Merge pull request #14 from terraform-google-modules/ludo-v1.1.0-2

Allow setting prevent_destroy lifecycle value on keys (alternate version)

Author: ludoo

CHANGELOG.md

@@ -9,8 +9,11 @@ and this project adheres to
 
 ## [Unreleased]
 
+## [1.1.0]
+
 ### Added
 
+- Allow setting prevent_destroy lifecycle value on keys, add keyring resource output [#14]
 - Added continuous integration using Cloud Build. [#11]
 
 ## [1.0.0] - 2019-07-19
@@ -26,8 +29,10 @@ and this project adheres to
 - Initial release
 
 [Unreleased]: https://github.com/terraform-google-modules/terraform-google-kms/compare/v1.0.0...HEAD
-[0.1.0]: https://github.com/terraform-google-modules/terraform-google-kms/releases/tag/v0.1.0
+[1.1.0]: https://github.com/terraform-google-modules/terraform-google-kms/releases/tag/v1.1.0
 [1.0.0]: https://github.com/terraform-google-modules/terraform-google-kms/releases/tag/v1.0.0
+[0.1.0]: https://github.com/terraform-google-modules/terraform-google-kms/releases/tag/v0.1.0
 
-[#3]: https://github.com/terraform-google-modules/terraform-google-kms/pull/3
+[#14]: https://github.com/terraform-google-modules/terraform-google-kms/pull/11
 [#11]: https://github.com/terraform-google-modules/terraform-google-kms/pull/11
+[#3]: https://github.com/terraform-google-modules/terraform-google-kms/pull/3

Makefile

@@ -17,7 +17,7 @@
 
 SHELL := /usr/bin/env bash # Make will use bash instead of sh
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.0.1
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.3
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

README.md

@@ -43,13 +43,14 @@ Functional examples are included in the
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| decrypters | List of comma-separated owners for each key declared in set_decrypters_for. | list(string) | `<list>` | no |
-| encrypters | List of comma-separated owners for each key declared in set_encrypters_for. | list(string) | `<list>` | no |
+| decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | list(string) | `<list>` | no |
+| encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | list(string) | `<list>` | no |
 | key\_rotation\_period |  | string | `"100000s"` | no |
 | keyring | Keyring name. | string | n/a | yes |
 | keys | Key names. | list(string) | `<list>` | no |
 | location | Location for the keyring. | string | n/a | yes |
-| owners | List of comma-separated owners for each key declared in set_owners_for. | list(string) | `<list>` | no |
+| owners | List of comma-separated owners for each key declared in set\_owners\_for. | list(string) | `<list>` | no |
+| prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | string | `"true"` | no |
 | project\_id | Project id where the keyring will be created. | string | n/a | yes |
 | set\_decrypters\_for | Name of keys for which decrypters will be set. | list(string) | `<list>` | no |
 | set\_encrypters\_for | Name of keys for which encrypters will be set. | list(string) | `<list>` | no |
@@ -61,6 +62,7 @@ Functional examples are included in the
 |------|-------------|
 | keyring | Self link of the keyring. |
 | keyring\_name | Name of the keyring. |
+| keyring\_resource | Keyring resource. |
 | keys | Map of key name => key self link. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/simple_example/README.md

@@ -8,6 +8,7 @@ This example illustrates how to use the `kms` module.
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | keyring | Keyring name. | string | n/a | yes |
+| keys | Key names. | list(string) | `<list>` | no |
 | location | Location for the keyring. | string | `"global"` | no |
 | project\_id | The ID of the project in which to provision resources. | string | n/a | yes |
 
@@ -16,6 +17,8 @@ This example illustrates how to use the `kms` module.
 | Name | Description |
 |------|-------------|
 | keyring | The name of the keyring. |
+| keys | List of created kkey names. |
+| location | The location of the keyring. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/simple_example/main.tf

@@ -19,10 +19,12 @@ provider "google" {
 }
 
 module "kms" {
-  source = "../.."
-
+  source     = "../.."
   project_id = var.project_id
   keyring    = var.keyring
   location   = "global"
+  keys       = var.keys
+  # keys can be destroyed by Terraform
+  prevent_destroy = false
 }
 

examples/simple_example/outputs.tf

@@ -16,6 +16,15 @@
 
 output "keyring" {
   description = "The name of the keyring."
-  value       = module.kms.keyring_name
+  value       = module.kms.keyring_resource.name
 }
 
