From c464a3c8cc0d6d674e87a8aadf2ef1067644654c Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 20 Jun 2022 17:13:25 +0200
Subject: [PATCH] Improve KMS: add custom role to handle keys
---
fast/stages/00-bootstrap/organization.tf | 6 ++++++
fast/stages/00-bootstrap/variables.tf | 2 ++
fast/stages/02-security/core-dev.tf | 3 ++-
fast/stages/02-security/core-prod.tf | 3 ++-
fast/stages/02-security/main.tf | 1 +
fast/stages/02-security/variables.tf | 11 +++++++++++
6 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index ea7c2e58f..935f9ca0e 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -171,6 +171,12 @@ module "organization" {
 "dns.networks.bindPrivateDNSZone",
 "resourcemanager.projects.get",
 ]
+ (var.custom_role_names.cloud_kms_key_role_editor) = [
+ "cloudkms.cryptoKeys.get",
+ "cloudkms.cryptoKeys.list",
+ "cloudkms.cryptoKeys.getIamPolicy",
+ "cloudkms.cryptoKeys.setIamPolicy"
+ ]
 }
 logging_sinks = {
 for name, attrs in var.log_sinks : name => {
diff --git a/fast/stages/00-bootstrap/variables.tf b/fast/stages/00-bootstrap/variables.tf
index a08fedb1c..7d4d9d9f0 100644
--- a/fast/stages/00-bootstrap/variables.tf
+++ b/fast/stages/00-bootstrap/variables.tf
@@ -79,10 +79,12 @@ variable "custom_role_names" {
 type = object({
 organization_iam_admin = string
 service_project_network_admin = string
+ cloud_kms_key_role_editor = string
 })
 default = {
 organization_iam_admin = "organizationIamAdmin"
 service_project_network_admin = "serviceProjectNetworkAdmin"
+ cloud_kms_key_role_editor = "cloudKmsKeyAdmin"
 }
 }
diff --git a/fast/stages/02-security/core-dev.tf b/fast/stages/02-security/core-dev.tf
index 92fcaec0d..9cc7b9177 100644
--- a/fast/stages/02-security/core-dev.tf
+++ b/fast/stages/02-security/core-dev.tf
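Review bot: The new custom role's `cloudkms.cryptoKeys.setIamPolicy` permission lets any holder grant encrypt/decrypt (or any other key role) to arbitrary principals on every key within the binding's scope, so this is key-IAM administration and deserves to be called out rather than left implicit in the permission list. A comment above the map entry would make that visible to whoever binds it later, e.g. `# setIamPolicy lets holders delegate key use to any principal; bind this role per key, not project-wide`. The map key `cloud_kms_key_role_editor` understates this, while the default id `cloudKmsKeyAdmin` from variables.tf does not. The `module "organization"` block starts and ends outside the hunk.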
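Review bot: The attribute `cloud_kms_key_role_editor` and its default id `cloudKmsKeyAdmin` name the same role differently, and the permission set it receives in organization.tf (including `cryptoKeys.setIamPolicy`) is closer to administration than editing, so the attribute name is the misleading half. Renaming it on both sides of this commit, `cloud_kms_key_admin = string` here and `cloud_kms_key_admin = "cloudKmsKeyAdmin"` in the default (and the matching attribute in 02-security's `custom_roles`), would keep them aligned; if the name must stay, a comment on the attribute noting that it maps to an admin-level role would do. The `variable "custom_role_names"` block starts outside the hunk.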
@@ -27,7 +27,8 @@ module "dev-sec-project" {
 prefix = var.prefix
 billing_account = var.billing_account.id
 iam = {
- "roles/cloudkms.viewer" = local.dev_kms_restricted_admins
+ (local.custom_roles.cloud_kms_key_role_editor) = ["serviceAccount:${var.service_accounts.data-platform-dev}"]
+ "roles/cloudkms.viewer" = local.dev_kms_restricted_admins
 }
 labels = { environment = "dev", team = "security" }
 services = local.project_services
diff --git a/fast/stages/02-security/core-prod.tf b/fast/stages/02-security/core-prod.tf
index d00c724da..9456cbb4a 100644
--- a/fast/stages/02-security/core-prod.tf
+++ b/fast/stages/02-security/core-prod.tf
@@ -27,7 +27,8 @@ module "prod-sec-project" {
 prefix = var.prefix
 billing_account = var.billing_account.id
 iam = {
- "roles/cloudkms.viewer" = local.prod_kms_restricted_admins
+ (local.custom_roles.cloud_kms_key_role_editor) = ["serviceAccount:${var.service_accounts.data-platform-prod}"]
+ "roles/cloudkms.viewer" = local.prod_kms_restricted_admins
 }
 labels = { environment = "prod", team = "security" }
 services = local.project_services
diff --git a/fast/stages/02-security/main.tf b/fast/stages/02-security/main.tf
index 13078d12d..c1e1aa0f7 100644
--- a/fast/stages/02-security/main.tf
+++ b/fast/stages/02-security/main.tf
@@ -15,6 +15,7 @@
 */
 locals {
+ custom_roles = coalesce(var.custom_roles, {})
 kms_keys = {
 for k, v in var.kms_keys : k => {
 iam = coalesce(v.iam, {})
diff --git a/fast/stages/02-security/variables.tf b/fast/stages/02-security/variables.tf
index 352f4f394..4276b4d2d 100644
--- a/fast/stages/02-security/variables.tf
+++ b/fast/stages/02-security/variables.tf
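Review bot: The new project-level binding gives `data-platform-dev` the custom role, and with it `cryptoKeys.setIamPolicy`, on every key in the dev security project rather than only on the keys the data platform uses, so that account can delegate encrypt/decrypt on keys belonging to any other consumer of the same project. If the intent is delegated administration of specific keys, the grant belongs in the per-key `iam` of the `kms_keys` input rather than in the project `iam` map; if project-wide is intended, a comment such as `# data-platform automation may manage IAM on all keys in this project` would make the choice auditable. Note also that `local.custom_roles.cloud_kms_key_role_editor` fails at plan time when `var.custom_roles` keeps its `null` default, because the `coalesce` in main.tf yields an empty object without that attribute. The `module "dev-sec-project"` block starts and ends outside the hunk.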
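Review bot: Nothing in the prod hunk records why the `data-platform-prod` automation account, which presumably belongs to another stage, receives IAM-policy rights over all keys in the prod security project, and in prod that is exactly the grant an auditor will ask about. A one-line comment above the new binding, e.g. `# data-platform-prod may grant encrypt/decrypt on prod keys; narrow to specific keys via kms_keys iam where possible`, would document the decision next to the code. The `module "prod-sec-project"` block starts and ends outside the hunk.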
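Review bot: `coalesce(var.custom_roles, {})` does not make the downstream lookup safe: `var.custom_roles` is declared in variables.tf with `default = null`, and core-dev.tf/core-prod.tf read `local.custom_roles.cloud_kms_key_role_editor`, which on an empty object is an unsupported-attribute error at plan time, so the fallback only changes which error the user sees. Either drop the `null` default so Terraform reports the missing input directly, or resolve the id defensively, `custom_roles = { cloud_kms_key_role_editor = try(var.custom_roles.cloud_kms_key_role_editor, null) }`, and have the project bindings skip the entry when it is null. The `locals` block continues past the hunk.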
@@ -31,6 +31,15 @@ variable "billing_account" {
 })
 }
+variable "custom_roles" {
+ # tfdoc:variable:source 00-bootstrap
+ description = "Custom roles defined at the org level, in key => id format."
+ type = object({
+ cloud_kms_key_role_editor = string
+ })
+ default = null
+}
+
 variable "folder_ids" {
 # tfdoc:variable:source 01-resman
 description = "Folder name => id mappings, the 'security' folder name must exist."
@@ -81,6 +90,8 @@ variable "service_accounts" {
 # tfdoc:variable:source 01-resman
 description = "Automation service accounts that can assign the encrypt/decrypt roles on keys."
 type = object({
+ data-platform-dev = string
+ data-platform-prod = string
 project-factory-dev = string
 project-factory-prod = string
 })
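Review bot: `default = null` on the new `custom_roles` variable is not a usable default, because the value is consumed as `local.custom_roles.cloud_kms_key_role_editor` in core-dev.tf and core-prod.tf, and a null or empty object fails at plan time there; declaring the variable without a default would make the dependency on the 00-bootstrap output explicit and give a clearer error. The description could also say what the single attribute is for, e.g. `description = "Custom role name => id mappings exported by 00-bootstrap; the cloud_kms_key_role_editor id is bound on the security projects."`.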