Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add module to get a Key from the GCP Project #84

Open
wants to merge 10 commits into
base: revamp-cloud
Choose a base branch
from
Open

feat: Add module to get a Key from the GCP Project #84

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
4740e21
feat: add module to get a key from the project
hbitoun-aneo Aug 31, 2023
916ca64
fix: changes from CI
hbitoun-aneo Aug 31, 2023
0b93d69
terraform-docs: automated action
github-actions[bot] Aug 31, 2023
4790e45
fix: changes to fit to the kms module and after review
hbitoun-aneo Sep 7, 2023
a2df6e9
fix: changes from CI
hbitoun-aneo Sep 7, 2023
59d9c94
Merge branch 'hb/gcp-get-key-module' of https://github.com/aneoconsul…
hbitoun-aneo Sep 7, 2023
279a614
terraform-docs: automated action
github-actions[bot] Sep 7, 2023
e3493d1
doc: add explanation about the module get-key
hbitoun-aneo Sep 12, 2023
36b59af
Merge branch 'main' into hb/gcp-get-key-module
hbitoun-aneo Sep 12, 2023
75bbca8
fix: change directory name of the get-kms module to kms-get
hbitoun-aneo Sep 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions security/gcp/get-kms/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# Cloud KMS

Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic
operations in a single centralized cloud service. You can use these keys and perform these operations by using Cloud KMS
directly, by using Cloud HSM or Cloud External Key Manager, or by using Customer-Managed Encryption Keys (CMEK) integrations
within other Google Cloud services.

This module retrieve a key from the GCP project. The retrieved keys are used by the service accounts for
encrypt and decrypt the data (by adding decrypt/encrypt rights on the kms key for the service accounts).

<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.75.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | >= 4.75.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
| [google_kms_crypto_key.my_crypto_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_crypto_key) | data source |
| [google_kms_key_ring.my_key_ring](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_key_ring) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_crypto_key_names"></a> [crypto\_key\_names](#input\_crypto\_key\_names) | The names of the crypto keys to retrieve from the GCP project. | `list(string)` | n/a | yes |
| <a name="input_key_ring_name"></a> [key\_ring\_name](#input\_key\_ring\_name) | The key ring name on which the crypto key belongs to. | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_key_ring_id"></a> [key\_ring\_id](#output\_key\_ring\_id) | The ID of the KeyRing. |
| <a name="output_key_ring_location"></a> [key\_ring\_location](#output\_key\_ring\_location) | The location for the KeyRing. |
| <a name="output_key_ring_name"></a> [key\_ring\_name](#output\_key\_ring\_name) | The resource name for the KeyRing. |
| <a name="output_my_crypto_key_output"></a> [my\_crypto\_key\_output](#output\_my\_crypto\_key\_output) | The crypto keys on the GCP project from the specified KeyRing. |
<!-- END_TF_DOCS -->
4 changes: 4 additions & 0 deletions security/gcp/get-kms/examples/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# Simple GCP Cloud KMS

Terraform scripts to get a kms key from the GCP project.

38 changes: 38 additions & 0 deletions security/gcp/get-kms/examples/simple/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.75.0 |

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_simple_kms"></a> [simple\_kms](#module\_simple\_kms) | ../../../get-kms | n/a |

## Resources

No resources.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_project"></a> [project](#input\_project) | Project name | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The GCP region used to deploy the KMS. | `string` | `"europe-west9"` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_key_ring_id"></a> [key\_ring\_id](#output\_key\_ring\_id) | The ID of the KeyRing. |
| <a name="output_key_ring_location"></a> [key\_ring\_location](#output\_key\_ring\_location) | The location for the KeyRing. |
| <a name="output_key_ring_name"></a> [key\_ring\_name](#output\_key\_ring\_name) | The resource name for the KeyRing. |
| <a name="output_my_crypto_key_output"></a> [my\_crypto\_key\_output](#output\_my\_crypto\_key\_output) | The crypto keys on the GCP project from the specified KeyRing. |
<!-- END_TF_DOCS -->
5 changes: 5 additions & 0 deletions security/gcp/get-kms/examples/simple/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
module "simple_kms" {
source = "../../../get-kms"
key_ring_name = "test"
crypto_key_names = ["my-key-name", "my-key-name2"]
}
19 changes: 19 additions & 0 deletions security/gcp/get-kms/examples/simple/outputs.tf
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a missing output compared to to the resource module:

output "crypto_key_ids" {
  description = "The Map of the created crypto keys."
  value       = { for key, value in google_kms_crypto_key.keys : key => value.id }
}

Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
output "my_crypto_key_output" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
output "my_crypto_key_output" {
output "cyprto_keys" {

description = "The crypto keys on the GCP project from the specified KeyRing."
value = module.simple_kms.my_crypto_key_output
}

output "key_ring_name" {
description = "The resource name for the KeyRing."
value = module.simple_kms.key_ring_name
}

output "key_ring_location" {
description = "The location for the KeyRing."
value = module.simple_kms.key_ring_location
}

output "key_ring_id" {
description = "The ID of the KeyRing."
value = module.simple_kms.key_ring_id
}
10 changes: 10 additions & 0 deletions security/gcp/get-kms/examples/simple/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
variable "region" {
description = "The GCP region used to deploy the KMS."
type = string
default = "europe-west9"
}

variable "project" {
description = "Project name"
type = string
}
14 changes: 14 additions & 0 deletions security/gcp/get-kms/examples/simple/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
terraform {
required_version = ">= 1.0"
required_providers {
google = {
source = "hashicorp/google"
version = "~> 4.75.0"
}
}
}

provider "google" {
project = var.project
region = var.region
}
12 changes: 12 additions & 0 deletions security/gcp/get-kms/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
data "google_kms_key_ring" "my_key_ring" {
name = var.key_ring_name
location = data.google_client_config.current.region
}

data "google_kms_crypto_key" "my_crypto_keys" {
for_each = toset(var.crypto_key_names)
name = each.value
key_ring = data.google_kms_key_ring.my_key_ring.id
}

data "google_client_config" "current" {}
19 changes: 19 additions & 0 deletions security/gcp/get-kms/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
output "my_crypto_key_output" {
description = "The crypto keys on the GCP project from the specified KeyRing."
value = { for key, value in data.google_kms_crypto_key.my_crypto_keys : key => value.id }
}

output "key_ring_name" {
description = "The resource name for the KeyRing."
value = data.google_kms_key_ring.my_key_ring.name
}

output "key_ring_location" {
description = "The location for the KeyRing."
value = data.google_kms_key_ring.my_key_ring.location
}

output "key_ring_id" {
description = "The ID of the KeyRing."
value = data.google_kms_key_ring.my_key_ring.id
}
9 changes: 9 additions & 0 deletions security/gcp/get-kms/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
variable "crypto_key_names" {
description = "The names of the crypto keys to retrieve from the GCP project."
type = list(string)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
type = list(string)
type = set(string)

}

variable "key_ring_name" {
description = "The key ring name on which the crypto key belongs to."
type = string
}
9 changes: 9 additions & 0 deletions security/gcp/get-kms/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
terraform {
required_version = ">= 1.0"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 4.75.0"
}
}
}
52 changes: 52 additions & 0 deletions security/gcp/kms-get/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# Cloud KMS

Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic
operations in a single centralized cloud service. You can use these keys and perform these operations by using Cloud KMS
directly, by using Cloud HSM or Cloud External Key Manager, or by using Customer-Managed Encryption Keys (CMEK) integrations
within other Google Cloud services.

This module retrieve a key from the GCP project. The retrieved keys are used by the service accounts for
encrypt and decrypt the data (by adding decrypt/encrypt rights on the kms key for the service accounts).

<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.75.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | >= 4.75.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
| [google_kms_crypto_key.my_crypto_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_crypto_key) | data source |
| [google_kms_key_ring.my_key_ring](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_key_ring) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_crypto_key_names"></a> [crypto\_key\_names](#input\_crypto\_key\_names) | The names of the crypto keys to retrieve from the GCP project. | `list(string)` | n/a | yes |
| <a name="input_key_ring_name"></a> [key\_ring\_name](#input\_key\_ring\_name) | The key ring name on which the crypto key belongs to. | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_key_ring_id"></a> [key\_ring\_id](#output\_key\_ring\_id) | The ID of the KeyRing. |
| <a name="output_key_ring_location"></a> [key\_ring\_location](#output\_key\_ring\_location) | The location for the KeyRing. |
| <a name="output_key_ring_name"></a> [key\_ring\_name](#output\_key\_ring\_name) | The resource name for the KeyRing. |
| <a name="output_my_crypto_key_output"></a> [my\_crypto\_key\_output](#output\_my\_crypto\_key\_output) | The crypto keys on the GCP project from the specified KeyRing. |
<!-- END_TF_DOCS -->
4 changes: 4 additions & 0 deletions security/gcp/kms-get/examples/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# Simple GCP Cloud KMS

Terraform scripts to get a kms key from the GCP project.

