feat: ability to pass base64 encoded signature keys (#40)

terraform-ibm-modules · Aug 2, 2023 · 70e3e4f · 70e3e4f
1 parent ce7c3ec
commit 70e3e4f
Show file tree

Hide file tree

Showing 8 changed files with 151 additions and 29 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-06-28T08:12:45Z",
+  "generated_at": "2023-07-13T08:02:39Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,7 +76,26 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {},
+  "results": {
+    "README.md": [
+      {
+        "hashed_secret": "b7789e80adceebbe078db3e927944143c93e3116",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 158,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "379f23674341f122f9075538a32277b5efaa2f7d",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 163,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      }
+    ]
+  },
   "version": "0.13.1+ibm.61.dss",
   "word_list": {
     "file": null,

diff --git a/README.md b/README.md
@@ -129,6 +129,44 @@ module "hpcs" {
 }
 ```
 
+### Usage to create and initialize the HPCS instance using Schematics
+
+* Convert the signature keys to Base64 encoding.
+  ```sh
+  cat 1.sigkey | base64
+  cat 2.sigkey | base64
+  ```
+
+```hcl
+provider "ibm" {
+  ibmcloud_api_key = ""
+  region           = "us-south"
+}
+
+module "hpcs" {
+  # replace "main" with a GIT release version to lock into a specific release
+  source                                          = "git::https://github.com/terraform-ibm-modules/terraform-ibm-hpcs?ref=main"
+  resource_group_id                               = "000fb3134f214c3a9017554db4510f70" # pragma: allowlist secret
+  region                                          = "us-south"
+  service_name                                    = "my-hpcs-instance"
+  tags                                            = ["tag1","tag2"]
+  auto_initialization_using_recovery_crypto_units = true
+  number_of_crypto_units                          = 3
+  base64_encoded_admins = [
+    {
+      name  = "admin1"
+      key   = "eyJlbmNrZXkiOiJyYW5kb21fa2V5Iiwia2V5VHlwZSI6InJhbmRvbSIsIm5hbWUiOiJhZG1pbjEiLCJzZWFTYWx0IjoicmFuZG9tIiwic2tpIjoicmFuZG9tIn0="
+      token = "sensitive1234"
+    },
+    {
+      name  = "admin2"
+      key   = "eyJlbmNrZXkiOiJyYW5kb20yX2tleSIsImtleVR5cGUiOiJyYW5kb20yIiwibmFtZSI6ImFkbWluMiIsInNlYVNhbHQiOiJyYW5kb20yIiwic2tpIjoicmFuZG9tMiJ9"
+      token = "sensitive1234"
+    }
+  ]
+}
+```
+
 ## Required IAM access policies
 You need the following permissions to run this module.
 
@@ -156,6 +194,7 @@ You need the following permissions to run this module.
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.49.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.4.0 |
 
 ### Modules
 
@@ -167,13 +206,15 @@ No modules.
