-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add autokey plus migration #156
Merged
apeabody
merged 29 commits into
terraform-google-modules:master
from
romanini-ciandt:feat/add-autokey-plus-migration
Oct 15, 2024
Merged
Changes from 27 commits
Commits
Show all changes
29 commits
Select commit
Hold shift + click to select a range
fd6ff3d
Introduce autokey feature
romanini-ciandt fba57c4
Adjusts on setup
romanini-ciandt 8c4df14
Merge branch 'master' of github.com:romanini-ciandt/terraform-google-…
romanini-ciandt 68dc943
Adjust docs
romanini-ciandt 8a94f7e
Adjust permissions
romanini-ciandt 275bed5
Make module more readable
romanini-ciandt 4a018d5
Add tests
romanini-ciandt b173b10
Add more tests
romanini-ciandt 35b48a9
Turn autokey an independent submodule
romanini-ciandt f0874c1
README adjusts
romanini-ciandt f5eb555
Merge branch 'master' into feat/add-autokey
romanini-ciandt 78bddd7
Description updates
romanini-ciandt ad5d895
Merge branch 'feat/add-autokey' of github.com:romanini-ciandt/terrafo…
romanini-ciandt 8d665de
Adjust tag value
romanini-ciandt e2598d0
Update output type
romanini-ciandt b4bd45f
Add autokey README
romanini-ciandt 5c4d195
Fix typo
romanini-ciandt 07c34f5
Hardcode location in tests
romanini-ciandt 2c7e6fd
Add an importing plan README
romanini-ciandt 73bfbba
Add missing init
romanini-ciandt c6c99a2
Merge branch 'master' into feat/add-autokey-plus-migration
romanini-ciandt ed14225
Add specific instructions to import existing state
romanini-ciandt e769c63
Partial working version
romanini-ciandt e587109
Turn bash commands into scripts
romanini-ciandt 0a3dbda
Remove comments
romanini-ciandt 72efd29
Fix lint errors
romanini-ciandt 91eccaf
Revert an unwanted change
romanini-ciandt 9172091
Fix typo
romanini-ciandt c44d574
Add comment to explain string op
romanini-ciandt File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,6 +3,7 @@ terraform.tfstate* | |
*.pyc | ||
.kitchen | ||
credentials.json | ||
terraform.tfvars | ||
|
||
# tf lock file | ||
.terraform.lock.hcl |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
# Importing Autokey Key Handles Guidance | ||
|
||
If you have any existing [Autokey Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) previously created using [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module, it is recommended to import them to [autokey submodule](../modules/autokey/README.md) Terraform state by following the steps below. | ||
|
||
**Note:** You don't need to import the existing state for [Autokey configuration](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) resource. The [autokey submodule](../modules/autokey/README.md) apply process will handle that automatically. | ||
|
||
**Note 2:** These instructions were made using [terraform-google-autokey v1.1.1](https://github.com/GoogleCloudPlatform/terraform-google-autokey/releases/tag/v1.1.1) as reference. Future releases versions might require changes in this document. | ||
|
||
**WARNING:** [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module can be used to create your Autokey folder, Autokey KMS project, Autokey resource project and additional resources (e.g: a Cloud Storage Bucket configured with Autokey), so **DO NOT RUN** a `terraform destroy` for the existing module, even after the Key Handle import process is completed. | ||
|
||
## Getting the existing Autokey state from terraform-google-autokey module | ||
1. Run `cd REPLACE-WITH-YOUR-PATH` to your `terraform-google-autokey/examples/cloud_autokey_example` local module path; | ||
1. If you didn't use `examples/cloud_autokey_example`, make sure you update the output names in the script according your terraform files and the relative path in the command below. | ||
1. Run the following helper script to perform `terraform output` and export the Autokey folder number, Autokey Key project, KeyHandle's names, locations and resource projects as environment variables: | ||
```shell | ||
cp ../../../terraform-google-kms/scripts/export_autokey_env_vars.sh . | ||
chmod +x export_autokey_env_vars.sh | ||
