Create KMS and service account resources for TUF-on-CI (#944)

* Create KMS and service account resources for TUF-on-CI This adds a service account (which will be granted access to a workload identity pool in the private repo), a KMS keyring and key, and grants signerVerifier to the service account. Signed-off-by: Hayden Blauzvern <[email protected]> * Address comments Signed-off-by: Hayden Blauzvern <[email protected]> --------- Signed-off-by: Hayden Blauzvern <[email protected]>
sigstore · Jan 17, 2024 · 18c8742 · 18c8742
1 parent bc13121
commit 18c8742
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 0 deletions.
diff --git a/terraform/gcp/modules/sigstore/sigstore.tf b/terraform/gcp/modules/sigstore/sigstore.tf
@@ -64,6 +64,12 @@ module "tuf" {
   gcs_logging_bucket  = var.gcs_logging_bucket
   storage_class       = var.tuf_storage_class
 
+  tuf_service_account_name = var.tuf_service_account_name
+
+  tuf_keyring_name = var.tuf_keyring_name
+  tuf_key_name     = var.tuf_key_name
+  kms_location     = var.tuf_kms_location
+
   depends_on = [
     module.project_roles
   ]

diff --git a/terraform/gcp/modules/sigstore/variables.tf b/terraform/gcp/modules/sigstore/variables.tf
@@ -80,6 +80,30 @@ variable "tuf_storage_class" {
   default     = "REGIONAL"
 }
 
+variable "tuf_service_account_name" {
+  type        = string
+  description = "Name of service account for TUF signing on GitHub Actions"
+  default     = "tuf-gha"
+}
+
+variable "tuf_keyring_name" {
+  type        = string
+  description = "Name of KMS keyring for TUF metadata signing"
+  default     = "tuf-keyring"
+}
+
+variable "tuf_key_name" {
+  type        = string
+  description = "Name of KMS key for TUF metadata signing"
+  default     = "tuf-key"
+}
+
+variable "tuf_kms_location" {
+  type        = string
+  description = "Location of KMS keyring"
+  default     = "global"
+}
+
 variable "ca_pool_name" {
   description = "Certificate authority pool name"
   type        = string

diff --git a/terraform/gcp/modules/tuf/kms.tf b/terraform/gcp/modules/tuf/kms.tf
@@ -0,0 +1,49 @@
+/**
+ * Copyright 2024 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_kms_key_ring" "tuf-keyring" {
+  name     = var.tuf_keyring_name
+  location = var.kms_location
+  project  = var.project_id
+}
+
+resource "google_kms_crypto_key" "tuf-key" {
+  name     = var.tuf_key_name
+  key_ring = google_kms_key_ring.tuf-keyring.id
+  purpose  = "ASYMMETRIC_SIGN"
+  version_template {
+    algorithm        = "EC_SIGN_P384_SHA384"
+    protection_level = "SOFTWARE"
+  }
+
+  depends_on = [google_kms_key_ring.tuf-keyring]
+}
+
+resource "google_kms_key_ring_iam_member" "tuf-sa-key-iam" {
+  key_ring_id = google_kms_key_ring.tuf-keyring.id
+  role        = "roles/cloudkms.signerVerifier"
+  member      = format("serviceAccount:%s@%s.iam.gserviceaccount.com", var.tuf_service_account_name, var.project_id)
+  depends_on  = [google_kms_key_ring.tuf-keyring, google_service_account.tuf-sa]
+}
+
+resource "google_kms_key_ring_iam_member" "tuf-key-iam-viewers" {
+  for_each = toset(var.tuf_key_viewers)
+
+  key_ring_id = google_kms_key_ring.tuf-keyring.id
+  role        = "roles/cloudkms.publicKeyViewer"
+  member      = each.key
+  depends_on  = [google_kms_key_ring.tuf-keyring]
+}
diff --git a/terraform/gcp/modules/tuf/service_accounts.tf b/terraform/gcp/modules/tuf/service_accounts.tf
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2024 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_service_account" "tuf-sa" {
+  account_id   = var.tuf_service_account_name
+  display_name = "TUF Service Account for GitHub Actions"
+  project      = var.project_id
+}
diff --git a/terraform/gcp/modules/tuf/variables.tf b/terraform/gcp/modules/tuf/variables.tf
@@ -28,6 +28,7 @@ variable "region" {
   description = "GCP region"
 }
 
+// Storage variables
 variable "tuf_bucket" {
   type        = string
   description = "Name of GCS bucket for TUF root."
@@ -55,3 +56,35 @@ variable "gcs_logging_bucket" {
   type        = string
   default     = ""
 }
+
+// Service account variables
+variable "tuf_service_account_name" {
+  type        = string
+  description = "Name of service account for TUF signing on GitHub Actions"
+  default     = "tuf-gha"
+}
+
+// KMS variables
+variable "tuf_keyring_name" {
+  type        = string
+  description = "Name of KMS keyring for TUF metadata signing"
+  default     = "tuf-keyring"
+}
+
+variable "tuf_key_name" {
+  type        = string
+  description = "Name of KMS key for TUF metadata signing"
+  default     = "tuf-key"
+}
+
+variable "kms_location" {
+  type        = string
+  description = "Location of KMS keyring"
+  default     = "global"
+}
+
+variable "tuf_key_viewers" {
+  type        = list(string)
+  description = "List of members who can view the public key. See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_key_ring_iam#argument-reference for supported values"
+  default     = []
+}