diff --git a/environment/deployments/roundtable/main.tf b/environment/deployments/roundtable/main.tf
index 9ae8df77..761db1d2 100644
--- a/environment/deployments/roundtable/main.tf
+++ b/environment/deployments/roundtable/main.tf
@@ -21,6 +21,32 @@ module "iam_admin" {
 member = "gcp-${var.application_name}-administrators@lsst.cloud"
 }
 
+// Vault server key management
+// prod
+module "kms" {
+ source = "../../../modules/kms"
+ project_id = module.project_factory.project_id
+ location = "us-central1"
+ keyring = "vault-server"
+ keys = [ "vault-seal" ]
+ set_owners_for = [ "vault-seal" ]
+ decrypters = var.vault_server_service_accounts
+ encrypters = var.vault_server_service_accounts
+ owners = var.vault_server_service_accounts
+}
+// dev
+module "kms_2" {
+ source = "../../../modules/kms"
+ project_id = module.project_factory.project_id
+ location = "us-central1"
+ keyring = "vault-server-dev"
+ keys = [ "vault-seal" ]
+ set_owners_for = [ "vault-seal" ]
+ decrypters = var.vault_server_dev_service_accounts
+ encrypters = var.vault_server_dev_service_accounts
+ owners = var.vault_server_dev_service_accounts
+}
+
 
 // Vault Server Storage Bucket
 module "storage_bucket" {
diff --git a/environment/deployments/roundtable/variables.tf b/environment/deployments/roundtable/variables.tf
index bbc18310..f2815197 100644
--- a/environment/deployments/roundtable/variables.tf
+++ b/environment/deployments/roundtable/variables.tf
@@ -25,6 +25,7 @@ variable "activate_apis" {
 description = "The api to activate for the GCP project"
 type = list(string)
 default = [
+ "cloudkms.googleapis.com",
 "compute.googleapis.com",
 "container.googleapis.com",
 "stackdriver.googleapis.com",
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
new file mode 100644
index 00000000..871b6e57
--- /dev/null
+++ b/modules/kms/main.tf
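Review bot: In `module "kms"` the `decrypters` and `encrypters` lists are passed but `set_decrypters_for` and `set_encrypters_for` are not, so with the wrapper module's empty defaults no encrypter or decrypter binding is created on `vault-seal` and only the owners binding takes effect; `module "kms_2"` has the same gap. If the upstream module maps `owners` to a broad role on the key, as its documentation describes, the Vault service accounts also end up with more than auto-unseal needs. Add `set_decrypters_for = [ "vault-seal" ]` and `set_encrypters_for = [ "vault-seal" ]` to both blocks and consider dropping `set_owners_for` / `owners`, confirming against Vault's GCP KMS seal documentation which permissions the seal actually requires. The name `kms_2` says nothing about its role; `kms_dev` would match the `vault-server-dev` keyring and the `// dev` comment above it.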
@@ -0,0 +1,22 @@
+module "kms" {
+ source = "terraform-google-modules/kms/google"
+ version = "~> 2.3"
+
+ project_id = var.project_id
+ location = var.location
+ keyring = var.keyring
+ keys = var.keys
+ set_decrypters_for = var.set_decrypters_for
+ set_encrypters_for = var.set_encrypters_for
+ set_owners_for = var.set_owners_for
+ decrypters = var.decrypters
+ encrypters = var.encrypters
+ owners = var.owners
+ labels = var.labels
+ key_algorithm = var.key_algorithm
+ key_destroy_scheduled_duration = var.key_destroy_scheduled_duration
+ key_protection_level = var.key_protection_level
+ key_rotation_period = var.key_rotation_period
+ prevent_destroy = var.prevent_destroy
+ purpose = var.purpose
+}
diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf
new file mode 100644
index 00000000..eac3beed
--- /dev/null
+++ b/modules/kms/outputs.tf
@@ -0,0 +1,19 @@
+output "keyring" {
+ description = "Self link of the keyring."
+ value = module.kms.keyring
+}
+
+output "keyring_name" {
+ description = "Name of the keyring."
+ value = module.kms.keyring_name
+}
+
+output "keyring_resource" {
+ description = "Keyring resource."
+ value = module.kms.keyring_resource
+}
+
+output "keys" {
+ description = "Map of key name => key self link."
+ value = module.kms.keys
+}
diff --git a/modules/kms/readme.md b/modules/kms/readme.md
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
new file mode 100644
index 00000000..138e15c2
--- /dev/null
+++ b/modules/kms/variables.tf
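Review bot: The wrapper forwards every upstream input unchanged and `modules/kms/readme.md` is added empty, so nothing records why the indirection exists or the input convention a caller must follow. A short header comment above `module "kms"`, `// Thin wrapper that pins terraform-google-modules/kms; a key only receives decrypter/encrypter/owner bindings when it is listed in the matching set_*_for variable`, would make the contract that variables.tf describes visible at the point of use and head off callers passing principals without the corresponding set list.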
@@ -0,0 +1,97 @@
+variable "project_id" {
+ description = "Project id where the keyring will be created."
+ type = string
+}
+
+variable "location" {
+ description = "Location for the keyring."
+ type = string
+}
+
+variable "keyring" {
+ description = "Keyring name."
+ type = string
+}
+
+variable "keys" {
+ description = "Key names."
+ type = list(string)
+ default = []
+}
+
+variable "set_decrypters_for" {
+ description = "Name of keys for which decrypters will be set."
+ type = list(str)
+ default = []
+}
+
+variable "set_encrypters_for" {
+ description = "Name of keys for which encrypters will be set."
+ type = list(str)
+ default = []
+}
+
+variable "set_owners_for" {
+ description = "Name of keys for which owners will be set."
+ type = list(str)
+ default = []
+}
+
+variable "decrypters" {
+ description = "List of comma-separated decrypters for each key declared in set_decrypters_for."
+ type = list(str)
+ default = []
+}
+
+variable "encrypters" {
+ description = "List of comma-separated encrypters for each key declared in set_encrypters_for."
+ type = list(str)
+ default = []
+}
+
+variable "owners" {
+ description = "List of comma-separated owners for each key declared in set_owners_for."
+ type = list(str)
+ default = []
+}
+
+variable "key_algorithm" {
+ description = "The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs."
+ type = string
+ default = "GOOGLE_SYMMETRIC_ENCRYPTION"
+}
+
+variable "key_destroy_scheduled_duration" {
+ description = "Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED."
+ type = string
+ default = null
+}
+
+variable key_protection_level {
+ description = "The protection level to use when creating a version based on this template. Possible values are SOFTWARE and HSM."
+ type = string
+ default = "SOFTWARE"
+}
+
+variable "key_rotation_period" {
+ description = "Generate a new key every time this period passes."
+ type = string
+ default = "7776000s"
+}
+
+variable "labels" {
+ description = "Labels, provided as a map."
+ default = {}
+}
+
+variable "prevent_destroy" {
+ description = "Set the prevent_destroy lifecycle attribute on keys."
+ type = bool
+ default = true
+}
+
+variable "purpose" {
+ description = "The immutable purpose of the CryptoKey. Possible values are ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, and ASYMMETRIC_DECRYPT."
+ type = string
+ default = "ENCRYPT_DECRYPT"
+}
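Review bot: `type = list(str)` on `set_decrypters_for`, `set_encrypters_for`, `set_owners_for`, `decrypters`, `encrypters` and `owners` is not a valid Terraform type constraint — the primitive type is `string` — so the module fails validation before any of the IAM inputs can be applied; change each of the six to `type = list(string)`. `variable key_protection_level {` is the only unquoted block label in the file; quote it to match the other declarations. `labels` carries no type constraint, and `type = map(string)` would match its description "Labels, provided as a map." and the `default = {}`.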