Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: alternate approach for external crn support #547

Merged
merged 19 commits into from
Sep 11, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -968,7 +968,7 @@ statement instead the previous block.
| <a name="input_f5_vsi"></a> [f5\_vsi](#input\_f5\_vsi) | A list describing F5 VSI workloads to create | <pre>list(<br> object({<br> name = string<br> vpc_name = string<br> primary_subnet_name = string<br> secondary_subnet_names = list(string)<br> secondary_subnet_security_group_names = list(<br> object({<br> group_name = string<br> interface_name = string<br> })<br> )<br> ssh_keys = list(string)<br> f5_image_name = string<br> machine_type = string<br> resource_group = optional(string)<br> enable_management_floating_ip = optional(bool)<br> enable_external_floating_ip = optional(bool)<br> security_groups = optional(list(string))<br> boot_volume_encryption_key_name = optional(string)<br> hostname = string<br> domain = string<br> access_tags = optional(list(string), [])<br> security_group = optional(<br> object({<br> name = string<br> rules = list(<br> object({<br> name = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> udp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> icmp = optional(<br> object({<br> type = number<br> code = number<br> })<br> )<br> })<br> )<br> })<br> )<br> block_storage_volumes = optional(list(<br> object({<br> name = string<br> profile = string<br> capacity = optional(number)<br> iops = optional(number)<br> encryption_key = optional(string)<br> })<br> ))<br> load_balancers = optional(list(<br> object({<br> name = string<br> type = string<br> listener_port = number<br> listener_protocol = string<br> connection_limit = number<br> algorithm = string<br> protocol = string<br> health_delay = number<br> health_retries = number<br> health_timeout = number<br> health_type = string<br> pool_member_port = string<br> security_group = optional(<br> object({<br> name = string<br> rules = list(<br> object({<br> name = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> udp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> icmp = optional(<br> object({<br> type = number<br> code = number<br> })<br> )<br> })<br> )<br> })<br> )<br> })<br> ))<br> })<br> )</pre> | `[]` | no |
| <a name="input_iam_account_settings"></a> [iam\_account\_settings](#input\_iam\_account\_settings) | IAM Account Settings. | <pre>object({<br> enable = bool<br> mfa = optional(string)<br> allowed_ip_addresses = optional(string)<br> include_history = optional(bool)<br> if_match = optional(string)<br> max_sessions_per_identity = optional(string)<br> restrict_create_service_id = optional(string)<br> restrict_create_platform_apikey = optional(string)<br> session_expiration_in_seconds = optional(string)<br> session_invalidation_in_seconds = optional(string)<br> })</pre> | <pre>{<br> "enable": false<br>}</pre> | no |
| <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. Only required if certain options are required. | `string` | `null` | no |
| <a name="input_key_management"></a> [key\_management](#input\_key\_management) | Key Protect instance variables | <pre>object({<br> name = string<br> resource_group = string<br> use_data = optional(bool)<br> use_hs_crypto = optional(bool)<br> access_tags = optional(list(string), [])<br> keys = optional(<br> list(<br> object({<br> name = string<br> root_key = optional(bool)<br> payload = optional(string)<br> key_ring = optional(string) # Any key_ring added will be created<br> force_delete = optional(bool)<br> endpoint = optional(string) # can be public or private<br> iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br> encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br> policies = optional(<br> object({<br> rotation = optional(<br> object({<br> interval_month = number<br> })<br> )<br> dual_auth_delete = optional(<br> object({<br> enabled = bool<br> })<br> )<br> })<br> )<br> })<br> )<br> )<br> })</pre> | n/a | yes |
| <a name="input_key_management"></a> [key\_management](#input\_key\_management) | Key Protect instance variables | <pre>object({<br> name = optional(string)<br> resource_group = optional(string)<br> use_data = optional(bool)<br> use_hs_crypto = optional(bool)<br> access_tags = optional(list(string), [])<br> keys = optional(<br> list(<br> object({<br> name = string<br> root_key = optional(bool)<br> payload = optional(string)<br> key_ring = optional(string) # Any key_ring added will be created<br> force_delete = optional(bool)<br> existing_key_crn = optional(string) # CRN of an existing key in the same or different account.<br> endpoint = optional(string) # can be public or private<br> iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br> encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br> policies = optional(<br> object({<br> rotation = optional(<br> object({<br> interval_month = number<br> })<br> )<br> dual_auth_delete = optional(<br> object({<br> enabled = bool<br> })<br> )<br> })<br> )<br> })<br> )<br> )<br> })</pre> | n/a | yes |
| <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | A unique identifier for resources. Must begin with a letter and end with a letter or number. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |
Expand Down
2 changes: 1 addition & 1 deletion bastion_host.tf
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ module "bastion_host" {
vsi_per_subnet = 1
boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [
for keys in module.key_management.keys :
keys.id if keys.name == each.value.boot_volume_encryption_key_name
keys.crn if keys.name == each.value.boot_volume_encryption_key_name
][0]
image_id = data.ibm_is_image.image["${var.prefix}-${each.value.name}"].id
user_data = module.teleport_config[0].cloud_init
Expand Down
2 changes: 1 addition & 1 deletion cos.tf
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ resource "ibm_cos_bucket" "buckets" {
hard_quota = each.value.hard_quota
key_protect = each.value.kms_key == null ? null : [
for key in module.key_management.keys :
key.id if key.name == each.value.kms_key
key.crn if key.name == each.value.kms_key
][0]

