// See https://docs.relaycorp.tech/awala-keystore-cloud-js/gcp
// Key ring that holds every KMS key backing this endpoint's keystore.
// A ring can be dropped from Terraform state but never from GCP, so its name is burned the
// moment Terraform forgets it; the random suffix keeps a fresh name available whenever the
// ring has to be recreated.
// NOTE(review): random_id.unique_suffix is not declared in this file -- presumably it lives
// in a sibling .tf file of the same module; confirm before relying on it.
resource "google_kms_key_ring" "keystores" {
  name     = "endpoint-${var.backend_name}-${random_id.unique_suffix.hex}"
  location = var.region
  project  = var.project_id
}
// Suffix appended to every crypto key name below. The keeper ties it to the protection
// level: changing var.kms_protection_level regenerates the suffix, so the keys get new
// names and are created afresh rather than updated in place (presumably because the
// protection level of an existing key cannot be changed -- confirm against provider docs).
resource "random_id" "key_suffix" {
  keepers = {
    kms_protection_level = var.kms_protection_level
  }

  byte_length = 3
}
// Long-lived asymmetric key used to sign on behalf of the endpoint's identity.
// Only the key is managed here; its initial version is read back via the data source
// further down (see the comment there for why versions are not managed explicitly).
resource "google_kms_crypto_key" "identity_key" {
  key_ring = google_kms_key_ring.keystores.id
  name     = "identity-key-${random_id.key_suffix.hex}"
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    protection_level = var.kms_protection_level
    // RSA-PSS 2048/SHA-256 -- presumably dictated by the Awala keystore; 2048 bits is the
    // floor most current guidance accepts, so revisit if the keystore permits a larger size.
    algorithm = "RSA_SIGN_PSS_2048_SHA256"
  }

  // Deliberately destroyable so the key can be cycled (e.g. when random_id.key_suffix
  // changes). NOTE(review): per the Google provider docs, destroying this resource destroys
  // every version of the key, after which the endpoint can no longer sign with its
  // established identity -- make sure that is acceptable outside throwaway environments.
  lifecycle {
    prevent_destroy = false
  }
}
// Ideally, we'd just manage the key version explicitly, but we can't due to two limitations
// in the Google provider:
// 1.- This bug with HSM keys: https://github.com/hashicorp/terraform-provider-google/issues/13924
// 2.- The lack of support for reading the public key as soon as the key is created.
// Reads back the identity key's first version (and therefore its public key) once the
// grace period below has elapsed. No `version` argument is set, so the provider default
// applies -- version 1 at the time of writing; confirm against the provider docs if a
// different version is ever needed.
data "google_kms_crypto_key_version" "initial_identity_key" {
  depends_on = [time_sleep.wait_for_id_key_creation]

  crypto_key = google_kms_crypto_key.identity_key.id
}
// Symmetric key that protects the endpoint's session key material at rest.
// GCP rotates it automatically every 30 days by creating a new primary version; under
// KMS rotation semantics the earlier versions remain usable for decrypting what they
// already encrypted.
resource "google_kms_crypto_key" "session_keys" {
  key_ring        = google_kms_key_ring.keystores.id
  name            = "session-keys-${random_id.key_suffix.hex}"
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "2592000s" // 30 days, in seconds

  version_template {
    protection_level = var.kms_protection_level
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
  }

  // Deliberately destroyable so the key can be cycled alongside the identity key.
  // NOTE(review): destroying it destroys every version, so anything still encrypted under
  // it becomes unrecoverable -- acceptable for session keys only if they are short-lived.
  lifecycle {
    prevent_destroy = false
  }
}
// Grace period between creating the identity key and reading its first version back
// (the data source above): the provider cannot read the public key immediately after
// creation. The trigger re-runs the wait whenever the protection level changes, since
// that is exactly when the key gets replaced.
resource "time_sleep" "wait_for_id_key_creation" {
  depends_on = [google_kms_crypto_key.identity_key]

  create_duration = "30s"

  triggers = {
    kms_protection_level = var.kms_protection_level
  }
}
// IAM
// https://docs.relaycorp.tech/awala-keystore-cloud-js/gcp#iam-permissions
// Least-privilege role for the app's own key management: it may inspect a key and create
// new versions (i.e. rotate the identity key itself), and nothing else -- no destroy, no
// IAM changes, no key-ring creation. The permission list follows the keystore docs above.
resource "google_project_iam_custom_role" "keystore_kms_admin" {
  role_id = "awala_endpoint.keystore_kms_manager"
  project = var.project_id
  title   = "Permissions to manage KMS resources related to the Awala keystore"

  permissions = [
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeyVersions.create",
  ]
}
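// Grants the app's service account the custom key-management role, scoped to this
// endpoint's key ring only. google_project_iam_binding is authoritative for the
// (role, condition) pair: any other member found under it is removed on apply, which is
// fine here because the role exists solely for this service account.
// NOTE(review): google_service_account.main is declared elsewhere in the module.
resource "google_project_iam_binding" "keystore_kms_admin" {
  project = var.project_id
  role    = google_project_iam_custom_role.keystore_kms_admin.id
  members = ["serviceAccount:${google_service_account.main.email}"]

  condition {
    title = "Limit app access to KMS key ring"
    // Match the ring itself or any resource beneath it. The "/" boundary matters: a bare
    // prefix match would also cover a sibling ring whose name merely starts with ours
    // (e.g. "<ring>-2"), silently widening the grant beyond this endpoint; today only the
    // random suffix in the ring name makes such a collision unlikely.
    expression = "resource.name == \"${google_kms_key_ring.keystores.id}\" || resource.name.startsWith(\"${google_kms_key_ring.keystores.id}/\")"
  }
}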
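// Grants the app's service account the predefined cryptoOperator role (sign/encrypt/
// decrypt and read-only inspection) scoped to this endpoint's key ring only. Unlike the
// binding above this is additive: other members of roles/cloudkms.cryptoOperator in the
// project are left untouched.
// NOTE(review): google_service_account.main is declared elsewhere in the module.
resource "google_project_iam_member" "keystore_kms_user" {
  project = var.project_id
  role    = "roles/cloudkms.cryptoOperator"
  member  = "serviceAccount:${google_service_account.main.email}"

  condition {
    title = "Limit app access to KMS key ring"
    // Match the ring itself or any resource beneath it. The "/" boundary matters: a bare
    // prefix match would also cover a sibling ring whose name merely starts with ours
    // (e.g. "<ring>-2"), silently widening the grant beyond this endpoint; today only the
    // random suffix in the ring name makes such a collision unlikely.
    expression = "resource.name == \"${google_kms_key_ring.keystores.id}\" || resource.name.startsWith(\"${google_kms_key_ring.keystores.id}/\")"
  }
}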