google_binary_authorization_attestor KMS public_key id does not reference cloudkms v1

[cliles]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.26

• provider.google v3.24.0
• provider.google-beta v3.24.0

Affected Resource(s)

• google_binary_authorization_attestor

Terraform Configuration Files

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.note.name
    public_keys {
      id = data.google_kms_crypto_key_version.version.id
      pkix_public_key {
        public_key_pem      = data.google_kms_crypto_key_version.version.public_key[0].pem
        signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
      }
    }
  }
}

data "google_kms_crypto_key_version" "version" {
  crypto_key = google_kms_crypto_key.crypto-key.id
}

resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "Attestor Note"
    }
  }
}

resource "google_kms_crypto_key" "crypto-key" {
  name     = "test-attestor-key"
  key_ring = google_kms_key_ring.keyring.id
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    algorithm = "RSA_SIGN_PKCS1_4096_SHA512"
  }

  lifecycle {
    prevent_destroy = false
  }
}

resource "google_kms_key_ring" "keyring" {
  name     = "test-attestor-key-ring"
  location = "us-central1"
}

resource "google_binary_authorization_policy" "policy" {
  global_policy_evaluation_mode = "ENABLE"

  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "DRYRUN_AUDIT_LOG_ONLY"
    require_attestations_by = [google_binary_authorization_attestor.attestor.name]
  }

}

Debug Output

Panic Output

NA

Expected Behavior

Attestor created with public key from kms that is able to sign and create attestations.

Actual Behavior

The attestor is created, but the id of the attestor public key version resource ID references //cloudkms.googleapis.com/projects...
NOT
/cloudkms.googleapis.com/v1/projects...

This is a problem attempting to use the gcloud cli to then sign and create an attestation as the ID will not match. Thus attestation will not be signed correctly and will fail admission.

WARNING: No public key with ID [//cloudkms.googleapis.com/v1/projects/...] found on attestor [projects/...]
Create and upload Attestation anyway? (Y/n)?

Steps to Reproduce

1. terraform apply
2. Sign and create an attestation.

gcloud beta container binauthz attestations sign-and-create \
    --project "${PROJECT_ID}" \
    --artifact-url "gcr.io/${PROJECT_ID}/${IMAGE}@${DIGEST}" \
    --attestor "test-attestor" \
    --attestor-project "${PROJECT_ID}" \
    --keyversion "1" \
    --keyversion-key "test-attestor-key" \
    --keyversion-location "${REGION}" \
    --keyversion-keyring "test-attestor-key-ring" \
    --keyversion-project "${PROJECT_ID}"

Important Factoids

Terraform does not provide a resource for managing attestations.

References

• https://www.terraform.io/docs/providers/google/r/binary_authorization_attestor.html
• https://cloud.google.com/binary-authorization/docs/making-attestations#create_an_attestation_with_a-based_pkix_signature

[rileykarson]

To clarify the behaviour- creating the google_binary_authorization_attestor resource works correctly but when trying to use it, it fails?

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!