From c2380a88fa6ac01d6e4751272ea5f795c21cf6bf Mon Sep 17 00:00:00 2001
From: Chaitanya Malpe
Date: Thu, 26 Oct 2023 18:12:58 +0530
Subject: [PATCH] added import job support for kms module
---
 modules/kms/README.md | 37 ++++++++++++++++++++++++++++++-------
 modules/kms/main.tf | 7 +++++++
 modules/kms/outputs.tf | 9 +++++++++
 modules/kms/variables.tf | 9 +++++++++
 4 files changed, 55 insertions(+), 7 deletions(-)
diff --git a/modules/kms/README.md b/modules/kms/README.md
index ddbf4b5c8..6e2212068 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -5,13 +5,15 @@ This module allows creating and managing KMS crypto keys and IAM bindings at bot
 When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator.
-- [Protecting against destroy](#protecting-against-destroy)
-- [Examples](#examples)
- - [Using an existing keyring](#using-an-existing-keyring)
- - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles)
- - [Crypto key purpose](#crypto-key-purpose)
-- [Variables](#variables)
-- [Outputs](#outputs)
+- [Google KMS Module](#google-kms-module)
+ - [Protecting against destroy](#protecting-against-destroy)
+ - [Examples](#examples)
+ - [Using an existing keyring](#using-an-existing-keyring)
+ - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles)
+ - [Crypto key purpose](#crypto-key-purpose)
+ - [Import job](#import-job)
+ - [Variables](#variables)
+ - [Outputs](#outputs)
 ## Protecting against destroy
@@ -94,6 +96,27 @@ module "kms" {
 }
 # tftest modules=1 resources=2 inventory=purpose.yaml
 ```
+
+### Import job
+
+```hcl
+module "kms" {
+ source = "./fabric/modules/kms"
+ project_id = "my-project"
+ iam = {
+ "roles/cloudkms.admin" = ["user:user1@example.com"]
+ }
+ keyring = {
+ location = "europe-west1"
+ name = "test"
+ }
+ import_job = {
+ id = "my-import-job"
+ import_method = "RSA_OAEP_3072_SHA1_AES_256"
+ protection_level = "SOFTWARE"
+ }
+}
+```
 ## Variables
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
index 6be7c812d..a1f74902c 100644
--- a/modules/kms/main.tf
+++ b/modules/kms/main.tf
@@ -53,3 +53,10 @@ resource "google_kms_crypto_key" "default" {
 }
 }
 }
+
+resource "google_kms_key_ring_import_job" "default" {
+ key_ring = local.keyring.id
+ import_job_id = var.import_job.id
+ import_method = var.import_job.import_method
+ protection_level = var.import_job.protection_level
+}
\ No newline at end of file
diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf
index 191db82b7..acfb69b3e 100644
--- a/modules/kms/outputs.tf
+++ b/modules/kms/outputs.tf
@@ -23,6 +23,15 @@ output "id" {
 ]
 }
+output "import_job" {
+ description = "Keyring import job resources."
+ value = google_kms_key_ring_import_job.default
+ depends_on = [
+ google_kms_key_ring_iam_binding.authoritative,
+ google_kms_key_ring_iam_binding.bindings
+ ]
+}
+
 output "key_ids" {
 description = "Fully qualified key ids."
 value = {
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 308617641..161c55e0e 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -51,6 +51,15 @@ variable "iam_bindings_additive" {
 default = {}
 }
+variable "import_job" {
+ description = "Keyring import job attributes."
+ type = object({
+ id = string
+ import_method = string
+ protection_level = string
+ })
+}
+
 variable "keyring" {
 description = "Keyring attributes."
 type = object({
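Review bot: `google_kms_key_ring_import_job.default` in the main.tf hunk is created unconditionally, while the `import_job` variable added in the variables.tf hunk of this patch has no `default`, so every existing caller of the module now has to supply an import job and gets one created on its keyring; this looks like an unintended breaking change. Making the feature opt-in takes three one-line edits: `default = null` on the variable, `count = var.import_job == null ? 0 : 1` on the resource, and `value = one(google_kms_key_ring_import_job.default)` on the new output in the outputs.tf hunk. main.tf also ends without a trailing newline (`\ No newline at end of file`). The README example appears to lack the `# tftest modules=1 resources=...` annotation its neighbouring examples carry, so the new configuration would not be exercised by the module tests.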
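Review bot: `import_method` and `protection_level` in the new `import_job` variable are unconstrained `string` attributes with no `validation` block, so a value such as `software` or a mistyped method name only fails at apply time as an API error instead of at plan time, although the README example shows both are enumerated values. Validating `protection_level` against the two levels Cloud KMS accepts (`SOFTWARE`, `HSM`) is cheap, and a sentence in the description stating that the import job's protection level is expected to match that of the key versions it will be used to import (confirm against the KMS documentation) would help callers pick the right one. The condition below is written so it also holds if the variable is later given a `null` default.
```hcl
variable "import_job" {
  # … unchanged: description and type …
  validation {
    condition = (
      var.import_job == null
      ? true
      : contains(["SOFTWARE", "HSM"], var.import_job.protection_level)
    )
    error_message = "protection_level must be SOFTWARE or HSM."
  }
}
```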