feat!: Restricting autokey module to autokey configuration use case (#163)

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

Author: nb-goog

docs/importing_autokey_key_handles.md

@@ -0,0 +1,21 @@
+# Upgrading to v4.0
+The v4.0 release of *kms* is a backwards incompatible release.
+
+### Autokey Submodule
+The current users of Autokey submodules needs to
+- Switch `project_id` to `key_project_id`
+- Stop using `autokey_handles` field to generate keyhandles, instead directly use `google_kms_key_handle` terraform resource to create keyhandles. For detailed example check [bucket_setup_using_autokey](../examples/bucket_setup_using_autokey/).
+
+
+### To Migrate from v3.0 to v4.0
+Using V3.0 of Autokey modules if you have created keyhandles and wants to use them with V4.0 version then they need to be imported using below steps
+
+1. Retrieve the keyhandles created:
+    -  Run `terraform  state list module.autokey.google_kms_key_handle.primary` to list all keyhandles created using v3.0
+    -  For each item in the output of above CLI, run `terraform state show 'module.autokey.google_kms_key_handle.primary["<an id from the output of list>"]'` and copy the resulting `id` field from the cli output to notepad
+2. Delete all keyhandles from the state: run `terraform state rm module.autokey.google_kms_key_handle.primary`
+3. Update the main root module to use V4.0 version. Add the keyhandle config definition to the main root module for all the keyhandle found in step1.
+4. Import all the keyhandles configs using id copied in setp1 to the terraform state
+    - for each keyhandle id found in step1, Run `terraform  import resource.google_kms_key_handle.<key_handle_name_given_in_step3> "<paste corresponding keyhandle id copied in step 1>"`
+
+

docs/upgrading_to_v4.0.md

@@ -0,0 +1,26 @@
+# Autokey Example
+
+This example illustrates how to setup the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes |
+| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| autokey\_config\_id | An Autokey configuration identifier. |
+| key\_project\_id | The ID of the project in which kms keyring and kms keys will be provisioned by autokey. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/autokey_example/main.tf

@@ -0,0 +1,24 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+  source  = "terraform-google-modules/kms/google//modules/autokey"
+  version = "~> 4.0"
+
+  key_project_id        = var.key_project_id
+  autokey_folder_number = var.folder_id
+}
+

examples/autokey_setup/README.md

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "autokey_config_id" {
+  description = "An Autokey configuration identifier."
+  value       = module.autokey.autokey_config_id
+}
+
+output "key_project_id" {
+  description = "The ID of the project in which kms keyring and kms keys will be provisioned by autokey."
+  value       = var.key_project_id
+}

examples/autokey_setup/main.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_project_id" {
+  description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+  type        = string
+}
+
+variable "folder_id" {
+  type        = string
+  description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+

examples/autokey_setup/outputs.tf

@@ -1,23 +1,23 @@
 # Autokey Example
 
-This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature.
+This example illustrates how to use the `autokey` kms submodule for [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature to create the bucket.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| autokey\_resource\_project\_id | The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK). | `string` | n/a | yes |
-| folder\_id | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes |
-| project\_id | The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys). | `string` | n/a | yes |
+| bucket\_location | The GCP location where storage bucket will be created | `string` | `"us-central1"` | no |
+| folder\_id | The ID of the folder for which to configure and enable Autokey feature. | `string` | n/a | yes |
+| key\_project\_id | The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey. | `string` | n/a | yes |
+| resource\_project\_id | The ID of the project in which to provision cloud storage bucket resource. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| autokey\_config\_id | An Autokey configuration identifier. |
-| autokey\_keyhandles | A map of KeyHandles created. |
-| autokey\_project\_id | Project used for autokey. |
+| bucket\_keyhandle | Keyhandle configuration created for the bucket. |
+| bucket\_name | Name of the bucket created. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/autokey_setup/variables.tf

