diff --git a/terraform/gcp/modules/sigstore/sigstore.tf b/terraform/gcp/modules/sigstore/sigstore.tf
index 8b53daa28..44f17226d 100644
--- a/terraform/gcp/modules/sigstore/sigstore.tf
+++ b/terraform/gcp/modules/sigstore/sigstore.tf
@@ -64,6 +64,12 @@ module "tuf" {
 gcs_logging_bucket = var.gcs_logging_bucket
 storage_class = var.tuf_storage_class
+ tuf_service_account_name = var.tuf_service_account_name
+
+ tuf_keyring_name = var.tuf_keyring_name
+ tuf_key_name = var.tuf_key_name
+ kms_location = var.tuf_kms_location
+
 depends_on = [
 module.project_roles
 ]
diff --git a/terraform/gcp/modules/sigstore/variables.tf b/terraform/gcp/modules/sigstore/variables.tf
index f067464f4..6dee23e06 100644
--- a/terraform/gcp/modules/sigstore/variables.tf
+++ b/terraform/gcp/modules/sigstore/variables.tf
@@ -80,6 +80,30 @@ variable "tuf_storage_class" {
 default = "REGIONAL"
 }
+variable "tuf_service_account_name" {
+ type = string
+ description = "Name of service account for TUF signing on GitHub Actions"
+ default = "tuf-gha"
+}
+
+variable "tuf_keyring_name" {
+ type = string
+ description = "Name of KMS keyring for TUF metadata signing"
+ default = "tuf-keyring"
+}
+
+variable "tuf_key_name" {
+ type = string
+ description = "Name of KMS key for TUF metadata signing"
+ default = "tuf-key"
+}
+
+variable "tuf_kms_location" {
+ type = string
+ description = "Location of KMS keyring"
+ default = "global"
+}
+
 variable "ca_pool_name" {
 description = "Certificate authority pool name"
 type = string
diff --git a/terraform/gcp/modules/tuf/kms.tf b/terraform/gcp/modules/tuf/kms.tf
new file mode 100644
index 000000000..9e939111f
--- /dev/null
+++ b/terraform/gcp/modules/tuf/kms.tf
@@ -0,0 +1,49 @@
+/**
+ * Copyright 2024 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_kms_key_ring" "tuf-keyring" {
+ name = var.tuf_keyring_name
+ location = var.kms_location
+ project = var.project_id
+}
+
+resource "google_kms_crypto_key" "tuf-key" {
+ name = var.tuf_key_name
+ key_ring = google_kms_key_ring.tuf-keyring.id
+ purpose = "ASYMMETRIC_SIGN"
+ version_template {
+ algorithm = "EC_SIGN_P384_SHA384"
+ protection_level = "SOFTWARE"
+ }
+
+ depends_on = [google_kms_key_ring.tuf-keyring]
+}
+
+resource "google_kms_key_ring_iam_member" "tuf-sa-key-iam" {
+ key_ring_id = google_kms_key_ring.tuf-keyring.id
+ role = "roles/cloudkms.signerVerifier"
+ member = format("serviceAccount:%s@%s.iam.gserviceaccount.com", var.tuf_service_account_name, var.project_id)
+ depends_on = [google_kms_key_ring.tuf-keyring, google_service_account.tuf-sa]
+}
+
+resource "google_kms_key_ring_iam_member" "tuf-key-iam-viewers" {
+ for_each = toset(var.tuf_key_viewers)
+
+ key_ring_id = google_kms_key_ring.tuf-keyring.id
+ role = "roles/cloudkms.publicKeyViewer"
+ member = each.key
+ depends_on = [google_kms_key_ring.tuf-keyring]
+}
diff --git a/terraform/gcp/modules/tuf/service_accounts.tf b/terraform/gcp/modules/tuf/service_accounts.tf
new file mode 100644
index 000000000..76e60f7e1
--- /dev/null
+++ b/terraform/gcp/modules/tuf/service_accounts.tf
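Review bot: `tuf-sa-key-iam` grants `roles/cloudkms.signerVerifier` on the whole keyring (`google_kms_key_ring_iam_member` with `key_ring_id`), so the GitHub Actions service account can sign with any key that is ever added to `tuf-keyring`, not only `tuf-key`; binding at the key with `google_kms_crypto_key_iam_member` keeps it to the one TUF signing key, and referencing `google_service_account.tuf-sa.email` replaces the hand-built `format(...)` and the explicit `depends_on`. Because this key signs TUF metadata, `tuf-key` should also carry `lifecycle { prevent_destroy = true }`: destroying the Terraform resource schedules destruction of its key versions (per the google provider's documented behavior), which would invalidate every client that trusts it, and `protection_level = "HSM"` is worth considering for a key of this sensitivity. The `depends_on` lines on `tuf-key` and `tuf-key-iam-viewers` are redundant since `key_ring`/`key_ring_id` already reference the keyring.
```hcl
resource "google_kms_crypto_key" "tuf-key" {
  // … unchanged: name, key_ring, purpose, version_template …

  # TUF clients pin this key; never let a plan/destroy remove it.
  lifecycle {
    prevent_destroy = true
  }
}

# Scope signing to this single key rather than the whole keyring.
resource "google_kms_crypto_key_iam_member" "tuf-sa-key-iam" {
  crypto_key_id = google_kms_crypto_key.tuf-key.id
  role          = "roles/cloudkms.signerVerifier"
  member        = "serviceAccount:${google_service_account.tuf-sa.email}"
}
```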
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2024 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_service_account" "tuf-sa" {
+ account_id = var.tuf_service_account_name
+ display_name = "TUF Service Account for GitHub Actions"
+ project = var.project_id
+}
diff --git a/terraform/gcp/modules/tuf/variables.tf b/terraform/gcp/modules/tuf/variables.tf
index d7dda52c4..66506bb26 100644
--- a/terraform/gcp/modules/tuf/variables.tf
+++ b/terraform/gcp/modules/tuf/variables.tf
@@ -28,6 +28,7 @@ variable "region" {
 description = "GCP region"
 }
+// Storage variables
 variable "tuf_bucket" {
 type = string
 description = "Name of GCS bucket for TUF root."
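Review bot: `tuf-sa` is described as the service account GitHub Actions signs with, but nothing in this commit shows how GitHub Actions gets to use it — there is no `google_service_account_iam_member` granting `roles/iam.workloadIdentityUser` to a Workload Identity Federation principal, and no comment saying where that binding lives. If the binding is managed elsewhere, a comment on the resource should say so, e.g. `# Impersonated from GitHub Actions via Workload Identity Federation; the pool/provider binding is managed in <location>`; if the plan is instead to export a JSON key for the workflow, that is the path to avoid for a TUF signing identity. A `description` argument on the resource would also record the intended scope (signing TUF metadata only) where it is visible in the console.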
@@ -55,3 +56,35 @@ variable "gcs_logging_bucket" {
 type = string
 default = ""
 }
+
+// Service account variables
+variable "tuf_service_account_name" {
+ type = string
+ description = "Name of service account for TUF signing on GitHub Actions"
+ default = "tuf-gha"
+}
+
+// KMS variables
+variable "tuf_keyring_name" {
+ type = string
+ description = "Name of KMS keyring for TUF metadata signing"
+ default = "tuf-keyring"
+}
+
+variable "tuf_key_name" {
+ type = string
+ description = "Name of KMS key for TUF metadata signing"
+ default = "tuf-key"
+}
+
+variable "kms_location" {
+ type = string
+ description = "Location of KMS keyring"
+ default = "global"
+}
+
+variable "tuf_key_viewers" {
+ type = list(string)
+ description = "List of members who can view the public key. See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_key_ring_iam#argument-reference for supported values"
+ default = []
+}
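Review bot: `kms_location` breaks the `tuf_` prefix the other new variables in this module use (`tuf_service_account_name`, `tuf_keyring_name`, `tuf_key_name`, `tuf_key_viewers`), and the parent module already calls it `tuf_kms_location`, so the same setting has two names across the two modules; renaming it here to `tuf_kms_location` would make the interfaces line up, at the cost of touching the module call. The description `"Location of KMS keyring"` should also warn that Cloud KMS key rings cannot be deleted, so changing the value after the first apply creates a second ring and a second key rather than moving the existing one, e.g. `description = "Location of the KMS keyring. Immutable once created: changing it provisions a new keyring and key."`.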