diff --git a/docs/importing_autokey_key_handles.md b/docs/importing_autokey_key_handles.md deleted file mode 100644 index aebb0af..0000000 --- a/docs/importing_autokey_key_handles.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Importing Autokey Key Handles Guidance - -If you have any existing [Autokey Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) previously created using [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module, it is recommended to import them to [autokey submodule](../modules/autokey/README.md) Terraform state by following the steps below. - -**Note:** You don't need to import the existing state for [Autokey configuration](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) resource. The [autokey submodule](../modules/autokey/README.md) apply process will handle that automatically. - -**Note 2:** These instructions were made using [terraform-google-autokey v1.1.1](https://github.com/GoogleCloudPlatform/terraform-google-autokey/releases/tag/v1.1.1) as reference. Future releases versions might require changes in this document. - -**WARNING:** [terraform-google-autokey](https://registry.terraform.io/modules/GoogleCloudPlatform/autokey/google) module can be used to create your Autokey folder, Autokey KMS project, Autokey resource project and additional resources (e.g: a Cloud Storage Bucket configured with Autokey), so **DO NOT RUN** a `terraform destroy` for the existing module, even after the Key Handle import process is completed. - -## Getting the existing Autokey state from terraform-google-autokey module -1. Run `cd REPLACE-WITH-YOUR-PATH` to your `terraform-google-autokey/examples/cloud_autokey_example` local module path; - 1. If you didn't use `examples/cloud_autokey_example`, make sure you update the output names in the script according your terraform files and the relative path in the command below. -1. 
Run the following helper script to perform `terraform output` and export the Autokey folder number, Autokey Key project, KeyHandle's names, locations and resource projects as environment variables: - ```shell - cp ../../../terraform-google-kms/scripts/export_autokey_env_vars.sh . - chmod +x export_autokey_env_vars.sh - source ./export_autokey_env_vars.sh - ``` - **Note:** You must see values set for echos: `AUTOKEY_FOLDER_NUMBER` and `AUTOKEY_KMS_PROJECT_ID`. - - **Note 2:** You must see values just for the KeyHandles you have deployed. In other words: If you just have a KeyHandle for Bigquery, you'll just see values for: `AUTOKEY_BQ_KEY_HANDLE_PROJECT`, `AUTOKEY_BQ_KEY_HANDLE_LOCATION` and `AUTOKEY_BQ_KEY_HANDLE_NAME` echos. - -## Creating the .tfvars file -1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; -1. Run the following helper script to automate the `terraform output` file creation: - ```shell - chmod +x ../../scripts/create_autokey_tfvars_file.sh - ../../scripts/create_autokey_tfvars_file.sh - ``` - -## Importing the existing Autokey state from terraform-google-autokey module using autokey submodule -1. Run `cd` to your [autokey submodule](../modules/autokey/README.md) folder; -1. Run the following helper script to automate the `terraform import` process: - ```shell - chmod +x ../../scripts/import_autokey_state.sh - ../../scripts/import_autokey_state.sh - ``` -1. **Note:** For each import, you should receive the following output: - ``` - Import successful! - - The resources that were imported are shown above. These resources are now in - your Terraform state and will henceforth be managed by Terraform. - ``` -1. Run `terraform plan`. -1. Run `terraform apply`. **You have successfully imported the Autokey configuration and KeyHandle states**. - -## Cleaning your local environment -1. 
Run the following helper script to unset all the environment variables used in this import process: - ```shell - chmod +x ../../scripts/unset_autokey_env_vars.sh - source ../../scripts/unset_autokey_env_vars.sh - ``` diff --git a/docs/upgrading_to_v4.0.md b/docs/upgrading_to_v4.0.md new file mode 100644 index 0000000..f20be05 --- /dev/null +++ b/docs/upgrading_to_v4.0.md @@ -0,0 +1,21 @@ +# Upgrading to v4.0 +The v4.0 release of *kms* is a backwards incompatible release. + +### Autokey Submodule +The current users of Autokey submodules needs to +- Switch `project_id` to `key_project_id` +- Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/). + + +### To Migrate from v3.0 to v4.0 +Using V3.0 of Autokey modules if you have created keyhandles and wants to use them with V4.0 version then they need to be imported using below steps + +1. Retrieve the keyhandles created: + - Run `terraform state list module.autokey.google_kms_key_handle.primary` to list all keyhandles created using v3.0 + - For each item in the output of above CLI, run `terraform state show 'module.autokey.google_kms_key_handle.primary[""]'` and copy the resulting `id` field from the cli output to notepad +2. Delete all keyhandles from the state: run `terraform state rm module.autokey.google_kms_key_handle.primary` +3. Update the main root module to use V4.0 version. Add the keyhandle config definition to the main root module for all the keyhandle found in step1. +4. Import all the keyhandles configs using id copied in setp1 to the terraform state + - for each keyhandle id found in step1, Run `terraform import resource.google_kms_key_handle. ""` + + diff --git a/examples/autokey_example/main.tf b/examples/autokey_example/main.tf deleted file mode 100644 index df8c26c..0000000 
--- a/examples/autokey_example/main.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "autokey" {
- source = "terraform-google-modules/kms/google//modules/autokey"
- version = "~> 3.2"
-
- project_id = var.project_id
- autokey_folder_number = var.folder_id
- autokey_handles = {
- storage_bucket = {
- name = "bucket-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "storage.googleapis.com/Bucket",
- location = "us-central1"
- }
- compute_disk = {
- name = "disk-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "compute.googleapis.com/Disk",
- location = "us-central1"
- }
- bigquery_dataset = {
- name = "dataset-key-handle",
- project = var.autokey_resource_project_id,
- resource_type_selector = "bigquery.googleapis.com/Dataset",
- location = "us-central1"
- }
- }
-}
-
diff --git a/examples/autokey_setup/README.md b/examples/autokey_setup/README.md
new file mode 100644
index 0000000..45e2861
--- /dev/null
+++ b/examples/autokey_setup/README.md
@@ -0,0 +1,26 @@
+# Autokey Example
+
+This example illustrates how to setup the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes |
+| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| autokey\_config\_id | An Autokey configuration identifier. |
+| key\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. |
+
+
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/autokey_setup/main.tf b/examples/autokey_setup/main.tf
new file mode 100644
index 0000000..ba893b8
--- /dev/null
+++ b/examples/autokey_setup/main.tf
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+ source = "terraform-google-modules/kms/google//modules/autokey"
+ version = "~> 4.0"
+
+ key_project_id = var.key_project_id
+ autokey_folder_number = var.folder_id
+}
+
diff --git a/examples/autokey_setup/outputs.tf b/examples/autokey_setup/outputs.tf
new file mode 100644
index 0000000..a879da4
--- /dev/null
+++ b/examples/autokey_setup/outputs.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "autokey_config_id" {
+ description = "An Autokey configuration identifier."
+ value = module.autokey.autokey_config_id
+}
+
+output "key_project_id" {
+ description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey."
+ value = var.key_project_id
+}
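Review bot: In examples/autokey_setup/main.tf the module is pulled with `version = "~> 4.0"`, which accepts any later 4.x release of a submodule that, per modules/autokey/iam.tf in this same commit, grants `roles/cloudkms.admin` on the key project. Terraform's dependency lock file records provider selections only, not module versions, so a fresh `terraform init` can resolve to a newer release than the one that was reviewed. Because examples get copied into real configurations, I would add a comment above the constraint such as `# Pin an exact module release outside of examples; "~> 4.0" floats across 4.x.` The same constraint style is used on both module blocks in examples/bucket_setup_using_autokey/main.tf (`~> 4.0` and `~> 9.0`).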
diff --git a/examples/autokey_setup/variables.tf b/examples/autokey_setup/variables.tf
new file mode 100644
index 0000000..e671a03
--- /dev/null
+++ b/examples/autokey_setup/variables.tf
@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_project_id" {
+ description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+ type = string
+}
+
+variable "folder_id" {
+ type = string
+ description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+
diff --git a/examples/autokey_example/README.md b/examples/bucket_setup_using_autokey/README.md
similarity index 52%
rename from examples/autokey_example/README.md
rename to examples/bucket_setup_using_autokey/README.md
index ddd2966..711c277 100644
--- a/examples/autokey_example/README.md
+++ b/examples/bucket_setup_using_autokey/README.md
@@ -1,23 +1,23 @@ # Autokey Example -This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature. +This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create the bucket. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes | -| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes | +| bucket\_location | The GCP location where storage bucket will be created | `string` | `"us-central1"` | no | +| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes | +| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes | +| resource\_project\_id | The ID of the project in which to provision cloud storage bucket resource. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| autokey\_project\_id | Project used for autokey. | +| bucket\_keyhandle | Keyhandle configuration created for the bucket. | +| bucket\_name | Name of the bucket created. | diff --git a/examples/bucket_setup_using_autokey/main.tf b/examples/bucket_setup_using_autokey/main.tf new file mode 100644 index 0000000..8abb460 --- /dev/null +++ b/examples/bucket_setup_using_autokey/main.tf 
@@ -0,0 +1,62 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+ source = "terraform-google-modules/kms/google//modules/autokey"
+ version = "~> 4.0"
+
+ key_project_id = var.key_project_id
+ autokey_folder_number = var.folder_id
+}
+
+# Wait delay for autokey configuration.
+resource "time_sleep" "wait_autokey_config" {
+ create_duration = "20s"
+ depends_on = [module.autokey]
+}
+
+resource "random_string" "suffix" {
+ length = 4
+ special = false
+ upper = false
+}
+
+resource "google_kms_key_handle" "bucket_keyhandle" {
+ provider = google-beta
+ name = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}"
+ project = var.resource_project_id
+ location = var.bucket_location
+ resource_type_selector = "storage.googleapis.com/Bucket"
+
+ lifecycle {
+ ignore_changes = [name]
+ }
+ depends_on = [time_sleep.wait_autokey_config]
+}
+
+module "bucket" {
+ source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+ version = "~> 9.0"
+
+ name = "${var.resource_project_id}-bucket-${random_string.suffix.result}"
+ project_id = var.resource_project_id
+ location = var.bucket_location
+ encryption = {
+ default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key
+ }
+
+ depends_on = [resource.google_kms_key_handle.bucket_keyhandle]
+}
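Review bot: The `depends_on = [resource.google_kms_key_handle.bucket_keyhandle]` on `module "bucket"` in examples/bucket_setup_using_autokey/main.tf is redundant, because `default_kms_key_name` already references the key handle's `kms_key` and that reference orders the two. A module-level `depends_on` makes everything inside the module wait on the key handle, which can defer data source reads inside it to apply time and make the plan harder to review, so I would drop that line. Separately, `name = "${var.resource_project_id}-bucket-${random_string.suffix.result}"` embeds the project ID in a bucket name, and bucket names share a global namespace. A short comment such as `# Example only: prefer a bucket name that does not embed the project ID.` would keep readers from copying the pattern unchanged.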
diff --git a/examples/bucket_setup_using_autokey/outputs.tf b/examples/bucket_setup_using_autokey/outputs.tf
new file mode 100644
index 0000000..9e5ed94
--- /dev/null
+++ b/examples/bucket_setup_using_autokey/outputs.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket_keyhandle" {
+ description = "Keyhandle configuration created for the bucket."
+ value = resource.google_kms_key_handle.bucket_keyhandle
+}
+
+output "bucket_name" {
+ description = "Name of the bucket created."
+ value = module.bucket.name
+}
diff --git a/examples/bucket_setup_using_autokey/variables.tf b/examples/bucket_setup_using_autokey/variables.tf
new file mode 100644
index 0000000..5d3082f
--- /dev/null
+++ b/examples/bucket_setup_using_autokey/variables.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_project_id" {
+ description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+ type = string
+}
+
+variable "folder_id" {
+ type = string
+ description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+
+variable "resource_project_id" {
+ description = "The ID of the project in which to provision cloud storage bucket resource."
+ type = string
+}
+
+variable "bucket_location" {
+ type = string
+ description = "The GCP location where storage bucket will be created"
+ default = "us-central1"
+}
diff --git a/modules/autokey/README.md b/modules/autokey/README.md
index 772e8c0..59d223e 100644
--- a/modules/autokey/README.md
+++ b/modules/autokey/README.md
@@ -1,22 +1,18 @@ # Autokey submodule -This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature simple to be used. This submodule will create the [Autokey Config](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) for an existing folder where you want to enable Autokey, set up the Cloud KMS [service agent](https://cloud.google.com/kms/docs/enable-autokey#autokey-service-agent) on an existing key project and create [Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) for existing resource projects. - +This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature simple to be used. This submodule will create the [Autokey Config](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) for an existing folder where you want to enable Autokey, set up the Cloud KMS [service agent](https://cloud.google.com/kms/docs/enable-autokey#autokey-service-agent) on an existing key project. ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| autokey\_folder\_number | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes | -| autokey\_handles | (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service.
- name: The resource name for the KeyHandle.
- resource\_type\_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services.
- location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.
- project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used. |
map(object({
name = string
resource_type_selector = string
location = string
project = string
}))
| `null` | no | -| project\_id | Project id where the Autokey configuration and KeyHandles will be created. | `string` | n/a | yes | +| autokey\_folder\_number | The folder number on which autokey will be configured and enabled. Required when using Autokey. | `string` | n/a | yes | +| key\_project\_id | The ID of the project in which kms keyrings and keys will be provisioned by the Autokey. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| | autokey\_config\_id | An Autokey configuration identifier. | -| autokey\_keyhandles | A map of KeyHandles created. | -| random\_suffix | Random 4 digits suffix used in Autokey submodule. | diff --git a/modules/autokey/iam.tf b/modules/autokey/iam.tf index 29e9df6..4ce64c9 100644 --- a/modules/autokey/iam.tf +++ b/modules/autokey/iam.tf @@ -15,12 +15,11 @@ */ data "google_project" "kms_project" { - project_id = var.project_id + project_id = var.key_project_id } #Create KMS Service Agent resource "google_project_service_identity" "kms_service_agent" { - count = var.autokey_handles != null ? 1 : 0 provider = google-beta service = "cloudkms.googleapis.com" @@ -29,18 +28,15 @@ resource "google_project_service_identity" "kms_service_agent" { # Wait delay after creating service agent. resource "time_sleep" "wait_service_agent" { - count = var.autokey_handles != null ? 1 : 0 - create_duration = "10s" depends_on = [google_project_service_identity.kms_service_agent] } #Grant the KMS Service Agent the Cloud KMS Admin role resource "google_project_iam_member" "autokey_project_admin" { - count = var.autokey_handles != null ? 1 : 0 provider = google-beta - project = var.project_id + project = var.key_project_id role = "roles/cloudkms.admin" member = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com" depends_on = [time_sleep.wait_service_agent] 
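Review bot: With the `count` guards removed in modules/autokey/iam.tf, `google_project_iam_member.autokey_project_admin` now grants `roles/cloudkms.admin` on `var.key_project_id` to the Cloud KMS service agent for every consumer of the submodule. The only comment above it restates the role without saying why it is needed or how far it reaches. The binding is project-wide, so it covers every key ring in that project, not only the ones Autokey provisions. I would extend the comment to something like `# Autokey needs the KMS service agent to hold roles/cloudkms.admin on the key project; use a project dedicated to Autokey keys.` and repeat the dedicated-project advice in the `key_project_id` variable description. The resource's closing lines fall outside this hunk.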
@@ -48,8 +44,6 @@ resource "google_project_iam_member" "autokey_project_admin" { # Wait delay after granting IAM permissions resource "time_sleep" "wait_srv_acc_permissions" { - count = var.autokey_handles != null ? 1 : 0 - create_duration = "10s" depends_on = [google_project_iam_member.autokey_project_admin] } diff --git a/modules/autokey/main.tf b/modules/autokey/main.tf index f6d37ba..50eb321 100644 --- a/modules/autokey/main.tf +++ b/modules/autokey/main.tf @@ -18,27 +18,6 @@ resource "google_kms_autokey_config" "primary" { provider = google-beta folder = var.autokey_folder_number - key_project = "projects/${var.project_id}" -} - -resource "random_string" "suffix" { - length = 4 - special = false - upper = false -} - -resource "google_kms_key_handle" "primary" { - for_each = var.autokey_handles != null ? var.autokey_handles : tomap({}) - provider = google-beta - - project = each.value.project - name = "${each.value.name}-${random_string.suffix.result}" - location = each.value.location - resource_type_selector = each.value.resource_type_selector - - lifecycle { - ignore_changes = [name] - } - - depends_on = [time_sleep.wait_srv_acc_permissions] + key_project = "projects/${var.key_project_id}" + depends_on = [time_sleep.wait_srv_acc_permissions] } diff --git a/modules/autokey/outputs.tf b/modules/autokey/outputs.tf index a198889..1c8e036 100644 --- a/modules/autokey/outputs.tf +++ b/modules/autokey/outputs.tf @@ -18,13 +18,3 @@ output "autokey_config_id" { description = "An Autokey configuration identifier." value = google_kms_autokey_config.primary.id } - -output "autokey_keyhandles" { - description = "A map of KeyHandles created." - value = var.autokey_handles != null ? google_kms_key_handle.primary : {} -} - -output "random_suffix" { - description = "Random 4 digits suffix used in Autokey submodule." - value = random_string.suffix.result -} diff --git a/modules/autokey/variables.tf b/modules/autokey/variables.tf index 0fb78ad..ac2f5db 100644 
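Review bot: Removing `google_kms_key_handle.primary` from modules/autokey/main.tf means a v3 user who bumps the module version without first running the `terraform state rm` step from docs/upgrading_to_v4.0.md gets a plan that destroys every key handle the module tracked. What that destroy does to the handle and the CMEK key behind it depends on the provider, which is not visible here, so the upgrade should not rely on users having read the notes. If the module's minimum Terraform version allows it (`removed` blocks need 1.7 or later), a `removed` block with `from = google_kms_key_handle.primary` and `lifecycle { destroy = false }` would let the upgrade drop the handles from state without destroying them. Otherwise the upgrade document should state the destroy risk as a warning ahead of the numbered steps.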
--- a/modules/autokey/variables.tf +++ b/modules/autokey/variables.tf @@ -14,29 +14,13 @@ * limitations under the License. */ -variable "project_id" { - description = "Project id where the Autokey configuration and KeyHandles will be created." +variable "key_project_id" { + description = "The ID of the project in which kms keyrings and keys will be provisioned by the Autokey." type = string } variable "autokey_folder_number" { type = string - description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." + description = "The folder number on which autokey will be configured and enabled. Required when using Autokey." } -variable "autokey_handles" { - type = map(object({ - name = string - resource_type_selector = string - location = string - project = string - })) - description = <<-EOF - (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service. - - name: The resource name for the KeyHandle. - - resource_type_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services. - - location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list. - - project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used. - EOF - default = null -} diff --git a/scripts/create_autokey_tfvars_file.sh b/scripts/create_autokey_tfvars_file.sh deleted file mode 100755 index cd56a52..0000000 --- a/scripts/create_autokey_tfvars_file.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -echo ---------------------------------------------- -echo Starting terraform.tfvars file creation -echo ---------------------------------------------- - -echo " -project_id = $AUTOKEY_KMS_PROJECT_ID -autokey_folder_number = \"$AUTOKEY_FOLDER_NUMBER\" -autokey_handles = { -" > terraform.tfvars - -if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then - echo " - bq_dataset = { - name = \"$AUTOKEY_BQ_KEY_HANDLE_NAME\", - project = \"$AUTOKEY_BQ_KEY_HANDLE_PROJECT\", - resource_type_selector = \"bigquery.googleapis.com/Dataset\", - location = \"$AUTOKEY_BQ_KEY_HANDLE_LOCATION\" - }, -" >> terraform.tfvars -fi -if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then - echo " - compute_disk = { - name = \"$AUTOKEY_DISK_KEY_HANDLE_NAME\", - project = \"$AUTOKEY_DISK_KEY_HANDLE_PROJECT\", - resource_type_selector = \"compute.googleapis.com/Disk\", - location = \"$AUTOKEY_DISK_KEY_HANDLE_LOCATION\" - }, -" >> terraform.tfvars -fi -if [ -n "$AUTOKEY_GCS_KEY_HANDLE_NAME" ]; then - echo " - gcs_bucket = { - name = \"$AUTOKEY_GCS_KEY_HANDLE_NAME\", - project = \"$AUTOKEY_GCS_KEY_HANDLE_PROJECT\", - resource_type_selector = \"storage.googleapis.com/Bucket\", - location = \"$AUTOKEY_GCS_KEY_HANDLE_LOCATION\" - }, -" >> terraform.tfvars -fi - -echo " -} -" >> terraform.tfvars - -echo ---------------------------------------------- -echo terraform.tfvars file created -echo 
---------------------------------------------- diff --git a/scripts/export_autokey_env_vars.sh b/scripts/export_autokey_env_vars.sh deleted file mode 100644 index 213ec15..0000000 --- a/scripts/export_autokey_env_vars.sh +++ /dev/null 
@@ -1,89 +0,0 @@ -#!/bin/bash - -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -echo ---------------------------------------------- -echo Getting Autokey config and project -echo ---------------------------------------------- - -# terraform output format: "folders/{FOLDER_NUMBER}/autokeyConfig". That's why we cut just the second element. -AUTOKEY_FOLDER_NUMBER=$(terraform output -raw autokey_config | cut -d'/' -f2) -export AUTOKEY_FOLDER_NUMBER - -AUTOKEY_KMS_PROJECT_ID=$(echo "module.autokey.key_project_id" | terraform console) -export AUTOKEY_KMS_PROJECT_ID - -echo AUTOKEY_FOLDER_NUMBER: "$AUTOKEY_FOLDER_NUMBER" -echo AUTOKEY_KMS_PROJECT_ID: "$AUTOKEY_KMS_PROJECT_ID" - -echo ---------------------------------------------- -echo Getting Bigquery Dataset KeyHandle -echo ---------------------------------------------- - -# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}". -# That's why we have the cut operation. 
- -AUTOKEY_BQ_KEY_HANDLE_PROJECT=$(terraform output -raw bq_key_handle | cut -d'/' -f2) -export AUTOKEY_BQ_KEY_HANDLE_PROJECT - -AUTOKEY_BQ_KEY_HANDLE_LOCATION=$(terraform output -raw bq_key_handle | cut -d'/' -f4) -export AUTOKEY_BQ_KEY_HANDLE_LOCATION - -AUTOKEY_BQ_KEY_HANDLE_NAME=$(terraform output -raw bq_key_handle | cut -d'/' -f6) -export AUTOKEY_BQ_KEY_HANDLE_NAME - -echo AUTOKEY_BQ_KEY_HANDLE_PROJECT: "$AUTOKEY_BQ_KEY_HANDLE_PROJECT" -echo AUTOKEY_BQ_KEY_HANDLE_LOCATION: "$AUTOKEY_BQ_KEY_HANDLE_LOCATION" -echo AUTOKEY_BQ_KEY_HANDLE_NAME: "$AUTOKEY_BQ_KEY_HANDLE_NAME" - -echo ---------------------------------------------- -echo Getting Compute Disk KeyHandle -echo ---------------------------------------------- - -# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}". -# That's why we have the cut operation. - -AUTOKEY_DISK_KEY_HANDLE_PROJECT=$(terraform output -raw disk_key_handle | cut -d'/' -f2) -export AUTOKEY_DISK_KEY_HANDLE_PROJECT - -AUTOKEY_DISK_KEY_HANDLE_LOCATION=$(terraform output -raw disk_key_handle | cut -d'/' -f4) -export AUTOKEY_DISK_KEY_HANDLE_LOCATION - -AUTOKEY_DISK_KEY_HANDLE_NAME=$(terraform output -raw disk_key_handle | cut -d'/' -f6) -export AUTOKEY_DISK_KEY_HANDLE_NAME - -echo AUTOKEY_DISK_KEY_HANDLE_PROJECT: "$AUTOKEY_DISK_KEY_HANDLE_PROJECT" -echo AUTOKEY_DISK_KEY_HANDLE_LOCATION: "$AUTOKEY_DISK_KEY_HANDLE_LOCATION" -echo AUTOKEY_DISK_KEY_HANDLE_NAME: "$AUTOKEY_DISK_KEY_HANDLE_NAME" - -echo ---------------------------------------------- -echo Getting Storage Bucket KeyHandle -echo ---------------------------------------------- - -# terraform output format: "projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEYHANDLE_NAME}". -# That's why we have the cut operation. 
- -AUTOKEY_GCS_KEY_HANDLE_PROJECT=$(terraform output -raw gcs_key_handle | cut -d'/' -f2) -export AUTOKEY_GCS_KEY_HANDLE_PROJECT - -AUTOKEY_GCS_KEY_HANDLE_LOCATION=$(terraform output -raw gcs_key_handle | cut -d'/' -f4) -export AUTOKEY_GCS_KEY_HANDLE_LOCATION - -AUTOKEY_GCS_KEY_HANDLE_NAME=$(terraform output -raw gcs_key_handle | cut -d'/' -f6) -export AUTOKEY_GCS_KEY_HANDLE_NAME - -echo AUTOKEY_GCS_KEY_HANDLE_PROJECT: "$AUTOKEY_GCS_KEY_HANDLE_PROJECT" -echo AUTOKEY_GCS_KEY_HANDLE_LOCATION: "$AUTOKEY_GCS_KEY_HANDLE_LOCATION" -echo AUTOKEY_GCS_KEY_HANDLE_NAME: "$AUTOKEY_GCS_KEY_HANDLE_NAME" diff --git a/scripts/import_autokey_state.sh b/scripts/import_autokey_state.sh deleted file mode 100755 index adaadc1..0000000 --- a/scripts/import_autokey_state.sh +++ /dev/null 
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-echo ----------------------------------------------
-echo Starting terraform init process
-echo ----------------------------------------------
-
-terraform init
-
-echo ----------------------------------------------
-echo terraform init process completed
-echo ----------------------------------------------
-
-echo ----------------------------------------------
-echo Starting terraform import process
-echo ----------------------------------------------
-
-if [ -n "$AUTOKEY_BQ_KEY_HANDLE_NAME" ]; then
-terraform import google_kms_key_handle.primary\[\"bq_dataset\"\] projects/"$AUTOKEY_BQ_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_BQ_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_BQ_KEY_HANDLE_NAME"
-fi
-if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
-terraform import google_kms_key_handle.primary\[\"compute_disk\"\] projects/"$AUTOKEY_DISK_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_DISK_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_DISK_KEY_HANDLE_NAME"
-fi
-if [ -n "$AUTOKEY_DISK_KEY_HANDLE_NAME" ]; then
-terraform import google_kms_key_handle.primary\[\"gcs_bucket\"\] projects/"$AUTOKEY_GCS_KEY_HANDLE_PROJECT"/locations/"$AUTOKEY_GCS_KEY_HANDLE_LOCATION"/keyHandles/"$AUTOKEY_GCS_KEY_HANDLE_NAME"
-fi
-
-echo ----------------------------------------------
-echo terraform import completed
-echo ----------------------------------------------
diff --git a/scripts/unset_autokey_env_vars.sh b/scripts/unset_autokey_env_vars.sh
deleted file mode 100755
index c892f74..0000000
--- a/scripts/unset_autokey_env_vars.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-unset AUTOKEY_FOLDER_NUMBER
-unset AUTOKEY_KMS_PROJECT_ID
-unset AUTOKEY_BQ_KEY_HANDLE_PROJECT
-unset AUTOKEY_BQ_KEY_HANDLE_LOCATION
-unset AUTOKEY_BQ_KEY_HANDLE_NAME
-unset AUTOKEY_DISK_KEY_HANDLE_PROJECT
-unset AUTOKEY_DISK_KEY_HANDLE_LOCATION
-unset AUTOKEY_DISK_KEY_HANDLE_NAME
-unset AUTOKEY_GCS_KEY_HANDLE_PROJECT
-unset AUTOKEY_GCS_KEY_HANDLE_LOCATION
-unset AUTOKEY_GCS_KEY_HANDLE_NAME
-
-echo ----------------------------------------------
-echo unset env vars process completed
-echo ----------------------------------------------
diff --git a/test/fixtures/autokey_setup_fixture/main.tf b/test/fixtures/autokey_setup_fixture/main.tf
new file mode 100644
index 0000000..c1d0000
--- /dev/null
+++ b/test/fixtures/autokey_setup_fixture/main.tf
@@ -0,0 +1,20 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +module "autokey_setup_fixture" { + source = "../../../examples/autokey_setup" + key_project_id = var.project_id + folder_id = var.folder_id +} diff --git a/examples/autokey_example/outputs.tf b/test/fixtures/autokey_setup_fixture/outputs.tf similarity index 67% rename from examples/autokey_example/outputs.tf rename to test/fixtures/autokey_setup_fixture/outputs.tf index 45f188b..150795a 100644 --- a/examples/autokey_example/outputs.tf +++ b/test/fixtures/autokey_setup_fixture/outputs.tf @@ -16,15 +16,10 @@ output "autokey_config_id" { description = "An Autokey configuration identifier." - value = module.autokey.autokey_config_id != null ? module.autokey.autokey_config_id : "" + value = module.autokey_setup_fixture.autokey_config_id } -output "autokey_keyhandles" { - description = "A map of KeyHandles created." - value = module.autokey.autokey_keyhandles != null ? module.autokey.autokey_keyhandles : {} -} - -output "autokey_project_id" { - description = "Project used for autokey." +output "key_project_id" { + description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." value = var.project_id } 
diff --git a/examples/autokey_example/variables.tf b/test/fixtures/autokey_setup_fixture/variables.tf similarity index 62% rename from examples/autokey_example/variables.tf rename to test/fixtures/autokey_setup_fixture/variables.tf index 35a0fa5..4340480 100644 --- a/examples/autokey_example/variables.tf +++ b/test/fixtures/autokey_setup_fixture/variables.tf @@ -15,17 +15,12 @@ */ variable "project_id" { - description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)." - type = string -} - -variable "autokey_resource_project_id" { - description = "The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK)." + description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey." type = string } variable "folder_id" { + description = "The ID of the folder for which to configure and enable Autokey feature." type = string - description = "The Autokey folder number used by Autokey config resource. Required when using Autokey." -} +} diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/main.tf b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf new file mode 100644 index 0000000..9d1f04a --- /dev/null +++ b/test/fixtures/bucket_setup_using_autokey_fixture/main.tf 
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module "bucket_setup_using_autokey_fixture" {
+ source = "../../../examples/bucket_setup_using_autokey"
+ key_project_id = var.project_id
+ folder_id = var.folder_id
+ resource_project_id = var.resource_project_id
+ bucket_location = var.bucket_location
+}
diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf b/test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf
new file mode 100644
index 0000000..bc53167
--- /dev/null
+++ b/test/fixtures/bucket_setup_using_autokey_fixture/outputs.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket_keyhandle" {
+ description = "Keyhandle configuration created for the bucket."
+ value = module.bucket_setup_using_autokey_fixture.bucket_keyhandle
+}
+
+output "bucket_name" {
+ description = "Name of the bucket created."
+ value = module.bucket_setup_using_autokey_fixture.bucket_name
+}
diff --git a/test/fixtures/bucket_setup_using_autokey_fixture/variables.tf b/test/fixtures/bucket_setup_using_autokey_fixture/variables.tf
new file mode 100644
index 0000000..68cddfa
--- /dev/null
+++ b/test/fixtures/bucket_setup_using_autokey_fixture/variables.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+ type = string
+}
+
+variable "folder_id" {
+ type = string
+ description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+
+variable "resource_project_id" {
+ description = "The ID of the project in which to provision cloud storage bucket resources."
+ type = string
+}
+
+variable "bucket_location" {
+ type = string
+ description = "The GCP location where storage bucket will be created"
+ default = "us-central1"
+}
diff --git a/test/integration/autokey_example/autokey_example_test.go b/test/integration/autokey_setup/autokey_setup_test.go
similarity index 54%
rename from test/integration/autokey_example/autokey_example_test.go
rename to test/integration/autokey_setup/autokey_setup_test.go
index b793bda..8f2deaa 100755
--- a/test/integration/autokey_example/autokey_example_test.go
+++ b/test/integration/autokey_setup/autokey_setup_test.go
@@ -12,36 +12,27 @@ // See the License for the specific language governing permissions and // limitations under the License. -package autokey_example +package autokey_setup import ( "context" "fmt" "io" - "regexp" "testing" - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/stretchr/testify/assert" "golang.org/x/oauth2/google" ) -func validateKeyHandleVersion(input string, projectId string, autokeyResource string) bool { - pattern := fmt.Sprintf(`^projects/%s/locations/us-central1/keyRings/autokey/cryptoKeys/%s-(bigquery-dataset|compute-disk|storage-bucket)-.*?/cryptoKeyVersions/1$`, projectId, autokeyResource) - regex := regexp.MustCompile(pattern) - return regex.MatchString(input) -} - -func TestAutokeyExample(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) +func TestAutokeySetup(t *testing.T) { + bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/autokey_setup_fixture")) bpt.DefineVerify(func(assert *assert.Assertions) { bpt.DefaultVerify(assert) - projectId := bpt.GetStringOutput("autokey_project_id") + kmsProjectId := bpt.GetStringOutput("key_project_id") autokeyConfig := bpt.GetStringOutput("autokey_config_id") - autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("autokey_resource_project_number") // Autokey config doesn't have a gcloud command yet. That's why we need to hit the API. autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig) 
@@ -65,19 +56,9 @@ func TestAutokeyExample(t *testing.T) { result := utils.ParseJSONResult(t, string(body)) - // Asserting if Autokey configuration was created + // Asserting if Autokey configuration was enabled with correct kms project id autokeyConfigProject := result.Get("keyProject").String() - assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", projectId), "autokey expected for project %s", projectId) - - // Asserting if Autokey keyring was created - op := gcloud.Runf(t, "--project=%s kms keyrings list --location us-central1 --filter name:autokey", projectId).Array()[0].Get("name") - assert.Contains(op.String(), fmt.Sprintf("projects/%s/locations/us-central1/keyRings/autokey", projectId), "Contains Autokey KeyRing") - - // Asserting if Autokey keyHandles were created - op1 := gcloud.Runf(t, "kms keys list --project=%s --keyring autokey --location us-central1", projectId).Array() - for _, element := range op1 { - assert.True(validateKeyHandleVersion(element.Get("primary").Map()["name"].Str, projectId, autokeyResourceProjectNumber.Str), "Contains KeyHandles") - } + assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", kmsProjectId), "autokey expected for project %s", kmsProjectId) }) bpt.Test() diff --git a/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go new file mode 100755 index 0000000..fedd0ee --- /dev/null +++ b/test/integration/bucket_setup_using_autokey/bucket_setup_using_autokey_test.go 
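Review bot: The assertion kept at the end of this hunk passes its arguments in the wrong order for testify, whose `assert.Equal` takes the expected value first: `autokeyConfigProject` (read from the API response) comes first and the expected `projects/<kmsProjectId>` string second, so a failure report would label the two values the wrong way round. I would write `assert.Equal(fmt.Sprintf("projects/%s", kmsProjectId), autokeyConfigProject, "autokey expected for project %s", kmsProjectId)`. With the keyring and key-handle checks removed, `keyProject` is the only property of the Autokey configuration this test still verifies; if the fixture can expose the folder, asserting that `autokey_config_id` names that folder would catch a configuration applied to the wrong folder. The body of `TestAutokeySetup` starts in the previous hunk and part of it lies outside both hunks.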
@@ -0,0 +1,41 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bucket_setup_using_autokey
+
+import (
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestBucketSetupUsingAutokey(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/bucket_setup_using_autokey_fixture"))
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ bpt.DefaultVerify(assert)
+
+ bucketKeyHandle := bpt.GetJsonOutput("bucket_keyhandle")
+ bucketName := bpt.GetStringOutput("bucket_name")
+
+ keyHandleKmsKey := bucketKeyHandle.Get("kms_key").String()
+ op1 := gcloud.Runf(t, "storage buckets describe gs://%s", bucketName).Array()
+ bucketKmsKey := op1[0].Map()["default_kms_key"].Str
+ assert.True(keyHandleKmsKey != "", "Invalid KMS Key generated for bucket keyhandle")
+ assert.True(bucketKmsKey == keyHandleKmsKey, "KMS Key generated for bucket keyhandle %s is not matching with kms key used in bucket %s", keyHandleKmsKey, bucketKmsKey)
+ })
+
+ bpt.Test()
+}
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index 63f42bc..2d9a328 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
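Review bot: The two checks at the end of the verify closure use `assert.True` on hand-written comparisons, which reports only `false` plus the message when the bucket's CMEK key is wrong; `assert.NotEmpty(keyHandleKmsKey, "Invalid KMS Key generated for bucket keyhandle")` and `assert.Equal(keyHandleKmsKey, bucketKmsKey, "bucket default KMS key should be the key handle's key")` state the intent and print both values. `op1[0]` is also indexed without a length check, so an empty result from `gcloud storage buckets describe` would panic rather than fail the assertion; a guard such as `if !assert.NotEmpty(op1) { return }` before the index would help. The test shows the bucket uses the key handle's key but not where that key lives; if the fixture exposed the key project, a prefix check on `keyHandleKmsKey` would confirm the key was provisioned in the intended KMS project.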
@@ -18,11 +18,11 @@ output "project_id" { value = module.project_ci_kms.project_id } -output "autokey_resource_project_id" { +output "resource_project_id" { value = module.autokey_resource_project.project_id } -output "autokey_resource_project_number" { +output "resource_project_number" { value = module.autokey_resource_project.project_number }