@@ -0,0 +1,62 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "autokey" {
+  source  = "terraform-google-modules/kms/google//modules/autokey"
+  version = "~> 4.0"
+
+  key_project_id        = var.key_project_id
+  autokey_folder_number = var.folder_id
+}
+
+# Wait delay for autokey configuration.
+resource "time_sleep" "wait_autokey_config" {
+  create_duration = "20s"
+  depends_on      = [module.autokey]
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+resource "google_kms_key_handle" "bucket_keyhandle" {
+  provider               = google-beta
+  name                   = "${var.resource_project_id}-keyhandle-${random_string.suffix.result}"
+  project                = var.resource_project_id
+  location               = var.bucket_location
+  resource_type_selector = "storage.googleapis.com/Bucket"
+
+  lifecycle {
+    ignore_changes = [name]
+  }
+  depends_on = [time_sleep.wait_autokey_config]
+}
+
+module "bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~> 9.0"
+
+  name       = "${var.resource_project_id}-bucket-${random_string.suffix.result}"
+  project_id = var.resource_project_id
+  location   = var.bucket_location
+  encryption = {
+    default_kms_key_name = resource.google_kms_key_handle.bucket_keyhandle.kms_key
+  }
+
+  depends_on = [resource.google_kms_key_handle.bucket_keyhandle]
+}

examples/autokey_example/README.md examples/bucket_setup_using_autokey/README.md

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket_keyhandle" {
+  description = "Keyhandle configuration created for the bucket."
+  value       = resource.google_kms_key_handle.bucket_keyhandle
+}
+
+output "bucket_name" {
+  description = "Name of the bucket created."
+  value       = module.bucket.name
+}

examples/bucket_setup_using_autokey/main.tf

@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_project_id" {
+  description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+  type        = string
+}
+
+variable "folder_id" {
+  type        = string
+  description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+
+variable "resource_project_id" {
+  description = "The ID of the project in which to provision cloud storage bucket resource."
+  type        = string
+}
+
+variable "bucket_location" {
+  type        = string
+  description = "The GCP location where storage bucket will be created"
+  default     = "us-central1"
+}

examples/bucket_setup_using_autokey/outputs.tf

@@ -1,22 +1,18 @@
 # Autokey submodule
 
-This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature simple to be used. This submodule will create the [Autokey Config](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) for an existing folder where you want to enable Autokey, set up the Cloud KMS [service agent](https://cloud.google.com/kms/docs/enable-autokey#autokey-service-agent) on an existing key project and create [Key Handles](https://cloud.google.com/kms/docs/resource-hierarchy#key_handles) for existing resource projects.
-
+This is a submodule built to make [KMS Autokey](https://cloud.google.com/kms/docs/autokey-overview) feature simple to be used. This submodule will create the [Autokey Config](https://cloud.google.com/kms/docs/enable-autokey#enable-autokey-folder) for an existing folder where you want to enable Autokey, set up the Cloud KMS [service agent](https://cloud.google.com/kms/docs/enable-autokey#autokey-service-agent) on an existing key project.
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| autokey\_folder\_number | The Autokey folder number used by Autokey config resource. Required when using Autokey. | `string` | n/a | yes |
-| autokey\_handles | (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service.<br>- name: The resource name for the KeyHandle.<br>- resource\_type\_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services.<br>- location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.<br>- project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used. | <pre>map(object({<br>    name                   = string<br>    resource_type_selector = string<br>    location               = string<br>    project                = string<br>  }))</pre> | `null` | no |
-| project\_id | Project id where the Autokey configuration and KeyHandles will be created. | `string` | n/a | yes |
+| autokey\_folder\_number | The folder number on which autokey will be configured and enabled. Required when using Autokey. | `string` | n/a | yes |
+| key\_project\_id | The ID of the project in which kms keyrings and keys will be provisioned by the Autokey. | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | autokey\_config\_id | An Autokey configuration identifier. |
-| autokey\_keyhandles | A map of KeyHandles created. |
-| random\_suffix | Random 4 digits suffix used in Autokey submodule. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/bucket_setup_using_autokey/variables.tf

