diff --git a/Makefile b/Makefile
index 353d5b8..cf36787 100644
--- a/Makefile
+++ b/Makefile
@@ -76,9 +76,10 @@ docker_test_lint: .PHONY: docker_generate_docs docker_generate_docs: docker run --rm -it \ + -e ENABLE_BPMETADATA=1 \ -v "$(CURDIR)":/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ - /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' + /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display' # Alias for backwards compatibility .PHONY: generate_docs
diff --git a/README.md b/README.md
index c875547..ae67229 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ Functional examples are included in the | Name | Description | |------|-------------| +| key\_id\_list | The list of the crypto key IDs. | | keyring | Self link of the keyring. | | keyring\_name | Name of the keyring. | | keyring\_resource | Keyring resource. |
diff --git a/metadata.display.yaml b/metadata.display.yaml
new file mode 100644
index 0000000..bba6a4b
--- /dev/null
+++ b/metadata.display.yaml
@@ -0,0 +1,208 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kms-display
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Google KMS Terraform Module
+ source:
+ repo: https://github.com/anshukaira/terraform-google-kms.git
+ sourceType: git
+ ui:
+ input:
+ variables:
+ crypto_key_backend:
+ name: crypto_key_backend
+ title: Crypto Key Backend
+ decrypters:
+ name: decrypters
+ title: Decrypters
+ encrypters:
+ name: encrypters
+ title: Encrypters
+ import_only:
+ name: import_only
+ title: Import Only
+ level: 1
+ key_algorithm:
+ name: key_algorithm
+ title: Key Algorithm
+ enumValueLabels:
+ - label: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
+ value: CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
+ - label: GOOGLE_SYMMETRIC_ENCRYPTION
+ value: GOOGLE_SYMMETRIC_ENCRYPTION
+ - label: AES_128_GCM
+ value: AES_128_GCM
+ - label: AES_256_GCM
+ value: AES_256_GCM
+ - label: AES_128_CBC
+ value: AES_128_CBC
+ - label: AES_256_CBC
+ value: AES_256_CBC
+ - label: AES_128_CTR
+ value: AES_128_CTR
+ - label: AES_256_CTR
+ value: AES_256_CTR
+ - label: RSA_SIGN_PSS_2048_SHA256
+ value: RSA_SIGN_PSS_2048_SHA256
+ - label: RSA_SIGN_PSS_3072_SHA256
+ value: RSA_SIGN_PSS_3072_SHA256
+ - label: RSA_SIGN_PSS_4096_SHA256
+ value: RSA_SIGN_PSS_4096_SHA256
+ - label: RSA_SIGN_PSS_4096_SHA512
+ value: RSA_SIGN_PSS_4096_SHA512
+ - label: RSA_SIGN_PKCS1_2048_SHA256
+ value: RSA_SIGN_PKCS1_2048_SHA256
+ - label: RSA_SIGN_PKCS1_3072_SHA256
+ value: RSA_SIGN_PKCS1_3072_SHA256
+ - label: RSA_SIGN_PKCS1_4096_SHA256
+ value: RSA_SIGN_PKCS1_4096_SHA256
+ - label: RSA_SIGN_PKCS1_4096_SHA512
+ value: RSA_SIGN_PKCS1_4096_SHA512
+ - label: RSA_SIGN_RAW_PKCS1_2048
+ value: RSA_SIGN_RAW_PKCS1_2048
+ - label: RSA_SIGN_RAW_PKCS1_3072
+ value: RSA_SIGN_RAW_PKCS1_3072
+ - label: RSA_SIGN_RAW_PKCS1_4096
+ value: RSA_SIGN_RAW_PKCS1_4096
+ - label: RSA_DECRYPT_OAEP_2048_SHA256
+ value: RSA_DECRYPT_OAEP_2048_SHA256
+ - label: RSA_DECRYPT_OAEP_3072_SHA256
+ value: RSA_DECRYPT_OAEP_3072_SHA256
+ - label: RSA_DECRYPT_OAEP_4096_SHA256
+ value: RSA_DECRYPT_OAEP_4096_SHA256
+ - label: RSA_DECRYPT_OAEP_4096_SHA512
+ value: RSA_DECRYPT_OAEP_4096_SHA512
+ - label: RSA_DECRYPT_OAEP_2048_SHA1
+ value: RSA_DECRYPT_OAEP_2048_SHA1
+ - label: RSA_DECRYPT_OAEP_3072_SHA1
+ value: RSA_DECRYPT_OAEP_3072_SHA1
+ - label: RSA_DECRYPT_OAEP_4096_SHA1
+ value: RSA_DECRYPT_OAEP_4096_SHA1
+ - label: EC_SIGN_P256_SHA256
+ value: EC_SIGN_P256_SHA256
+ - label: EC_SIGN_P384_SHA384
+ value: EC_SIGN_P384_SHA384
+ - label: EC_SIGN_SECP256K1_SHA256
+ value: EC_SIGN_SECP256K1_SHA256
+ - label: EC_SIGN_ED25519
+ value: EC_SIGN_ED25519
+ - label: HMAC_SHA256
+ value: HMAC_SHA256
+ - label: HMAC_SHA1
+ value: HMAC_SHA1
+ - label: HMAC_SHA384
+ value: HMAC_SHA384
+ - label: HMAC_SHA512
+ value: HMAC_SHA512
+ - label: HMAC_SHA224
+ value: HMAC_SHA224
+ - label: EXTERNAL_SYMMETRIC_ENCRYPTION
+ value: EXTERNAL_SYMMETRIC_ENCRYPTION
+ - label: ML_KEM_768
+ value: ML_KEM_768
+ - label: ML_KEM_1024
+ value: ML_KEM_1024
+ - label: KEM_XWING
+ value: KEM_XWING
+ - label: PQ_SIGN_ML_DSA_65
+ value: PQ_SIGN_ML_DSA_65
+ - label: PQ_SIGN_SLH_DSA_SHA2_128S
+ value: PQ_SIGN_SLH_DSA_SHA2_128S
+ - label: PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256
+ value: PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256
+ level: 1
+ key_destroy_scheduled_duration:
+ name: key_destroy_scheduled_duration
+ title: Key Destroy Scheduled Duration
+ level: 1
+ key_protection_level:
+ name: key_protection_level
+ title: Key Protection Level
+ enumValueLabels:
+ - label: SOFTWARE
+ value: SOFTWARE
+ - label: HSM
+ value: HSM
+ - label: EXTERNAL
+ value: EXTERNAL
+ - label: EXTERNAL_VPC
+ value: EXTERNAL_VPC
+ key_rotation_period:
+ name: key_rotation_period
+ title: Key Rotation Period
+ keyring:
+ name: keyring
+ title: Keyring
+ level: 1
+ keys:
+ name: keys
+ title: Keys
+ regexValidation: ^[a-zA-Z0-9_-]{1,63}$
+ validation: Keyring name must be 1-63 characters and can only contain letters, numbers, underscores, and hyphens.
+ level: 1
+ labels:
+ name: labels
+ title: Labels
+ location:
+ name: location
+ title: Location
+ owners:
+ name: owners
+ title: Owners
+ prevent_destroy:
+ name: prevent_destroy
+ title: Prevent Destroy
+ level: 1
+ project_id:
+ name: project_id
+ title: Project Id
+ level: 1
+ purpose:
+ name: purpose
+ title: Purpose
+ enumValueLabels:
+ - label: CRYPTO_KEY_PURPOSE_UNSPECIFIED
+ value: CRYPTO_KEY_PURPOSE_UNSPECIFIED
+ - label: ENCRYPT_DECRYPT
+ value: ENCRYPT_DECRYPT
+ - label: ASYMMETRIC_SIGN
+ value: ASYMMETRIC_SIGN
+ - label: ASYMMETRIC_DECRYPT
+ value: ASYMMETRIC_DECRYPT
+ - label: RAW_ENCRYPT_DECRYPT
+ value: RAW_ENCRYPT_DECRYPT
+ - label: MAC
+ value: MAC
+ - label: KEY_ENCAPSULATION
+ value: KEY_ENCAPSULATION
+ set_decrypters_for:
+ name: set_decrypters_for
+ title: Set Decrypters For
+ level: 1
+ set_encrypters_for:
+ name: set_encrypters_for
+ title: Set Encrypters For
+ set_owners_for:
+ name: set_owners_for
+ title: Set Owners For
+ skip_initial_version_creation:
+ name: skip_initial_version_creation
+ title: Skip Initial Version Creation
diff --git a/metadata.yaml b/metadata.yaml
new file mode 100644
index 0000000..7eadd7a
--- /dev/null
+++ b/metadata.yaml
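Review bot: The `regexValidation` / `validation` pair near the end of the hunk sits under the `keys` variable, but its message reads `Keyring name must be 1-63 characters…` and `keys` is declared as list(string) in metadata.yaml, so the regex is either attached to the wrong variable or would be applied to a list rather than a single name. If the intent is to validate the keyring, move `regexValidation: ^[a-zA-Z0-9_-]{1,63}$` and the `validation:` line under the `keyring` entry; if key names are meant to be validated as well, the message should say so. Separately, every enumValueLabels entry uses the raw algorithm name as its label, so the UI gives an operator no hint that the RSA_DECRYPT_OAEP_*_SHA1 and HMAC_SHA1 entries are legacy choices; a `(legacy)` suffix on those labels would steer users toward GOOGLE_SYMMETRIC_ENCRYPTION or a SHA-256-or-stronger variant. The file appears to be generated (the Makefile hunk enables ENABLE_BPMETADATA), so the validation block presumably needs moving in whatever source it is generated from.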
@@ -0,0 +1,168 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kms
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Google KMS Terraform Module
+ source:
+ repo: https://github.com/anshukaira/terraform-google-kms.git
+ sourceType: git
+ version: 4.1.0
+ actuationTool:
+ flavor: Terraform
+ version: ">= 1.3"
+ description: {}
+ content:
+ subBlueprints:
+ - name: autokey
+ location: modules/autokey
+ examples:
+ - name: autokey_setup
+ location: examples/autokey_setup
+ - name: bucket_setup_using_autokey
+ location: examples/bucket_setup_using_autokey
+ - name: import_only_example
+ location: examples/import_only_example
+ - name: monitoring_alerts
+ location: examples/monitoring_alerts
+ - name: simple_example
+ location: examples/simple_example
+ interfaces:
+ variables:
+ - name: project_id
+ description: Project id where the keyring will be created.
+ varType: string
+ required: true
+ - name: location
+ description: Location for the keyring.
+ varType: string
+ required: true
+ - name: keyring
+ description: Keyring name.
+ varType: string
+ required: true
+ - name: keys
+ description: Key names.
+ varType: list(string)
+ defaultValue: []
+ - name: prevent_destroy
+ description: Set the prevent_destroy lifecycle attribute on keys.
+ varType: bool
+ defaultValue: true
+ - name: key_destroy_scheduled_duration
+ description: Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
+ varType: string
+ - name: purpose
+ description: The immutable purpose of the CryptoKey. Default value is ENCRYPT_DECRYPT. See purpose reference (https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs.
+ varType: string
+ defaultValue: ENCRYPT_DECRYPT
+ - name: set_owners_for
+ description: Name of keys for which owners will be set.
+ varType: list(string)
+ defaultValue: []
+ - name: owners
+ description: List of comma-separated owners for each key declared in set_owners_for.
+ varType: list(string)
+ defaultValue: []
+ - name: set_encrypters_for
+ description: Name of keys for which encrypters will be set.
+ varType: list(string)
+ defaultValue: []
+ - name: encrypters
+ description: List of comma-separated owners for each key declared in set_encrypters_for.
+ varType: list(string)
+ defaultValue: []
+ - name: set_decrypters_for
+ description: Name of keys for which decrypters will be set.
+ varType: list(string)
+ defaultValue: []
+ - name: decrypters
+ description: List of comma-separated owners for each key declared in set_decrypters_for.
+ varType: list(string)
+ defaultValue: []
+ - name: key_rotation_period
+ description: Generate a new key every time this period passes.
+ varType: string
+ defaultValue: 7776000s
+ - name: key_algorithm
+ description: The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs.
+ varType: string
+ defaultValue: GOOGLE_SYMMETRIC_ENCRYPTION
+ - name: key_protection_level
+ description: "The protection level to use when creating a version based on this template. Default value: \"SOFTWARE\" Possible values: [\"SOFTWARE\", \"HSM\", \"EXTERNAL\", \"EXTERNAL_VPC\"]"
+ varType: string
+ defaultValue: SOFTWARE
+ - name: labels
+ description: Labels, provided as a map
+ varType: map(string)
+ defaultValue: {}
+ - name: import_only
+ description: Whether these keys may contain imported versions only.
+ varType: bool
+ defaultValue: false
+ - name: skip_initial_version_creation
+ description: If set to true, the request will create CryptoKeys without any CryptoKeyVersions.
+ varType: bool
+ defaultValue: false
+ - name: crypto_key_backend
+ description: (Optional) The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format 'projects//locations//ekmConnections/*' and only applies to 'EXTERNAL_VPC' keys.
+ varType: string
+ outputs:
+ - name: key_id_list
+ description: The list of the crypto key IDs.
+ type: list(string)
+ - name: keyring
+ description: Self link of the keyring.
+ type: string
+ - name: keyring_name
+ description: Name of the keyring.
+ type: string
+ - name: keyring_resource
+ description: Keyring resource.
+ type:
+ - object
+ - id: string
+ location: string
+ name: string
+ project: string
+ timeouts:
+ - object
+ - create: string
+ delete: string
+ - name: keys
+ description: Map of key name => key self link.
+ type:
+ - map
+ - string
+ requirements:
+ roles:
+ - level: Project
+ roles:
+ - roles/cloudkms.admin
+ - roles/owner
+ services:
+ - cloudkms.googleapis.com
+ - serviceusage.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - monitoring.googleapis.com
+ - logging.googleapis.com
+ providerVersions:
+ - source: hashicorp/google
+ version: ">= 5.31.0, < 8"
diff --git a/modules/autokey/metadata.display.yaml b/modules/autokey/metadata.display.yaml
new file mode 100644
index 0000000..8652728
--- /dev/null
+++ b/modules/autokey/metadata.display.yaml
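Review bot: The descriptions of `encrypters` and `decrypters` are copy-pasted from `owners` — both read `List of comma-separated owners for each key declared in …` — which misstates which IAM role each list grants; they should read `List of comma-separated encrypters for each key declared in set_encrypters_for.` and `List of comma-separated decrypters for each key declared in set_decrypters_for.`. The `crypto_key_backend` description has lost its path wildcards, `'projects//locations//ekmConnections/*'`, presumably `projects/*/locations/*/ekmConnections/*` in the upstream API docs. Under requirements.roles, advertising `roles/owner` at project level next to `roles/cloudkms.admin` is broader than a KMS module should require; if owner is only needed by some examples (monitoring_alerts, bucket_setup_using_autokey), listing the specific roles those examples need keeps the stated requirement at least privilege. These files look generated from variables.tf, so the wording fixes belong there too.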
@@ -0,0 +1,36 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kms-autokey-display
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Autokey submodule
+ source:
+ repo: https://github.com/anshukaira/terraform-google-kms.git
+ sourceType: git
+ dir: /modules/autokey
+ ui:
+ input:
+ variables:
+ autokey_folder_number:
+ name: autokey_folder_number
+ title: Autokey Folder Number
+ key_project_id:
+ name: key_project_id
+ title: Key Project Id
diff --git a/modules/autokey/metadata.yaml b/modules/autokey/metadata.yaml
new file mode 100644
index 0000000..61a6a27
--- /dev/null
+++ b/modules/autokey/metadata.yaml
@@ -0,0 +1,79 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-kms-autokey
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: Autokey submodule
+ source:
+ repo: https://github.com/anshukaira/terraform-google-kms.git
+ sourceType: git
+ dir: /modules/autokey
+ version: 4.1.0
+ actuationTool:
+ flavor: Terraform
+ version: ">= 1.3"
+ description: {}
+ content:
+ examples:
+ - name: autokey_setup
+ location: examples/autokey_setup
+ - name: bucket_setup_using_autokey
+ location: examples/bucket_setup_using_autokey
+ - name: import_only_example
+ location: examples/import_only_example
+ - name: monitoring_alerts
+ location: examples/monitoring_alerts
+ - name: simple_example
+ location: examples/simple_example
+ interfaces:
+ variables:
+ - name: key_project_id
+ description: The ID of the project in which kms keyrings and keys will be provisioned by the Autokey.
+ varType: string
+ required: true
+ - name: autokey_folder_number
+ description: The folder number on which autokey will be configured and enabled. Required when using Autokey.
+ varType: string
+ required: true
+ outputs:
+ - name: autokey_config_id
+ description: An Autokey configuration identifier.
+ type: string
+ requirements:
+ roles:
+ - level: Project
+ roles:
+ - roles/cloudkms.admin
+ - roles/owner
+ services:
+ - cloudkms.googleapis.com
+ - serviceusage.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - monitoring.googleapis.com
+ - logging.googleapis.com
+ providerVersions:
+ - source: hashicorp/google
+ version: ">= 5.31.0"
+ - source: hashicorp/google-beta
+ version: ">= 5.31.0"
+ - source: hashicorp/random
+ version: ">= 3.6.2"
+ - source: hashicorp/time
+ version: ">= 0.12.0"
diff --git a/outputs.tf b/outputs.tf
index 8815505..6748bdc 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -61,3 +61,8 @@ output "keyring_name" { google_kms_crypto_key_iam_binding.encrypters, ] } + +output "key_id_list" { + description = "The list of the crypto key IDs." + value = concat(google_kms_crypto_key.key[*].id, google_kms_crypto_key.key_ephemeral[*].id) +} \ No newline at end of file
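Review bot: providerVersions in this submodule pins `hashicorp/google` to `">= 5.31.0"` with no upper bound, while the root metadata.yaml in the same commit declares `">= 5.31.0, < 8"`; the two should agree, and `hashicorp/google-beta` should carry the same bound, so a major provider release cannot break the submodule while the root module is protected. content.examples repeats all five repository examples, including simple_example and import_only_example, which from their names do not exercise Autokey — if the generator copied the root list, trimming it to autokey_setup and bucket_setup_using_autokey would keep the submodule metadata accurate. The requirements.roles entry repeats `roles/owner` from the root metadata, and the same least-privilege point applies here.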
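Review bot: The new `key_id_list` output has no `depends_on`, while the visible tail of `keyring_name` directly above it ends a depends_on list that includes `google_kms_crypto_key_iam_binding.encrypters`; without the same list, a consumer that reads `key_id_list` to encrypt or decrypt can be scheduled before the owner/encrypter/decrypter bindings exist and fail on the first apply. Copying the depends_on list used by `keyring_name` (presumably shared with the `keys` output, which lies outside the hunk) closes that gap. The file also now ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` will flag.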