# Copyright (c) 2023 Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
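locals {
  #-- One IAM policy definition per managed key (var.vaults_configuration.keys). The compartment reference
  #-- is accepted either as an OCID literal (matches ^ocid1) or as a key into var.compartments_dependency
  #-- that is resolved to an OCID; the configuration-wide default_compartment_id is used when the key
  #-- entry does not set one.
  keys_policies = flatten([
    for key_key, key_value in (var.vaults_configuration != null ? (var.vaults_configuration.keys != null ? var.vaults_configuration.keys : {}) : {}) : {
      key            = key_key
      compartment_id = key_value.compartment_id != null ? (length(regexall("^ocid1.*$", key_value.compartment_id)) > 0 ? key_value.compartment_id : var.compartments_dependency[key_value.compartment_id].id) : (length(regexall("^ocid1.*$", var.vaults_configuration.default_compartment_id)) > 0 ? var.vaults_configuration.default_compartment_id : var.compartments_dependency[var.vaults_configuration.default_compartment_id].id)
      name           = "${key_value.name}-policy"
      description    = "CIS Landing Zone policy allowing access to ${key_value.name} Key in the Vault service."
      #-- Every statement is pinned to this single key through "where target.key.id = ..."; services are
      #-- granted "use keys", groups are granted "use key-delegate". Grantee names are interpolated
      #-- verbatim into the IAM statements, so they are expected to be well-formed service/group names.
      statements = concat(
        key_value.service_grantees != null ? [for sg in key_value.service_grantees : "Allow service ${sg} to use keys in compartment ${data.oci_identity_compartment.managed_keys[key_key].name} where target.key.id = '${oci_kms_key.these[key_key].id}'"] : [],
        key_value.group_grantees != null ? [for gg in key_value.group_grantees : "Allow group ${gg} to use key-delegate in compartment ${data.oci_identity_compartment.managed_keys[key_key].name} where target.key.id = '${oci_kms_key.these[key_key].id}'"] : []
      )
      defined_tags = key_value.defined_tags != null ? key_value.defined_tags : var.vaults_configuration.default_defined_tags
      #-- Per-key freeform tags override the configuration defaults; the module tag is always merged in.
      #-- (The original repeated the "freeform_tags != null" test twice; the single test is equivalent and
      #-- matches the form used by the vault and key resources.)
      freeform_tags = merge(local.cislz_module_tag, key_value.freeform_tags != null ? key_value.freeform_tags : var.vaults_configuration.default_freeform_tags)
    }
  ])

  #-- Flat list of (key, version) pairs driving oci_kms_key_version.these. version_key is the
  #-- "<key>.<version>" string used as the resource instance key.
  keys_versions = flatten([
    for key_key, key_value in (var.vaults_configuration != null ? (var.vaults_configuration.keys != null ? var.vaults_configuration.keys : {}) : {}) : [
      for version in (key_value.versions != null ? key_value.versions : []) : {
        key_key     = key_key
        version_key = "${key_key}.${version}"
      }
    ]
  ])

  #-- Key algorithms accepted by the oci_kms_key.these precondition (compared case-insensitively).
  algorithms = ["AES", "RSA", "ECDSA"]
}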
#-- Used for retrieving the compartment name to use in policy statements
data "oci_identity_compartment" "managed_keys" {
#-- Same provider as the oci_identity_policy resources below, so the lookup and the policies agree on the region.
provider = oci.home
#-- One lookup per managed key, resolving the same compartment reference (OCID literal matching ^ocid1, or a
#-- var.compartments_dependency key, falling back to default_compartment_id) that oci_kms_key.these resolves.
#-- The resulting compartment name is what local.keys_policies interpolates into the policy statements.
for_each = { for k, v in (var.vaults_configuration != null ? (var.vaults_configuration.keys != null ? var.vaults_configuration.keys : {}) : {}) : k => {compartment_id = v.compartment_id != null ? (length(regexall("^ocid1.*$", v.compartment_id)) > 0 ? v.compartment_id : var.compartments_dependency[v.compartment_id].id) : (length(regexall("^ocid1.*$", var.vaults_configuration.default_compartment_id)) > 0 ? var.vaults_configuration.default_compartment_id : var.compartments_dependency[var.vaults_configuration.default_compartment_id].id) } }
id = each.value.compartment_id
}
resource "oci_kms_vault" "these" {
  #-- One vault per entry of var.vaults_configuration.vaults; nothing is created when the
  #-- configuration or its vaults attribute is absent.
  for_each = var.vaults_configuration != null ? (var.vaults_configuration.vaults != null ? var.vaults_configuration.vaults : {}) : {}
  provider = oci

  display_name = each.value.name
  #-- The vault type is upper-cased; DEFAULT is used when the entry does not set one.
  vault_type = upper(coalesce(each.value.type, "DEFAULT"))

  #-- The compartment comes from the vault entry, falling back to the configuration-wide default.
  #-- Either value may be an OCID literal (matches ^ocid1) or a key resolved through var.compartments_dependency.
  compartment_id = (
    each.value.compartment_id != null
    ? (length(regexall("^ocid1.*$", each.value.compartment_id)) > 0 ? each.value.compartment_id : var.compartments_dependency[each.value.compartment_id].id)
    : (length(regexall("^ocid1.*$", var.vaults_configuration.default_compartment_id)) > 0 ? var.vaults_configuration.default_compartment_id : var.compartments_dependency[var.vaults_configuration.default_compartment_id].id)
  )

  #-- Per-vault tags override the configuration defaults; the module tag is always merged into freeform tags.
  defined_tags  = each.value.defined_tags != null ? each.value.defined_tags : var.vaults_configuration.default_defined_tags
  freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.vaults_configuration.default_freeform_tags)
}
resource "oci_kms_key" "these" {
provider = oci
#-- create_before_destroy makes Terraform to first update any resources that depend on these keys before destroying the keys.
#-- This helps with Object Storage encrypted buckets, when updated with a new encryption key.
lifecycle {
create_before_destroy = true
#-- Reject unsupported algorithms at plan time; the comparison is case-insensitive against local.algorithms.
precondition {
condition = contains(local.algorithms,upper(coalesce(each.value.algorithm,"AES")))
error_message = "VALIDATION FAILURE : \"${upper(coalesce(each.value.algorithm,"AES"))}\" value is invalid for \"algorithm\" attribute in ${each.key} key definition. Valid values are ${join(", ",local.algorithms)} (case insensitive)."
}
#-- A key must be tied to a vault: either one created by this module (vault_key) or an external one
#-- (vault_management_endpoint). Without one of them management_endpoint below cannot be computed.
precondition {
condition = each.value.vault_key != null || each.value.vault_management_endpoint != null
error_message = "VALIDATION FAILURE : either vault_key or vault_management_endpoint must be provided. Otherwise it is not possible to know which vault the key belongs to."
}
}
#-- One key per entry of var.vaults_configuration.keys; nothing is created when the configuration or its keys attribute is absent.
for_each = var.vaults_configuration != null ? (var.vaults_configuration.keys != null ? var.vaults_configuration.keys : {}) : {}
#-- Compartment from the key entry, else the configuration default; each may be an OCID literal (^ocid1)
#-- or a var.compartments_dependency key that is resolved to an OCID.
compartment_id = each.value.compartment_id != null ? (length(regexall("^ocid1.*$", each.value.compartment_id)) > 0 ? each.value.compartment_id : var.compartments_dependency[each.value.compartment_id].id) : (length(regexall("^ocid1.*$", var.vaults_configuration.default_compartment_id)) > 0 ? var.vaults_configuration.default_compartment_id : var.compartments_dependency[var.vaults_configuration.default_compartment_id].id)
display_name = each.value.name
#-- Endpoint resolution order: an explicit https:// URL is used as given; any other vault_management_endpoint
#-- value is treated as a var.vaults_dependency key; with no vault_management_endpoint at all the endpoint of the
#-- module-created vault selected by vault_key is used.
management_endpoint = each.value.vault_management_endpoint != null ? length(regexall("^https://.*$", each.value.vault_management_endpoint)) > 0 ? each.value.vault_management_endpoint : var.vaults_dependency[each.value.vault_management_endpoint].management_endpoint : oci_kms_vault.these[each.value.vault_key].management_endpoint
#-- Defaults to HSM protection unless the key entry opts into another mode (value is upper-cased).
protection_mode = upper(coalesce(each.value.protection_mode,"HSM"))
#-- Key shape: AES with a 32-byte (256-bit) length by default. The length default only makes sense for AES;
#-- RSA/ECDSA keys are expected to set length and/or curve_id explicitly (curve_id is passed through as given,
#-- possibly null).
key_shape {
algorithm = upper(coalesce(each.value.algorithm,"AES"))
length = coalesce(each.value.length,32)
curve_id = each.value.curve_id
}
#-- Per-key tags override the configuration defaults; the module tag is always merged into freeform tags.
defined_tags = each.value.defined_tags != null ? each.value.defined_tags : var.vaults_configuration.default_defined_tags
freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.vaults_configuration.default_freeform_tags)
}
resource "oci_kms_key_version" "these" {
  provider = oci
  #-- One key version per "<key>.<version>" pair enumerated in local.keys_versions. The parent key and
  #-- its management endpoint are read from the key this module created under key_key.
  for_each = { for v in local.keys_versions : v.version_key => v }

  key_id              = oci_kms_key.these[each.value.key_key].id
  management_endpoint = oci_kms_key.these[each.value.key_key].management_endpoint

  #-- New versions are created before old ones are removed so dependents are never left without a version.
  lifecycle {
    create_before_destroy = true
  }
}
resource "oci_identity_policy" "managed_keys" {
  provider = oci.home
  #-- A policy is created only for managed keys that have at least one grantee; entries of
  #-- local.keys_policies with an empty statement list are skipped, so no empty policies are created.
  for_each = { for p in local.keys_policies : p.key => p if length(p.statements) > 0 }

  name           = each.value.name
  description    = each.value.description
  compartment_id = each.value.compartment_id
  statements     = each.value.statements
  defined_tags   = each.value.defined_tags
  freeform_tags  = each.value.freeform_tags

  lifecycle {
    create_before_destroy = true
  }
}
#-- Used for retrieving the compartment name to use in policy statements
data "oci_identity_compartment" "existing_keys" {
  #-- One lookup per existing_keys_grants entry; none when the configuration or the attribute is absent.
  for_each = var.vaults_configuration != null ? (var.vaults_configuration.existing_keys_grants != null ? var.vaults_configuration.existing_keys_grants : {}) : {}
  provider = oci.home
  #-- NOTE(review): this reads compartment_ocid, while oci_identity_policy.existing_keys resolves
  #-- compartment_id (OCID literal or var.compartments_dependency key) for the same entry. Confirm the
  #-- variable schema defines both attributes and that they always name the same compartment, otherwise
  #-- the compartment name in the policy statements may not match the compartment the policy is created in.
  id = each.value.compartment_ocid
}
resource "oci_identity_policy" "existing_keys" {
  provider = oci.home
  #-- One policy per existing_keys_grants entry (keys that were not created by this module).
  for_each = var.vaults_configuration != null ? (var.vaults_configuration.existing_keys_grants != null ? var.vaults_configuration.existing_keys_grants : {}) : {}

  #-- The policy name derives from the lower-cased map key (managed-key policies derive it from the key name instead).
  name        = "${lower(each.key)}-policy"
  description = "CIS Landing Zone policy allowing access to keys in the Vault service."

  #-- The compartment may be an OCID literal (matches ^ocid1) or a var.compartments_dependency key.
  compartment_id = (
    length(regexall("^ocid1.*$", each.value.compartment_id)) > 0
    ? each.value.compartment_id
    : var.compartments_dependency[each.value.compartment_id].id
  )

  #-- Every statement is pinned to one key through "where target.key.id = ..."; key_id is an OCID literal or a
  #-- var.vaults_dependency key. Services get "use keys", groups get "use key-delegate". Grantee names are
  #-- interpolated verbatim, so they are expected to be well-formed service/group names.
  statements = concat(
    each.value.service_grantees != null ? [for sg in each.value.service_grantees : "Allow service ${sg} to use keys in compartment ${data.oci_identity_compartment.existing_keys[each.key].name} where target.key.id = '${length(regexall("^ocid1.*$", each.value.key_id)) > 0 ? each.value.key_id : var.vaults_dependency[each.value.key_id].id}'"] : [],
    each.value.group_grantees != null ? [for gg in each.value.group_grantees : "Allow group ${gg} to use key-delegate in compartment ${data.oci_identity_compartment.existing_keys[each.key].name} where target.key.id = '${length(regexall("^ocid1.*$", each.value.key_id)) > 0 ? each.value.key_id : var.vaults_dependency[each.value.key_id].id}'"] : []
  )

  #-- Existing-key policies take the configuration-wide default tags only; there is no per-entry override.
  defined_tags  = var.vaults_configuration.default_defined_tags
  freeform_tags = merge(local.cislz_module_tag, var.vaults_configuration.default_freeform_tags)
}
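resource "oci_kms_vault_replication" "these" {
  #-- Explicit default provider, consistent with the other vault/key resources in this file.
  provider = oci
  #-- Only vaults that declare a replica_region get a replication resource. The vaults map is guarded the
  #-- same way as in oci_kms_vault.these: a configuration whose vaults attribute is null yields no
  #-- replications instead of failing the plan with an iteration over a null value.
  for_each = {
    for k, v in (var.vaults_configuration != null ? (var.vaults_configuration.vaults != null ? var.vaults_configuration.vaults : {}) : {}) : k => v
    if v.replica_region != null
  }

  vault_id       = oci_kms_vault.these[each.key].id
  replica_region = each.value.replica_region
}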