Add files via upload

README.md

@@ -2,7 +2,7 @@
 Autokey simplifies creating and managing customer encryption keys (CMEK) by automating provisioning and assignment.  With Autokey, your key rings, keys, and service accounts do not need to be pre-planned and provisioned. Instead, they are generated on demand as part of resource creation. This module makes it easy to set up [Auto KMS](https://cloud.google.com/kms/docs/autokey-overview).
 
 How to set up KMS Autokey:
-- Choose an existing folder or create a new  resource folder.  You will be creating resource projects in this folder.  All of the resources created in these projects can use Autokey.
+- Choose an existing folder or create a new  folder.  You will be creating or using an existing key projects in this folder.  All of the resources created in these projects can use Autokey.
 - Choose the parent for the resource folder, either it can be root of the organization or any existing folder
 - Enable Cloud KMS API in the Autokey project.
 - Create and assign the Autokey service agent. 
@@ -26,9 +26,6 @@ module "autokey" {
   create_new_autokey_key_project = true                                     ## set to false to use existing project
   autokey_key_project_name       = "autokey-project"                        ## must be 6 to 30 letters, digits, hyphens and start with a letter.; applicable only if creating new folder, otherwise declare null
   autokey_key_project_id         = ""                                       ## update if using existing project
-  create_new_resource_project    = true                                     ## update to 'false' to use an existing project
-  resource_project_name          = "resource-project"                       ## must be 6 to 30 letters, digits, hyphens and start with a letter.; applicable only if creating new folder, otherwise declare null
-  resource_project_id            = ""                                       ## update project_id if using existing project
   autokey_folder_admins          = ["user:foo@example.com"] ## List the users who should have the authority to enable and configure Autokey at a folder level;  example user listing ["user:foo@example.com", "user:bar@example.com"]
   autokey_folder_users           = ["user:user:bar@example.com"] ## List the users who should have the authority to protect their resources with Autokey;  example user listing ["user:foo@example.com", "user:bar@example.com"]
   autokey_project_kms_admins     = ["user:user:bar@example.com"] ## List the users who should have the authority to manage crypto operations in the Key Management Project; example user listing ["user:foo@example.com", "user:bar@example.com"]
@@ -46,17 +43,14 @@ module "autokey" {
 | autokey\_folder\_users | List the users who should have the authority to protect their resources with Autokey | `list(string)` | n/a | yes |
 | autokey\_key\_project\_id | Project name to deploy resources | `string` | `null` | no |
 | autokey\_key\_project\_name | Project name to deploy resources | `string` | `"autokey-project"` | no |
-| autokey\_project\_kms\_admins | List the users who should have the authority to manage crypto operations in the Key Management Project | `list(string)` | n/a | yes |
+| autokey\_project\_kms\_admins | List the users who should have the authority to manage crypto operations in the Key Management Project | `set(string)` | n/a | yes |
 | billing\_account | billing account required | `string` | n/a | yes |
 | create\_new\_autokey\_key\_project | If true, the Terraform will create a new project for autokey key. If false, will use an existing project | `bool` | `true` | no |
 | create\_new\_folder | If true, the Terraform will create a new folder. If false, will use an existing folder | `bool` | `true` | no |
-| create\_new\_resource\_project | If true, the Terraform will create a new project for resources. If false, will use an existing project | `bool` | `true` | no |
 | folder\_id | Resource folders should use KMS Autokey | `string` | `null` | no |
 | organization\_id | Organization ID to add tags at Org level | `string` | n/a | yes |
 | parent\_folder\_id | Folder ID to create child folder for autokey | `string` | n/a | yes |
 | parent\_is\_folder | Folder ID to create child folder for autokey | `bool` | `true` | no |
-| resource\_project\_id | Project id to deploy resources | `string` | `null` | no |
-| resource\_project\_name | Project name to deploy resources | `string` | `"resource-project"` | no |
 | skip\_delete | If true, the Terraform resource can be deleted without deleting the Project via the Google API. | `string` | `"false"` | no |
 
 ## Outputs
@@ -66,7 +60,6 @@ module "autokey" {
 | autokey\_config | KMS Autokey config |
 | key\_project\_id | key\_project\_id |
 | random\_id | random id |
-| resource\_project\_id | resource\_project\_id |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

main.tf

@@ -23,9 +23,8 @@ locals {
   autokey_key_project_id     = var.create_new_autokey_key_project ? "${var.autokey_key_project_name}-${random_id.random_suffix.hex}" : var.autokey_key_project_id
   autokey_key_project_number = data.google_project.key_project.number
 
-  #  project ID for resource project
-  resource_project_id     = var.create_new_resource_project ? "${var.resource_project_name}-${random_id.random_suffix.hex}" : var.resource_project_id
-  resource_project_number = data.google_project.resource_project.number
+  # Prepping KMS Admins users and autokey service for KMS Admin Role
+  new_autokey_project_kms_admins = setunion(var.autokey_project_kms_admins, ["serviceAccount:service-${local.autokey_key_project_number}@gcp-sa-cloudkms.iam.gserviceaccount.com"])
 }
 
