Fix tests for new KMS IAM interface

2023-09-16 18:58:07 +02:00 · 2023-09-16 18:58:07 +02:00 · 9c878dc9cf
parent da883bab8c
commit 9c878dc9cf
9 changed files with 113 additions and 108 deletions
--- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/kms.tf
+++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/kms.tf
@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -21,26 +21,27 @@ module "kms" {
    location = var.region
  }
  keys = {
-    key-df  = null
-    key-gcs = null
-    key-bq  = null
-  }
-  key_iam = {
-    key-gcs = {
-      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-        "serviceAccount:${module.project.service_accounts.robots.storage}"
-      ]
-    },
-    key-bq = {
-      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-        "serviceAccount:${module.project.service_accounts.robots.bq}"
-      ]
-    },
    key-df = {
-      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-        "serviceAccount:${module.project.service_accounts.robots.dataflow}",
-        "serviceAccount:${module.project.service_accounts.robots.compute}",
-      ]
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+          "serviceAccount:${module.project.service_accounts.robots.dataflow}",
+          "serviceAccount:${module.project.service_accounts.robots.compute}",
+        ]
+      }
+    }
+    key-gcs = {
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+          "serviceAccount:${module.project.service_accounts.robots.storage}"
+        ]
+      }
+    }
+    key-bq = {
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+          "serviceAccount:${module.project.service_accounts.robots.bq}"
+        ]
+      }
    }
  }
 }
--- a/blueprints/data-solutions/shielded-folder/kms.tf
+++ b/blueprints/data-solutions/shielded-folder/kms.tf
@ -17,12 +17,17 @@
 # tfdoc:file:description Security project, Cloud KMS and Secret Manager resources.

 locals {
+  # list of locations with keys
  kms_locations = distinct(flatten([
    for k, v in var.kms_keys : v.locations
  ]))
+  # map { location -> { key_name -> key_details } }
  kms_locations_keys = {
-    for loc in local.kms_locations : loc => {
-      for k, v in var.kms_keys : k => v if contains(v.locations, loc)
+    for loc in local.kms_locations :
+    loc => {
+      for k, v in var.kms_keys :
+      k => v
+      if contains(v.locations, loc)
    }
  }
  kms_log_locations = distinct(flatten([
@ -30,17 +35,14 @@ locals {
  ]))
  kms_log_sink_keys = {
    "storage" = {
-      labels          = {}
      locations       = [var.log_locations.storage]
      rotation_period = "7776000s"
    }
    "bq" = {
-      labels          = {}
      locations       = [var.log_locations.bq]
      rotation_period = "7776000s"
    }
    "pubsub" = {
-      labels          = {}
      locations       = [var.log_locations.pubsub]
      rotation_period = "7776000s"
    }
@ -88,12 +90,6 @@ module "sec-kms" {
    location = each.key
    name     = "sec-${each.key}"
  }
-  key_iam = {
-    for k, v in local.kms_locations_keys[each.key] : k => v.iam
-  }
-  key_iam_bindings_additive = {
-    for k, v in local.kms_locations_keys[each.key] : k => v.iam_bindings_additive
-  }
  keys = local.kms_locations_keys[each.key]
 }

--- a/blueprints/data-solutions/shielded-folder/variables.tf
+++ b/blueprints/data-solutions/shielded-folder/variables.tf
@ -75,11 +75,35 @@ variable "groups" {
 variable "kms_keys" {
  description = "KMS keys to create, keyed by name."
  type = map(object({
-    iam                   = optional(map(list(string)), {})
-    iam_bindings_additive = optional(map(map(any)), {})
-    labels                = optional(map(string), {})
-    locations             = optional(list(string), ["global", "europe", "europe-west1"])
-    rotation_period       = optional(string, "7776000s")
+    labels                        = optional(map(string))
+    locations                     = optional(list(string), ["global", "europe", "europe-west1"])
+    rotation_period               = optional(string, "7776000s")
+    purpose                       = optional(string, "ENCRYPT_DECRYPT")
+    skip_initial_version_creation = optional(bool, false)
+    version_template = optional(object({
+      algorithm        = string
+      protection_level = optional(string, "SOFTWARE")
+    }))
+
+    iam = optional(map(list(string)), {})
+    iam_bindings = optional(map(object({
+      members = list(string)
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+
  }))
  default = {}
 }
@ -92,12 +116,7 @@ variable "log_locations" {
    logging = optional(string, "global")
    pubsub  = optional(string, "global")
  })
-  default = {
-    bq      = "europe"
-    storage = "europe"
-    logging = "global"
-    pubsub  = null
-  }
+  default  = {}
  nullable = false
 }

