Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create KMS and service account resources for TUF-on-CI #944

Merged
merged 2 commits into from
Jan 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions terraform/gcp/modules/sigstore/sigstore.tf
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,12 @@ module "tuf" {
gcs_logging_bucket = var.gcs_logging_bucket
storage_class = var.tuf_storage_class

tuf_service_account_name = var.tuf_service_account_name

tuf_keyring_name = var.tuf_keyring_name
tuf_key_name = var.tuf_key_name
kms_location = var.tuf_kms_location
Comment on lines +67 to +71
Copy link
Member

@jku jku Jan 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we simplify and not expose any of these as variables (except kms_location that seems potentially useful)?

  • service account can be parametrized on cluster name (see other comment)
  • key and keyring name could just be hard coded -- at least I can't see the value of changing them

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that there's defaults for these, most deployers won't have to think about setting the variables. My thought is that this is just in case someone is opinionated.


depends_on = [
module.project_roles
]
Expand Down
24 changes: 24 additions & 0 deletions terraform/gcp/modules/sigstore/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,30 @@ variable "tuf_storage_class" {
default = "REGIONAL"
}

variable "tuf_service_account_name" {
type = string
description = "Name of service account for TUF signing on GitHub Actions"
default = "tuf-gha"
}

variable "tuf_keyring_name" {
type = string
description = "Name of KMS keyring for TUF metadata signing"
default = "tuf-keyring"
}

variable "tuf_key_name" {
type = string
description = "Name of KMS key for TUF metadata signing"
default = "tuf-key"
}

variable "tuf_kms_location" {
type = string
description = "Location of KMS keyring"
default = "global"
}

variable "ca_pool_name" {
description = "Certificate authority pool name"
type = string
Expand Down
49 changes: 49 additions & 0 deletions terraform/gcp/modules/tuf/kms.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
/**
* Copyright 2024 The Sigstore Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

resource "google_kms_key_ring" "tuf-keyring" {
name = var.tuf_keyring_name
location = var.kms_location
project = var.project_id
}

resource "google_kms_crypto_key" "tuf-key" {
name = var.tuf_key_name
key_ring = google_kms_key_ring.tuf-keyring.id
purpose = "ASYMMETRIC_SIGN"
version_template {
algorithm = "EC_SIGN_P384_SHA384"
protection_level = "SOFTWARE"
}

depends_on = [google_kms_key_ring.tuf-keyring]
}

resource "google_kms_key_ring_iam_member" "tuf-sa-key-iam" {
key_ring_id = google_kms_key_ring.tuf-keyring.id
role = "roles/cloudkms.signerVerifier"
member = format("serviceAccount:%s@%s.iam.gserviceaccount.com", var.tuf_service_account_name, var.project_id)
depends_on = [google_kms_key_ring.tuf-keyring, google_service_account.tuf-sa]
}
Comment on lines +35 to +40
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks good to me.

If you decide to remove the service account variable as suggested in other comment, member here would need changing to something like
member = "serviceAccount:${google_service_account.tuf-sa.email}"


resource "google_kms_key_ring_iam_member" "tuf-key-iam-viewers" {
for_each = toset(var.tuf_key_viewers)

key_ring_id = google_kms_key_ring.tuf-keyring.id
role = "roles/cloudkms.publicKeyViewer"
member = each.key
depends_on = [google_kms_key_ring.tuf-keyring]
}
21 changes: 21 additions & 0 deletions terraform/gcp/modules/tuf/service_accounts.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
/**
* Copyright 2024 The Sigstore Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

resource "google_service_account" "tuf-sa" {
account_id = var.tuf_service_account_name
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we get rid of the variable and parametrize on cluster_name like rekor does:
account_id = format("%s-tuf-sa", var.cluster_name)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cluster_name is related to GKE. I'm not sure what we could parameterize on beyond project name. I decided to add variables for all new fields just in case someone was opinionated on names, but there's a default value for each so no configuration is needed.

display_name = "TUF Service Account for GitHub Actions"
project = var.project_id
}
33 changes: 33 additions & 0 deletions terraform/gcp/modules/tuf/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ variable "region" {
description = "GCP region"
}

// Storage variables
variable "tuf_bucket" {
type = string
description = "Name of GCS bucket for TUF root."
Expand Down Expand Up @@ -55,3 +56,35 @@ variable "gcs_logging_bucket" {
type = string
default = ""
}

// Service account variables
variable "tuf_service_account_name" {
type = string
description = "Name of service account for TUF signing on GitHub Actions"
default = "tuf-gha"
}

// KMS variables
variable "tuf_keyring_name" {
type = string
description = "Name of KMS keyring for TUF metadata signing"
default = "tuf-keyring"
}

variable "tuf_key_name" {
type = string
description = "Name of KMS key for TUF metadata signing"
default = "tuf-key"
}

variable "kms_location" {
type = string
description = "Location of KMS keyring"
default = "global"
}

variable "tuf_key_viewers" {
type = list(string)
description = "List of members who can view the public key. See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_key_ring_iam#argument-reference for supported values"
default = []
}