Showing
6 changed files
with
166 additions
and
0 deletions.
@@ -21,6 +21,32 @@ module "iam_admin" { | |
member = "gcp-${var.application_name}[email protected]" | ||
} | ||
|
||
// Vault server key management | ||
// prod | ||
module "kms" { | ||
source = "../../../modules/kms" | ||
project_id = module.project_factory.project_id | ||
location = "us-central1" | ||
keyring = "vault-server" | ||
keys = [ "vault-seal" ] | ||
set_owners_for = [ "vault-seal" ] | ||
decrypters = var.vault_server_service_accounts | ||
encrypters = var.vault_server_service_accounts | ||
owners = var.vault_server_service_accounts | ||
} | ||
// dev | ||
module "kms_2" { | ||
source = "../../../modules/kms" | ||
project_id = module.project_factory.project_id | ||
location = "us-central1" | ||
keyring = "vault-server-dev" | ||
keys = [ "vault-seal" ] | ||
set_owners_for = [ "vault-seal" ] | ||
decrypters = var.vault_server_dev_service_accounts | ||
encrypters = var.vault_server_dev_service_accounts | ||
owners = var.vault_server_dev_service_accounts | ||
} | ||
|
||
|
||
// Vault Server Storage Bucket | ||
module "storage_bucket" { | ||
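Review bot: Both new module calls (`kms` and `kms_2`) set only `set_owners_for`, so the `decrypters` and `encrypters` lists they pass are inert: the wrapper defaults `set_decrypters_for` and `set_encrypters_for` to `[]`, and its variable descriptions say those bindings are created only for keys named there, leaving the Vault service accounts with just the owner binding on `vault-seal`. A Vault seal only needs encrypt/decrypt on the key, so I would add `set_decrypters_for = [ "vault-seal" ]` and `set_encrypters_for = [ "vault-seal" ]` to both calls and drop `set_owners_for`/`owners` unless owner rights on the key are actually required (confirm which role the upstream module binds for `owners` before relying on it). `kms_2` says nothing about its purpose; `kms_dev` would match the `// dev` comment above it and the `vault_server_dev_service_accounts` input it consumes. The new blocks are complete inside the hunk, but `module "storage_bucket" {` on its last line continues outside it.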
|
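--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,22 @@
+module "kms" {
+source = "terraform-google-modules/kms/google"
+version = "~> 2.0"
+
+project_id = var.project_id
+location = var.location
+keyring = var.keyring
+keys = var.keys
+set_decrypters_for = var.set_decrypters_for
+set_encrypters_for = var.set_encrypters_for
+set_owners_for = var.set_owners_for
+decrypters = var.decrypters
+encrypters = var.encrypters
+owners = var.owners
+labels = var.labels
+key_algorithm = var.key_algorithm
+key_destroy_scheduled_duration = var.key_destroy_scheduled_duration
+key_protection_level = var.key_protection_level
+key_rotation_period = var.key_rotation_period
+prevent_destroy = var.prevent_destroy
+purpose = var.purpose
+}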
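Review bot: The wrapper module carries no comment explaining why it exists, so a maintainer cannot tell whether the straight pass-through to `terraform-google-modules/kms/google` is intentional or whether environments should call the upstream module directly; I would open the file with `// Thin wrapper around terraform-google-modules/kms/google: pins the upstream version in one place and exposes its inputs and outputs unchanged.` The `~> 2.0` constraint admits any 2.x release, so whatever lock file or narrower constraint the repository uses is what actually decides the applied version; that is worth stating in the same comment so nobody assumes the wrapper pins an exact version.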
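--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,19 @@
+output "keyring" {
+description = "Self link of the keyring."
+value = module.kms.keyring
+}
+
+output "keyring_name" {
+description = "Name of the keyring."
+value = module.kms.keyring_name
+}
+
+output "keyring_resource" {
+description = "Keyring resource."
+value = module.kms.keyring_resource
+}
+
+output "keys" {
+description = "Map of key name => key self link."
+value = module.kms.keys
+}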
Empty file.
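--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,98 @@
+variable "project_id" {
+description = "Project id where the keyring will be created."
+type = string
+}
+
+variable "location" {
+description = "Location for the keyring."
+type = string
+}
+
+variable "keyring" {
+description = "Keyring name."
+type = string
+}
+
+variable "keys" {
+description = "Key names."
+type = list(string)
+default = []
+}
+
+variable "set_decrypters_for" {
+description = "Name of keys for which decrypters will be set."
+type = list(string)
+default = []
+}
+
+variable "set_encrypters_for" {
+description = "Name of keys for which encrypters will be set."
+type = list(string)
+default = []
+}
+
+variable "set_owners_for" {
+description = "Name of keys for which owners will be set."
+type = list(string)
+default = []
+}
+
+variable "decrypters" {
+description = "List of comma-separated decrypters for each key declared in set_decrypters_for."
+type = list(string)
+default = []
+}
+
+variable "encrypters" {
+description = "List of comma-separated encrypters for each key declared in set_encrypters_for."
+type = list(string)
+default = []
+}
+
+variable "owners" {
+description = "List of comma-separated owners for each key declared in set_owners_for."
+type = list(string)
+default = []
+}
+
+variable "key_algorithm" {
+description = "The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs."
+type = string
+default = "GOOGLE_SYMMETRIC_ENCRYPTION"
+}
+
+variable "key_destroy_scheduled_duration" {
+description = "Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED."
+type = string
+default = null
+}
+
+variable key_protection_level {
+description = "The protection level to use when creating a version based on this template. Possible values are SOFTWARE and HSM."
+type = string
+default = "SOFTWARE"
+}
+
+variable "key_rotation_period" {
+description = "Generate a new key every time this period passes."
+type = string
+default = "7776000s"
+}
+
+variable "labels" {
+description = "Labels, provided as a map."
+type = map(string)
+default = {}
+}
+
+variable "prevent_destroy" {
+description = "Set the prevent_destroy lifecycle attribute on keys."
+type = bool
+default = true
+}
+
+variable "purpose" {
+description = "The immutable purpose of the CryptoKey. Possible values are ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, and ASYMMETRIC_DECRYPT."
+type = string
+default = "ENCRYPT_DECRYPT"
+}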
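Review bot: `variable key_protection_level {` drops the quotes that every other block in this file uses; the unquoted label is at best tolerated and `terraform fmt` would rewrite it, so make it `variable "key_protection_level" {` for consistency. Since `key_protection_level` and `purpose` both document a closed set of allowed values, a `validation` block on each (e.g. `condition = contains(["SOFTWARE", "HSM"], var.key_protection_level)`) would reject a typo at plan time rather than at the API call, assuming the module targets a Terraform version that supports variable validation. Because the other hunk uses this wrapper for a Vault seal key, a one-line comment on `key_protection_level` noting that callers can pass `HSM` and that the `SOFTWARE` default simply mirrors upstream would help whoever reviews that choice later.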