Add KMS resources

environment/deployments/roundtable/main.tf

@@ -21,6 +21,32 @@ module "iam_admin" {
   member                  = "gcp-${var.application_name}[email protected]"
 }
 
+// Vault server key management
+// prod
+module "kms" {
+  source         = "../../../modules/kms"
+  project_id     = module.project_factory.project_id
+  location       = "us-central1"  
+  keyring        = "vault-server"
+  keys           = [ "vault-seal" ]
+  set_owners_for = [ "vault-seal" ]
+  decrypters     = var.vault_server_service_accounts
+  encrypters     = var.vault_server_service_accounts
+  owners         = var.vault_server_service_accounts
+}
+// dev
+module "kms_2" {
+  source         = "../../../modules/kms"
+  project_id     = module.project_factory.project_id
+  location       = "us-central1"  
+  keyring        = "vault-server-dev"
+  keys           = [ "vault-seal" ]
+  set_owners_for = [ "vault-seal" ]
+  decrypters     = var.vault_server_dev_service_accounts
+  encrypters     = var.vault_server_dev_service_accounts
+  owners         = var.vault_server_dev_service_accounts
+}
+
 
 // Vault Server Storage Bucket
 module "storage_bucket" {

environment/deployments/roundtable/variables.tf

@@ -25,6 +25,7 @@ variable "activate_apis" {
   description = "The api to activate for the GCP project"
   type        = list(string)
   default = [
+    "cloudkms.googleapis.com",
     "compute.googleapis.com",
     "container.googleapis.com",
     "stackdriver.googleapis.com",

modules/kms/main.tf

@@ -0,0 +1,22 @@
+module "kms" {
+  source  = "terraform-google-modules/kms/google"
+  version = "~> 2.0"
+
+  project_id                     = var.project_id
+  location                       = var.location
+  keyring                        = var.keyring
+  keys                           = var.keys
+  set_decrypters_for             = var.set_decrypters_for
+  set_encrypters_for             = var.set_encrypters_for
+  set_owners_for                 = var.set_owners_for
+  decrypters                     = var.decrypters
+  encrypters                     = var.encrypters
+  owners                         = var.owners
+  labels                         = var.labels
+  key_algorithm                  = var.key_algorithm
+  key_destroy_scheduled_duration = var.key_destroy_scheduled_duration
+  key_protection_level           = var.key_protection_level
+  key_rotation_period            = var.key_rotation_period
+  prevent_destroy                = var.prevent_destroy
+  purpose                        = var.purpose
+}

modules/kms/outputs.tf

@@ -0,0 +1,19 @@
+output "keyring" {
+  description = "Self link of the keyring."
+  value = module.kms.keyring
+}
+
+output "keyring_name" {
+  description = "Name of the keyring."
+  value = module.kms.keyring_name
+}
+
+output "keyring_resource" {
+  description = "Keyring resource."
+  value = module.kms.keyring_resource
+}
+
+output "keys" {
+  description = "Map of key name => key self link."
+  value = module.kms.keys
+}

modules/kms/variables.tf

@@ -0,0 +1,98 @@
+variable "project_id" {
+  description = "Project id where the keyring will be created."
+  type        = string
+}
+
+variable "location" {
+  description = "Location for the keyring."
+  type        = string
+}
+
+variable "keyring" {
+  description = "Keyring name."
+  type        = string
+}
+
+variable "keys" {
+  description = "Key names."
+  type        = list(string)
+  default     = []
+}
+
+variable "set_decrypters_for" {
+  description = "Name of keys for which decrypters will be set."
+  type        = list(string)
+  default     = []
+}
+
+variable "set_encrypters_for" {
+  description = "Name of keys for which encrypters will be set."
+  type        = list(string)
+  default     = []
+}
+
+variable "set_owners_for" {
+  description = "Name of keys for which owners will be set."
+  type        = list(string)
+  default     = []
+}
+
+variable "decrypters" {
+  description = "List of comma-separated decrypters for each key declared in set_decrypters_for."
+  type        = list(string)
+  default     = []
+}
+
+variable "encrypters" {
+  description = "List of comma-separated encrypters for each key declared in set_encrypters_for."
+  type        = list(string)
+  default     = []
+}
+
+variable "owners" {
+  description = "List of comma-separated owners for each key declared in set_owners_for."
+  type        = list(string)
+  default     = []
+}
+
+variable "key_algorithm" {
+  description = "The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs."
+  type                   = string
+  default                = "GOOGLE_SYMMETRIC_ENCRYPTION"
+}
+
+variable "key_destroy_scheduled_duration" {
+  description = "Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED."
+  type        = string
+  default     = null
+}
+
+variable key_protection_level {
+  description = "The protection level to use when creating a version based on this template. Possible values are SOFTWARE and HSM."
+  type        = string
+  default     = "SOFTWARE"
+}
+
+variable "key_rotation_period" {
+  description = "Generate a new key every time this period passes."
+  type        = string
+  default     = "7776000s"
+}
+
+variable "labels" {
+  description = "Labels, provided as a map."
+  type        = map(string)
+  default     = {}
+}
+
+variable "prevent_destroy" {
+  description = "Set the prevent_destroy lifecycle attribute on keys."
+  type        = bool
+  default     = true
+}
+
+variable "purpose" {
+  description = "The immutable purpose of the CryptoKey. Possible values are ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, and ASYMMETRIC_DECRYPT."
+  type        = string
+  default     = "ENCRYPT_DECRYPT"
+}