terraform-google-modules · morgante · May 27, 2020 · May 21, 2020 · May 22, 2020 · May 23, 2020
@@ -0,0 +1,42 @@
+resource "google_binary_authorization_attestor" "attestor" {
+  name = "${var.attestor-name}-attestor"
+  attestation_authority_note {
+    note_reference = google_container_analysis_note.build-note.name
+    public_keys {
+      id = data.google_kms_crypto_key_version.version.id
+      pkix_public_key {
+        public_key_pem      = data.google_kms_crypto_key_version.version.public_key[0].pem
+        signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
+      }
+    }
+  }
+}
+
+resource "google_container_analysis_note" "build-note" {
+  name = "${var.attestor-name}-attestor-note"
+  attestation_authority {
+    hint {
+      human_readable_name = "${var.attestor-name} Attestor"
+    }
+  }
+}
+
+# KEYS
+
+data "google_kms_crypto_key_version" "version" {
+  crypto_key = google_kms_crypto_key.crypto-key.id
+}
+
+resource "google_kms_crypto_key" "crypto-key" {
+  name     = "${var.attestor-name}-attestor-key"
+  key_ring = var.keyring-id
+  purpose  = "ASYMMETRIC_SIGN"
+
+  version_template {
+    algorithm = var.crypto-algorithm
+  }
+
+  lifecycle {
+    prevent_destroy = false
+  }
+}
@@ -0,0 +1,9 @@
+output key {
+  value       = google_kms_crypto_key.crypto-key.name
+  description = "Name of the Key created for the attestor"
+}
+
+output attestor {
+  value       = google_binary_authorization_attestor.attestor.name
+  description = "Name of the built attestor"
+}
@@ -0,0 +1,15 @@
+variable attestor-name {
+  type        = string
+  description = "Name of the attestor"
+}
+
+variable keyring-id {
+  type        = string
+  description = "Keyring ID to attach attestor keys"
+}
+
+variable crypto-algorithm {
+  type        = string
+  default     = "RSA_SIGN_PKCS1_4096_SHA512"
+  description = "Algorithm used for the async signing keys"
+}