@@ -15,12 +15,11 @@
  */
 
 data "google_project" "kms_project" {
-  project_id = var.project_id
+  project_id = var.key_project_id
 }
 
 #Create KMS Service Agent
 resource "google_project_service_identity" "kms_service_agent" {
-  count    = var.autokey_handles != null ? 1 : 0
   provider = google-beta
 
   service = "cloudkms.googleapis.com"
@@ -29,27 +28,22 @@ resource "google_project_service_identity" "kms_service_agent" {
 
 # Wait delay after creating service agent.
 resource "time_sleep" "wait_service_agent" {
-  count = var.autokey_handles != null ? 1 : 0
-
   create_duration = "10s"
   depends_on      = [google_project_service_identity.kms_service_agent]
 }
 
 #Grant the KMS Service Agent the Cloud KMS Admin role
 resource "google_project_iam_member" "autokey_project_admin" {
-  count    = var.autokey_handles != null ? 1 : 0
   provider = google-beta
 
-  project    = var.project_id
+  project    = var.key_project_id
   role       = "roles/cloudkms.admin"
   member     = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com"
   depends_on = [time_sleep.wait_service_agent]
 }
 
 # Wait delay after granting IAM permissions
 resource "time_sleep" "wait_srv_acc_permissions" {
-  count = var.autokey_handles != null ? 1 : 0
-
   create_duration = "10s"
   depends_on      = [google_project_iam_member.autokey_project_admin]
 }

modules/autokey/README.md

@@ -18,27 +18,6 @@ resource "google_kms_autokey_config" "primary" {
   provider = google-beta
 
   folder      = var.autokey_folder_number
-  key_project = "projects/${var.project_id}"
-}
-
-resource "random_string" "suffix" {
-  length  = 4
-  special = false
-  upper   = false
-}
-
-resource "google_kms_key_handle" "primary" {
-  for_each = var.autokey_handles != null ? var.autokey_handles : tomap({})
-  provider = google-beta
-
-  project                = each.value.project
-  name                   = "${each.value.name}-${random_string.suffix.result}"
-  location               = each.value.location
-  resource_type_selector = each.value.resource_type_selector
-
-  lifecycle {
-    ignore_changes = [name]
-  }
-
-  depends_on = [time_sleep.wait_srv_acc_permissions]
+  key_project = "projects/${var.key_project_id}"
+  depends_on  = [time_sleep.wait_srv_acc_permissions]
 }

modules/autokey/iam.tf

@@ -18,13 +18,3 @@ output "autokey_config_id" {
   description = "An Autokey configuration identifier."
   value       = google_kms_autokey_config.primary.id
 }
-
-output "autokey_keyhandles" {
-  description = "A map of KeyHandles created."
-  value       = var.autokey_handles != null ? google_kms_key_handle.primary : {}
-}
-
-output "random_suffix" {
-  description = "Random 4 digits suffix used in Autokey submodule."
-  value       = random_string.suffix.result
-}

modules/autokey/main.tf

@@ -14,29 +14,13 @@
  * limitations under the License.
  */
 
-variable "project_id" {
-  description = "Project id where the Autokey configuration and KeyHandles will be created."
+variable "key_project_id" {
+  description = "The ID of the project in which kms keyrings and keys will be provisioned by the Autokey."
   type        = string
 }
 
 variable "autokey_folder_number" {
   type        = string
-  description = "The Autokey folder number used by Autokey config resource. Required when using Autokey."
+  description = "The folder number on which autokey will be configured and enabled. Required when using Autokey."
 }
 
