From 0f9313f6b12421bd2bdb104de56144275af53c0e Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Fri, 19 Jan 2024 18:10:57 +0000
Subject: [PATCH 1/3] Update TUF KMS key algorithm

Cosign requires ECDSA-p256 rather than p384. Also adds protection against accidental deletion

Signed-off-by: Hayden Blauzvern
---
 terraform/gcp/modules/tuf/kms.tf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/terraform/gcp/modules/tuf/kms.tf b/terraform/gcp/modules/tuf/kms.tf
index 9e939111f..e551d391c 100644
--- a/terraform/gcp/modules/tuf/kms.tf
+++ b/terraform/gcp/modules/tuf/kms.tf
@@ -25,10 +25,12 @@ resource "google_kms_crypto_key" "tuf-key" {
   key_ring = google_kms_key_ring.tuf-keyring.id
   purpose = "ASYMMETRIC_SIGN"
   version_template {
-    algorithm = "EC_SIGN_P384_SHA384"
+    algorithm = "EC_SIGN_P256_SHA256"
     protection_level = "SOFTWARE"
   }
-
+  lifecycle {
+    prevent_destroy = true
+  }
   depends_on = [google_kms_key_ring.tuf-keyring]
 }
 
From 12a08bd86e179b97597de4624610f9c8d9aeeade Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Fri, 19 Jan 2024 18:15:33 +0000
Subject: [PATCH 2/3] Add key version

Signed-off-by: Hayden Blauzvern
---
 terraform/gcp/modules/tuf/kms.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/terraform/gcp/modules/tuf/kms.tf b/terraform/gcp/modules/tuf/kms.tf
index e551d391c..8b9cbcc24 100644
--- a/terraform/gcp/modules/tuf/kms.tf
+++ b/terraform/gcp/modules/tuf/kms.tf
@@ -34,6 +34,11 @@ resource "google_kms_crypto_key" "tuf-key" {
   depends_on = [google_kms_key_ring.tuf-keyring]
 }
 
+resource "google_kms_crypto_key_version" "tuf-key-version" {
+  crypto_key = google_kms_crypto_key.tuf-key.id
+  depends_on = [google_kms_key_ring.tuf-key]
+}
+
 resource "google_kms_key_ring_iam_member" "tuf-sa-key-iam" {
   key_ring_id = google_kms_key_ring.tuf-keyring.id
   role = "roles/cloudkms.signerVerifier"
From ce36762e5d4f56200a6674434dd8bf29c8bf8d06 Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Fri, 19 Jan 2024 18:16:46 +0000
Subject: [PATCH 3/3] Add key version

Signed-off-by: Hayden Blauzvern
---
 terraform/gcp/modules/tuf/kms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/gcp/modules/tuf/kms.tf b/terraform/gcp/modules/tuf/kms.tf
index 8b9cbcc24..adf8252dc 100644
--- a/terraform/gcp/modules/tuf/kms.tf
+++ b/terraform/gcp/modules/tuf/kms.tf
@@ -36,7 +36,7 @@ resource "google_kms_crypto_key" "tuf-key" {
 
 resource "google_kms_crypto_key_version" "tuf-key-version" {
   crypto_key = google_kms_crypto_key.tuf-key.id
-  depends_on = [google_kms_key_ring.tuf-key]
+  depends_on = [google_kms_crypto_key.tuf-key]
 }
 
 resource "google_kms_key_ring_iam_member" "tuf-sa-key-iam" {
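Review bot: Changing `algorithm` inside `version_template` only governs versions created after the change; any existing P384 version of `tuf-key` keeps its algorithm and stays enabled, so this hunk by itself does not give cosign a P256 version to sign with, and the old version remains a valid signer for this key until it is disabled or destroyed by some other step. Whether the provider applies this as an in-place update or as a replacement is not visible from the patch; if it is a replacement, the `prevent_destroy = true` added in the same hunk will make the apply fail, so the plan output should be checked before merging. A comment next to the algorithm line would make the rollover explicit, e.g. `# Applies to new versions only; the pre-existing P384 version must be disabled once no longer referenced.` The `depends_on = [google_kms_key_ring.tuf-keyring]` line is redundant, since `key_ring` already references that resource. The enclosing `resource "google_kms_crypto_key" "tuf-key"` block begins before this hunk.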
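Review bot: The new `google_kms_crypto_key_version` resource has no `lifecycle { prevent_destroy = true }`, unlike the parent key guarded in the preceding hunk, so removing this block or running `terraform destroy` would act directly on the version that holds the signing material; the same gap remains in the follow-up hunk that corrects its `depends_on`. What the provider does to a KMS version on destroy is not visible here, so confirm it and, if the version must survive, add `lifecycle { prevent_destroy = true }` inside this resource as well. A one-line comment stating which version cosign and the TUF metadata are expected to reference would also help, since asymmetric keys are used by version rather than by primary version.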
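Review bot: The corrected `depends_on = [google_kms_crypto_key.tuf-key]` is redundant: the `crypto_key = google_kms_crypto_key.tuf-key.id` argument on the line above already orders version creation after the key, so the line can be dropped and `depends_on` kept for hidden dependencies only. If it is retained deliberately, a short comment such as `# explicit ordering kept for readability; implied by crypto_key` would tell the next reader it is intentional rather than a leftover.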