dynamic "archive_rule" {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ variable "atracker_cos_bucket" {
##############################################################################

locals {
target_key_management_service = lookup(var.key_management, "use_hs_crypto", false) == true ? "hs-crypto" : "kms"
target_key_management_service = lookup(var.key_management, "name", null) != null ? lookup(var.key_management, "use_hs_crypto", false) == true ? "hs-crypto" : "kms" : null
}

module "kms_to_block_storage" {
Expand All @@ -51,7 +51,7 @@ module "kms_to_block_storage" {
roles = ["Reader"]
target_service_name = local.target_key_management_service
target_resource_instance_id = var.key_management_guid
}
} if local.target_key_management_service != null
]
}

Expand All @@ -73,7 +73,7 @@ module "cos_to_key_management" {
roles = ["Reader"]
target_service_name = local.target_key_management_service
target_resource_instance_id = var.key_management_guid
}
} if local.target_key_management_service != null
]
}

Expand Down Expand Up @@ -105,7 +105,7 @@ module "secrets_manager_to_cos" {
roles = ["Reader"]
target_service_name = local.target_key_management_service
target_resource_instance_id = var.key_management_guid
}
} if local.target_key_management_service != null
]
}

Expand Down
4 changes: 2 additions & 2 deletions f5_vsi.tf
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ module "f5_vsi" {
# Get boot volume
boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [
for keys in module.key_management.keys :
keys.id if keys.name == each.value.boot_volume_encryption_key_name
keys.crn if keys.name == each.value.boot_volume_encryption_key_name
][0]
# Get security group ids
security_group_ids = each.value.security_groups == null ? [] : [
Expand All @@ -169,7 +169,7 @@ module "f5_vsi" {
iops = volume.iops
encryption_key = lookup(volume, "encryption_key", null) == null ? null : [
for key in module.key_management.keys :
key.id if key.name == volume.encryption_key
key.crn if key.name == volume.encryption_key
][0]
}
]
Expand Down
2 changes: 2 additions & 0 deletions kms/dynamic_values.tf
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ module "dynamic_values" {
kms_data = data.ibm_resource_instance.kms
kms_resource = ibm_resource_instance.kms
keys = var.keys
name = var.key_management.name
}

