feat: added encryption options (#33)

BREAKING CHANGE: cos bucket will be destroyed if enabling encryption during upgrade

Author: daniel-butler-irl

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2022-11-09T13:08:40Z",
+  "generated_at": "2022-11-11T12:06:12Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -81,7 +81,9 @@ You need the following permissions to run this module.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kp_all_inclusive"></a> [kp\_all\_inclusive](#module\_kp\_all\_inclusive) | git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git | v1.0.0 |
 
 ## Resources
 
@@ -92,7 +94,6 @@ No modules.
 | [ibm_iam_authorization_policy.policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.cos_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_instance.cos_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/resource_instance) | data source |
-| [ibm_resource_instance.keyprotect_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/resource_instance) | data source |
 
 ## Inputs
 
@@ -103,14 +104,18 @@ No modules.
 | <a name="input_archive_type"></a> [archive\_type](#input\_archive\_type) | Specifies the storage class or archive type to which you want the object to transition. | `string` | `"Glacier"` | no |
 | <a name="input_bucket_infix"></a> [bucket\_infix](#input\_bucket\_infix) | Custom infix for use in cos bucket name (Optional) | `string` | `null` | no |
 | <a name="input_cos_instance_name"></a> [cos\_instance\_name](#input\_cos\_instance\_name) | Name of the cos instance where the bucket should be created | `string` | `null` | no |
+| <a name="input_cos_key_name"></a> [cos\_key\_name](#input\_cos\_key\_name) | List of strings containing the list of desired Key Protect Key names as the values for each Key Ring, this Key Protect Key is used to encrypt the data in the COS Bucket | `list(string)` | <pre>[<br>  "cos-key"<br>]</pre> | no |
+| <a name="input_cos_key_ring_name"></a> [cos\_key\_ring\_name](#input\_cos\_key\_ring\_name) | A String containing the desired Key Ring Names as the key of the map for the key protect instance, this Key Protect Key is used to encrypt the data in the COS Bucket | `string` | `"cos-key-ring"` | no |
 | <a name="input_cos_location"></a> [cos\_location](#input\_cos\_location) | Location of the cloud object storage instance | `string` | `"global"` | no |
 | <a name="input_cos_plan"></a> [cos\_plan](#input\_cos\_plan) | Plan to be used for creating cloud object storage instance | `string` | `"standard"` | no |
 | <a name="input_create_cos_instance"></a> [create\_cos\_instance](#input\_create\_cos\_instance) | Set as true to create a new Cloud Object Storage instance | `bool` | `true` | no |
+| <a name="input_create_key_protect_instance"></a> [create\_key\_protect\_instance](#input\_create\_key\_protect\_instance) | Set as true to create a new Key Protect instance, this instance will store the Key used to encrypt the data in the COS Bucket | `bool` | `true` | no |
+| <a name="input_create_key_protect_key"></a> [create\_key\_protect\_key](#input\_create\_key\_protect\_key) | Set as true to create a new Key Protect Key, this Key Protect Key is used to encrypt the COS Bucket | `bool` | `true` | no |
 | <a name="input_encryption_enabled"></a> [encryption\_enabled](#input\_encryption\_enabled) | Set as true to use Key Protect encryption to encrypt data in COS bucket | `bool` | `true` | no |
 | <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | Prefix name for all related resources | `string` | n/a | yes |
 | <a name="input_expire_days"></a> [expire\_days](#input\_expire\_days) | Specifies the number of days when the expire rule action takes effect. | `number` | `365` | no |
-| <a name="input_key_protect_instance_name"></a> [key\_protect\_instance\_name](#input\_key\_protect\_instance\_name) | Name of an existing Key Protect instance to use, this instance will store the Key used to encrypt the data in the COS Bucket | `string` | `null` | no |
-| <a name="input_key_protect_key_crn"></a> [key\_protect\_key\_crn](#input\_key\_protect\_key\_crn) | CRN of the Key Protect Key to use, this Key Protect Key is used to encrypt the data in the COS Bucket | `string` | `null` | no |
+| <a name="input_key_protect_instance_name"></a> [key\_protect\_instance\_name](#input\_key\_protect\_instance\_name) | Name to set as the instance name if creating a Key Protect instance, otherwise name of an existing Key Protect instance to use, this instance will store the Key used to encrypt the data in the COS Bucket | `string` | `null` | no |
+| <a name="input_key_protect_key_crn"></a> [key\_protect\_key\_crn](#input\_key\_protect\_key\_crn) | CRN of the Key Protect Key to use if not creating a Key in this module, this Key Protect Key is used to encrypt the data in the COS Bucket | `string` | `null` | no |
 | <a name="input_object_versioning_enabled"></a> [object\_versioning\_enabled](#input\_object\_versioning\_enabled) | Enable object versioning to keep multiple versions of an object in a bucket. Cannot be used with retention rule. | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | Name of the Region to deploy in to | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the environment will be created | `string` | n/a | yes |
@@ -128,6 +133,7 @@ No modules.
 | <a name="output_bucket_id"></a> [bucket\_id](#output\_bucket\_id) | Bucket id |
 | <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | Bucket Name |
 | <a name="output_cos_instance_id"></a> [cos\_instance\_id](#output\_cos\_instance\_id) | The GUID of the Cloud Object Storage Instance where the buckets are created |
+| <a name="output_key_protect_instance_id"></a> [key\_protect\_instance\_id](#output\_key\_protect\_instance\_id) | The GUID of the Key Protect Instance where the Key to encrypt the COS Bucket is stored |
 | <a name="output_key_protect_key_crn"></a> [key\_protect\_key\_crn](#output\_key\_protect\_key\_crn) | The CRN of the Key Protect Key used to encrypt the COS Bucket |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | Resource Group ID |
 | <a name="output_s3_endpoint_private"></a> [s3\_endpoint\_private](#output\_s3\_endpoint\_private) | S3 private endpoint |

