Remove *_roles variables in kms module
parent
bf86fb8a96
commit
53cb8359ee
|
@ -79,10 +79,6 @@ module "kms" {
|
|||
location = var.location
|
||||
}
|
||||
keys = { key-gce = null, key-gcs = null }
|
||||
key_iam_roles = {
|
||||
key-gce = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
|
||||
key-gcs = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
|
||||
}
|
||||
key_iam_members = {
|
||||
key-gce = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
|
|
|
@ -120,11 +120,6 @@ module "kms" {
|
|||
location = var.location
|
||||
}
|
||||
keys = { key-gce = null, key-gcs = null, key-bq = null }
|
||||
key_iam_roles = {
|
||||
key-gce = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
|
||||
key-gcs = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
|
||||
key-bq = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
|
||||
}
|
||||
key_iam_members = {
|
||||
key-gce = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
|
@ -155,9 +150,6 @@ module "kms-regional" {
|
|||
location = var.region
|
||||
}
|
||||
keys = { key-df = null }
|
||||
key_iam_roles = {
|
||||
key-df = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
|
||||
}
|
||||
key_iam_members = {
|
||||
key-df = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
|
|
|
@ -16,7 +16,6 @@ In this module **no lifecycle blocks are set on resources to prevent destroy**,
|
|||
module "kms" {
|
||||
source = "../modules/kms"
|
||||
project_id = "my-project"
|
||||
iam_roles = ["roles/owner"]
|
||||
iam_members = {
|
||||
"roles/owner" = ["user:user1@example.com"]
|
||||
}
|
||||
|
@ -32,9 +31,6 @@ module "kms" {
|
|||
module "kms" {
|
||||
source = "../modules/kms"
|
||||
project_id = "my-project"
|
||||
key_iam_roles = {
|
||||
key-a = ["roles/owner"]
|
||||
}
|
||||
key_iam_members = {
|
||||
key-a = {
|
||||
"roles/owner" = ["user:user1@example.com"]
|
||||
|
@ -76,10 +72,8 @@ module "kms" {
|
|||
|---|---|:---: |:---:|:---:|
|
||||
| keyring | Keyring attributes. | <code title="object({ location = string name = string })">object({...})</code> | ✓ | |
|
||||
| project_id | Project id where the keyring will be created. | <code title="">string</code> | ✓ | |
|
||||
| *iam_members* | Keyring IAM members. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | Keyring IAM roles. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
| *key_iam_members* | IAM members keyed by key name and role. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *key_iam_roles* | IAM roles keyed by key name. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_members* | Keyring IAM members. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *key_iam_members* | IAM members keyed by key name and role. | <code title="map(map(set(string)))">map(map(set(string)))</code> | | <code title="">{}</code> |
|
||||
| *key_purpose* | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="map(object({ purpose = string version_template = object({ algorithm = string protection_level = string }) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *key_purpose_defaults* | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | <code title="object({ purpose = string version_template = object({ algorithm = string protection_level = string }) })">object({...})</code> | | <code title="{ purpose = null version_template = null }">...</code> |
|
||||
| *keyring_create* | Set to false to manage keys and IAM bindings in an existing keyring. | <code title="">bool</code> | | <code title="">true</code> |
|
||||
|
|
|
@ -15,14 +15,15 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
key_iam_pairs = flatten([
|
||||
for name, roles in var.key_iam_roles :
|
||||
[for role in roles : { name = name, role = role }]
|
||||
])
|
||||
key_iam_keypairs = {
|
||||
for pair in local.key_iam_pairs :
|
||||
"${pair.name}-${pair.role}" => pair
|
||||
key_iam_members = flatten([
|
||||
for key, roles in var.key_iam_members : [
|
||||
for role, members in roles : {
|
||||
key = key
|
||||
role = role
|
||||
members = members
|
||||
}
|
||||
]
|
||||
])
|
||||
key_purpose = {
|
||||
for key, attrs in var.keys : key => try(
|
||||
var.key_purpose[key], var.key_purpose_defaults
|
||||
|
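Review bot: The new local `key_iam_members` is easy to confuse with `var.key_iam_members`, since it has the same name but a different shape (a flattened list of `{key, role, members}` objects instead of the nested map) and both appear near the binding resource that consumes it. A name that states what it holds, e.g. `key_iam_bindings = flatten([`, would make the distinction visible at the use site. The `locals` block continues past the end of the hunk.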
@ -47,16 +48,13 @@ resource "google_kms_key_ring" "default" {
|
|||
project = var.project_id
|
||||
name = var.keyring.name
|
||||
location = var.keyring.location
|
||||
# lifecycle {
|
||||
# prevent_destroy = true
|
||||
# }
|
||||
}
|
||||
|
||||
resource "google_kms_key_ring_iam_binding" "default" {
|
||||
for_each = toset(var.iam_roles)
|
||||
for_each = var.iam_members
|
||||
key_ring_id = local.keyring.self_link
|
||||
role = each.value
|
||||
members = lookup(var.iam_members, each.value, [])
|
||||
role = each.key
|
||||
members = each.value
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key" "default" {
|
||||
|
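Review bot: Callers that listed a role in `iam_members` without also listing it in `iam_roles` will now get a new binding on apply, because `for_each = var.iam_members` binds every key in the map where the removed code bound only `toset(var.iam_roles)` and ignored the rest. A `google_kms_key_ring_iam_binding` is authoritative for its role, so an entry with an empty set also removes every existing member of that role on the keyring, including members granted outside Terraform. It would help to say so above the resource, e.g. `# one authoritative binding per role: members not listed under that role in var.iam_members are removed`, and to mention the behavior change in the commit description.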
@ -73,16 +71,14 @@ resource "google_kms_crypto_key" "default" {
|
|||
protection_level = local.key_purpose[each.key].version_template.protection_level
|
||||
}
|
||||
}
|
||||
# lifecycle {
|
||||
# prevent_destroy = true
|
||||
# }
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key_iam_binding" "default" {
|
||||
for_each = local.key_iam_keypairs
|
||||
role = each.value.role
|
||||
crypto_key_id = google_kms_crypto_key.default[each.value.name].self_link
|
||||
members = lookup(
|
||||
lookup(var.key_iam_members, each.value.name, {}), each.value.role, []
|
||||
)
|
||||
for_each = {
|
||||
for binding in local.key_iam_members :
|
||||
"${binding.key}.${binding.role}" => binding
|
||||
}
|
||||
role = each.value.role
|
||||
crypto_key_id = google_kms_crypto_key.default[each.value.key].self_link
|
||||
members = each.value.members
|
||||
}
|
||||
|
|
|
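Review bot: Every existing `google_kms_crypto_key_iam_binding.default` instance changes address on upgrade, because the `for_each` key goes from `"${pair.name}-${pair.role}"` to `"${binding.key}.${binding.role}"`, so Terraform will plan a destroy-and-recreate for each key binding. These bindings are authoritative per role, which leaves a window during apply in which the role has no members on the key and encrypt/decrypt calls from the listed service accounts can fail. Keeping the previous separator, `"${binding.key}-${binding.role}" => binding`, avoids the churn; otherwise the upgrade path (a `terraform state mv` per instance, or `moved` blocks if the required Terraform version supports them) should be documented.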
@ -16,25 +16,13 @@
|
|||
|
||||
variable "iam_members" {
|
||||
description = "Keyring IAM members."
|
||||
type = map(list(string))
|
||||
type = map(set(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "Keyring IAM roles."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "key_iam_members" {
|
||||
description = "IAM members keyed by key name and role."
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "key_iam_roles" {
|
||||
description = "IAM roles keyed by key name."
|
||||
type = map(list(string))
|
||||
type = map(map(set(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
|
|
|
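Review bot: The descriptions of `iam_members` and `key_iam_members` still read "Keyring IAM members." and "IAM members keyed by key name and role.", which no longer tells a caller that, with the `*_roles` variables gone, every role key in these maps produces an authoritative IAM binding and an empty set for a role removes all of that role's existing members. Suggested wording: `description = "Keyring IAM members, in {ROLE => [MEMBERS]} format. Each role listed gets an authoritative binding."`, with the equivalent text mentioning the extra key-name level for `key_iam_members`. The type change from `list(string)` to `set(string)` is presumably compatible for callers passing lists, since Terraform converts list to set on variable assignment, but that is worth confirming against the module's required Terraform version.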
@ -17,9 +17,7 @@
|
|||
module "test" {
|
||||
source = "../../../../modules/kms"
|
||||
iam_members = var.iam_members
|
||||
iam_roles = var.iam_roles
|
||||
key_iam_members = var.key_iam_members
|
||||
key_iam_roles = var.key_iam_roles
|
||||
key_purpose = var.key_purpose
|
||||
key_purpose_defaults = var.key_purpose_defaults
|
||||
keyring = var.keyring
|
||||
|
|
|
@ -21,11 +21,6 @@ variable "iam_members" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
type = list(string)
|
||||
default = ["roles/owner"]
|
||||
}
|
||||
|
||||
variable "key_iam_members" {
|
||||
type = map(map(list(string)))
|
||||
default = {
|
||||
|
@ -35,13 +30,6 @@ variable "key_iam_members" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "key_iam_roles" {
|
||||
type = map(list(string))
|
||||
default = {
|
||||
key-a = ["roles/owner"]
|
||||
}
|
||||
}
|
||||
|
||||
variable "key_purpose" {
|
||||
type = map(object({
|
||||
purpose = string
|
||||
|
|