Add support for other key purposes in kms secret & ciphertext #6462

Open
emilymye opened this issue May 26, 2020 · 0 comments


emilymye commented May 26, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

We should add support for ASYMMETRIC_SIGN/ASYMMETRIC_DECRYPT, either in new resources or in the existing google_kms_secret and google_kms_secret_ciphertext resources, so that

  • users can sign text and use it in config (important for binauthz)
  • users can decrypt text and use it in config

New or Affected Resource(s)

  • New resources:
    • google_kms_signature
    • google_kms_asymmetric_secret (I don't know how to name things!)

Or we change the existing google_kms_secret to support asymmetric decrypt and google_kms_secret_ciphertext to support signing. I'm less enthusiastic about this because it means we either have to support looking up both the key purpose and cryptoKeyVersion or fail at apply time. Also, cryptoKey.encrypt/decrypt is the current method for these resources, but cryptoKeyVersion.asymmetricSign/asymmetricDecrypt is what we'd need to call, so we'd need extra info about the version.

Potential Terraform Configuration

# Signing variant
resource "google_foo_bar" "uses_signature" {
  signed_payload = google_kms_signature.signed.signature # attribute name TBD: .ciphertext or .signature
  key_id         = data.google_kms_crypto_key_version.version.id
}

resource "google_kms_signature" "signed" {
  payload            = "here's what I want to sign"
  crypto_key_version = data.google_kms_crypto_key_version.version.id
}

resource "google_kms_key_ring" "keyring" {
  name     = "my-key-ring"
  location = "global"
}

resource "google_kms_crypto_key" "crypto-key" {
  name     = "my-key"
  key_ring = google_kms_key_ring.keyring.self_link

  purpose = "ASYMMETRIC_SIGN"
  ...
}

data "google_kms_crypto_key_version" "version" {
  crypto_key = google_kms_crypto_key.crypto-key.self_link
}

# Asymmetric decrypt variant
resource "google_foo_bar" "uses_plaintext" {
  secret = google_kms_asymmetric_decrypt.secret.plaintext
}

resource "google_kms_asymmetric_decrypt" "secret" {
  ciphertext         = "asldkgjlasdkjglkasdjgasignedblob"
  crypto_key_version = data.google_kms_crypto_key_version.version.id
}

resource "google_kms_key_ring" "keyring" {
  name     = "my-key-ring"
  location = "global"
}

resource "google_kms_crypto_key" "crypto-key" {
  name     = "my-key"
  key_ring = google_kms_key_ring.keyring.self_link

  purpose = "ASYMMETRIC_DECRYPT"
  ...
}

data "google_kms_crypto_key_version" "version" {
  crypto_key = google_kms_crypto_key.crypto-key.self_link
}

References

Docs:

b/299683530
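The purpose/version lookup the description above is worried about, as an added example that is not part of the issue or of the Terraform provider: cryptoKey.encrypt/decrypt take a key name, while cryptoKeyVersion.asymmetricSign/asymmetricDecrypt take a key version name, so a resource has to read the key's purpose and either resolve a version or fail at apply time. The `client` argument is assumed to be any object with a `get_crypto_key(name=...)` method shaped like the google-cloud-kms client; `FakeKms` is a constructed stand-in so the code runs offline.

```python
import hashlib
import re
from types import SimpleNamespace

# Key or key-version resource name; the version suffix is optional.
KEY_REF = re.compile(
    r"^(?P<key>projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<ver>\d+))?$")

# Symmetric calls take the key name; asymmetric ones need a specific version.
SYMMETRIC = {"encrypt": "cryptoKeys.encrypt", "decrypt": "cryptoKeys.decrypt"}
ASYMMETRIC = {("sign", "ASYMMETRIC_SIGN"): "cryptoKeyVersions.asymmetricSign",
              ("decrypt", "ASYMMETRIC_DECRYPT"): "cryptoKeyVersions.asymmetricDecrypt"}

def resolve_kms_call(client, ref, op):
    """Return (api_method, resource_name) for operation `op` on `ref`, or raise."""
    m = KEY_REF.match(ref)
    if not m:
        raise ValueError(f"not a cryptoKey or cryptoKeyVersion name: {ref}")
    key_name, version = m.group("key"), m.group("ver")
    key = client.get_crypto_key(name=key_name)  # one extra read per apply
    if key.purpose == "ENCRYPT_DECRYPT":
        if op not in SYMMETRIC:
            raise ValueError(f"cannot {op} with an ENCRYPT_DECRYPT key")
        return SYMMETRIC[op], key_name  # KMS picks the primary version itself
    method = ASYMMETRIC.get((op, key.purpose))
    if method is None:
        raise ValueError(f"cannot {op} with a {key.purpose} key")
    if version is None:
        # asymmetric keys have no primary version, so the config must name one
        raise ValueError(f"{key.purpose} key {key_name} needs a cryptoKeyVersion")
    return method, f"{key_name}/cryptoKeyVersions/{version}"

def sign_digest(payload: bytes, algorithm: str) -> dict:
    """asymmetricSign takes a digest, not the payload; the hash follows the algorithm name."""
    h = algorithm.rsplit("_", 1)[-1].lower()  # RSA_SIGN_PSS_2048_SHA256 -> sha256
    if h not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"no digest-based signing for algorithm {algorithm}")
    return {h: hashlib.new(h, payload).digest()}

class FakeKms:
    """Constructed stand-in for KeyManagementServiceClient.get_crypto_key (offline)."""
    PURPOSES = {"sign-key": "ASYMMETRIC_SIGN", "dec-key": "ASYMMETRIC_DECRYPT",
                "sym-key": "ENCRYPT_DECRYPT"}

    def get_crypto_key(self, name):
        return SimpleNamespace(name=name, purpose=self.PURPOSES[name.rsplit("/", 1)[-1]])
```

The two ValueError paths (version missing on an asymmetric key, operation not matching the key purpose) are exactly the apply-time failures a combined resource would have to surface.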