examples/bucket-without-tracking-monitoring/main.tf

@@ -7,14 +7,15 @@ module "resource_group" {
 
 # Create COS bucket with:
 # - Retention
+# - Encryption
 # Create COS bucket without:
 # - Monitoring
 # - Activity Tracking
-# - Encryption
+
 module "cos" {
   source             = "../../"
   environment_name   = "${var.prefix}-${var.environment_name}-cos"
   resource_group_id  = module.resource_group.resource_group_id
   region             = var.region
-  encryption_enabled = false
+  encryption_enabled = true
 }

examples/bucket-without-tracking-monitoring/providers.tf

@@ -2,3 +2,19 @@
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
 }
+
+# used by the restapi provider to authenticate the API call based on API key
+data "ibm_iam_auth_token" "token_data" {
+}
+
+provider "restapi" {
+  uri                   = "https:"
+  write_returns_object  = false
+  create_returns_object = false
+  debug                 = false # set to true to show detailed logs, but use carefully as it might print sensitive values.
+  headers = {
+    Authorization    = data.ibm_iam_auth_token.token_data.iam_access_token
+    Bluemix-Instance = module.cos.key_protect_instance_id
+    Content-Type     = "application/vnd.ibm.kms.policy+json"
+  }
+}

examples/bucket-without-tracking-monitoring/version.tf

@@ -6,5 +6,9 @@ terraform {
       source  = "ibm-cloud/ibm"
       version = "1.45.0"
     }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = "1.17.0"
+    }
   }
 }

main.tf

@@ -19,10 +19,36 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   cos_validate_check = regex("^${local.cos_validate_msg}$", (!local.cos_validate_condition ? local.cos_validate_msg : ""))
 
+  # only allow create_key_protect_key or key_protect_key_crn to be passed
+  kp_key_validate_condition = var.encryption_enabled && ((var.create_key_protect_key && var.key_protect_key_crn != null) || (!var.create_key_protect_key && var.key_protect_key_crn == null))
+  kp_key_validate_msg       = "Value for 'create_key_protect_key' cannot be true if 'key_protect_key_crn' is not null"
+  # tflint-ignore: terraform_unused_declarations
+  kp_key_validate_check = regex("^${local.kp_key_validate_msg}$", (!local.kp_key_validate_condition ? local.kp_key_validate_msg : ""))
+
+  # ensure if kms_key_crn is passed the create_kms_instance is false
+  kp_key_instance_validate_condition = var.encryption_enabled && (var.key_protect_key_crn != null && var.create_key_protect_instance)
+  kp_key_instance_validate_msg       = "Value for 'key_protect_key_crn' must be null if instance is created by the module"
+  # tflint-ignore: terraform_unused_declarations
+  kp_key_instance_validate_check = regex("^${local.kp_key_instance_validate_msg}$", (!local.kp_key_instance_validate_condition ? local.kp_key_instance_validate_msg : ""))
+  key_map = tomap({
+    # tflint-ignore: terraform_deprecated_interpolation
+    "${var.cos_key_ring_name}" : "${var.cos_key_name}"
+  })
+
+  key_crn = (var.encryption_enabled && var.create_key_protect_key) ? module.kp_all_inclusive[0].keys["${var.cos_key_ring_name}.${var.cos_key_name[0]}"].crn : var.key_protect_key_crn
 }
 
-locals {
-  key_crn = var.encryption_enabled ? var.key_protect_key_crn : ""
+# Module to create key protect instance or create keys if key protect instance is provided.
+# This module will be executed if encryption_enabled is set to true
+module "kp_all_inclusive" {
+  count                       = (var.encryption_enabled && var.create_key_protect_key) ? 1 : 0
+  source                      = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v1.0.0"
+  resource_group_id           = var.resource_group_id
+  region                      = var.region
+  prefix                      = var.environment_name
+  key_protect_instance_name   = var.key_protect_instance_name == null ? "${var.environment_name}-kp" : var.key_protect_instance_name
+  create_key_protect_instance = var.create_key_protect_instance
+  key_map                     = local.key_map
 }
 
 # Resource to create COS instance if create_cos_instance is true
@@ -50,23 +76,21 @@ data "ibm_resource_instance" "cos_instance" {
   service           = "cloud-object-storage"
 }
 
-# Data source to retrieve the key protect guid
-data "ibm_resource_instance" "keyprotect_instance" {
-  count = var.key_protect_instance_name == null ? 0 : 1
-  name  = var.key_protect_instance_name
-}
-
 # Create IAM Access Policy to allow Key protect to access COS instance
 resource "ibm_iam_authorization_policy" "policy" {
   count                       = local.create_access_policy ? 1 : 0
   source_service_name         = "cloud-object-storage"
   source_resource_instance_id = local.cos_instance_guid
   target_service_name         = "kms"
-  target_resource_instance_id = data.ibm_resource_instance.keyprotect_instance[0].guid
+  target_resource_instance_id = module.kp_all_inclusive[0].key_protect_guid
   roles                       = ["Reader"]
 }
 
-# Create COS bucket
+# Create COS bucket with:
+# - Retention
+# - Encryption
+# - Monitoring
+# - Activity Tracking
 resource "ibm_cos_bucket" "cos_bucket" {
   count                = var.encryption_enabled ? 1 : 0
   depends_on           = [ibm_iam_authorization_policy.policy]