--- a/blueprints/gke/binauthz/main.tf
+++ b/blueprints/gke/binauthz/main.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -115,20 +115,16 @@ module "kms" {
  project_id     = module.project.project_id
  keyring        = { location = var.region, name = "test-keyring" }
  keyring_create = true
-  keys           = { test-key = null }
-  key_purpose = {
+  keys = {
    test-key = {
      purpose = "ASYMMETRIC_SIGN"
      version_template = {
-        algorithm        = "RSA_SIGN_PKCS1_4096_SHA512"
-        protection_level = null
+        algorithm = "RSA_SIGN_PKCS1_4096_SHA512"
+      }
+      iam = {
+        "roles/cloudkms.publicKeyViewer" = [module.image_cb_sa.iam_email]
+        "roles/cloudkms.signer"          = [module.image_cb_sa.iam_email]
      }
-    }
-  }
-  key_iam = {
-    test-key = {
-      "roles/cloudkms.publicKeyViewer" = [module.image_cb_sa.iam_email]
-      "roles/cloudkms.signer"          = [module.image_cb_sa.iam_email]
    }
  }
 }
--- a/fast/stages/2-security/core-dev.tf
+++ b/fast/stages/2-security/core-dev.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -45,10 +45,6 @@ module "dev-sec-kms" {
    location = each.key
    name     = "dev-${each.key}"
  }
-  # rename to `key_iam` to switch to authoritative bindings
-  key_iam = {
-    for k, v in local.kms_locations_keys[each.key] : k => v.iam
-  }
  keys = local.kms_locations_keys[each.key]
 }

--- a/fast/stages/2-security/core-prod.tf
+++ b/fast/stages/2-security/core-prod.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -44,10 +44,6 @@ module "prod-sec-kms" {
    location = each.key
    name     = "prod-${each.key}"
  }
-  # rename to `key_iam` to switch to authoritative bindings
-  key_iam = {
-    for k, v in local.kms_locations_keys[each.key] : k => v.iam
-  }
  keys = local.kms_locations_keys[each.key]
 }

--- a/fast/stages/2-security/main.tf
+++ b/fast/stages/2-security/main.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -15,28 +15,17 @@
 */

 locals {
-  kms_keys = {
-    for k, v in var.kms_keys : k => {
-      iam    = coalesce(v.iam, {})
-      labels = coalesce(v.labels, {})
-      locations = (
-        v.locations == null
-        ? var.kms_defaults.locations
-        : v.locations
-      )
-      rotation_period = (
-        v.rotation_period == null
-        ? var.kms_defaults.rotation_period
-        : v.rotation_period
-      )
-    }
-  }
+  # list of locations with keys
  kms_locations = distinct(flatten([
-    for k, v in local.kms_keys : v.locations
+    for k, v in var.kms_keys : v.locations
  ]))
+  # map { location -> { key_name -> key_details } }
  kms_locations_keys = {
-    for loc in local.kms_locations : loc => {
-      for k, v in local.kms_keys : k => v if contains(v.locations, loc)
+    for loc in local.kms_locations :
+    loc => {
+      for k, v in var.kms_keys :
+      k => v
+      if contains(v.locations, loc)
    }
  }
  project_services = [
--- a/fast/stages/2-security/variables.tf
+++ b/fast/stages/2-security/variables.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -58,27 +58,40 @@ variable "groups" {
  }
 }

-variable "kms_defaults" {
-  description = "Defaults used for KMS keys."
-  type = object({
-    locations       = list(string)
-    rotation_period = string
-  })
-  default = {
-    locations       = ["europe", "europe-west1", "europe-west3", "global"]
-    rotation_period = "7776000s"
-  }
-}
-
 variable "kms_keys" {
-  description = "KMS keys to create, keyed by name. Null attributes will be interpolated with defaults."
+  description = "KMS keys to create, keyed by name."
  type = map(object({
-    iam             = map(list(string))
-    labels          = map(string)
-    locations       = list(string)
-    rotation_period = string
+    rotation_period               = optional(string, "7776000s")
+    labels                        = optional(map(string))
+    locations                     = optional(list(string), ["europe", "europe-west1", "europe-west3", "global"])
+    purpose                       = optional(string, "ENCRYPT_DECRYPT")
+    skip_initial_version_creation = optional(bool, false)
+    version_template = optional(object({
+      algorithm        = string
+      protection_level = optional(string, "SOFTWARE")
+    }))
+
+    iam = optional(map(list(string)), {})
+    iam_bindings = optional(map(object({
+      members = list(string)
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
  }))
-  default = {}
+  default  = {}
+  nullable = false
 }

 variable "organization" {
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@ -116,13 +116,12 @@ module "kms" {
    location = var.region
  }
  keys = {
-    key-sql = null
-  }
-  key_iam = {
    key-sql = {
-      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-        "serviceAccount:${module.project.service_accounts.robots.sqladmin}"
-      ]
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+          "serviceAccount:${module.project.service_accounts.robots.sqladmin}"
+        ]
+      }
    }
  }
 }