source ./export_autokey_env_vars.sh | ||
``` | ||
**Note:** You must see values set for echos: `AUTOKEY_FOLDER_NUMBER` and `AUTOKEY_KMS_PROJECT_ID`. | ||
|
||
**Note 2:** You must see values just for the KeyHandles you have deployed. In other words: If you just have a KeyHandle for Bigquery, you'll just see values for: `AUTOKEY_BQ_KEY_HANDLE_PROJECT`, `AUTOKEY_BQ_KEY_HANDLE_LOCATION` and `AUTOKEY_BQ_KEY_HANDLE_NAME` echos. | ||
|
||
## Creating the .tfvars file | ||
1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; | ||
1. Run the following helper script to automate the `terraform output` file creation: | ||
```shell | ||
chmod +x ../../scripts/create_autokey_tfvars_file.sh | ||
../../scripts/create_autokey_tfvars_file.sh | ||
``` | ||
|
||
## Importing the existing Autokey state from terraform-google-autokey module using autokey submodule | ||
1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; | ||
1. Run the following helper script to automate the `terraform import` process: | ||
```shell | ||
chmod +x ../../scripts/import_autokey_state.sh | ||
../../scripts/import_autokey_state.sh | ||
``` | ||
1. **Note:** For each import, you should receive the following output: | ||
``` | ||
Import successful! | ||
|
||
The resources that were imported are shown above. These resources are now in | ||
your Terraform state and will henceforth be managed by Terraform. | ||
``` | ||
1. Run `terraform plan`. | ||
1. Run `terraform apply`. **You have successfully imported the Autokey configuration and KeyHandle states**. | ||
|
||
## Cleaning your local environment | ||
1. Run the following helper script to unset all the environment variables used in this import process: | ||
```shell | ||
chmod +x ../../scripts/unset_autokey_env_vars.sh | ||
source ../../scripts/unset_autokey_env_vars.sh | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2024 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
echo ---------------------------------------------- | ||
echo Starting terraform.tfvars file creation | ||
echo ---------------------------------------------- | ||
|
||
echo " | ||
project_id = $AUTOKEY_KMS_PROJECT_ID | ||
autokey_folder_number = \"$AUTOKEY_FOLDER_NUMBER\" | ||
autokey_handles = { | ||
" > terraform.tfvars | ||
|
||
if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then | ||
echo " | ||
bq_dataset = { | ||
name = \"$AUTOKEY_BQ_KEY_HANDLE_NAME\", | ||
project = \"$AUTOKEY_BQ_KEY_HANDLE_PROJECT\", | ||
resource_type_selector = \"bigquery.googleapis.com/Dataset\", | ||
location = \"$AUTOKEY_BQ_KEY_HANDLE_LOCATION\" | ||
}, | ||
" >> terraform.tfvars | ||
fi | ||
if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then | ||
echo " | ||
compute_disk = { | ||
name = \"$AUTOKEY_DISK_KEY_HANDLE_NAME\", | ||
project = \"$AUTOKEY_DISK_KEY_HANDLE_PROJECT\", | ||
resource_type_selector = \"compute.googleapis.com/Disk\", | ||
location = \"$AUTOKEY_DISK_KEY_HANDLE_LOCATION\" | ||
}, | ||
" >> terraform.tfvars | ||
fi | ||
if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then | ||
romanini-ciandt marked this conversation as resolved.
Show resolved
Hide resolved
|
||
echo " | ||
gcs_bucket = { | ||
name = \"$AUTOKEY_GCS_KEY_HANDLE_NAME\", | ||
project = \"$AUTOKEY_GCS_KEY_HANDLE_PROJECT\", | ||
resource_type_selector = \"storage.googleapis.com/Bucket\", | ||
location = \"$AUTOKEY_GCS_KEY_HANDLE_LOCATION\" | ||
}, | ||
" >> terraform.tfvars | ||
fi | ||
|
||
echo " | ||
} | ||
" >> terraform.tfvars | ||
|
||
echo ---------------------------------------------- | ||
echo terraform.tfvars file created | ||
echo ---------------------------------------------- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2024 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
echo ---------------------------------------------- | ||
echo Getting Autokey config and project | ||
echo ---------------------------------------------- | ||
AUTOKEY_FOLDER_NUMBER=$(terraform output -raw autokey_config | cut -d'/' -f2) | ||
romanini-ciandt marked this conversation as resolved.