 
@@ -35,13 +34,6 @@ data "google_project" "key_project" {
 }
 
 
-data "google_project" "resource_project" {
-  project_id = local.resource_project_id
-  depends_on = [google_project.resource_project]
-}
-
-
-
 
 
 # Create Folder in GCP Organization
@@ -57,25 +49,15 @@ resource "google_folder" "autokey_folder" {
 resource "google_project" "key_project" {
   count           = var.create_new_autokey_key_project ? 1 : 0
   billing_account = var.billing_account
-
-  folder_id   = var.create_new_folder ? google_folder.autokey_folder[count.index].name : "folders/${var.folder_id}"
-  name        = var.autokey_key_project_name
-  project_id  = local.autokey_key_project_id
-  skip_delete = var.skip_delete
-  depends_on  = [google_folder.autokey_folder]
-}
-
-# Create the project
-resource "google_project" "resource_project" {
-  count           = var.create_new_resource_project ? 1 : 0
-  billing_account = var.billing_account
   folder_id       = var.create_new_folder ? google_folder.autokey_folder[count.index].name : "folders/${var.folder_id}"
-  name            = var.resource_project_name
-  project_id      = local.resource_project_id
+  name            = var.autokey_key_project_name
+  project_id      = local.autokey_key_project_id
   skip_delete     = var.skip_delete
   depends_on      = [google_folder.autokey_folder]
 }
 
+
+
 #Set permissions for key admins to use Autokey in this folder
 resource "google_folder_iam_binding" "autokey_folder_admin" {
   count   = 1
@@ -92,15 +74,6 @@ resource "google_folder_iam_binding" "autokey_folder_users" {
   members = var.autokey_folder_users
 }
 
-#Set permissions for key admins to use Autokey in this project
-resource "google_project_iam_binding" "autokey_project_admin" {
-  count      = 1
-  project    = local.autokey_key_project_id
-  role       = "roles/cloudkms.admin"
-  members    = var.autokey_project_kms_admins
-  depends_on = [google_project.key_project]
-}
-
 
 
 # Enable the necessary API services
@@ -134,21 +107,24 @@ resource "google_project_service_identity" "KMS_Service_Agent" {
   depends_on = [time_sleep.wait_enable_service_api]
 }
 
-
-
-#Grant the KMS Service Agent the Cloud KMS Admin role
-resource "google_project_iam_member" "autokey_project_admin" {
-  project    = local.autokey_key_project_id
-  role       = "roles/cloudkms.admin"
-  member     = "serviceAccount:service-${local.autokey_key_project_number}@gcp-sa-cloudkms.iam.gserviceaccount.com"
+#Set permissions for key admins and KMS Service Agent the Cloud KMS Admin role
+resource "google_project_iam_binding" "autokey_project_admin" {
+  count   = 1
+  project = local.autokey_key_project_id
+  role    = "roles/cloudkms.admin"
+  members = local.new_autokey_project_kms_admins
+  #["setunion(${var.autokey_project_kms_admins}, serviceAccount:service-${local.autokey_key_project_number}@gcp-sa-cloudkms.iam.gserviceaccount.com)"]
   depends_on = [google_project_service_identity.KMS_Service_Agent]
 }
 
+
+
+
 # Wait delay kms service account IAM permissions
 resource "time_sleep" "wait_srv_acc_priv" {
   create_duration = "15s"
   #  destroy_duration = "15s"
-  depends_on = [google_project_iam_member.autokey_project_admin]
+  depends_on = [google_project_iam_binding.autokey_project_admin]
 }
 
 resource "google_kms_autokey_config" "autokey_config" {

outputs.tf

@@ -15,7 +15,7 @@
 
 output "autokey_config" {
   description = "KMS Autokey config"
-  value       = google_kms_autokey_config.autokey_config
+  value       = google_kms_autokey_config.autokey_config[0].id
 }
 
 
@@ -24,10 +24,6 @@ output "key_project_id" {
   value       = data.google_project.key_project.project_id
 }
 
-output "resource_project_id" {
-  description = "resource_project_id"
-  value       = data.google_project.resource_project.project_id
-}
 
 
 output "random_id" {

test/setup/README.md

@@ -2,7 +2,7 @@
 Autokey simplifies creating and managing customer encryption keys (CMEK) by automating provisioning and assignment.  With Autokey, your key rings, keys, and service accounts do not need to be pre-planned and provisioned. Instead, they are generated on demand as part of resource creation. This module makes it easy to set up [Auto KMS](https://cloud.google.com/kms/docs/autokey-overview).
 
