Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added CMEK for Secret auto managed #1739

Merged
merged 13 commits into from
Nov 10, 2023
Merged

Added CMEK for Secret auto managed #1739

merged 13 commits into from
Nov 10, 2023

Conversation

luigi-bitonti
Copy link
Contributor

Users can choose a custom KMS key for Secret Manager secret replicated automatically.

Checklist

I applicable, I acknowledge that I have:

  • Read the contributing guide
  • Ran terraform fmt on all modified files
  • Regenerated the relevant README.md files using tools/tfdoc.py
  • Made sure all relevant tests pass

@luigi-bitonti luigi-bitonti force-pushed the secret_kms branch 2 times, most recently from 6b3cc14 to c2c96ea Compare October 8, 2023 20:54
juliocc
juliocc previously requested changes Oct 9, 2023
View reviewed changes
Copy link
Collaborator

@juliocc juliocc left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes introduced in this PR make the module's use ambiguous. If I understand correctly, you're assuming that if the user specifies a global key, then it will be used for automatic replication.

This opens a few questions:

  • How do I enable customer managed replication with a global key?
  • How do I disable automatic replication with a global key?
  • What happens if the user provides global and regional keys at the same time?

At the very least, I think there should be a way for the user to specify what type of replication to use.

@luigi-bitonti
Copy link
Contributor Author

luigi-bitonti commented Oct 9, 2023
edited
Loading

The changes introduced in this PR make the module's use ambiguous. If I understand correctly, you're assuming that if the user specifies a global key, then it will be used for automatic replication.

This opens a few questions:

  • How do I enable customer managed replication with a global key?
  • How do I disable automatic replication with a global key?
  • What happens if the user provides global and regional keys at the same time?

At the very least, I think there should be a way for the user to specify what type of replication to use.

Hi Julio
your assumption it's correct.

  • I haven't changed this part, so if you wanted to use a global key to encrypt a secret in europe-west1, you would have to insert in encryption key variable: europe-west1: global_key_selflink;
  • If you don't put null in secrets variable, you won't use automatic replication, so the global key will not be used. The same happen in customer managed replication: if your secret it's in europe-west1 but in encryption key variable there is not the key europe-west1, the secret will be crypted with Google default key.
  • Customer managed replication secrets will be crypted with regional key, automatic replication secrets will be crypted with global key.
  • If you put null as value in secrets variable, the secret will have automatic replication. If you put a region, the secret will have a custom replication.

@luigi-bitonti luigi-bitonti requested a review from juliocc October 10, 2023 09:17
@luigi-bitonti luigi-bitonti force-pushed the secret_kms branch 3 times, most recently from d35c950 to 951488a Compare October 12, 2023 10:43
@luigi-bitonti
Copy link
Contributor Author

luigi-bitonti commented Oct 12, 2023
edited
Loading

@juliocc Is there anything else I need to do to keep PR going?

@luigi-bitonti luigi-bitonti force-pushed the secret_kms branch 3 times, most recently from e925217 to 5a1f36d Compare October 15, 2023 19:36
ludoo
ludoo previously requested changes Oct 16, 2023
View reviewed changes
Copy link
Collaborator

@ludoo ludoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we start supporting a new feature which we did not previously support, we need to implement it fully. The replication block supports auto and user management settings, please refactor this to properly support both.

image

@luigi-bitonti
Copy link
Contributor Author

If we start supporting a new feature which we did not previously support, we need to implement it fully. The replication block supports auto and user management settings, please refactor this to properly support both.

image

image

Both user_managed replication and auto replication are supported. With this PR, I want to introduce CMEK feature on auto replication. Currently, CMEK can be used only for user_managed replication.

@ludoo
Copy link
Collaborator

ludoo commented Oct 16, 2023

Replication should be controlled via its own variable, and the CMEK key should be an attribute in it, not a top-level variable.

@luigi-bitonti
Copy link
Contributor Author

Replication should be controlled via its own variable, and the CMEK key should be an attribute in it, not a top-level variable.

So you suggest that the entire logic of this part should be refactored, also the As Is?

@ludoo
Copy link
Collaborator

ludoo commented Oct 16, 2023

Replication should be controlled via its own variable, and the CMEK key should be an attribute in it, not a top-level variable.

So you suggest that the entire logic of this part should be refactored, also the As Is?

yep, and sorry for doing this in pieces, if we were face to face it would have been a 5m discussion :) I think we should make replication a top-level variable now, and expose auto/user managed/key in its structure

I can give it a shot if you like

@luigi-bitonti
Copy link
Contributor Author

Replication should be controlled via its own variable, and the CMEK key should be an attribute in it, not a top-level variable.

So you suggest that the entire logic of this part should be refactored, also the As Is?

yep, and sorry for doing this in pieces, if we were face to face it would have been a 5m discussion :) I think we should make replication a top-level variable now, and expose auto/user managed/key in its structure

I can give it a shot if you like

I was thinking something like this:
image
But OK, if you want you can do it :)

@luigi-bitonti
Copy link
Contributor Author

luigi-bitonti commented Oct 31, 2023
edited
Loading

@ludoo I tried to implement your suggest by refactoring the logic of secrets variable.

@luigi-bitonti luigi-bitonti force-pushed the secret_kms branch 2 times, most recently from ac80035 to 4c07268 Compare November 2, 2023 08:17
@luigi-bitonti luigi-bitonti force-pushed the secret_kms branch 2 times, most recently from d93c31c to 63f4376 Compare November 2, 2023 15:59
@luigi-bitonti luigi-bitonti requested a review from ludoo November 2, 2023 17:09
@luigi-bitonti luigi-bitonti force-pushed the secret_kms branch 4 times, most recently from ab30f7a to 06b207d Compare November 9, 2023 09:29
@luigi-bitonti
Copy link
Contributor Author

Hi @wiktorn, is there anything else I can do for this PR?

@wiktorn wiktorn requested review from juliocc and removed request for ludoo and juliocc November 10, 2023 15:42
@wiktorn wiktorn dismissed stale reviews from ludoo and juliocc November 10, 2023 15:44

As discussed, moving forward with this PR

@wiktorn wiktorn merged commit d07f8fd into GoogleCloudPlatform:master Nov 10, 2023
9 checks passed
@wiktorn
Copy link
Collaborator

wiktorn commented Nov 10, 2023

Thank you for your contribution @luigi-bitonti and sorry to keep you waiting.

@luigi-bitonti luigi-bitonti deleted the secret_kms branch November 10, 2023 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wiktorn wiktorn wiktorn approved these changes

@juliocc juliocc juliocc left review comments

@ludoo ludoo ludoo left review comments

Assignees
No one assigned
Labels
on:blueprints on:modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@luigi-bitonti @ludoo @wiktorn @juliocc