diff --git a/examples/simple_bucket_autokey/README.md b/examples/simple_bucket_autokey/README.md
new file mode 100644
index 00000000..97a8a365
--- /dev/null
+++ b/examples/simple_bucket_autokey/README.md
@@ -0,0 +1,24 @@
+# Simple Example
+
+This example illustrates how to use the `simple-bucket` submodule.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| folder\_id | The folder where project is created | `string` | n/a | yes |
+| key\_project\_id | The project where autokey is setup | `string` | n/a | yes |
+| project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
+
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/simple_bucket_autokey/main.tf b/examples/simple_bucket_autokey/main.tf
new file mode 100644
index 00000000..a613f599
--- /dev/null
+++ b/examples/simple_bucket_autokey/main.tf
@@ -0,0 +1,74 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "bucket" {
+ source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+ version = "~> 9.0"
+
+ name = "${var.project_id}-bucket"
+ project_id = var.project_id
+ location = "us"
+
+ website = {
+ main_page_suffix = "index.html"
+ not_found_page = "404.html"
+ }
+
+ cors = [{
+ origin = ["http://image-store.com"]
+ method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
+ response_header = ["*"]
+ max_age_seconds = 3600
+ }]
+
+ lifecycle_rules = [{
+ action = {
+ type = "Delete"
+ }
+ condition = {
+ age = 365
+ with_state = "ANY"
+ matches_prefix = var.project_id
+ }
+ }]
+
+ custom_placement_config = {
+ data_locations : ["US-EAST4", "US-WEST1"]
+ }
+
+ iam_members = [{
+ role = "roles/storage.objectViewer"
+ member = "group:test-gcp-ops@test.blueprints.joonix.net"
+ }]
+
+ autoclass = true
+ internal_encryption_config = {
+ create_encryption_key = true
+ use_autokey = true
+ }
+ depends_on = [time_sleep.wait_autokey_config]
+}
+
+resource "google_kms_autokey_config" "autokey_config" {
+ provider = google-beta
+ folder = var.folder_id
+ key_project = "projects/${var.key_project_id}"
+}
+
+resource "time_sleep" "wait_autokey_config" {
+ create_duration = "10s"
+ depends_on = [google_kms_autokey_config.autokey_config]
+}
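Review bot: `google_kms_autokey_config.autokey_config` changes a folder-scoped setting shared by every project under `var.folder_id`, so unlike the other `simple_bucket` examples this one is not self-contained: applying it points the whole folder at `var.key_project_id`, and `terraform destroy` will presumably unset that key project for the folder as well, affecting any other project there that relies on Autokey. A comment above the resource should say so, e.g. `# NOTE: Autokey is configured at folder scope; apply/destroy of this example affects every project under var.folder_id`. The `time_sleep` of `10s` is a timing workaround for Autokey config propagation rather than a real dependency, and deserves a comment to that effect so the next reader knows to raise the duration rather than remove it if key-handle creation races it. Separately, the `cors` block grants `PUT`/`POST`/`DELETE` to a plain `http://` origin with `response_header = ["*"]`; it looks copied from the other examples and is unrelated to Autokey, so dropping it (or at least the mutating methods) avoids shipping an overly permissive CORS policy as reference configuration.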
diff --git a/examples/simple_bucket_autokey/variables.tf b/examples/simple_bucket_autokey/variables.tf new file mode 100644 index 00000000..d2756031 --- /dev/null +++ b/examples/simple_bucket_autokey/variables.tf @@ -0,0 +1,30 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The ID of the project in which to provision resources." + type = string +} + +variable "key_project_id" { + type = string + description = "The project where autokey is setup" +} + +variable "folder_id" { + type = string + description = "The folder where project is created" +} diff --git a/examples/simple_bucket_autokey/versions.tf b/examples/simple_bucket_autokey/versions.tf new file mode 100644 index 00000000..42dbd4f2 --- /dev/null +++ b/examples/simple_bucket_autokey/versions.tf 
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
diff --git a/modules/simple_bucket/README.md b/modules/simple_bucket/README.md
index 47b0709f..65853ce9 100644
--- a/modules/simple_bucket/README.md
+++ b/modules/simple_bucket/README.md
@@ -45,7 +45,7 @@ Functional examples are included in the | encryption | A Cloud KMS key that will be used to encrypt objects inserted into this bucket. The key name should follow the format of `projects//locations//keyRings//cryptoKeys/`. To use a Cloud KMS key automatically created by this module use the `internal_encryption_config` input variable. |
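Review bot: `required_providers` declares only `google`, but this example's `main.tf` sets `provider = google-beta` on `google_kms_autokey_config` and uses a `time_sleep` resource from the `time` provider. Terraform falls back to `hashicorp/google-beta` and `hashicorp/time` implicitly, but that fallback carries no version constraint, so the example can silently resolve a provider major version the module was never tested against, and it is a legacy behaviour rather than something to rely on. Declare both next to `google`, with version constraints matching whatever the module's own `versions.tf` requires (not visible in this diff).
```hcl
  required_providers {
    # … unchanged: google = { source = "hashicorp/google" } …
    google-beta = {
      source = "hashicorp/google-beta"
    }
    time = {
      source = "hashicorp/time"
    }
  }
```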
object({
default_kms_key_name = string
})
| `null` | no | | force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no | | iam\_members | The list of IAM members to grant permissions on the bucket. |
list(object({
role = string
member = string
}))
| `[]` | no | -| internal\_encryption\_config | Configuration for the creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK) for the GCS Bucket
instead of creating one in advance and providing the key in the variable `encryption.default_kms_key_name`.
create\_encryption\_key: If `true` a Google Cloud Key Management Service (KMS) KeyRing and a Key will be created
prevent\_destroy: Set the prevent\_destroy lifecycle attribute on keys.
key\_destroy\_scheduled\_duration: Set the period of time that versions of keys spend in the `DESTROY_SCHEDULED` state before transitioning to `DESTROYED`.
key\_rotation\_period: Generate a new key every time this period passes. |
object({
create_encryption_key = optional(bool, false)
prevent_destroy = optional(bool, false)
key_destroy_scheduled_duration = optional(string, null)
key_rotation_period = optional(string, "7776000s")
})
| `{}` | no | +| internal\_encryption\_config | Configuration for the creation of an internal Google Cloud Key Management Service (KMS) Key for use as Customer-managed encryption key (CMEK) for the GCS Bucket
instead of creating one in advance and providing the key in the variable `encryption.default_kms_key_name`.
create\_encryption\_key: If `true` a Google Cloud Key Management Service (KMS) KeyRing and a Key will be created.
use\_autokey: If `true`, KMS key is created in configured autokey project automatically and used as default encryption key.
prevent\_destroy: Set the prevent\_destroy lifecycle attribute on keys.
key\_destroy\_scheduled\_duration: Set the period of time that versions of keys spend in the `DESTROY_SCHEDULED` state before transitioning to `DESTROYED`.
key\_rotation\_period: Generate a new key every time this period passes. |
object({
create_encryption_key = optional(bool, false)
use_autokey = optional(bool, false)
prevent_destroy = optional(bool, false)
key_destroy_scheduled_duration = optional(string, null)
key_rotation_period = optional(string, "7776000s")
})
| `{}` | no | | labels | A set of key/value label pairs to assign to the bucket. | `map(string)` | `null` | no | | lifecycle\_rules | The bucket's Lifecycle Rules configuration. |
list(object({
# Object with keys:
# - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
# - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
action = object({
type = string
storage_class = optional(string)
})

# Object with keys:
# - age - (Optional) Minimum age of an object in days to satisfy this condition.
# - send_age_if_zero - (Optional) While set true, num_newer_versions value will be sent in the request even for zero value of the field.
# - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
# - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
# - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
# - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
# - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition
# - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
# - custom_time_before - (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.
# - days_since_custom_time - (Optional) Days since the date set in the customTime metadata for the object.
# - days_since_noncurrent_time - (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.
# - noncurrent_time_before - (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.
condition = object({
age = optional(number)
send_age_if_zero = optional(bool)
created_before = optional(string)
with_state = optional(string)
matches_storage_class = optional(string)
matches_prefix = optional(string)
matches_suffix = optional(string)
num_newer_versions = optional(number)
custom_time_before = optional(string)
days_since_custom_time = optional(number)
days_since_noncurrent_time = optional(number)
noncurrent_time_before = optional(string)
})
}))
| `[]` | no | | location | The location of the bucket. See https://cloud.google.com/storage/docs/locations. | `string` | n/a | yes |
diff --git a/modules/simple_bucket/main.tf b/modules/simple_bucket/main.tf
index 7b3796cd..0dcbd077 100644
--- a/modules/simple_bucket/main.tf
+++ b/modules/simple_bucket/main.tf
@@ -15,7 +15,7 @@ */
 locals {
- internal_encryption = var.internal_encryption_config.create_encryption_key ? { default_kms_key_name = module.encryption_key[0].keys[var.name] } : null
+ internal_encryption = var.internal_encryption_config.create_encryption_key ? var.internal_encryption_config.use_autokey ? { default_kms_key_name = google_kms_key_handle.default[0].kms_key } : { default_kms_key_name = module.encryption_key[0].keys[var.name] } : null
 encryption = var.internal_encryption_config.create_encryption_key ? local.internal_encryption : var.encryption
 }
@@ -117,6 +117,15 @@ resource "google_storage_bucket" "bucket" {
 }
 }
+resource "google_kms_key_handle" "default" {
+ count = var.internal_encryption_config.create_encryption_key ? var.internal_encryption_config.use_autokey ? 1 : 0 : 0
+ provider = google-beta
+ project = var.project_id
+ name = var.name
+ location = var.location
+ resource_type_selector = "storage.googleapis.com/Bucket"
+}
+
 resource "google_storage_bucket_iam_member" "members" {
 for_each = {
 for m in var.iam_members : "${m.role} ${m.member}" => m
@@ -133,7 +142,7 @@ data "google_storage_project_service_account" "gcs_account" {
 module "encryption_key" {
 source = "terraform-google-modules/kms/google"
 version = "~> 4.0"
- count = var.internal_encryption_config.create_encryption_key ? 1 : 0
+ count = var.internal_encryption_config.create_encryption_key ? var.internal_encryption_config.use_autokey ? 0 : 1 : 0
 project_id = var.project_id
 location = lower(var.location)
diff --git a/modules/simple_bucket/outputs.tf b/modules/simple_bucket/outputs.tf
index 90d4b6f6..4088de56 100644
--- a/modules/simple_bucket/outputs.tf
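Review bot: The new `internal_encryption` value nests one conditional inside another (`a ? b ? x : y : null`), and the same two-flag decision is repeated in the `count` arguments of `google_kms_key_handle.default` and `module.encryption_key`, so the three places can drift apart. Hoisting the mode into named locals keeps them in sync and readable: `use_autokey = var.internal_encryption_config.create_encryption_key && var.internal_encryption_config.use_autokey`, `use_kms_module = var.internal_encryption_config.create_encryption_key && !var.internal_encryption_config.use_autokey`, then `internal_encryption = local.use_autokey ? { default_kms_key_name = google_kms_key_handle.default[0].kms_key } : local.use_kms_module ? { default_kms_key_name = module.encryption_key[0].keys[var.name] } : null`. A one-line comment above the local noting that the key comes from the folder's Autokey key project, not `var.project_id`, in Autokey mode would also help.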
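Review bot: `google_kms_key_handle.default` passes `location = var.location` unchanged, while the existing `module.encryption_key` call below normalizes with `lower(var.location)`; a caller using `"US"` (which the bucket accepts) therefore gets different location spellings depending on `use_autokey`, and the key handle may be rejected where the KMS module path works. Use `location = lower(var.location)` here as well. The resource also sets `provider = google-beta`; if the module's own `versions.tf` (not in this diff) does not already list `google-beta` under `required_providers`, it needs that entry so consumers are not left on the implicit-provider fallback. Finally, `data.google_storage_project_service_account.gcs_account` is presumably used to grant the Cloud Storage service agent access on the module-created key; a comment on the handle stating that in Autokey mode that grant is made by Autokey itself (as its documentation describes) would save the next reader from wondering why no IAM binding is wired here.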
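Review bot: With `use_autokey = true`, `module.encryption_key` gets `count = 0`, so the `prevent_destroy`, `key_destroy_scheduled_duration` and `key_rotation_period` entries of `internal_encryption_config` (presumably consumed by this module call further down, outside the hunk) are silently ignored, and a key handle exposes no equivalent knobs. The variable description should say so, e.g. add the sentence `prevent_destroy, key_destroy_scheduled_duration and key_rotation_period apply only when use_autokey is false; Autokey-managed keys follow the key project's Autokey policy.` A `validation` block on `internal_encryption_config` that rejects `use_autokey = true` combined with `prevent_destroy = true` or a non-default rotation period would surface the mismatch at plan time instead of letting a caller believe rotation is configured. The nested ternary can also be written as `count = var.internal_encryption_config.create_encryption_key && !var.internal_encryption_config.use_autokey ? 1 : 0`; the module block continues outside the hunk.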
+++ b/modules/simple_bucket/outputs.tf
@@ -31,7 +31,7 @@ output "url" {
 output "internal_kms_configuration" {
 description = "The intenal KMS Resource."
- value = var.internal_encryption_config.create_encryption_key ? module.encryption_key[0] : null
+ value = var.internal_encryption_config.create_encryption_key ? var.internal_encryption_config.use_autokey ? google_kms_key_handle.default[0] : module.encryption_key[0] : null
 }
 output "apphub_service_uri" {
diff --git a/modules/simple_bucket/variables.tf b/modules/simple_bucket/variables.tf
index 37f92d59..0022b956 100644
--- a/modules/simple_bucket/variables.tf
+++ b/modules/simple_bucket/variables.tf
@@ -192,13 +192,15 @@ variable "internal_encryption_config" {
 description = <
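Review bot: `internal_kms_configuration` now returns a `google_kms_key_handle` resource in Autokey mode and the whole `module.encryption_key` object otherwise, so the output's shape depends on `use_autokey` and a consumer reading `.keys[...]` from it breaks as soon as the flag flips. The description (`"The intenal KMS Resource."`, also a typo) should state this, e.g. `description = "The internal KMS resource: the google_kms_key_handle when use_autokey is true, otherwise the kms module outputs."`. Consider also exposing one stable field in both modes, such as a separate output returning `local.encryption` (the resolved `default_kms_key_name`), so callers do not have to branch on the mode themselves.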