 How to set up KMS Autokey:
-- Choose an existing folder or create a new  resource folder.  You will be creating resource projects in this folder.  All of the resources created in these projects can use Autokey.
+- Choose an existing folder or create a new  folder.  You will be creating or using an existing key projects in this folder.  All of the resources created in these projects can use Autokey.
 - Choose the parent for the resource folder, either it can be root of the organization or any existing folder
 - Enable Cloud KMS API in the Autokey project.
 - Create and assign the Autokey service agent. 
@@ -26,9 +26,6 @@ module "autokey" {
   create_new_autokey_key_project = true                                     ## set to false to use existing project
   autokey_key_project_name       = "autokey-project"                        ## must be 6 to 30 letters, digits, hyphens and start with a letter.; applicable only if creating new folder, otherwise declare null
   autokey_key_project_id         = ""                                       ## update if using existing project
-  create_new_resource_project    = true                                     ## update to 'false' to use an existing project
-  resource_project_name          = "resource-project"                       ## must be 6 to 30 letters, digits, hyphens and start with a letter.; applicable only if creating new folder, otherwise declare null
-  resource_project_id            = ""                                       ## update project_id if using existing project
   autokey_folder_admins          = ["user:foo@example.com"] ## List the users who should have the authority to enable and configure Autokey at a folder level;  example user listing ["user:foo@example.com", "user:bar@example.com"]
   autokey_folder_users           = ["user:user:bar@example.com"] ## List the users who should have the authority to protect their resources with Autokey;  example user listing ["user:foo@example.com", "user:bar@example.com"]
   autokey_project_kms_admins     = ["user:user:bar@example.com"] ## List the users who should have the authority to manage crypto operations in the Key Management Project; example user listing ["user:foo@example.com", "user:bar@example.com"]
@@ -46,17 +43,14 @@ module "autokey" {
 | autokey\_folder\_users | List the users who should have the authority to protect their resources with Autokey | `list(string)` | n/a | yes |
 | autokey\_key\_project\_id | Project name to deploy resources | `string` | `null` | no |
 | autokey\_key\_project\_name | Project name to deploy resources | `string` | `"autokey-project"` | no |
-| autokey\_project\_kms\_admins | List the users who should have the authority to manage crypto operations in the Key Management Project | `list(string)` | n/a | yes |
+| autokey\_project\_kms\_admins | List the users who should have the authority to manage crypto operations in the Key Management Project | `set(string)` | n/a | yes |
 | billing\_account | billing account required | `string` | n/a | yes |
 | create\_new\_autokey\_key\_project | If true, the Terraform will create a new project for autokey key. If false, will use an existing project | `bool` | `true` | no |
 | create\_new\_folder | If true, the Terraform will create a new folder. If false, will use an existing folder | `bool` | `true` | no |
-| create\_new\_resource\_project | If true, the Terraform will create a new project for resources. If false, will use an existing project | `bool` | `true` | no |
 | folder\_id | Resource folders should use KMS Autokey | `string` | `null` | no |
 | organization\_id | Organization ID to add tags at Org level | `string` | n/a | yes |
 | parent\_folder\_id | Folder ID to create child folder for autokey | `string` | n/a | yes |
 | parent\_is\_folder | Folder ID to create child folder for autokey | `bool` | `true` | no |
-| resource\_project\_id | Project id to deploy resources | `string` | `null` | no |
-| resource\_project\_name | Project name to deploy resources | `string` | `"resource-project"` | no |
 | skip\_delete | If true, the Terraform resource can be deleted without deleting the Project via the Google API. | `string` | `"false"` | no |
 
 ## Outputs
@@ -66,7 +60,6 @@ module "autokey" {
 | autokey\_config | KMS Autokey config |
 | key\_project\_id | key\_project\_id |
 | random\_id | random id |
-| resource\_project\_id | resource\_project\_id |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

variables.tf

@@ -73,25 +73,6 @@ variable "autokey_key_project_id" {
   default     = null
 }
 
-variable "create_new_resource_project" {
-  description = " If true, the Terraform will create a new project for resources. If false, will use an existing project"
-  type        = bool
-  default     = true ## update to 'false' to use an existing project
-}
-
-variable "resource_project_name" {
-  type        = string
-  description = "Project name to deploy resources"
-  default     = "resource-project" # no spaces only aalowed to have characters, numbers and special characters
-
-}
-
-variable "resource_project_id" {
-  type        = string
-  description = "Project id to deploy resources"
-  default     = null
-}
-
 
 variable "skip_delete" {
   description = " If true, the Terraform resource can be deleted without deleting the Project via the Google API."
@@ -113,6 +94,6 @@ variable "autokey_folder_users" {
 
 
 variable "autokey_project_kms_admins" {
-  type        = list(string)
+  type        = set(string)
   description = "List the users who should have the authority to manage crypto operations in the Key Management Project"
 }

versions.tf

@@ -19,8 +19,9 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 3.53, < 6"
     }
-     google-beta = {
-      source = "hashicorp/google-beta"
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 3.53, < 6"
     }
   }