##############################################################################
Expand Down Expand Up @@ -59,6 +60,7 @@ module "unit_test_kms_resource" {
source = "./dynamic_values"
hpcs_data = []
kms_data = []
name = "test-kms"
kms_resource = [{
guid = "resource"
crn = "resource"
Expand Down
13 changes: 11 additions & 2 deletions kms/dynamic_values/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,11 @@ variable "keys" {
default = []
}

variable "name" {
description = "Name of the kms instance"
default = null
}

##############################################################################

##############################################################################
Expand All @@ -42,13 +47,15 @@ variable "keys" {

locals {
# Get key management type
key_management_type = var.use_hs_crypto == true ? "hs-crypto" : var.use_data == true ? "data" : "resource"
key_management_type = var.use_hs_crypto == true ? "hs-crypto" : var.use_data == true ? "data" : var.name == null ? null : "resource"
# Get GUID
key_management_guid = (
local.key_management_type == "hs-crypto"
? var.hpcs_data[0].guid
: local.key_management_type == "data"
? var.kms_data[0].guid
: var.name == null
? null
: var.kms_resource[0].guid
)
# Get CRN
Expand All @@ -57,12 +64,14 @@ locals {
? var.hpcs_data[0].crn
: local.key_management_type == "data"
? var.kms_data[0].crn
: var.name == null
? null
: var.kms_resource[0].crn
)
# Keys
key_management_keys = {
for encryption_key in var.keys :
(encryption_key.name) => encryption_key
(encryption_key.name) => encryption_key if lookup(encryption_key, "existing_key_crn", null) == null
}
# Rings
key_rings = distinct([
Expand Down
31 changes: 23 additions & 8 deletions kms/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@

output "key_management_name" {
description = "Name of key management service"
value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].name : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].name : ibm_resource_instance.kms[0].name
value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].name : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].name : var.key_management.name == null ? null : ibm_resource_instance.kms[0].name
}

output "key_management_crn" {
description = "CRN for KMS instance"
value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].crn : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].crn : ibm_resource_instance.kms[0].crn
value = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].crn : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].crn : var.key_management.name == null ? null : ibm_resource_instance.kms[0].crn
}

output "key_management_guid" {
Expand Down Expand Up @@ -38,28 +38,43 @@ output "key_rings" {

output "keys" {
description = "List of names and ids for keys created."
value = [
value = concat([
for kms_key in var.keys :
{
name = kms_key.name
id = ibm_kms_key.key[kms_key.name].id
crn = ibm_kms_key.key[kms_key.name].crn
key_id = ibm_kms_key.key[kms_key.name].key_id
}
]
} if lookup(kms_key, "existing_key_crn", null) == null
],
[
for kms_key in var.keys :
{
name = kms_key.name
crn = kms_key.existing_key_crn
} if lookup(kms_key, "existing_key_crn", null) != null
]
)
}

output "key_map" {
description = "Map of ids and keys for keys created"
value = {
value = merge({
for kms_key in var.keys :
(kms_key.name) => {
name = kms_key.name
id = ibm_kms_key.key[kms_key.name].id
crn = ibm_kms_key.key[kms_key.name].crn
key_id = ibm_kms_key.key[kms_key.name].key_id
}
}
} if lookup(kms_key, "existing_key_crn", null) == null
},
{
for kms_key in var.keys :
(kms_key.name) => {
name = kms_key.name
crn = kms_key.existing_key_crn
} if lookup(kms_key, "existing_key_crn", null) != null
})
}

##############################################################################
17 changes: 9 additions & 8 deletions kms/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,15 @@ variable "keys" {
description = "List of keys to be created for the service"
type = list(
object({
name = string
root_key = optional(bool)
payload = optional(string)
key_ring = optional(string) # Any key_ring added will be created
force_delete = optional(bool)
endpoint = optional(string) # can be public or private
iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
name = string
root_key = optional(bool)
payload = optional(string)
key_ring = optional(string) # Any key_ring added will be created
force_delete = optional(bool)
existing_key_crn = optional(string)
endpoint = optional(string) # can be public or private
iv_value = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
policies = optional(
object({
rotation = optional(
Expand Down
Loading