 |------|------|
 | [ibm_hpcs.hpcs_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/hpcs) | resource |
 | [ibm_resource_instance.base_hpcs_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
+| [local_file.admin_files](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_admins"></a> [admins](#input\_admins) | A list of administrators for the instance crypto units. See [instructions](https://github.com/terraform-ibm-modules/terraform-ibm-hpcs#before-you-begin) to create administrator signature keys. You can set up to 8 administrators. Required if auto\_initialization\_using\_recovery\_crypto\_units set to true. | <pre>list(object({<br>    name = string # max length: 30 chars<br>    key  = string # the absolute path and the file name of the signature key file if key files are created using TKE CLI and are not using a third-party signing service<br>    # if you are using a signing service, the key name is appended to a URI that will be sent to the signing service<br>    token = string # sensitive: the administrator password/token to authorize and access the corresponding signature key file<br>  }))</pre> | `[]` | no |
 | <a name="input_auto_initialization_using_recovery_crypto_units"></a> [auto\_initialization\_using\_recovery\_crypto\_units](#input\_auto\_initialization\_using\_recovery\_crypto\_units) | Set to true if auto initialization using recovery crypto units is required. | `bool` | `true` | no |
+| <a name="input_base64_encoded_admins"></a> [base64\_encoded\_admins](#input\_base64\_encoded\_admins) | A list of up to 8 administrators for the instance crypto units. Required if auto\_initialization\_using\_recovery\_crypto\_units is set to true. Pass the signature keys as base64 encoded values. For information about administrator signature keys, see the readme file. | <pre>list(object({<br>    name  = string # max length: 30 chars<br>    key   = string #  base64 encoded value of signature key files if key files are created using TKE CLI and are not using a third-party signing service<br>    token = string # sensitive: the administrator password/token to authorize and access the corresponding signature key file<br>  }))</pre> | `[]` | no |
 | <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | Create timeout value of the HPCS instance. | `string` | `"120m"` | no |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | Delete timeout value of the HPCS instance. | `string` | `"120m"` | no |
 | <a name="input_hsm_connector_id"></a> [hsm\_connector\_id](#input\_hsm\_connector\_id) | The HSM connector ID provided by IBM required for Hybrid HPCS. Available to selected customers only. | `string` | `null` | no |
@@ -183,10 +224,10 @@ No modules.
 | <a name="input_plan"></a> [plan](#input\_plan) | The name of the service plan that you choose for your Hyper Protect Crypto Service instance. | `string` | `"standard"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where you want to deploy your instance. | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group name where the Hyper Protect Crypto Service instance will be created. | `string` | n/a | yes |
-| <a name="input_revocation_threshold"></a> [revocation\_threshold](#input\_revocation\_threshold) | The number of administrator signatures that is required to remove an administrator after you leave imprint mode. Required if auto\_initialization\_using\_recovery\_crypto\_units set to true. | `number` | `1` | no |
-| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The service\_endpoints to access your service instance. Only used if auto\_initialization\_using\_recovery\_crypto\_units is true. Can only be set to private-only if Terraform has access to the private endpoints. Default value is public-and-private. | `string` | `"public-and-private"` | no |
-| <a name="input_signature_server_url"></a> [signature\_server\_url](#input\_signature\_server\_url) | The URL and port number of the signing service. Required if auto\_initialization\_using\_recovery\_crypto\_units set to true and using a third-party signing service to provide administrator signature keys. Only used if auto\_initialization\_using\_recovery\_crypto\_units is true | `string` | `null` | no |
-| <a name="input_signature_threshold"></a> [signature\_threshold](#input\_signature\_threshold) | The number of administrator signatures that is required to execute administrative commands. Required if auto\_initialization\_using\_recovery\_crypto\_units set to true. | `number` | `1` | no |
+| <a name="input_revocation_threshold"></a> [revocation\_threshold](#input\_revocation\_threshold) | The number of administrator signatures required to remove an administrator after you leave imprint mode. Required if auto\_initialization\_using\_recovery\_crypto\_units set to true. | `number` | `1` | no |
+| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The service\_endpoints to access your service instance. Used only if auto\_initialization\_using\_recovery\_crypto\_units is set to true. Can be set to private-only if Terraform has access to the private endpoints. Default value is public-and-private. | `string` | `"public-and-private"` | no |
+| <a name="input_signature_server_url"></a> [signature\_server\_url](#input\_signature\_server\_url) | The URL and port number of the signing service. Required if auto\_initialization\_using\_recovery\_crypto\_units set to true and using a third-party signing service to provide administrator signature keys. Used only if auto\_initialization\_using\_recovery\_crypto\_units is set to true. | `string` | `null` | no |
+| <a name="input_signature_threshold"></a> [signature\_threshold](#input\_signature\_threshold) | The number of administrator signatures required to execute administrative commands. Required if auto\_initialization\_using\_recovery\_crypto\_units set to true. | `number` | `1` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of resource tags to apply to the HPCS instance. | `list(string)` | `[]` | no |
 | <a name="input_update_timeout"></a> [update\_timeout](#input\_update\_timeout) | Update timeout value of the HPCS instance. | `string` | `"120m"` | no |
 

diff --git a/main.tf b/main.tf
@@ -8,14 +8,26 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   validate_region = var.auto_initialization_using_recovery_crypto_units == true ? (contains(["us-south", "us-east"], var.region) ? true : tobool("Currently us-south and us-east are the only supported regions for HPCS instance initialization using recovery crypto units.")) : true
   # tflint-ignore: terraform_unused_declarations
-  validate_num_of_administrators = var.auto_initialization_using_recovery_crypto_units == true ? ((length(var.admins) >= 1 && length(var.admins) <= 8) ? true : tobool("At least one administrator is required for the instance crypto unit and you can set upto 8 adminsitrators.")) : true
+  validate_num_of_administrators = var.auto_initialization_using_recovery_crypto_units == true ? ((length(var.admins) >= 1 && length(var.admins) <= 8) || (length(var.base64_encoded_admins) >= 1 && length(var.base64_encoded_admins) <= 8) ? true : tobool("At least one administrator is required for the instance crypto unit and you can set upto 8 adminsitrators.")) : true
   # tflint-ignore: terraform_unused_declarations
-  validate_admins_and_threshold = var.auto_initialization_using_recovery_crypto_units == true ? ((length(var.admins) >= var.signature_threshold && length(var.admins) >= var.revocation_threshold) ? true : tobool("The adminstrators of the instance crypto units need to be equal to or greater than the threshold value.")) : true
+  validate_admins_and_threshold = var.auto_initialization_using_recovery_crypto_units == true ? (((length(var.admins) >= var.signature_threshold) || (length(var.base64_encoded_admins) >= var.signature_threshold) && (length(var.admins) >= var.revocation_threshold) || (length(var.base64_encoded_admins) >= var.revocation_threshold)) ? true : tobool("The adminstrators of the instance crypto units need to be equal to or greater than the threshold value.")) : true
   # tflint-ignore: terraform_unused_declarations
   validate_num_of_failover_units = var.auto_initialization_using_recovery_crypto_units == true ? (var.number_of_failover_units <= var.number_of_crypto_units ? true : tobool("Number of failover_units must be less than or equal to the number of operational crypto units")) : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_admins_variables = var.auto_initialization_using_recovery_crypto_units == true ? ((length(var.admins) == 0 && length(var.base64_encoded_admins) == 0) || (length(var.admins) != 0 && length(var.base64_encoded_admins) != 0) ? tobool("Please provide exactly one of admins or base64_encoded_admins. Passing neither or both is invalid.") : true) : true
+
+  admins_map = length(var.base64_encoded_admins) != 0 ? { for admin in var.base64_encoded_admins : admin.name => admin } : null
+  admins = local.admins_map != null ? [
+    for admin in var.base64_encoded_admins : {
+      name  = admin.name
+      key   = local_file.admin_files[admin.name].filename
+      token = admin.token
+    }
+  ] : var.admins
 }
 
 resource "ibm_hpcs" "hpcs_instance" {
+  depends_on           = [local_file.admin_files]
   count                = var.auto_initialization_using_recovery_crypto_units ? 1 : 0
   location             = var.region
   resource_group_id    = var.resource_group_id
@@ -30,7 +42,7 @@ resource "ibm_hpcs" "hpcs_instance" {
   service_endpoints    = var.service_endpoints # Can only be set to private-only if Terraform has access to the private endpoints, ie. Terraform is run in IBM Cloud https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4660
 
   dynamic "admins" {
-    for_each = nonsensitive(var.admins != null ? var.admins : [])
+    for_each = nonsensitive(local.admins != null ? local.admins : [])
     content {
       name  = admins.value["name"]
