zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/kms/README.md

7.4 KiB
Raw Permalink Blame History

Google KMS Module

This module allows creating and managing KMS crypto keys and IAM bindings at both the keyring and crypto key level. An existing keyring can be used, or a new one can be created and managed by the module if needed.

When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator.

Protecting against destroy

In this module no lifecycle blocks are set on resources to prevent destroy, in order to allow for experimentation and testing where rapid apply/destroy cycles are needed. If you plan on using this module to manage non-development resources, clone it and uncomment the lifecycle blocks found in main.tf.

Examples

Using an existing keyring

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  iam = {
    "roles/cloudkms.admin" = ["user:user1@example.com"]
  }
  keyring        = { location = "europe-west1", name = "test" }
  keyring_create = false
  keys           = { key-a = {}, key-b = {}, key-c = {} }
}
# tftest skip (uses data sources)

Keyring creation and crypto key rotation and IAM roles

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  keyring = {
    location = "europe-west1"
    name     = "test"
  }
  keys = {
    key-a = {
      iam = {
        "roles/cloudkms.admin" = ["user:user3@example.com"]
      }
    }
    key-b = {
      rotation_period = "604800s"
      iam_bindings_additive = {
        key-b-iam1 = {
          key    = "key-b"
          member = "user:am1@example.com"
          role   = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
        }
      }
    }
    key-c = {
      labels = {
        env = "test"
      }
    }
  }
}
# tftest modules=1 resources=6 inventory=basic.yaml

Crypto key purpose

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  keyring = {
    location = "europe-west1"
    name     = "test"
  }
  keys = {
    key-a = {
      purpose = "ASYMMETRIC_SIGN"
      version_template = {
        algorithm        = "EC_SIGN_P384_SHA384"
        protection_level = "HSM"
      }
    }
  }
}
# tftest modules=1 resources=2 inventory=purpose.yaml

Import job

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = "my-project"
  keyring = {
    location = "europe-west1"
    name     = "test"
  }
  import_job = {
    id               = "my-import-job"
    import_method    = "RSA_OAEP_3072_SHA1_AES_256"
    protection_level = "SOFTWARE"
  }
}
# tftest modules=1 resources=2 inventory=import-job.yaml

Variables

name description type required default
keyring Keyring attributes. object({…})
project_id Project id where the keyring will be created. string
iam Keyring IAM bindings in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_bindings Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. map(object({…})) {}
iam_bindings_additive Keyring individual additive IAM bindings. Keys are arbitrary. map(object({…})) {}
import_job Keyring import job attributes. object({…}) null
keyring_create Set to false to manage keys and IAM bindings in an existing keyring. bool true
keys Key names and base attributes. Set attributes to null if not needed. map(object({…})) {}
tag_bindings Tag bindings for this keyring, in key => tag value id format. map(string) {}

Outputs

name description sensitive
id Fully qualified keyring id.
import_job Keyring import job resources.
key_ids Fully qualified key ids.
keyring Keyring resource.
keys Key resources.
location Keyring location.
name Keyring name.