Terraform module to deploy the Key Rotation services.
The key components of this module are:
- Key rotation service deployed in Cloud Run
- Secret in Secret Manager with Rotation Schedule
Important details of this module's behaviour:
- When this module is deployed for the first time, the key rotation service generates new key pairs, stores them in the Secret Manager secret and sends a key rotation request to the ONDC registry. Sending the key rotation request will fail if your entity is not registered; if it fails, the service retries 2 - 3 times.
- Key pairs generated by this service are stored in the following JSON format, e.g.:
```json
{
  "encryptionKey": {
    "privateKeyEncryption": "3nrQndffw/dhO7OlwW4uk5d7er5W5E0B+R6Ua0+f6YM=",
    "publicKeyEncryption": "K+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c=",
    "publicKeyEncryptionDER": "MCowBQYDK2VuAyEAK+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c="
  },
  "signingKey": {
    "publicKeySigning": "R/4cp5ZCTPlRrTtth7Yt/v+/04K9lEnACdOz65q6GYA=",
    "signingKeySet": "eyJwcmltYXJ5S2V5SWQiOjEyNTE4NDA0MzEsICJrZXkiOlt7ImtleURhdGEiOnsidHlwZVVybCI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmNyeXB0by50aW5rLkVkMjU1MTlQcml2YXRlS2V5IiwgInZhbHVlIjoiRWlBOUdDRm5rckJ0MHkrMVB3elByVzdVWHRyRWQyNWNDYW5zSzdRZjNaNHE3Um9pRWlCSC9oeW5sa0pNK1ZHdE8yMkh0aTMrLzcvVGdyMlVTY0FKMDdQcm1yb1pnQT09IiwgImtleU1hdGVyaWFsVHlwZSI6IkFTWU1NRVRSSUNfUFJJVkFURSJ9LCAic3RhdHVzIjoiRU5BQkxFRCIsICJrZXlJZCI6MTI1MTg0MDQzMSwgIm91dHB1dFByZWZpeFR5cGUiOiJSQVcifV19"
  }
}
```
When you need to provide public keys to ONDC, use these values in the following fields:
- `encryptionKey.publicKeyEncryptionDER` for the public encryption key
- `signingKey.publicKeySigning` for the public signing key
For a usage example, see `terraform/examples/sample`.
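As an added example (not part of this module), the following Python reads a secret payload in the JSON format shown above, checks that `publicKeyEncryptionDER` is the X25519 SubjectPublicKeyInfo wrapping of `publicKeyEncryption` and that `signingKeySet` is the private Ed25519 Tink keyset, and returns only the two public values to hand to ONDC. The function name and the stand-in Tink keyset are constructed for the example; the public key values are the ones from the sample above.

```python
import base64
import json

# X25519 SubjectPublicKeyInfo header (RFC 8410, OID 1.3.101.110):
# SEQUENCE { SEQUENCE { OID }, BIT STRING { 0x00 || 32-byte key } }
X25519_SPKI_PREFIX = bytes.fromhex("302a300506032b656e032100")
TINK_ED25519_PRIVATE = "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey"


def registry_public_keys(secret_payload: str) -> dict:
    """Validate a key-pair payload in the module's JSON format and return only the
    two public values ONDC needs. Raises ValueError on anything inconsistent."""
    keys = json.loads(secret_payload)
    enc, sig = keys["encryptionKey"], keys["signingKey"]
    raw_enc = base64.b64decode(enc["publicKeyEncryption"], validate=True)
    der_enc = base64.b64decode(enc["publicKeyEncryptionDER"], validate=True)
    raw_sig = base64.b64decode(sig["publicKeySigning"], validate=True)
    if len(raw_enc) != 32 or len(raw_sig) != 32:
        raise ValueError("X25519 and Ed25519 public keys must be 32 bytes")
    # The DER value must be exactly the SPKI wrapper of the raw X25519 key.
    if der_enc != X25519_SPKI_PREFIX + raw_enc:
        raise ValueError("publicKeyEncryptionDER does not wrap publicKeyEncryption")
    # signingKeySet is a base64 Tink keyset holding the PRIVATE Ed25519 key; confirm
    # that is what it is, and never let it leave the secret.
    keyset = json.loads(base64.b64decode(sig["signingKeySet"]))
    primary = next(k for k in keyset["key"] if k["keyId"] == keyset["primaryKeyId"])
    key_data = primary["keyData"]
    if key_data["typeUrl"] != TINK_ED25519_PRIVATE or key_data["keyMaterialType"] != "ASYMMETRIC_PRIVATE":
        raise ValueError("signingKeySet is not a Tink Ed25519 private keyset")
    return {"encryptionKey.publicKeyEncryptionDER": enc["publicKeyEncryptionDER"],
            "signingKey.publicKeySigning": sig["publicKeySigning"]}


# Constructed sample: the public values from the README example above; the Tink
# keyset is a minimal stand-in whose key bytes are dummy zeros, not a real key.
_STANDIN_KEYSET = base64.b64encode(json.dumps({
    "primaryKeyId": 1,
    "key": [{"keyId": 1, "status": "ENABLED", "outputPrefixType": "RAW",
             "keyData": {"typeUrl": TINK_ED25519_PRIVATE,
                         "keyMaterialType": "ASYMMETRIC_PRIVATE",
                         "value": base64.b64encode(bytes(32)).decode()}}]}).encode()).decode()
SAMPLE_SECRET = json.dumps({
    "encryptionKey": {
        "privateKeyEncryption": "3nrQndffw/dhO7OlwW4uk5d7er5W5E0B+R6Ua0+f6YM=",
        "publicKeyEncryption": "K+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c=",
        "publicKeyEncryptionDER": "MCowBQYDK2VuAyEAK+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c="},
    "signingKey": {
        "publicKeySigning": "R/4cp5ZCTPlRrTtth7Yt/v+/04K9lEnACdOz65q6GYA=",
        "signingKeySet": _STANDIN_KEYSET}})

if __name__ == "__main__":
    print(json.dumps(registry_public_keys(SAMPLE_SECRET), indent=2))
```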
Requirements

Name | Version |
---|---|
 | 4.73.1 |
google-beta | 4.73.1 |
random | 3.5.1 |

Providers

Name | Version |
---|---|
 | 4.73.1 |
google-beta | 4.73.1 |
random | 3.5.1 |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
artifact_registry | Artifact Registry where the Docker images are stored | object({ ... }) | n/a | yes |
location | Cloud Run location. | string | n/a | yes |
prefix | Resource prefix. If it is not empty, it must end with `-`, e.g. `dev-` | string | "" | no |
project_id | Google Cloud project ID | string | n/a | yes |
registry_url | ONDC Registry URL | string | n/a | yes |
request_id | Arbitrary ID (e.g. a UUID) used when sending the key rotation request to the ONDC registry. It must be the same ID you use in the onboarding module. | string | n/a | yes |
rotation_period | Time between key rotations. Defaults to 6 months. WARNING: changing this field after the Secret Manager secret has been created can delete all secret versions. See this issue. | string | "15780000s" | no |
secret_id | Secret Manager secret ID | string | n/a | yes |
service_accounts | List of service accounts to be granted Secret Manager Admin | list(string) | n/a | yes |
subscriber_id | Subscriber ID of the ONDC entity, e.g. ondcaccelerator.com | string | n/a | yes |
Outputs

Name | Description |
---|---|
secret_id | Secret Manager secret ID |

Modules

No modules.