add support for additive IAM roles to KMS (#417)
parent
ea17e65652
commit
4b500c2366
@ -17,7 +17,7 @@ module "kms" {
|
||||||
source = "./modules/kms"
|
source = "./modules/kms"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
iam = {
|
iam = {
|
||||||
"roles/owner" = ["user:user1@example.com"]
|
"roles/cloudkms.admin" = ["user:user1@example.com"]
|
||||||
}
|
}
|
||||||
keyring = { location = "europe-west1", name = "test" }
|
keyring = { location = "europe-west1", name = "test" }
|
||||||
keyring_create = false
|
keyring_create = false
|
||||||
|
@ -32,9 +32,21 @@ module "kms" {
|
||||||
module "kms" {
|
module "kms" {
|
||||||
source = "./modules/kms"
|
source = "./modules/kms"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
|
iam_additive = {
|
||||||
|
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||||
|
"user:user1@example.com", "user:user2@example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
key_iam = {
|
key_iam = {
|
||||||
key-a = {
|
key-a = {
|
||||||
"roles/owner" = ["user:user1@example.com"]
|
"roles/cloudkms.admin" = ["user:user3@example.com"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
key_iam_additive = {
|
||||||
|
key-b = {
|
||||||
|
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||||
|
"user:user4@example.com", "user:user5@example.com"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
keyring = { location = "europe-west1", name = "test" }
|
keyring = { location = "europe-west1", name = "test" }
|
||||||
|
@ -44,7 +56,7 @@ module "kms" {
|
||||||
key-c = { rotation_period = null, labels = { env = "test" } }
|
key-c = { rotation_period = null, labels = { env = "test" } }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest:modules=1:resources=5
|
# tftest:modules=1:resources=9
|
||||||
```
|
```
|
||||||
|
|
||||||
### Crypto key purpose
|
### Crypto key purpose
|
||||||
|
@ -77,8 +89,10 @@ module "kms" {
|
||||||
|---|---|:---:|:---:|:---:|
|
|---|---|:---:|:---:|:---:|
|
||||||
| keyring | Keyring attributes. | <code title="object({ location = string name = string })">object({…})</code> | ✓ | |
|
| keyring | Keyring attributes. | <code title="object({ location = string name = string })">object({…})</code> | ✓ | |
|
||||||
| project_id | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
| project_id | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
||||||
| iam | Keyring IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| iam | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| key_iam | Key IAM bindings for topic in {KEY => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
| iam_additive | Keyring IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
|
| key_iam | Key IAM bindings in {KEY => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||||
|
| key_iam_additive | Key IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||||
| key_purpose | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="map(object({ purpose = string version_template = object({ algorithm = string protection_level = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
| key_purpose | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="map(object({ purpose = string version_template = object({ algorithm = string protection_level = string }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| key_purpose_defaults | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="object({ purpose = string version_template = object({ algorithm = string protection_level = string }) })">object({…})</code> | | <code title="{ purpose = null version_template = null }">{…}</code> |
|
| key_purpose_defaults | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="object({ purpose = string version_template = object({ algorithm = string protection_level = string }) })">object({…})</code> | | <code title="{ purpose = null version_template = null }">{…}</code> |
|
||||||
| keyring_create | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> | | <code>true</code> |
|
| keyring_create | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> | | <code>true</code> |
|
||||||
|
@ -97,3 +111,6 @@ module "kms" {
|
||||||
|
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,25 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
iam_additive_members = flatten([
|
||||||
|
for role, members in var.iam_additive : [
|
||||||
|
for member in members : {
|
||||||
|
member = member
|
||||||
|
role = role
|
||||||
|
}
|
||||||
|
]
|
||||||
|
])
|
||||||
|
key_iam_additive_members = flatten([
|
||||||
|
for key, roles in var.key_iam_additive : [
|
||||||
|
for role, members in roles : [
|
||||||
|
for member in members : {
|
||||||
|
key = key
|
||||||
|
member = member
|
||||||
|
role = role
|
||||||
|
}
|
||||||
|
]
|
||||||
|
]
|
||||||
|
])
|
||||||
key_iam_members = flatten([
|
key_iam_members = flatten([
|
||||||
for key, roles in var.key_iam : [
|
for key, roles in var.key_iam : [
|
||||||
for role, members in roles : {
|
for role, members in roles : {
|
||||||
|
@ -57,6 +76,16 @@ resource "google_kms_key_ring_iam_binding" "default" {
|
||||||
members = each.value
|
members = each.value
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_kms_key_ring_iam_member" "default" {
|
||||||
|
for_each = {
|
||||||
|
for binding in local.iam_additive_members :
|
||||||
|
"${binding.role}${binding.member}" => binding
|
||||||
|
}
|
||||||
|
key_ring_id = local.keyring.id
|
||||||
|
role = each.value.role
|
||||||
|
member = each.value.member
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_kms_crypto_key" "default" {
|
resource "google_kms_crypto_key" "default" {
|
||||||
for_each = var.keys
|
for_each = var.keys
|
||||||
key_ring = local.keyring.id
|
key_ring = local.keyring.id
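Review bot: The new `google_kms_key_ring_iam_member` resource shares the keyring with the existing `google_kms_key_ring_iam_binding` above it, and nothing prevents the same role from appearing in both `var.iam` and `var.iam_additive`; the provider documents the binding resource as authoritative for its role, so an overlap would have the binding drop the additive members on every apply and the member resources re-add them, leaving a permanent diff. Since a variable `validation` block cannot reference another variable, this is best stated as a comment above the resource, e.g. `# Additive bindings. A role listed in var.iam_additive must not also appear in var.iam: the iam_binding above is authoritative for its role and would remove these members on each apply.` The same caveat applies to `google_kms_crypto_key_iam_member` against `google_kms_crypto_key_iam_binding` in the next hunk, and is worth a sentence in the `iam_additive`/`key_iam_additive` variable descriptions as well.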
|
||||||
|
@ -82,3 +111,13 @@ resource "google_kms_crypto_key_iam_binding" "default" {
|
||||||
crypto_key_id = google_kms_crypto_key.default[each.value.key].id
|
crypto_key_id = google_kms_crypto_key.default[each.value.key].id
|
||||||
members = each.value.members
|
members = each.value.members
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_kms_crypto_key_iam_member" "default" {
|
||||||
|
for_each = {
|
||||||
|
for binding in local.key_iam_additive_members :
|
||||||
|
"${binding.key}.${binding.role}${binding.member}" => binding
|
||||||
|
}
|
||||||
|
role = each.value.role
|
||||||
|
crypto_key_id = google_kms_crypto_key.default[each.value.key].id
|
||||||
|
member = each.value.member
|
||||||
|
}
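Review bot: The `for_each` key `"${binding.key}.${binding.role}${binding.member}"` separates key and role with `.` but runs role and member together, and the keyring variant in the previous hunk (`"${binding.role}${binding.member}"`) has no separator at all; a collision is unlikely given member prefixes such as `user:`, but the resulting addresses are hard to read in plan output. A consistent delimiter that cannot appear in a role name, e.g. `"${binding.key}:${binding.role}:${binding.member}"` and `"${binding.role}:${binding.member}"`, would make each address unambiguous, and since both resources are new in this commit there is no state to migrate. Separately, `google_kms_crypto_key.default[each.value.key]` fails at plan time with an unhelpful index error when a key named in `key_iam_additive` is absent from `var.keys`; that mirrors the existing `key_iam` behaviour but deserves a note in the new variable's description.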
|
||||||
|
|
|
@ -15,13 +15,25 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "iam" {
|
variable "iam" {
|
||||||
description = "Keyring IAM bindings for topic in {ROLE => [MEMBERS]} format."
|
description = "Keyring IAM bindings in {ROLE => [MEMBERS]} format."
|
||||||
|
type = map(list(string))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "iam_additive" {
|
||||||
|
description = "Keyring IAM additive bindings in {ROLE => [MEMBERS]} format."
|
||||||
type = map(list(string))
|
type = map(list(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "key_iam" {
|
variable "key_iam" {
|
||||||
description = "Key IAM bindings for topic in {KEY => {ROLE => [MEMBERS]}} format."
|
description = "Key IAM bindings in {KEY => {ROLE => [MEMBERS]}} format."
|
||||||
|
type = map(map(list(string)))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "key_iam_additive" {
|
||||||
|
description = "Key IAM additive bindings in {ROLE => [MEMBERS]} format."
|
||||||
type = map(map(list(string)))
|
type = map(map(list(string)))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
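Review bot: The description of `key_iam_additive` says `{ROLE => [MEMBERS]}` but its type is `map(map(list(string)))` and the local in main.tf iterates key, then role, then member, so the documented shape is wrong; it should match `key_iam` two blocks above, `description = "Key IAM additive bindings in {KEY => {ROLE => [MEMBERS]}} format."`. The same wrong string was generated into the README variables table in this commit and should be regenerated after the fix.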
|
||||||
|
|