+output "location" {
+  description = "The location of the keyring."
+  value       = module.kms.keyring_resource.location
+}
+
+output "keys" {
+  description = "List of created kkey names."
+  value       = keys(module.kms.keys)
+}

examples/simple_example/variables.tf

@@ -15,18 +15,23 @@
  */
 
 variable "project_id" {
-  type        = string
   description = "The ID of the project in which to provision resources."
+  type        = string
 }
 
 variable "location" {
-  type        = string
   description = "Location for the keyring."
-
-  default = "global"
+  type        = string
+  default     = "global"
 }
 
 variable "keyring" {
-  type        = string
   description = "Keyring name."
+  type        = string
+}
+
+variable "keys" {
+  description = "Key names."
+  type        = list(string)
+  default     = []
 }

main.tf

@@ -15,7 +15,7 @@
  */
 
 locals {
-  keys_by_name = zipmap(var.keys, google_kms_crypto_key.key.*.self_link)
+  keys_by_name = zipmap(var.keys, var.prevent_destroy ? google_kms_crypto_key.key[*].self_link : google_kms_crypto_key.key_ephemeral[*].self_link)
 }
 
 resource "google_kms_key_ring" "key_ring" {
@@ -25,7 +25,7 @@ resource "google_kms_key_ring" "key_ring" {
 }
 
 resource "google_kms_crypto_key" "key" {
-  count           = length(var.keys)
+  count           = var.prevent_destroy ? length(var.keys) : 0
   name            = var.keys[count.index]
   key_ring        = google_kms_key_ring.key_ring.self_link
   rotation_period = var.key_rotation_period
@@ -35,30 +35,35 @@ resource "google_kms_crypto_key" "key" {
   }
 }
 
-resource "google_kms_crypto_key_iam_binding" "owners" {
-  count = length(var.set_owners_for)
-  role  = "roles/owner"
+resource "google_kms_crypto_key" "key_ephemeral" {
+  count           = var.prevent_destroy ? 0 : length(var.keys)
+  name            = var.keys[count.index]
+  key_ring        = google_kms_key_ring.key_ring.self_link
+  rotation_period = var.key_rotation_period
 
-  crypto_key_id = local.keys_by_name[var.set_owners_for[count.index]]
+  lifecycle {
+    prevent_destroy = false
+  }
+}
 
-  members = compact(split(",", var.owners[count.index]))
+resource "google_kms_crypto_key_iam_binding" "owners" {
+  count         = length(var.set_owners_for)
+  role          = "roles/owner"
+  crypto_key_id = local.keys_by_name[var.set_owners_for[count.index]]
+  members       = compact(split(",", var.owners[count.index]))
 }
 
 resource "google_kms_crypto_key_iam_binding" "decrypters" {
-  count = length(var.set_decrypters_for)
-  role  = "roles/cloudkms.cryptoKeyDecrypter"
-
+  count         = length(var.set_decrypters_for)
+  role          = "roles/cloudkms.cryptoKeyDecrypter"
   crypto_key_id = local.keys_by_name[var.set_decrypters_for[count.index]]
-
-  members = compact(split(",", var.decrypters[count.index]))
+  members       = compact(split(",", var.decrypters[count.index]))
 }
 
 resource "google_kms_crypto_key_iam_binding" "encrypters" {
-  count = length(var.set_encrypters_for)
-  role  = "roles/cloudkms.cryptoKeyEncrypter"
-
+  count         = length(var.set_encrypters_for)
+  role          = "roles/cloudkms.cryptoKeyEncrypter"
   crypto_key_id = local.keys_by_name[element(var.set_encrypters_for, count.index)]
-
-  members = compact(split(",", var.encrypters[count.index]))
+  members       = compact(split(",", var.encrypters[count.index]))
 }
 

outputs.tf

@@ -19,6 +19,11 @@ output "keyring" {
   value       = google_kms_key_ring.key_ring.self_link
 }
 
+output "keyring_resource" {
+  description = "Keyring resource."
+  value       = google_kms_key_ring.key_ring
+}
+
 output "keys" {
   description = "Map of key name => key self link."
   value       = local.keys_by_name

test/fixtures/simple_example/main.tf

@@ -25,9 +25,9 @@ resource "random_pet" "main" {
 }
 
 module "example" {
-  source = "../../../examples/simple_example"
-
+  source     = "../../../examples/simple_example"
   project_id = var.project_id
   keyring    = random_pet.main.id
   location   = "global"
+  keys       = ["one", "two"]
 }