-variable "autokey_handles" {
-  type = map(object({
-    name                   = string
-    resource_type_selector = string
-    location               = string
-    project                = string
-  }))
-  description = <<-EOF
-    (Optional) A KeyHandle is a resource used by Autokey to auto-provision CryptoKeys for CMEK for a particular service.
-    - name: The resource name for the KeyHandle.
-    - resource_type_selector: Indicates the resource type that the resulting CryptoKey is meant to protect, in the following format: {SERVICE}.googleapis.com/{TYPE}. For example, storage.googleapis.com/Bucket. All Cloud KMS Autokey compatible services available at https://cloud.google.com/kms/docs/autokey-overview#compatible-services.
-    - location: The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.
-    - project: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
-  EOF
-  default     = null
-}

modules/autokey/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module "autokey_setup_fixture" {
+  source         = "../../../examples/autokey_setup"
+  key_project_id = var.project_id
+  folder_id      = var.folder_id
+}

modules/autokey/variables.tf

@@ -16,15 +16,10 @@
 
 output "autokey_config_id" {
   description = "An Autokey configuration identifier."
-  value       = module.autokey.autokey_config_id != null ? module.autokey.autokey_config_id : ""
+  value       = module.autokey_setup_fixture.autokey_config_id
 }
 
-output "autokey_keyhandles" {
-  description = "A map of KeyHandles created."
-  value       = module.autokey.autokey_keyhandles != null ? module.autokey.autokey_keyhandles : {}
-}
-
-output "autokey_project_id" {
-  description = "Project used for autokey."
+output "key_project_id" {
+  description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
   value       = var.project_id
 }

scripts/create_autokey_tfvars_file.sh

@@ -15,17 +15,12 @@
  */
 
 variable "project_id" {
-  description = "The ID of the project in which to provision Autokey resources (autokey keyring and keyHandle keys)."
-  type        = string
-}
-
-variable "autokey_resource_project_id" {
-  description = "The ID of the project for Autokey to be used (e.g: a storage project which expects to use Autokey as CMEK)."
+  description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
   type        = string
 }
 
 variable "folder_id" {
+  description = "The ID of the folder for which to configure and enable Autokey feature."
   type        = string
-  description = "The Autokey folder number used by Autokey config resource. Required when using Autokey."
-}
 
+}

scripts/export_autokey_env_vars.sh

@@ -0,0 +1,22 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module "bucket_setup_using_autokey_fixture" {
+  source              = "../../../examples/bucket_setup_using_autokey"
+  key_project_id      = var.project_id
+  folder_id           = var.folder_id
+  resource_project_id = var.resource_project_id
+  bucket_location     = var.bucket_location
+}

scripts/import_autokey_state.sh

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket_keyhandle" {
+  description = "Keyhandle configuration created for the bucket."
+  value       = module.bucket_setup_using_autokey_fixture.bucket_keyhandle
+}
+
+output "bucket_name" {
+  description = "Name of the bucket created."
+  value       = module.bucket_setup_using_autokey_fixture.bucket_name
+}

scripts/unset_autokey_env_vars.sh

@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The ID of the project in which KMS keyring and KMS keys will be provisioned by autokey."
+  type        = string
+}
+
+variable "folder_id" {
+  type        = string
+  description = "The ID of the folder for which to configure and enable Autokey feature."
+}
+
+variable "resource_project_id" {
+  description = "The ID of the project in which to provision cloud storage bucket resources."
+  type        = string
+}
+
+variable "bucket_location" {
+  type        = string
+  description = "The GCP location where storage bucket will be created"
+  default     = "us-central1"
+}

test/fixtures/autokey_setup_fixture/main.tf

@@ -12,36 +12,27 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package autokey_example
+package autokey_setup
 
 import (
 	"context"
 	"fmt"
 	"io"
-	"regexp"
 	"testing"
 
-	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
 	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
 	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/oauth2/google"
 )
 
-func validateKeyHandleVersion(input string, projectId string, autokeyResource string) bool {
-	pattern := fmt.Sprintf(`^projects/%s/locations/us-central1/keyRings/autokey/cryptoKeys/%s-(bigquery-dataset|compute-disk|storage-bucket)-.*?/cryptoKeyVersions/1$`, projectId, autokeyResource)
-	regex := regexp.MustCompile(pattern)
-	return regex.MatchString(input)
-}
-
-func TestAutokeyExample(t *testing.T) {
-	bpt := tft.NewTFBlueprintTest(t)
+func TestAutokeySetup(t *testing.T) {
+	bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/autokey_setup_fixture"))
 	bpt.DefineVerify(func(assert *assert.Assertions) {
 		bpt.DefaultVerify(assert)
 
