Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.
Description
We should add support for ASYMMETRIC_SIGN/ASYMMETRIC_DECRYPT either to existing google_kms_secret and google_kms_secret_ciphertext resources so that:
- users can sign text and use it in config (important for binauthz)
- users can decrypt text and use it in config
New or Affected Resource(s)
New resources:
- google_kms_signature
- google_kms_asymmetric_secret (I don't know how to name things!)

Or we change the existing google_kms_secret to support asymm decrypt and google_kms_secret_ciphertext to support signing. I'm less enthusiastic about this because it means we either have to support looking up both the key purpose and cryptoVersion or fail at apply time. Also, cryptoKey.encrypt/decrypt is the current method for resources, but cryptoKeyVersion.asymmetricSign/Decrypt is what we'd need to call, so we'd need extra info about the version.
Potential Terraform Configuration
```hcl
resource "google_foo_bar" "uses_signature" {
  signed_payload = google_kms_signature.signed.ciphertext # or .signature
  key_id         = data.google_kms_crypto_key_version.version.id
}

resource "google_kms_signature" "signed" {
  payload            = "here's what I want to sign"
  crypto_key_version = data.google_kms_crypto_key_version.version.id
}

resource "google_kms_key_ring" "keyring" {
  name     = "my-key-ring"
  location = "global"
}

resource "google_kms_crypto_key" "crypto-key" {
  name     = "my-key"
  key_ring = google_kms_key_ring.keyring.self_link
  purpose  = "ASYMMETRIC_SIGN"
  # ...
}

data "google_kms_crypto_key_version" "version" {
  crypto_key = google_kms_crypto_key.crypto-key.self_link
}
```
References
Docs:
b/299683530
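Added example, not part of the original issue or the provider's code: a sketch of why the asymmetric operations need a key version, built from the public Cloud KMS REST methods (`cryptoKeys.decrypt`, `cryptoKeyVersions.asymmetricSign`, `cryptoKeyVersions.asymmetricDecrypt`). The `build_request` helper, the sample resource names and the choice of a SHA-256 digest are assumptions made for illustration.

```python
import base64
import hashlib
import re

API = "https://cloudkms.googleapis.com/v1/"
KEY_RE = re.compile(r"projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+")
VERSION_RE = re.compile(KEY_RE.pattern + r"/cryptoKeyVersions/[^/]+")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def build_request(purpose: str, name: str, data: bytes):
    """Return (url, json_body) for the KMS call that matches the key purpose."""
    if purpose == "ENCRYPT_DECRYPT":
        # Symmetric decrypt is a method of the CryptoKey; KMS picks the version.
        if not KEY_RE.fullmatch(name):
            raise ValueError("symmetric decrypt needs a cryptoKey name")
        return API + name + ":decrypt", {"ciphertext": _b64(data)}
    # Asymmetric operations are methods of one specific CryptoKeyVersion,
    # so a bare cryptoKey name is rejected before any API call is made.
    if not VERSION_RE.fullmatch(name):
        raise ValueError(purpose + " needs a cryptoKeyVersion name")
    if purpose == "ASYMMETRIC_SIGN":
        # Assumption: the version's algorithm signs a SHA-256 digest.
        digest = hashlib.sha256(data).digest()
        return API + name + ":asymmetricSign", {"digest": {"sha256": _b64(digest)}}
    if purpose == "ASYMMETRIC_DECRYPT":
        return API + name + ":asymmetricDecrypt", {"ciphertext": _b64(data)}
    raise ValueError("unsupported purpose: " + purpose)


# Constructed sample names, not real resources.
KEY = "projects/example/locations/global/keyRings/my-key-ring/cryptoKeys/my-key"
VERSION = KEY + "/cryptoKeyVersions/1"

if __name__ == "__main__":
    print(build_request("ASYMMETRIC_SIGN", VERSION, b"here's what I want to sign"))
```

Checking the resource name shape up front is one way to surface the purpose/version mismatch at plan time instead of at apply time.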