zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/kms
History
Ludovico Magnocavallo 6941313c7d
Factories refactor (#1843) 
* factories refactor doc

* Adds file schema and filesystem organization

* Update 20231106-factories.md

* move factories out of blueprints and create new factories  README

* align factory in billing-account module

* align factory in dataplex-datascan module

* align factory in billing-account module

* align factory in net-firewall-policy module

* align factory in dns-response-policy module

* align factory in net-vpc-firewall module

* align factory in net-vpc module

* align factory variable names in FAST

* remove decentralized firewall blueprint

* bump terraform version

* bump module versions

* update top-level READMEs

* move project factory to modules

* fix variable names and tests

* tfdoc

* remove changelog link

* add project factory to top-level README

* fix cludrun eventarc diff

* fix README

* fix cludrun eventarc diff

---------

Co-authored-by: Simone Ruffilli <sruffilli@google.com>
 		2024-02-26 10:16:52 +00:00
..
README.md Added destroy_scheduled_duration variable (#2053) 2024-02-07 15:47:49 +00:00
iam.tf Update kms module key-level IAM 2023-09-17 00:21:36 +02:00
main.tf Added destroy_scheduled_duration variable (#2053) 2024-02-07 15:47:49 +00:00
outputs.tf added import job support for kms module 2023-10-26 18:12:58 +05:30
tags.tf Update kms module key-level IAM 2023-09-17 00:21:36 +02:00
variables.tf Added destroy_scheduled_duration variable (#2053) 2024-02-07 15:47:49 +00:00
versions.tf Factories refactor (#1843) 2024-02-26 10:16:52 +00:00

README.md

Google KMS Module

This module allows creating and managing KMS crypto keys and IAM bindings at both the keyring and crypto key level. An existing keyring can be used, or a new one can be created and managed by the module if needed.

When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator.

Protecting against destroy

In this module no lifecycle blocks are set on resources to prevent destroy, in order to allow for experimentation and testing where rapid apply/destroy cycles are needed. If you plan on using this module to manage non-development resources, clone it and uncomment the lifecycle blocks found in main.tf.

Examples

Using an existing keyring

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  iam = {
    "roles/cloudkms.admin" = ["user:user1@example.com"]
  }
  keyring        = { location = "europe-west1", name = "test" }
  keyring_create = false
  keys           = { key-a = {}, key-b = {}, key-c = {} }
}
# tftest skip (uses data sources)

Keyring creation and crypto key rotation and IAM roles

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  keyring = {
    location = "europe-west1"
    name     = "test"
  }
  keys = {
    key-a = {
      iam = {
        "roles/cloudkms.admin" = ["user:user3@example.com"]
      }
    }
    key-b = {
      rotation_period = "604800s"
      iam_bindings_additive = {
        key-b-iam1 = {
          key    = "key-b"
          member = "user:am1@example.com"
          role   = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
        }
      }
    }
    key-c = {
      labels = {
        env = "test"
      }
    }
  }
}
# tftest modules=1 resources=6 inventory=basic.yaml

Crypto key purpose

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  keyring = {
    location = "europe-west1"
    name     = "test"
  }
  keys = {
    key-a = {
      purpose = "ASYMMETRIC_SIGN"
      version_template = {
        algorithm        = "EC_SIGN_P384_SHA384"
        protection_level = "HSM"
      }
    }
  }
}
# tftest modules=1 resources=2 inventory=purpose.yaml

Import job

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  keyring = {
    location = "europe-west1"
    name     = "test"
  }
  import_job = {
    id               = "my-import-job"
    import_method    = "RSA_OAEP_3072_SHA1_AES_256"
    protection_level = "SOFTWARE"
  }
}
# tftest modules=1 resources=2 inventory=import-job.yaml

Variables

name description type required default
keyring Keyring attributes. object({…})
project_id Project id where the keyring will be created. string
iam Keyring IAM bindings in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_bindings Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. map(object({…})) {}
iam_bindings_additive Keyring individual additive IAM bindings. Keys are arbitrary. map(object({…})) {}
import_job Keyring import job attributes. object({…}) null
keyring_create Set to false to manage keys and IAM bindings in an existing keyring. bool true
keys Key names and base attributes. Set attributes to null if not needed. map(object({…})) {}
tag_bindings Tag bindings for this keyring, in key => tag value id format. map(string) {}

Outputs

name description sensitive
id Fully qualified keyring id.
import_job Keyring import job resources.
key_ids Fully qualified key ids.
keyring Keyring resource.
keys Key resources.
location Keyring location.
name Keyring name.