From 705ddc19456f94f86586016db4ad6da5bb20f278 Mon Sep 17 00:00:00 2001 From: maheshwarishikha Date: Fri, 23 Jun 2023 17:07:09 +0530 Subject: [PATCH] feat: renamed module to terraform-ibm-kms-key as official support added for HPCS (#398) --- .github/settings.yml | 6 ++--- README.md | 32 +++++++++++----------- examples/default/README.md | 6 ++--- examples/default/main.tf | 24 ++++++++--------- examples/default/outputs.tf | 20 +++++++------- examples/default/variables.tf | 2 +- examples/existing-kms/main.tf | 14 +++++----- examples/existing-kms/outputs.tf | 4 +-- main.tf | 10 +++---- module-metadata.json | 22 +++++++-------- tests/pr_test.go | 46 +++++++++++++++++++++++++++++--- variables.tf | 10 +++---- 12 files changed, 117 insertions(+), 79 deletions(-) diff --git a/.github/settings.yml b/.github/settings.yml index c13e4ba..6ed70dd 100644 --- a/.github/settings.yml +++ b/.github/settings.yml @@ -15,12 +15,12 @@ repository: # By changing this field, you rename the repository. # Uncomment this name property and set the name to the current repo name. - name: "terraform-ibm-key-protect-key" + name: "terraform-ibm-kms-key" # The description is displayed under the repository name on the # organization page and in the 'About' section of the repository. # Uncomment this description property # and update the description to the current repo description. - description: "Module for creation of Key Protect keys" - topics: core-team, terraform, ibm-cloud, terraform-module, key-protect, kms + description: "Module for creation of KMS keys" + topics: core-team, terraform, ibm-cloud, terraform-module, key-protect, kms, hpcs diff --git a/README.md b/README.md index 01abe6e..a8c762b 100644 --- a/README.md +++ b/README.md 
@@ -1,35 +1,35 @@ -# Key Protect key module +# KMS key module [![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green?style=plastic)](https://terraform-ibm-modules.github.io/documentation/#/badge-status) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release) [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit) -[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-key-protect-key?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-key/releases/latest) +[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-kms-key?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-kms-key/releases/latest) [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/) -This module supports creating a standard or root key in an existing key ring and Key Protect instance. You can specify rotation and deletion policies. +This module supports creating a standard or root key in an existing key ring and KMS instance. KMS can be Key Protect or Hyper Protect Crypto Services(HPCS) instance. You can specify rotation and deletion policies for the keys. 
## Usage ```hcl provider "ibm" { ibmcloud_api_key = "XXXXXXXXXX" - # Must be the same region the Key Protect instance is in + # Must be the same region the KMS instance is in region = "us-south" } -# Key Protect root key -module "key_protect_root_key" { - source = "terraform-ibm-modules/key-protect-key/ibm" +# KMS root key +module "kms_root_key" { + source = "terraform-ibm-modules/kms-key/ibm" version = "latest" # Replace "latest" with a release version to lock into a specific release - key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid + kms_instance_id = ibm_resource_instance.kms_instance.guid key_name = "my-root-key" } -# Key Protect standard key -module "key_protect_standard_key" { - source = "terraform-ibm-modules/key-protect-key/ibm" +# KMS standard key +module "kms_standard_key" { + source = "terraform-ibm-modules/kms-key/ibm" version = "latest" # Replace "latest" with a release version to lock into a specific release - key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid + kms_instance_id = ibm_resource_instance.kms_instance.guid key_name = "my-standard-key" standard_key = true } @@ -42,7 +42,7 @@ You need the following permissions to run this module. - **Resource Group** service - `Viewer` platform access - IAM Services - - **Key Protect** service + - **KMS** service - `Viewer` platform access - `Manager` service access 
@@ -76,12 +76,12 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | If set to true, Key Protect enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform. | `bool` | `false` | no | +| [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | If set to true, KMS enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform. | `bool` | `false` | no | | [endpoint\_type](#input\_endpoint\_type) | Endpoint to use when creating the Key | `string` | `"public"` | no | | [force\_delete](#input\_force\_delete) | Set as true to enable forcing deletion even if key is in use | `bool` | `false` | no | | [key\_name](#input\_key\_name) | Name to give the key | `string` | n/a | yes | -| [key\_protect\_instance\_id](#input\_key\_protect\_instance\_id) | ID or GUID of Key Protect Instance | `string` | n/a | yes | -| [key\_protect\_key\_ring\_id](#input\_key\_protect\_key\_ring\_id) | The ID of the key ring where you want to add your Key Protect key | `string` | `"default"` | no | +| [kms\_instance\_id](#input\_kms\_instance\_id) | ID or GUID of KMS Instance | `string` | n/a | yes | +| [kms\_key\_ring\_id](#input\_kms\_key\_ring\_id) | The ID of the key ring where you want to add your KMS key | `string` | `"default"` | no | | [rotation\_interval\_month](#input\_rotation\_interval\_month) | The key rotation time interval in months. 
Rotation policy cannot be set for standard key, so value is ignored if var.standard\_key is true | `number` | `1` | no | | [standard\_key](#input\_standard\_key) | Set as true for Standard Key, false for Root Key | `bool` | `false` | no | diff --git a/examples/default/README.md b/examples/default/README.md index 59f6f41..3d19bed 100644 --- a/examples/default/README.md +++ b/examples/default/README.md @@ -3,6 +3,6 @@ An end-to-end example that uses the module's default variable values. This example will: - Create a new resource group (if existing one is not passed in). - - Create a new Key Protect instance in the region and resource group provided. - - Create a new Root Key in the Key Protect instance. - - Create a new Standard Key in the Key Protect instance. + - Create a new KMS (Key Protect) instance in the region and resource group provided. + - Create a new Root Key in the KMS instance. + - Create a new Standard Key in the KMS instance. diff --git a/examples/default/main.tf b/examples/default/main.tf index aca9f18..dca9e6e 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -11,7 +11,7 @@ module "resource_group" { } ############################################################################## -# Key Protect instance +# KMS (Key Protect) instance ############################################################################## resource "ibm_resource_instance" "key_protect_instance" { 
@@ -24,22 +24,22 @@ resource "ibm_resource_instance" "key_protect_instance" { } ############################################################################## -# Key Protect root key +# KMS root key ############################################################################## -module "key_protect_root_key" { - source = "../.." - key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid - key_name = "${var.prefix}-root-key" +module "kms_root_key" { + source = "../.." + kms_instance_id = ibm_resource_instance.key_protect_instance.guid + key_name = "${var.prefix}-root-key" } ############################################################################## -# Key Protect standard key +# KMS standard key ############################################################################## -module "key_protect_standard_key" { - source = "../.." - key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid - key_name = "${var.prefix}-standard-key" - standard_key = true +module "kms_standard_key" { + source = "../.." + kms_instance_id = ibm_resource_instance.key_protect_instance.guid + key_name = "${var.prefix}-standard-key" + standard_key = true } diff --git a/examples/default/outputs.tf b/examples/default/outputs.tf index 13af924..0fc0696 100644 --- a/examples/default/outputs.tf +++ b/examples/default/outputs.tf 
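Review bot: Renaming the module blocks in examples/default/main.tf from `key_protect_root_key` and `key_protect_standard_key` to `kms_root_key` and `kms_standard_key` changes the Terraform address of every resource inside them. A state created before this commit would presumably plan a destroy and re-create of both keys rather than a no-op. For a root key that is destructive, because anything wrapped by the old key can no longer be unwrapped once the key is deleted. If the upgrade path matters here, and the module's minimum Terraform version supports it, a `moved` block with `from = module.key_protect_root_key` and `to = module.kms_root_key` (and the same for the standard key) keeps the existing keys in place. The README could also tell consumers who rename their own module blocks to do the same.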
@@ -13,33 +13,33 @@ output "instance_guid" { } output "root_key_id" { - description = "Key Protect Key ID" - value = module.key_protect_root_key.key_id + description = "Key Protect Root Key ID" + value = module.kms_root_key.key_id } output "root_key_rotation_interval_month" { - description = "Month Interval for Rotation" - value = module.key_protect_root_key.rotation_interval_month + description = "Month Interval for Rotation of Root Key" + value = module.kms_root_key.rotation_interval_month } output "root_key_dual_auth_delete_enabled" { description = "Is Dual Auth Delete Enabled" - value = module.key_protect_root_key.dual_auth_delete + value = module.kms_root_key.dual_auth_delete } output "standard_key_id" { - description = "Key Protect Key ID" - value = module.key_protect_standard_key.key_id + description = "Key Protect Standard Key ID" + value = module.kms_standard_key.key_id } output "standard_key_rotation_interval_month" { - description = "Month Interval for Rotation" - value = module.key_protect_standard_key.rotation_interval_month + description = "Month Interval for Rotation of Standard Key" + value = module.kms_standard_key.rotation_interval_month } output "standard_key_dual_auth_delete_enabled" { description = "Is Dual Auth Delete Enabled" - value = module.key_protect_standard_key.dual_auth_delete + value = module.kms_standard_key.dual_auth_delete } output "resource_group_name" { diff --git a/examples/default/variables.tf b/examples/default/variables.tf index cbd60d9..86d8c12 100644 --- a/examples/default/variables.tf +++ b/examples/default/variables.tf @@ -13,7 +13,7 @@ variable "region" { variable "prefix" { type = string description = "Prefix to append to all resources created by this example" - default = "kp-key" + default = "kms-key" } variable "resource_group" { diff --git a/examples/existing-kms/main.tf b/examples/existing-kms/main.tf index d1aa0fc..69fff56 100644 --- a/examples/existing-kms/main.tf +++ b/examples/existing-kms/main.tf 
@@ -3,9 +3,9 @@ ############################################################################## module "kms_root_key" { - source = "../.." - key_protect_instance_id = var.existing_kms_instance_guid - key_name = "${var.prefix}-root-key" + source = "../.." + kms_instance_id = var.existing_kms_instance_guid + key_name = "${var.prefix}-root-key" } ############################################################################## @@ -13,8 +13,8 @@ module "kms_root_key" { ############################################################################## module "kms_standard_key" { - source = "../.." - key_protect_instance_id = var.existing_kms_instance_guid - key_name = "${var.prefix}-standard-key" - standard_key = true + source = "../.." + kms_instance_id = var.existing_kms_instance_guid + key_name = "${var.prefix}-standard-key" + standard_key = true } diff --git a/examples/existing-kms/outputs.tf b/examples/existing-kms/outputs.tf index fd74339..11b6ae6 100644 --- a/examples/existing-kms/outputs.tf +++ b/examples/existing-kms/outputs.tf @@ -3,7 +3,7 @@ ############################################################################## output "root_key_id" { - description = "Key Protect Key ID" + description = "KMS Root Key ID" value = module.kms_root_key.key_id } @@ -18,7 +18,7 @@ output "root_key_dual_auth_delete_enabled" { } output "standard_key_id" { - description = "Key Protect Key ID" + description = "KMS Standard Key ID" value = module.kms_standard_key.key_id } diff --git a/main.tf b/main.tf index f46c20d..0b97ed7 100644 --- a/main.tf +++ b/main.tf 
@@ -1,11 +1,11 @@ ############################################################################## -# Key Protect Key module +# KMS Key module ############################################################################## resource "ibm_kms_key" "key" { - instance_id = var.key_protect_instance_id + instance_id = var.kms_instance_id key_name = var.key_name - key_ring_id = var.key_protect_key_ring_id + key_ring_id = var.kms_key_ring_id standard_key = var.standard_key endpoint_type = var.endpoint_type force_delete = var.force_delete @@ -14,7 +14,7 @@ resource "ibm_kms_key" "key" { resource "ibm_kms_key_policies" "root_key_policy" { count = var.standard_key ? 0 : 1 endpoint_type = var.endpoint_type - instance_id = var.key_protect_instance_id + instance_id = var.kms_instance_id key_id = ibm_kms_key.key.key_id rotation { interval_month = var.rotation_interval_month @@ -27,7 +27,7 @@ resource "ibm_kms_key_policies" "root_key_policy" { resource "ibm_kms_key_policies" "standard_key_policy" { count = var.standard_key ? 1 : 0 endpoint_type = var.endpoint_type - instance_id = var.key_protect_instance_id + instance_id = var.kms_instance_id key_id = ibm_kms_key.key.key_id dual_auth_delete { enabled = var.dual_auth_delete_enabled diff --git a/module-metadata.json b/module-metadata.json index 2479ce3..5c55b69 100644 --- a/module-metadata.json +++ b/module-metadata.json 
@@ -4,7 +4,7 @@ "dual_auth_delete_enabled": { "name": "dual_auth_delete_enabled", "type": "bool", - "description": "If set to true, Key Protect enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform.", + "description": "If set to true, KMS enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform.", "default": false, "pos": { "filename": "variables.tf", @@ -55,10 +55,10 @@ }, "immutable": true }, - "key_protect_instance_id": { - "name": "key_protect_instance_id", + "kms_instance_id": { + "name": "kms_instance_id", "type": "string", - "description": "ID or GUID of Key Protect Instance", + "description": "ID or GUID of KMS Instance", "required": true, "source": [ "ibm_kms_key.key.instance_id", @@ -75,10 +75,10 @@ "service:kms|hs-crypto" ] }, - "key_protect_key_ring_id": { - "name": "key_protect_key_ring_id", + "kms_key_ring_id": { + "name": "kms_key_ring_id", "type": "string", - "description": "The ID of the key ring where you want to add your Key Protect key", + "description": "The ID of the key ring where you want to add your KMS key", "default": "default", "source": [ "ibm_kms_key.key.key_ring_id" @@ -174,9 +174,9 @@ "attributes": { "endpoint_type": "endpoint_type", "force_delete": "force_delete", - "instance_id": "key_protect_instance_id", + "instance_id": "kms_instance_id", "key_name": "key_name", - "key_ring_id": "key_protect_key_ring_id", + "key_ring_id": "kms_key_ring_id", "standard_key": "standard_key" }, "provider": { @@ -194,7 +194,7 @@ "attributes": { "count": "standard_key", "endpoint_type": "endpoint_type", - "instance_id": "key_protect_instance_id" + "instance_id": "kms_instance_id" }, "provider": { "name": "ibm" 
@@ -211,7 +211,7 @@ "attributes": { "count": "standard_key", "endpoint_type": "endpoint_type", - "instance_id": "key_protect_instance_id" + "instance_id": "kms_instance_id" }, "provider": { "name": "ibm" diff --git a/tests/pr_test.go b/tests/pr_test.go index 022c78d..6652dd4 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -2,20 +2,41 @@ package test import ( + "log" + "os" "testing" "github.com/stretchr/testify/assert" + "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" ) // Use existing resource group for tests const resourceGroup = "geretain-test-key-protect-key" -const terraformDir = "examples/default" +const defaultExampleTerraformDir = "examples/default" +const existingKmsExampleTerraformDir = "examples/existing-kms" + +// Define a struct with fields that match the structure of the YAML data +const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" + +var permanentResources map[string]interface{} + +// TestMain will be run before any parallel tests, used to read data from yaml for use with tests +func TestMain(m *testing.M) { + + var err error + permanentResources, err = common.LoadMapFromYaml(yamlLocation) + if err != nil { + log.Fatal(err) + } + + os.Exit(m.Run()) +} func setupOptions(t *testing.T, prefix string) *testhelper.TestOptions { options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ Testing: t, - TerraformDir: terraformDir, + TerraformDir: defaultExampleTerraformDir, Prefix: prefix, ResourceGroup: resourceGroup, }) 
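Review bot: The comment above `yamlLocation` in tests/pr_test.go says "Define a struct with fields that match the structure of the YAML data", but the new code declares a path constant and a `map[string]interface{}`, not a struct. It should read something like `// yamlLocation is the path to the shared YAML file listing permanent test resources`. TestMain also calls `log.Fatal(err)` for the whole package, so a missing or unreadable file at that relative path stops TestRunDefaultExample and TestRunUpgrade as well, although neither uses it. `log.Fatalf("loading %s: %v", yamlLocation, err)` would at least make the cause obvious in CI logs. setupOptions continues past the end of this hunk.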
@@ -26,7 +47,24 @@ func setupOptions(t *testing.T, prefix string) *testhelper.TestOptions { func TestRunDefaultExample(t *testing.T) { t.Parallel() - options := setupOptions(t, "kp-key") + options := setupOptions(t, "kms-key") + output, err := options.RunTestConsistency() + assert.Nil(t, err, "This should not have errored") + assert.NotNil(t, output, "Expected some output") +} + +func TestRunExistingKMSExample(t *testing.T) { + t.Parallel() + + options := testhelper.TestOptionsDefault(&testhelper.TestOptions{ + Testing: t, + TerraformDir: existingKmsExampleTerraformDir, + Prefix: "hpcs", + TerraformVars: map[string]interface{}{ + "existing_kms_instance_guid": permanentResources["hpcs_south"], + }, + }) + output, err := options.RunTestConsistency() assert.Nil(t, err, "This should not have errored") assert.NotNil(t, output, "Expected some output") @@ -35,7 +73,7 @@ func TestRunDefaultExample(t *testing.T) { func TestRunUpgrade(t *testing.T) { t.Parallel() - options := setupOptions(t, "kp-key-upg") + options := setupOptions(t, "kms-key-upg") output, err := options.RunTestUpgrade() if !options.UpgradeTestSkipped { assert.Nil(t, err, "This should not have errored") diff --git a/variables.tf b/variables.tf index 992065e..64d8f87 100644 --- a/variables.tf +++ b/variables.tf @@ -2,9 +2,9 @@ # Input Variables ############################################################################## -variable "key_protect_instance_id" { +variable "kms_instance_id" { type = string - description = "ID or GUID of Key Protect Instance" + description = "ID or GUID of KMS Instance" } variable "key_name" { @@ -12,9 +12,9 @@ variable "key_name" { description = "Name to give the key" } -variable "key_protect_key_ring_id" { +variable "kms_key_ring_id" { type = string - description = "The ID of the key ring where you want to add your Key Protect key" + description = "The ID of the key ring where you want to add your KMS key" default = "default" } 
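Review bot: In TestRunExistingKMSExample, `permanentResources["hpcs_south"]` is passed to Terraform without checking that the key exists. A renamed or missing YAML entry therefore yields a nil value, and the failure surfaces later inside the Terraform run instead of at the lookup. Assuming the YAML value is a string, I would resolve it first with `guid, ok := permanentResources["hpcs_south"].(string)` and `if !ok || guid == "" { t.Fatal("hpcs_south not found in permanent resources") }`, then pass `guid`. The test also creates keys in a shared, long-lived HPCS instance under the fixed prefix "hpcs". It is worth confirming that the helper makes the prefix unique per run and that keys are removed when a run fails, since leftovers would accumulate in an instance other tests depend on.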
@@ -47,7 +47,7 @@ variable "rotation_interval_month" { variable "dual_auth_delete_enabled" { type = bool - description = "If set to true, Key Protect enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform." + description = "If set to true, KMS enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform." default = false }