Show resolved
Hide resolved
|
||
export AUTOKEY_FOLDER_NUMBER | ||
AUTOKEY_KMS_PROJECT_ID=$(echo "module.autokey.key_project_id" | terraform console) | ||
export AUTOKEY_KMS_PROJECT_ID | ||
echo AUTOKEY_FOLDER_NUMBER: "$AUTOKEY_FOLDER_NUMBER" | ||
echo AUTOKEY_KMS_PROJECT_ID: "$AUTOKEY_KMS_PROJECT_ID" | ||
echo ---------------------------------------------- | ||
echo Getting Bigquery Dataset KeyHandle | ||
echo ---------------------------------------------- | ||
AUTOKEY_BQ_KEY_HANDLE_PROJECT=$(terraform output -raw bq_key_handle | cut -d'/' -f2) | ||
export AUTOKEY_BQ_KEY_HANDLE_PROJECT | ||
AUTOKEY_BQ_KEY_HANDLE_LOCATION=$(terraform output -raw bq_key_handle | cut -d'/' -f4) | ||
export AUTOKEY_BQ_KEY_HANDLE_LOCATION | ||
AUTOKEY_BQ_KEY_HANDLE_NAME=$(terraform output -raw bq_key_handle | cut -d'/' -f6) | ||
export AUTOKEY_BQ_KEY_HANDLE_NAME | ||
echo AUTOKEY_BQ_KEY_HANDLE_PROJECT: "$AUTOKEY_BQ_KEY_HANDLE_PROJECT" | ||
echo AUTOKEY_BQ_KEY_HANDLE_LOCATION: "$AUTOKEY_BQ_KEY_HANDLE_LOCATION" | ||
echo AUTOKEY_BQ_KEY_HANDLE_NAME: "$AUTOKEY_BQ_KEY_HANDLE_NAME" | ||
echo ---------------------------------------------- | ||
echo Getting Compute Disk KeyHandle | ||
echo ---------------------------------------------- | ||
AUTOKEY_DISK_KEY_HANDLE_PROJECT=$(terraform output -raw disk_key_handle | cut -d'/' -f2) | ||
export AUTOKEY_DISK_KEY_HANDLE_PROJECT | ||
AUTOKEY_DISK_KEY_HANDLE_LOCATION=$(terraform output -raw disk_key_handle | cut -d'/' -f4) | ||
export AUTOKEY_DISK_KEY_HANDLE_LOCATION | ||
AUTOKEY_DISK_KEY_HANDLE_NAME=$(terraform output -raw disk_key_handle | cut -d'/' -f6) | ||
export AUTOKEY_DISK_KEY_HANDLE_NAME | ||
echo AUTOKEY_DISK_KEY_HANDLE_PROJECT: "$AUTOKEY_DISK_KEY_HANDLE_PROJECT" | ||
echo AUTOKEY_DISK_KEY_HANDLE_LOCATION: "$AUTOKEY_DISK_KEY_HANDLE_LOCATION" | ||
echo AUTOKEY_DISK_KEY_HANDLE_NAME: "$AUTOKEY_DISK_KEY_HANDLE_NAME" | ||
echo ---------------------------------------------- | ||
echo Getting Storage Bucket KeyHandle | ||
echo ---------------------------------------------- | ||
AUTOKEY_GCS_KEY_HANDLE_PROJECT=$(terraform output -raw gcs_key_handle | cut -d'/' -f2) | ||
export AUTOKEY_GCS_KEY_HANDLE_PROJECT | ||
AUTOKEY_GCS_KEY_HANDLE_LOCATION=$(terraform output -raw gcs_key_handle | cut -d'/' -f4) | ||
export AUTOKEY_GCS_KEY_HANDLE_LOCATION | ||
AUTOKEY_GCS_KEY_HANDLE_NAME=$(terraform output -raw gcs_key_handle | cut -d'/' -f6) | ||
export AUTOKEY_GCS_KEY_HANDLE_NAME | ||
echo AUTOKEY_GCS_KEY_HANDLE_PROJECT: "$AUTOKEY_GCS_KEY_HANDLE_PROJECT" | ||
echo AUTOKEY_GCS_KEY_HANDLE_LOCATION: "$AUTOKEY_GCS_KEY_HANDLE_LOCATION" | ||
echo AUTOKEY_GCS_KEY_HANDLE_NAME: "$AUTOKEY_GCS_KEY_HANDLE_NAME" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2024 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
echo ---------------------------------------------- | ||
echo Starting terraform init process | ||
echo ---------------------------------------------- | ||
|
||
terraform init | ||
|
||
echo ---------------------------------------------- | ||
echo terraform init process completed | ||
echo ---------------------------------------------- | ||
|
||
echo ---------------------------------------------- | ||
echo Starting terraform import process | ||
echo ---------------------------------------------- | ||
|
||
if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then | ||
