From 25aae072e4a8f8da4056fb9e2e0b6ad50c4dbd8f Mon Sep 17 00:00:00 2001
From: Hayden B 
Date: Fri, 19 Jan 2024 11:12:47 -0800
Subject: [PATCH] Update TUF KMS key algorithm (#949)

* Update TUF KMS key algorithm

Cosign requires ECDSA-p256 rather than p384.

Also adds protection against accidental deletion

Signed-off-by: Hayden Blauzvern 

* Add key version

Signed-off-by: Hayden Blauzvern 

* Add key version

Signed-off-by: Hayden Blauzvern 

---------

Signed-off-by: Hayden Blauzvern 
---
 terraform/gcp/modules/tuf/kms.tf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/terraform/gcp/modules/tuf/kms.tf b/terraform/gcp/modules/tuf/kms.tf
index 9e939111f..adf8252dc 100644
--- a/terraform/gcp/modules/tuf/kms.tf
+++ b/terraform/gcp/modules/tuf/kms.tf
@@ -25,13 +25,20 @@ resource "google_kms_crypto_key" "tuf-key" {
   key_ring = google_kms_key_ring.tuf-keyring.id
   purpose = "ASYMMETRIC_SIGN"
   version_template {
-    algorithm = "EC_SIGN_P384_SHA384"
+    algorithm = "EC_SIGN_P256_SHA256"
     protection_level = "SOFTWARE"
   }
-
+  lifecycle {
+    prevent_destroy = true
+  }
   depends_on = [google_kms_key_ring.tuf-keyring]
 }
 
+resource "google_kms_crypto_key_version" "tuf-key-version" {
+  crypto_key = google_kms_crypto_key.tuf-key.id
+  depends_on = [google_kms_crypto_key.tuf-key]
+}
+
 resource "google_kms_key_ring_iam_member" "tuf-sa-key-iam" {
   key_ring_id = google_kms_key_ring.tuf-keyring.id
   role = "roles/cloudkms.signerVerifier"
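Review bot: The new `google_kms_crypto_key_version` "tuf-key-version" resource carries no `lifecycle { prevent_destroy = true }`, while the parent `tuf-key` now does, so the accidental-deletion protection this commit adds stops at the key object: dropping or renaming the version resource in configuration would still let Terraform destroy that key version, which is the one holding TUF signing material going forward. Add the same three lines, `lifecycle {` / `prevent_destroy = true` / `}`, to the version resource. The `depends_on` entries on both resources are redundant with the attribute references (`crypto_key = google_kms_crypto_key.tuf-key.id`, `key_ring = google_kms_key_ring.tuf-keyring.id`) that already order them and can be dropped. Worth confirming against an existing deployment before applying: if the provider treats the `algorithm` change in `version_template` as a replacement of `tuf-key`, the newly added `prevent_destroy` will make the plan fail rather than rotate keys, so a short comment above `tuf-key-version` stating that the new version resource is the intended migration path for the P-256 algorithm would help the next maintainer.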