_name_prefix}-${random_string.suffix.result}" location = var.bucket_location - resource_type_selector = var.resource_type_selector + resource_type_selector = var.bucket_resource_type_selector lifecycle { ignore_changes = [name] diff --git a/examples/bucket-setup-using-autokey/variables.tf b/examples/bucket-setup-using-autokey/variables.tf index f6916d4..697bbf1 100644 --- a/examples/bucket-setup-using-autokey/variables.tf +++ b/examples/bucket-setup-using-autokey/variables.tf @@ -24,7 +24,7 @@ variable "bucket_name_prefix" { description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}" } -variable "resource_type_selector" { +variable "bucket_resource_type_selector" { type = string description = "The resource type selector for bucket" } 
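Review bot: The two commented-out lines `//source = "terraform-google-modules/kms/google//modules/autokey"` and `//version = "3.1.0"` left inside `module "autokey"` in examples/autokey-setup/main.tf are dead configuration that will drift from whatever the registry source becomes; delete them rather than keep them as comments, and if a pointer to the published module is wanted, HCL convention is a `#` comment such as `# Published equivalent: terraform-google-modules/kms/google//modules/autokey`. Switching the example to the local `../../modules/autokey` path is what makes the integration test exercise the module code changed in this series, so that part is the right direction. The rename of `resource_type_selector` to `bucket_resource_type_selector` is applied consistently in main.tf and variables.tf, but the README input table is not touched in this commit, so applied alone it leaves the docs out of sync.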
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 63f42bc..06d0395 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -14,18 +14,30 @@ * limitations under the License. */ -output "project_id" { +output "kms_project_id" { value = module.project_ci_kms.project_id } -output "autokey_resource_project_id" { +output "resource_project_id" { value = module.autokey_resource_project.project_id } -output "autokey_resource_project_number" { +output "resource_project_number" { value = module.autokey_resource_project.project_number } +output "bucket_name_prefix" { + value = "ci-kms-bucket" +} + +output "bucket_resource_type_selector" { + value = "storage.googleapis.com/Bucket" +} + +output "bucket_location" { + value = "us-central1" +} + output "sa_key" { value = google_service_account_key.int_test.private_key sensitive = true From 74789dbcde78d696b8d7fff857787c4ca62ebf04 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 18 Nov 2024 13:36:43 +0000 Subject: [PATCH 10/38] fmt --- examples/bucket-setup-using-autokey/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/bucket-setup-using-autokey/README.md b/examples/bucket-setup-using-autokey/README.md index 89adbc8..57b5f37 100644 --- a/examples/bucket-setup-using-autokey/README.md +++ b/examples/bucket-setup-using-autokey/README.md 
@@ -9,8 +9,8 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey |------|-------------|------|---------|:--------:| | bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | | bucket\_name\_prefix | The storage bucket created will have name {bucket\_name\_prefix}-{random-suffix} | `string` | n/a | yes | +| bucket\_resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | | resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | -| resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | ## Outputs From a220f6293467e7bc92ecfaa94070173894a12296 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 12:18:55 +0530 Subject: [PATCH 11/38] renaming dir and updating test --- .../README.md | 0 .../{autokey-setup => autokey_setup}/main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../README.md | 0 .../main.tf | 4 +- .../outputs.tf | 0 .../variables.tf | 10 --- .../autokey_setup/autokey_setup_test.go | 72 +++++++++++++++++++ .../bucket_setup_using_autokey_test.go} | 4 +- test/setup/outputs.tf | 12 ---- 11 files changed, 76 insertions(+), 26 deletions(-) rename examples/{autokey-setup => autokey_setup}/README.md (100%) rename examples/{autokey-setup => autokey_setup}/main.tf (100%) rename examples/{autokey-setup => autokey_setup}/outputs.tf (100%) rename examples/{autokey-setup => autokey_setup}/variables.tf (100%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/README.md (100%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/main.tf (89%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/outputs.tf (100%) rename examples/{bucket-setup-using-autokey => bucket_setup_using_autokey}/variables.tf (75%) create mode 100755 test/integration/autokey_setup/autokey_setup_test.go rename test/integration/{autokey_example/autokey_example_test.go => bucket_setup_using_autokey/bucket_setup_using_autokey_test.go} (94%) diff --git a/examples/autokey-setup/README.md b/examples/autokey_setup/README.md similarity index 100% rename from examples/autokey-setup/README.md rename to examples/autokey_setup/README.md diff --git a/examples/autokey-setup/main.tf b/examples/autokey_setup/main.tf similarity index 100% rename from examples/autokey-setup/main.tf rename to examples/autokey_setup/main.tf diff --git a/examples/autokey-setup/outputs.tf b/examples/autokey_setup/outputs.tf similarity index 100% rename from examples/autokey-setup/outputs.tf rename to examples/autokey_setup/outputs.tf 
diff --git a/examples/autokey-setup/variables.tf b/examples/autokey_setup/variables.tf similarity index 100% rename from examples/autokey-setup/variables.tf rename to examples/autokey_setup/variables.tf diff --git a/examples/bucket-setup-using-autokey/README.md b/examples/bucket_setup_using_autokey/README.md similarity index 100% rename from examples/bucket-setup-using-autokey/README.md rename to examples/bucket_setup_using_autokey/README.md diff --git a/examples/bucket-setup-using-autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf similarity index 89% rename from examples/bucket-setup-using-autokey/main.tf rename to examples/bucket_setup_using_autokey/main.tf index 47ce2ff..6834b9b 100644 --- a/examples/bucket-setup-using-autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -26,9 +26,9 @@ resource "google_kms_key_handle" "bucket_keyhandle" { provider = google-beta project = var.resource_project_id - name = "${var.bucket_name_prefix}-${random_string.suffix.result}" + name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" location = var.bucket_location - resource_type_selector = var.bucket_resource_type_selector + resource_type_selector = "storage.googleapis.com/Bucket" lifecycle { ignore_changes = [name] diff --git a/examples/bucket-setup-using-autokey/outputs.tf b/examples/bucket_setup_using_autokey/outputs.tf similarity index 100% rename from examples/bucket-setup-using-autokey/outputs.tf rename to examples/bucket_setup_using_autokey/outputs.tf diff --git a/examples/bucket-setup-using-autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf similarity index 75% rename from examples/bucket-setup-using-autokey/variables.tf rename to examples/bucket_setup_using_autokey/variables.tf index 697bbf1..e3e8846 100644 --- a/examples/bucket-setup-using-autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf 
@@ -19,16 +19,6 @@ variable "resource_project_id" { type = string } -variable "bucket_name_prefix" { - type = string - description = "The storage bucket created will have name {bucket_name_prefix}-{random-suffix}" -} - -variable "bucket_resource_type_selector" { - type = string - description = "The resource type selector for bucket" -} - variable "bucket_location" { type = string description = "The gcp location where storage bucket will be created" diff --git a/test/integration/autokey_setup/autokey_setup_test.go b/test/integration/autokey_setup/autokey_setup_test.go new file mode 100755 index 0000000..e69e208 --- /dev/null +++ b/test/integration/autokey_setup/autokey_setup_test.go 
@@ -0,0 +1,72 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package autokey_example
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "regexp"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
+ "github.com/stretchr/testify/assert"
+ "golang.org/x/oauth2/google"
+)
+
+func validateKeyHandleVersion(input string, projectId string, autokeyResource string) bool {
+ pattern := fmt.Sprintf(`^projects/%s/locations/us-central1/keyRings/autokey/cryptoKeys/%s-(bigquery-dataset|compute-disk|storage-bucket)-.*?/cryptoKeyVersions/1$`, projectId, autokeyResource)
+ regex := regexp.MustCompile(pattern)
+ return regex.MatchString(input)
+}
+
+func TestAutokeyExample(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t)
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ bpt.DefaultVerify(assert)
+
+ kmsProjectId := bpt.GetStringOutput("kms_project_id")
+ autokeyConfig := bpt.GetStringOutput("autokey_config_id")
+
+ // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API.
+ autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig) + + httpClient, err := google.DefaultClient(context.Background(), "https://www.googleapis.com/auth/cloud-platform") + + if err != nil { + t.Fatal(err.Error()) + } + + resp, err := httpClient.Get(autokeyConfigUrl) + if err != nil { + t.Fatal(err.Error()) + } + + defer resp.Body.Close() + body, err := io.ReadAll(resp.Body) + if err != nil { + t.Fatal(err.Error()) + } + + result := utils.ParseJSONResult(t, string(body)) + + // Asserting if Autokey configuration was enabled with correct kms project id + autokeyConfigProject := result.Get("keyProject").String() + assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", kmsProjectId), "autokey expected for project %s", kmsProjectId) + }) + + bpt.Test() +} diff --git a/test/integration/autokey_example/autokey_example_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go similarity index 94% rename from test/integration/autokey_example/autokey_example_test.go rename to test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go index b793bda..46d8da8 100755 --- a/test/integration/autokey_example/autokey_example_test.go +++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go @@ -41,7 +41,7 @@ func TestAutokeyExample(t *testing.T) { projectId := bpt.GetStringOutput("autokey_project_id") autokeyConfig := bpt.GetStringOutput("autokey_config_id") - autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("autokey_resource_project_number") + autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("resource_project_number") // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API. autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig) 
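Review bot: The Cloud KMS API response is parsed as JSON without checking `resp.StatusCode`, so a 403 or 404 (for example, a missing permission on the Autokey config) produces an empty `keyProject` and the test fails with the misleading "autokey expected for project" message instead of surfacing the API error body. Add a guard after `io.ReadAll`, `if resp.StatusCode != http.StatusOK { t.Fatalf("GET %s returned %d: %s", autokeyConfigUrl, resp.StatusCode, body) }`, which needs `"net/http"` in the import block. Two smaller points in the same hunk: `assert.Equal(autokeyConfigProject, fmt.Sprintf(...), ...)` passes actual before expected, while testify's signature is `Equal(expected, actual, ...)`, so failure output labels the two values backwards; and `validateKeyHandleVersion` is declared but never called in this file, and it hard-codes `us-central1` in its pattern, so either a caller should be added or the helper dropped.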
@@ -65,7 +65,7 @@ func TestAutokeyExample(t *testing.T) { result := utils.ParseJSONResult(t, string(body)) - // Asserting if Autokey configuration was created + // Asserting if Autokey configuration was enabled with correct kms project id autokeyConfigProject := result.Get("keyProject").String() assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", projectId), "autokey expected for project %s", projectId) diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 06d0395..2ed4ad5 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -26,18 +26,6 @@ output "resource_project_number" { value = module.autokey_resource_project.project_number } -output "bucket_name_prefix" { - value = "ci-kms-bucket" -} - -output "bucket_resource_type_selector" { - value = "storage.googleapis.com/Bucket" -} - -output "bucket_location" { - value = "us-central1" -} - output "sa_key" { value = google_service_account_key.int_test.private_key sensitive = true From 1174f5a712029b6d689102db8db39773ddaf37de Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 12:41:30 +0530 Subject: [PATCH 12/38] compile time error resolution --- examples/autokey_setup/main.tf | 5 ++--- examples/bucket_setup_using_autokey/main.tf | 9 +++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index c0b86eb..67a932e 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,9 +15,8 @@ */ module "autokey" { - //source = "terraform-google-modules/kms/google//modules/autokey" - //version = "3.1.0" - source = "../../modules/autokey" + source = "terraform-google-modules/kms/google//modules/autokey" + version = "3.1.0" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 6834b9b..20fa6c9 100644 
--- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -14,7 +14,13 @@ * limitations under the License. */ +module "autokey" { + source = "terraform-google-modules/kms/google//modules/autokey" + version = "3.1.0" + autokey_kms_project_id = var.kms_project_id + autokey_folder_number = var.folder_id +} resource "random_string" "suffix" { length = 4 @@ -26,7 +32,6 @@ resource "google_kms_key_handle" "bucket_keyhandle" { provider = google-beta project = var.resource_project_id - name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" location = var.bucket_location resource_type_selector = "storage.googleapis.com/Bucket" @@ -39,7 +44,7 @@ module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "8.0" - name = "${var.bucket_name_prefix}-${random_string.suffix.result}" + name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" project_id = var.resource_project_id location = var.bucket_location encryption = { From d63ea27880cb2f9379e99cad9250b0dea9367763 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 13:02:00 +0530 Subject: [PATCH 13/38] fmt --- examples/bucket_setup_using_autokey/main.tf | 8 ++++---- examples/bucket_setup_using_autokey/variables.tf | 10 ++++++++++ 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 20fa6c9..bf99805 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf 
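Review bot: The new `module "autokey"` block creates the folder-level Autokey config in the same root module as `google_kms_key_handle.bucket_keyhandle`, but nothing in the visible lines of the key handle resource orders it after the module, so Terraform may request the key handle before the Autokey config and its service-agent IAM bindings exist; the resource body continues past the second hunk, so if a `depends_on` already lives there this is moot, otherwise add `depends_on = [module.autokey]` to the key handle. Separately, pinning `source = "terraform-google-modules/kms/google//modules/autokey"` with `version = "3.1.0"` means this example exercises the published module rather than the `modules/autokey` code this patch series is changing, which defeats the integration test's purpose; a local `../../modules/autokey` source is what the CI examples should reference. The third hunk renames the bucket to `${var.resource_project_id}-keyhandle-...`, which reads as a copy of the key handle name rather than a bucket name.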
@@ -29,11 +29,11 @@ resource "random_string" "suffix" { } resource "google_kms_key_handle" "bucket_keyhandle" { - provider = google-beta - + provider = google-beta + name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" project = var.resource_project_id location = var.bucket_location - resource_type_selector = "storage.googleapis.com/Bucket" + resource_type_selector = "storage.googleapis.com/Bucket" lifecycle { ignore_changes = [name] @@ -44,7 +44,7 @@ module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "8.0" - name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" + name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" project_id = var.resource_project_id location = var.bucket_location encryption = { diff --git a/examples/bucket_setup_using_autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf index e3e8846..5242672 100644 --- a/examples/bucket_setup_using_autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf @@ -14,6 +14,16 @@ * limitations under the License. */ +variable "kms_project_id" { + description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." + type = string +} + +variable "folder_id" { + type = string + description = "The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey." +} + variable "resource_project_id" { description = "The ID of the project in which to provision resources (bucket, persistent disk, etc)" type = string From 98715b317d579abf34a6cea2b796686df15e475b Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 12:54:44 +0000 Subject: [PATCH 14/38] correcting the test --- examples/autokey_setup/main.tf | 3 +-- examples/bucket_setup_using_autokey/README.md | 4 ++-- examples/bucket_setup_using_autokey/main.tf | 3 +-- examples/import_only_example/main.tf | 2 +- 4 files changed, 5 insertions(+), 7 deletions(-) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index 67a932e..d5dbc4b 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,8 +15,7 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" - version = "3.1.0" + source = "./../..//modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket_setup_using_autokey/README.md b/examples/bucket_setup_using_autokey/README.md index 57b5f37..24a5ed8 100644 --- a/examples/bucket_setup_using_autokey/README.md +++ b/examples/bucket_setup_using_autokey/README.md @@ -8,8 +8,8 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | -| bucket\_name\_prefix | The storage bucket created will have name {bucket\_name\_prefix}-{random-suffix} | `string` | n/a | yes | -| bucket\_resource\_type\_selector | The resource type selector for bucket | `string` | n/a | yes | +| folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | | resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | ## Outputs 
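Review bot: `source = "./../..//modules/autokey"` mixes the registry/git `//` subdirectory separator into a plain local path; Terraform treats a `./`-prefixed source as a filesystem path, so the double slash is only a redundant separator and misleadingly suggests subdirectory syntax is in effect. Write it as `source = "../../modules/autokey"`. The same form is used for `module "autokey"` in examples/bucket_setup_using_autokey/main.tf in the next hunk.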
diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index bf99805..c4cc9f0 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -15,8 +15,7 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" - version = "3.1.0" + source = "./../..//modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/import_only_example/main.tf b/examples/import_only_example/main.tf index f0a7745..969ee13 100644 --- a/examples/import_only_example/main.tf +++ b/examples/import_only_example/main.tf @@ -21,7 +21,7 @@ resource "random_pet" "main" { } module "kms" { - source = "../.." + source = "nb-goog/kms/google" project_id = var.project_id keyring = random_pet.main.id From 9adbeca513b23d84160ca034d32596f45e56ed09 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 13:00:14 +0000 Subject: [PATCH 15/38] correcting import key exa --- examples/import_only_example/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/import_only_example/main.tf b/examples/import_only_example/main.tf index 969ee13..f0a7745 100644 --- a/examples/import_only_example/main.tf +++ b/examples/import_only_example/main.tf @@ -21,7 +21,7 @@ resource "random_pet" "main" { } module "kms" { - source = "nb-goog/kms/google" + source = "../.." project_id = var.project_id keyring = random_pet.main.id From 0076c7ac674362d4df75c1461b639ba7f58431d2 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Tue, 19 Nov 2024 14:36:11 +0000 Subject: [PATCH 16/38] correcting variables --- examples/bucket_setup_using_autokey/README.md | 2 +- examples/bucket_setup_using_autokey/variables.tf | 1 + test/setup/outputs.tf | 4 ++++ 3 files changed, 6 insertions(+), 1 deletion(-) 
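Review bot: Changing examples/import_only_example/main.tf from `source = "../.."` to `source = "nb-goog/kms/google"` points the in-repo example at a registry module under a personal namespace with no `version` constraint, so the example stops testing this repository's code and instead pulls whatever that namespace publishes at init time; that is a supply-chain exposure for anyone who runs the example, and it has no relation to the commit's stated purpose of correcting the test. The following commit ("correcting import key exa") restores `source = "../.."`, which is the right state, so this change reads as an accidental local edit that should not have been committed. Examples that live inside the module repository should keep referencing the repo root so the registry namespace cannot drift in by mistake.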
diff --git a/examples/bucket_setup_using_autokey/README.md b/examples/bucket_setup_using_autokey/README.md index 24a5ed8..ad90643 100644 --- a/examples/bucket_setup_using_autokey/README.md +++ b/examples/bucket_setup_using_autokey/README.md @@ -7,7 +7,7 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| bucket\_location | The gcp location where storage bucket will be created | `string` | n/a | yes | +| bucket\_location | The gcp location where storage bucket will be created | `string` | `"us-central1"` | no | | folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | | kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | | resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | diff --git a/examples/bucket_setup_using_autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf index 5242672..cc02c2a 100644 --- a/examples/bucket_setup_using_autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf @@ -32,4 +32,5 @@ variable "resource_project_id" { variable "bucket_location" { type = string description = "The gcp location where storage bucket will be created" + default = "us-central1" } diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 2ed4ad5..5bf5c7a 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -18,6 +18,10 @@ output "kms_project_id" { value = module.project_ci_kms.project_id } +output "project_id" { + value = module.project_ci_kms.project_id +} + output "resource_project_id" { value = module.autokey_resource_project.project_id } From f328806d04df070ce3e8e4e2d3bf6298d6d1c564 Mon Sep 17 00:00:00 2001 
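Review bot: test/setup/outputs.tf now exports both `kms_project_id` and the new `project_id` with the identical value `module.project_ci_kms.project_id`, and nothing explains why two names are needed, so the next maintainer will likely remove one as a duplicate. If `project_id` exists because the shared integration harness reads that output name (presumably the reason, since the examples themselves use `kms_project_id`), record it: `# Alias of kms_project_id; kept because the shared test harness reads the "project_id" output.` Giving `bucket_location` a default of `us-central1` and marking it optional in the README is applied consistently across the two files in the first and second hunks.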
From: Nikhil Bhoyar Date: Mon, 2 Dec 2024 10:19:02 +0530 Subject: [PATCH 17/38] package name change --- examples/autokey_setup/main.tf | 2 +- examples/bucket_setup_using_autokey/main.tf | 12 ++++++------ test/integration/autokey_setup/autokey_setup_test.go | 4 ++-- .../bucket_setup_using_autokey_test.go | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index d5dbc4b..ad1202b 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,7 +15,7 @@ */ module "autokey" { - source = "./../..//modules/autokey" + source = "../../modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index c4cc9f0..410c556 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -15,8 +15,8 @@ */ module "autokey" { - source = "./../..//modules/autokey" - + source = "../../modules/autokey" + autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id } @@ -28,11 +28,11 @@ resource "random_string" "suffix" { } resource "google_kms_key_handle" "bucket_keyhandle" { - provider = google-beta - name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" + provider = google-beta + name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" project = var.resource_project_id location = var.bucket_location - resource_type_selector = "storage.googleapis.com/Bucket" + resource_type_selector = "storage.googleapis.com/Bucket" lifecycle { ignore_changes = [name] 
@@ -43,7 +43,7 @@ module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "8.0" - name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" + name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" project_id = var.resource_project_id location = var.bucket_location encryption = { diff --git a/test/integration/autokey_setup/autokey_setup_test.go b/test/integration/autokey_setup/autokey_setup_test.go index e69e208..b1663a5 100755 --- a/test/integration/autokey_setup/autokey_setup_test.go +++ b/test/integration/autokey_setup/autokey_setup_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package autokey_example +package autokey_setup import ( "context" @@ -33,7 +33,7 @@ func validateKeyHandleVersion(input string, projectId string, autokeyResource st return regex.MatchString(input) } -func TestAutokeyExample(t *testing.T) { +func TestAutokeySetup(t *testing.T) { bpt := tft.NewTFBlueprintTest(t) bpt.DefineVerify(func(assert *assert.Assertions) { bpt.DefaultVerify(assert) diff --git a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go index 46d8da8..3d7150d 100755 --- a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go +++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package autokey_example +package bucket_setup_using_autokey import ( "context" 
@@ -34,7 +34,7 @@ func validateKeyHandleVersion(input string, projectId string, autokeyResource st return regex.MatchString(input) } -func TestAutokeyExample(t *testing.T) { +func TestBucketSetupUsingAutokey(t *testing.T) { bpt := tft.NewTFBlueprintTest(t) bpt.DefineVerify(func(assert *assert.Assertions) { bpt.DefaultVerify(assert) From ed731b988662600525151f7323fc4ad50fd4bef0 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Mon, 2 Dec 2024 05:01:39 +0000 Subject: [PATCH 18/38] fmt --- examples/autokey_setup/main.tf | 2 +- examples/bucket_setup_using_autokey/main.tf | 12 ++++++------ .../bucket_setup_using_autokey_test.go | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index ad1202b..1063bdc 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,7 +15,7 @@ */ module "autokey" { - source = "../../modules/autokey" + source = "../../modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 410c556..ba39976 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -15,8 +15,8 @@ */ module "autokey" { - source = "../../modules/autokey" - + source = "../../modules/autokey" + autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id } 
@@ -28,11 +28,11 @@ resource "random_string" "suffix" { } resource "google_kms_key_handle" "bucket_keyhandle" { - provider = google-beta - name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" + provider = google-beta + name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}" project = var.resource_project_id location = var.bucket_location - resource_type_selector = "storage.googleapis.com/Bucket" + resource_type_selector = "storage.googleapis.com/Bucket" lifecycle { ignore_changes = [name] @@ -43,7 +43,7 @@ module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" version = "8.0" - name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" + name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" project_id = var.resource_project_id location = var.bucket_location encryption = { diff --git a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go index 3d7150d..8e79585 100755 --- a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go +++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go @@ -39,7 +39,7 @@ func TestBucketSetupUsingAutokey(t *testing.T) { bpt.DefineVerify(func(assert *assert.Assertions) { bpt.DefaultVerify(assert) - projectId := bpt.GetStringOutput("autokey_project_id") + projectId := bpt.GetStringOutput("kms_project_id") autokeyConfig := bpt.GetStringOutput("autokey_config_id") autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("resource_project_number") From 7fc4a22a4d645ac0b02a51e7095a5925ef8b5402 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Thu, 5 Dec 2024 09:51:45 +0530 Subject: [PATCH 19/38] integrate test for bucket keyhandle --- examples/bucket_setup_using_autokey/main.tf | 7 +++ .../bucket_setup_using_autokey_test.go | 49 +++---------------- 2 files changed, 14 insertions(+), 42 deletions(-) diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index ba39976..ce61d51 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -21,6 +21,12 @@ module "autokey" { autokey_folder_number = var.folder_id } +# Wait delay for autokey configuration. +resource "time_sleep" "wait_autokey_config" { + create_duration = "20s" + depends_on = [module.autokey] +} + resource "random_string" "suffix" { length = 4 special = false @@ -37,6 +43,7 @@ resource "google_kms_key_handle" "bucket_keyhandle" { lifecycle { ignore_changes = [name] } + depends_on = [time_sleep.wait_autokey_config] } module "bucket" { diff --git a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go index 8e79585..c44eae3 100755 --- a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go +++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go @@ -15,17 +15,13 @@ package bucket_setup_using_autokey import ( - "context" "fmt" - "io" "regexp" "testing" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/stretchr/testify/assert" - "golang.org/x/oauth2/google" ) func validateKeyHandleVersion(input string, projectId string, autokeyResource string) bool { 
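Review bot: `time_sleep.wait_autokey_config` is a fixed 20-second delay standing in for the asynchronous propagation of the Autokey config and its service-agent IAM bindings; it mitigates the race rather than removing it, and whether 20s is enough is environment-dependent, so the comment should say what is being waited for and that the value is empirical, for example `# Autokey config and service-agent IAM propagate asynchronously; 20s is an empirical wait, not a guarantee.` in place of the current `# Wait delay for autokey configuration.` Wiring the key handle to the sleep via `depends_on` in the second hunk is the right ordering, since creating the key handle is what triggers Autokey's key provisioning. `time_sleep` also pulls in the `hashicorp/time` provider, and nothing in this hunk declares it in `required_providers`; if the example's versions file does not already pin it, `terraform init` will resolve an unconstrained latest version.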
@@ -39,45 +35,14 @@ func TestBucketSetupUsingAutokey(t *testing.T) {
 bpt.DefineVerify(func(assert *assert.Assertions) {
 bpt.DefaultVerify(assert)
 
- projectId := bpt.GetStringOutput("kms_project_id")
- autokeyConfig := bpt.GetStringOutput("autokey_config_id")
- autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("resource_project_number")
+ bucketKeyHandle := bpt.GetJsonOutput("bucket_keyhandle")
+ bucketName := bpt.GetStringOutput("bucket_name")
 
- // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API.
- autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig)
-
- httpClient, err := google.DefaultClient(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
-
- if err != nil {
- t.Fatal(err.Error())
- }
-
- resp, err := httpClient.Get(autokeyConfigUrl)
- if err != nil {
- t.Fatal(err.Error())
- }
-
- defer resp.Body.Close()
- body, err := io.ReadAll(resp.Body)
- if err != nil {
- t.Fatal(err.Error())
- }
-
- result := utils.ParseJSONResult(t, string(body))
-
- // Asserting if Autokey configuration was enabled with correct kms project id
- autokeyConfigProject := result.Get("keyProject").String()
- assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", projectId), "autokey expected for project %s", projectId)
-
- // Asserting if Autokey keyring was created
- op := gcloud.Runf(t, "--project=%s kms keyrings list --location us-central1 --filter name:autokey", projectId).Array()[0].Get("name")
- assert.Contains(op.String(), fmt.Sprintf("projects/%s/locations/us-central1/keyRings/autokey", projectId), "Contains Autokey KeyRing")
-
- // Asserting if Autokey keyHandles were created
- op1 := gcloud.Runf(t, "kms keys list --project=%s --keyring autokey --location us-central1", projectId).Array()
- for _, element := range op1 {
- assert.True(validateKeyHandleVersion(element.Get("primary").Map()["name"].Str, projectId, autokeyResourceProjectNumber.Str), "Contains KeyHandles")
- }
+ 
keyHandleKmsKey := bucketKeyHandle.Get("kms_key").String() + op1 := gcloud.Runf(t, "storage buckets describe gs://%s", bucketName).Array() + bucketKmsKey := op1[0].Map()["default_kms_key"].Str + assert.True(keyHandleKmsKey != "", "Invalid KMS Key generated for bucket keyhandle") + assert.True(bucketKmsKey == keyHandleKmsKey, "KMS Key generated for bucket keyhandle %s is not matching with kms key used in bucket %s", keyHandleKmsKey, bucketKmsKey) }) bpt.Test() From 463052e340587999663234cecc63453bd733defd Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Thu, 5 Dec 2024 19:16:54 +0530 Subject: [PATCH 20/38] correcting autokey setup test --- examples/autokey_setup/outputs.tf | 5 +++++ modules/autokey/main.tf | 1 + 2 files changed, 6 insertions(+) diff --git a/examples/autokey_setup/outputs.tf b/examples/autokey_setup/outputs.tf index 6f5d206..f6e84fe 100644 --- a/examples/autokey_setup/outputs.tf +++ b/examples/autokey_setup/outputs.tf @@ -18,3 +18,8 @@ output "autokey_config_id" { description = "An Autokey configuration identifier." value = module.autokey.autokey_config_id } + +output "kms_project_id" { + description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." + value = var.kms_project_id +} diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index 1a8001f..dcca5e0 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf @@ -19,4 +19,5 @@ resource "google_kms_autokey_config" "primary" { folder = var.autokey_folder_number key_project = "projects/${var.autokey_kms_project_id}" + depends_on = [time_sleep.wait_srv_acc_permissions] } From fd4e5e15d13608b67bbcf22c78febc75493400e6 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Thu, 5 Dec 2024 13:49:56 +0000 Subject: [PATCH 21/38] fmt --- .terraform.lock | 0 modules/autokey/main.tf | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 .terraform.lock 
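Review bot: `op1[0]` indexes the `gcloud storage buckets describe` result without checking that it is non-empty, so a missing bucket or an empty response panics the test instead of failing with a message; add `assert.NotEmpty(op1, "bucket %s not found", bucketName)` (or a `require` variant) before reading `default_kms_key`. The rewritten checks only prove the bucket's `default_kms_key` equals the KeyHandle's `kms_key`; the removed assertions that the key sat in the expected KMS project under the `autokey` keyring have no replacement, and `validateKeyHandleVersion` (still defined in the retained context of the previous hunk) appears to have no caller now, so a handle that resolved to a key in the wrong project would pass. Consider asserting that `keyHandleKmsKey` starts with `projects/<kms project>/locations/<location>/keyRings/autokey/cryptoKeys/`, sourcing the KMS project from the test setup, or pass it through `validateKeyHandleVersion`. As a matter of style, `assert.Equal(keyHandleKmsKey, bucketKmsKey, ...)` prints both values on failure, which `assert.True(bucketKmsKey == keyHandleKmsKey, ...)` does not. The enclosing `TestBucketSetupUsingAutokey` starts outside the hunk.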
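Review bot: The new `depends_on = [time_sleep.wait_srv_acc_permissions]` on `google_kms_autokey_config.primary` encodes an ordering requirement (presumably that the Autokey service agent's IAM grants must exist before the config is created) without a comment, so the next maintainer has no reason not to remove it. Add a why-comment such as `# The service agent's role grants propagate asynchronously; create the Autokey config only after the wait so it does not fail on a fresh apply.` The `time_sleep` resource itself is defined outside this hunk, so its duration and what it depends on cannot be reviewed here.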
diff --git a/.terraform.lock b/.terraform.lock new file mode 100644 index 0000000..e69de29 diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index dcca5e0..e0a7ab3 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf @@ -19,5 +19,5 @@ resource "google_kms_autokey_config" "primary" { folder = var.autokey_folder_number key_project = "projects/${var.autokey_kms_project_id}" - depends_on = [time_sleep.wait_srv_acc_permissions] + depends_on = [time_sleep.wait_srv_acc_permissions] } From 3991e0203402728a79e8d616adda059839500f6e Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Thu, 5 Dec 2024 13:52:57 +0000 Subject: [PATCH 22/38] documentation --- examples/autokey_setup/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/autokey_setup/README.md b/examples/autokey_setup/README.md index 649b248..2413872 100644 --- a/examples/autokey_setup/README.md +++ b/examples/autokey_setup/README.md @@ -15,6 +15,7 @@ This example illustrates how to setup the `autokey` kms submodule for [KMS Autok | Name | Description | |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | +| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | From 8d4b928d7dbe6ff59c92d8ca96c4ea61707dec72 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar
Date: Wed, 11 Dec 2024 16:06:17 +0530
Subject: [PATCH 23/38] Removing redundant variable kms_project_id from setup

---
 .terraform.lock | 0
 examples/autokey_setup/variables.tf | 4 +--
 examples/bucket_setup_using_autokey/main.tf | 2 +-
 .../bucket_setup_using_autokey/outputs.tf | 4 +--
 .../bucket_setup_using_autokey/variables.tf | 8 ++---
 modules/autokey/README.md | 3 +-
 test/fixtures/autokey_setup_fixture/main.tf | 5 +++
 .../fixtures/autokey_setup_fixture/outputs.tf | 25 +++++++++++++
 .../autokey_setup_fixture/variables.tf | 26 ++++++++++++++
 .../main.tf | 7 ++++
 .../outputs.tf | 25 +++++++++++++
 .../variables.tf | 36 +++++++++++++++++++
 test/setup/outputs.tf | 4 ---
 13 files changed, 134 insertions(+), 15 deletions(-)
 delete mode 100644 .terraform.lock
 create mode 100644 test/fixtures/autokey_setup_fixture/main.tf
 create mode 100644 test/fixtures/autokey_setup_fixture/outputs.tf
 create mode 100644 test/fixtures/autokey_setup_fixture/variables.tf
 create mode 100644 test/fixtures/bucket_setup_using_autokey_fixture/main.tf
 create mode 100644 test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf
 create mode 100644 test/fixtures/bucket_setup_using_autokey_fixture/variables.tf

diff --git a/.terraform.lock b/.terraform.lock
deleted file mode 100644
index e69de29..0000000
diff --git a/examples/autokey_setup/variables.tf b/examples/autokey_setup/variables.tf
index 8639df6..9dabd4b 100644
--- a/examples/autokey_setup/variables.tf
+++ b/examples/autokey_setup/variables.tf
@@ -15,12 +15,12 @@ */ variable "kms_project_id" { - description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." + description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." type = string } variable "folder_id" { type = string - description = "The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey." + description = "The ID of the folder for which to configure and enable Autokey feature." } diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index ce61d51..1ba6c08 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -48,7 +48,7 @@ resource "google_kms_key_handle" "bucket_keyhandle" { module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "8.0" + version = "~> 8.0.3" name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" project_id = var.resource_project_id diff --git a/examples/bucket_setup_using_autokey/outputs.tf b/examples/bucket_setup_using_autokey/outputs.tf index 2a77391..9e5ed94 100644 --- a/examples/bucket_setup_using_autokey/outputs.tf +++ b/examples/bucket_setup_using_autokey/outputs.tf @@ -15,11 +15,11 @@ */ output "bucket_keyhandle" { - description = "An Autokey configuration identifier." + description = "Keyhandle configuration created for the bucket." value = resource.google_kms_key_handle.bucket_keyhandle } output "bucket_name" { - description = "A map of KeyHandles created." + description = "Name of the bucket created." value = module.bucket.name } diff --git a/examples/bucket_setup_using_autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf index cc02c2a..8e973f4 100644 --- a/examples/bucket_setup_using_autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf 
@@ -15,22 +15,22 @@ */ variable "kms_project_id" { - description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." + description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." type = string } variable "folder_id" { type = string - description = "The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey." + description = "The ID of the folder for which to configure and enable Autokey feature." } variable "resource_project_id" { - description = "The ID of the project in which to provision resources (bucket, persistent disk, etc)" + description = "The ID of the project in which to provision cloud storage bucket resource." type = string } variable "bucket_location" { type = string - description = "The gcp location where storage bucket will be created" + description = "The GCP location where storage bucket will be created" default = "us-central1" } diff --git a/modules/autokey/README.md b/modules/autokey/README.md index bd18d0a..ef6d37d 100644 --- a/modules/autokey/README.md +++ b/modules/autokey/README.md 
@@ -1,7 +1,6 @@ # Autokey submodule -This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature simple to be used. This submodule will create the [Autokey Config](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) for an existing folder where you want to enable Autokey, set up the Cloud KMS [service agent](https://cloud.google.com/kms/docs/enable-autokey#autokey-service-agent) on an existing key project and create [Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) for existing resource projects. - +This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature simple to be used. This submodule will create the [Autokey Config](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) for an existing folder where you want to enable Autokey, set up the Cloud KMS [service agent](https://cloud.google.com/kms/docs/enable-autokey#autokey-service-agent) on an existing key project. ## Inputs diff --git a/test/fixtures/autokey_setup_fixture/main.tf b/test/fixtures/autokey_setup_fixture/main.tf new file mode 100644 index 0000000..85dbf31 --- /dev/null +++ b/test/fixtures/autokey_setup_fixture/main.tf @@ -0,0 +1,5 @@ +module "autokey_setup_fixture" { + source = "../../../examples/autokey_setup" + kms_project_id = var.project_id + folder_id = var.folder_id +} diff --git a/test/fixtures/autokey_setup_fixture/outputs.tf b/test/fixtures/autokey_setup_fixture/outputs.tf new file mode 100644 index 0000000..e2818f9 --- /dev/null +++ b/test/fixtures/autokey_setup_fixture/outputs.tf 
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "autokey_config_id" {
+ description = "An Autokey configuration identifier."
+ value = module.autokey_setup_fixture.autokey_config_id
+}
+
+output "kms_project_id" {
+ description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+ value = var.project_id
+}
diff --git a/test/fixtures/autokey_setup_fixture/variables.tf b/test/fixtures/autokey_setup_fixture/variables.tf
new file mode 100644
index 0000000..d992660
--- /dev/null
+++ b/test/fixtures/autokey_setup_fixture/variables.tf
@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+ type = string
+}
+
+variable "folder_id" {
+ description = "The ID of the folder for which to configure and enable Autokey feature."
+ type = string
+
+}
diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/main.tf b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf
new file mode 100644
index 0000000..7938f22
--- /dev/null
+++ b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf
@@ -0,0 +1,7 @@
+module "bucket_setup_using_autokey_fixture" {
+ source = "../../../examples/bucket_setup_using_autokey"
+ kms_project_id = var.project_id
+ folder_id = var.folder_id
+ resource_project_id = var.resource_project_id
+ bucket_location = var.bucket_location
+}
diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf b/test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf
new file mode 100644
index 0000000..bc53167
--- /dev/null
+++ b/test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket_keyhandle" {
+ description = "Keyhandle configuration created for the bucket."
+ value = module.bucket_setup_using_autokey_fixture.bucket_keyhandle
+}
+
+output "bucket_name" {
+ description = "Name of the bucket created."
+ value = module.bucket_setup_using_autokey_fixture.bucket_name
+}
diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/variables.tf b/test/fixtures/bucket_setup_using_autokey_fixture/variables.tf
new file mode 100644
index 0000000..68cddfa
--- /dev/null
+++ b/test/fixtures/bucket_setup_using_autokey_fixture/variables.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+ type = string
+}
+
+variable "folder_id" {
+ type = string
+ description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+
+variable "resource_project_id" {
+ description = "The ID of the project in which to provision cloud storage bucket resources."
+ type = string
+}
+
+variable "bucket_location" {
+ type = string
+ description = "The GCP location where storage bucket will be created"
+ default = "us-central1"
+}
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index 5bf5c7a..2d9a328 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
@@ -14,10 +14,6 @@
  * limitations under the License.
  */
 
-output "kms_project_id" {
- value = module.project_ci_kms.project_id
-}
-
 output "project_id" {
 value = module.project_ci_kms.project_id
 }
From 985eb3feabc07bc343fb19b55d2364599bc87150 Mon Sep 17 00:00:00 2001
From: Nikhil Bhoyar Date: Wed, 11 Dec 2024 10:46:14 +0000 Subject: [PATCH 24/38] fmt --- examples/autokey_setup/README.md | 4 +-- examples/bucket_setup_using_autokey/README.md | 12 ++++----- test/fixtures/autokey_setup_fixture/main.tf | 21 +++++++++++++--- .../autokey_setup_fixture/variables.tf | 2 +- .../main.tf | 25 +++++++++++++++---- 5 files changed, 47 insertions(+), 17 deletions(-) diff --git a/examples/autokey_setup/README.md b/examples/autokey_setup/README.md index 2413872..eb8e06e 100644 --- a/examples/autokey_setup/README.md +++ b/examples/autokey_setup/README.md @@ -7,8 +7,8 @@ This example illustrates how to setup the `autokey` kms submodule for [KMS Autok | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | -| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | +| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | ## Outputs diff --git a/examples/bucket_setup_using_autokey/README.md b/examples/bucket_setup_using_autokey/README.md index ad90643..6cffd0c 100644 --- a/examples/bucket_setup_using_autokey/README.md +++ b/examples/bucket_setup_using_autokey/README.md 
@@ -7,17 +7,17 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| bucket\_location | The gcp location where storage bucket will be created | `string` | `"us-central1"` | no | -| folder\_id | The ID of the folder for which to configure and enable Autokey feature. Required when using Autokey. | `string` | n/a | yes | -| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | `string` | n/a | yes | -| resource\_project\_id | The ID of the project in which to provision resources (bucket, persistent disk, etc) | `string` | n/a | yes | +| bucket\_location | The GCP location where storage bucket will be created | `string` | `"us-central1"` | no | +| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes | +| kms\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | +| resource\_project\_id | The ID of the project in which to provision cloud storage bucket resource. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| bucket\_keyhandle | An Autokey configuration identifier. | -| bucket\_name | A map of KeyHandles created. | +| bucket\_keyhandle | Keyhandle configuration created for the bucket. | +| bucket\_name | Name of the bucket created. | diff --git a/test/fixtures/autokey_setup_fixture/main.tf b/test/fixtures/autokey_setup_fixture/main.tf index 85dbf31..49c53bf 100644 --- a/test/fixtures/autokey_setup_fixture/main.tf +++ b/test/fixtures/autokey_setup_fixture/main.tf 
@@ -1,5 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 module "autokey_setup_fixture" {
- source = "../../../examples/autokey_setup"
- kms_project_id = var.project_id
- folder_id = var.folder_id
+ source = "../../../examples/autokey_setup"
+ kms_project_id = var.project_id
+ folder_id = var.folder_id
 }
diff --git a/test/fixtures/autokey_setup_fixture/variables.tf b/test/fixtures/autokey_setup_fixture/variables.tf
index d992660..4340480 100644
--- a/test/fixtures/autokey_setup_fixture/variables.tf
+++ b/test/fixtures/autokey_setup_fixture/variables.tf
@@ -20,7 +20,7 @@ variable "project_id" {
 }
 
 variable "folder_id" {
- description = "The ID of the folder for which to configure and enable Autokey feature."
+ description = "The ID of the folder for which to configure and enable Autokey feature."
 type = string
 
 }
diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/main.tf b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf
index 7938f22..80c2755 100644
--- a/test/fixtures/bucket_setup_using_autokey_fixture/main.tf
+++ b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf
@@ -1,7 +1,22 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 module "bucket_setup_using_autokey_fixture" {
- source = "../../../examples/bucket_setup_using_autokey"
- kms_project_id = var.project_id
- folder_id = var.folder_id
- resource_project_id = var.resource_project_id
- bucket_location = var.bucket_location
+ source = "../../../examples/bucket_setup_using_autokey"
+ kms_project_id = var.project_id
+ folder_id = var.folder_id
+ resource_project_id = var.resource_project_id
+ bucket_location = var.bucket_location
 }
From c6a05cd7afdf0e48f70ffcbe00be4bdec9765c1b Mon Sep 17 00:00:00 2001
From: Nikhil Bhoyar
Date: Wed, 11 Dec 2024 17:18:11 +0530
Subject: [PATCH 25/38] removing script and guidance file for migrating terraform-google-autokey module

---
 docs/importing_autokey_key_handles.md | 54 ----------------
 scripts/create_autokey_tfvars_file.sh | 64 -------------------
 scripts/export_autokey_env_vars.sh | 89 ---------------------------
 scripts/import_autokey_state.sh | 43 -------------
 scripts/unset_autokey_env_vars.sh | 31 ----------
 5 files changed, 281 deletions(-)
 delete mode 100644 docs/importing_autokey_key_handles.md
 delete mode 100755 scripts/create_autokey_tfvars_file.sh
 delete mode 100644 scripts/export_autokey_env_vars.sh
 delete mode 100755 scripts/import_autokey_state.sh
 delete mode 100755 scripts/unset_autokey_env_vars.sh
diff --git a/docs/importing_autokey_key_handles.md b/docs/importing_autokey_key_handles.md deleted file mode 100644 index aebb0af..0000000 --- a/docs/importing_autokey_key_handles.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Importing Autokey Key Handles Guidance - -If you have any existing [Autokey Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) previously created using [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module, it is recommended to import them to [autokey submodule](../modules/autokey/README.md) Terraform state by following the steps below. - -**Note:** You don't need to import the existing state for [Autokey configuration](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) resource. The [autokey submodule](../modules/autokey/README.md) apply process will handle that automatically. - -**Note 2:** These instructions were made using [terraform-google-autokey v1.1.1](https://github.com/GoogleCloudPlatform/terraform-google-autokey/releases/tag/v1.1.1) as reference. Future releases versions might require changes in this document. - -**WARNING:** [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module can be used to create your Autokey folder, Autokey KMS project, Autokey resource project and additional resources (e.g: a Cloud Storage Bucket configured with Autokey), so **DO NOT RUN** a `terraform destroy` for the existing module, even after the Key Handle import process is completed. - -## Getting the existing Autokey state from terraform-google-autokey module -1. Run `cd REPLACE-WITH-YOUR-PATH` to your `terraform-google-autokey/examples/cloud_autokey_example` local module path; - 1. If you didn't use `examples/cloud_autokey_example`, make sure you update the output names in the script according your terraform files and the relative path in the command below. -1. 
Run the following helper script to perform `terraform output` and export the Autokey folder number, Autokey Key project, KeyHandle's names, locations and resource projects as environment variables: - ```shell - cp ../../../terraform-google-kms/scripts/export_autokey_env_vars.sh . - chmod +x export_autokey_env_vars.sh - source ./export_autokey_env_vars.sh - ``` - **Note:** You must see values set for echos: `AUTOKEY_FOLDER_NUMBER` and `AUTOKEY_KMS_PROJECT_ID`. - - **Note 2:** You must see values just for the KeyHandles you have deployed. In other words: If you just have a KeyHandle for Bigquery, you'll just see values for: `AUTOKEY_BQ_KEY_HANDLE_PROJECT`, `AUTOKEY_BQ_KEY_HANDLE_LOCATION` and `AUTOKEY_BQ_KEY_HANDLE_NAME` echos. - -## Creating the .tfvars file -1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; -1. Run the following helper script to automate the `terraform output` file creation: - ```shell - chmod +x ../../scripts/create_autokey_tfvars_file.sh - ../../scripts/create_autokey_tfvars_file.sh - ``` - -## Importing the existing Autokey state from terraform-google-autokey module using autokey submodule -1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; -1. Run the following helper script to automate the `terraform import` process: - ```shell - chmod +x ../../scripts/import_autokey_state.sh - ../../scripts/import_autokey_state.sh - ``` -1. **Note:** For each import, you should receive the following output: - ``` - Import successful! - - The resources that were imported are shown above. These resources are now in - your Terraform state and will henceforth be managed by Terraform. - ``` -1. Run `terraform plan`. -1. Run `terraform apply`. **You have successfully imported the Autokey configuration and KeyHandle states**. - -## Cleaning your local environment -1. 
Run the following helper script to unset all the environment variables used in this import process: - ```shell - chmod +x ../../scripts/unset_autokey_env_vars.sh - source ../../scripts/unset_autokey_env_vars.sh - ``` diff --git a/scripts/create_autokey_tfvars_file.sh b/scripts/create_autokey_tfvars_file.sh deleted file mode 100755 index cd56a52..0000000 --- a/scripts/create_autokey_tfvars_file.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -echo ---------------------------------------------- -echo Starting terraform.tfvars file creation -echo ---------------------------------------------- - -echo " -project_id = $AUTOKEY_KMS_PROJECT_ID -autokey_folder_number = \"$AUTOKEY_FOLDER_NUMBER\" -autokey_handles = { -" > terraform.tfvars - -if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then - echo " - bq_dataset = { - name = \"$AUTOKEY_BQ_KEY_HANDLE_NAME\", - project = \"$AUTOKEY_BQ_KEY_HANDLE_PROJECT\", - resource_type_selector = \"bigquery.googleapis.com/Dataset\", - location = \"$AUTOKEY_BQ_KEY_HANDLE_LOCATION\" - }, -" >> terraform.tfvars -fi -if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then - echo " - compute_disk = { - name = \"$AUTOKEY_DISK_KEY_HANDLE_NAME\", - project = \"$AUTOKEY_DISK_KEY_HANDLE_PROJECT\", - resource_type_selector = \"compute.googleapis.com/Disk\", - location = \"$AUTOKEY_DISK_KEY_HANDLE_LOCATION\" - }, -" >> terraform.tfvars -fi -if [ -n "$AUTOKEY_GCS_KEY_HANDLE_NAME" ]; then - echo " - gcs_bucket = { - name = \"$AUTOKEY_GCS_KEY_HANDLE_NAME\", - project = \"$AUTOKEY_GCS_KEY_HANDLE_PROJECT\", - resource_type_selector = \"storage.googleapis.com/Bucket\", - location = \"$AUTOKEY_GCS_KEY_HANDLE_LOCATION\" - }, -" >> terraform.tfvars -fi - -echo " -} -" >> terraform.tfvars - -echo ---------------------------------------------- -echo terraform.tfvars file created -echo 
---------------------------------------------- diff --git a/scripts/export_autokey_env_vars.sh b/scripts/export_autokey_env_vars.sh deleted file mode 100644 index 213ec15..0000000 --- a/scripts/export_autokey_env_vars.sh +++ /dev/null 
@@ -1,89 +0,0 @@
-#!/bin/bash
-
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-echo ----------------------------------------------
-echo Getting Autokey config and project
-echo ----------------------------------------------
-
-# terraform output format: "folders/{FOLDER_NUMBER}/autokeyConfig". That's why we cut just the second element.
-AUTOKEY_FOLDER_NUMBER=$(terraform output -raw autokey_config | cut -d'/' -f2)
-export AUTOKEY_FOLDER_NUMBER
-
-AUTOKEY_KMS_PROJECT_ID=$(echo "module.autokey.key_project_id" | terraform console)
-export AUTOKEY_KMS_PROJECT_ID
-
-echo AUTOKEY_FOLDER_NUMBER: "$AUTOKEY_FOLDER_NUMBER"
-echo AUTOKEY_KMS_PROJECT_ID: "$AUTOKEY_KMS_PROJECT_ID"
-
-echo ----------------------------------------------
-echo Getting Bigquery Dataset KeyHandle
-echo ----------------------------------------------
-
-# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
-# That's why we have the cut operation.
-
-AUTOKEY_BQ_KEY_HANDLE_PROJECT=$(terraform output -raw bq_key_handle | cut -d'/' -f2)
-export AUTOKEY_BQ_KEY_HANDLE_PROJECT
-
-AUTOKEY_BQ_KEY_HANDLE_LOCATION=$(terraform output -raw bq_key_handle | cut -d'/' -f4)
-export AUTOKEY_BQ_KEY_HANDLE_LOCATION
-
-AUTOKEY_BQ_KEY_HANDLE_NAME=$(terraform output -raw bq_key_handle | cut -d'/' -f6)
-export AUTOKEY_BQ_KEY_HANDLE_NAME
-
-echo AUTOKEY_BQ_KEY_HANDLE_PROJECT: "$AUTOKEY_BQ_KEY_HANDLE_PROJECT"
-echo AUTOKEY_BQ_KEY_HANDLE_LOCATION: "$AUTOKEY_BQ_KEY_HANDLE_LOCATION"
-echo AUTOKEY_BQ_KEY_HANDLE_NAME: "$AUTOKEY_BQ_KEY_HANDLE_NAME"
-
-echo ----------------------------------------------
-echo Getting Compute Disk KeyHandle
-echo ----------------------------------------------
-
-# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
-# That's why we have the cut operation.
-
-AUTOKEY_DISK_KEY_HANDLE_PROJECT=$(terraform output -raw disk_key_handle | cut -d'/' -f2)
-export AUTOKEY_DISK_KEY_HANDLE_PROJECT
-
-AUTOKEY_DISK_KEY_HANDLE_LOCATION=$(terraform output -raw disk_key_handle | cut -d'/' -f4)
-export AUTOKEY_DISK_KEY_HANDLE_LOCATION
-
-AUTOKEY_DISK_KEY_HANDLE_NAME=$(terraform output -raw disk_key_handle | cut -d'/' -f6)
-export AUTOKEY_DISK_KEY_HANDLE_NAME
-
-echo AUTOKEY_DISK_KEY_HANDLE_PROJECT: "$AUTOKEY_DISK_KEY_HANDLE_PROJECT"
-echo AUTOKEY_DISK_KEY_HANDLE_LOCATION: "$AUTOKEY_DISK_KEY_HANDLE_LOCATION"
-echo AUTOKEY_DISK_KEY_HANDLE_NAME: "$AUTOKEY_DISK_KEY_HANDLE_NAME"
-
-echo ----------------------------------------------
-echo Getting Storage Bucket KeyHandle
-echo ----------------------------------------------
-
-# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}".
-# That's why we have the cut operation.
-
-AUTOKEY_GCS_KEY_HANDLE_PROJECT=$(terraform output -raw gcs_key_handle | cut -d'/' -f2)
-export AUTOKEY_GCS_KEY_HANDLE_PROJECT
-
-AUTOKEY_GCS_KEY_HANDLE_LOCATION=$(terraform output -raw gcs_key_handle | cut -d'/' -f4)
-export AUTOKEY_GCS_KEY_HANDLE_LOCATION
-
-AUTOKEY_GCS_KEY_HANDLE_NAME=$(terraform output -raw gcs_key_handle | cut -d'/' -f6)
-export AUTOKEY_GCS_KEY_HANDLE_NAME
-
-echo AUTOKEY_GCS_KEY_HANDLE_PROJECT: "$AUTOKEY_GCS_KEY_HANDLE_PROJECT"
-echo AUTOKEY_GCS_KEY_HANDLE_LOCATION: "$AUTOKEY_GCS_KEY_HANDLE_LOCATION"
-echo AUTOKEY_GCS_KEY_HANDLE_NAME: "$AUTOKEY_GCS_KEY_HANDLE_NAME"
diff --git a/scripts/import_autokey_state.sh b/scripts/import_autokey_state.sh deleted file mode 100755
index adaadc1..0000000
--- a/scripts/import_autokey_state.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-echo ----------------------------------------------
-echo Starting terraform init process
-echo ----------------------------------------------
-
-terraform init
-
-echo ----------------------------------------------
-echo terraform init process completed
-echo ----------------------------------------------
-
-echo ----------------------------------------------
-echo Starting terraform import process
-echo ----------------------------------------------
-
-if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then
-terraform import google_kms_key_handle.primary\[\"bq_dataset\"\] projects/"$AUTOKEY_BQ_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_BQ_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_BQ_KEY_HANDLE_NAME"
-fi
-if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
-terraform import google_kms_key_handle.primary\[\"compute_disk\"\] projects/"$AUTOKEY_DISK_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_DISK_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_DISK_KEY_HANDLE_NAME"
-fi
-if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
-terraform import google_kms_key_handle.primary\[\"gcs_bucket\"\] projects/"$AUTOKEY_GCS_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_GCS_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_GCS_KEY_HANDLE_NAME"
-fi
-
-echo ----------------------------------------------
-echo terraform import completed
-echo ----------------------------------------------
diff --git a/scripts/unset_autokey_env_vars.sh b/scripts/unset_autokey_env_vars.sh deleted file mode 100755 index c892f74..0000000 --- a/scripts/unset_autokey_env_vars.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -unset AUTOKEY_FOLDER_NUMBER -unset AUTOKEY_KMS_PROJECT_ID -unset AUTOKEY_BQ_KEY_HANDLE_PROJECT -unset AUTOKEY_BQ_KEY_HANDLE_LOCATION -unset AUTOKEY_BQ_KEY_HANDLE_NAME -unset AUTOKEY_DISK_KEY_HANDLE_PROJECT -unset AUTOKEY_DISK_KEY_HANDLE_LOCATION -unset AUTOKEY_DISK_KEY_HANDLE_NAME -unset AUTOKEY_GCS_KEY_HANDLE_PROJECT -unset AUTOKEY_GCS_KEY_HANDLE_LOCATION -unset AUTOKEY_GCS_KEY_HANDLE_NAME - -echo ---------------------------------------------- -echo unset env vars process completed -echo ---------------------------------------------- From c8663612c90db31dfd6e2a6e529a9063b7e1269e Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Wed, 11 Dec 2024 17:35:06 +0530 Subject: [PATCH 26/38] correcting test --- test/integration/autokey_setup/autokey_setup_test.go | 2 +- .../bucket_setup_using_autokey_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/autokey_setup/autokey_setup_test.go b/test/integration/autokey_setup/autokey_setup_test.go index b1663a5..7760533 100755 --- a/test/integration/autokey_setup/autokey_setup_test.go +++ b/test/integration/autokey_setup/autokey_setup_test.go 
@@ -34,7 +34,7 @@ func validateKeyHandleVersion(input string, projectId string, autokeyResource st } func TestAutokeySetup(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/autokey_setup_fixture"),) bpt.DefineVerify(func(assert *assert.Assertions) { bpt.DefaultVerify(assert) diff --git a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go index c44eae3..51ffc7c 100755 --- a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go +++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go @@ -31,7 +31,7 @@ func validateKeyHandleVersion(input string, projectId string, autokeyResource st } func TestBucketSetupUsingAutokey(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/bucket_setup_using_autokey_fixture"),) bpt.DefineVerify(func(assert *assert.Assertions) { bpt.DefaultVerify(assert) From 74ff65ff76e2390dd6c1eebe2c729f02021a6a3a Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Wed, 18 Dec 2024 00:44:23 +0530 Subject: [PATCH 27/38] Documentation and version change --- docs/upgrading_to_v4.0.md | 7 +++++++ examples/autokey_setup/main.tf | 5 +++-- examples/bucket_setup_using_autokey/main.tf | 5 +++-- 3 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 docs/upgrading_to_v4.0.md diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md new file mode 100644 index 0000000..76e4547 --- /dev/null +++ b/docs/upgrading_to_v4.0.md 
@@ -0,0 +1,7 @@ +# Upgrading to v4.0 +The v4.0 release of *kms* is a backwards incompatible release. + +### Autokey Submodule +The current users of Autokey submodules needs to +- Switch `project_id` to `autokey_kms_project_id` +- Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/). \ No newline at end of file diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index 1063bdc..efc64c6 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,8 +15,9 @@ */ module "autokey" { - source = "../../modules/autokey" - + source = "terraform-google-modules/terraform-google-kms/google//modules/autokey" + version = "~> 4.0" + autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id } diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 1ba6c08..99ebf92 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -15,7 +15,8 @@ */ module "autokey" { - source = "../../modules/autokey" + source = "terraform-google-modules/terraform-google-kms/google//modules/autokey" + version = "~> 4.0" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id @@ -48,7 +49,7 @@ resource "google_kms_key_handle" "bucket_keyhandle" { module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 8.0.3" + version = "~> 9.0" name = "${var.resource_project_id}-bucket-${random_string.suffix.result}" project_id = var.resource_project_id From 5f8b0aa8fbceb684b3ef859b3c55e190eef77116 Mon Sep 17 00:00:00 2001 
From: Nikhil Bhoyar Date: Wed, 18 Dec 2024 04:13:10 +0000 Subject: [PATCH 28/38] reverting autokey module reference to dir based in examples --- docs/upgrading_to_v4.0.md | 3 ++- examples/autokey_setup/main.tf | 5 ++--- examples/bucket_setup_using_autokey/main.tf | 3 +-- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md index 76e4547..b1f820f 100644 --- a/docs/upgrading_to_v4.0.md +++ b/docs/upgrading_to_v4.0.md @@ -4,4 +4,5 @@ The v4.0 release of *kms* is a backwards incompatible release. ### Autokey Submodule The current users of Autokey submodules needs to - Switch `project_id` to `autokey_kms_project_id` -- Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/). \ No newline at end of file +- Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/). + diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index efc64c6..d5dbc4b 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,9 +15,8 @@ */ module "autokey" { - source = "terraform-google-modules/terraform-google-kms/google//modules/autokey" - version = "~> 4.0" - + source = "./../..//modules/autokey" + autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id } diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 99ebf92..d7bda8c 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf 
@@ -15,8 +15,7 @@ */ module "autokey" { - source = "terraform-google-modules/terraform-google-kms/google//modules/autokey" - version = "~> 4.0" + source = "./../..//modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id From c478e594fe2484d394b051cb9631e34ced2cf44f Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Wed, 18 Dec 2024 23:45:54 +0530 Subject: [PATCH 29/38] restoring module path --- examples/autokey_setup/main.tf | 3 +-- examples/bucket_setup_using_autokey/main.tf | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index d5dbc4b..29593bf 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,8 +15,7 @@ */ module "autokey" { - source = "./../..//modules/autokey" - + source = "terraform-google-modules/kms/google//modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id } diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index d7bda8c..2520055 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -15,7 +15,7 @@ */ module "autokey" { - source = "./../..//modules/autokey" + source = "terraform-google-modules/kms/google//modules/autokey" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id From 1e225e59d32cb5de9283845eeef9ffd55f668e61 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Thu, 19 Dec 2024 00:15:30 +0530 Subject: [PATCH 30/38] adding version --- examples/autokey_setup/main.tf | 2 ++ examples/bucket_setup_using_autokey/main.tf | 1 + 2 files changed, 3 insertions(+) diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index 29593bf..d1752d4 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf 
@@ -16,6 +16,8 @@ module "autokey" { source = "terraform-google-modules/kms/google//modules/autokey" + version = "~> 4.0" + autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id } diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 2520055..f4f20c7 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -16,6 +16,7 @@ module "autokey" { source = "terraform-google-modules/kms/google//modules/autokey" + version = "~> 4.0" autokey_kms_project_id = var.kms_project_id autokey_folder_number = var.folder_id From 6569373959fe1a05d2bf5b11b46e2388f593c9c7 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Wed, 18 Dec 2024 18:46:36 +0000 Subject: [PATCH 31/38] fmt --- examples/bucket_setup_using_autokey/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index f4f20c7..9815f25 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -15,7 +15,7 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" + source = "terraform-google-modules/kms/google//modules/autokey" version = "~> 4.0" autokey_kms_project_id = var.kms_project_id From 6546bcc577e1caf874a1963cea09cdc767c4e2e7 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Sat, 21 Dec 2024 10:47:29 +0530 Subject: [PATCH 32/38] renaming autokey_kms_project_id to key_project_id --- docs/upgrading_to_v4.0.md | 2 +- examples/autokey_setup/main.tf | 2 +- examples/bucket_setup_using_autokey/main.tf | 2 +- modules/autokey/iam.tf | 4 ++-- modules/autokey/main.tf | 2 +- modules/autokey/variables.tf | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md index b1f820f..f923e90 100644 --- a/docs/upgrading_to_v4.0.md 
+++ b/docs/upgrading_to_v4.0.md @@ -3,6 +3,6 @@ The v4.0 release of *kms* is a backwards incompatible release. ### Autokey Submodule The current users of Autokey submodules needs to -- Switch `project_id` to `autokey_kms_project_id` +- Switch `project_id` to `key_project_id` - Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/). diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index d1752d4..3fba981 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -18,7 +18,7 @@ module "autokey" { source = "terraform-google-modules/kms/google//modules/autokey" version = "~> 4.0" - autokey_kms_project_id = var.kms_project_id + key_project_id = var.kms_project_id autokey_folder_number = var.folder_id } diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index 9815f25..c39d5d8 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -18,7 +18,7 @@ module "autokey" { source = "terraform-google-modules/kms/google//modules/autokey" version = "~> 4.0" - autokey_kms_project_id = var.kms_project_id + key_project_id = var.kms_project_id autokey_folder_number = var.folder_id } diff --git a/modules/autokey/iam.tf b/modules/autokey/iam.tf index da05c14..4ce64c9 100644 --- a/modules/autokey/iam.tf +++ b/modules/autokey/iam.tf @@ -15,7 +15,7 @@ */ data "google_project" "kms_project" { - project_id = var.autokey_kms_project_id + project_id = var.key_project_id } #Create KMS Service Agent 
@@ -36,7 +36,7 @@ resource "time_sleep" "wait_service_agent" { resource "google_project_iam_member" "autokey_project_admin" { provider = google-beta - project = var.autokey_kms_project_id + project = var.key_project_id role = "roles/cloudkms.admin" member = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com" depends_on = [time_sleep.wait_service_agent] diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index e0a7ab3..50eb321 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf @@ -18,6 +18,6 @@ resource "google_kms_autokey_config" "primary" { provider = google-beta folder = var.autokey_folder_number - key_project = "projects/${var.autokey_kms_project_id}" + key_project = "projects/${var.key_project_id}" depends_on = [time_sleep.wait_srv_acc_permissions] } diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 0593f66..ac2f5db 100644 --- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -14,7 +14,7 @@ * limitations under the License. */ -variable "autokey_kms_project_id" { +variable "key_project_id" { description = "The ID of the project in which kms keyrings and keys will be provisioned by the Autokey." type = string } From f2f1f5a45bd64c6d4283ac94d0145ef5a4af5b25 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Sat, 21 Dec 2024 10:57:00 +0530 Subject: [PATCH 33/38] renaming kms_project_id to key_project_id --- examples/autokey_setup/main.tf | 2 +- examples/autokey_setup/outputs.tf | 4 ++-- examples/autokey_setup/variables.tf | 2 +- examples/bucket_setup_using_autokey/main.tf | 2 +- examples/bucket_setup_using_autokey/variables.tf | 2 +- test/fixtures/autokey_setup_fixture/main.tf | 2 +- test/fixtures/autokey_setup_fixture/outputs.tf | 2 +- test/fixtures/bucket_setup_using_autokey_fixture/main.tf | 2 +- test/integration/autokey_setup/autokey_setup_test.go | 4 ++-- 9 files changed, 11 insertions(+), 11 deletions(-) 
diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index 3fba981..05fa018 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -18,7 +18,7 @@ module "autokey" { source = "terraform-google-modules/kms/google//modules/autokey" version = "~> 4.0" - key_project_id = var.kms_project_id + key_project_id = var.key_project_id autokey_folder_number = var.folder_id } diff --git a/examples/autokey_setup/outputs.tf b/examples/autokey_setup/outputs.tf index f6e84fe..a879da4 100644 --- a/examples/autokey_setup/outputs.tf +++ b/examples/autokey_setup/outputs.tf @@ -19,7 +19,7 @@ output "autokey_config_id" { value = module.autokey.autokey_config_id } -output "kms_project_id" { +output "key_project_id" { description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." - value = var.kms_project_id + value = var.key_project_id } diff --git a/examples/autokey_setup/variables.tf b/examples/autokey_setup/variables.tf index 9dabd4b..e671a03 100644 --- a/examples/autokey_setup/variables.tf +++ b/examples/autokey_setup/variables.tf @@ -14,7 +14,7 @@ * limitations under the License. */ -variable "kms_project_id" { +variable "key_project_id" { description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." type = string } diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index c39d5d8..ad9ddd0 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -18,7 +18,7 @@ module "autokey" { source = "terraform-google-modules/kms/google//modules/autokey" version = "~> 4.0" - key_project_id = var.kms_project_id + key_project_id = var.key_project_id autokey_folder_number = var.folder_id } diff --git a/examples/bucket_setup_using_autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf index 8e973f4..5d3082f 100644 
--- a/examples/bucket_setup_using_autokey/variables.tf +++ b/examples/bucket_setup_using_autokey/variables.tf @@ -14,7 +14,7 @@ * limitations under the License. */ -variable "kms_project_id" { +variable "key_project_id" { description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." type = string } diff --git a/test/fixtures/autokey_setup_fixture/main.tf b/test/fixtures/autokey_setup_fixture/main.tf index 49c53bf..c1d0000 100644 --- a/test/fixtures/autokey_setup_fixture/main.tf +++ b/test/fixtures/autokey_setup_fixture/main.tf @@ -15,6 +15,6 @@ */ module "autokey_setup_fixture" { source = "../../../examples/autokey_setup" - kms_project_id = var.project_id + key_project_id = var.project_id folder_id = var.folder_id } diff --git a/test/fixtures/autokey_setup_fixture/outputs.tf b/test/fixtures/autokey_setup_fixture/outputs.tf index e2818f9..150795a 100644 --- a/test/fixtures/autokey_setup_fixture/outputs.tf +++ b/test/fixtures/autokey_setup_fixture/outputs.tf @@ -19,7 +19,7 @@ output "autokey_config_id" { value = module.autokey_setup_fixture.autokey_config_id } -output "kms_project_id" { +output "key_project_id" { description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." value = var.project_id } diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/main.tf b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf index 80c2755..9d1f04a 100644 --- a/test/fixtures/bucket_setup_using_autokey_fixture/main.tf +++ b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf @@ -15,7 +15,7 @@ */ module "bucket_setup_using_autokey_fixture" { source = "../../../examples/bucket_setup_using_autokey" - kms_project_id = var.project_id + key_project_id = var.project_id folder_id = var.folder_id resource_project_id = var.resource_project_id bucket_location = var.bucket_location 
diff --git a/test/integration/autokey_setup/autokey_setup_test.go b/test/integration/autokey_setup/autokey_setup_test.go index 7760533..d8574cb 100755 --- a/test/integration/autokey_setup/autokey_setup_test.go +++ b/test/integration/autokey_setup/autokey_setup_test.go @@ -34,11 +34,11 @@ func validateKeyHandleVersion(input string, projectId string, autokeyResource st } func TestAutokeySetup(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/autokey_setup_fixture"),) + bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/autokey_setup_fixture")) bpt.DefineVerify(func(assert *assert.Assertions) { bpt.DefaultVerify(assert) - kmsProjectId := bpt.GetStringOutput("kms_project_id") + kmsProjectId := bpt.GetStringOutput("key_project_id") autokeyConfig := bpt.GetStringOutput("autokey_config_id") // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API. From d80f643350c2096bd0f080d24775a3654519d4fe Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Sat, 21 Dec 2024 05:29:17 +0000 Subject: [PATCH 34/38] fmt --- examples/autokey_setup/README.md | 4 ++-- examples/autokey_setup/main.tf | 6 +++--- examples/bucket_setup_using_autokey/README.md | 2 +- examples/bucket_setup_using_autokey/main.tf | 4 ++-- modules/autokey/README.md | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/autokey_setup/README.md b/examples/autokey_setup/README.md index eb8e06e..45e2861 100644 --- a/examples/autokey_setup/README.md +++ b/examples/autokey_setup/README.md 
@@ -8,14 +8,14 @@ This example illustrates how to setup the `autokey` kms submodule for [KMS Autok | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes | -| kms\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | +| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | -| kms\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | +| key\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf index 05fa018..ba893b8 100644 --- a/examples/autokey_setup/main.tf +++ b/examples/autokey_setup/main.tf @@ -15,10 +15,10 @@ */ module "autokey" { - source = "terraform-google-modules/kms/google//modules/autokey" + source = "terraform-google-modules/kms/google//modules/autokey" version = "~> 4.0" - key_project_id = var.key_project_id - autokey_folder_number = var.folder_id + key_project_id = var.key_project_id + autokey_folder_number = var.folder_id } diff --git a/examples/bucket_setup_using_autokey/README.md b/examples/bucket_setup_using_autokey/README.md index 6cffd0c..711c277 100644 --- a/examples/bucket_setup_using_autokey/README.md +++ b/examples/bucket_setup_using_autokey/README.md 
@@ -9,7 +9,7 @@ This example illustrates how to use the `autokey` kms submodule for [KMS Autokey |------|-------------|------|---------|:--------:| | bucket\_location | The GCP location where storage bucket will be created | `string` | `"us-central1"` | no | | folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes | -| kms\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | +| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | | resource\_project\_id | The ID of the project in which to provision cloud storage bucket resource. | `string` | n/a | yes | ## Outputs diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf index ad9ddd0..8abb460 100644 --- a/examples/bucket_setup_using_autokey/main.tf +++ b/examples/bucket_setup_using_autokey/main.tf @@ -18,8 +18,8 @@ module "autokey" { source = "terraform-google-modules/kms/google//modules/autokey" version = "~> 4.0" - key_project_id = var.key_project_id - autokey_folder_number = var.folder_id + key_project_id = var.key_project_id + autokey_folder_number = var.folder_id } # Wait delay for autokey configuration. diff --git a/modules/autokey/README.md b/modules/autokey/README.md index ef6d37d..59d223e 100644 --- a/modules/autokey/README.md +++ b/modules/autokey/README.md 
@@ -7,7 +7,7 @@ This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/doc | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | autokey\_folder\_number | The folder number on which autokey will be configured and enabled. Required when using Autokey. | `string` | n/a | yes | -| autokey\_kms\_project\_id | The ID of the project in which kms keyrings and keys will be provisioned by the Autokey. | `string` | n/a | yes | +| key\_project\_id | The ID of the project in which kms keyrings and keys will be provisioned by the Autokey. | `string` | n/a | yes | ## Outputs From 88dbadba7dc9151d3361beb1bc14ee7befc5bf56 Mon Sep 17 00:00:00 2001 From: Nikhil Bhoyar Date: Fri, 27 Dec 2024 20:52:09 +0530 Subject: [PATCH 35/38] adding process to reimport the autokey config --- docs/upgrading_to_v4.0.md | 8 +++++++- test/integration/autokey_setup/autokey_setup_test.go | 7 ------- .../bucket_setup_using_autokey_test.go | 10 +--------- 3 files changed, 8 insertions(+), 17 deletions(-) diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md index f923e90..8915c23 100644 --- a/docs/upgrading_to_v4.0.md +++ b/docs/upgrading_to_v4.0.md 
@@ -3,6 +3,12 @@ The v4.0 release of *kms* is a backwards incompatible release. ### Autokey Submodule The current users of Autokey submodules needs to -- Switch `project_id` to `key_project_id` +- Switch `project_id` to `key_project_id` (For steps check [here](#to-migrate-from-project_id-to-key_project_id)) - Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/). + +### To Migrate from `project_id` to `key_project_id` + +1. Retrieve the autokey config id: Run `terraform state show module.autokey.google_kms_autokey_config.primary` and copy the resulting `id` field from the cli output to notepad +2. Delete autokey config from the state: run `terraform state rm module.autokey.google_kms_autokey_config.primary` +3. Import the autokey config id: Run `terraform import module.autokey.google_kms_autokey_config.primary ""` \ No newline at end of file diff --git a/test/integration/autokey_setup/autokey_setup_test.go b/test/integration/autokey_setup/autokey_setup_test.go index d8574cb..8f2deaa 100755 --- a/test/integration/autokey_setup/autokey_setup_test.go +++ b/test/integration/autokey_setup/autokey_setup_test.go @@ -18,7 +18,6 @@ import ( "context" "fmt" "io" - "regexp" "testing" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" 
@@ -27,12 +26,6 @@ import (
 "golang.org/x/oauth2/google"
 )
 
-func validateKeyHandleVersion(input string, projectId string, autokeyResource string) bool {
- pattern := fmt.Sprintf(`^projects/%s/locations/us-central1/keyRings/autokey/cryptoKeys/%s-(bigquery-dataset|compute-disk|storage-bucket)-.*?/cryptoKeyVersions/1$`, projectId, autokeyResource)
- regex := regexp.MustCompile(pattern)
- return regex.MatchString(input)
-}
-
 func TestAutokeySetup(t *testing.T) {
 bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/autokey_setup_fixture"))
 bpt.DefineVerify(func(assert *assert.Assertions) {
diff --git a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go
index 51ffc7c..fedd0ee 100755
--- a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go
+++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go
@@ -15,8 +15,6 @@
 package bucket_setup_using_autokey
 
 import (
- "fmt"
- "regexp"
 "testing"
 
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
@@ -24,14 +22,8 @@ import (
 "github.com/stretchr/testify/assert"
 )
 
-func validateKeyHandleVersion(input string, projectId string, autokeyResource string) bool {
- pattern := fmt.Sprintf(`^projects/%s/locations/us-central1/keyRings/autokey/cryptoKeys/%s-(bigquery-dataset|compute-disk|storage-bucket)-.*?/cryptoKeyVersions/1$`, projectId, autokeyResource)
- regex := regexp.MustCompile(pattern)
- return regex.MatchString(input)
-}
-
 func TestBucketSetupUsingAutokey(t *testing.T) {
- bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/bucket_setup_using_autokey_fixture"),)
+ bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/bucket_setup_using_autokey_fixture"))
 bpt.DefineVerify(func(assert *assert.Assertions) {
 bpt.DefaultVerify(assert)
 
From 1c1e42c4603039ef7d6bc34a46a68057ad5946a1 Mon Sep 17 00:00:00 2001
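Review bot: With validateKeyHandleVersion deleted from both test files, nothing visible on the new side of TestAutokeySetup or TestBucketSetupUsingAutokey still asserts that the keys behind the created key handles sit in the expected key project's `autokey` key ring (the removed pattern pinned `projects/<key project>/locations/us-central1/keyRings/autokey/cryptoKeys/...`); if its callers were dropped in an earlier patch, that placement check is gone rather than replaced. For a CMEK setup this is the assertion that matters most, so the DefineVerify bodies, which continue outside these hunks, should compare each key handle's reported KMS key resource name against the fixture's key project rather than relying on DefaultVerify alone, e.g. `assert.Regexp("^projects/"+keyProject+"/locations/us-central1/keyRings/autokey/cryptoKeys/", kmsKeyName)` (keyProject and kmsKeyName are constructed names standing for the fixture output and the key handle's key). The same point applies to the `@@ -24,14 +22,8 @@` hunk in bucket_setup_using_autokey_test.go.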
From: Nikhil Bhoyar
Date: Fri, 27 Dec 2024 15:31:36 +0000
Subject: [PATCH 36/38] fmt

---
 docs/upgrading_to_v4.0.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md
index 8915c23..85b0611 100644
--- a/docs/upgrading_to_v4.0.md
+++ b/docs/upgrading_to_v4.0.md
@@ -11,4 +11,5 @@ The current users of Autokey submodules needs to
 
 1. Retrieve the autokey config id: Run `terraform state show module.autokey.google_kms_autokey_config.primary` and copy the resulting `id` field from the cli output to notepad
 2. Delete autokey config from the state: run `terraform state rm module.autokey.google_kms_autokey_config.primary`
-3. Import the autokey config id: Run `terraform import module.autokey.google_kms_autokey_config.primary ""`
\ No newline at end of file
+3. Import the autokey config id: Run `terraform import module.autokey.google_kms_autokey_config.primary ""`
+
From 0124e61def070f29432849d24be877ed035a9459 Mon Sep 17 00:00:00 2001
From: Nikhil Bhoyar
Date: Tue, 31 Dec 2024 12:21:56 +0530
Subject: [PATCH 37/38] addressing comments

---
 docs/upgrading_to_v4.0.md | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md
index 85b0611..2e38b3d 100644
--- a/docs/upgrading_to_v4.0.md
+++ b/docs/upgrading_to_v4.0.md
@@ -7,9 +7,15 @@ The current users of Autokey submodules needs to
 - Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/).
-### To Migrate from `project_id` to `key_project_id`
+### To Migrate from v3.0 to v4.0
+Using V3.0 of Autokey modules if you have created keyhandles and wants to use them with V4.0 version then they need to be imported using below steps
+
+1. Retrieve the keyhandles created:
+ - Run `terraform state list module.autokey.google_kms_key_handle.primary` to list all keyhandles created using v3.0
+ - For each item in the output of above CLI, run `terraform state show 'module.autokey.google_kms_key_handle.primary[""]'` and copy the resulting `id` field from the cli output to notepad
+2. Delete all keyhandles from the state: run `terraform state rm module.autokey.google_kms_key_handle.primary`
+3. Update the main root module to use V4.0 version. Add the keyhandle config definition to the main root module for all the keyhandle found in step1.
+4. Import all the keyhandles configs using id copied in setp1 to the terraform state
+ - for each keyhandle id found in step1, Run `terraform import resource.google_kms_key_handle. ""`
 
-1. Retrieve the autokey config id: Run `terraform state show module.autokey.google_kms_autokey_config.primary` and copy the resulting `id` field from the cli output to notepad
-2. Delete autokey config from the state: run `terraform state rm module.autokey.google_kms_autokey_config.primary`
-3. Import the autokey config id: Run `terraform import module.autokey.google_kms_autokey_config.primary ""`
 
From 4e2b03aaabe81f4e05d0fc9bb9eaf57f2baf2e9d Mon Sep 17 00:00:00 2001
From: Bharath KKB
Date: Tue, 31 Dec 2024 13:38:10 -0600
Subject: [PATCH 38/38] Update docs/upgrading_to_v4.0.md

---
 docs/upgrading_to_v4.0.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md
index 2e38b3d..f20be05 100644
--- a/docs/upgrading_to_v4.0.md
+++ b/docs/upgrading_to_v4.0.md
@@ -3,7 +3,7 @@ The v4.0 release of *kms* is a backwards incompatible release.
 ### Autokey Submodule
 The current users of Autokey submodules needs to
-- Switch `project_id` to `key_project_id` (For steps check [here](#to-migrate-from-project_id-to-key_project_id))
+- Switch `project_id` to `key_project_id`
 - Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/).