feat!: Restricting autokey module to autokey configuration use case

docs/upgrading_to_v4.0.md

@@ -0,0 +1,21 @@
+# Upgrading to v4.0
+The v4.0 release of *kms* is a backwards incompatible release.
+
+### Autokey Submodule
+The current users of Autokey submodules needs to
+- Switch `project_id` to `key_project_id`
+- Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/).
+
+
+### To Migrate from v3.0 to v4.0
+Using V3.0 of Autokey modules if you have created keyhandles and wants to use them with V4.0 version then they need to be imported using below steps
+
+1. Retrieve the keyhandles created:
+    -  Run `terraform  state list module.autokey.google_kms_key_handle.primary` to list all keyhandles created using v3.0
+    -  For each item in the output of above CLI, run `terraform state show 'module.autokey.google_kms_key_handle.primary["<an id from the output of list>"]'` and copy the resulting `id` field from the cli output to notepad
+2. Delete all keyhandles from the state: run `terraform state rm module.autokey.google_kms_key_handle.primary`
+3. Update the main root module to use V4.0 version. Add the keyhandle config definition to the main root module for all the keyhandle found in step1.
+4. Import all the keyhandles configs using id copied in setp1 to the terraform state
+    - for each keyhandle id found in step1, Run `terraform  import resource.google_kms_key_handle.<key_handle_name_given_in_step3> "<paste corresponding keyhandle id copied in step 1>"`
+
+

examples/autokey_setup/README.md

@@ -0,0 +1,26 @@
+# Autokey Example
+
+This example illustrates how to setup the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes |
+| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| autokey\_config\_id | An Autokey configuration identifier. |
+| key\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/autokey_setup/main.tf

@@ -0,0 +1,24 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+  source  = "terraform-google-modules/kms/google//modules/autokey"
+  version = "~> 4.0"
+
+  key_project_id        = var.key_project_id
+  autokey_folder_number = var.folder_id
+}
+

examples/autokey_setup/outputs.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "autokey_config_id" {
+  description = "An Autokey configuration identifier."
+  value       = module.autokey.autokey_config_id
+}
+
+output "key_project_id" {
+  description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey."
+  value       = var.key_project_id
+}

examples/autokey_setup/variables.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_project_id" {
+  description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+  type        = string
+}
+
+variable "folder_id" {
+  type        = string
+  description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+

examples/autokey_example/README.md → examples/bucket_setup_using_autokey/README.md

@@ -1,23 +1,23 @@
 # Autokey Example
 
-This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create the bucket.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes |
-| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes |
-| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes |
+| bucket\_location | The GCP location where storage bucket will be created | `string` | `"us-central1"` | no |
+| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes |
+| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes |
+| resource\_project\_id | The ID of the project in which to provision cloud storage bucket resource. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| autokey\_config\_id | An Autokey configuration identifier. |
-| autokey\_keyhandles | A map of KeyHandles created. |
-| autokey\_project\_id | Project used for autokey. |
+| bucket\_keyhandle | Keyhandle configuration created for the bucket. |
+| bucket\_name | Name of the bucket created. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/bucket_setup_using_autokey/main.tf

@@ -0,0 +1,62 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+  source  = "terraform-google-modules/kms/google//modules/autokey"
+  version = "~> 4.0"
+
+  key_project_id        = var.key_project_id
+  autokey_folder_number = var.folder_id
+}
+
+# Wait delay for autokey configuration.
+resource "time_sleep" "wait_autokey_config" {
+  create_duration = "20s"
+  depends_on      = [module.autokey]
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+resource "google_kms_key_handle" "bucket_keyhandle" {
+  provider               = google-beta
+  name                   = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}"
+  project                = var.resource_project_id
+  location               = var.bucket_location
+  resource_type_selector = "storage.googleapis.com/Bucket"
+
+  lifecycle {
+    ignore_changes = [name]
+  }
+  depends_on = [time_sleep.wait_autokey_config]
+}
+
+module "bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~> 9.0"
+
+  name       = "${var.resource_project_id}-bucket-${random_string.suffix.result}"
+  project_id = var.resource_project_id
+  location   = var.bucket_location
+  encryption = {
+    default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key
+  }
+
+  depends_on = [resource.google_kms_key_handle.bucket_keyhandle]
+}

examples/bucket_setup_using_autokey/outputs.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket_keyhandle" {
+  description = "Keyhandle configuration created for the bucket."
+  value       = resource.google_kms_key_handle.bucket_keyhandle
+}
+
+output "bucket_name" {
+  description = "Name of the bucket created."
+  value       = module.bucket.name
+}

examples/bucket_setup_using_autokey/variables.tf

@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_project_id" {
+  description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+  type        = string
+}
+
+variable "folder_id" {
+  type        = string
+  description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+
+variable "resource_project_id" {
+  description = "The ID of the project in which to provision cloud storage bucket resource."
+  type        = string
+}
+
+variable "bucket_location" {
+  type        = string
+  description = "The GCP location where storage bucket will be created"
+  default     = "us-central1"
+}