From 5eea69078a1f6107933a8f1300259f260da45039 Mon Sep 17 00:00:00 2001 From: Modular Magician Date: Thu, 20 Feb 2025 17:52:50 +0000 Subject: [PATCH] feature: add Ephemeral `WriteOnly` attributes support (#13126) Co-authored-by: Zhenhua Li [upstream:6f9117a459fe10f7c00e22e63865ba61ea4ac6bb] 
Signed-off-by: Modular Magician
---
disk_basic_wo/backing_file.tf | 15 ++++
disk_basic_wo/main.tf | 14 ++++
disk_basic_wo/motd | 7 ++
disk_basic_wo/tutorial.md | 79 +++++++++++++++++++
.../backing_file.tf | 15 ++++
region_disk_disk_encryption_key_wo/main.tf | 27 +++++++
region_disk_disk_encryption_key_wo/motd | 7 ++
.../tutorial.md | 79 +++++++++++++++++++
.../backing_file.tf | 15 ++++
secret_version_basic_write_only/main.tf | 18 +++++
secret_version_basic_write_only/motd | 7 ++
secret_version_basic_write_only/tutorial.md | 79 +++++++++++++++++++
.../backing_file.tf | 15 ++++
.../main.tf | 19 +++++
.../motd | 7 ++
.../tutorial.md | 79 +++++++++++++++++++
16 files changed, 482 insertions(+)
create mode 100644 disk_basic_wo/backing_file.tf
create mode 100644 disk_basic_wo/main.tf
create mode 100644 disk_basic_wo/motd
create mode 100644 disk_basic_wo/tutorial.md
create mode 100644 region_disk_disk_encryption_key_wo/backing_file.tf
create mode 100644 region_disk_disk_encryption_key_wo/main.tf
create mode 100644 region_disk_disk_encryption_key_wo/motd
create mode 100644 region_disk_disk_encryption_key_wo/tutorial.md
create mode 100644 secret_version_basic_write_only/backing_file.tf
create mode 100644 secret_version_basic_write_only/main.tf
create mode 100644 secret_version_basic_write_only/motd
create mode 100644 secret_version_basic_write_only/tutorial.md
create mode 100644 secret_version_with_base64_string_secret_data_write_only/backing_file.tf
create mode 100644 secret_version_with_base64_string_secret_data_write_only/main.tf
create mode 100644 secret_version_with_base64_string_secret_data_write_only/motd
create mode 100644 secret_version_with_base64_string_secret_data_write_only/tutorial.md
diff --git a/disk_basic_wo/backing_file.tf b/disk_basic_wo/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/disk_basic_wo/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/disk_basic_wo/main.tf b/disk_basic_wo/main.tf
new file mode 100644
index 00000000..b77222e5
--- /dev/null
+++ b/disk_basic_wo/main.tf
@@ -0,0 +1,14 @@
+resource "google_compute_disk" "default" {
+ name = "test-disk-${local.name_suffix}"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-11-bullseye-v20220719"
+ labels = {
+ environment = "dev"
+ }
+ disk_encryption_key {
+ raw_key_wo = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+ raw_key_wo_version = 1
+ }
+ physical_block_size_bytes = 4096
+}
diff --git a/disk_basic_wo/motd b/disk_basic_wo/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/disk_basic_wo/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/disk_basic_wo/tutorial.md b/disk_basic_wo/tutorial.md
new file mode 100644
index 00000000..8e198f9a
--- /dev/null
+++ b/disk_basic_wo/tutorial.md
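Review bot: The disk_encryption_key block in disk_basic_wo/main.tf places the customer-supplied key in configuration as the `raw_key_wo` literal, so the write-only attribute keeps it out of state and plan output but not out of this committed .tf file; the example should say where a real key is meant to come from, e.g. `# raw_key_wo is never persisted to state; outside a demo, source it from an ephemeral variable or a secret store rather than a literal in config`. The companion `raw_key_wo_version = 1` also deserves a comment, because Terraform cannot diff a write-only value and, as I understand the *_wo_version convention, the provider only re-sends the key when this number changes; something like `# bump raw_key_wo_version whenever raw_key_wo changes, otherwise the new key is not applied` would save readers a trip to the docs. The same two points apply to the disk_encryption_key block in region_disk_disk_encryption_key_wo/main.tf.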
@@ -0,0 +1,79 @@
+# Disk Basic Wo - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/region_disk_disk_encryption_key_wo/backing_file.tf b/region_disk_disk_encryption_key_wo/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/region_disk_disk_encryption_key_wo/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/region_disk_disk_encryption_key_wo/main.tf b/region_disk_disk_encryption_key_wo/main.tf
new file mode 100644
index 00000000..51e1871a
--- /dev/null
+++ b/region_disk_disk_encryption_key_wo/main.tf
@@ -0,0 +1,27 @@
+resource "google_compute_region_disk" "regiondisk" {
+ name = "my-region-disk-${local.name_suffix}"
+ snapshot = google_compute_snapshot.snapdisk.id
+ type = "pd-ssd"
+ region = "us-central1"
+ physical_block_size_bytes = 4096
+ disk_encryption_key {
+ raw_key_wo = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+ raw_key_wo_version = 1
+ }
+
+ replica_zones = ["us-central1-a", "us-central1-f"]
+}
+
+resource "google_compute_disk" "disk" {
+ name = "my-disk-${local.name_suffix}"
+ image = "debian-cloud/debian-11"
+ size = 50
+ type = "pd-ssd"
+ zone = "us-central1-a"
+}
+
+resource "google_compute_snapshot" "snapdisk" {
+ name = "my-snapshot-${local.name_suffix}"
+ source_disk = google_compute_disk.disk.name
+ zone = "us-central1-a"
+}
diff --git a/region_disk_disk_encryption_key_wo/motd b/region_disk_disk_encryption_key_wo/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/region_disk_disk_encryption_key_wo/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/region_disk_disk_encryption_key_wo/tutorial.md b/region_disk_disk_encryption_key_wo/tutorial.md
new file mode 100644
index 00000000..b9086bc3
--- /dev/null
+++ b/region_disk_disk_encryption_key_wo/tutorial.md
@@ -0,0 +1,79 @@
+# Region Disk Disk Encryption Key Wo - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/secret_version_basic_write_only/backing_file.tf b/secret_version_basic_write_only/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/secret_version_basic_write_only/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/secret_version_basic_write_only/main.tf b/secret_version_basic_write_only/main.tf
new file mode 100644
index 00000000..3159ffa0
--- /dev/null
+++ b/secret_version_basic_write_only/main.tf
@@ -0,0 +1,18 @@
+resource "google_secret_manager_secret" "secret-basic-write-only" {
+ secret_id = "secret-version-write-only-${local.name_suffix}"
+
+ labels = {
+ label = "my-label"
+ }
+
+ replication {
+ auto {}
+ }
+}
+
+
+resource "google_secret_manager_secret_version" "secret-version-basic-write-only" {
+ secret = google_secret_manager_secret.secret-basic-write-only.id
+ secret_data_wo_version = 1
+ secret_data_wo = "secret-data-write-only-${local.name_suffix}"
+}
diff --git a/secret_version_basic_write_only/motd b/secret_version_basic_write_only/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/secret_version_basic_write_only/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/secret_version_basic_write_only/tutorial.md b/secret_version_basic_write_only/tutorial.md
new file mode 100644
index 00000000..8118588d
--- /dev/null
+++ b/secret_version_basic_write_only/tutorial.md
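Review bot: In secret_version_basic_write_only/main.tf the write-only payload `secret_data_wo = "secret-data-write-only-${local.name_suffix}"` is built from `random_pet.suffix.id`, which is itself persisted in state, so the value this example keeps out of state is trivially reconstructable from state anyway and the demonstration loses its point. A comment making that explicit would help readers, e.g. `# demo value only: a real secret_data_wo should come from an ephemeral variable or an external source, never be derivable from other state`. `secret_data_wo_version = 1` should likewise note that, since a write-only value produces no diff on its own, it is this field that has to change to push new secret data, e.g. `# increment secret_data_wo_version whenever secret_data_wo changes`.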
@@ -0,0 +1,79 @@
+# Secret Version Basic Write Only - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/secret_version_with_base64_string_secret_data_write_only/backing_file.tf b/secret_version_with_base64_string_secret_data_write_only/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/secret_version_with_base64_string_secret_data_write_only/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/secret_version_with_base64_string_secret_data_write_only/main.tf b/secret_version_with_base64_string_secret_data_write_only/main.tf
new file mode 100644
index 00000000..88240a98
--- /dev/null
+++ b/secret_version_with_base64_string_secret_data_write_only/main.tf
@@ -0,0 +1,19 @@
+resource "google_secret_manager_secret" "secret-basic" {
+ secret_id = "secret-version-base64-write-only-${local.name_suffix}"
+
+ replication {
+ user_managed {
+ replicas {
+ location = "us-central1"
+ }
+ }
+ }
+}
+
+resource "google_secret_manager_secret_version" "secret-version-base64-write-only" {
+ secret = google_secret_manager_secret.secret-basic.id
+
+ is_secret_data_base64 = true
+ secret_data_wo_version = 1
+ secret_data_wo = filebase64("secret-data-base64-write-only.pfx-${local.name_suffix}")
+}
diff --git a/secret_version_with_base64_string_secret_data_write_only/motd b/secret_version_with_base64_string_secret_data_write_only/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/secret_version_with_base64_string_secret_data_write_only/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/secret_version_with_base64_string_secret_data_write_only/tutorial.md b/secret_version_with_base64_string_secret_data_write_only/tutorial.md
new file mode 100644
index 00000000..a4fc87e9
--- /dev/null
+++ b/secret_version_with_base64_string_secret_data_write_only/tutorial.md
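Review bot: `secret_data_wo = filebase64("secret-data-base64-write-only.pfx-${local.name_suffix}")` in secret_version_with_base64_string_secret_data_write_only/main.tf cannot succeed as written: the random suffix has been appended to a file name, so the path is only known once `random_pet.suffix` exists, and this patch adds no .pfx fixture at all (the diffstat lists only .tf, motd and tutorial.md files), so the `terraform apply` the tutorial walks the user through will fail reading the file. It looks like the scaffolding's name-suffixing was applied to a file path rather than a resource name; the line should read `secret_data_wo = filebase64("secret-data-base64-write-only.pfx")`, with a fixture of that name shipped alongside or the tutorial telling the user to create it first. Whether Terraform accepts a value that is unknown at plan time for a write-only argument is a further question worth checking before this example is published.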
@@ -0,0 +1,79 @@
+# Secret Version With Base64 String Secret Data Write Only - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```