├── .github ├── conventional-commit-lint.yaml ├── release-please.yml ├── renovate.json ├── trusted-contribution.yml └── workflows │ ├── lint.yaml │ └── stale.yml ├── .gitignore ├── CHANGELOG.md ├── CODEOWNERS ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── build ├── int.cloudbuild.yaml └── lint.cloudbuild.yaml ├── docs └── upgrading_to_v4.0.md ├── examples ├── autokey_setup │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── bucket_setup_using_autokey │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── import_only_example │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── monitoring_alerts │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ └── variables.tf └── simple_example │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── main.tf ├── modules └── autokey │ ├── README.md │ ├── iam.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── outputs.tf ├── test ├── .gitignore ├── fixtures │ ├── autokey_setup_fixture │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── bucket_setup_using_autokey_fixture │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── monitoring_alerts_on_project │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── monitoring_alerts_specific_key │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ └── simple_example │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── versions.tf ├── integration │ ├── autokey_setup │ │ └── autokey_setup_test.go │ ├── bucket_setup_using_autokey │ │ └── bucket_setup_using_autokey_test.go │ ├── discover_test.go │ ├── go.mod │ ├── go.sum │ ├── import_only_example │ │ └── import_only_example_test.go │ ├── monitoring_alerts │ │ └── monitoring_alerts_test.go │ └── simple_example │ │ └── simple_example_test.go └── setup │ ├── .gitignore │ ├── iam.tf │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── variables.tf └── 
versions.tf /.github/conventional-commit-lint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | enabled: true 19 | always_check_pr_title: true 20 | -------------------------------------------------------------------------------- /.github/release-please.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | releaseType: terraform-module 16 | handleGHRelease: true 17 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["github>GoogleCloudPlatform/cloud-foundation-toolkit//infra/terraform/test-org/github/resources/renovate"] 4 | } 5 | -------------------------------------------------------------------------------- /.github/trusted-contribution.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | annotations: 19 | - type: comment 20 | text: "/gcbrun" 21 | trustedContributors: 22 | - release-please[bot] 23 | - renovate[bot] 24 | - renovate-bot 25 | - forking-renovate[bot] 26 | - dependabot[bot] 27 | -------------------------------------------------------------------------------- /.github/workflows/lint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2023-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # NOTE: This file is automatically generated from values at: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 17 | 18 | name: 'lint' 19 | 20 | on: 21 | workflow_dispatch: 22 | pull_request: 23 | branches: 24 | - main 25 | 26 | concurrency: 27 | group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}' 28 | cancel-in-progress: true 29 | 30 | jobs: 31 | lint: 32 | name: 'lint' 33 | runs-on: 'ubuntu-latest' 34 | steps: 35 | - uses: 'actions/checkout@v4' 36 | - id: variables 37 | run: | 38 | MAKEFILE=$(find . 
-name Makefile -print -quit) 39 | if [ -z "$MAKEFILE" ]; then 40 | echo dev-tools=gcr.io/cloud-foundation-cicd/cft/developer-tools:1 >> "$GITHUB_OUTPUT" 41 | else 42 | VERSION=$(grep "DOCKER_TAG_VERSION_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 43 | IMAGE=$(grep "DOCKER_IMAGE_DEVELOPER_TOOLS := " $MAKEFILE | cut -d\ -f3) 44 | REGISTRY=$(grep "REGISTRY_URL := " $MAKEFILE | cut -d\ -f3) 45 | echo dev-tools=${REGISTRY}/${IMAGE}:${VERSION} >> "$GITHUB_OUTPUT" 46 | fi 47 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} module-swapper 48 | - run: docker run --rm -v ${{ github.workspace }}:/workspace ${{ steps.variables.outputs.dev-tools }} /usr/local/bin/test_lint.sh 49 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2022-2025 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # NOTE: This file is automatically generated from: 16 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github 17 | 18 | name: "Close stale issues" 19 | on: 20 | schedule: 21 | - cron: "0 23 * * *" 22 | 23 | jobs: 24 | stale: 25 | if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules' 26 | runs-on: ubuntu-latest 27 | steps: 28 | - uses: actions/stale@v9 29 | with: 30 | repo-token: ${{ secrets.GITHUB_TOKEN }} 31 | stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 32 | stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 33 | exempt-issue-labels: 'triaged' 34 | exempt-pr-labels: 'dependencies,autorelease: pending' 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .terraform 2 | terraform.tfstate* 3 | *.pyc 4 | .kitchen 5 | credentials.json 6 | terraform.tfvars 7 | 8 | # tf lock file 9 | .terraform.lock.hcl 10 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | The format is based on 6 | [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 7 | and this project adheres to 8 | [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
9 | 10 | ## [4.0.0](https://github.com/terraform-google-modules/terraform-google-kms/compare/v3.2.0...v4.0.0) (2025-02-05) 11 | 12 | 13 | ### ⚠ BREAKING CHANGES 14 | 15 | * **TF>=1.3:** Update go modules and dev-tools ([#161](https://github.com/terraform-google-modules/terraform-google-kms/issues/161)) 16 | * Restricting autokey module to autokey configuration use case ([#163](https://github.com/terraform-google-modules/terraform-google-kms/issues/163)) 17 | 18 | ### Features 19 | 20 | * Restricting autokey module to autokey configuration use case ([#163](https://github.com/terraform-google-modules/terraform-google-kms/issues/163)) ([28f3072](https://github.com/terraform-google-modules/terraform-google-kms/commit/28f307203389a839995af8e420b2858a4538c9bb)) 21 | 22 | 23 | ### Bug Fixes 24 | 25 | * **TF>=1.3:** Update go modules and dev-tools ([#161](https://github.com/terraform-google-modules/terraform-google-kms/issues/161)) ([1f29092](https://github.com/terraform-google-modules/terraform-google-kms/commit/1f2909209cd1c1e54031757570dd073d9a1b98de)) 26 | 27 | ## [3.2.0](https://github.com/terraform-google-modules/terraform-google-kms/compare/v3.1.0...v3.2.0) (2024-10-16) 28 | 29 | 30 | ### Features 31 | 32 | * add autokey plus migration ([#156](https://github.com/terraform-google-modules/terraform-google-kms/issues/156)) ([661c103](https://github.com/terraform-google-modules/terraform-google-kms/commit/661c103ee13bf95e88e36c8b9f047a84d20cb99d)) 33 | 34 | 35 | ### Bug Fixes 36 | 37 | * Remove non-needed counts on Autokey submodule ([#158](https://github.com/terraform-google-modules/terraform-google-kms/issues/158)) ([c50e2d5](https://github.com/terraform-google-modules/terraform-google-kms/commit/c50e2d514851938d328c1da4916249f2dca231b9)) 38 | 39 | ## [3.1.0](https://github.com/terraform-google-modules/terraform-google-kms/compare/v3.0.0...v3.1.0) (2024-09-17) 40 | 41 | 42 | ### Features 43 | 44 | * Introduce autokey feature 
([#151](https://github.com/terraform-google-modules/terraform-google-kms/issues/151)) ([f4471fd](https://github.com/terraform-google-modules/terraform-google-kms/commit/f4471fd65b36775f10f50f3624f573beadc77b81)) 45 | 46 | ## [3.0.0](https://github.com/terraform-google-modules/terraform-google-kms/compare/v2.3.0...v3.0.0) (2024-08-29) 47 | 48 | 49 | ### ⚠ BREAKING CHANGES 50 | 51 | * **TPG>=5.23:** bump TPG for crypto_key_backend ([#139](https://github.com/terraform-google-modules/terraform-google-kms/issues/139)) 52 | * Add import flags ([#133](https://github.com/terraform-google-modules/terraform-google-kms/issues/133)) 53 | 54 | ### Features 55 | 56 | * Add import flags ([#133](https://github.com/terraform-google-modules/terraform-google-kms/issues/133)) ([70d2718](https://github.com/terraform-google-modules/terraform-google-kms/commit/70d27186756a8fd2860f8107eba511dca5771f8f)) 57 | * Add support for EXTERNAL_VPC ([#137](https://github.com/terraform-google-modules/terraform-google-kms/issues/137)) ([f553b67](https://github.com/terraform-google-modules/terraform-google-kms/commit/f553b67d5e8143200a9368e2dd7cbd7e9f455094)) 58 | * **deps:** Update Terraform google to v6 ([#150](https://github.com/terraform-google-modules/terraform-google-kms/issues/150)) ([b7d99e3](https://github.com/terraform-google-modules/terraform-google-kms/commit/b7d99e382972642cd5dc33ebc6d4fac7e7e6a36c)) 59 | 60 | 61 | ### Bug Fixes 62 | 63 | * **TPG>=5.23:** bump TPG for crypto_key_backend ([#139](https://github.com/terraform-google-modules/terraform-google-kms/issues/139)) ([36d0319](https://github.com/terraform-google-modules/terraform-google-kms/commit/36d0319740c7fd751e879df01180e32dcb1cc924)) 64 | 65 | ## [2.3.0](https://github.com/terraform-google-modules/terraform-google-kms/compare/v2.2.3...v2.3.0) (2024-01-30) 66 | 67 | 68 | ### Features 69 | 70 | * add support for destroy_scheduled_duration ([#109](https://github.com/terraform-google-modules/terraform-google-kms/issues/109)) 
([c26f3fb](https://github.com/terraform-google-modules/terraform-google-kms/commit/c26f3fb91186d809bbc4c7856fe6a73c9b193344)) 71 | 72 | 73 | ### Bug Fixes 74 | 75 | * Change default rotation period from 28 hours to 90 days ([#111](https://github.com/terraform-google-modules/terraform-google-kms/issues/111)) ([44d01da](https://github.com/terraform-google-modules/terraform-google-kms/commit/44d01da9fc471b03b48bbf67bc977b7d98a19d79)) 76 | 77 | ## [2.2.3](https://github.com/terraform-google-modules/terraform-google-kms/compare/v2.2.2...v2.2.3) (2023-10-16) 78 | 79 | 80 | ### Bug Fixes 81 | 82 | * upgraded versions.tf to include minor bumps from tpg v5 ([#102](https://github.com/terraform-google-modules/terraform-google-kms/issues/102)) ([f35c882](https://github.com/terraform-google-modules/terraform-google-kms/commit/f35c8822ba48b1deff1c996a2cffe83bc9ba59c9)) 83 | 84 | ## [2.2.2](https://github.com/terraform-google-modules/terraform-google-kms/compare/v2.2.1...v2.2.2) (2023-04-13) 85 | 86 | 87 | ### Bug Fixes 88 | 89 | * updates for tflint and dev-tools 1.11 ([#86](https://github.com/terraform-google-modules/terraform-google-kms/issues/86)) ([ba59dab](https://github.com/terraform-google-modules/terraform-google-kms/commit/ba59dabda03d1375f63ed2b0c224d99c3bd5702b)) 90 | 91 | ## [2.2.1](https://github.com/terraform-google-modules/terraform-google-kms/compare/v2.2.0...v2.2.1) (2022-07-20) 92 | 93 | 94 | ### Bug Fixes 95 | 96 | * adding missing purpose field for ephemeral keys ([#61](https://github.com/terraform-google-modules/terraform-google-kms/issues/61)) ([1d6b259](https://github.com/terraform-google-modules/terraform-google-kms/commit/1d6b259d9796ac1cc76ee424966e2771ee93ee4b)) 97 | 98 | ## [2.2.0](https://github.com/terraform-google-modules/terraform-google-kms/compare/v2.1.0...v2.2.0) (2022-06-10) 99 | 100 | 101 | ### Features 102 | 103 | * expose purpose field ([#59](https://github.com/terraform-google-modules/terraform-google-kms/issues/59)) 
([ec9dd06](https://github.com/terraform-google-modules/terraform-google-kms/commit/ec9dd06b654b482dd9896adc7ae27f39cf483cf7)) 104 | 105 | ## [2.1.0](https://www.github.com/terraform-google-modules/terraform-google-kms/compare/v2.0.1...v2.1.0) (2021-12-13) 106 | 107 | 108 | ### Features 109 | 110 | * update TPG version constraints to allow 4.0 ([#50](https://www.github.com/terraform-google-modules/terraform-google-kms/issues/50)) ([14d80d7](https://www.github.com/terraform-google-modules/terraform-google-kms/commit/14d80d70966ff2ea64481cca83e8acbfff3fa65b)) 111 | 112 | ### [2.0.1](https://www.github.com/terraform-google-modules/terraform-google-kms/compare/v2.0.0...v2.0.1) (2021-08-11) 113 | 114 | 115 | ### Bug Fixes 116 | 117 | * Create dependency with grant ([#46](https://www.github.com/terraform-google-modules/terraform-google-kms/issues/46)) ([9f4129d](https://www.github.com/terraform-google-modules/terraform-google-kms/commit/9f4129d87799c1c22c388e1a3808717b09a58ab3)) 118 | 119 | ## [2.0.0](https://www.github.com/terraform-google-modules/terraform-google-kms/compare/v1.2.0...v2.0.0) (2021-03-15) 120 | 121 | 122 | ### ⚠ BREAKING CHANGES 123 | 124 | * add Terraform 0.13 constraint and module attribution (#40) 125 | 126 | ### Features 127 | 128 | * add Terraform 0.13 constraint and module attribution ([#40](https://www.github.com/terraform-google-modules/terraform-google-kms/issues/40)) ([e46c56c](https://www.github.com/terraform-google-modules/terraform-google-kms/commit/e46c56c683961ceb750684409cbdfdff4492031d)) 129 | 130 | ## [1.2.0](https://www.github.com/terraform-google-modules/terraform-google-kms/compare/v1.1.1...v1.2.0) (2020-06-01) 131 | 132 | 133 | ### Features 134 | 135 | * Add support for var.labels ([#29](https://www.github.com/terraform-google-modules/terraform-google-kms/issues/29)) ([ca19209](https://www.github.com/terraform-google-modules/terraform-google-kms/commit/ca19209f19c4679d9f5d663b05a8c7b9b7edc702)) 136 | * Add variables to configure 
key_algorithm and key_protection_level ([#27](https://www.github.com/terraform-google-modules/terraform-google-kms/issues/27)) ([3f01a09](https://www.github.com/terraform-google-modules/terraform-google-kms/commit/3f01a09f816da0b39f1ab35bed8f6cea694bed57)) 137 | 138 | ### [1.1.1](https://www.github.com/terraform-google-modules/terraform-google-kms/compare/v1.1.0...v1.1.1) (2020-05-20) 139 | 140 | 141 | ### Bug Fixes 142 | 143 | * Map outputs by slicing the outputs to the length of inputs ([#20](https://www.github.com/terraform-google-modules/terraform-google-kms/issues/20)) ([338fff6](https://www.github.com/terraform-google-modules/terraform-google-kms/commit/338fff65ea1ae1cefcb40ed8166268d4400b7038)) 144 | 145 | ## [Unreleased] 146 | 147 | ## [1.1.0] 148 | 149 | ### Added 150 | 151 | - Allow setting prevent_destroy lifecycle value on keys, add keyring resource output [#14] 152 | - Added continuous integration using Cloud Build. [#11] 153 | 154 | ## [1.0.0] - 2019-07-19 155 | 156 | ### Changed 157 | 158 | - Supported version of Terraform is 0.12. 
[#3] 159 | 160 | ## [0.1.0] - 2019-05-16 161 | 162 | ### Added 163 | 164 | - Initial release 165 | 166 | [Unreleased]: https://github.com/terraform-google-modules/terraform-google-kms/compare/v1.0.0...HEAD 167 | [1.1.0]: https://github.com/terraform-google-modules/terraform-google-kms/releases/tag/v1.1.0 168 | [1.0.0]: https://github.com/terraform-google-modules/terraform-google-kms/releases/tag/v1.0.0 169 | [0.1.0]: https://github.com/terraform-google-modules/terraform-google-kms/releases/tag/v0.1.0 170 | 171 | [#14]: https://github.com/terraform-google-modules/terraform-google-kms/pull/11 172 | [#11]: https://github.com/terraform-google-modules/terraform-google-kms/pull/11 173 | [#3]: https://github.com/terraform-google-modules/terraform-google-kms/pull/3 174 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # NOTE: This file is automatically generated from values at: 2 | # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/org/locals.tf 3 | 4 | * @terraform-google-modules/cft-admins 5 | 6 | # NOTE: GitHub CODEOWNERS locations: 7 | # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection 8 | 9 | CODEOWNERS @terraform-google-modules/cft-admins 10 | .github/CODEOWNERS @terraform-google-modules/cft-admins 11 | docs/CODEOWNERS @terraform-google-modules/cft-admins 12 | 13 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | This document provides guidelines for contributing to the module. 
4 | 5 | ## Dependencies 6 | 7 | The following dependencies must be installed on the development system: 8 | 9 | - [Docker Engine][docker-engine] 10 | - [Google Cloud SDK][google-cloud-sdk] 11 | - [make] 12 | 13 | ## Generating Documentation for Inputs and Outputs 14 | 15 | The Inputs and Outputs tables in the READMEs of the root module, 16 | submodules, and example modules are automatically generated based on 17 | the `variables` and `outputs` of the respective modules. These tables 18 | must be refreshed if the module interfaces are changed. 19 | 20 | ### Execution 21 | 22 | Run `make generate_docs` to generate new Inputs and Outputs tables. 23 | 24 | ## Integration Testing 25 | 26 | Integration tests are used to verify the behaviour of the root module, 27 | submodules, and example modules. Additions, changes, and fixes should 28 | be accompanied with tests. 29 | 30 | The integration tests are run using [Kitchen][kitchen], 31 | [Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These 32 | tools are packaged within a Docker image for convenience. 33 | 34 | The general strategy for these tests is to verify the behaviour of the 35 | [example modules](./examples/), thus ensuring that the root module, 36 | submodules, and example modules are all functionally correct. 37 | 38 | ### Test Environment 39 | The easiest way to test the module is in an isolated test project. The setup for such a project is defined in [test/setup](./test/setup/) directory. 40 | 41 | To use this setup, you need a service account with Project Creator access on a folder. 
Export the Service Account credentials to your environment like so: 42 | 43 | ``` 44 | export SERVICE_ACCOUNT_JSON=$(< credentials.json) 45 | ``` 46 | 47 | You will also need to set a few environment variables: 48 | ``` 49 | export TF_VAR_org_id="your_org_id" 50 | export TF_VAR_folder_id="your_folder_id" 51 | export TF_VAR_billing_account="your_billing_account_id" 52 | ``` 53 | 54 | With these settings in place, you can prepare a test project using Docker: 55 | 56 | ``` 57 | make docker_test_prepare 58 | ``` 59 | 60 | ### Noninteractive Execution 61 | 62 | Run `make docker_test_integration` to test all of the example modules 63 | noninteractively, using the prepared test project. 64 | 65 | ### Interactive Execution 66 | 67 | 1. Run `make docker_run` to start the testing Docker container in 68 | interactive mode. 69 | 70 | 1. Run `kitchen_do create ` to initialize the working 71 | directory for an example module. 72 | 73 | 1. Run `kitchen_do converge ` to apply the example module. 74 | 75 | 1. Run `kitchen_do verify ` to test the example module. 76 | 77 | 1. Run `kitchen_do destroy ` to destroy the example module 78 | state. 79 | 80 | ## Linting and Formatting 81 | 82 | Many of the files in the repository can be linted or formatted to 83 | maintain a standard of quality. 84 | 85 | ### Execution 86 | 87 | Run `make docker_test_lint`. 
88 | 89 | [docker-engine]: https://www.docker.com/products/docker-engine 90 | [flake8]: http://flake8.pycqa.org/en/latest/ 91 | [gofmt]: https://golang.org/cmd/gofmt/ 92 | [google-cloud-sdk]: https://cloud.google.com/sdk/install 93 | [hadolint]: https://github.com/hadolint/hadolint 94 | [inspec]: https://inspec.io/ 95 | [kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform 96 | [kitchen]: https://kitchen.ci/ 97 | [make]: https://en.wikipedia.org/wiki/Make_(software) 98 | [shellcheck]: https://www.shellcheck.net/ 99 | [terraform-docs]: https://github.com/segmentio/terraform-docs 100 | [terraform]: https://terraform.io/ 101 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 
26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. 
For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. 
If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. 
You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. 
(Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Please note that this file was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template). 
# Please make sure to contribute relevant changes upstream!

# Make will use bash instead of sh
SHELL := /usr/bin/env bash

# Developer-tools image used by every target below. The tag is mutable: a
# rebuilt 1.23 upstream silently changes the toolchain that lints and tests
# this module. Pin by digest (image@sha256:...) when the result must be
# reproducible.
DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.23
DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
REGISTRY_URL := gcr.io/cloud-foundation-cicd

# Enter docker container for local development.
# SERVICE_ACCOUNT_JSON is forwarded from the caller's environment (docker
# only passes it when it is set); the repository is bind-mounted read-write at
# /workspace. Anything in the container environment is visible to whoever can
# run `docker inspect` on the host.
.PHONY: docker_run
docker_run:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/bin/bash

# Execute prepare tests within the docker container.
# TF_VAR_org_id / TF_VAR_folder_id / TF_VAR_billing_account select where the
# test fixtures are created (presumably consumed by test/setup - confirm).
.PHONY: docker_test_prepare
docker_test_prepare:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-e TF_VAR_org_id \
		-e TF_VAR_folder_id \
		-e TF_VAR_billing_account \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/usr/local/bin/execute_with_credentials.sh prepare_environment

# Clean up test environment within the docker container (same inputs as
# docker_test_prepare so the same org/folder/billing scope is torn down).
.PHONY: docker_test_cleanup
docker_test_cleanup:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-e TF_VAR_org_id \
		-e TF_VAR_folder_id \
		-e TF_VAR_billing_account \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/usr/local/bin/execute_with_credentials.sh cleanup_environment

# Execute integration tests within the docker container. Only the credential
# is forwarded here; the test stages read their project ids from the outputs
# produced by prepare_environment.
.PHONY: docker_test_integration
docker_test_integration:
	docker run --rm -it \
		-e SERVICE_ACCOUNT_JSON \
		-v "$(CURDIR)":/workspace \
		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
		/usr/local/bin/test_integration.sh

# Execute lint tests within the docker container (no credentials needed).
.PHONY: docker_test_lint
docker_test_lint:
	docker
run --rm -it \ 71 | -v "$(CURDIR)":/workspace \ 72 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 73 | /usr/local/bin/test_lint.sh 74 | 75 | # Generate documentation 76 | .PHONY: docker_generate_docs 77 | docker_generate_docs: 78 | docker run --rm -it \ 79 | -v "$(CURDIR)":/workspace \ 80 | $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ 81 | /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' 82 | 83 | # Alias for backwards compatibility 84 | .PHONY: generate_docs 85 | generate_docs: docker_generate_docs 86 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Google KMS Terraform Module 2 | 3 | Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys. 4 | 5 | The resources/services/activations/deletions that this module will create/trigger are: 6 | 7 | - Create a KMS keyring in the provided project 8 | - Create zero or more keys in the keyring 9 | - Create IAM role bindings for owners, encrypters, decrypters 10 | 11 | ## Compatibility 12 | This module is meant for use with Terraform v1.3+ and tested using Terraform v1.10+. 13 | If you haven't 14 | [upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform 15 | 0.12.x-compatible version of this module, the last released version 16 | intended for Terraform 0.12.x is [v1.2.0](https://registry.terraform.io/modules/terraform-google-modules/-kms/google/v1.2.0). 
17 | 18 | ## Usage 19 | 20 | Basic usage of this module is as follows: 21 | 22 | ```hcl 23 | module "kms" { 24 | source = "terraform-google-modules/kms/google" 25 | version = "~> 4.0" 26 | 27 | project_id = "<PROJECT_ID>" 28 | location = "europe" 29 | keyring = "sample-keyring" 30 | keys = ["foo", "spam"] 31 | set_owners_for = ["foo", "spam"] 32 | owners = [ 33 | "group:one@example.com,group:two@example.com", 34 | "group:one@example.com", 35 | ] 36 | } 37 | ``` 38 | 39 | Entries in `owners` are matched positionally to the keys in `set_owners_for`: in the example above `foo` gets both groups as owners and `spam` gets only `group:one@example.com`, so the two lists must have the same length. The same positional rule applies to `encrypters`/`set_encrypters_for` and `decrypters`/`set_decrypters_for`. Functional examples are included in the 40 | [examples](./examples/) directory. 41 | 42 | 43 | ## Inputs 44 | 45 | | Name | Description | Type | Default | Required | 46 | |------|-------------|------|---------|:--------:| 47 | | crypto\_key\_backend | (Optional) The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format `projects/*/locations/*/ekmConnections/*` and only applies to `EXTERNAL_VPC` keys. | `string` | `null` | no | 48 | | decrypters | List of comma-separated IAM members granted decrypt access on each key declared in set\_decrypters\_for (one list entry per key, in the same order). | `list(string)` | `[]` | no | 49 | | encrypters | List of comma-separated IAM members granted encrypt access on each key declared in set\_encrypters\_for (one list entry per key, in the same order). | `list(string)` | `[]` | no | 50 | | import\_only | Whether these keys may contain imported versions only. | `bool` | `false` | no | 51 | | key\_algorithm | The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs. | `string` | `"GOOGLE_SYMMETRIC_ENCRYPTION"` | no | 52 | | key\_destroy\_scheduled\_duration | Set the period of time that versions of keys spend in the DESTROY\_SCHEDULED state before transitioning to DESTROYED. | `string` | `null` | no | 53 | | key\_protection\_level | The protection level to use when creating a version based on this template.
Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL\_VPC"] | `string` | `"SOFTWARE"` | no | 54 | | key\_rotation\_period | Generate a new key version every time this period passes. The default `7776000s` is 90 days; the import-only example passes an empty string to leave automatic rotation unset. | `string` | `"7776000s"` | no | 55 | | keyring | Keyring name. | `string` | n/a | yes | 56 | | keys | Key names. | `list(string)` | `[]` | no | 57 | | labels | Labels, provided as a map | `map(string)` | `{}` | no | 58 | | location | Location for the keyring. | `string` | n/a | yes | 59 | | owners | List of comma-separated IAM members granted owner access on each key declared in set\_owners\_for (one list entry per key, in the same order). | `list(string)` | `[]` | no | 60 | | prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. Leave it `true` for keys that protect real data so an accidental `terraform destroy` or replacement is refused; only disable it for disposable environments, as the examples do. | `bool` | `true` | no | 61 | | project\_id | Project id where the keyring will be created. | `string` | n/a | yes | 62 | | purpose | The immutable purpose of the CryptoKey. Default value is ENCRYPT\_DECRYPT. See purpose reference (https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. | `string` | `"ENCRYPT_DECRYPT"` | no | 63 | | set\_decrypters\_for | Name of keys for which decrypters will be set. | `list(string)` | `[]` | no | 64 | | set\_encrypters\_for | Name of keys for which encrypters will be set. | `list(string)` | `[]` | no | 65 | | set\_owners\_for | Name of keys for which owners will be set. | `list(string)` | `[]` | no | 66 | | skip\_initial\_version\_creation | If set to true, the request will create CryptoKeys without any CryptoKeyVersions. | `bool` | `false` | no | 67 | 68 | ## Outputs 69 | 70 | | Name | Description | 71 | |------|-------------| 72 | | keyring | Self link of the keyring. | 73 | | keyring\_name | Name of the keyring. | 74 | | keyring\_resource | Keyring resource. | 75 | | keys | Map of key name => key self link. | 76 | 77 | 78 | 79 | ## Requirements 80 | 81 | These sections describe requirements for using this module.
82 | 83 | ### Software 84 | 85 | The following dependencies must be available: 86 | 87 | - [Terraform](https://www.terraform.io/downloads.html) >= 1.3 88 | - [Terraform Provider for GCP][terraform-provider-gcp] plugin >= v5.31 89 | 90 | ### Service Account 91 | 92 | A service account with one of the following roles must be used to provision 93 | the resources of this module: 94 | 95 | - Cloud KMS Admin: `roles/cloudkms.admin` or 96 | - Owner: `roles/owner` 97 | 98 | Prefer `roles/cloudkms.admin`: it covers everything this module creates, while `roles/owner` grants far more than key administration and should not be used for routine provisioning. The [Project Factory module][project-factory-module] and the 99 | [IAM module][iam-module] may be used in combination to provision a 100 | service account with the necessary roles applied. 101 | 102 | ### APIs 103 | 104 | A project with the following APIs enabled must be used to host the 105 | resources of this module: 106 | 107 | - Google Cloud Key Management Service: `cloudkms.googleapis.com` 108 | 109 | The [Project Factory module][project-factory-module] can be used to 110 | provision a project with the necessary APIs enabled. 111 | 112 | ## Contributing 113 | 114 | Refer to the [contribution guidelines](./CONTRIBUTING.md) for 115 | information on contributing to this module. 116 | 117 | [iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google 118 | [project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google 119 | [terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html 120 | [terraform]: https://www.terraform.io/downloads.html 121 | -------------------------------------------------------------------------------- /build/int.cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Integration-test pipeline. Every step runs in the CFT developer-tools image
# selected by the substitutions at the bottom. Steps execute in order and Cloud
# Build stops at the first failure, so a failing `verify` leaves the `destroy`
# step unrun and the fixtures applied by `converge` must be cleaned up by hand.
steps:
  # Presumably rewrites the examples' registry module references to this
  # checkout so the tests exercise the commit under test - confirm against the
  # module-swapper tool.
  - id: swap-module-refs
    name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
    args: ['module-swapper']
  # Creates the test project(s) under the given org / folder / billing account.
  # These values are plain substitutions, not Secret Manager secrets, so they
  # are visible in the build configuration and trigger definition.
  - id: prepare
    name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
    args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment']
    env:
      - 'TF_VAR_org_id=$_ORG_ID'
      - 'TF_VAR_folder_id=$_FOLDER_ID'
      - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
  # cft test stages over every fixture: init -> apply -> verify -> teardown.
  - id: create
    name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
    args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
  - id: converge
    name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
    args: ['/bin/bash', '-c', 'cft test run all --stage apply --verbose']
  - id: verify
    name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
    args: ['/bin/bash', '-c', 'cft test run all --stage verify --verbose']
  - id: destroy
    name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
    args: ['/bin/bash', '-c', 'cft test run all --stage teardown --verbose']
tags:
  - 'ci'
  - 'integration'
# The image tag is mutable: a rebuilt 1.23 upstream changes the toolchain used
# by every step above. Pin by digest if CI results must be reproducible.
# NOTE(review): no build-level `timeout:` is set, so the Cloud Build default
# applies - confirm it is long enough for apply + verify + teardown of all
# fixtures.
substitutions:
  _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23'

-------------------------------------------------------------------------------- /build/lint.cloudbuild.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | steps: 16 | - name: 'gcr.io/cloud-foundation-cicd/cft/developer-tools:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' 17 | id: 'lint' 18 | args: ['/usr/local/bin/test_lint.sh'] 19 | tags: 20 | - 'ci' 21 | - 'lint' 22 | substitutions: 23 | _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' 24 | _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23' 25 | -------------------------------------------------------------------------------- /docs/upgrading_to_v4.0.md: -------------------------------------------------------------------------------- 1 | # Upgrading to v4.0 2 | The v4.0 release of *kms* is a backwards incompatible release. 3 | 4 | ### Autokey Submodule 5 | The current users of Autokey submodules needs to 6 | - Switch `project_id` to `key_project_id` 7 | - Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/). 
8 | 9 | 10 | ### To Migrate from v3.0 to v4.0 11 | If you created key handles with v3.0 of the Autokey submodule and want to keep using them with v4.0, they must be imported into the new resource addresses using the steps below. Do not run `terraform apply` between steps 2 and 4: with the handles removed from state, an apply would attempt to recreate them. 12 | 13 | 1. Retrieve the key handles created: 14 | - Run `terraform state list module.autokey.google_kms_key_handle.primary` to list all key handles created using v3.0 15 | - For each item in the output of the above command, run `terraform state show 'module.autokey.google_kms_key_handle.primary["<KEY_HANDLE_NAME>"]'` and record the resulting `id` field from the output 16 | 2. Delete all key handles from the state: run `terraform state rm module.autokey.google_kms_key_handle.primary` 17 | 3. Update the main root module to use the v4.0 version. Add a `google_kms_key_handle` resource definition to the main root module for every key handle found in step 1. 18 | 4. Import all the key handle configs into the Terraform state using the ids recorded in step 1 19 | - for each key handle id found in step 1, run `terraform import google_kms_key_handle.<RESOURCE_NAME> "<KEY_HANDLE_ID>"` 20 | 5. Run `terraform plan` and confirm it reports no changes before applying anything. 21 | 22 | -------------------------------------------------------------------------------- /examples/autokey_setup/README.md: -------------------------------------------------------------------------------- 1 | # Autokey Example 2 | 3 | This example illustrates how to set up the `autokey` kms submodule for the [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes | 11 | | key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | 12 | 13 | ## Outputs 14 | 15 | | Name | Description | 16 | |------|-------------| 17 | | autokey\_config\_id | An Autokey configuration identifier.
| 18 | | key\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. | 19 | 20 | 21 | 22 | To provision this example, run the following from within this directory: 23 | - `terraform init` to get the plugins 24 | - `terraform plan` to see the infrastructure plan 25 | - `terraform apply` to apply the infrastructure build 26 | - `terraform destroy` to destroy the built infrastructure 27 | -------------------------------------------------------------------------------- /examples/autokey_setup/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "autokey" { 18 | source = "terraform-google-modules/kms/google//modules/autokey" 19 | version = "~> 4.0" 20 | 21 | key_project_id = var.key_project_id 22 | autokey_folder_number = var.folder_id 23 | } 24 | 25 | -------------------------------------------------------------------------------- /examples/autokey_setup/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "autokey_config_id" { 18 | description = "An Autokey configuration identifier." 19 | value = module.autokey.autokey_config_id 20 | } 21 | 22 | output "key_project_id" { 23 | description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey." 24 | value = var.key_project_id 25 | } 26 | -------------------------------------------------------------------------------- /examples/autokey_setup/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "key_project_id" { 18 | description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." 19 | type = string 20 | } 21 | 22 | variable "folder_id" { 23 | type = string 24 | description = "The ID of the folder for which to configure and enable Autokey feature." 
25 | } 26 | 27 | -------------------------------------------------------------------------------- /examples/bucket_setup_using_autokey/README.md: -------------------------------------------------------------------------------- 1 | # Autokey Example 2 | 3 | This example illustrates how to use the `autokey` kms submodule for the [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create a Cloud Storage bucket whose default encryption key is provisioned by Autokey through a `google_kms_key_handle`. The key handle and the bucket are both placed in `bucket_location`, and the Autokey-managed key lives in `key_project_id` rather than in the bucket's project. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | bucket\_location | The GCP location where storage bucket will be created | `string` | `"us-central1"` | no | 11 | | folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes | 12 | | key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | 13 | | resource\_project\_id | The ID of the project in which to provision cloud storage bucket resource. | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | | Name | Description | 18 | |------|-------------| 19 | | bucket\_keyhandle | Keyhandle configuration created for the bucket. | 20 | | bucket\_name | Name of the bucket created. | 21 | 22 | 23 | 24 | To provision this example, run the following from within this directory: 25 | - `terraform init` to get the plugins 26 | - `terraform plan` to see the infrastructure plan 27 | - `terraform apply` to apply the infrastructure build 28 | - `terraform destroy` to destroy the built infrastructure 29 | -------------------------------------------------------------------------------- /examples/bucket_setup_using_autokey/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Enables Autokey on the folder and registers key_project_id as the project in
# which Autokey provisions the key ring and keys (see variables.tf). The keys
# therefore live in a different project from the bucket they protect.
module "autokey" {
  source  = "terraform-google-modules/kms/google//modules/autokey"
  version = "~> 4.0"

  key_project_id        = var.key_project_id
  autokey_folder_number = var.folder_id
}

# Wait delay for autokey configuration.
# Fixed 20s pause between the Autokey config and the first key handle;
# presumably covers config / IAM propagation. A fixed sleep is a race
# workaround, not a guarantee: if key handle creation fails with a permission
# or precondition error, re-apply or lengthen the delay.
resource "time_sleep" "wait_autokey_config" {
  create_duration = "20s"
  depends_on      = [module.autokey]
}

# Short random suffix so the key handle and bucket names do not collide across
# repeated applies in the same project.
resource "random_string" "suffix" {
  length  = 4
  special = false
  upper   = false
}

# Key handle for bucket resources: Autokey provisions the backing CryptoKey in
# key_project_id and exposes its resource name as `kms_key`.
resource "google_kms_key_handle" "bucket_keyhandle" {
  provider               = google-beta
  name                   = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}"
  project                = var.resource_project_id
  location               = var.bucket_location
  resource_type_selector = "storage.googleapis.com/Bucket"

  lifecycle {
    # NOTE(review): name drift is ignored after creation - presumably because
    # the API may normalize or assign the handle name; confirm before relying
    # on the name for anything else.
    ignore_changes = [name]
  }
  depends_on = [time_sleep.wait_autokey_config]
}

# Bucket whose default CMEK is the Autokey-provisioned key. Autokey is expected
# to grant the Cloud Storage service agent encrypt/decrypt on that key - confirm
# if bucket writes fail with a KMS permission error. The explicit depends_on is
# redundant with the attribute reference in `encryption` but harmless.
module "bucket" {
  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
  version = "~> 9.0"

  name       = "${var.resource_project_id}-bucket-${random_string.suffix.result}"
  project_id = var.resource_project_id
  location   = var.bucket_location
  encryption = {
    default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key
  }

  depends_on = [resource.google_kms_key_handle.bucket_keyhandle]
}
--------------------------------------------------------------------------------
/examples/bucket_setup_using_autokey/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "bucket_keyhandle" { 18 | description = "Keyhandle configuration created for the bucket." 19 | value = resource.google_kms_key_handle.bucket_keyhandle 20 | } 21 | 22 | output "bucket_name" { 23 | description = "Name of the bucket created." 24 | value = module.bucket.name 25 | } 26 | -------------------------------------------------------------------------------- /examples/bucket_setup_using_autokey/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "key_project_id" { 18 | description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." 19 | type = string 20 | } 21 | 22 | variable "folder_id" { 23 | type = string 24 | description = "The ID of the folder for which to configure and enable Autokey feature." 25 | } 26 | 27 | variable "resource_project_id" { 28 | description = "The ID of the project in which to provision cloud storage bucket resource." 29 | type = string 30 | } 31 | 32 | variable "bucket_location" { 33 | type = string 34 | description = "The GCP location where storage bucket will be created" 35 | default = "us-central1" 36 | } 37 | -------------------------------------------------------------------------------- /examples/import_only_example/README.md: -------------------------------------------------------------------------------- 1 | # Import Only Example 2 | 3 | This example illustrates how to use the `kms` module when you want to create a CryptoKey with no CryptoKeyVersion in order to import the key material. The keys are created with `import_only` and `skip_initial_version_creation` set and with no rotation period, so they cannot encrypt or decrypt anything until a version has been imported. The example also sets `prevent_destroy = false`, which is only appropriate for a disposable environment. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | keyring | The name of the keyring. | 17 | | keys | List of created key names. | 18 | | location | The location of the keyring. | 19 | | project\_id | The ID of the project in which resources are provisioned.
| 20 | 21 | 22 | 23 | To provision this example, run the following from within this directory: 24 | - `terraform init` to get the plugins 25 | - `terraform plan` to see the infrastructure plan 26 | - `terraform apply` to apply the infrastructure build 27 | - `terraform destroy` to destroy the built infrastructure 28 | -------------------------------------------------------------------------------- /examples/import_only_example/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | resource "random_pet" "main" { 18 | length = 1 19 | prefix = "simple-example" 20 | separator = "-" 21 | } 22 | 23 | module "kms" { 24 | source = "terraform-google-modules/kms/google" 25 | version = "~> 3.2" 26 | 27 | project_id = var.project_id 28 | keyring = random_pet.main.id 29 | location = "global" 30 | keys = ["one", "two"] 31 | # keys can be destroyed by Terraform 32 | prevent_destroy = false 33 | import_only = true 34 | skip_initial_version_creation = true 35 | key_rotation_period = "" 36 | purpose = "RAW_ENCRYPT_DECRYPT" 37 | key_algorithm = "AES_256_GCM" 38 | } 39 | -------------------------------------------------------------------------------- /examples/import_only_example/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "keyring" { 18 | description = "The name of the keyring." 19 | value = module.kms.keyring_resource.name 20 | } 21 | 22 | output "location" { 23 | description = "The location of the keyring." 24 | value = module.kms.keyring_resource.location 25 | } 26 | 27 | output "keys" { 28 | description = "List of created kkey names." 29 | value = keys(module.kms.keys) 30 | } 31 | 32 | output "project_id" { 33 | description = "The ID of the project in which resources are provisioned." 
34 | value = var.project_id 35 | } 36 | -------------------------------------------------------------------------------- /examples/import_only_example/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | -------------------------------------------------------------------------------- /examples/import_only_example/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_providers { 19 | google = { 20 | source = "hashicorp/google" 21 | } 22 | } 23 | required_version = ">= 0.13" 24 | } 25 | -------------------------------------------------------------------------------- /examples/monitoring_alerts/README.md: -------------------------------------------------------------------------------- 1 | # Monitoring Alert Example 2 | 3 | This example provides monitoring e-mail alerts for KMS key versions scheduled for destruction. If multiple key versions are deleted in less than 5 minutes, a single notification will be sent. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | email\_addresses\_to\_be\_notified | Email addresses used for sending notifications to. | `list(string)` | n/a | yes | 11 | | location | Location to create the KMS key and keyring. | `string` | `"us-central1"` | no | 12 | | monitor\_all\_keys\_in\_the\_project | True for all KMS key versions under the same project to be monitored, false for only the KMS key version created in this example to be monitored. Default: false. | `bool` | n/a | yes | 13 | | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | | Name | Description | 18 | |------|-------------| 19 | | key | The version of the created KMS key. | 20 | | keyring | The keyring created. | 21 | | notification\_channel\_names | Notification channel names. | 22 | | project\_id | GCP Project ID where key version was created. | 23 | 24 | 25 | -------------------------------------------------------------------------------- /examples/monitoring_alerts/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * Send a warning email when a KMS key version is scheduled for destruction.
 * If multiple key versions are deleted in less than 5 minutes, a single notification will be sent.
 *
 * Detection scope — what this example does and does not alert on:
 *   - Only DestroyCryptoKeyVersion requests match. Disabling a version
 *     (UpdateCryptoKeyVersion), restoring one, or changing a key's IAM policy
 *     (SetIamPolicy) are different request types and are NOT covered.
 *   - The signal is the Cloud KMS Admin Activity audit log entry. Admin
 *     Activity logs are on by default, but a log exclusion on the project's
 *     _Default sink that drops cloudkms entries would silently disable this
 *     alert — verify sink/exclusion configuration when deploying.
 *   - The 300s notification rate limit collapses a burst of destructions into
 *     a single e-mail; the individual audit log entries are still retained.
 */

# See all the request types available for google.cloud.kms.v1 here: https://cloud.google.com/kms/docs/reference/rpc/google.cloud.kms.v1. For this example specifically we are monitoring and alerting DestroyCryptoKeyVersionRequest.
locals {
  # Project-wide: any key version in var.project_id scheduled for destruction.
  all_keys_filter = "protoPayload.request.@type=\"type.googleapis.com/google.cloud.kms.v1.DestroyCryptoKeyVersionRequest\""
  # Single key: narrows by the request's resource name. values(module.kms.keys)[0]
  # is the full key ID (projects/.../keyRings/.../cryptoKeys/alert-key) and the
  # trailing "/.*" matches every cryptoKeyVersions/<n> under it. `=~` is a regex
  # match: Cloud KMS key and key ring names are limited to letters, digits, "-"
  # and "_", so no escaping is needed, but keep that in mind if you substitute a
  # value of your own.
  single_key_filter = "${local.all_keys_filter} AND protoPayload.request.name=~\"${values(module.kms.keys)[0]}/.*\""
  # It's possible to replace "${values(module.kms.keys)[0]}" with your own existing KMS key's name. It's not required to create a new KMS key to take leverage from this example.
}

# Short lowercase suffix so the key ring name is unique per run. Cloud KMS key
# rings cannot be deleted, so each new suffix leaves an (empty) key ring behind
# after `terraform destroy`.
resource "random_string" "suffix" {
  length  = 4
  special = false
  upper   = false
}

# Example key that is the alert target when monitor_all_keys_in_the_project is false.
module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 3.2"

  project_id = var.project_id
  keyring    = "alert-keyring-${random_string.suffix.result}"
  location   = var.location
  keys       = ["alert-key"]
  # Example only: lets `terraform destroy` schedule the key's versions for destruction.
  prevent_destroy = false
}

# Log-based alert: fires when a log entry matches the selected filter and
# notifies every e-mail channel created below.
resource "google_monitoring_alert_policy" "main" {
  project      = var.project_id
  display_name = "KMS Key Version Destruction Alert"
  documentation {
    content = "KMS Key Version alert: one or more key versions from ${var.project_id} project were scheduled for destruction."
  }
  # A single condition, so the combiner only satisfies the required argument.
  combiner = "OR"
  conditions {
    display_name = "Destroy condition"
    condition_matched_log {
      filter = var.monitor_all_keys_in_the_project ? local.all_keys_filter : local.single_key_filter
    }
  }

  alert_strategy {
    # At most one notification per 5 minutes for this policy.
    notification_rate_limit {
      period = "300s"
    }
  }

  notification_channels = [for email_ch in google_monitoring_notification_channel.email_channel : email_ch.name]

  # NOTE(review): once destroy_scheduled_duration elapses the key material is
  # gone for good; teams may prefer "CRITICAL" for this policy. Left as-is.
  severity = "WARNING"
}

# One e-mail channel per address. The addresses end up in Terraform state as
# channel labels — not secrets, but personal data; protect the state accordingly.
resource "google_monitoring_notification_channel" "email_channel" {
  for_each = toset(var.email_addresses_to_be_notified)

  project      = var.project_id
  display_name = "KMS version scheduled for destruction alert channel"
  type         = "email"
  description  = "Sends email notifications for KMS key versions scheduled for destruction alerts"

  labels = {
    email_address = each.value
  }
}
--------------------------------------------------------------------------------
/examples/monitoring_alerts/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with
the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "key" { 18 | value = values(module.kms.keys)[0] 19 | description = "The version of the created KMS key." 20 | } 21 | 22 | output "keyring" { 23 | value = module.kms.keyring_name 24 | description = "The keyring created." 25 | } 26 | 27 | output "project_id" { 28 | value = var.project_id 29 | description = "GCP Project ID where key version was created." 30 | } 31 | 32 | output "notification_channel_names" { 33 | value = [for channel in google_monitoring_notification_channel.email_channel : channel.name] 34 | description = "Notification channel names." 35 | } 36 | -------------------------------------------------------------------------------- /examples/monitoring_alerts/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "monitor_all_keys_in_the_project" { 23 | type = bool 24 | description = "True for all KMS key versions under the same project to be monitored, false for only the KMS key version created in this example to be monitored. Default: false." 25 | } 26 | 27 | variable "email_addresses_to_be_notified" { 28 | type = list(string) 29 | description = "Email addresses used for sending notifications to." 30 | } 31 | 32 | variable "location" { 33 | type = string 34 | description = "Location to create the KMS key and keyring." 35 | default = "us-central1" 36 | } 37 | -------------------------------------------------------------------------------- /examples/simple_example/README.md: -------------------------------------------------------------------------------- 1 | # Simple Example 2 | 3 | This example illustrates how to use the `kms` module. 4 | 5 | 6 | ## Inputs 7 | 8 | | Name | Description | Type | Default | Required | 9 | |------|-------------|------|---------|:--------:| 10 | | keyring | Keyring name. | `string` | n/a | yes | 11 | | keys | Key names. | `list(string)` | `[]` | no | 12 | | location | Location for the keyring. | `string` | `"global"` | no | 13 | | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes | 14 | 15 | ## Outputs 16 | 17 | | Name | Description | 18 | |------|-------------| 19 | | keyring | The name of the keyring. | 20 | | keys | List of created kkey names. | 21 | | location | The location of the keyring. 
| 22 | 23 | 24 | 25 | To provision this example, run the following from within this directory: 26 | - `terraform init` to get the plugins 27 | - `terraform plan` to see the infrastructure plan 28 | - `terraform apply` to apply the infrastructure build 29 | - `terraform destroy` to destroy the built infrastructure 30 | -------------------------------------------------------------------------------- /examples/simple_example/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | module "kms" { 18 | source = "terraform-google-modules/kms/google" 19 | version = "~> 3.0" 20 | 21 | project_id = var.project_id 22 | keyring = var.keyring 23 | location = var.location 24 | keys = var.keys 25 | # keys can be destroyed by Terraform 26 | prevent_destroy = false 27 | } 28 | 29 | -------------------------------------------------------------------------------- /examples/simple_example/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "keyring" { 18 | description = "The name of the keyring." 19 | value = module.kms.keyring_resource.name 20 | } 21 | 22 | output "location" { 23 | description = "The location of the keyring." 24 | value = module.kms.keyring_resource.location 25 | } 26 | 27 | output "keys" { 28 | description = "List of created kkey names." 29 | value = keys(module.kms.keys) 30 | } 31 | -------------------------------------------------------------------------------- /examples/simple_example/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | 22 | variable "location" { 23 | description = "Location for the keyring." 
24 | type = string 25 | default = "global" 26 | } 27 | 28 | variable "keyring" { 29 | description = "Keyring name." 30 | type = string 31 | } 32 | 33 | variable "keys" { 34 | description = "Key names." 35 | type = list(string) 36 | default = [] 37 | } 38 | -------------------------------------------------------------------------------- /examples/simple_example/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_providers { 19 | google = { 20 | source = "hashicorp/google" 21 | } 22 | } 23 | required_version = ">= 0.13" 24 | } 25 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

locals {
  # Map of key name => crypto key resource ID, taken from whichever of the two
  # key resources below is active for this var.prevent_destroy value.
  # slice(..., 0, length(var.keys)) presumably gives zipmap a list whose length
  # is known at plan time — TODO confirm.
  keys_by_name = zipmap(var.keys, var.prevent_destroy ? slice(google_kms_crypto_key.key[*].id, 0, length(var.keys)) : slice(google_kms_crypto_key.key_ephemeral[*].id, 0, length(var.keys)))
}

# Cloud KMS key rings cannot be deleted and their names are immutable: removing
# this resource only drops it from state, and the name stays taken in the project.
resource "google_kms_key_ring" "key_ring" {
  name     = var.keyring
  project  = var.project_id
  location = var.location
}

# Crypto keys protected by lifecycle { prevent_destroy = true } (var.prevent_destroy = true).
#
# "key" and "key_ephemeral" are identical apart from the lifecycle block:
# lifecycle meta-arguments must be literals, so the flag cannot be driven by a
# variable and the resource is duplicated instead; exactly one of the two has a
# non-zero count. Keep both blocks in sync when adding arguments.
#
# Security note: per the google provider docs, removing a google_kms_crypto_key
# from Terraform schedules all of its versions for destruction, after which data
# encrypted under them is unrecoverable. prevent_destroy = true makes Terraform
# refuse to plan that, which is the safe choice for keys protecting live data.
resource "google_kms_crypto_key" "key" {
  count           = var.prevent_destroy ? length(var.keys) : 0
  name            = var.keys[count.index]
  key_ring        = google_kms_key_ring.key_ring.id
  # Automatic rotation interval; per Cloud KMS docs rotation creates a new
  # primary version and leaves earlier versions enabled for decryption.
  rotation_period = var.key_rotation_period
  purpose         = var.purpose
  # import_only / skip_initial_version_creation: key material is supplied by an
  # import job instead of being generated by KMS.
  import_only                   = var.import_only
  skip_initial_version_creation = var.skip_initial_version_creation
  # Per provider docs: EKM connection backing EXTERNAL_VPC-protected versions.
  crypto_key_backend            = var.crypto_key_backend

  lifecycle {
    prevent_destroy = true
  }

  # Grace period between scheduling a version for destruction and the material
  # actually being destroyed; the version can still be restored in that window.
  destroy_scheduled_duration = var.key_destroy_scheduled_duration

  version_template {
    algorithm        = var.key_algorithm
    protection_level = var.key_protection_level
  }

  labels = var.labels
}

# Same key definition without prevent_destroy (var.prevent_destroy = false).
# Intended for ephemeral/test keys; `terraform destroy` will schedule every
# version of these keys for destruction.
resource "google_kms_crypto_key" "key_ephemeral" {
  count                         = var.prevent_destroy ? 0 : length(var.keys)
  name                          = var.keys[count.index]
  key_ring                      = google_kms_key_ring.key_ring.id
  rotation_period               = var.key_rotation_period
  purpose                       = var.purpose
  import_only                   = var.import_only
  skip_initial_version_creation = var.skip_initial_version_creation
  crypto_key_backend            = var.crypto_key_backend

  lifecycle {
    prevent_destroy = false
  }

  destroy_scheduled_duration = var.key_destroy_scheduled_duration

  version_template {
    algorithm        = var.key_algorithm
    protection_level = var.key_protection_level
  }

  labels = var.labels
}

# IAM bindings below are AUTHORITATIVE per (key, role): google_kms_crypto_key_iam_binding
# sets the complete member list for that role on the key, so any principal that
# was granted the same role out-of-band (console, gcloud, another module) is
# removed on the next apply. Use a *_iam_member resource where additive grants
# are required.
#
# Index contract: set_owners_for[i] names the key and owners[i] is the
# comma-separated member list for it; both lists must have the same length and
# order (likewise for decrypters/encrypters). compact() drops empty strings, so
# a trailing comma is harmless.
resource "google_kms_crypto_key_iam_binding" "owners" {
  count         = length(var.set_owners_for)
  # NOTE(review): roles/owner is a basic role and much broader than key
  # administration; check whether roles/cloudkms.admin would satisfy the use
  # case before relying on this. Left unchanged for backward compatibility.
  role          = "roles/owner"
  crypto_key_id = local.keys_by_name[var.set_owners_for[count.index]]
  members       = compact(split(",", var.owners[count.index]))
}

# Decrypt-only principals for set_decrypters_for[i] (members from decrypters[i]).
resource "google_kms_crypto_key_iam_binding" "decrypters" {
  count         = length(var.set_decrypters_for)
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  crypto_key_id = local.keys_by_name[var.set_decrypters_for[count.index]]
  members       = compact(split(",", var.decrypters[count.index]))
}

# Encrypt-only principals for set_encrypters_for[i] (members from encrypters[i]).
resource "google_kms_crypto_key_iam_binding" "encrypters" {
  count = length(var.set_encrypters_for)
  role  = "roles/cloudkms.cryptoKeyEncrypter"
  # element() wraps around on out-of-range indexes, but count.index is always
  # in range here, so this is equivalent to the [count.index] form used above.
  crypto_key_id = local.keys_by_name[element(var.set_encrypters_for, count.index)]
  members       = compact(split(",", var.encrypters[count.index]))
}
--------------------------------------------------------------------------------
/modules/autokey/README.md:
--------------------------------------------------------------------------------
# Autokey submodule

This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature simple to be used.
This submodule will create the [Autokey Config](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) for an existing folder where you want to enable Autokey, set up the Cloud KMS [service agent](https://cloud.google.com/kms/docs/enable-autokey#autokey-service-agent) on an existing key project. 4 | 5 | ## Inputs 6 | 7 | | Name | Description | Type | Default | Required | 8 | |------|-------------|------|---------|:--------:| 9 | | autokey\_folder\_number | The folder number on which autokey will be configured and enabled. Required when using Autokey. | `string` | n/a | yes | 10 | | key\_project\_id | The ID of the project in which kms keyrings and keys will be provisioned by the Autokey. | `string` | n/a | yes | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | autokey\_config\_id | An Autokey configuration identifier. | 17 | 18 | 19 | -------------------------------------------------------------------------------- /modules/autokey/iam.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

# Resolves the key project so its numeric ID is available for the service agent
# resource and the agent's e-mail address below (presumably needs
# resourcemanager.projects.get on the project — verify for the deploying identity).
data "google_project" "kms_project" {
  project_id = var.key_project_id
}

# Create KMS Service Agent: forces creation of the Cloud KMS service agent
# (service-<project-number>@gcp-sa-cloudkms.iam.gserviceaccount.com) in the key
# project so it exists before the role grant below.
resource "google_project_service_identity" "kms_service_agent" {
  provider = google-beta

  service = "cloudkms.googleapis.com"
  project = data.google_project.kms_project.number
}

# Wait delay after creating service agent.
# Fixed sleeps are a best-effort workaround for eventual consistency; nothing
# here polls for readiness. If the next step fails with a not-found/permission
# error, re-running the apply after a short pause is the expected remedy.
resource "time_sleep" "wait_service_agent" {
  create_duration = "10s"
  depends_on      = [google_project_service_identity.kms_service_agent]
}

# Grant the KMS Service Agent the Cloud KMS Admin role.
# Security note: this is a PROJECT-wide roles/cloudkms.admin grant — the agent
# can create and administer every key ring and key in var.key_project_id, not
# just Autokey-managed ones. Keep the key project dedicated to Autokey. The
# grant is non-authoritative (iam_member), so other bindings are left untouched.
resource "google_project_iam_member" "autokey_project_admin" {
  provider = google-beta

  project    = var.key_project_id
  role       = "roles/cloudkms.admin"
  member     = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com"
  depends_on = [time_sleep.wait_service_agent]
}

# Wait delay after granting IAM permissions.
# Same caveat as above: IAM propagation can take longer than 10s and nothing
# verifies the binding is effective before google_kms_autokey_config (main.tf)
# is created.
resource "time_sleep" "wait_srv_acc_permissions" {
  create_duration = "10s"
  depends_on      = [google_project_iam_member.autokey_project_admin]
}
--------------------------------------------------------------------------------
/modules/autokey/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Enables Autokey for a folder: projects under var.autokey_folder_number can
# request Autokey-managed keys, all of which are created in var.key_project_id.
# The blast radius is the whole folder subtree, so the key project should not
# host unrelated workloads. depends_on ties creation to the IAM propagation
# wait in iam.tf; presumably the API rejects a key project whose Cloud KMS
# service agent does not yet hold cloudkms.admin — TODO confirm.
resource "google_kms_autokey_config" "primary" {
  provider = google-beta

  # Per variables.tf this is the folder *number*; confirm the exact format the
  # provider accepts before substituting a "folders/<n>" style value.
  folder      = var.autokey_folder_number
  key_project = "projects/${var.key_project_id}"
  depends_on  = [time_sleep.wait_srv_acc_permissions]
}
--------------------------------------------------------------------------------
/modules/autokey/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Resource ID of the folder-level Autokey config (useful as a dependency anchor
# for resources that request Autokey key handles).
output "autokey_config_id" {
  description = "An Autokey configuration identifier."
  value       = google_kms_autokey_config.primary.id
}
--------------------------------------------------------------------------------
/modules/autokey/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "key_project_id" { 18 | description = "The ID of the project in which kms keyrings and keys will be provisioned by the Autokey." 19 | type = string 20 | } 21 | 22 | variable "autokey_folder_number" { 23 | type = string 24 | description = "The folder number on which autokey will be configured and enabled. Required when using Autokey." 25 | } 26 | 27 | -------------------------------------------------------------------------------- /modules/autokey/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
 */

# Provider requirements for the autokey submodule. All constraints are
# open-ended (">="), so a future major provider release is accepted
# automatically; consuming roots should commit .terraform.lock.hcl so upgrades
# are deliberate. NOTE(review): no resource in this submodule's files uses the
# random provider — confirm whether that requirement is still needed.
terraform {
  required_version = ">= 1.3"
  required_providers {

    google = {
      source  = "hashicorp/google"
      version = ">= 5.31.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 5.31.0"
    }
    time = {
      source  = "hashicorp/time"
      version = ">= 0.12.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.6.2"
    }
  }

  # Module usage attribution sent with provider requests.
  provider_meta "google" {
    module_name = "blueprints/terraform/terraform-google-kms:autokey/v4.0.0"
  }
  provider_meta "google-beta" {
    module_name = "blueprints/terraform/terraform-google-kms:autokey/v4.0.0"
  }

}
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Every output depends on the three IAM bindings so that a consumer referencing
# any output (e.g. to encrypt a bucket or disk with a key) is not created before
# the encrypt/decrypt grants exist. Without this, the key would be usable only
# after the bindings converge, which can fail a dependent resource's creation.

output "keyring" {
  description = "Self link of the keyring."
  value       = google_kms_key_ring.key_ring.id

  # IAM grants must be in place before the key is ready for use.
  depends_on = [
    google_kms_crypto_key_iam_binding.owners,
    google_kms_crypto_key_iam_binding.decrypters,
    google_kms_crypto_key_iam_binding.encrypters,
  ]
}

output "keyring_resource" {
  description = "Keyring resource."
  value       = google_kms_key_ring.key_ring

  # IAM grants must be in place before the key is ready for use.
  depends_on = [
    google_kms_crypto_key_iam_binding.owners,
    google_kms_crypto_key_iam_binding.decrypters,
    google_kms_crypto_key_iam_binding.encrypters,
  ]
}

# Key name => crypto key resource ID (see local.keys_by_name in main.tf).
output "keys" {
  description = "Map of key name => key self link."
  value       = local.keys_by_name

  # IAM grants must be in place before the key is ready for use.
  depends_on = [
    google_kms_crypto_key_iam_binding.owners,
    google_kms_crypto_key_iam_binding.decrypters,
    google_kms_crypto_key_iam_binding.encrypters,
  ]
}

output "keyring_name" {
  description = "Name of the keyring."
  value       = google_kms_key_ring.key_ring.name

  # IAM grants must be in place before the key is ready for use.
  depends_on = [
    google_kms_crypto_key_iam_binding.owners,
    google_kms_crypto_key_iam_binding.decrypters,
    google_kms_crypto_key_iam_binding.encrypters,
  ]
}
--------------------------------------------------------------------------------
/test/.gitignore:
--------------------------------------------------------------------------------
# Presumably a locally-sourced shell file with test environment variables
# (project IDs, credentials); keep it out of version control.
source.sh
--------------------------------------------------------------------------------
/test/fixtures/autokey_setup_fixture/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | module "autokey_setup_fixture" { 17 | source = "../../../examples/autokey_setup" 18 | key_project_id = var.project_id 19 | folder_id = var.folder_id 20 | } 21 | -------------------------------------------------------------------------------- /test/fixtures/autokey_setup_fixture/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "autokey_config_id" { 18 | description = "An Autokey configuration identifier." 19 | value = module.autokey_setup_fixture.autokey_config_id 20 | } 21 | 22 | output "key_project_id" { 23 | description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." 24 | value = var.project_id 25 | } 26 | -------------------------------------------------------------------------------- /test/fixtures/autokey_setup_fixture/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." 19 | type = string 20 | } 21 | 22 | variable "folder_id" { 23 | description = "The ID of the folder for which to configure and enable Autokey feature." 24 | type = string 25 | 26 | } 27 | -------------------------------------------------------------------------------- /test/fixtures/bucket_setup_using_autokey_fixture/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | module "bucket_setup_using_autokey_fixture" { 17 | source = "../../../examples/bucket_setup_using_autokey" 18 | key_project_id = var.project_id 19 | folder_id = var.folder_id 20 | resource_project_id = var.resource_project_id 21 | bucket_location = var.bucket_location 22 | } 23 | -------------------------------------------------------------------------------- /test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "bucket_keyhandle" { 18 | description = "Keyhandle configuration created for the bucket." 19 | value = module.bucket_setup_using_autokey_fixture.bucket_keyhandle 20 | } 21 | 22 | output "bucket_name" { 23 | description = "Name of the bucket created." 24 | value = module.bucket_setup_using_autokey_fixture.bucket_name 25 | } 26 | -------------------------------------------------------------------------------- /test/fixtures/bucket_setup_using_autokey_fixture/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." 19 | type = string 20 | } 21 | 22 | variable "folder_id" { 23 | type = string 24 | description = "The ID of the folder for which to configure and enable Autokey feature." 25 | } 26 | 27 | variable "resource_project_id" { 28 | description = "The ID of the project in which to provision cloud storage bucket resources." 29 | type = string 30 | } 31 | 32 | variable "bucket_location" { 33 | type = string 34 | description = "The GCP location where storage bucket will be created" 35 | default = "us-central1" 36 | } 37 | -------------------------------------------------------------------------------- /test/fixtures/monitoring_alerts_on_project/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "monitoring_alert_on_project" { 18 | source = "../../../examples/monitoring_alerts" 19 | 20 | monitor_all_keys_in_the_project = true 21 | project_id = var.project_id 22 | email_addresses_to_be_notified = ["email@example.com", "email2@example.com"] 23 | } 24 | -------------------------------------------------------------------------------- /test/fixtures/monitoring_alerts_on_project/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "key" { 18 | value = module.monitoring_alert_on_project.key 19 | description = "The version of the created KMS key." 20 | } 21 | 22 | output "keyring" { 23 | value = module.monitoring_alert_on_project.keyring 24 | description = "The keyring created." 25 | } 26 | 27 | output "project_id" { 28 | value = module.monitoring_alert_on_project.project_id 29 | description = "GCP Project ID where key version was created." 30 | } 31 | 32 | output "notification_channel_names" { 33 | value = module.monitoring_alert_on_project.notification_channel_names 34 | description = "Notification channel names." 
35 | } 36 | -------------------------------------------------------------------------------- /test/fixtures/monitoring_alerts_on_project/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | -------------------------------------------------------------------------------- /test/fixtures/monitoring_alerts_specific_key/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | module "monitoring_alert_specific_key" { 18 | source = "../../../examples/monitoring_alerts" 19 | 20 | monitor_all_keys_in_the_project = false 21 | project_id = var.project_id 22 | email_addresses_to_be_notified = ["email@example.com", "email2@example.com"] 23 | } 24 | -------------------------------------------------------------------------------- /test/fixtures/monitoring_alerts_specific_key/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "key" { 18 | value = module.monitoring_alert_specific_key.key 19 | description = "The version of the created KMS key." 20 | } 21 | 22 | output "keyring" { 23 | value = module.monitoring_alert_specific_key.keyring 24 | description = "The keyring created." 25 | } 26 | 27 | output "project_id" { 28 | value = module.monitoring_alert_specific_key.project_id 29 | description = "GCP Project ID where key version was created." 30 | } 31 | 32 | output "notification_channel_names" { 33 | value = module.monitoring_alert_specific_key.notification_channel_names 34 | description = "Notification channel names." 
35 | } 36 | -------------------------------------------------------------------------------- /test/fixtures/monitoring_alerts_specific_key/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "The ID of the project in which to provision resources." 19 | type = string 20 | } 21 | -------------------------------------------------------------------------------- /test/fixtures/simple_example/main.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | resource "random_pet" "main" { 18 | length = 1 19 | prefix = "simple-example" 20 | separator = "-" 21 | } 22 | 23 | module "example" { 24 | source = "../../../examples/simple_example" 25 | project_id = var.project_id 26 | keyring = random_pet.main.id 27 | location = "global" 28 | keys = ["one", "two"] 29 | } 30 | -------------------------------------------------------------------------------- /test/fixtures/simple_example/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "keyring" { 18 | description = "The name of the keyring." 19 | value = module.example.keyring 20 | } 21 | 22 | output "keys" { 23 | description = "Name of generated keys." 24 | value = module.example.keys 25 | } 26 | 27 | output "location" { 28 | description = "Location for the keyring." 29 | value = module.example.location 30 | } 31 | 32 | output "project_id" { 33 | description = "The ID of the project in which resources are provisioned." 
34 | value = var.project_id 35 | } 36 | -------------------------------------------------------------------------------- /test/fixtures/simple_example/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | type = string 19 | description = "The ID of the project in which to provision resources." 20 | } 21 | -------------------------------------------------------------------------------- /test/fixtures/simple_example/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2023 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | random = { 21 | source = "hashicorp/random" 22 | version = ">= 3.0" 23 | } 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /test/integration/autokey_setup/autokey_setup_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package autokey_setup 16 | 17 | import ( 18 | "context" 19 | "fmt" 20 | "io" 21 | "testing" 22 | 23 | "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" 24 | "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" 25 | "github.com/stretchr/testify/assert" 26 | "golang.org/x/oauth2/google" 27 | ) 28 | 29 | func TestAutokeySetup(t *testing.T) { 30 | bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/autokey_setup_fixture")) 31 | bpt.DefineVerify(func(assert *assert.Assertions) { 32 | bpt.DefaultVerify(assert) 33 | 34 | kmsProjectId := bpt.GetStringOutput("key_project_id") 35 | autokeyConfig := bpt.GetStringOutput("autokey_config_id") 36 | 37 | // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API. 
38 | autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig) 39 | 40 | httpClient, err := google.DefaultClient(context.Background(), "https://www.googleapis.com/auth/cloud-platform") 41 | 42 | if err != nil { 43 | t.Fatal(err.Error()) 44 | } 45 | 46 | resp, err := httpClient.Get(autokeyConfigUrl) 47 | if err != nil { 48 | t.Fatal(err.Error()) 49 | } 50 | 51 | defer resp.Body.Close() 52 | body, err := io.ReadAll(resp.Body) 53 | if err != nil { 54 | t.Fatal(err.Error()) 55 | } 56 | 57 | result := utils.ParseJSONResult(t, string(body)) 58 | 59 | // Asserting if Autokey configuration was enabled with correct kms project id 60 | autokeyConfigProject := result.Get("keyProject").String() 61 | assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", kmsProjectId), "autokey expected for project %s", kmsProjectId) 62 | }) 63 | 64 | bpt.Test() 65 | } 66 | -------------------------------------------------------------------------------- /test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package bucket_setup_using_autokey 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" 21 | "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" 22 | "github.com/stretchr/testify/assert" 23 | ) 24 | 25 | func TestBucketSetupUsingAutokey(t *testing.T) { 26 | bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/bucket_setup_using_autokey_fixture")) 27 | bpt.DefineVerify(func(assert *assert.Assertions) { 28 | bpt.DefaultVerify(assert) 29 | 30 | bucketKeyHandle := bpt.GetJsonOutput("bucket_keyhandle") 31 | bucketName := bpt.GetStringOutput("bucket_name") 32 | 33 | keyHandleKmsKey := bucketKeyHandle.Get("kms_key").String() 34 | op1 := gcloud.Runf(t, "storage buckets describe gs://%s", bucketName).Array() 35 | bucketKmsKey := op1[0].Map()["default_kms_key"].Str 36 | assert.True(keyHandleKmsKey != "", "Invalid KMS Key generated for bucket keyhandle") 37 | assert.True(bucketKmsKey == keyHandleKmsKey, "KMS Key generated for bucket keyhandle %s is not matching with kms key used in bucket %s", keyHandleKmsKey, bucketKmsKey) 38 | }) 39 | 40 | bpt.Test() 41 | } 42 | -------------------------------------------------------------------------------- /test/integration/discover_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package test 16 | 17 | import ( 18 | "testing" 19 | 20 | "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" 21 | ) 22 | 23 | func TestAll(t *testing.T) { 24 | tft.AutoDiscoverAndTest(t) 25 | } 26 | -------------------------------------------------------------------------------- /test/integration/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/terraform-google-modules/terraform-google-kms/test/integration 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.23.6 6 | 7 | require ( 8 | github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.17.5 9 | github.com/stretchr/testify v1.10.0 10 | github.com/tidwall/gjson v1.18.0 11 | golang.org/x/oauth2 v0.25.0 12 | ) 13 | 14 | require ( 15 | cloud.google.com/go v0.116.0 // indirect 16 | cloud.google.com/go/compute/metadata v0.5.2 // indirect 17 | cloud.google.com/go/iam v1.2.2 // indirect 18 | cloud.google.com/go/storage v1.47.0 // indirect 19 | github.com/agext/levenshtein v1.2.3 // indirect 20 | github.com/alexflint/go-filemutex v1.3.0 // indirect 21 | github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect 22 | github.com/aws/aws-sdk-go v1.45.5 // indirect 23 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect 24 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 25 | github.com/go-errors/errors v1.5.0 // indirect 26 | github.com/go-openapi/jsonpointer v0.21.0 // indirect 27 | github.com/go-openapi/jsonreference v0.20.2 // indirect 28 | github.com/go-openapi/swag v0.23.0 // indirect 29 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 30 | github.com/golang/protobuf v1.5.4 // indirect 31 | github.com/google/gnostic-models v0.6.9 // indirect 32 | github.com/google/go-cmp v0.6.0 // indirect 33 | 
github.com/google/s2a-go v0.1.8 // indirect 34 | github.com/google/uuid v1.6.0 // indirect 35 | github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect 36 | github.com/googleapis/gax-go/v2 v2.14.0 // indirect 37 | github.com/gruntwork-io/terratest v0.48.1 // indirect 38 | github.com/hashicorp/errwrap v1.1.0 // indirect 39 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 40 | github.com/hashicorp/go-getter v1.7.6 // indirect 41 | github.com/hashicorp/go-getter/v2 v2.2.3 // indirect 42 | github.com/hashicorp/go-multierror v1.1.1 // indirect 43 | github.com/hashicorp/go-safetemp v1.0.0 // indirect 44 | github.com/hashicorp/go-version v1.7.0 // indirect 45 | github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect 46 | github.com/hashicorp/hcl/v2 v2.22.0 // indirect 47 | github.com/hashicorp/terraform-config-inspect v0.0.0-20241129133400-c404f8227ea6 // indirect 48 | github.com/hashicorp/terraform-json v0.24.0 // indirect 49 | github.com/jinzhu/copier v0.4.0 // indirect 50 | github.com/jmespath/go-jmespath v0.4.0 // indirect 51 | github.com/josharian/intern v1.0.0 // indirect 52 | github.com/klauspost/compress v1.16.7 // indirect 53 | github.com/mailru/easyjson v0.7.7 // indirect 54 | github.com/mattn/go-shellwords v1.0.12 // indirect 55 | github.com/mattn/go-zglob v0.0.4 // indirect 56 | github.com/mitchellh/go-homedir v1.1.0 // indirect 57 | github.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770 // indirect 58 | github.com/mitchellh/go-wordwrap v1.0.1 // indirect 59 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 60 | github.com/tidwall/match v1.1.1 // indirect 61 | github.com/tidwall/pretty v1.2.1 // indirect 62 | github.com/tidwall/sjson v1.2.5 // indirect 63 | github.com/tmccombs/hcl2json v0.6.4 // indirect 64 | github.com/ulikunitz/xz v0.5.11 // indirect 65 | github.com/zclconf/go-cty v1.15.1 // indirect 66 | go.opencensus.io v0.24.0 // indirect 67 | golang.org/x/crypto 
v0.31.0 // indirect 68 | golang.org/x/mod v0.22.0 // indirect 69 | golang.org/x/net v0.33.0 // indirect 70 | golang.org/x/sync v0.10.0 // indirect 71 | golang.org/x/sys v0.28.0 // indirect 72 | golang.org/x/text v0.21.0 // indirect 73 | golang.org/x/tools v0.26.0 // indirect 74 | golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect 75 | google.golang.org/api v0.206.0 // indirect 76 | google.golang.org/appengine v1.6.8 // indirect 77 | google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f // indirect 78 | google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect 79 | google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect 80 | google.golang.org/grpc v1.67.1 // indirect 81 | google.golang.org/protobuf v1.35.1 // indirect 82 | gopkg.in/yaml.v3 v3.0.1 // indirect 83 | k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect 84 | sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect 85 | sigs.k8s.io/yaml v1.4.0 // indirect 86 | ) 87 | -------------------------------------------------------------------------------- /test/integration/import_only_example/import_only_example_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package simple_example 16 | 17 | import ( 18 | "fmt" 19 | "testing" 20 | 21 | "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" 22 | "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" 23 | "github.com/stretchr/testify/assert" 24 | ) 25 | 26 | func TestImportOnlyExample(t *testing.T) { 27 | bpt := tft.NewTFBlueprintTest(t) 28 | bpt.DefineVerify(func(assert *assert.Assertions) { 29 | bpt.DefaultVerify(assert) 30 | 31 | projectId := bpt.GetStringOutput("project_id") 32 | keyring := bpt.GetStringOutput("keyring") 33 | location := bpt.GetStringOutput("location") 34 | keys := [2]string{"one", "two"} 35 | 36 | op := gcloud.Runf(t, "--project=%s kms keyrings list --location %s --filter name:%s", projectId, location, keyring).Array()[0].Get("name") 37 | assert.Contains(op.String(), fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", projectId, location, keyring), "Contains KeyRing") 38 | 39 | op1 := gcloud.Runf(t, "kms keys list --project=%s --keyring %s --location %s", projectId, keyring, location).Array() 40 | for index, element := range op1 { 41 | assert.Equal(element.Get("name").String(), fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", projectId, location, keyring, keys[index]), "Contains Keys") 42 | assert.True(element.Get("importOnly").Bool(), "ImportOnly flag") 43 | } 44 | }) 45 | 46 | bpt.Test() 47 | } 48 | -------------------------------------------------------------------------------- /test/integration/monitoring_alerts/monitoring_alerts_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
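// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package monitoring_alert

import (
	"errors"
	"fmt"
	"strings"
	"testing"
	"time"

	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
	"github.com/stretchr/testify/assert"
	"github.com/tidwall/gjson"
)

// TestMonitoringAlertKeyVersion verifies the monitoring_alerts example in two
// configurations, one iteration per entry of the fixtures map (Go map
// iteration order is unspecified, so the two runs happen in arbitrary order):
//   - true:  the alert policy watches DestroyCryptoKeyVersion requests for
//            every KMS key in the project.
//   - false: the alert policy watches DestroyCryptoKeyVersion requests for a
//            single KMS key; the test then destroys a key version and waits
//            for the alert to show up in the monitoring log.
//
// Fixtures are used instead of the example directly because the
// "monitor all keys" boolean has to be passed as a Terraform input.
func TestMonitoringAlertKeyVersion(t *testing.T) {
	fixtures := map[bool]string{
		true:  "../../fixtures/monitoring_alerts_on_project",
		false: "../../fixtures/monitoring_alerts_specific_key",
	}

	for monitorAllKeys, fixturePath := range fixtures {
		kmsAlertT := tft.NewTFBlueprintTest(t,
			tft.WithTFDir(fixturePath),
		)

		kmsAlertT.DefineVerify(func(assert *assert.Assertions) {
			kmsAlertT.DefaultVerify(assert)

			projectId := kmsAlertT.GetStringOutput("project_id")
			keyVersion := kmsAlertT.GetStringOutput("key")
			keyring := kmsAlertT.GetStringOutput("keyring")
			notificationChannelNames := kmsAlertT.GetJsonOutput("notification_channel_names").Array()

			// Both notification channels declared by the fixture must exist in
			// Cloud Monitoring and carry the expected e-mail addresses.
			assert.Len(notificationChannelNames, 2)
			notificationChannelEmailAddresses := []string{}
			notificationChannelStringNames := []string{}
			for _, notificationChannelName := range notificationChannelNames {
				channelName := notificationChannelName.String()
				notificationChannelStringNames = append(notificationChannelStringNames, channelName)
				monitoringChannel := gcloud.Runf(t, "beta monitoring channels list --project %s --filter 'name=\"%s\"'", projectId, channelName).Array()
				// A failed Len assertion does not stop the closure, so guard the
				// [0] access below instead of panicking on an empty result.
				if !assert.Len(monitoringChannel, 1, "notification channel %s", channelName) {
					continue
				}
				notificationChannelEmailAddresses = append(notificationChannelEmailAddresses, monitoringChannel[0].Get("labels.email_address").String())
			}
			assert.ElementsMatch([]string{"email@example.com", "email2@example.com"}, notificationChannelEmailAddresses)

			// Filter of the log-based alert condition the fixture is expected to
			// create. The single-key variant narrows it to versions of that key.
			const destroyRequestFilter = "protoPayload.request.@type=\"type.googleapis.com/google.cloud.kms.v1.DestroyCryptoKeyVersionRequest\""
			expectedFilter := destroyRequestFilter
			if !monitorAllKeys {
				expectedFilter = fmt.Sprintf("%s AND protoPayload.request.name=~\"%s/.*\"", destroyRequestFilter, keyVersion)
			}

			// Locate the alert policy whose first condition carries expectedFilter.
			monitoringAlerts := gcloud.Runf(t, "alpha monitoring policies list --project %s", projectId).Array()
			var monitoringAlert gjson.Result
			found := false
			for _, candidate := range monitoringAlerts {
				conditions := candidate.Get("conditions").Array()
				if len(conditions) > 0 && conditions[0].Get("conditionMatchedLog.filter").String() == expectedFilter {
					monitoringAlert = candidate
					found = true
					break
				}
			}
			// Without this guard the assertions below run against an empty
			// gjson.Result and fail with messages unrelated to the real cause.
			if !assert.True(found, "no alert policy with filter %q found in project %s", expectedFilter, projectId) {
				return
			}
			alertCondition := monitoringAlert.Get("conditions").Array()
			assert.Len(alertCondition, 1)
			assert.Equal(expectedFilter, alertCondition[0].Get("conditionMatchedLog.filter").String())
			// Every channel attached to the policy must be one of the fixture's.
			for _, notificationChannel := range monitoringAlert.Get("notificationChannels").Array() {
				assert.Contains(notificationChannelStringNames, notificationChannel.String())
			}
			assert.Equal("WARNING", monitoringAlert.Get("severity").String())
			assert.Equal("300s", monitoringAlert.Get("alertStrategy.notificationRateLimit.period").String())
			assert.True(monitoringAlert.Get("enabled").Bool())

			// Destroying a key version is exercised only for the single-key case
			// to keep the overall test runtime down. Note that this is
			// irreversible for version 1 of the fixture's "alert-key", and the
			// location is hard-coded to us-central1 to match the fixture.
			if !monitorAllKeys {
				// presumably gives the freshly created policy time to become
				// active before the event it should catch is generated — the
				// original leaves the reason unstated.
				time.Sleep(1 * time.Minute)

				// Runf is itself a format function: pass the arguments to it
				// directly rather than pre-formatting with fmt.Sprintf, which
				// go vet flags as a non-constant format string.
				gcloud.Runf(t, "kms keys versions destroy 1 --location us-central1 --keyring %s --key alert-key --project %s", keyring, projectId)

				expectedLogName := fmt.Sprintf("projects/%s/logs/monitoring.googleapis.com", projectId)
				const expectedLogMessage = "Log match condition fired for Cloud KMS CryptoKeyVersion"
				// Wait for the alert trigger to be written to the monitoring log.
				utils.Poll(t, func() (bool, error) {
					alertingLogs := gcloud.Runf(t, "logging read logName:\"projects/%s/logs/monitoring.googleapis.com\" --freshness=2m --project %s", projectId, projectId).Array()
					for _, log := range alertingLogs {
						logMessage := log.Get("labels.verbose_message").String()
						logName := log.Get("logName").String()
						if strings.Contains(logMessage, expectedLogMessage) && strings.Contains(logName, expectedLogName) {
							// The alert fired: stop polling.
							return false, nil
						}
					}
					// NOTE(review): this relies on utils.Poll treating a non-nil
					// error as "retry" rather than as fatal — confirm against the
					// blueprint-test implementation; if an error aborts polling,
					// return `true, nil` here and let Poll's own timeout report
					// the failure.
					return true, errors.New("Alert wasn't fired correctly.")
				},
					// Time out after 20 retries spaced 10 seconds apart.
					20,
					10*time.Second)
			}
		})
		kmsAlertT.Test()
	}
}
--------------------------------------------------------------------------------
/test/integration/simple_example/simple_example_test.go:
--------------------------------------------------------------------------------
// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.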
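// See the License for the specific language governing permissions and
// limitations under the License.

package simple_example

import (
	"fmt"
	"testing"

	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
	"github.com/stretchr/testify/assert"
)

// TestSimpleExample deploys the simple_example and checks that the keyring
// exists in Cloud KMS and that each of its keys has primary version 1 and is
// not flagged import-only.
func TestSimpleExample(t *testing.T) {
	bpt := tft.NewTFBlueprintTest(t)
	bpt.DefineVerify(func(assert *assert.Assertions) {
		bpt.DefaultVerify(assert)

		projectId := bpt.GetStringOutput("project_id")
		keyring := bpt.GetStringOutput("keyring")
		location := bpt.GetStringOutput("location")
		// Key names the example is expected to create, matched positionally
		// against the key list below.
		// NOTE(review): this relies on `gcloud kms keys list` returning the keys
		// in this order — confirm, or match by name instead.
		keys := []string{"one", "two"}

		keyrings := gcloud.Runf(t, "--project=%s kms keyrings list --location %s --filter name:%s", projectId, location, keyring).Array()
		// A failed assertion does not stop the closure, so guard the [0] access
		// rather than panicking on an empty result.
		if !assert.NotEmpty(keyrings, "keyring %s not found in %s/%s", keyring, projectId, location) {
			return
		}
		keyringName := keyrings[0].Get("name").String()
		assert.Contains(keyringName, fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", projectId, location, keyring), "Contains KeyRing")

		cryptoKeys := gcloud.Runf(t, "kms keys list --project=%s --keyring %s --location %s", projectId, keyring, location).Array()
		// Pin the key count: fewer keys than expected previously passed silently,
		// more keys panicked with an index-out-of-range on keys[index].
		if !assert.Len(cryptoKeys, len(keys), "number of keys in keyring %s", keyring) {
			return
		}
		for index, element := range cryptoKeys {
			expectedPrimary := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/1", projectId, location, keyring, keys[index])
			// testify's argument order is (expected, actual).
			assert.Equal(expectedPrimary, element.Get("primary.name").String(), "Contains Keys")
			assert.False(element.Get("importOnly").Bool(), "ImportOnly flag")
		}
	})

	bpt.Test()
}
--------------------------------------------------------------------------------
/test/setup/.gitignore:
--------------------------------------------------------------------------------
terraform.tfvars
source.sh
--------------------------------------------------------------------------------
/test/setup/iam.tf:
--------------------------------------------------------------------------------
/**
 *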
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

locals {
  # Roles granted to the integration-test service account on the test folder.
  int_required_roles = [
    "roles/cloudkms.admin",

    # Needed to run verifications:
    # NOTE(review): roles/owner at folder level is far broader than the KMS
    # operations under test; the folder is test-only (main.tf), but this
    # identity can act on every project beneath it.
    "roles/owner"
  ]
}

# Identity the integration tests run as; lives in the CI KMS project.
resource "google_service_account" "int_test" {
  project      = module.project_ci_kms.project_id
  account_id   = "kms-int-test"
  display_name = "kms-int-test"
}

# One binding per role, granted on the test folder rather than on a single
# project — presumably so the projects created inside the folder inherit them.
resource "google_folder_iam_member" "int_test" {
  count = length(local.int_required_roles)

  folder = google_folder.test_folder.folder_id
  role   = local.int_required_roles[count.index]
  member = "serviceAccount:${google_service_account.int_test.email}"
}

# User-managed key for the test identity, exported through the sensitive
# `sa_key` output. It is a long-lived credential: keep its consumers limited
# to the CI pipeline and treat the state file that holds it as secret.
resource "google_service_account_key" "int_test" {
  service_account_id = google_service_account.int_test.id
}
--------------------------------------------------------------------------------
/test/setup/main.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Suffix that keeps the test folder name unique across concurrent runs.
resource "random_string" "suffix" {
  length  = 6
  special = false
  upper   = false
}

# Folder that scopes everything the integration tests create; the IAM
# bindings in iam.tf are attached here.
resource "google_folder" "test_folder" {
  display_name = "test_kms_fldr_${random_string.suffix.result}"
  parent       = "folders/${var.folder_id}"
}

# Project the KMS module and its monitoring/logging examples are tested in.
module "project_ci_kms" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 18.0"

  name              = "ci-kms-module"
  random_project_id = "true"
  org_id            = var.org_id
  folder_id         = google_folder.test_folder.folder_id
  billing_account   = var.billing_account

  activate_apis = [
    "cloudkms.googleapis.com",
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "monitoring.googleapis.com",
    "logging.googleapis.com"
  ]

  # Grants the Cloud KMS service identity admin on this project.
  activate_api_identities = [{
    api = "cloudkms.googleapis.com"
    roles = [
      "roles/cloudkms.admin"
    ]
  }]
}

# Second project used by the Autokey examples as the resource project
# (see the resource_project_* outputs); it does not enable the KMS API itself.
module "autokey_resource_project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 18.0"

  name              = "autokey-resource"
  random_project_id = "true"
  org_id            = var.org_id
  folder_id         = google_folder.test_folder.folder_id
  billing_account   = var.billing_account

  activate_apis = [
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com"
  ]
}
--------------------------------------------------------------------------------
/test/setup/outputs.tf:
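--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# Project the KMS module examples are deployed into.
output "project_id" {
  value = module.project_ci_kms.project_id
}

# Resource project used by the Autokey examples.
output "resource_project_id" {
  value = module.autokey_resource_project.project_id
}

output "resource_project_number" {
  value = module.autokey_resource_project.project_number
}

# Private key of the integration-test service account. Marked sensitive so
# it is redacted from plan/apply output; it still lands in state in clear.
output "sa_key" {
  value     = google_service_account_key.int_test.private_key
  sensitive = true
}

# Numeric id of the test folder. Uses the resource's folder_id attribute, the
# same one iam.tf and main.tf reference, instead of splitting the
# "folders/<id>" form of `id` by hand.
output "folder_id" {
  value = google_folder.test_folder.folder_id
}
--------------------------------------------------------------------------------
/test/setup/variables.tf:
--------------------------------------------------------------------------------
/**
 * Copyright 2018 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.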
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | variable "org_id" { 17 | } 18 | 19 | variable "folder_id" { 20 | } 21 | 22 | variable "billing_account" { 23 | } 24 | -------------------------------------------------------------------------------- /test/setup/versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 0.13" 19 | required_providers { 20 | google = { 21 | source = "hashicorp/google" 22 | version = ">= 5.31.0" 23 | } 24 | google-beta = { 25 | source = "hashicorp/google-beta" 26 | version = ">= 5.31.0" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | variable "project_id" { 18 | description = "Project id where the keyring will be created." 19 | type = string 20 | } 21 | 22 | # cf https://cloud.google.com/kms/docs/locations 23 | variable "location" { 24 | description = "Location for the keyring." 25 | type = string 26 | } 27 | 28 | variable "keyring" { 29 | description = "Keyring name." 30 | type = string 31 | } 32 | 33 | variable "keys" { 34 | description = "Key names." 35 | type = list(string) 36 | default = [] 37 | } 38 | 39 | variable "prevent_destroy" { 40 | description = "Set the prevent_destroy lifecycle attribute on keys." 41 | type = bool 42 | default = true 43 | } 44 | 45 | variable "key_destroy_scheduled_duration" { 46 | description = "Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED." 47 | type = string 48 | default = null 49 | } 50 | 51 | variable "purpose" { 52 | type = string 53 | description = "The immutable purpose of the CryptoKey. Default value is ENCRYPT_DECRYPT. See purpose reference (https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs." 54 | default = "ENCRYPT_DECRYPT" 55 | } 56 | 57 | variable "set_owners_for" { 58 | description = "Name of keys for which owners will be set." 59 | type = list(string) 60 | default = [] 61 | } 62 | 63 | variable "owners" { 64 | description = "List of comma-separated owners for each key declared in set_owners_for." 
65 | type = list(string) 66 | default = [] 67 | } 68 | 69 | variable "set_encrypters_for" { 70 | description = "Name of keys for which encrypters will be set." 71 | type = list(string) 72 | default = [] 73 | } 74 | 75 | variable "encrypters" { 76 | description = "List of comma-separated owners for each key declared in set_encrypters_for." 77 | type = list(string) 78 | default = [] 79 | } 80 | 81 | variable "set_decrypters_for" { 82 | description = "Name of keys for which decrypters will be set." 83 | type = list(string) 84 | default = [] 85 | } 86 | 87 | variable "decrypters" { 88 | description = "List of comma-separated owners for each key declared in set_decrypters_for." 89 | type = list(string) 90 | default = [] 91 | } 92 | 93 | variable "key_rotation_period" { 94 | description = "Generate a new key every time this period passes." 95 | type = string 96 | default = "7776000s" 97 | } 98 | 99 | variable "key_algorithm" { 100 | type = string 101 | description = "The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs." 102 | default = "GOOGLE_SYMMETRIC_ENCRYPTION" 103 | } 104 | 105 | variable "key_protection_level" { 106 | type = string 107 | description = "The protection level to use when creating a version based on this template. Default value: \"SOFTWARE\" Possible values: [\"SOFTWARE\", \"HSM\", \"EXTERNAL\", \"EXTERNAL_VPC\"]" 108 | default = "SOFTWARE" 109 | } 110 | 111 | variable "labels" { 112 | type = map(string) 113 | description = "Labels, provided as a map" 114 | default = {} 115 | } 116 | 117 | variable "import_only" { 118 | type = bool 119 | description = "Whether these keys may contain imported versions only." 120 | default = false 121 | } 122 | 123 | variable "skip_initial_version_creation" { 124 | type = bool 125 | description = "If set to true, the request will create CryptoKeys without any CryptoKeyVersions." 
126 | default = false 127 | } 128 | 129 | variable "crypto_key_backend" { 130 | type = string 131 | description = "(Optional) The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format 'projects//locations//ekmConnections/*' and only applies to 'EXTERNAL_VPC' keys." 132 | default = null 133 | } 134 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2021 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | terraform { 18 | required_version = ">= 1.3" 19 | required_providers { 20 | 21 | google = { 22 | source = "hashicorp/google" 23 | version = ">= 5.31.0, < 7" 24 | } 25 | } 26 | 27 | provider_meta "google" { 28 | module_name = "blueprints/terraform/terraform-google-kms/v4.0.0" 29 | } 30 | 31 | } 32 | --------------------------------------------------------------------------------