chore: Include producer example (#28)
romanini-ciandt authored May 18, 2024
1 parent 39170ea commit d7c66d4
Showing 6 changed files with 56 additions and 19 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
* limitations under the License.
*/

module "bootstrap" {
module "consumer_bootstrap" {
source = "../../share-encrypted-data-with-partners/consumer/0-bootstrap"

project_id = var.project_id
Expand All @@ -23,3 +23,25 @@ module "bootstrap" {
import_job_public_key_path = "./wrapping-key.pem"
prevent_destroy = false
}

module "producer_key_wrap" {
source = "../../share-encrypted-data-with-partners/producer/"

key_encryption_key_path = "./wrapping-key.pem"
data_encryption_key_path = "./testing_only_dek.bin.index"
wrapped_key_path = "./wrapped-key"

depends_on = [module.consumer_bootstrap]
}

module "consumer_key_import" {
source = "../../share-encrypted-data-with-partners/consumer/1-key-import"

project_id = var.project_id
keyring = module.consumer_bootstrap.keyring
key = module.consumer_bootstrap.key
wrapped_key_path = "./wrapped-key"
import_job_id = module.consumer_bootstrap.import_job_id

depends_on = [module.producer_key_wrap]
}
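Review bot: The `consumer_key_import` module block does not pass `location`, so the import falls back to the 1-key-import default of `us-central1` and silently diverges from the keyring's real location whenever `consumer_bootstrap` is configured with a different one; the remote-state wiring this commit removes read `location` from the bootstrap outputs, so the equivalent here is `location = module.consumer_bootstrap.location`. Separately, `data_encryption_key_path = "./testing_only_dek.bin.index"` points at what appears to be raw key material committed alongside this example (the one-line binary file in this commit); even test-only DEKs checked into version control tend to be copied into real deployments, so either generate the DEK at apply time or annotate the line with `# throwaway test DEK shipped with the example — never reuse it to encrypt real data`. The example file's path and header are not visible in this section.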
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
��5�iu��?HS�E����B�J�xi%Ϙ
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,11 @@ This module provides the key import process for an existing import job and raw e
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| crypto\_key\_algorithm\_import | Algorithm to use when creating a crypto key version through import. See more: https://cloud.google.com/sdk/gcloud/reference/kms/keys/versions/import. | `string` | `"aes-256-gcm"` | no |
| import\_job\_id | ID of the import job created in 0-bootstrap module | `string` | n/a | yes |
| key | Name of the key to be created. | `string` | n/a | yes |
| keyring | Name of the keyring to be created. | `string` | n/a | yes |
| location | Location for the keyring. For available KMS locations see: https://cloud.google.com/kms/docs/locations. | `string` | `"us-central1"` | no |
| project\_id | GCP project ID to use for the creation of resources. | `string` | n/a | yes |
| wrapped\_key\_path | Path to the wrapped key file. | `string` | n/a | yes |

## Outputs
Expand Down
19 changes: 1 addition & 18 deletions share-encrypted-data-with-partners/consumer/1-key-import/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -14,27 +14,10 @@
* limitations under the License.
*/

data "terraform_remote_state" "bootstrap" {
backend = "local"

config = {
path = "../0-bootstrap/terraform.tfstate"
}
}

locals {
project_id = data.terraform_remote_state.bootstrap.outputs.project_id
import_job_id = data.terraform_remote_state.bootstrap.outputs.import_job_id
keyring = data.terraform_remote_state.bootstrap.outputs.keyring
key = data.terraform_remote_state.bootstrap.outputs.key
location = data.terraform_remote_state.bootstrap.outputs.location
}


// Import wrapped key into the existing import job in Cloud KMS
resource "null_resource" "gcloud-import-wrapped-key-into-an-existing-job" {

provisioner "local-exec" {
command = "gcloud kms keys versions import --import-job ${local.import_job_id} --location ${local.location} --keyring ${local.keyring} --key ${local.key} --algorithm ${var.crypto_key_algorithm_import} --wrapped-key-file ${var.wrapped_key_path} --project ${local.project_id}"
command = "gcloud kms keys versions import --import-job ${var.import_job_id} --location ${var.location} --keyring ${var.keyring} --key ${var.key} --algorithm ${var.crypto_key_algorithm_import} --wrapped-key-file ${var.wrapped_key_path} --project ${var.project_id}"
}
}
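Review bot: The rewritten `local-exec` command still splices every variable into the shell string unquoted, and the `null_resource` has no `triggers`, so a later change to `import_job_id`, `key` or `wrapped_key_path` yields a no-op plan and the new key version is never imported. Values such as `wrapped_key_path` are filesystem paths that may contain spaces or shell metacharacters the shell will then interpret; quoting each argument and keying the resource on its inputs addresses both. I would keep a file hash out of `triggers` because the wrapped key is produced by another module in the same apply and may not exist at plan time. The resource's opening line is inside the hunk, so the whole block can be replaced as below.
```hcl
resource "null_resource" "gcloud-import-wrapped-key-into-an-existing-job" {
  # Re-run the import whenever the target or the wrapped key file changes;
  # without triggers a null_resource only ever runs once per state.
  triggers = {
    import_job_id    = var.import_job_id
    key              = var.key
    wrapped_key_path = var.wrapped_key_path
  }

  provisioner "local-exec" {
    command = "gcloud kms keys versions import --import-job \"${var.import_job_id}\" --location \"${var.location}\" --keyring \"${var.keyring}\" --key \"${var.key}\" --algorithm \"${var.crypto_key_algorithm_import}\" --wrapped-key-file \"${var.wrapped_key_path}\" --project \"${var.project_id}\""
  }
}
```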
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,29 @@ variable "crypto_key_algorithm_import" {
type = string
default = "aes-256-gcm"
}

variable "project_id" {
description = "GCP project ID to use for the creation of resources."
type = string
}

variable "location" {
description = "Location for the keyring. For available KMS locations see: https://cloud.google.com/kms/docs/locations."
type = string
default = "us-central1"
}

variable "keyring" {
description = "Name of the keyring to be created."
type = string
}

variable "key" {
description = "Name of the key to be created."
type = string
}

variable "import_job_id" {
description = "ID of the import job created in 0-bootstrap module"
type = string
}
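Review bot: The new `keyring` and `key` variables are described as "Name of the keyring to be created." and "Name of the key to be created.", but this module only runs `gcloud kms keys versions import` against resources that must already exist (the README in this commit calls it an import into an existing import job), so the descriptions mislead anyone wiring it up. Suggested wording: `description = "Name of the existing keyring (created in 0-bootstrap) that holds the target key."` and `description = "Name of the existing key (created in 0-bootstrap) to import the wrapped key version into."`. `location` also defaults to `us-central1` while the import job, keyring and key are location-bound, so its description should state that the value must match the location used in 0-bootstrap, or the default should be dropped so callers are forced to pass it explicitly.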
