Key Rotation Module

Terraform module to deploy the Key Rotation services.

Features

Key components of this module consist of

  • Key rotation service deployed in Cloud Run
  • Secret in Secret Manager with Rotation Schedule

Technical Details

These are important details of this module's behavior.

  • When this module is deployed for the first time, the key rotation service generates new key pairs, stores them in the Secret Manager secret and sends a key rotation request to the ONDC registry. The key rotation request will fail if your entity is not registered; if it fails, the service retries 2 - 3 times.
  • Key pairs generated by this service are stored in the following JSON format, eg.
{
  "encryptionKey": {
    "privateKeyEncryption": "3nrQndffw/dhO7OlwW4uk5d7er5W5E0B+R6Ua0+f6YM=",
    "publicKeyEncryption": "K+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c=",
    "publicKeyEncryptionDER": "MCowBQYDK2VuAyEAK+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c="
  },
  "signingKey": {
    "publicKeySigning": "R/4cp5ZCTPlRrTtth7Yt/v+/04K9lEnACdOz65q6GYA=",
    "signingKeySet": "eyJwcmltYXJ5S2V5SWQiOjEyNTE4NDA0MzEsICJrZXkiOlt7ImtleURhdGEiOnsidHlwZVVybCI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmNyeXB0by50aW5rLkVkMjU1MTlQcml2YXRlS2V5IiwgInZhbHVlIjoiRWlBOUdDRm5rckJ0MHkrMVB3elByVzdVWHRyRWQyNWNDYW5zSzdRZjNaNHE3Um9pRWlCSC9oeW5sa0pNK1ZHdE8yMkh0aTMrLzcvVGdyMlVTY0FKMDdQcm1yb1pnQT09IiwgImtleU1hdGVyaWFsVHlwZSI6IkFTWU1NRVRSSUNfUFJJVkFURSJ9LCAic3RhdHVzIjoiRU5BQkxFRCIsICJrZXlJZCI6MTI1MTg0MDQzMSwgIm91dHB1dFByZWZpeFR5cGUiOiJSQVcifV19"
  }
}

When you need to provide public keys to ONDC, use these values in the following fields

  • encryptionKey.publicKeyEncryptionDER for public encryption key
  • signingKey.publicKeySigning for public signing key
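
The checks below are an added example, not code from this module: they verify that a secret payload in the format above is self-consistent before its public keys are handed to ONDC, i.e. that publicKeyEncryptionDER is the X25519 SubjectPublicKeyInfo wrapping of publicKeyEncryption, and that publicKeySigning equals the public half of the primary Ed25519 key inside the Tink signingKeySet. It runs on the README's own sample values; X25519_SPKI_PREFIX, _proto_fields and check_key_material are names chosen here.

```python
import base64
import json

# X25519 SubjectPublicKeyInfo header (OID 1.3.101.110) that precedes the 32 raw key bytes.
X25519_SPKI_PREFIX = bytes.fromhex("302a300506032b656e032100")
ED25519_TYPE_URL = "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey"

# Sample secret payload copied from the README's own example (sample values, not live keys).
SAMPLE_SECRET = json.dumps({"encryptionKey": {
    "publicKeyEncryption": "K+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c=",
    "publicKeyEncryptionDER": "MCowBQYDK2VuAyEAK+YtJdFIXxaIhuX3P5KAT3Z8zxUc/qibwHn8aWmSd1c="},
  "signingKey": {
    "publicKeySigning": "R/4cp5ZCTPlRrTtth7Yt/v+/04K9lEnACdOz65q6GYA=",
    "signingKeySet": "eyJwcmltYXJ5S2V5SWQiOjEyNTE4NDA0MzEsICJrZXkiOlt7ImtleURhdGEiOnsidHlwZVVybCI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmNyeXB0by50aW5rLkVkMjU1MTlQcml2YXRlS2V5IiwgInZhbHVlIjoiRWlBOUdDRm5rckJ0MHkrMVB3elByVzdVWHRyRWQyNWNDYW5zSzdRZjNaNHE3Um9pRWlCSC9oeW5sa0pNK1ZHdE8yMkh0aTMrLzcvVGdyMlVTY0FKMDdQcm1yb1pnQT09IiwgImtleU1hdGVyaWFsVHlwZSI6IkFTWU1NRVRSSUNfUFJJVkFURSJ9LCAic3RhdHVzIjoiRU5BQkxFRCIsICJrZXlJZCI6MTI1MTg0MDQzMSwgIm91dHB1dFByZWZpeFR5cGUiOiJSQVcifV19"}})

def _proto_fields(buf: bytes) -> dict:
    """Parse the length-delimited fields of a tiny protobuf message (Tink key values are < 128 bytes)."""
    fields, i = {}, 0
    while i < len(buf):
        field, wire, length = buf[i] >> 3, buf[i] & 7, buf[i + 1]
        if wire != 2 or length > 127:
            raise ValueError("unexpected protobuf encoding in keyset")
        fields[field] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def check_key_material(secret_json: str) -> list:
    """Return the list of inconsistencies found; an empty list means the payload is coherent."""
    problems = []
    doc = json.loads(secret_json)
    enc, sig = doc["encryptionKey"], doc["signingKey"]
    raw_enc = base64.b64decode(enc["publicKeyEncryption"])
    if len(raw_enc) != 32:
        problems.append("publicKeyEncryption is not a 32-byte X25519 key")
    if base64.b64decode(enc["publicKeyEncryptionDER"]) != X25519_SPKI_PREFIX + raw_enc:
        problems.append("publicKeyEncryptionDER is not the X25519 SPKI wrapping of publicKeyEncryption")
    raw_sig = base64.b64decode(sig["publicKeySigning"])
    keyset = json.loads(base64.b64decode(sig["signingKeySet"]))
    primary = [k for k in keyset["key"] if k["keyId"] == keyset["primaryKeyId"]]
    if len(primary) != 1 or primary[0]["status"] != "ENABLED":
        return problems + ["primaryKeyId does not refer to exactly one ENABLED key"]
    if primary[0]["keyData"]["typeUrl"] != ED25519_TYPE_URL:
        return problems + ["primary key is not a Tink Ed25519 private key"]
    # Ed25519PrivateKey proto: field 2 = seed, field 3 = Ed25519PublicKey{field 2 = public bytes}
    outer = _proto_fields(base64.b64decode(primary[0]["keyData"]["value"]))
    embedded_pub = _proto_fields(outer.get(3, b"")).get(2)
    if len(raw_sig) != 32 or embedded_pub != raw_sig:
        problems.append("publicKeySigning does not match the public key inside signingKeySet")
    return problems
```

Run it against a payload read from the secret's latest version before onboarding; any non-empty result means the advertised public keys do not belong to the stored private material.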

Example Usage

See the terraform/examples/sample

Requirements

Name         Version
google       4.73.1
google-beta  4.73.1
random       3.5.1

Providers

Name         Version
google       4.73.1
google-beta  4.73.1
random       3.5.1

Inputs

artifact_registry
  Description: Artifact Registry where the Docker images are stored
  Type: object({ project_id = string, location = string, repository = string })
  Default: n/a
  Required: yes

location
  Description: Cloud Run location.
  Type: string
  Default: n/a
  Required: yes

prefix
  Description: Resource prefix. If it is not empty, its last character must be "-", eg. dev-
  Type: string
  Default: ""
  Required: no

project_id
  Description: Google Cloud Project ID
  Type: string
  Default: n/a
  Required: yes

registry_url
  Description: ONDC Registry URL
  Type: string
  Default: n/a
  Required: yes

request_id
  Description: Arbitrary ID (eg. UUID). It is sent with the key rotation request to the ONDC registry and must be the same ID you use in the onboarding module.
  Type: string
  Default: n/a
  Required: yes

rotation_period
  Description: Time between each key rotation. Defaults to 6 months. WARNING: changing this field after the Secret Manager secret has been created can delete all secret versions. See this issue.
  Type: string
  Default: "15780000s"
  Required: no

secret_id
  Description: Secret Manager's Secret ID
  Type: string
  Default: n/a
  Required: yes

service_accounts
  Description: List of service accounts to be granted Secret Manager Admin on the secret
  Type: list(string)
  Default: n/a
  Required: yes

subscriber_id
  Description: Subscriber ID of the ONDC entity, eg. ondcaccelerator.com
  Type: string
  Default: n/a
  Required: yes

Outputs

Name       Description
secret_id  Secret Manager's Secret ID

Modules

No modules.

Resources

Name Type
google-beta_google_project_service_identity.pubsub_agent resource
google-beta_google_project_service_identity.secret_manager_identity resource
google_cloud_run_service.key_rotater resource
google_cloud_run_service_iam_member.rotation_trigger_run_invoker resource
google_project_iam_member.project_token_creator resource
google_project_service.cloud_run resource
google_project_service.pubsub resource
google_project_service.secret_manager resource
google_pubsub_subscription.key_rotation resource
google_pubsub_topic.key_rotation resource
google_pubsub_topic_iam_member.sm_sa_publisher resource
google_secret_manager_secret.keys resource
google_secret_manager_secret_iam_member.key_rotater_secret_adder resource
google_secret_manager_secret_iam_member.secretmanagerAdmin resource
google_service_account.key_rotater resource
google_service_account.rotation_trigger resource
random_id.subscription_suffix resource
random_id.topic_suffix resource