From 559fe820c05292a0a715fd72a01eb6958616b9b3 Mon Sep 17 00:00:00 2001 
From: RaviGopal
Date: Mon, 23 Sep 2024 18:40:28 +0530
Subject: [PATCH 1/3] Fixed: PROD-9094 and PROD-9328

---
 docs-archived/guides/dsm_azure_sobject.md | 8 +-
 docs-archived/guides/dsm_sobject.md | 41 ++++++-
 docs/data-sources/aws_group.md | 4 +-
 docs/data-sources/group.md | 2 +-
 docs/data-sources/plugin.md | 2 +-
 docs/data-sources/secret.md | 4 +-
 docs/data-sources/sobject.md | 2 +-
 docs/data-sources/user.md | 2 +-
 docs/guides/dsm_azure_sobject.md | 8 +-
 docs/guides/dsm_sobject.md | 41 ++++++-
 docs/resources/acc_crypto_policy.md | 93 ++++++++-------
 docs/resources/acc_quorum_policy.md | 64 ++++++-----
 docs/resources/app.md | 66 +++++------
 docs/resources/app_non_api_key.md | 16 ++-
 docs/resources/aws_group.md | 10 +-
 docs/resources/azure_group.md | 4 +-
 docs/resources/csr.md | 18 +--
 docs/resources/existing_group.md | 33 +++---
 docs/resources/gcp_ekm_sa.md | 31 +++--
 docs/resources/gcp_sobject.md | 27 ++---
 docs/resources/group.md | 107 ++++++++++++------
 docs/resources/group_crypto_policy.md | 70 +++++++-----
 docs/resources/group_user_role.md | 12 +-
 docs/resources/plugin.md | 32 +++---
 docs/resources/secret.md | 12 +-
 docs/resources/sobject.md | 19 +++-
 dsm/common.go | 15 ++-
 dsm/resource_csr.go | 2 +-
 dsm/resource_gcp_sobject.go | 1 -
 dsm/resource_group.go | 6 +-
 dsm/resource_group_user_role.go | 2 +-
 dsm/resource_plugin.go | 34 ++++--
 dsm/resource_secret.go | 2 +-
 dsm/resource_sobject.go | 20 +++-
 .../data-sources/dsm_aws_group/data-source.tf | 4 +-
 .../data-sources/dsm_group/data-source.tf | 2 +-
 .../data-sources/dsm_plugin/data-source.tf | 2 +-
 .../data-sources/dsm_secret/data-source.tf | 4 +-
 .../data-sources/dsm_sobject/data-source.tf | 2 +-
 examples/data-sources/dsm_user/data-source.tf | 2 +-
 .../dsm_acc_crypto_policy/resource.tf | 93 ++++++++-------
 .../dsm_acc_quorum_policy/resource.tf | 64 ++++++-----
 examples/resources/dsm_app/resource.tf | 66 +++++------
 .../resources/dsm_app_non_api_key/resource.tf | 16 ++-
examples/resources/dsm_aws_group/resource.tf | 10 +- .../resources/dsm_azure_group/resource.tf | 4 +- examples/resources/dsm_csr/resource.tf | 14 +-- .../resources/dsm_existing_group/resource.tf | 33 +++--- examples/resources/dsm_gcp_ekm_sa/resource.tf | 31 +++-- .../resources/dsm_gcp_sobject/resource.tf | 26 ++--- examples/resources/dsm_group/resource.tf | 103 ++++++++++++----- .../dsm_group_crypto_policy/resource.tf | 69 ++++++----- .../resources/dsm_group_user_role/resource.tf | 8 +- examples/resources/dsm_plugin/resource.tf | 26 ++--- examples/resources/dsm_secret/resource.tf | 10 +- 55 files changed, 835 insertions(+), 564 deletions(-) diff --git a/docs-archived/guides/dsm_azure_sobject.md b/docs-archived/guides/dsm_azure_sobject.md index ea6fbb4..68f89a9 100644 --- a/docs-archived/guides/dsm_azure_sobject.md +++ b/docs-archived/guides/dsm_azure_sobject.md @@ -64,7 +64,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate1" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate to DSM security object resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id @@ -93,7 +93,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate2" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate to DSM security object resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id @@ -173,7 +173,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate1" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate Azure security object resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id 
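Review bot: The replacement comment `# Rotate to DSM security object` above `resource "dsm_azure_sobject" "rsa_key_azure_rotate1"` (and `rsa_key_azure_rotate2`) reads less clearly than the line it replaces, because the block it labels is an Azure security object rather than a DSM one; the identical hunks in docs/guides/dsm_azure_sobject.md carry the same wording. The rest of each resource body is outside the hunk, so I cannot confirm what the Azure object rotates from; if it is rotated using the DSM key rotated just above, `# Rotate the Azure key vault copy from the rotated DSM security object` states that directly. The later hunks at 173 and 201, which use `# Rotate Azure security object`, could then use the same phrasing so the two halves of the guide are consistent.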
@@ -201,7 +201,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate2" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate Azure security object resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id diff --git a/docs-archived/guides/dsm_sobject.md b/docs-archived/guides/dsm_sobject.md index de16632..a3377e2 100644 --- a/docs-archived/guides/dsm_sobject.md +++ b/docs-archived/guides/dsm_sobject.md @@ -154,6 +154,45 @@ resource "dsm_sobject" "rsa_sobject_example" { } ``` +## Create a RSA security object with `rsa` attribute + +```terraform +resource "dsm_sobject" "rsa_sobject_example" { + name = "rsa_sobject_example" + obj_type = "RSA" + group_id = dsm_group.group.id + key_size = 2048 + key_ops = [ + "ENCRYPT", + "DECRYPT", + "WRAPKEY", + "UNWRAPKEY", + "SIGN", + "VERIFY", + "APPMANAGEABLE", + "EXPORT" + ] + enabled = true + expiry_date = "2025-02-02T17:04:05Z" + description = "rsa sobject description" + rsa = "{\"encryption_policy\":[{\"padding\":{\"RAW_DECRYPT\":{}}},{\"padding\":{\"OAEP\":{\"mgf\":{\"mgf1\":{\"hash\":\"SHA1\"}}}}}],\"signature_policy\":[{\"padding\":{\"PKCS1_V15\":{}}},{\"padding\":{\"PSS\":{\"mgf\":{\"mgf1\":{\"hash\":\"SHA384\"}}}}}]}" + custom_metadata = { + key1 = "value1" + } + allowed_key_justifications_policy = [ + "CUSTOMER_INITIATED_SUPPORT", + "CUSTOMER_INITIATED_ACCESS" + ] + allowed_missing_justifications = true + rotation_policy = { + interval_days = 20 + effective_at = "20241130T183000Z" + deactivate_rotated_key = true + rotate_copied_keys = "all_external" + } +} +``` + ## Create a DSA security object ```terraform @@ -666,4 +705,4 @@ resource "dsm_sobject" "aes_sobject_example" { ignore_changes = [enabled, expiry_date] } } -``` \ No newline at end of file +``` diff --git a/docs/data-sources/aws_group.md b/docs/data-sources/aws_group.md index c7afc8b..03c2c31 100644 --- a/docs/data-sources/aws_group.md 
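Review bot: The new `rsa` example policy enables `RAW_DECRYPT` (unpadded RSA decryption), OAEP with an `SHA1` MGF and `PKCS1_V15` signatures, yet nothing in the hunk tells the reader these are permissive, legacy choices rather than a recommended policy, and the block will be copied verbatim. Suggest a comment directly above the `rsa = ...` line: `# Permissive policy shown only to illustrate the attribute: RAW_DECRYPT, SHA-1 and PKCS#1 v1.5 are legacy options; prefer OAEP/PSS with SHA-256 or stronger unless a consumer requires otherwise.` The identical hunk in docs/guides/dsm_sobject.md needs the same comment (or the examples source, if these guides are generated from it). The `EXPORT` key op and `allowed_missing_justifications = true` in the same block would also benefit from one line each explaining why the example sets them.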
+++ b/docs/data-sources/aws_group.md @@ -14,8 +14,8 @@ Returns the Fortanix DSM AWS KMS mapped group object from the cluster as a Data ```terraform data "dsm_aws_group" "sample_aws_group" { - name = "aws-test" - scan = true + name = "aws-test" + scan = true } ``` diff --git a/docs/data-sources/group.md b/docs/data-sources/group.md index 5b6f863..59d4052 100644 --- a/docs/data-sources/group.md +++ b/docs/data-sources/group.md @@ -14,7 +14,7 @@ Returns the Fortanix DSM group object from the cluster as a Data Source. ```terraform data "dsm_group" "sample_group" { - name = "my_group" + name = "my_group" } ``` diff --git a/docs/data-sources/plugin.md b/docs/data-sources/plugin.md index 71526a8..20a26fe 100644 --- a/docs/data-sources/plugin.md +++ b/docs/data-sources/plugin.md @@ -14,7 +14,7 @@ Returns the Fortanix DSM plugin object from the cluster as a Resource. ```terraform data "dsm_plugin" "sample_plugin" { - name = "my_plugin" + name = "my_plugin" } ``` diff --git a/docs/data-sources/secret.md b/docs/data-sources/secret.md index 540208d..662762b 100644 --- a/docs/data-sources/secret.md +++ b/docs/data-sources/secret.md @@ -14,8 +14,8 @@ Returns the Fortanix DSM secret object from the cluster as a Data Source. ```terraform data "dsm_secret" "sample_secret" { - name = "test_secret_terraform" - export = false + name = "test_secret_terraform" + export = false } ``` diff --git a/docs/data-sources/sobject.md b/docs/data-sources/sobject.md index f3709ff..35c5841 100644 --- a/docs/data-sources/sobject.md +++ b/docs/data-sources/sobject.md @@ -17,7 +17,7 @@ Returns the DSM security object from the cluster as a Data Source. ```terraform data "dsm_sobject" "sample_sobject" { - name = "security_object" + name = "security_object" export = true } ``` diff --git a/docs/data-sources/user.md b/docs/data-sources/user.md index c186768..4132225 100644 --- a/docs/data-sources/user.md +++ b/docs/data-sources/user.md 
@@ -14,7 +14,7 @@ Returns the DSM user ID from the cluster as a Data Source. ```terraform data "dsm_user" "sample_users" { - user_email = "user@test.com" + user_email = "user@test.com" } ``` diff --git a/docs/guides/dsm_azure_sobject.md b/docs/guides/dsm_azure_sobject.md index ea6fbb4..68f89a9 100644 --- a/docs/guides/dsm_azure_sobject.md +++ b/docs/guides/dsm_azure_sobject.md @@ -64,7 +64,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate1" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate to DSM security object resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id @@ -93,7 +93,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate2" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate to DSM security object resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id @@ -173,7 +173,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate1" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate Azure security object resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id @@ -201,7 +201,7 @@ resource "dsm_sobject" "rsa_key_dsm_rotate2" { rotate_from = dsm_sobject.rsa_key_dsm.name } -# Copy above RSA key to azure key vault +# Rotate Azure security object resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { name = dsm_azure_sobject.rsa_key_azure.name group_id = dsm_group.azure_group.id diff --git a/docs/guides/dsm_sobject.md b/docs/guides/dsm_sobject.md index de16632..a3377e2 100644 --- a/docs/guides/dsm_sobject.md +++ b/docs/guides/dsm_sobject.md 
@@ -154,6 +154,45 @@ resource "dsm_sobject" "rsa_sobject_example" { } ``` +## Create a RSA security object with `rsa` attribute + +```terraform +resource "dsm_sobject" "rsa_sobject_example" { + name = "rsa_sobject_example" + obj_type = "RSA" + group_id = dsm_group.group.id + key_size = 2048 + key_ops = [ + "ENCRYPT", + "DECRYPT", + "WRAPKEY", + "UNWRAPKEY", + "SIGN", + "VERIFY", + "APPMANAGEABLE", + "EXPORT" + ] + enabled = true + expiry_date = "2025-02-02T17:04:05Z" + description = "rsa sobject description" + rsa = "{\"encryption_policy\":[{\"padding\":{\"RAW_DECRYPT\":{}}},{\"padding\":{\"OAEP\":{\"mgf\":{\"mgf1\":{\"hash\":\"SHA1\"}}}}}],\"signature_policy\":[{\"padding\":{\"PKCS1_V15\":{}}},{\"padding\":{\"PSS\":{\"mgf\":{\"mgf1\":{\"hash\":\"SHA384\"}}}}}]}" + custom_metadata = { + key1 = "value1" + } + allowed_key_justifications_policy = [ + "CUSTOMER_INITIATED_SUPPORT", + "CUSTOMER_INITIATED_ACCESS" + ] + allowed_missing_justifications = true + rotation_policy = { + interval_days = 20 + effective_at = "20241130T183000Z" + deactivate_rotated_key = true + rotate_copied_keys = "all_external" + } +} +``` + ## Create a DSA security object ```terraform @@ -666,4 +705,4 @@ resource "dsm_sobject" "aes_sobject_example" { ignore_changes = [enabled, expiry_date] } } -``` \ No newline at end of file +``` diff --git a/docs/resources/acc_crypto_policy.md b/docs/resources/acc_crypto_policy.md index e8d85a1..f650be3 100644 --- a/docs/resources/acc_crypto_policy.md +++ b/docs/resources/acc_crypto_policy.md 
@@ -17,40 +17,22 @@ variable "acct_id" { type = string default = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } -// Add cryptographic policy to a Fortanix DSM account +## Add cryptographic policy to a Fortanix DSM account + +# This resource is an example of a crypto policy with all the permissions allowed. resource "dsm_acc_crypto_policy" "name" { acct_id = var.acct_id cryptographic_policy = jsonencode({ - legacy_policy = "allowed" + legacy_policy = "allowed" # other values: prohibited and unprotect_only key_ops = [ - "SIGN", - "VERIFY", - "ENCRYPT", - "DECRYPT", - "WRAPKEY", - "UNWRAPKEY", - "DERIVEKEY", - "TRANSFORM", - "MACGENERATE", - "MACVERIFY", - "EXPORT", - "APPMANAGEABLE", - "AGREEKEY", - "ENCAPSULATE", - "DECAPSULATE" + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", + "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ] aes = { - key_sizes = [ - 128, - 192, - 256 - ] + key_sizes = [128, 192, 256] } des3 = { - key_sizes = [ - 112, - 168 - ] + key_sizes = [112, 168] } hmac = { minimum_key_length = 112 
@@ -99,26 +81,51 @@ resource "dsm_acc_crypto_policy" "name" { des = {} ec = { elliptic_curves = [ - "SecP192K1", - "SecP224K1", - "SecP256K1", - "NistP192", - "NistP224", - "NistP256", - "NistP384", - "NistP521", - "Gost256A", - "X25519", - "Ed25519" + "SecP192K1", "SecP224K1", "SecP256K1", "NistP192", "NistP224", + "NistP256", "NistP384", "NistP521", "Gost256A", "X25519", "Ed25519" ] } - dsa = {} - secret = {} + dsa = {} + secret = {} + certificate = {} + aria = {} + seed = {} + kcdsa = {} + eckcdsa = {} + }) +} + +# This resource is an example of a crypto policy with some restrictions. +# rsa, ec and dsa are defined as null, hence they are not allowed to do any operations for rsa, ec and dsa. +# Similarly, if others are not required in the use case, those values can be defined as null. +resource "dsm_acc_crypto_policy" "name" { + acct_id = var.acct_id + cryptographic_policy = jsonencode({ + legacy_policy = "prohibited" # other values: allowed and unprotect_only + key_ops = [ + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", + "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" + ] + aes = { + key_sizes = [128, 192, 256] + } + des3 = { + key_sizes = [112, 168] + } + hmac = { + minimum_key_length = 112 + } + opaque = {} + rsa = null + des = {} + ec = null + dsa = null + secret = {} certificate = {} - aria = {} - seed = {} - kcdsa = {} - eckcdsa = {} + aria = {} + seed = {} + kcdsa = {} + eckcdsa = {} }) } ``` diff --git a/docs/resources/acc_quorum_policy.md b/docs/resources/acc_quorum_policy.md index cd14cf0..0e810d6 100644 --- a/docs/resources/acc_quorum_policy.md +++ b/docs/resources/acc_quorum_policy.md 
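Review bot: Both example blocks in this file now use the same address, `resource "dsm_acc_crypto_policy" "name"`, so the fenced example is not a valid configuration on its own (Terraform rejects duplicate resource blocks) and a reader pasting it will hit an error. Renaming the second block, e.g. `resource "dsm_acc_crypto_policy" "restricted" {`, fixes that, and a sentence under the new comment header stating that the two blocks are alternatives for one account rather than meant to be applied together would remove the ambiguity if an account carries a single cryptographic policy. The comment `# rsa, ec and dsa are defined as null, hence they are not allowed to do any operations for rsa, ec and dsa.` could be tightened to `# rsa, ec and dsa set to null: no operations are allowed for those key types.`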
@@ -17,38 +17,43 @@ variable "acct_id" { type = string default = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } -// Add quorum policy to a Fortanix DSM account -// Example - 1 -/* -When any one of the members approval is required. -In the example, members are users that are configured in the Fortanix DSM account. -Apps can also be the members. e.g. { "app": "" } -*/ +# Add quorum policy to a Fortanix DSM account +# Example - 1 + +# When any one of the members' approval is required, assign `n` as 1 in the high level quorum. +# For example, members are users/apps that are configured in the Fortanix DSM account. +# The user/app value should be its UUID. resource "dsm_acc_quorum_policy" "account_quorum_policy" { acct_id = var.acct_id approval_policy = jsonencode({ policy = { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { quorum = { - n = 1, + n = 1, # This defines that `n` member of approvals required. members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + }, { user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] - require_2fa = false + require_2fa = false require_password = true } }, { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { - user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + app = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + }, + { + app = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] } 
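Review bot: The comment repeated on every quorum line, `# This defines that `n` member of approvals required.`, is ungrammatical and, in Example 1, leaves the effect of the new app-only sub-quorum unstated: with `n = 1` at the top level and `n = 1` in the app quorum, approval from a single app, with no `require_2fa` or `require_password`, satisfies the account policy that guards `protect_cryptographic_policy` and `protect_logging_config`. Suggest `# n: how many of the listed members must approve` on the quorum lines, and a sentence under `# Example - 1` saying that this configuration lets any single member, user or app, approve on its own and is a minimal illustration rather than a recommended account policy. Example 2 in the next hunk could reference that sentence as the stricter variant.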
@@ -56,44 +61,43 @@ resource "dsm_acc_quorum_policy" "account_quorum_policy" { ] } } - manage_groups = false + manage_groups = false protect_authentication_methods = true - protect_cryptographic_policy = true - protect_logging_config = true + protect_cryptographic_policy = true + protect_logging_config = true }) } -// Add quorum policy to a Fortanix DSM account -// Example - 2 -/*When all the members of approval is required. -In the example, members are users that are configured in the Fortanix DSM account. -Apps can also be the members. Apps can also be the members. e.g. { "app": "" } -*/ +# Add quorum policy to a Fortanix DSM account +# Example - 2 +# When all the members of approval is required. +# In the example, members are users/apps that are configured in the Fortanix DSM account. +# The user/app value should be its UUID. resource "dsm_acc_quorum_policy" "account_quorum_policy" { - acct_id = var.acct_id + acct_id = var.acct_id approval_policy = jsonencode({ policy = { quorum = { - n = 2 + n = 2 # This defines that `n` member of approvals required. members = [ { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] - require_2fa = false + require_2fa = false require_password = true } }, { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { - user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + app = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] } @@ -101,10 +105,10 @@ resource "dsm_acc_quorum_policy" "account_quorum_policy" { ] } } - manage_groups = false + manage_groups = false protect_authentication_methods = true - protect_cryptographic_policy = true - protect_logging_config = true + protect_cryptographic_policy = true + protect_logging_config = true }) } ``` diff --git a/docs/resources/app.md b/docs/resources/app.md index e4ac491..cf2079f 100644 --- a/docs/resources/app.md +++ b/docs/resources/app.md 
@@ -15,41 +15,41 @@ This resource can also rotate/regenerate an API key. Default permissions of any ## Example Usage ```terraform -// Create three normal groups +# Create three normal groups resource "dsm_group" "group1" { - name = "group1" + name = "group1" description = "group1" } resource "dsm_group" "group2" { - name = "group2" + name = "group2" description = "group2" } resource "dsm_group" "group3" { - name = "group3" + name = "group3" description = "group3" } -// Create an app +# Create an app resource "dsm_app" "app" { - name = "app" - default_group = dsm_group.group1.id - other_group = [dsm_group.group2.id, dsm_group.group3.id] + name = "app" + default_group = dsm_group.group1.id + other_group = [dsm_group.group2.id, dsm_group.group3.id] other_group_permissions = local.other_groups } -/* -To modify the default group permissions, other_group_permissions can be used in a zipmap. -In the above app the following permissions are assigned for each group: -group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +###################################################################################################################### +# To modify the default group permissions, other_group_permissions can be used in a zipmap. 
+# In the above app the following permissions are assigned for each group: +# group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -For group3, default permissions are assigned as it was not specified in the other_group_permissions. -group should be specified only if default permissions need to be changed. -*/ +# For group3, default permissions are assigned as it was not specified in the other_group_permissions. +# group should be specified only if default permissions need to be changed. +###################################################################################################################### locals { other_groups = zipmap( 
@@ -64,28 +64,28 @@ locals { ) } -// An example on how to modify the existing permissions of a group in app +# An example on how to modify the existing permissions of a group in app resource "dsm_app" "app" { - name = "app" - default_group = dsm_group.group1.id - other_group = [dsm_group.group2.id, dsm_group.group3.id] + name = "app" + default_group = dsm_group.group1.id + other_group = [dsm_group.group2.id, dsm_group.group3.id] other_group_permissions = local.other_groups - // mod_group_permissions should be given while updating an app + # mod_group_permissions should be given while updating an app mod_group_permissions = local.mod_groups } -// group1 and group2 permissions modification +# group1 and group2 permissions modification locals { -mod_groups = zipmap( -[ -dsm_group.group1.id, -dsm_group.group2.id -], -[ -"SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", -"SIGN,VERIFY,DECRYPT,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT" -] -) + mod_groups = zipmap( + [ + dsm_group.group1.id, + dsm_group.group2.id + ], + [ + "SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", + "SIGN,VERIFY,DECRYPT,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT" + ] + ) } ``` diff --git a/docs/resources/app_non_api_key.md b/docs/resources/app_non_api_key.md index 74745cb..fdf2b4f 100644 --- a/docs/resources/app_non_api_key.md +++ b/docs/resources/app_non_api_key.md 
@@ -36,15 +36,15 @@ resource "dsm_app_non_api_key" "aws-xks-terraform" { name = "aws-xks-terraform" default_group = dsm_group.group1.id other_group = [dsm_group.group2.id, dsm_group.group3.id] - // other_group_permissions - to change the default permissions + # other_group_permissions - to change the default permissions other_group_permissions = local.other_groups authentication_method = { type = "awsxks" } } -## To modify the default group permissions, other_group_permissions can be used in a zipmap. - +###################################################################################################################### +# To modify the default group permissions, other_group_permissions can be used in a zipmap. # In the above app the following permissions are assigned for each group: # group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT # group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT @@ -52,6 +52,7 @@ resource "dsm_app_non_api_key" "aws-xks-terraform" { # For group3, default permissions are assigned as it was not specified in the other_group_permissions. # group should be specified only if default permissions need to be changed. +###################################################################################################################### locals { @@ -69,7 +70,7 @@ locals { # Create an app of type AWS IAM resource "dsm_app_non_api_key" "aws-iam-terraform" { - // The app name must match the AWS ARN associated with the calling entity. + # The app name must match the AWS ARN associated with the calling entity. name = "arn:aws:sts::XXXXXXXXXXXX:assumed-role/XXXXXXX>/XXXXXXX" default_group = dsm_group.group2.id authentication_method = { 
@@ -78,6 +79,7 @@ resource "dsm_app_non_api_key" "aws-iam-terraform" { } # Create app of type certificate +# To update the certificate, change the value of the certificate with the new certificate. resource "dsm_app_non_api_key" "app-certificate-terraform" { name = "app-certificate-terraform" default_group = dsm_group.group1.id @@ -88,6 +90,7 @@ resource "dsm_app_non_api_key" "app-certificate-terraform" { } # Create an app of type Trusted CA using an ip address +# To update the certificate, change the value of the certificate with the new certificate. resource "dsm_app_non_api_key" "app-trustedca-ip-terraform" { name = "app-trustedca-ip-terraform" default_group = dsm_group.group2.id @@ -99,6 +102,7 @@ resource "dsm_app_non_api_key" "app-trustedca-ip-terraform" { } # Create an app of type Trusted CA using dns_name +# To update the certificate, change the value of the certificate with the new certificate. resource "dsm_app_non_api_key" "app-trustedca-dnsname-terraform" { name = "app-trustedca-dnsname-terraform" default_group = dsm_group.group2.id @@ -114,9 +118,9 @@ resource "dsm_app_non_api_key" "aws-xks-terraform" { name = "aws-xks-terraform" default_group = dsm_group.group1.id other_group = [dsm_group.group2.id, dsm_group.group3.id] - // other_group_permissions - to change the default permissions + # other_group_permissions - to change the default permissions other_group_permissions = local.other_groups - // mod_group_permissions should be given while updating an app + # mod_group_permissions should be given while updating an app mod_group_permissions = local.mod_groups authentication_method = { type = "awsxks" diff --git a/docs/resources/aws_group.md b/docs/resources/aws_group.md index c20fc5d..5c3e0bd 100644 --- a/docs/resources/aws_group.md +++ b/docs/resources/aws_group.md 
@@ -13,17 +13,17 @@ Creates a Fortanix DSM group mapped to AWS KMS in the cluster as a resource. Thi ## Example Usage ```terraform -// Creation of an dsm aws group -// Default aws_region is us-east-1. It can be modified by adding it in provider. +# Creation of an dsm aws group +# Default aws_region is us-east-1. It can be modified by adding it to the provider. provider "dsm" { aws_region = "us-east-2" } resource "dsm_aws_group" "dsm_aws_group_terraform" { - name = "dsm_aws_group_terraform" + name = "dsm_aws_group_terraform" description = "AWS group" - access_key = "XXXXXXXXXXXXXXXXXXXX" - secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + access_key = "XXXXXXXXXXXXXXXXXXXX" + secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } ``` diff --git a/docs/resources/azure_group.md b/docs/resources/azure_group.md index 3354af9..9805c42 100644 --- a/docs/resources/azure_group.md +++ b/docs/resources/azure_group.md @@ -13,11 +13,11 @@ Creates a Fortanix DSM group mapped to Azure Key Vault in the cluster as a resou ## Example Usage ```terraform -// Creation of azure group +# Creation of azure group resource "dsm_azure_group" "dsm_azure_group" { name = "dsm_azure_group" description = "Azure group" - url = "https://testfortanixterraform.vault.azure.net/" + url = "https:#testfortanixterraform.vault.azure.net/" tenant_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" client_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" diff --git a/docs/resources/csr.md b/docs/resources/csr.md index 534fe12..af986c5 100644 --- a/docs/resources/csr.md +++ b/docs/resources/csr.md 
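Review bot: The re-indented `access_key` and `secret_key` lines keep both AWS credentials as string literals in the resource body, so the example teaches readers to put a long-lived secret into a file that is normally committed to version control. Suggest `secret_key = var.aws_secret_key` (and likewise for `access_key`) with a `variable` block declared `sensitive = true`, described in a sentence above the resource, so the secret is supplied from the environment or a secrets manager rather than the configuration. The same pattern appears on the `secret_key` line of docs/resources/existing_group.md and the `private_key = ""` line of docs/resources/gcp_sobject.md in this patch.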
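Review bot: The replacement of `//` with `#` also rewrote the URL: `url = "https:#testfortanixterraform.vault.azure.net/"` is no longer a valid Key Vault endpoint, so the example breaks when copied; the original `url = "https://testfortanixterraform.vault.azure.net/"` should be restored. The same mechanical replacement hit docs/resources/csr.md (`https:#github.com/fortanix/terraform-provider-dsm/...`) and docs/resources/existing_group.md (`https:#sampleakv.vault.azure.net/`). The corresponding examples/ .tf files in the diffstat are outside this chunk and are likely affected as well, so a search for `https:#` across the repository is the safer check.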
@@ -3,31 +3,31 @@ page_title: "dsm_csr Resource - terraform-provider-dsm" subcategory: "" description: |- - Generates a CSR. CSR can be generated by an RSA key. + Generates a CSR from an existing private key within DSM. --- # dsm_csr (Resource) -Generates a CSR. CSR can be generated by an RSA key. +Generates a CSR from an existing private key within DSM. ## Example Usage ```terraform -// To use this resource, it is required to create a custom plugin in DSM first. -// Copy the plugin from https://github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua -// Create the custom plugin in DSM -// Plugin title: "Terraform Plugin - CSR" +# To use this resource, it is required to create a custom plugin in DSM first. +# Copy the plugin from https:#github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua +# Create the custom plugin in DSM +# Plugin title: "Terraform Plugin - CSR" -// Create an RSA key pair that will be used to generate the CSR +# Create an RSA key pair that will be used to generate the CSR resource "dsm_sobject" "sobject" { name = "sobject-rsa" obj_type = "RSA" - group_id = "" // make sure that the group can be accessed by your plugin "Terraform Plugin - CSR". + group_id = "" # make sure that the group can be accessed by your plugin "Terraform Plugin - CSR". key_size = 2048 } -// Generating the CSR +# Generating the CSR resource "dsm_csr" "csr" { kid = dsm_sobject.sobject.id cn = "example-common-name" diff --git a/docs/resources/existing_group.md b/docs/resources/existing_group.md index df30c48..5a30e0e 100644 --- a/docs/resources/existing_group.md +++ b/docs/resources/existing_group.md 
@@ -15,18 +15,16 @@ Later this resource group can be modified. ## Example Usage ```terraform -// Step1: Read the existing DSM group that was already created. +# Step1: Read the existing DSM group that was already created. resource "dsm_existing_group" "dsm_group" { name = "dsm_group" } -// Step2: Update the group -/* -An example of a normal group where it did not configure hmg(HSM/KMS) while creating. -hmg can not be added while updating the group. -*/ +# Step2: Update the group +# An example of a normal group where it did not configure hmg(HSM/KMS) while creating. +# hmg can not be added while updating the group. resource "dsm_existing_group" "dsm_group" { - name = "dsm_group" + name = "dsm_group" description = "Update existing group" approval_policy = jsonencode({ protect_permissions = [ @@ -53,18 +51,17 @@ resource "dsm_existing_group" "dsm_group" { } ] require_password = false - require_2fa = false + require_2fa = false } }) } -/* -An example of a group where it configured the hmg(HSM/KMS) while creation. -*/ + +# An example of a group where it configured the hmg(HSM/KMS) while creation. resource "dsm_existing_group" "dsm_group" { - name = "dsm_group" + name = "dsm_group" description = "Update existing group" hmg = jsonencode({ - url = "https://sampleakv.vault.azure.net/" + url = "https:#sampleakv.vault.azure.net/" tls = { mode = "required" validate_hostname : false @@ -72,12 +69,12 @@ resource "dsm_existing_group" "dsm_group" { ca_set = "global_roots" } } - kind = "AZUREKEYVAULT" - secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + kind = "AZUREKEYVAULT" + secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" subscription_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - key_vault_type = "STANDARD" + key_vault_type = "STANDARD" }) } ``` 
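Review bot: The hmg example in the last hunk keeps `validate_hostname : false` under `tls = { mode = "required" ... }` while the surrounding lines are reworked, and nothing tells the reader that disabling hostname validation against the Key Vault endpoint is a relaxed setting that will be copied as-is. Either `validate_hostname = true` or a comment on that line, `# false skips matching the certificate to the vault hostname; use true outside test setups`, makes the choice explicit. That line is also the only one in the block written with `:` rather than `=`; both parse inside jsonencode, but `=` would match the rest of the example.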
diff --git a/docs/resources/gcp_ekm_sa.md b/docs/resources/gcp_ekm_sa.md index fa2c856..c836964 100644 --- a/docs/resources/gcp_ekm_sa.md +++ b/docs/resources/gcp_ekm_sa.md @@ -13,7 +13,7 @@ Creates a Fortanix DSM Google EKM app. The returned resource object contains the ## Example Usage ```terraform -// Create three normal groups +# Create three normal groups resource "dsm_group" "group1" { name = "group1" description = "group1" @@ -29,7 +29,7 @@ resource "dsm_group" "group3" { description = "group3" } -// Create a Google EKM app in DSM +# Create a Google EKM app in DSM resource "dsm_gcp_ekm_sa" "ekm_sa" { name = "service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com" default_group = dsm_group.group1.id 
@@ -37,16 +37,15 @@ resource "dsm_gcp_ekm_sa" "ekm_sa" { other_group_permissions = local.other_groups } -/* -To modify the default group permissions, other_group_permissions can be used in a zipmap. -In the above app the following permissions are assigned for each group: -group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -For group3, default permissions are assigned as it was not specified in the other_group_permissions. -group should be specified only if default permissions need to be changed. -*/ +# To modify the default group permissions, other_group_permissions can be used in a zipmap. +# In the above app the following permissions are assigned for each group: +# group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT + +# For group3, default permissions are assigned as it was not specified in the other_group_permissions. +# group should be specified only if default permissions need to be changed. locals { other_groups = zipmap( 
@@ -55,23 +54,23 @@ locals { dsm_group.group2.id ], [ - "SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", + "SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", "SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT" ] ) } -// An example on how to modify the existing permissions of a group in EKM +# An example on how to modify the existing permissions of a group in EKM resource "dsm_gcp_ekm_sa" "ekm_sa" { name = "service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com" default_group = dsm_group.group1.id other_group = [dsm_group.group2.id, dsm_group.group3.id] other_group_permissions = local.other_groups - // mod_group_permissions should be given while updating an app - mod_group_permissions = local.mod_groups + # mod_group_permissions should be given while updating an app + mod_group_permissions = local.mod_groups } -// group1 and group2 permissions modification +# group1 and group2 permissions modification locals { mod_groups = zipmap( [ diff --git a/docs/resources/gcp_sobject.md b/docs/resources/gcp_sobject.md index d78b3dc..22ddda5 100644 --- a/docs/resources/gcp_sobject.md +++ b/docs/resources/gcp_sobject.md 
@@ -13,33 +13,33 @@ Creates a new security object in GCP CDC Group. This is a Bring-Your-Own-Key (BY ## Example Usage ```terraform -// Create a normal group +# Create a normal group resource "dsm_group" "normal_group" { name = "group_test" } -// Create GCP group +# Create GCP group resource "dsm_group" "gcp_group" { name = "gcp_group" hmg = jsonencode({ - kind = "GCPKEYRING" - key_ring = "key_ring_name" - project_id = "gcp_project_id" + kind = "GCPKEYRING" + key_ring = "key_ring_name" + project_id = "gcp_project_id" service_account_email = "test@test.iam.gserviceaccount.com" - location = "us-east1" - private_key = "" + location = "us-east1" + private_key = "" }) } -// Create an AES key in normal group +# Create an AES key in normal group resource "dsm_sobject" "sobject" { name = "aes256" key_size = 256 group_id = dsm_group.normal_group.id - obj_type = "AES" + obj_type = "AES" } -// Copy a key to GCP key ring using the above DSM security object +# Copy a key to GCP key ring using the above DSM security object resource "dsm_gcp_sobject" "gcp_sobject" { name = "gcp_sobject" group_id = dsm_group.gcp_group.id @@ -50,10 +50,8 @@ resource "dsm_gcp_sobject" "gcp_sobject" { gcp-key-id = "name-of-the-key-in-gcp" } rotation_policy = { - interval_days = 20 - effective_at = "20231130T183000Z" - deactivate_rotated_key = true - rotate_copied_keys = "all_external" + interval_days = 20 + effective_at = "20231130T183000Z" } obj_type = "AES" key_size = 256 @@ -90,7 +88,6 @@ resource "dsm_gcp_sobject" "gcp_sobject" { * `interval_days`: Rotate the key every given number of days. * `interval_months`: Rotate the key every given number of months. * `effective_at`: Start time of the rotation policy. - * `rotate_copied_keys`: Enable key rotation for copied keys. * **Note:** Either `interval_days` or `interval_months` should be given, but not both. - `state` (String) The state of the GCP KMS key. Values are Created, Deleted, Purged. 
diff --git a/docs/resources/group.md b/docs/resources/group.md index f5ac1b5..2bd34dc 100644 --- a/docs/resources/group.md +++ b/docs/resources/group.md 
@@ -15,47 +15,58 @@ Besides creating regular DSM groups, this resource may also be used to create DS ## Example Usage ```terraform -// Create a normal group +# Create a normal group resource "dsm_group" "group" { name = "group" } -/* -Create a group with multiple parameters. -The following resource group is an example of an external KMS group of Azure key vault -and an approval policy. -For more examples of external KMS groups please refer Guides/create_BYOK_groups -*/ +# Create a group with multiple parameters. +# The following resource group is an example of an external KMS group of Azure key vault +# and an approval policy which is configured with two users. + +# For more examples of external KMS groups please refer Guides/create_BYOK_groups resource "dsm_group" "group" { - name = "group" + name = "group" description = "group description" approval_policy = jsonencode({ protect_permissions = [ - "ROTATE_SOBJECTS", - "REVOKE_SOBJECTS", - "REVERT_SOBJECTS", - "DELETE_KEY_MATERIAL", - "DELETE_SOBJECTS", - "DESTROY_SOBJECTS", - "MOVE_SOBJECTS", - "CREATE_SOBJECTS", - "UPDATE_SOBJECTS_PROFILE", - "UPDATE_SOBJECTS_ENABLED_STATE", - "UPDATE_SOBJECT_POLICIES", - "ACTIVATE_SOBJECTS", - "UPDATE_KEY_OPS" + "ROTATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", + "DESTROY_SOBJECTS", "MOVE_SOBJECTS", "CREATE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", + "UPDATE_SOBJECT_POLICIES", "ACTIVATE_SOBJECTS", "UPDATE_KEY_OPS" ] protect_crypto_operations = true quorum = { - n = 1 + n = 1, # This defines that `n` member of approvals required. members = [ { - user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + quorum = { + n = 1 # This defines that `n` member of approvals required. 
+ members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + }, + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + } + ] + require_2fa = false, + require_password = false + } + }, + { + quorum = { + n = 1 # This defines that `n` member of approvals required. + members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + } + ] + require_2fa = false, + require_password = false + } } ] - require_password = false - require_2fa = false } }) hmg = jsonencode({ 
@@ -67,13 +78,45 @@ resource "dsm_group" "group" { ca_set = "global_roots" } } - kind = "AZUREKEYVAULT" - secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + kind = "AZUREKEYVAULT" + secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" subscription_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - key_vault_type = "STANDARD" + key_vault_type = "STANDARD" }) +} + + +# Create a group with basic approval_policy +# The following resource group is an example of approval policy which has configured with a single user. +resource "dsm_group" "group" { + name = "group" + description = "group description" + approval_policy = jsonencode({ + protect_permissions = [ + "ROTATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", + "DESTROY_SOBJECTS", "MOVE_SOBJECTS", "CREATE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", + "UPDATE_SOBJECT_POLICIES", "ACTIVATE_SOBJECTS", "UPDATE_KEY_OPS" + ] + protect_crypto_operations = true + quorum = { + n = 1 # This defines that `n` member of approvals required. + members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + } + ] + require_password = false + require_2fa = false + } + }) +} + + +# Create a normal group with key undo policy +resource "dsm_group" "group" { + name = "group" key_undo_policy_window_time = 9000 } ``` 
@@ -89,8 +132,8 @@ resource "dsm_group" "group" { - `approval_policy` (String) The Fortanix DSM group object quorum approval policy definition as a JSON string. - `description` (String) The Fortanix DSM group object description. -- `hmg` (String, Sensitive) The Fortanix DSM group object HMS/KMS definition as a JSON string. -- `key_undo_policy_window_time` (Number) The Fortanix DSM group object key undo policy window time as an Integer(Number of seconds). +- `hmg` (String, Sensitive) The Fortanix DSM group object HMS/KMS definition as a JSON string. It is only required, if group is pointing to an external KMS or HSM. For more examples refer Guides/create_BYOK_groups +- `key_undo_policy_window_time` (Number) The Fortanix DSM group object key undo policy window time as an Integer(Number of seconds).Key undo policy is not applicable for External KMS groups. ### Read-Only diff --git a/docs/resources/group_crypto_policy.md b/docs/resources/group_crypto_policy.md index d77921b..cb18ed4 100644 --- a/docs/resources/group_crypto_policy.md +++ b/docs/resources/group_crypto_policy.md 
@@ -13,32 +13,21 @@ Adds cryptographic policy to a existing Fortnanix DSM group. ## Example Usage ```terraform -// Create a group +# Create a group resource "dsm_group" "group" { name = "group" } -// Adding cryptographic policy to the group +## Adding cryptographic policy to the group + +# This resource is an example of a crypto policy with all the permissions allowed. resource "dsm_group_crypto_policy" "group_crypto_policy" { name = dsm_group.group.name cryptographic_policy = jsonencode({ legacy_policy = "allowed" key_ops = [ - "SIGN", - "VERIFY", - "ENCRYPT", - "DECRYPT", - "WRAPKEY", - "UNWRAPKEY", - "DERIVEKEY", - "MACGENERATE", - "MACVERIFY", - "EXPORT", - "APPMANAGEABLE", - "AGREEKEY", - "ENCAPSULATE", - "DECAPSULATE", - "TRANSFORM" + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "MACGENERATE", + "MACVERIFY", "EXhasPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE", "TRANSFORM" ] aes = { key_sizes = [128, 192, 256] @@ -58,17 +47,8 @@ resource "dsm_group_crypto_policy" "group_crypto_policy" { des = {} ec = { elliptic_curves = [ - "SecP192K1", - "SecP224K1", - "SecP256K1", - "NistP192", - "NistP224", - "NistP256", - "NistP384", - "NistP521", - "Gost256A", - "X25519", - "Ed25519" + "SecP192K1", "SecP224K1", "SecP256K1", "NistP192", "NistP224", "NistP256", + "NistP384", "NistP521", "Gost256A", "X25519", "Ed25519" ] } dsa = {} 
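Review bot: The new `key_ops` list in the first example contains `"EXhasPORT"`, a typo for `"EXPORT"` that would make the example policy fail to apply. The second example in the following hunk carries the same stray token in `"MACVERIFY",has "EXPORT"`, which is not even valid HCL, and its comment reads `defined beas null` for `defined as null`. The parallel example in examples/resources/dsm_acc_crypto_policy/resource.tf in this same patch is clean, so if this page is generated from an examples file the fix belongs there.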
@@ -84,6 +64,40 @@ resource "dsm_group_crypto_policy" "group_crypto_policy" { bls = {} }) } + +# This resource is an example of a crypto policy with some restrictions. +# rsa, ec and dsa are defined beas null, hence they are not allowed to do any operations for rsa, ec and dsa. +# Similarly, if others are not required in the use case, those values can be defined as null. +resource "dsm_group_crypto_policy" "group_crypto_policy" { + name = dsm_group.group.name + cryptographic_policy = jsonencode({ + legacy_policy = "prohibited" # other values: allowed and unprotect_only + key_ops = [ + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", + "MACVERIFY",has "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" + ] + aes = { + key_sizes = [128, 192, 256] + } + des3 = { + key_sizes = [112, 168] + } + hmac = { + minimum_key_length = 112 + } + opaque = {} + rsa = null + des = {} + ec = null + dsa = null + secret = {} + certificate = {} + aria = {} + seed = {} + kcdsa = {} + eckcdsa = {} + }) +} ``` diff --git a/docs/resources/group_user_role.md b/docs/resources/group_user_role.md index 24c70a0..5535e09 100644 --- a/docs/resources/group_user_role.md +++ b/docs/resources/group_user_role.md 
@@ -3,21 +3,21 @@ page_title: "dsm_group_user_role Resource - terraform-provider-dsm" subcategory: "" description: |- - Associates a user with a group and a role. + Creates an assignment of a DSM group role to a user. This assignment is linked to a specific group. --- # dsm_group_user_role (Resource) -Associates a user with a group and a role. +Creates an assignment of a DSM group role to a user. This assignment is linked to a specific group. ## Example Usage ```terraform -// Adding a group role to a user +# Adding a group role to a user resource "dsm_group_user_role" "group_user_role" { - group_name = "crypto_group" - user_email = "test123@fortanix.com" - role_name = "GROUPAUDITOR" + group_name = "crypto_group" + user_email = "test123@fortanix.com" + role_name = "GROUPAUDITOR" } ``` diff --git a/docs/resources/plugin.md b/docs/resources/plugin.md index 8dd8fe2..17ffc34 100644 --- a/docs/resources/plugin.md +++ b/docs/resources/plugin.md 
@@ -13,33 +13,33 @@ Creates a Fortanix DSM plugin. The returned resource object contains the UUID of ## Example Usage ```terraform -// Creation of a groups -resource "dsm_group" "group1"{ +# Creation of a groups +resource "dsm_group" "group1" { name = "group1" } -resource "dsm_group" "group2"{ +resource "dsm_group" "group2" { name = "group2" } -resource "dsm_group" "group3"{ +resource "dsm_group" "group3" { name = "group3" } -// Read the lua plugin from a file +# Read the lua plugin from a file data "local_file" "plugin_code" { - filename ="path/of/a/lua_plugin" + filename = "path/of/a/lua_plugin" } -// Create a plugin by reading a file +# Create a plugin by reading a file resource "dsm_plugin" "dsm_plugin" { - name = "dsm_plugin" - description = "DSM Plugin" + name = "dsm_plugin" + description = "DSM Plugin" default_group = dsm_group.group1.id - groups = [dsm_group.group2.id, dsm_group.group3.id] - plugin_type = "STANDARD" - language = "LUA" - code = data.local_file.plugin_code.content + groups = [dsm_group.group1.id, dsm_group.group2.id, dsm_group.group3.id] + plugin_type = "STANDARD" + language = "LUA" + code = data.local_file.plugin_code.content } ``` 
@@ -50,15 +50,15 @@ resource "dsm_plugin" "dsm_plugin" { - `code` (String) Plugin code that will be executed in DSM. Code should be in specified programming language. - `default_group` (String) The Fortanix DSM group object id to be mapped to the plugin by default. +- `groups` (List of String) List of Fortanix DSM group object ids to be mapped to the plugin that includes default_group as well. - `name` (String) The Fortanix DSM plugin object name. ### Optional - `description` (String) The Fortanix DSM plugin object description. - `enabled` (Boolean) Whether the security object is enabled or disabled. The values are true/false. -- `groups` (List of String) List of other Fortanix DSM group object ids to be mapped to the plugin. -- `language` (String) Programming language for plugin code (Default value is `LUA`). -- `plugin_type` (String) Type of the plugin. +- `language` (String) Programming language for plugin code (Default value is `LUA`). `LUA` is the only supported language at the moment. +- `plugin_type` (String) Type of the plugin. The supported values are standard, impersonating and customalgorithm. Default value is `standard`. ### Read-Only diff --git a/docs/resources/secret.md b/docs/resources/secret.md index 48b783b..29fcd8a 100644 --- a/docs/resources/secret.md +++ b/docs/resources/secret.md @@ -15,13 +15,13 @@ A secret value format should be in a base64 format. Secret can also be rotated. ## Example Usage ```terraform -// Create a group +# Create a group resource "dsm_group" "group" { - name = "group" + name = "group" description = "group description" } -// Import a secret +# Import a secret resource "dsm_secret" "secret" { name = "secret" group_id = dsm_group.group.id @@ -32,7 +32,7 @@ resource "dsm_secret" "secret" { expiry_date = "2025-02-02T17:04:05Z" } -// Rotate a secret +# Rotate a secret resource "dsm_secret" "secret_rotate" { name = "secret_rotate" group_id = dsm_group.group.id 
@@ -42,7 +42,7 @@ resource "dsm_secret" "secret_rotate" { value = "cm90YXRlZm9ydGFuaXg=" expiry_date = "2025-02-02T17:04:05Z" rotate = true - // Provide the secret security object name that needs to be rotated + # Provide the secret security object name that needs to be rotated rotate_from = dsm_secret.secret.name } ``` @@ -54,7 +54,7 @@ resource "dsm_secret" "secret_rotate" { - `group_id` (String) The Fortanix DSM security object group assignment. - `name` (String) The Fortanix DSM secret security object name -- `value` (String, Sensitive) The secret value +- `value` (String, Sensitive) The value of the secret security object Base64 encoded. ### Optional diff --git a/docs/resources/sobject.md b/docs/resources/sobject.md index db4e35f..751d31b 100644 --- a/docs/resources/sobject.md +++ b/docs/resources/sobject.md @@ -241,7 +241,7 @@ Refer to the fpeOptions schema in https://www.fortanix.com/fortanix-restful-api- | `LMS` | APPMANAGEABLE, SIGN, VERIFY | - `obj_type` (String) The security object type. * `Supported security objects`: AES, DES, DES3, RSA, DSA, KCDSA, EC, ECKCDSA, ARIA, SEED and Tokenization(fpe). -- `rotate` (String) specify method to use for key rotation. +- `rotate` (String) Specify method to use for key rotation. Value is `DSM`. - `rotate_from` (String) Name of the security object to be rotated from. - `rotation_policy` (Map of String) Policy to rotate a Security Object, configure the below parameters. This is not supported while importing the security object. * `interval_days`: Rotate the key for every given number of days. 
@@ -263,6 +263,23 @@ Refer to the fpeOptions schema in https://www.fortanix.com/fortanix-restful-api- | `KCDSA` | 224, 256| 224, 256: When KCDSA key_size is 2048. - `value` (String) Sobject content when importing content. +| obj_type | Curve/Key_size/Variants | key_ops | +| -------- | -------- |-------- | +| `CERTIFICATE` | EC/RSA curves/key_sizes | APPMANAGEABLE, ENCRYPT, VERIFY, WRAPKEY, EXPORT | +| `EC` | SecP192K1, SecP224K1, SecP256K1 NistP192, NistP224, NistP256, NistP384, NistP521, X25519, Ed25519 | APPMANAGEABLE, SIGN, VERIFY, AGREEKEY, EXPORT | +| `ECKCDSA` | SecP192K1, SecP224K1, SecP256K1 NistP192, NistP224, NistP256, NistP384, NistP521 | APPMANAGEABLE, SIGN, VERIFY, EXPORT | +| `RSA` | 1024, 2048, 4096, 8192 | APPMANAGEABLE, SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, EXPORT | +| `DSA` | 2048, 3072 | APPMANAGEABLE, SIGN, VERIFY, EXPORT | +| `KCDSA` | 2048 | APPMANAGEABLE, SIGN, VERIFY, EXPORT | +| `AES` | 128, 192, 256 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT | +| `DES` | 56 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE, EXPORT | +| `DES3` | 112, 168 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT | +| `ARIA` | 128, 192, 256 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT | +| `SEED` | 128 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, EXPORT | +| `HMAC` | 112 to 8192 | DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT | +| `BLS` | small_signatures/small_public_keys | APPMANAGEABLE, SIGN, VERIFY, EXPORT | +| `Opaque` | - | APPMANAGEABLE, EXPORT | + ### Read-Only - `acct_id` (String) Account ID from Fortanix DSM. diff --git a/dsm/common.go b/dsm/common.go index b9a70b4..a7f8f5d 100644 --- a/dsm/common.go +++ b/dsm/common.go 
@@ -224,9 +224,18 @@ func compTwoArrays(x interface{}, y interface{}) bool{
 for _, yElem := range y_array_set {
 yMap[yElem.(string)]++
 }
- for xMapKey, xMapVal := range xMap {
- if yMap[xMapKey] != xMapVal {
- return false
+ // It should always compare with the greater size of a map.
+ if len(xMap) > len(yMap) {
+ for xMapKey, xMapVal := range xMap {
+ if yMap[xMapKey] != xMapVal {
+ return false
+ }
+ }
+ } else {
+ for yMapKey, yMapVal := range yMap {
+ if xMap[yMapKey] != yMapVal {
+ return false
+ }
 }
 }
 return true
diff --git a/dsm/resource_csr.go b/dsm/resource_csr.go
index de4c9fa..cf385cc 100644
--- a/dsm/resource_csr.go
+++ b/dsm/resource_csr.go
@@ -26,7 +26,7 @@ func resourceCsr() *schema.Resource {
 ReadContext: resourceReadCsr,
 UpdateContext: resourceUpdateCsr,
 DeleteContext: resourceDeleteCsr,
- Description: "Generates a CSR. CSR can be generated by an RSA key.",
+ Description: "Generates a CSR from an existing private key within DSM.",
 Schema: map[string]*schema.Schema{
 "kid": {
 Description: "The security object kid.",
diff --git a/dsm/resource_gcp_sobject.go b/dsm/resource_gcp_sobject.go
index f610584..e60c5de 100644
--- a/dsm/resource_gcp_sobject.go
+++ b/dsm/resource_gcp_sobject.go
@@ -79,7 +79,6 @@ func resourceGCPSobject() *schema.Resource {
 " * `interval_days`: Rotate the key every given number of days.\n" +
 " * `interval_months`: Rotate the key every given number of months.\n" +
 " * `effective_at`: Start time of the rotation policy.\n" +
- " * `rotate_copied_keys`: Enable key rotation for copied keys.\n" +
 " * **Note:** Either `interval_days` or `interval_months` should be given, but not both.",
 Type: schema.TypeMap,
 Optional: true,
diff --git a/dsm/resource_group.go b/dsm/resource_group.go
index 19f71d5..6b7746d 100644
--- a/dsm/resource_group.go
+++ b/dsm/resource_group.go
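Review bot: The size branch in compTwoArrays duplicates the loop for no gain: after one map has been iterated, the only way the other can still differ is by holding extra keys, and a length comparison catches that, so `if len(xMap) != len(yMap) { return false }` followed by the original single loop over xMap gives the same multiset equality with half the code, and the comment `// It should always compare with the greater size of a map.` can go with it. The context line `yMap[yElem.(string)]++` keeps an unchecked type assertion that panics on a non-string element; that is pre-existing, but since this helper is now called on API responses from resourceReadPlugin it is worth a two-value assertion. compTwoArrays starts before the hunk.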
@@ -54,7 +54,8 @@ func resourceGroup() *schema.Resource { Optional: true, }, "hmg": { - Description: "The Fortanix DSM group object HMS/KMS definition as a JSON string.", + Description: "The Fortanix DSM group object HMS/KMS definition as a JSON string. It is only required, " + + "if group is pointing to an external KMS or HSM. For more examples refer Guides/create_BYOK_groups", Type: schema.TypeString, Optional: true, Sensitive: true, @@ -65,7 +66,8 @@ func resourceGroup() *schema.Resource { Computed: true, }, "key_undo_policy_window_time": { - Description: "The Fortanix DSM group object key undo policy window time as an Integer(Number of seconds).", + Description: "The Fortanix DSM group object key undo policy window time as an Integer(Number of seconds)." + + "Key undo policy is not applicable for External KMS groups.", Type: schema.TypeInt, Optional: true, }, diff --git a/dsm/resource_group_user_role.go b/dsm/resource_group_user_role.go index 107105f..faf6d10 100644 --- a/dsm/resource_group_user_role.go +++ b/dsm/resource_group_user_role.go @@ -17,7 +17,7 @@ func resourceGroupUserRole() *schema.Resource { ReadContext: resourceReadGroupUserRole, UpdateContext: resourceUpdateGroupUserRole, DeleteContext: resourceDeleteGroupUserRole, - Description: "Associates a user with a group and a role.", + Description: "Creates an assignment of a DSM group role to a user. This assignment is linked to a specific group.", Schema: map[string]*schema.Schema{ "name": { Description: "Group object name from Fortanix DSM (matches the group_name provided during creation).", diff --git a/dsm/resource_plugin.go b/dsm/resource_plugin.go index aa91a53..13c8601 100644 --- a/dsm/resource_plugin.go +++ b/dsm/resource_plugin.go @@ -11,6 +11,7 @@ package dsm import ( "context" "fmt" + "strings" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" 
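Review bot: The two-part `key_undo_policy_window_time` description joins without a space, so the rendered text reads `seconds).Key undo policy` — visible in docs/resources/group.md in this same patch; end the first literal with `"... as an Integer(Number of seconds). " +`. The new `hmg` text has a stray comma in `It is only required, if group is pointing`; `It is only required if the group points to an external KMS or HSM.` reads better. resourceGroup continues outside both hunks.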
@@ -72,7 +73,8 @@ func resourcePlugin() *schema.Resource {
 Default: "",
 },
 "plugin_type": {
- Description: "Type of the plugin.",
+ Description: "Type of the plugin. The supported values are standard, impersonating and customalgorithm. " +
+ "Default value is `standard`.",
 Type: schema.TypeString,
 Optional: true,
 Default: "standard",
@@ -83,15 +85,15 @@ func resourcePlugin() *schema.Resource {
 Required: true,
 },
 "groups": {
- Description: "List of other Fortanix DSM group object ids to be mapped to the plugin.",
+ Description: "List of Fortanix DSM group object ids to be mapped to the plugin that includes default_group as well.",
 Type: schema.TypeList,
- Optional: true,
+ Required: true,
 Elem: &schema.Schema{
 Type: schema.TypeString,
 },
 },
 "language": {
- Description: "Programming language for plugin code (Default value is `LUA`).",
+ Description: "Programming language for plugin code (Default value is `LUA`). `LUA` is the only supported language at the moment.",
 Type: schema.TypeString,
 Optional: true,
 Default: "LUA",
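Review bot: Switching `groups` from `Optional: true` to `Required: true` makes any existing configuration that omitted it fail at plan time, so this is a breaking schema change that deserves a changelog entry rather than only a new description. The description now also states the list must include `default_group`, but nothing in the schema enforces it; a `CustomizeDiff` that checks `default_group` is present in `groups` would report the mismatch at plan time instead of leaving it to the API. `plugin_type` documents three accepted values without a validator in this hunk; if none exists elsewhere in resourcePlugin, `ValidateFunc: validation.StringInSlice([]string{"standard", "impersonating", "customalgorithm"}, true),` from the helper/validation package already used in dsm/resource_sobject.go would pin them.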
@@ -273,15 +275,33 @@ func resourceReadPlugin(ctx context.Context, d *schema.ResourceData, m interface
 if err := d.Set("acct_id", req["acct_id"].(string)); err != nil {
 return diag.FromErr(err)
 }
- if err := d.Set("groups", req["groups"].([]interface{})); err != nil {
- return diag.FromErr(err)
+ if _, ok := req["groups"]; ok {
+ resp_groups := req["groups"].([]interface{})
+ tf_state_groups, is_tf_state_groups := d.GetOk("groups")
+ var is_same_groups bool
+ if is_tf_state_groups {
+ is_same_groups = compTwoArrays(tf_state_groups, resp_groups)
+ }
+ if is_same_groups {
+ if err := d.Set("groups", tf_state_groups); err != nil {
+ return diag.FromErr(err)
+ }
+ } else if err := d.Set("groups", resp_groups); err != nil {
+ return diag.FromErr(err)
+ }
 }
 if err := d.Set("creator", req["creator"]); err != nil {
 return diag.FromErr(err)
 }
 if _, ok := req["source"]; ok {
 if source := req["source"].(map[string]interface{}); len(source) > 0 {
- if err := d.Set("language", source["language"].(string)); err != nil {
+ language := ""
+ if strings.EqualFold(source["language"].(string), d.Get("language").(string)) {
+ language = d.Get("language").(string)
+ } else {
+ language = source["language"].(string)
+ }
+ if err := d.Set("language", language); err != nil {
 return diag.FromErr(err)
 }
 if err := d.Set("code", source["code"].(string)); err != nil {
diff --git a/dsm/resource_secret.go b/dsm/resource_secret.go
index e403004..f47f70f 100644
--- a/dsm/resource_secret.go
+++ b/dsm/resource_secret.go
@@ -92,7 +92,7 @@ func resourceSecret() *schema.Resource {
 Optional: true,
 },
 "value": {
- Description: "The secret value",
+ Description: "The value of the secret security object Base64 encoded.",
 Type: schema.TypeString,
 Required: true,
 Sensitive: true,
diff --git a/dsm/resource_sobject.go b/dsm/resource_sobject.go
index f449c13..38c3ad9 100644
--- a/dsm/resource_sobject.go
+++ b/dsm/resource_sobject.go
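Review bot: `resp_groups := req["groups"].([]interface{})` is still a single-value type assertion, so a response where `groups` is present but JSON null (or not an array) panics the provider instead of returning a diagnostic; `if resp_groups, ok := req["groups"].([]interface{}); ok {` performs both the presence and the shape check in one line and replaces the preceding `if _, ok := req["groups"]; ok {`. The `var is_same_groups bool` plus conditional assignment collapses to `is_same_groups := is_tf_state_groups && compTwoArrays(tf_state_groups, resp_groups)`. The language block likewise reduces to `language := source["language"].(string)` overridden with the configured spelling only when `strings.EqualFold` matches, and the snake_case locals depart from Go's mixedCaps, which matters if the rest of the file follows the convention. resourceReadPlugin begins and ends outside the hunk.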
@@ -79,7 +79,7 @@ func resourceSobject() *schema.Resource {
 // Computed: true,
 //},
 "rotate": {
- Description: "specify method to use for key rotation.",
+ Description: "Specify method to use for key rotation. Value is `DSM`.",
 Type: schema.TypeString,
 Optional: true,
 ValidateFunc: validation.StringInSlice([]string{"DSM", "ALL"}, true),
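Review bot: The rewritten `rotate` description says `Value is `DSM`.` while the `ValidateFunc` three lines below still accepts both `DSM` and `ALL` (case-insensitively), so the documentation and the validator now disagree; either list both, e.g. `Values are `DSM` and `ALL`.`, or drop `ALL` from the slice if it is no longer supported. resourceSobject and the rest of this schema entry lie outside the hunk.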
@@ -279,7 +279,23 @@ func resourceSobject() *schema.Resource {
 Computed: true,
 },
 "value": {
- Description: "Sobject content when importing content.",
+ Description: "Sobject content when importing content.\n\n" +
+ "| obj_type | Curve/Key_size/Variants | key_ops |\n" +
+ "| -------- | -------- |-------- |\n" +
+ "| `CERTIFICATE` | EC/RSA curves/key_sizes | APPMANAGEABLE, ENCRYPT, VERIFY, WRAPKEY, EXPORT |\n" +
+ "| `EC` | SecP192K1, SecP224K1, SecP256K1 NistP192, NistP224, NistP256, NistP384, NistP521, X25519, Ed25519 | APPMANAGEABLE, SIGN, VERIFY, AGREEKEY, EXPORT |\n" +
+ "| `ECKCDSA` | SecP192K1, SecP224K1, SecP256K1 NistP192, NistP224, NistP256, NistP384, NistP521 | APPMANAGEABLE, SIGN, VERIFY, EXPORT |\n" +
+ "| `RSA` | 1024, 2048, 4096, 8192 | APPMANAGEABLE, SIGN, VERIFY, ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, EXPORT |\n" +
+ "| `DSA` | 2048, 3072 | APPMANAGEABLE, SIGN, VERIFY, EXPORT |\n" +
+ "| `KCDSA` | 2048 | APPMANAGEABLE, SIGN, VERIFY, EXPORT |\n" +
+ "| `AES` | 128, 192, 256 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT |\n" +
+ "| `DES` | 56 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, APPMANAGEABLE, EXPORT |\n" +
+ "| `DES3` | 112, 168 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT |\n" +
+ "| `ARIA` | 128, 192, 256 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT |\n" +
+ "| `SEED` | 128 | ENCRYPT, DECRYPT, WRAPKEY, UNWRAPKEY, DERIVEKEY, EXPORT |\n" +
+ "| `HMAC` | 112 to 8192 | DERIVEKEY, MACGENERATE, MACVERIFY, APPMANAGEABLE, EXPORT |\n" +
+ "| `BLS` | small_signatures/small_public_keys | APPMANAGEABLE, SIGN, VERIFY, EXPORT |\n" +
+ "| `Opaque` | - | APPMANAGEABLE, EXPORT |\n",
 Type: schema.TypeString,
 Optional: true,
 },
diff --git a/examples/data-sources/dsm_aws_group/data-source.tf b/examples/data-sources/dsm_aws_group/data-source.tf
index 32bed13..a8ec91a 100644
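Review bot: The `EC` and `ECKCDSA` rows of the added table are missing the comma between `SecP256K1` and `NistP192`, so the curve list reads as one token; the same text is duplicated in docs/resources/sobject.md in this patch and needs the same fix. The table header does not say whether the `key_ops` column lists the operations assigned by default or the ones permitted for an imported object of that type, and a reader choosing key_ops for an import needs to know which; one clause in the introductory sentence, e.g. `Sobject content when importing content. The table lists the key_ops accepted per obj_type:`, would settle it if that is the intent. resourceSobject continues beyond the hunk.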
--- a/examples/data-sources/dsm_aws_group/data-source.tf +++ b/examples/data-sources/dsm_aws_group/data-source.tf @@ -1,4 +1,4 @@ data "dsm_aws_group" "sample_aws_group" { - name = "aws-test" - scan = true + name = "aws-test" + scan = true } \ No newline at end of file diff --git a/examples/data-sources/dsm_group/data-source.tf b/examples/data-sources/dsm_group/data-source.tf index e95e051..d43c261 100644 --- a/examples/data-sources/dsm_group/data-source.tf +++ b/examples/data-sources/dsm_group/data-source.tf @@ -1,3 +1,3 @@ data "dsm_group" "sample_group" { - name = "my_group" + name = "my_group" } \ No newline at end of file diff --git a/examples/data-sources/dsm_plugin/data-source.tf b/examples/data-sources/dsm_plugin/data-source.tf index 1b9682c..d2ab15c 100644 --- a/examples/data-sources/dsm_plugin/data-source.tf +++ b/examples/data-sources/dsm_plugin/data-source.tf @@ -1,3 +1,3 @@ data "dsm_plugin" "sample_plugin" { - name = "my_plugin" + name = "my_plugin" } \ No newline at end of file diff --git a/examples/data-sources/dsm_secret/data-source.tf b/examples/data-sources/dsm_secret/data-source.tf index 5aeba43..c790792 100644 --- a/examples/data-sources/dsm_secret/data-source.tf +++ b/examples/data-sources/dsm_secret/data-source.tf @@ -1,4 +1,4 @@ data "dsm_secret" "sample_secret" { - name = "test_secret_terraform" - export = false + name = "test_secret_terraform" + export = false } \ No newline at end of file diff --git a/examples/data-sources/dsm_sobject/data-source.tf b/examples/data-sources/dsm_sobject/data-source.tf index efd76ef..ab3cd9d 100644 --- a/examples/data-sources/dsm_sobject/data-source.tf +++ b/examples/data-sources/dsm_sobject/data-source.tf @@ -1,4 +1,4 @@ data "dsm_sobject" "sample_sobject" { - name = "security_object" + name = "security_object" export = true } \ No newline at end of file diff --git a/examples/data-sources/dsm_user/data-source.tf b/examples/data-sources/dsm_user/data-source.tf index 673a3bb..06d4f97 100644 
--- a/examples/data-sources/dsm_user/data-source.tf +++ b/examples/data-sources/dsm_user/data-source.tf @@ -1,3 +1,3 @@ data "dsm_user" "sample_users" { - user_email = "user@test.com" + user_email = "user@test.com" } \ No newline at end of file diff --git a/examples/resources/dsm_acc_crypto_policy/resource.tf b/examples/resources/dsm_acc_crypto_policy/resource.tf index 5cb6336..30628ce 100644 --- a/examples/resources/dsm_acc_crypto_policy/resource.tf +++ b/examples/resources/dsm_acc_crypto_policy/resource.tf @@ -2,40 +2,22 @@ variable "acct_id" { type = string default = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } -// Add cryptographic policy to a Fortanix DSM account +## Add cryptographic policy to a Fortanix DSM account + +# This resource is an example of a crypto policy with all the permissions allowed. resource "dsm_acc_crypto_policy" "name" { acct_id = var.acct_id cryptographic_policy = jsonencode({ - legacy_policy = "allowed" + legacy_policy = "allowed" # other values: prohibited and unprotect_only key_ops = [ - "SIGN", - "VERIFY", - "ENCRYPT", - "DECRYPT", - "WRAPKEY", - "UNWRAPKEY", - "DERIVEKEY", - "TRANSFORM", - "MACGENERATE", - "MACVERIFY", - "EXPORT", - "APPMANAGEABLE", - "AGREEKEY", - "ENCAPSULATE", - "DECAPSULATE" + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", + "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ] aes = { - key_sizes = [ - 128, - 192, - 256 - ] + key_sizes = [128, 192, 256] } des3 = { - key_sizes = [ - 112, - 168 - ] + key_sizes = [112, 168] } hmac = { minimum_key_length = 112 
@@ -84,25 +66,50 @@ resource "dsm_acc_crypto_policy" "name" { des = {} ec = { elliptic_curves = [ - "SecP192K1", - "SecP224K1", - "SecP256K1", - "NistP192", - "NistP224", - "NistP256", - "NistP384", - "NistP521", - "Gost256A", - "X25519", - "Ed25519" + "SecP192K1", "SecP224K1", "SecP256K1", "NistP192", "NistP224", + "NistP256", "NistP384", "NistP521", "Gost256A", "X25519", "Ed25519" ] } - dsa = {} - secret = {} + dsa = {} + secret = {} + certificate = {} + aria = {} + seed = {} + kcdsa = {} + eckcdsa = {} + }) +} + +# This resource is an example of a crypto policy with some restrictions. +# rsa, ec and dsa are defined as null, hence they are not allowed to do any operations for rsa, ec and dsa. +# Similarly, if others are not required in the use case, those values can be defined as null. +resource "dsm_acc_crypto_policy" "name" { + acct_id = var.acct_id + cryptographic_policy = jsonencode({ + legacy_policy = "prohibited" # other values: allowed and unprotect_only + key_ops = [ + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", + "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" + ] + aes = { + key_sizes = [128, 192, 256] + } + des3 = { + key_sizes = [112, 168] + } + hmac = { + minimum_key_length = 112 + } + opaque = {} + rsa = null + des = {} + ec = null + dsa = null + secret = {} certificate = {} - aria = {} - seed = {} - kcdsa = {} - eckcdsa = {} + aria = {} + seed = {} + kcdsa = {} + eckcdsa = {} }) } \ No newline at end of file diff --git a/examples/resources/dsm_acc_quorum_policy/resource.tf b/examples/resources/dsm_acc_quorum_policy/resource.tf index 8731a98..eeae3f8 100644 --- a/examples/resources/dsm_acc_quorum_policy/resource.tf +++ b/examples/resources/dsm_acc_quorum_policy/resource.tf 
@@ -2,38 +2,43 @@ variable "acct_id" { type = string default = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } -// Add quorum policy to a Fortanix DSM account -// Example - 1 -/* -When any one of the members approval is required. -In the example, members are users that are configured in the Fortanix DSM account. -Apps can also be the members. e.g. { "app": "" } -*/ +# Add quorum policy to a Fortanix DSM account +# Example - 1 + +# When any one of the members' approval is required, assign `n` as 1 in the high level quorum. +# For example, members are users/apps that are configured in the Fortanix DSM account. +# The user/app value should be its UUID. resource "dsm_acc_quorum_policy" "account_quorum_policy" { acct_id = var.acct_id approval_policy = jsonencode({ policy = { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { quorum = { - n = 1, + n = 1, # This defines that `n` member of approvals required. members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + }, { user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] - require_2fa = false + require_2fa = false require_password = true } }, { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { - user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + app = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + }, + { + app = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] } 
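Review bot: The repeated inline comment "This defines that `n` member of approvals required." is ungrammatical and does not say what `n` counts; suggest `# n = number of approvals required from the members listed below` on each `n = ...` line of this hunk, in the next hunk of this file, and where the same comment is introduced in examples/resources/dsm_group/resource.tf. The Example 1 header could also state that the top-level quorum with `n = 1` is satisfied by either the user sub-quorum or the new app sub-quorum, since that is the behaviour the switch from `user` to `app` members is meant to illustrate.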
@@ -41,44 +46,43 @@ resource "dsm_acc_quorum_policy" "account_quorum_policy" { ] } } - manage_groups = false + manage_groups = false protect_authentication_methods = true - protect_cryptographic_policy = true - protect_logging_config = true + protect_cryptographic_policy = true + protect_logging_config = true }) } -// Add quorum policy to a Fortanix DSM account -// Example - 2 -/*When all the members of approval is required. -In the example, members are users that are configured in the Fortanix DSM account. -Apps can also be the members. Apps can also be the members. e.g. { "app": "" } -*/ +# Add quorum policy to a Fortanix DSM account +# Example - 2 +# When all the members of approval is required. +# In the example, members are users/apps that are configured in the Fortanix DSM account. +# The user/app value should be its UUID. resource "dsm_acc_quorum_policy" "account_quorum_policy" { - acct_id = var.acct_id + acct_id = var.acct_id approval_policy = jsonencode({ policy = { quorum = { - n = 2 + n = 2 # This defines that `n` member of approvals required. members = [ { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] - require_2fa = false + require_2fa = false require_password = true } }, { quorum = { - n = 1 + n = 1 # This defines that `n` member of approvals required. members = [ { - user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + app = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" } ] } @@ -86,9 +90,9 @@ resource "dsm_acc_quorum_policy" "account_quorum_policy" { ] } } - manage_groups = false + manage_groups = false protect_authentication_methods = true - protect_cryptographic_policy = true - protect_logging_config = true + protect_cryptographic_policy = true + protect_logging_config = true }) } \ No newline at end of file diff --git a/examples/resources/dsm_app/resource.tf b/examples/resources/dsm_app/resource.tf index 5e86b72..cb02866 100644 
--- a/examples/resources/dsm_app/resource.tf +++ b/examples/resources/dsm_app/resource.tf 
@@ -1,38 +1,38 @@ -// Create three normal groups +# Create three normal groups resource "dsm_group" "group1" { - name = "group1" + name = "group1" description = "group1" } resource "dsm_group" "group2" { - name = "group2" + name = "group2" description = "group2" } resource "dsm_group" "group3" { - name = "group3" + name = "group3" description = "group3" } -// Create an app +# Create an app resource "dsm_app" "app" { - name = "app" - default_group = dsm_group.group1.id - other_group = [dsm_group.group2.id, dsm_group.group3.id] + name = "app" + default_group = dsm_group.group1.id + other_group = [dsm_group.group2.id, dsm_group.group3.id] other_group_permissions = local.other_groups } -/* -To modify the default group permissions, other_group_permissions can be used in a zipmap. -In the above app the following permissions are assigned for each group: -group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +###################################################################################################################### +# To modify the default group permissions, other_group_permissions can be used in a zipmap. +# In the above app the following permissions are assigned for each group: +# group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -For group3, default permissions are assigned as it was not specified in the other_group_permissions. -group should be specified only if default permissions need to be changed. 
-*/ +# For group3, default permissions are assigned as it was not specified in the other_group_permissions. +# group should be specified only if default permissions need to be changed. +###################################################################################################################### locals { other_groups = zipmap( @@ -47,27 +47,27 @@ locals { ) } -// An example on how to modify the existing permissions of a group in app +# An example on how to modify the existing permissions of a group in app resource "dsm_app" "app" { - name = "app" - default_group = dsm_group.group1.id - other_group = [dsm_group.group2.id, dsm_group.group3.id] + name = "app" + default_group = dsm_group.group1.id + other_group = [dsm_group.group2.id, dsm_group.group3.id] other_group_permissions = local.other_groups - // mod_group_permissions should be given while updating an app + # mod_group_permissions should be given while updating an app mod_group_permissions = local.mod_groups } -// group1 and group2 permissions modification +# group1 and group2 permissions modification locals { -mod_groups = zipmap( -[ -dsm_group.group1.id, -dsm_group.group2.id -], -[ -"SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", -"SIGN,VERIFY,DECRYPT,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT" -] -) + mod_groups = zipmap( + [ + dsm_group.group1.id, + dsm_group.group2.id + ], + [ + "SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", + "SIGN,VERIFY,DECRYPT,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT" + ] + ) } diff --git a/examples/resources/dsm_app_non_api_key/resource.tf b/examples/resources/dsm_app_non_api_key/resource.tf index 189b6a7..18f1a2d 100644 --- a/examples/resources/dsm_app_non_api_key/resource.tf +++ b/examples/resources/dsm_app_non_api_key/resource.tf 
@@ -16,15 +16,15 @@ resource "dsm_app_non_api_key" "aws-xks-terraform" { name = "aws-xks-terraform" default_group = dsm_group.group1.id other_group = [dsm_group.group2.id, dsm_group.group3.id] - // other_group_permissions - to change the default permissions + # other_group_permissions - to change the default permissions other_group_permissions = local.other_groups authentication_method = { type = "awsxks" } } -## To modify the default group permissions, other_group_permissions can be used in a zipmap. - +###################################################################################################################### +# To modify the default group permissions, other_group_permissions can be used in a zipmap. # In the above app the following permissions are assigned for each group: # group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT # group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT @@ -32,6 +32,7 @@ resource "dsm_app_non_api_key" "aws-xks-terraform" { # For group3, default permissions are assigned as it was not specified in the other_group_permissions. # group should be specified only if default permissions need to be changed. +###################################################################################################################### locals { @@ -49,7 +50,7 @@ locals { # Create an app of type AWS IAM resource "dsm_app_non_api_key" "aws-iam-terraform" { - // The app name must match the AWS ARN associated with the calling entity. + # The app name must match the AWS ARN associated with the calling entity. name = "arn:aws:sts::XXXXXXXXXXXX:assumed-role/XXXXXXX>/XXXXXXX" default_group = dsm_group.group2.id authentication_method = { 
@@ -58,6 +59,7 @@ resource "dsm_app_non_api_key" "aws-iam-terraform" { } # Create app of type certificate +# To update the certificate, change the value of the certificate with the new certificate. resource "dsm_app_non_api_key" "app-certificate-terraform" { name = "app-certificate-terraform" default_group = dsm_group.group1.id @@ -68,6 +70,7 @@ resource "dsm_app_non_api_key" "app-certificate-terraform" { } # Create an app of type Trusted CA using an ip address +# To update the certificate, change the value of the certificate with the new certificate. resource "dsm_app_non_api_key" "app-trustedca-ip-terraform" { name = "app-trustedca-ip-terraform" default_group = dsm_group.group2.id @@ -79,6 +82,7 @@ resource "dsm_app_non_api_key" "app-trustedca-ip-terraform" { } # Create an app of type Trusted CA using dns_name +# To update the certificate, change the value of the certificate with the new certificate. resource "dsm_app_non_api_key" "app-trustedca-dnsname-terraform" { name = "app-trustedca-dnsname-terraform" default_group = dsm_group.group2.id @@ -94,9 +98,9 @@ resource "dsm_app_non_api_key" "aws-xks-terraform" { name = "aws-xks-terraform" default_group = dsm_group.group1.id other_group = [dsm_group.group2.id, dsm_group.group3.id] - // other_group_permissions - to change the default permissions + # other_group_permissions - to change the default permissions other_group_permissions = local.other_groups - // mod_group_permissions should be given while updating an app + # mod_group_permissions should be given while updating an app mod_group_permissions = local.mod_groups authentication_method = { type = "awsxks" diff --git a/examples/resources/dsm_aws_group/resource.tf b/examples/resources/dsm_aws_group/resource.tf index a808e3d..f2a740a 100644 --- a/examples/resources/dsm_aws_group/resource.tf +++ b/examples/resources/dsm_aws_group/resource.tf 
@@ -1,12 +1,12 @@ -// Creation of an dsm aws group -// Default aws_region is us-east-1. It can be modified by adding it in provider. +# Creation of an dsm aws group +# Default aws_region is us-east-1. It can be modified by adding it to the provider. provider "dsm" { aws_region = "us-east-2" } resource "dsm_aws_group" "dsm_aws_group_terraform" { - name = "dsm_aws_group_terraform" + name = "dsm_aws_group_terraform" description = "AWS group" - access_key = "XXXXXXXXXXXXXXXXXXXX" - secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + access_key = "XXXXXXXXXXXXXXXXXXXX" + secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } \ No newline at end of file diff --git a/examples/resources/dsm_azure_group/resource.tf b/examples/resources/dsm_azure_group/resource.tf index adad109..aea8127 100644 --- a/examples/resources/dsm_azure_group/resource.tf +++ b/examples/resources/dsm_azure_group/resource.tf @@ -1,8 +1,8 @@ -// Creation of azure group +# Creation of azure group resource "dsm_azure_group" "dsm_azure_group" { name = "dsm_azure_group" description = "Azure group" - url = "https://testfortanixterraform.vault.azure.net/" + url = "https:#testfortanixterraform.vault.azure.net/" tenant_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" client_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" diff --git a/examples/resources/dsm_csr/resource.tf b/examples/resources/dsm_csr/resource.tf index 12f9af6..76b87d9 100644 --- a/examples/resources/dsm_csr/resource.tf +++ b/examples/resources/dsm_csr/resource.tf 
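Review bot: The `//` to `#` comment rewrite also changed a string literal: the `url` line in dsm_azure_group now reads `url = "https:#testfortanixterraform.vault.azure.net/"`, which is not a valid Key Vault URL, and should be restored to `url = "https://testfortanixterraform.vault.azure.net/"`. The same replacement hit the plugin link in the header comment of examples/resources/dsm_csr/resource.tf (`https:#github.com/...`) and the hmg `url` in the second hunk of examples/resources/dsm_existing_group/resource.tf (`https:#sampleakv.vault.azure.net/`); the latter is a configuration value, so the example as committed would hand a malformed URL to the provider.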
@@ -1,18 +1,18 @@ -// To use this resource, it is required to create a custom plugin in DSM first. -// Copy the plugin from https://github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua -// Create the custom plugin in DSM -// Plugin title: "Terraform Plugin - CSR" +# To use this resource, it is required to create a custom plugin in DSM first. +# Copy the plugin from https:#github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua +# Create the custom plugin in DSM +# Plugin title: "Terraform Plugin - CSR" -// Create an RSA key pair that will be used to generate the CSR +# Create an RSA key pair that will be used to generate the CSR resource "dsm_sobject" "sobject" { name = "sobject-rsa" obj_type = "RSA" - group_id = "" // make sure that the group can be accessed by your plugin "Terraform Plugin - CSR". + group_id = "" # make sure that the group can be accessed by your plugin "Terraform Plugin - CSR". key_size = 2048 } -// Generating the CSR +# Generating the CSR resource "dsm_csr" "csr" { kid = dsm_sobject.sobject.id cn = "example-common-name" diff --git a/examples/resources/dsm_existing_group/resource.tf b/examples/resources/dsm_existing_group/resource.tf index 1c203ea..da0f883 100644 --- a/examples/resources/dsm_existing_group/resource.tf +++ b/examples/resources/dsm_existing_group/resource.tf 
@@ -1,15 +1,13 @@ -// Step1: Read the existing DSM group that was already created. +# Step1: Read the existing DSM group that was already created. resource "dsm_existing_group" "dsm_group" { name = "dsm_group" } -// Step2: Update the group -/* -An example of a normal group where it did not configure hmg(HSM/KMS) while creating. -hmg can not be added while updating the group. -*/ +# Step2: Update the group +# An example of a normal group where it did not configure hmg(HSM/KMS) while creating. +# hmg can not be added while updating the group. resource "dsm_existing_group" "dsm_group" { - name = "dsm_group" + name = "dsm_group" description = "Update existing group" approval_policy = jsonencode({ protect_permissions = [ @@ -36,18 +34,17 @@ resource "dsm_existing_group" "dsm_group" { } ] require_password = false - require_2fa = false + require_2fa = false } }) } -/* -An example of a group where it configured the hmg(HSM/KMS) while creation. -*/ + +# An example of a group where it configured the hmg(HSM/KMS) while creation. resource "dsm_existing_group" "dsm_group" { - name = "dsm_group" + name = "dsm_group" description = "Update existing group" hmg = jsonencode({ - url = "https://sampleakv.vault.azure.net/" + url = "https:#sampleakv.vault.azure.net/" tls = { mode = "required" validate_hostname : false @@ -55,11 +52,11 @@ resource "dsm_existing_group" "dsm_group" { ca_set = "global_roots" } } - kind = "AZUREKEYVAULT" - secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + kind = "AZUREKEYVAULT" + secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" subscription_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - key_vault_type = "STANDARD" + key_vault_type = "STANDARD" }) } \ No newline at end of file 
diff --git a/examples/resources/dsm_gcp_ekm_sa/resource.tf b/examples/resources/dsm_gcp_ekm_sa/resource.tf index 5b1ac06..708059e 100644 --- a/examples/resources/dsm_gcp_ekm_sa/resource.tf +++ b/examples/resources/dsm_gcp_ekm_sa/resource.tf @@ -1,4 +1,4 @@ -// Create three normal groups +# Create three normal groups resource "dsm_group" "group1" { name = "group1" description = "group1" @@ -14,7 +14,7 @@ resource "dsm_group" "group3" { description = "group3" } -// Create a Google EKM app in DSM +# Create a Google EKM app in DSM resource "dsm_gcp_ekm_sa" "ekm_sa" { name = "service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com" default_group = dsm_group.group1.id 
@@ -22,16 +22,15 @@ resource "dsm_gcp_ekm_sa" "ekm_sa" { other_group_permissions = local.other_groups } -/* -To modify the default group permissions, other_group_permissions can be used in a zipmap. -In the above app the following permissions are assigned for each group: -group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT -For group3, default permissions are assigned as it was not specified in the other_group_permissions. -group should be specified only if default permissions need to be changed. -*/ +# To modify the default group permissions, other_group_permissions can be used in a zipmap. +# In the above app the following permissions are assigned for each group: +# group1: SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group2: SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT +# group3: SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT + +# For group3, default permissions are assigned as it was not specified in the other_group_permissions. +# group should be specified only if default permissions need to be changed. locals { other_groups = zipmap( 
@@ -40,23 +39,23 @@ locals { dsm_group.group2.id ], [ - "SIGN,VERIFY,ENCRYPT,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", + "SIGN,VERIFY,ENCRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT", "SIGN,VERIFY,DECRYPT,WRAPKEY,UNWRAPKEY,DERIVEKEY,MACGENERATE,MACVERIFY,EXPORT,MANAGE,AGREEKEY,AUDIT" ] ) } -// An example on how to modify the existing permissions of a group in EKM +# An example on how to modify the existing permissions of a group in EKM resource "dsm_gcp_ekm_sa" "ekm_sa" { name = "service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com" default_group = dsm_group.group1.id other_group = [dsm_group.group2.id, dsm_group.group3.id] other_group_permissions = local.other_groups - // mod_group_permissions should be given while updating an app - mod_group_permissions = local.mod_groups + # mod_group_permissions should be given while updating an app + mod_group_permissions = local.mod_groups } -// group1 and group2 permissions modification +# group1 and group2 permissions modification locals { mod_groups = zipmap( [ diff --git a/examples/resources/dsm_gcp_sobject/resource.tf b/examples/resources/dsm_gcp_sobject/resource.tf index ab47279..9767047 100644 --- a/examples/resources/dsm_gcp_sobject/resource.tf +++ b/examples/resources/dsm_gcp_sobject/resource.tf 
@@ -1,30 +1,30 @@ -// Create a normal group +# Create a normal group resource "dsm_group" "normal_group" { name = "group_test" } -// Create GCP group +# Create GCP group resource "dsm_group" "gcp_group" { name = "gcp_group" hmg = jsonencode({ - kind = "GCPKEYRING" - key_ring = "key_ring_name" - project_id = "gcp_project_id" + kind = "GCPKEYRING" + key_ring = "key_ring_name" + project_id = "gcp_project_id" service_account_email = "test@test.iam.gserviceaccount.com" - location = "us-east1" - private_key = "" + location = "us-east1" + private_key = "" }) } -// Create an AES key in normal group +# Create an AES key in normal group resource "dsm_sobject" "sobject" { name = "aes256" key_size = 256 group_id = dsm_group.normal_group.id - obj_type = "AES" + obj_type = "AES" } -// Copy a key to GCP key ring using the above DSM security object +# Copy a key to GCP key ring using the above DSM security object resource "dsm_gcp_sobject" "gcp_sobject" { name = "gcp_sobject" group_id = dsm_group.gcp_group.id @@ -35,10 +35,8 @@ resource "dsm_gcp_sobject" "gcp_sobject" { gcp-key-id = "name-of-the-key-in-gcp" } rotation_policy = { - interval_days = 20 - effective_at = "20231130T183000Z" - deactivate_rotated_key = true - rotate_copied_keys = "all_external" + interval_days = 20 + effective_at = "20231130T183000Z" } obj_type = "AES" key_size = 256 diff --git a/examples/resources/dsm_group/resource.tf b/examples/resources/dsm_group/resource.tf index 35d326e..f6c336c 100644 --- a/examples/resources/dsm_group/resource.tf +++ b/examples/resources/dsm_group/resource.tf 
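Review bot: The `rotation_policy` in the last hunk of dsm_gcp_sobject drops `deactivate_rotated_key = true` and `rotate_copied_keys = "all_external"` without saying why, so a reader cannot tell whether these attributes are unsupported on this resource or merely omitted. If they were removed because the provider no longer accepts them here, a comment such as `# deactivate_rotated_key and rotate_copied_keys are not supported on this resource` on the `rotation_policy = {` line would make that explicit. If they are still supported, the example should say that without `deactivate_rotated_key` the previous key version remains usable after rotation, which is usually not what a rotation schedule intends.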
@@ -1,44 +1,55 @@ -// Create a normal group +# Create a normal group resource "dsm_group" "group" { name = "group" } -/* -Create a group with multiple parameters. -The following resource group is an example of an external KMS group of Azure key vault -and an approval policy. -For more examples of external KMS groups please refer Guides/create_BYOK_groups -*/ +# Create a group with multiple parameters. +# The following resource group is an example of an external KMS group of Azure key vault +# and an approval policy which is configured with two users. + +# For more examples of external KMS groups please refer Guides/create_BYOK_groups resource "dsm_group" "group" { - name = "group" + name = "group" description = "group description" approval_policy = jsonencode({ protect_permissions = [ - "ROTATE_SOBJECTS", - "REVOKE_SOBJECTS", - "REVERT_SOBJECTS", - "DELETE_KEY_MATERIAL", - "DELETE_SOBJECTS", - "DESTROY_SOBJECTS", - "MOVE_SOBJECTS", - "CREATE_SOBJECTS", - "UPDATE_SOBJECTS_PROFILE", - "UPDATE_SOBJECTS_ENABLED_STATE", - "UPDATE_SOBJECT_POLICIES", - "ACTIVATE_SOBJECTS", - "UPDATE_KEY_OPS" + "ROTATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", + "DESTROY_SOBJECTS", "MOVE_SOBJECTS", "CREATE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", + "UPDATE_SOBJECT_POLICIES", "ACTIVATE_SOBJECTS", "UPDATE_KEY_OPS" ] protect_crypto_operations = true quorum = { - n = 1 + n = 1, # This defines that `n` member of approvals required. members = [ { - user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + quorum = { + n = 1 # This defines that `n` member of approvals required. + members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + }, + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + } + ] + require_2fa = false, + require_password = false + } + }, + { + quorum = { + n = 1 # This defines that `n` member of approvals required. 
+ members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + } + ] + require_2fa = false, + require_password = false + } } ] - require_password = false - require_2fa = false } }) hmg = jsonencode({ @@ -50,12 +61,44 @@ resource "dsm_group" "group" { ca_set = "global_roots" } } - kind = "AZUREKEYVAULT" - secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + kind = "AZUREKEYVAULT" + secret_key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + tenant_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" + client_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" subscription_id = "0XXXXXXX-YYYY-HHHH-GGGG-123456789123" - key_vault_type = "STANDARD" + key_vault_type = "STANDARD" }) +} + + +# Create a group with basic approval_policy +# The following resource group is an example of approval policy which has configured with a single user. +resource "dsm_group" "group" { + name = "group" + description = "group description" + approval_policy = jsonencode({ + protect_permissions = [ + "ROTATE_SOBJECTS", "REVOKE_SOBJECTS", "REVERT_SOBJECTS", "DELETE_KEY_MATERIAL", "DELETE_SOBJECTS", + "DESTROY_SOBJECTS", "MOVE_SOBJECTS", "CREATE_SOBJECTS", "UPDATE_SOBJECTS_PROFILE", "UPDATE_SOBJECTS_ENABLED_STATE", + "UPDATE_SOBJECT_POLICIES", "ACTIVATE_SOBJECTS", "UPDATE_KEY_OPS" + ] + protect_crypto_operations = true + quorum = { + n = 1 # This defines that `n` member of approvals required. + members = [ + { + user = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" + } + ] + require_password = false + require_2fa = false + } + }) +} + + +# Create a normal group with key undo policy +resource "dsm_group" "group" { + name = "group" key_undo_policy_window_time = 9000 } \ No newline at end of file diff --git a/examples/resources/dsm_group_crypto_policy/resource.tf b/examples/resources/dsm_group_crypto_policy/resource.tf index 8095ff2..016b564 100644 --- a/examples/resources/dsm_group_crypto_policy/resource.tf 
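Review bot: The new header comment says the approval policy "is configured with two users", but the quorum in the first hunk now lists three user members (two in the first sub-quorum, one in the second), so either the comment should read `# and an approval policy configured with two nested user quorums.` or the member list should be trimmed to match. In the second hunk, `# The following resource group is an example of approval policy which has configured with a single user.` should read `# The following resource group is an example of an approval policy configured with a single user.`. Both nested sub-quorums in the first example set `require_2fa = false` and `require_password = false`; a one-line comment stating these are relaxed for the example would help readers who copy the block into a real group policy.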
+++ b/examples/resources/dsm_group_crypto_policy/resource.tf @@ -1,29 +1,18 @@ -// Create a group +# Create a group resource "dsm_group" "group" { name = "group" } -// Adding cryptographic policy to the group +## Adding cryptographic policy to the group + +# This resource is an example of a crypto policy with all the permissions allowed. resource "dsm_group_crypto_policy" "group_crypto_policy" { name = dsm_group.group.name cryptographic_policy = jsonencode({ legacy_policy = "allowed" key_ops = [ - "SIGN", - "VERIFY", - "ENCRYPT", - "DECRYPT", - "WRAPKEY", - "UNWRAPKEY", - "DERIVEKEY", - "MACGENERATE", - "MACVERIFY", - "EXPORT", - "APPMANAGEABLE", - "AGREEKEY", - "ENCAPSULATE", - "DECAPSULATE", - "TRANSFORM" + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "MACGENERATE", + "MACVERIFY", "EXhasPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE", "TRANSFORM" ] aes = { key_sizes = [128, 192, 256] @@ -43,17 +32,8 @@ resource "dsm_group_crypto_policy" "group_crypto_policy" { des = {} ec = { elliptic_curves = [ - "SecP192K1", - "SecP224K1", - "SecP256K1", - "NistP192", - "NistP224", - "NistP256", - "NistP384", - "NistP521", - "Gost256A", - "X25519", - "Ed25519" + "SecP192K1", "SecP224K1", "SecP256K1", "NistP192", "NistP224", "NistP256", + "NistP384", "NistP521", "Gost256A", "X25519", "Ed25519" ] } dsa = {} 
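Review bot: `"EXhasPORT"` in the `key_ops` list of the first hunk is a corrupted `"EXPORT"`; depending on how the provider validates key_ops the example either fails or requests an unknown operation, so the line should read `"MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE", "TRANSFORM"`. The same stray `has` appears in the third hunk of this file, where `"MACVERIFY",has "EXPORT",` is an HCL syntax error, and in that hunk's comment `defined beas null` should be `defined as null`.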
@@ -70,3 +50,36 @@ resource "dsm_group_crypto_policy" "group_crypto_policy" { }) } +# This resource is an example of a crypto policy with some restrictions. +# rsa, ec and dsa are defined beas null, hence they are not allowed to do any operations for rsa, ec and dsa. +# Similarly, if others are not required in the use case, those values can be defined as null. +resource "dsm_group_crypto_policy" "group_crypto_policy" { + name = dsm_group.group.name + cryptographic_policy = jsonencode({ + legacy_policy = "prohibited" # other values: allowed and unprotect_only + key_ops = [ + "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", + "MACVERIFY",has "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" + ] + aes = { + key_sizes = [128, 192, 256] + } + des3 = { + key_sizes = [112, 168] + } + hmac = { + minimum_key_length = 112 + } + opaque = {} + rsa = null + des = {} + ec = null + dsa = null + secret = {} + certificate = {} + aria = {} + seed = {} + kcdsa = {} + eckcdsa = {} + }) +} \ No newline at end of file diff --git a/examples/resources/dsm_group_user_role/resource.tf b/examples/resources/dsm_group_user_role/resource.tf index 80fc2dd..bf74c25 100644 --- a/examples/resources/dsm_group_user_role/resource.tf +++ b/examples/resources/dsm_group_user_role/resource.tf @@ -1,6 +1,6 @@ -// Adding a group role to a user +# Adding a group role to a user resource "dsm_group_user_role" "group_user_role" { - group_name = "crypto_group" - user_email = "test123@fortanix.com" - role_name = "GROUPAUDITOR" + group_name = "crypto_group" + user_email = "test123@fortanix.com" + role_name = "GROUPAUDITOR" } \ No newline at end of file diff --git a/examples/resources/dsm_plugin/resource.tf b/examples/resources/dsm_plugin/resource.tf index 7156918..e986882 100644 --- a/examples/resources/dsm_plugin/resource.tf +++ b/examples/resources/dsm_plugin/resource.tf 
@@ -1,28 +1,28 @@ -// Creation of a groups -resource "dsm_group" "group1"{ +# Creation of a groups +resource "dsm_group" "group1" { name = "group1" } -resource "dsm_group" "group2"{ +resource "dsm_group" "group2" { name = "group2" } -resource "dsm_group" "group3"{ +resource "dsm_group" "group3" { name = "group3" } -// Read the lua plugin from a file +# Read the lua plugin from a file data "local_file" "plugin_code" { - filename ="path/of/a/lua_plugin" + filename = "path/of/a/lua_plugin" } -// Create a plugin by reading a file +# Create a plugin by reading a file resource "dsm_plugin" "dsm_plugin" { - name = "dsm_plugin" - description = "DSM Plugin" + name = "dsm_plugin" + description = "DSM Plugin" default_group = dsm_group.group1.id - groups = [dsm_group.group2.id, dsm_group.group3.id] - plugin_type = "STANDARD" - language = "LUA" - code = data.local_file.plugin_code.content + groups = [dsm_group.group1.id, dsm_group.group2.id, dsm_group.group3.id] + plugin_type = "STANDARD" + language = "LUA" + code = data.local_file.plugin_code.content } \ No newline at end of file diff --git a/examples/resources/dsm_secret/resource.tf b/examples/resources/dsm_secret/resource.tf index 90df5dd..6cba097 100644 --- a/examples/resources/dsm_secret/resource.tf +++ b/examples/resources/dsm_secret/resource.tf @@ -1,10 +1,10 @@ -// Create a group +# Create a group resource "dsm_group" "group" { - name = "group" + name = "group" description = "group description" } -// Import a secret +# Import a secret resource "dsm_secret" "secret" { name = "secret" group_id = dsm_group.group.id @@ -15,7 +15,7 @@ resource "dsm_secret" "secret" { expiry_date = "2025-02-02T17:04:05Z" } -// Rotate a secret +# Rotate a secret resource "dsm_secret" "secret_rotate" { name = "secret_rotate" group_id = dsm_group.group.id 
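Review bot: `groups` in dsm_plugin now also lists `dsm_group.group1.id`, which is already the `default_group`, but nothing in the example says why. If the provider requires the default group to be a member of `groups`, a comment such as `# groups must include the default_group` on that line would keep the next editor from removing the apparent duplicate; if it is not required, the previous value was the clearer example.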
@@ -25,6 +25,6 @@ resource "dsm_secret" "secret_rotate" { value = "cm90YXRlZm9ydGFuaXg=" expiry_date = "2025-02-02T17:04:05Z" rotate = true - // Provide the secret security object name that needs to be rotated + # Provide the secret security object name that needs to be rotated rotate_from = dsm_secret.secret.name } \ No newline at end of file From d4c1d4ce1eadf725f62b03328db186161e48ffb2 Mon Sep 17 00:00:00 2001 From: RaviGopal Date: Mon, 23 Sep 2024 18:51:33 +0530 Subject: [PATCH 2/3] Conflicts resolved --- docs-archived/guides/dsm_azure_sobject.md | 93 ++++++----------------- docs/guides/dsm_azure_sobject.md | 93 ++++++----------------- 2 files changed, 48 insertions(+), 138 deletions(-) diff --git a/docs-archived/guides/dsm_azure_sobject.md b/docs-archived/guides/dsm_azure_sobject.md index 68f89a9..8058cb4 100644 --- a/docs-archived/guides/dsm_azure_sobject.md +++ b/docs-archived/guides/dsm_azure_sobject.md 
@@ -53,60 +53,39 @@ resource "dsm_azure_sobject" "rsa_key_azure" { ## 1st Rotation of azure security object with DSM option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate1" { - name = dsm_sobject.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "DSM" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate to DSM security object +# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate1.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "DSM" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated. 
} ## 2nd Rotation of azure security object with DSM option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate2" { - name = es.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "DSM" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate to DSM security object +# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate2.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "DSM" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated. } + ``` ## Rotate with AZURE Option 
@@ -162,58 +141,36 @@ resource "dsm_azure_sobject" "rsa_key_azure" { ## 1st Rotation of azure security object with AZURE option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate1" { - name = dsm_sobject.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "AZURE" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate Azure security object +# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key name to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate1.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "AZURE" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated. 
} ## 2nd Rotation of azure security object with AZURE option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate2" { - name = dsm_sobject.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "AZURE" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate Azure security object +# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate2.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "AZURE" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated. } ``` @@ -237,11 +194,10 @@ resource "dsm_azure_sobject" "rsa_key_azure" { soft_deletion = true } - ## Purging a dsm_azure_sobject. # Enable purge_deleted_key as true. -# This can be enabled only during update. +# Only after soft_deletion can this be enabled during an update resource "dsm_azure_sobject" "rsa_key_azure" { name = "rsa_key_azure" group_id = dsm_group.azure_group.id 
@@ -258,6 +214,7 @@ resource "dsm_azure_sobject" "rsa_key_azure" { ## Soft deletion and Purging a key in a single request. # First it does the soft deletion and then purging the key. +# These can be enabled only during update. resource "dsm_azure_sobject" "rsa_key_azure" { name = "rsa_key_azure" group_id = dsm_group.azure_group.id @@ -271,6 +228,4 @@ resource "dsm_azure_sobject" "rsa_key_azure" { soft_deletion = true purge_deleted_key = true } -``` - - +``` \ No newline at end of file diff --git a/docs/guides/dsm_azure_sobject.md b/docs/guides/dsm_azure_sobject.md index 68f89a9..8058cb4 100644 --- a/docs/guides/dsm_azure_sobject.md +++ b/docs/guides/dsm_azure_sobject.md 
@@ -53,60 +53,39 @@ resource "dsm_azure_sobject" "rsa_key_azure" { ## 1st Rotation of azure security object with DSM option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate1" { - name = dsm_sobject.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "DSM" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate to DSM security object +# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate1.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "DSM" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated. 
} ## 2nd Rotation of azure security object with DSM option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate2" { - name = es.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "DSM" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate to DSM security object +# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate2.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "DSM" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated. } + ``` ## Rotate with AZURE Option 
@@ -162,58 +141,36 @@ resource "dsm_azure_sobject" "rsa_key_azure" { ## 1st Rotation of azure security object with AZURE option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate1" { - name = dsm_sobject.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "AZURE" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate Azure security object +# Just copy the above dsm_azure_sobject.rsa_key_azure, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate1" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure.name # Name should be the same as the key name to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate1.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "AZURE" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure.name # Name of the key from where it is being rotated. 
} ## 2nd Rotation of azure security object with AZURE option -# Rotate RSA security object -resource "dsm_sobject" "rsa_key_dsm_rotate2" { - name = dsm_sobject.rsa_key_dsm.name - group_id = dsm_group.normal_group.id - key_size = 2048 - key_ops = ["ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "SIGN", "VERIFY", "EXPORT"] - obj_type = "RSA" - rotate = "AZURE" - rotate_from = dsm_sobject.rsa_key_dsm.name -} - -# Rotate Azure security object +# Just copy the above dsm_azure_sobject.rsa_key_azure_rotate1, add rotate and rotate_from attributes and change the resource name resource "dsm_azure_sobject" "rsa_key_azure_rotate2" { - name = dsm_azure_sobject.rsa_key_azure.name + name = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name should be the same as the key name to be rotated. group_id = dsm_group.azure_group.id key = { - kid = dsm_sobject.rsa_key_dsm_rotate2.id + kid = dsm_sobject.rsa_key_dsm.id } custom_metadata = { - azure-key-name = "rsa-key-azure" + azure-key-name = "rsa-key-azure" # Should be the same azure-key-name as the key copied to the Azure group } key_ops = ["SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME"] rotate = "AZURE" - rotate_from = dsm_azure_sobject.rsa_key_azure.name + rotate_from = dsm_azure_sobject.rsa_key_azure_rotate1.name # Name of the key from where it is being rotated. } ``` @@ -237,11 +194,10 @@ resource "dsm_azure_sobject" "rsa_key_azure" { soft_deletion = true } - ## Purging a dsm_azure_sobject. # Enable purge_deleted_key as true. -# This can be enabled only during update. +# Only after soft_deletion can this be enabled during an update resource "dsm_azure_sobject" "rsa_key_azure" { name = "rsa_key_azure" group_id = dsm_group.azure_group.id 
@@ -258,6 +214,7 @@ resource "dsm_azure_sobject" "rsa_key_azure" { ## Soft deletion and Purging a key in a single request. # First it does the soft deletion and then purging the key. +# These can be enabled only during update. resource "dsm_azure_sobject" "rsa_key_azure" { name = "rsa_key_azure" group_id = dsm_group.azure_group.id @@ -271,6 +228,4 @@ resource "dsm_azure_sobject" "rsa_key_azure" { soft_deletion = true purge_deleted_key = true } -``` - - +``` \ No newline at end of file From a9ecba7bfe631fad94e588336e9184c539253f26 Mon Sep 17 00:00:00 2001 From: RaviGopal Date: Wed, 25 Sep 2024 10:39:56 +0530 Subject: [PATCH 3/3] Addressed review comments: On branch final_doc_changes_5_33 Your branch is up to date with 'origin/final_doc_changes_5_33'. --- docs/resources/acc_crypto_policy.md | 4 ++-- docs/resources/azure_group.md | 2 +- docs/resources/csr.md | 2 +- docs/resources/existing_group.md | 2 +- docs/resources/group_crypto_policy.md | 4 ++-- examples/resources/dsm_acc_crypto_policy/resource.tf | 4 ++-- examples/resources/dsm_azure_group/resource.tf | 2 +- examples/resources/dsm_csr/resource.tf | 2 +- examples/resources/dsm_existing_group/resource.tf | 2 +- examples/resources/dsm_group_crypto_policy/resource.tf | 4 ++-- 10 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/resources/acc_crypto_policy.md b/docs/resources/acc_crypto_policy.md index f650be3..1996cf0 100644 --- a/docs/resources/acc_crypto_policy.md +++ b/docs/resources/acc_crypto_policy.md @@ -23,7 +23,7 @@ variable "acct_id" { resource "dsm_acc_crypto_policy" "name" { acct_id = var.acct_id cryptographic_policy = jsonencode({ - legacy_policy = "allowed" # other values: prohibited and unprotect_only + legacy_policy = "allowed" # other accepted values: prohibited and unprotect_only key_ops = [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" 
@@ -101,7 +101,7 @@ resource "dsm_acc_crypto_policy" "name" { resource "dsm_acc_crypto_policy" "name" { acct_id = var.acct_id cryptographic_policy = jsonencode({ - legacy_policy = "prohibited" # other values: allowed and unprotect_only + legacy_policy = "prohibited" # other accepted values: allowed and unprotect_only key_ops = [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" diff --git a/docs/resources/azure_group.md b/docs/resources/azure_group.md index 9805c42..1251695 100644 --- a/docs/resources/azure_group.md +++ b/docs/resources/azure_group.md @@ -17,7 +17,7 @@ Creates a Fortanix DSM group mapped to Azure Key Vault in the cluster as a resou resource "dsm_azure_group" "dsm_azure_group" { name = "dsm_azure_group" description = "Azure group" - url = "https:#testfortanixterraform.vault.azure.net/" + url = "https://testfortanixterraform.vault.azure.net/" tenant_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" client_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" diff --git a/docs/resources/csr.md b/docs/resources/csr.md index af986c5..72d101d 100644 --- a/docs/resources/csr.md +++ b/docs/resources/csr.md @@ -14,7 +14,7 @@ Generates a CSR from an existing private key within DSM. ```terraform # To use this resource, it is required to create a custom plugin in DSM first. -# Copy the plugin from https:#github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua +# Copy the plugin from https://github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua # Create the custom plugin in DSM # Plugin title: "Terraform Plugin - CSR" diff --git a/docs/resources/existing_group.md b/docs/resources/existing_group.md index 5a30e0e..c39f916 100644 --- a/docs/resources/existing_group.md +++ b/docs/resources/existing_group.md 
@@ -61,7 +61,7 @@ resource "dsm_existing_group" "dsm_group" { name = "dsm_group" description = "Update existing group" hmg = jsonencode({ - url = "https:#sampleakv.vault.azure.net/" + url = "https://sampleakv.vault.azure.net/" tls = { mode = "required" validate_hostname : false diff --git a/docs/resources/group_crypto_policy.md b/docs/resources/group_crypto_policy.md index cb18ed4..2d419fe 100644 --- a/docs/resources/group_crypto_policy.md +++ b/docs/resources/group_crypto_policy.md @@ -18,7 +18,7 @@ resource "dsm_group" "group" { name = "group" } -## Adding cryptographic policy to the group +# Adding cryptographic policy to the group # This resource is an example of a crypto policy with all the permissions allowed. resource "dsm_group_crypto_policy" "group_crypto_policy" { @@ -66,7 +66,7 @@ resource "dsm_group_crypto_policy" "group_crypto_policy" { } # This resource is an example of a crypto policy with some restrictions. -# rsa, ec and dsa are defined beas null, hence they are not allowed to do any operations for rsa, ec and dsa. +# rsa, ec and dsa are defined as null, hence they are not allowed to do any operations for rsa, ec and dsa. # Similarly, if others are not required in the use case, those values can be defined as null. resource "dsm_group_crypto_policy" "group_crypto_policy" { name = dsm_group.group.name diff --git a/examples/resources/dsm_acc_crypto_policy/resource.tf b/examples/resources/dsm_acc_crypto_policy/resource.tf index 30628ce..efc393d 100644 --- a/examples/resources/dsm_acc_crypto_policy/resource.tf +++ b/examples/resources/dsm_acc_crypto_policy/resource.tf 
@@ -8,7 +8,7 @@ variable "acct_id" { resource "dsm_acc_crypto_policy" "name" { acct_id = var.acct_id cryptographic_policy = jsonencode({ - legacy_policy = "allowed" # other values: prohibited and unprotect_only + legacy_policy = "allowed" # other accepted values: prohibited and unprotect_only key_ops = [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" @@ -86,7 +86,7 @@ resource "dsm_acc_crypto_policy" "name" { resource "dsm_acc_crypto_policy" "name" { acct_id = var.acct_id cryptographic_policy = jsonencode({ - legacy_policy = "prohibited" # other values: allowed and unprotect_only + legacy_policy = "prohibited" # other accepted values: allowed and unprotect_only key_ops = [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" diff --git a/examples/resources/dsm_azure_group/resource.tf b/examples/resources/dsm_azure_group/resource.tf index aea8127..fb79ab5 100644 --- a/examples/resources/dsm_azure_group/resource.tf +++ b/examples/resources/dsm_azure_group/resource.tf @@ -2,7 +2,7 @@ resource "dsm_azure_group" "dsm_azure_group" { name = "dsm_azure_group" description = "Azure group" - url = "https:#testfortanixterraform.vault.azure.net/" + url = "https://testfortanixterraform.vault.azure.net/" tenant_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" client_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" subscription_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" diff --git a/examples/resources/dsm_csr/resource.tf b/examples/resources/dsm_csr/resource.tf index 76b87d9..c996891 100644 --- a/examples/resources/dsm_csr/resource.tf +++ b/examples/resources/dsm_csr/resource.tf 
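Review bot: The `https:#` → `https://` repair on the `url` argument of dsm_azure_group, together with the identical fixes in dsm_existing_group, dsm_csr and the docs copies, indicates that the earlier `//` → `#` comment-marker rewrite also ran over string literals. A repository-wide search for `https:#` and `http:#` before merge would confirm no other example or guide still carries a mangled endpoint, since a broken vault URL in a copied example would only surface when the group is actually created against DSM.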
@@ -1,5 +1,5 @@ # To use this resource, it is required to create a custom plugin in DSM first. -# Copy the plugin from https:#github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua +# Copy the plugin from https://github.com/fortanix/terraform-provider-dsm/blob/main/plugins/Terraform-Plugin-CSR.lua # Create the custom plugin in DSM # Plugin title: "Terraform Plugin - CSR" diff --git a/examples/resources/dsm_existing_group/resource.tf b/examples/resources/dsm_existing_group/resource.tf index da0f883..e85630d 100644 --- a/examples/resources/dsm_existing_group/resource.tf +++ b/examples/resources/dsm_existing_group/resource.tf @@ -44,7 +44,7 @@ resource "dsm_existing_group" "dsm_group" { name = "dsm_group" description = "Update existing group" hmg = jsonencode({ - url = "https:#sampleakv.vault.azure.net/" + url = "https://sampleakv.vault.azure.net/" tls = { mode = "required" validate_hostname : false diff --git a/examples/resources/dsm_group_crypto_policy/resource.tf b/examples/resources/dsm_group_crypto_policy/resource.tf index 016b564..13d9462 100644 --- a/examples/resources/dsm_group_crypto_policy/resource.tf +++ b/examples/resources/dsm_group_crypto_policy/resource.tf @@ -3,7 +3,7 @@ resource "dsm_group" "group" { name = "group" } -## Adding cryptographic policy to the group +# Adding cryptographic policy to the group # This resource is an example of a crypto policy with all the permissions allowed. resource "dsm_group_crypto_policy" "group_crypto_policy" { 
@@ -51,7 +51,7 @@ resource "dsm_group_crypto_policy" "group_crypto_policy" { } # This resource is an example of a crypto policy with some restrictions. -# rsa, ec and dsa are defined beas null, hence they are not allowed to do any operations for rsa, ec and dsa. +# rsa, ec and dsa are defined as null, hence they are not allowed to do any operations for rsa, ec and dsa. # Similarly, if others are not required in the use case, those values can be defined as null. resource "dsm_group_crypto_policy" "group_crypto_policy" { name = dsm_group.group.name