terraform import google_kms_key_handle.primary\[\"bq_dataset\"\] projects/"$AUTOKEY_BQ_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_BQ_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_BQ_KEY_HANDLE_NAME" | ||
fi | ||
if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then | ||
terraform import google_kms_key_handle.primary\[\"compute_disk\"\] projects/"$AUTOKEY_DISK_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_DISK_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_DISK_KEY_HANDLE_NAME" | ||
fi | ||
if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then | ||
terraform import google_kms_key_handle.primary\[\"gcs_bucket\"\] projects/"$AUTOKEY_GCS_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_GCS_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_GCS_KEY_HANDLE_NAME" | ||
fi | ||
|
||
echo ---------------------------------------------- | ||
echo terraform import completed | ||
echo ---------------------------------------------- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
#!/bin/bash | ||
|
||
romanini-ciandt marked this conversation as resolved.
Show resolved
Hide resolved
|
||
# Copyright 2024 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
unset AUTOKEY_FOLDER_NUMBER | ||
unset AUTOKEY_KMS_PROJECT_ID | ||
unset AUTOKEY_BQ_KEY_HANDLE_PROJECT | ||
unset AUTOKEY_BQ_KEY_HANDLE_LOCATION | ||
unset AUTOKEY_BQ_KEY_HANDLE_NAME | ||
unset AUTOKEY_DISK_KEY_HANDLE_PROJECT | ||
unset AUTOKEY_DISK_KEY_HANDLE_LOCATION | ||
unset AUTOKEY_DISK_KEY_HANDLE_NAME | ||
unset AUTOKEY_GCS_KEY_HANDLE_PROJECT | ||
unset AUTOKEY_GCS_KEY_HANDLE_LOCATION | ||
unset AUTOKEY_GCS_KEY_HANDLE_NAME | ||
|
||
echo ---------------------------------------------- | ||
echo unset env vars process completed | ||
echo ---------------------------------------------- |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this needed because the import script will import the existing keyhandles into TF resources that include the random suffix in the name, but we need to ignore the diffs on apply?
Or is it unrelated and more of a general autokey module improvement, to address what we discussed offline re: users changing the keyhandle name and then running into issues when they try to change it back?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A short answer would be:
It is to address issues on both (when imported or not), but the change was motivated to support the import process. It would impact 100% of the imports and just eventual use cases for not imported.
More context about why:
I added this
lifecycle
to avoid resource replaces when importing existing key handles. When we import, this submodule will try to append a random suffix and a replacement will be forced.But also, as we discussed offline, this change would avoid errors even when the user is not importing.
Example: The key Handle for secret manager can not be recreated, just 1 instance per project is allowed by GCP. In this case, if the name is changed in tf, terraform will "destroy" (not actually destroy, but remove it from tf state) and the attempt to create a new resource will raise an error.
So, I chose this
lifecycle
approach, but I also see two others alternatives:Sorry for the length of the comment... but is it clear?
Let me know what you think, or if we should change the approach here :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gotcha, thanks for confirming! This all makes sense to me and seems reasonable, I'll defer to the CFT team and see if they disagree :) Thank you!