Merge pull request #2 from terraform-google-modules/initial-import

Initial import from internal version

Author: morgante

README.md

@@ -1,10 +1,12 @@
 # terraform-google-kms
 
-This module was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template/), which by default generates a module that simply creates a GCS bucket. As the module develops, this README should be updated.
+Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
 
 The resources/services/activations/deletions that this module will create/trigger are:
 
-- Create a GCS bucket with the provided name
+- Create a KMS keyring in the provided project
+- Create zero or more keys in the keyring
+- Create IAM role bindings for owners, encrypters, decrypters
 
 ## Usage
 
@@ -16,7 +18,14 @@ module "kms" {
   version = "~> 0.1"
 
   project_id  = "<PROJECT ID>"
-  bucket_name = "gcs-test-bucket"
+  location           = "europe"
+  name               = "sample-keyring"
+  keys               = ["foo", "spam"]
+  set_owners_for     = ["foo", "spam"]
+  owners = [
+    "group:[email protected],group:[email protected]",
+    "group:[email protected]",
+  ]
 }
 ```
 
@@ -40,10 +49,11 @@ The following dependencies must be available:
 
 ### Service Account
 
-A service account with the following roles must be used to provision
+A service account with one of the following roles must be used to provision
 the resources of this module:
 
-- Storage Admin: `roles/storage.admin`
+- Cloud KMS Admin: `roles/cloudkms.admin` or
+- Owner: `roles/owner`
 
 The [Project Factory module][project-factory-module] and the
 [IAM module][iam-module] may be used in combination to provision a
@@ -54,7 +64,7 @@ service account with the necessary roles applied.
 A project with the following APIs enabled must be used to host the
 resources of this module:
 
-- Google Cloud Storage JSON API: `storage-api.googleapis.com`
+- Google Cloud Key Management Service: `cloudkms.googleapis.com`
 
 The [Project Factory module][project-factory-module] can be used to
 provision a project with the necessary APIs enabled.

main.tf

@@ -18,7 +18,65 @@ terraform {
   required_version = "~> 0.11.0"
 }
 
-resource "google_storage_bucket" "main" {
-  project = "${var.project_id}"
-  name    = "${var.bucket_name}"
+locals {
+  keys_by_name = "${zipmap(var.keys, google_kms_crypto_key.key.*.self_link)}"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  name     = "${var.keyring}"
+  project  = "${var.project_id}"
+  location = "${var.location}"
+}
+
+resource "google_kms_crypto_key" "key" {
+  count           = "${length(var.keys)}"
+  name            = "${element(var.keys, count.index)}"
+  key_ring        = "${google_kms_key_ring.key_ring.self_link}"
+  rotation_period = "${var.key_rotation_period}"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "google_kms_crypto_key_iam_binding" "owners" {
+  count = "${length(var.set_owners_for)}"
+  role  = "roles/owner"
+
+  crypto_key_id = "${lookup(
+    local.keys_by_name,
+    element(var.set_owners_for, count.index)
+  )}"
+
+  members = [
+    "${compact(split(",", element(var.owners, count.index)))}",
+  ]
+}
+
+resource "google_kms_crypto_key_iam_binding" "decrypters" {
+  count = "${length(var.set_decrypters_for)}"
+  role  = "roles/cloudkms.cryptoKeyDecrypter"
+
+  crypto_key_id = "${lookup(
+    local.keys_by_name,
+    element(var.set_decrypters_for, count.index)
+  )}"
+
+  members = [
+    "${compact(split(",", element(var.decrypters, count.index)))}",
+  ]
+}
+
+resource "google_kms_crypto_key_iam_binding" "encrypters" {
+  count = "${length(var.set_encrypters_for)}"
+  role  = "roles/cloudkms.cryptoKeyEncrypter"
+
+  crypto_key_id = "${lookup(
+    local.keys_by_name,
+    element(var.set_encrypters_for, count.index)
+  )}"
+
+  members = [
+    "${compact(split(",", element(var.encrypters, count.index)))}",
+  ]
 }

outputs.tf

@@ -14,6 +14,17 @@
  * limitations under the License.
  */
 
-output "bucket_name" {
-  value = "${google_storage_bucket.main.name}"
+output "keyring" {
+  description = "Self link of the keyring."
+  value       = "${google_kms_key_ring.key_ring.self_link}"
+}
+
+output "keys" {
+  description = "Map of key name => key self link."
+  value       = "${local.keys_by_name}"
+}
+
+output "keyring_name" {
+  description = "Name of the keyring."
+  value       = "${google_kms_key_ring.key_ring.name}"
 }

variables.tf

@@ -15,9 +15,53 @@
  */
 
 variable "project_id" {
-  description = "The project ID to deploy to"
+  description = "Project id where the keyring will be created."
 }
 
-variable "bucket_name" {
-  description = "The name of the bucket to create"
+# cf https://cloud.google.com/kms/docs/locations
+variable "location" {
+  description = "Location for the keyring."
+}
+
+variable "keyring" {
+  description = "Keyring name."
+}
+
+variable "keys" {
+  description = "Key names."
+  default     = []
+}
+
+variable "set_owners_for" {
+  description = "Name of keys for which owners will be set."
+  default     = []
+}
+
+variable "owners" {
+  description = "List of comma-separated owners for each key declared in set_owners_for."
+  default     = []
+}
+
+variable "set_encrypters_for" {
+  description = "Name of keys for which encrypters will be set."
+  default     = []
+}
+
+variable "encrypters" {
+  description = "List of comma-separated owners for each key declared in set_encrypters_for."
+  default     = []
+}
+
+variable "set_decrypters_for" {
+  description = "Name of keys for which decrypters will be set."
+  default     = []
+}
+
+variable "decrypters" {
+  description = "List of comma-separated owners for each key declared in set_decrypters_for."
+  default     = []
+}
+
+variable "key_rotation_period" {
+  default = "100000s"
 }