diff --git a/docs/production.md b/docs/production.md index 1968ba909..8d5eecf29 100644 --- a/docs/production.md +++ b/docs/production.md @@ -251,6 +251,8 @@ DB_APIKEY_SIGNATURE_KEY="gSEGlr482MSTm0eGRm2VvS86iQin3+/+80ALBkKKBYgu2EJyhGkvi8B Note: Removing any of the keys from this list will invalidate API keys signed by that version. +If you are using Terraform, increment the `db_apikey_sig_hmac_count` by 1. + ### API Key database HMAC keys @@ -277,6 +279,8 @@ DB_APIKEY_SIGNATURE_KEY="1do5HM96Bk9WD15BQC3qbW9e3T2V6T0DHn2i1xGJRKX8tZubxuaeziv Note: Removing any of the keys from this list will invalidate API keys HMACed by that version. +If you are using Terraform, increment the `db_apikey_db_hmac_count` by 1. + ### Verification Code database HMAC keys @@ -305,6 +309,8 @@ Note: Removing any of the keys from this list will invalidate verification codes HMACed by that version. However, given verification a verification code's lifetime is short, it is probably safe to remove the key beyond 30 days. +If you are using Terraform, increment the `db_verification_code_hmac_count` by 1. + ### Certificate and token signing keys diff --git a/terraform/database.tf b/terraform/database.tf index 1d12c6570..0bb6db493 100644 --- a/terraform/database.tf +++ b/terraform/database.tf @@ -120,6 +120,7 @@ resource "google_secret_manager_secret_version" "db-secret-version" { # Create secret for the database HMAC for API keys resource "random_id" "db-apikey-db-hmac" { + count = var.db_apikey_db_hmac_count byte_length = 128 } @@ -137,11 +138,12 @@ resource "google_secret_manager_secret" "db-apikey-db-hmac" { resource "google_secret_manager_secret_version" "db-apikey-db-hmac" { secret = google_secret_manager_secret.db-apikey-db-hmac.id - secret_data = random_id.db-apikey-db-hmac.b64_std + secret_data = join(",", reverse(random_id.db-apikey-db-hmac.*.b64_std)) } # Create secret for signature HMAC for api keys resource "random_id" "db-apikey-sig-hmac" { + count = var.db_apikey_sig_hmac_count byte_length = 128 } @@ -159,11 +161,12 @@ resource "google_secret_manager_secret" "db-apikey-sig-hmac" { resource "google_secret_manager_secret_version" "db-apikey-sig-hmac" { secret = google_secret_manager_secret.db-apikey-sig-hmac.id - secret_data = random_id.db-apikey-sig-hmac.b64_std + secret_data = join(",", reverse(random_id.db-apikey-sig-hmac.*.b64_std)) } # Create secret for the database HMAC for verification codes resource "random_id" "db-verification-code-hmac" { + count = var.db_verification_code_hmac_count byte_length = 128 } @@ -181,7 +184,7 @@ resource "google_secret_manager_secret" "db-verification-code-hmac" { resource "google_secret_manager_secret_version" "db-verification-code-hmac" { secret = google_secret_manager_secret.db-verification-code-hmac.id - secret_data = random_id.db-verification-code-hmac.b64_std + secret_data = join(",", reverse(random_id.db-verification-code-hmac.*.b64_std)) } diff --git a/terraform/variables.tf b/terraform/variables.tf index 4aa0e7c2a..8a2032d30 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -175,11 +175,25 @@ variable "enx_redirect_domain_map" { description = "Redirect domains and environments." } -variable "prevent_destroy" { - type = bool - default = true +variable "db_apikey_db_hmac_count" { + type = number + default = 1 + + description = "Number of HMAC keys to create for HMACing API keys in the database. Increase by 1 to force a rotation." +} + +variable "db_apikey_sig_hmac_count" { + type = number + default = 1 + + description = "Number of HMAC keys to create for HMACing API key signatures. Increase by 1 to force a rotation." +} + +variable "db_verification_code_hmac_count" { + type = number + default = 1 - description = "Prevent destruction of critical resources. Set this to false to actually destroy everything." + description = "Number of HMAC keys to create for HMACing verification codes in the database. Increase by 1 to force a rotation." } terraform {