GoogleCloudPlatform · wiktorn · Mar 13, 2024 · Mar 12, 2024 · Mar 12, 2024 · Mar 12, 2024
diff --git a/modules/kms/README.md b/modules/kms/README.md
@@ -7,8 +7,8 @@ When using an existing keyring be mindful about applying IAM bindings, as all bi
 <!-- BEGIN TOC -->
 - [Protecting against destroy](#protecting-against-destroy)
 - [Examples](#examples)
-  - [Using an existing keyring](#using-an-existing-keyring)
   - [Keyring creation and crypto key rotation and IAM roles](#keyring-creation-and-crypto-key-rotation-and-iam-roles)
+  - [Using an existing keyring](#using-an-existing-keyring)
   - [Crypto key purpose](#crypto-key-purpose)
   - [Import job](#import-job)
 - [Variables](#variables)
@@ -21,44 +21,28 @@ In this module **no lifecycle blocks are set on resources to prevent destroy**,
 
 ## Examples
 
-### Using an existing keyring
-
-```hcl
-module "kms" {
-  source     = "./fabric/modules/kms"
-  project_id = "my-project"
-  iam = {
-    "roles/cloudkms.admin" = ["user:user1@example.com"]
-  }
-  keyring        = { location = "europe-west1", name = "test" }
-  keyring_create = false
-  keys           = { key-a = {}, key-b = {}, key-c = {} }
-}
-# tftest skip (uses data sources)
-```
-
 ### Keyring creation and crypto key rotation and IAM roles
 
 ```hcl
 module "kms" {
   source     = "./fabric/modules/kms"
-  project_id = "my-project"
+  project_id = var.project_id
   keyring = {
-    location = "europe-west1"
-    name     = "test"
+    location = var.region
+    name     = "test-1"
   }
   keys = {
     key-a = {
       iam = {
-        "roles/cloudkms.admin" = ["user:user3@example.com"]
+        "roles/cloudkms.admin" = ["group:${var.group_email}"]
       }
     }
     key-b = {
       rotation_period = "604800s"
       iam_bindings_additive = {
         key-b-iam1 = {
           key    = "key-b"
-          member = "user:am1@example.com"
+          member = "group:${var.group_email}"
           role   = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
         }
       }
@@ -70,18 +54,34 @@ module "kms" {
     }
   }
 }
-# tftest modules=1 resources=6 inventory=basic.yaml
+# tftest modules=1 resources=6 inventory=basic.yaml e2e
+```
+
+### Using an existing keyring
+
+```hcl
+module "kms" {
+  source     = "./fabric/modules/kms"
+  project_id = var.project_id
+  iam = {
+    "roles/cloudkms.admin" = ["group:${var.group_email}"]
+  }
+  keyring        = { location = var.region, name = var.keyring.name }
+  keyring_create = false
+  keys           = { key-a = {}, key-b = {}, key-c = {} }
+}
+# tftest skip (uses data sources) e2e
 ```
 
 ### Crypto key purpose
 
 ```hcl
 module "kms" {
   source     = "./fabric/modules/kms"
-  project_id = "my-project"
+  project_id = var.project_id
   keyring = {
-    location = "europe-west1"
-    name     = "test"
+    location = var.region
+    name     = "test-2"
   }
   keys = {
     key-a = {
@@ -93,26 +93,26 @@ module "kms" {
     }
   }
 }
-# tftest modules=1 resources=2 inventory=purpose.yaml
+# tftest modules=1 resources=2 inventory=purpose.yaml e2e
 ```
 
 ### Import job
 
 ```hcl
 module "kms" {
   source     = "./fabric/modules/kms"
-  project_id = "my-project"
+  project_id = var.project_id
   keyring = {
-    location = "europe-west1"
-    name     = "test"
+    location = var.region
+    name     = "test-3"
   }
   import_job = {
     id               = "my-import-job"
     import_method    = "RSA_OAEP_3072_SHA1_AES_256"
     protection_level = "SOFTWARE"
   }
 }
-# tftest modules=1 resources=2 inventory=import-job.yaml
+# tftest modules=1 resources=2 inventory=import-job.yaml e2e
 ```
 <!-- BEGIN TFDOC -->
 ## Variables

diff --git a/tests/examples/variables.tf b/tests/examples/variables.tf
@@ -26,6 +26,12 @@ variable "group_email" {
   default = "organization-admins@example.org"
 }
 
+variable "keyring" {
+  default = {
+    name = "keyring"
+  }
+}
+
 variable "kms_key" {
   default = {
     id = "kms_key_self_link"

diff --git a/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl b/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl
@@ -17,6 +17,9 @@ billing_account_id = "${billing_account_id}"
 kms_key = {
     id = "${kms_key_id}"
 }
+keyring = {
+  name     = "${keyring.name}"
+}
 group_email     = "${group_email}"
 organization_id = "organizations/${organization_id}"
 folder_id       = "folders/${folder_id}"

diff --git a/tests/examples_e2e/setup_module/main.tf b/tests/examples_e2e/setup_module/main.tf
@@ -150,10 +150,13 @@ resource "local_file" "terraform_tfvars" {
     folder_id          = google_folder.folder.folder_id
     group_email        = var.group_email
     kms_key_id         = google_kms_crypto_key.key.id
-    organization_id    = var.organization_id
-    project_id         = google_project.project.project_id
-    project_number     = google_project.project.number
-    region             = var.region
+    keyring = {
+      name = google_kms_key_ring.keyring.name
+    }
+    organization_id = var.organization_id
+    project_id      = google_project.project.project_id
+    project_number  = google_project.project.number
+    region          = var.region
     service_account = {
       id        = google_service_account.service_account.id
       email     = google_service_account.service_account.email

diff --git a/tests/modules/kms/examples/basic.yaml b/tests/modules/kms/examples/basic.yaml
@@ -35,16 +35,16 @@ values:
   module.kms.google_kms_crypto_key_iam_binding.authoritative["key-a.roles/cloudkms.admin"]:
     condition: []
     members:
-    - user:user3@example.com
+    - group:organization-admins@example.org
     role: roles/cloudkms.admin
   module.kms.google_kms_crypto_key_iam_member.members["key-b-iam1"]:
     condition: []
-    member: user:am1@example.com
+    member: group:organization-admins@example.org
     role: roles/cloudkms.cryptoKeyEncrypterDecrypter
   module.kms.google_kms_key_ring.default[0]:
-    location: europe-west1
-    name: test
-    project: my-project
+    location: europe-west8
+    name: test-1
+    project: project-id
 
 counts:
   google_kms_crypto_key: 3

diff --git a/tests/modules/kms/examples/import-job.yaml b/tests/modules/kms/examples/import-job.yaml
@@ -18,9 +18,9 @@ values:
     import_method: RSA_OAEP_3072_SHA1_AES_256
     protection_level: SOFTWARE
   module.kms.google_kms_key_ring.default[0]:
-    location: europe-west1
-    name: test
-    project: my-project
+    location: europe-west8
+    name: test-3
+    project: project-id
 
 counts:
   google_kms_key_ring_import_job: 1

diff --git a/tests/modules/kms/examples/purpose.yaml b/tests/modules/kms/examples/purpose.yaml
@@ -20,9 +20,9 @@ values:
     - algorithm: EC_SIGN_P384_SHA384
       protection_level: HSM
   module.kms.google_kms_key_ring.default[0]:
-    location: europe-west1
-    name: test
-    project: my-project
+    location: europe-west8
+    name: test-2
+    project: project-id
 
 counts:
   google_kms_crypto_key: 1