38 changes: 38 additions & 0 deletions security/gcp/kms-get/examples/simple/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.75.0 |

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_simple_kms"></a> [simple\_kms](#module\_simple\_kms) | ../../../get-kms | n/a |

## Resources

No resources.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_project"></a> [project](#input\_project) | Project name | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The GCP region used to deploy the KMS. | `string` | `"europe-west9"` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_key_ring_id"></a> [key\_ring\_id](#output\_key\_ring\_id) | The ID of the KeyRing. |
| <a name="output_key_ring_location"></a> [key\_ring\_location](#output\_key\_ring\_location) | The location for the KeyRing. |
| <a name="output_key_ring_name"></a> [key\_ring\_name](#output\_key\_ring\_name) | The resource name for the KeyRing. |
| <a name="output_my_crypto_key_output"></a> [my\_crypto\_key\_output](#output\_my\_crypto\_key\_output) | The crypto keys on the GCP project from the specified KeyRing. |
<!-- END_TF_DOCS -->
5 changes: 5 additions & 0 deletions security/gcp/kms-get/examples/simple/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
module "simple_kms" {
source = "../../../get-kms"
key_ring_name = "test"
crypto_key_names = ["my-key-name", "my-key-name2"]
}
19 changes: 19 additions & 0 deletions security/gcp/kms-get/examples/simple/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
output "my_crypto_key_output" {
description = "The crypto keys on the GCP project from the specified KeyRing."
value = module.simple_kms.my_crypto_key_output
}

output "key_ring_name" {
description = "The resource name for the KeyRing."
value = module.simple_kms.key_ring_name
}

output "key_ring_location" {
description = "The location for the KeyRing."
value = module.simple_kms.key_ring_location
}

output "key_ring_id" {
description = "The ID of the KeyRing."
value = module.simple_kms.key_ring_id
}
10 changes: 10 additions & 0 deletions security/gcp/kms-get/examples/simple/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
variable "region" {
description = "The GCP region used to deploy the KMS."
type = string
default = "europe-west9"
}

variable "project" {
description = "Project name"
type = string
}
14 changes: 14 additions & 0 deletions security/gcp/kms-get/examples/simple/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
terraform {
required_version = ">= 1.0"
required_providers {
google = {
source = "hashicorp/google"
version = "~> 4.75.0"
}
}
}

provider "google" {
project = var.project
region = var.region
}
12 changes: 12 additions & 0 deletions security/gcp/kms-get/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
data "google_kms_key_ring" "my_key_ring" {
name = var.key_ring_name
location = data.google_client_config.current.region
}

data "google_kms_crypto_key" "my_crypto_keys" {
for_each = toset(var.crypto_key_names)
name = each.value
key_ring = data.google_kms_key_ring.my_key_ring.id
}

data "google_client_config" "current" {}
19 changes: 19 additions & 0 deletions security/gcp/kms-get/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
output "my_crypto_key_output" {
description = "The crypto keys on the GCP project from the specified KeyRing."
value = { for key, value in data.google_kms_crypto_key.my_crypto_keys : key => value.id }
}

output "key_ring_name" {
description = "The resource name for the KeyRing."
value = data.google_kms_key_ring.my_key_ring.name
}

output "key_ring_location" {
description = "The location for the KeyRing."
value = data.google_kms_key_ring.my_key_ring.location
}

output "key_ring_id" {
description = "The ID of the KeyRing."
value = data.google_kms_key_ring.my_key_ring.id
}
9 changes: 9 additions & 0 deletions security/gcp/kms-get/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
variable "crypto_key_names" {
description = "The names of the crypto keys to retrieve from the GCP project."
type = list(string)
}

variable "key_ring_name" {
description = "The key ring name on which the crypto key belongs to."
type = string
}
Loading