Fix tests for new KMS IAM interface
This commit is contained in:
parent
da883bab8c
commit
9c878dc9cf
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -21,26 +21,27 @@ module "kms" {
|
|||
location = var.region
|
||||
}
|
||||
keys = {
|
||||
key-df = null
|
||||
key-gcs = null
|
||||
key-bq = null
|
||||
}
|
||||
key_iam = {
|
||||
key-gcs = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.storage}"
|
||||
]
|
||||
},
|
||||
key-bq = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.bq}"
|
||||
]
|
||||
},
|
||||
key-df = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.dataflow}",
|
||||
"serviceAccount:${module.project.service_accounts.robots.compute}",
|
||||
]
|
||||
iam = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.dataflow}",
|
||||
"serviceAccount:${module.project.service_accounts.robots.compute}",
|
||||
]
|
||||
}
|
||||
}
|
||||
key-gcs = {
|
||||
iam = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.storage}"
|
||||
]
|
||||
}
|
||||
}
|
||||
key-bq = {
|
||||
iam = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.bq}"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
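Review bot: The `iam` map on `key-df` grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to the Compute Engine service agent as well as the Dataflow one, and nothing in the fixture says why a second service agent needs access to the Dataflow key; that is exactly the grant a later clean-up is tempted to drop. Presumably it is because Dataflow workers are Compute Engine VMs whose boot and persistent disks are encrypted by the Compute service agent — confirm against the Dataflow CMEK requirements. Suggested comment above the `robots.compute` line: `# Dataflow workers are GCE VMs: the Compute service agent needs this key for worker disks`. The `module "kms"` block starts outside the hunk.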
@ -17,12 +17,17 @@
|
|||
# tfdoc:file:description Security project, Cloud KMS and Secret Manager resources.
|
||||
|
||||
locals {
|
||||
# list of locations with keys
|
||||
kms_locations = distinct(flatten([
|
||||
for k, v in var.kms_keys : v.locations
|
||||
]))
|
||||
# map { location -> { key_name -> key_details } }
|
||||
kms_locations_keys = {
|
||||
for loc in local.kms_locations : loc => {
|
||||
for k, v in var.kms_keys : k => v if contains(v.locations, loc)
|
||||
for loc in local.kms_locations :
|
||||
loc => {
|
||||
for k, v in var.kms_keys :
|
||||
k => v
|
||||
if contains(v.locations, loc)
|
||||
}
|
||||
}
|
||||
kms_log_locations = distinct(flatten([
|
||||
|
@ -30,17 +35,14 @@ locals {
|
|||
]))
|
||||
kms_log_sink_keys = {
|
||||
"storage" = {
|
||||
labels = {}
|
||||
locations = [var.log_locations.storage]
|
||||
rotation_period = "7776000s"
|
||||
}
|
||||
"bq" = {
|
||||
labels = {}
|
||||
locations = [var.log_locations.bq]
|
||||
rotation_period = "7776000s"
|
||||
}
|
||||
"pubsub" = {
|
||||
labels = {}
|
||||
locations = [var.log_locations.pubsub]
|
||||
rotation_period = "7776000s"
|
||||
}
|
||||
|
@ -88,12 +90,6 @@ module "sec-kms" {
|
|||
location = each.key
|
||||
name = "sec-${each.key}"
|
||||
}
|
||||
key_iam = {
|
||||
for k, v in local.kms_locations_keys[each.key] : k => v.iam
|
||||
}
|
||||
key_iam_bindings_additive = {
|
||||
for k, v in local.kms_locations_keys[each.key] : k => v.iam_bindings_additive
|
||||
}
|
||||
keys = local.kms_locations_keys[each.key]
|
||||
}
|
||||
|
||||
|
|
|
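Review bot: With `key_iam` and `key_iam_bindings_additive` gone from `module "sec-kms"`, the `kms_locations_keys` local is now the only path by which a key's IAM reaches the module, but its comment still reads `# map { location -> { key_name -> key_details } }` and gives no hint that `key_details` now carries `iam`, `iam_bindings` and `iam_bindings_additive` unchanged. The old call site made the authoritative/additive split visible and the new one does not, so I would extend the comment: `# map { location -> { key_name -> key_details } }; key_details includes the key's iam (authoritative, if the module treats it as such — confirm), iam_bindings and iam_bindings_additive, forwarded as-is to the kms module`. The remaining arguments of `module "sec-kms"`, including the `for_each` that `each.key` relies on, are outside the hunk.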
@ -75,11 +75,35 @@ variable "groups" {
|
|||
variable "kms_keys" {
|
||||
description = "KMS keys to create, keyed by name."
|
||||
type = map(object({
|
||||
iam = optional(map(list(string)), {})
|
||||
iam_bindings_additive = optional(map(map(any)), {})
|
||||
labels = optional(map(string), {})
|
||||
locations = optional(list(string), ["global", "europe", "europe-west1"])
|
||||
rotation_period = optional(string, "7776000s")
|
||||
labels = optional(map(string))
|
||||
locations = optional(list(string), ["global", "europe", "europe-west1"])
|
||||
rotation_period = optional(string, "7776000s")
|
||||
purpose = optional(string, "ENCRYPT_DECRYPT")
|
||||
skip_initial_version_creation = optional(bool, false)
|
||||
version_template = optional(object({
|
||||
algorithm = string
|
||||
protection_level = optional(string, "SOFTWARE")
|
||||
}))
|
||||
|
||||
iam = optional(map(list(string)), {})
|
||||
iam_bindings = optional(map(object({
|
||||
members = list(string)
|
||||
condition = optional(object({
|
||||
expression = string
|
||||
title = string
|
||||
description = optional(string)
|
||||
}))
|
||||
})), {})
|
||||
iam_bindings_additive = optional(map(object({
|
||||
member = string
|
||||
role = string
|
||||
condition = optional(object({
|
||||
expression = string
|
||||
title = string
|
||||
description = optional(string)
|
||||
}))
|
||||
})), {})
|
||||
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
@ -92,12 +116,7 @@ variable "log_locations" {
|
|||
logging = optional(string, "global")
|
||||
pubsub = optional(string, "global")
|
||||
})
|
||||
default = {
|
||||
bq = "europe"
|
||||
storage = "europe"
|
||||
logging = "global"
|
||||
pubsub = null
|
||||
}
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
|
|
|
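Review bot: Replacing the explicit `log_locations` default with `default = {}` is not a no-op: the old default pinned `pubsub = null`, while the attribute-level default that survives in the hunk is `pubsub = optional(string, "global")`, so with `nullable = false` a Pub/Sub log-sink location of `global` — and presumably the matching CMEK key this stage builds from `var.log_locations.pubsub` — is now provisioned by default. The `bq` and `storage` attribute defaults sit above the hunk; if they are not `"europe"`, the location of those sink keys also moves silently. If this is intended, state it where callers will see it, e.g. `description = "Locations for log sink resources and their CMEK keys; Pub/Sub defaults to global, set it to null to skip it."`, otherwise keep `pubsub = null` in the default. The `variable "log_locations"` block starts outside the hunk.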
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -115,20 +115,16 @@ module "kms" {
|
|||
project_id = module.project.project_id
|
||||
keyring = { location = var.region, name = "test-keyring" }
|
||||
keyring_create = true
|
||||
keys = { test-key = null }
|
||||
key_purpose = {
|
||||
keys = {
|
||||
test-key = {
|
||||
purpose = "ASYMMETRIC_SIGN"
|
||||
version_template = {
|
||||
algorithm = "RSA_SIGN_PKCS1_4096_SHA512"
|
||||
protection_level = null
|
||||
algorithm = "RSA_SIGN_PKCS1_4096_SHA512"
|
||||
}
|
||||
iam = {
|
||||
"roles/cloudkms.publicKeyViewer" = [module.image_cb_sa.iam_email]
|
||||
"roles/cloudkms.signer" = [module.image_cb_sa.iam_email]
|
||||
}
|
||||
}
|
||||
}
|
||||
key_iam = {
|
||||
test-key = {
|
||||
"roles/cloudkms.publicKeyViewer" = [module.image_cb_sa.iam_email]
|
||||
"roles/cloudkms.signer" = [module.image_cb_sa.iam_email]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
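Review bot: The rewritten `test-key` fixture sets `purpose = "ASYMMETRIC_SIGN"` but leaves `rotation_period` to the module default; if module `kms`'s `keys` type defaults it the way the stage variables in this same commit do (`rotation_period = optional(string, "7776000s")`), the key is declared with a rotation schedule that Cloud KMS accepts only on symmetric ENCRYPT_DECRYPT keys, and a plan-only test will not surface that. Add `rotation_period = null` beside `purpose` so the fixture documents the constraint. Dropping `protection_level = null` also means the key now takes the module's default, presumably `SOFTWARE`; that is fine for a fixture, but since this block will be copied as the pattern for granting `roles/cloudkms.signer`, a one-line `# SOFTWARE is enough for a test key; use HSM for production signing keys` above `version_template` is worth adding. The `module "kms"` block starts outside the hunk.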
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -45,10 +45,6 @@ module "dev-sec-kms" {
|
|||
location = each.key
|
||||
name = "dev-${each.key}"
|
||||
}
|
||||
# rename to `key_iam` to switch to authoritative bindings
|
||||
key_iam = {
|
||||
for k, v in local.kms_locations_keys[each.key] : k => v.iam
|
||||
}
|
||||
keys = local.kms_locations_keys[each.key]
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -44,10 +44,6 @@ module "prod-sec-kms" {
|
|||
location = each.key
|
||||
name = "prod-${each.key}"
|
||||
}
|
||||
# rename to `key_iam` to switch to authoritative bindings
|
||||
key_iam = {
|
||||
for k, v in local.kms_locations_keys[each.key] : k => v.iam
|
||||
}
|
||||
keys = local.kms_locations_keys[each.key]
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -15,28 +15,17 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
kms_keys = {
|
||||
for k, v in var.kms_keys : k => {
|
||||
iam = coalesce(v.iam, {})
|
||||
labels = coalesce(v.labels, {})
|
||||
locations = (
|
||||
v.locations == null
|
||||
? var.kms_defaults.locations
|
||||
: v.locations
|
||||
)
|
||||
rotation_period = (
|
||||
v.rotation_period == null
|
||||
? var.kms_defaults.rotation_period
|
||||
: v.rotation_period
|
||||
)
|
||||
}
|
||||
}
|
||||
# list of locations with keys
|
||||
kms_locations = distinct(flatten([
|
||||
for k, v in local.kms_keys : v.locations
|
||||
for k, v in var.kms_keys : v.locations
|
||||
]))
|
||||
# map { location -> { key_name -> key_details } }
|
||||
kms_locations_keys = {
|
||||
for loc in local.kms_locations : loc => {
|
||||
for k, v in local.kms_keys : k => v if contains(v.locations, loc)
|
||||
for loc in local.kms_locations :
|
||||
loc => {
|
||||
for k, v in var.kms_keys :
|
||||
k => v
|
||||
if contains(v.locations, loc)
|
||||
}
|
||||
}
|
||||
project_services = [
|
||||
|
|
|
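Review bot: Removing the `kms_keys` local also removes the normalisation it did, and the new `kms_locations_keys` hands the raw `var.kms_keys` objects to the module: the variable declared in this commit gives `labels` no default (`labels = optional(map(string))`), so `labels` can now be null where `coalesce(v.labels, {})` previously guaranteed a map, and `rotation_period` is forwarded for every `purpose` although Cloud KMS accepts a rotation schedule only on ENCRYPT_DECRYPT keys. Whether module `kms` tolerates a null `labels` is not visible here; normalising in the comprehension is cheap: `k => merge(v, { labels = coalesce(v.labels, {}), rotation_period = v.purpose == "ENCRYPT_DECRYPT" ? v.rotation_period : null })`. Dropping the `iam` coalesce is safe because the variable now defaults it to `{}`. The `project_services` list that follows continues outside the hunk.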
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
@ -58,27 +58,40 @@ variable "groups" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "kms_defaults" {
|
||||
description = "Defaults used for KMS keys."
|
||||
type = object({
|
||||
locations = list(string)
|
||||
rotation_period = string
|
||||
})
|
||||
default = {
|
||||
locations = ["europe", "europe-west1", "europe-west3", "global"]
|
||||
rotation_period = "7776000s"
|
||||
}
|
||||
}
|
||||
|
||||
variable "kms_keys" {
|
||||
description = "KMS keys to create, keyed by name. Null attributes will be interpolated with defaults."
|
||||
description = "KMS keys to create, keyed by name."
|
||||
type = map(object({
|
||||
iam = map(list(string))
|
||||
labels = map(string)
|
||||
locations = list(string)
|
||||
rotation_period = string
|
||||
rotation_period = optional(string, "7776000s")
|
||||
labels = optional(map(string))
|
||||
locations = optional(list(string), ["europe", "europe-west1", "europe-west3", "global"])
|
||||
purpose = optional(string, "ENCRYPT_DECRYPT")
|
||||
skip_initial_version_creation = optional(bool, false)
|
||||
version_template = optional(object({
|
||||
algorithm = string
|
||||
protection_level = optional(string, "SOFTWARE")
|
||||
}))
|
||||
|
||||
iam = optional(map(list(string)), {})
|
||||
iam_bindings = optional(map(object({
|
||||
members = list(string)
|
||||
condition = optional(object({
|
||||
expression = string
|
||||
title = string
|
||||
description = optional(string)
|
||||
}))
|
||||
})), {})
|
||||
iam_bindings_additive = optional(map(object({
|
||||
member = string
|
||||
role = string
|
||||
condition = optional(object({
|
||||
expression = string
|
||||
title = string
|
||||
description = optional(string)
|
||||
}))
|
||||
})), {})
|
||||
}))
|
||||
default = {}
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "organization" {
|
||||
|
|
|
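Review bot: The new `kms_keys` type accepts any `purpose` but keeps `rotation_period = optional(string, "7776000s")` and leaves `version_template` optional with no default, so an `ASYMMETRIC_SIGN`, `ASYMMETRIC_DECRYPT` or `MAC` key declared here is planned with a 90-day rotation schedule, which Cloud KMS supports only on symmetric keys, and, as far as I know, without the algorithm that non-symmetric purposes require; both fail at apply rather than at plan. As far as I recall `optional()` semantics, an explicit `null` is replaced by the default too, so callers cannot opt out of the rotation period at this variable, which is why the rotation fallback belongs in the locals that consume it rather than in the type. I would document the constraint in the description and add a `validation` that rejects non-`ENCRYPT_DECRYPT` keys without a `version_template`, which a plan does catch.
```hcl
variable "kms_keys" {
  description = "KMS keys to create, keyed by name. rotation_period is only honoured for ENCRYPT_DECRYPT keys; other purposes must set version_template.algorithm."
  # … unchanged: type, default, nullable …
  validation {
    condition = alltrue([
      for k, v in var.kms_keys :
      v.purpose == "ENCRYPT_DECRYPT" || v.version_template != null
    ])
    error_message = "Keys whose purpose is not ENCRYPT_DECRYPT must set version_template.algorithm."
  }
}
```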
@ -116,13 +116,12 @@ module "kms" {
|
|||
location = var.region
|
||||
}
|
||||
keys = {
|
||||
key-sql = null
|
||||
}
|
||||
key_iam = {
|
||||
key-sql = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.sqladmin}"
|
||||
]
|
||||
iam = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${module.project.service_accounts.robots.sqladmin}"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
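Review bot: The `key-sql` fixture grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to the Cloud SQL service agent with no comment on why, and for CMEK-backed Cloud SQL the ordering matters: the grant has to exist before any instance referencing the key is created, or instance creation fails. Presumably the reference to `module.project.service_accounts.robots.sqladmin` is what forces the service agent to exist first — confirm. Suggested comment above the `iam` map: `# Cloud SQL service agent must hold encrypter/decrypter on this key before any CMEK instance is created`. The `module "kms"` block starts outside the hunk.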