-		projectId := bpt.GetStringOutput("autokey_project_id")
+		kmsProjectId := bpt.GetStringOutput("key_project_id")
 		autokeyConfig := bpt.GetStringOutput("autokey_config_id")
-		autokeyResourceProjectNumber := bpt.GetTFSetupJsonOutput("autokey_resource_project_number")
 
 		// Autokey config doesn't have a gcloud command yet. That's why we need to hit the API.
 		autokeyConfigUrl := fmt.Sprintf("https://cloudkms.googleapis.com/v1/%s", autokeyConfig)
@@ -65,19 +56,9 @@ func TestAutokeyExample(t *testing.T) {
 
 		result := utils.ParseJSONResult(t, string(body))
 
-		// Asserting if Autokey configuration was created
+		// Asserting if Autokey configuration was enabled with correct kms project id
 		autokeyConfigProject := result.Get("keyProject").String()
-		assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", projectId), "autokey expected for project %s", projectId)
-
-		// Asserting if Autokey keyring was created
-		op := gcloud.Runf(t, "--project=%s kms keyrings list --location us-central1 --filter name:autokey", projectId).Array()[0].Get("name")
-		assert.Contains(op.String(), fmt.Sprintf("projects/%s/locations/us-central1/keyRings/autokey", projectId), "Contains Autokey KeyRing")
-
-		// Asserting if Autokey keyHandles were created
-		op1 := gcloud.Runf(t, "kms keys list --project=%s --keyring autokey --location us-central1", projectId).Array()
-		for _, element := range op1 {
-			assert.True(validateKeyHandleVersion(element.Get("primary").Map()["name"].Str, projectId, autokeyResourceProjectNumber.Str), "Contains KeyHandles")
-		}
+		assert.Equal(autokeyConfigProject, fmt.Sprintf("projects/%s", kmsProjectId), "autokey expected for project %s", kmsProjectId)
 	})
 
 	bpt.Test()

examples/autokey_example/outputs.tf test/fixtures/autokey_setup_fixture/outputs.tf

@@ -0,0 +1,41 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bucket_setup_using_autokey
+
+import (
+	"testing"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBucketSetupUsingAutokey(t *testing.T) {
+	bpt := tft.NewTFBlueprintTest(t, tft.WithTFDir("../../fixtures/bucket_setup_using_autokey_fixture"))
+	bpt.DefineVerify(func(assert *assert.Assertions) {
+		bpt.DefaultVerify(assert)
+
+		bucketKeyHandle := bpt.GetJsonOutput("bucket_keyhandle")
+		bucketName := bpt.GetStringOutput("bucket_name")
+
+		keyHandleKmsKey := bucketKeyHandle.Get("kms_key").String()
+		op1 := gcloud.Runf(t, "storage buckets describe gs://%s", bucketName).Array()
+		bucketKmsKey := op1[0].Map()["default_kms_key"].Str
+		assert.True(keyHandleKmsKey != "", "Invalid KMS Key generated for bucket keyhandle")
+		assert.True(bucketKmsKey == keyHandleKmsKey, "KMS Key generated for bucket keyhandle %s is not matching with kms key used in bucket %s", keyHandleKmsKey, bucketKmsKey)
+	})
+
+	bpt.Test()
+}

examples/autokey_example/variables.tf test/fixtures/autokey_setup_fixture/variables.tf

@@ -18,11 +18,11 @@ output "project_id" {
   value = module.project_ci_kms.project_id
 }
 
-output "autokey_resource_project_id" {
+output "resource_project_id" {
   value = module.autokey_resource_project.project_id
 }
 
-output "autokey_resource_project_number" {
+output "resource_project_number" {
   value = module.autokey_resource_project.project_number
 }