       key   = admins.value["key"]
@@ -45,6 +57,12 @@ resource "ibm_hpcs" "hpcs_instance" {
   }
 }
 
+resource "local_file" "admin_files" {
+  for_each       = local.admins_map != null ? nonsensitive(local.admins_map) : {}
+  content_base64 = each.value.key
+  filename       = "${path.module}/${each.key}.sigkey"
+}
+
 resource "ibm_resource_instance" "base_hpcs_instance" {
   count             = var.auto_initialization_using_recovery_crypto_units ? 0 : 1
   name              = var.name

diff --git a/module-metadata.json b/module-metadata.json
@@ -26,14 +26,25 @@
         "line": 34
       }
     },
+    "base64_encoded_admins": {
+      "name": "base64_encoded_admins",
+      "type": "list(object({\n    name  = string # max length: 30 chars\n    key   = string #  base64 encoded value of signature key files if key files are created using TKE CLI and are not using a third-party signing service\n    token = string # sensitive: the administrator password/token to authorize and access the corresponding signature key file\n  }))",
+      "description": "A list of up to 8 administrators for the instance crypto units. Required if auto_initialization_using_recovery_crypto_units is set to true. Pass the signature keys as base64 encoded values. For information about administrator signature keys, see the readme file.",
+      "default": [],
+      "sensitive": true,
+      "pos": {
+        "filename": "variables.tf",
+        "line": 94
+      }
+    },
     "create_timeout": {
       "name": "create_timeout",
       "type": "string",
       "description": "Create timeout value of the HPCS instance.",
       "default": "120m",
       "pos": {
         "filename": "variables.tf",
-        "line": 121
+        "line": 132
       }
     },
     "delete_timeout": {
@@ -43,7 +54,7 @@
       "default": "120m",
       "pos": {
         "filename": "variables.tf",
-        "line": 133
+        "line": 144
       }
     },
     "hsm_connector_id": {
@@ -55,7 +66,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 115
+        "line": 126
       }
     },
     "name": {
@@ -96,7 +107,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 94
+        "line": 105
       }
     },
     "plan": {
@@ -153,7 +164,7 @@
     "revocation_threshold": {
       "name": "revocation_threshold",
       "type": "number",
-      "description": "The number of administrator signatures that is required to remove an administrator after you leave imprint mode. Required if auto_initialization_using_recovery_crypto_units set to true.",
+      "description": "The number of administrator signatures required to remove an administrator after you leave imprint mode. Required if auto_initialization_using_recovery_crypto_units set to true.",
       "default": 1,
       "required": true,
       "source": [
@@ -167,21 +178,21 @@
     "service_endpoints": {
       "name": "service_endpoints",
       "type": "string",
-      "description": "The service_endpoints to access your service instance. Only used if auto_initialization_using_recovery_crypto_units is true. Can only be set to private-only if Terraform has access to the private endpoints. Default value is public-and-private.",
+      "description": "The service_endpoints to access your service instance. Used only if auto_initialization_using_recovery_crypto_units is set to true. Can be set to private-only if Terraform has access to the private endpoints. Default value is public-and-private.",
       "default": "public-and-private",
       "source": [
         "ibm_hpcs.hpcs_instance.service_endpoints"
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 104
+        "line": 115
       },
       "computed": true
     },
     "signature_server_url": {
       "name": "signature_server_url",
       "type": "string",
-      "description": "The URL and port number of the signing service. Required if auto_initialization_using_recovery_crypto_units set to true and using a third-party signing service to provide administrator signature keys. Only used if auto_initialization_using_recovery_crypto_units is true",
+      "description": "The URL and port number of the signing service. Required if auto_initialization_using_recovery_crypto_units set to true and using a third-party signing service to provide administrator signature keys. Used only if auto_initialization_using_recovery_crypto_units is set to true.",
       "source": [
         "ibm_hpcs.hpcs_instance.signature_server_url"
       ],
@@ -193,7 +204,7 @@
     "signature_threshold": {
       "name": "signature_threshold",
       "type": "number",
-      "description": "The number of administrator signatures that is required to execute administrative commands. Required if auto_initialization_using_recovery_crypto_units set to true. ",
+      "description": "The number of administrator signatures required to execute administrative commands. Required if auto_initialization_using_recovery_crypto_units set to true. ",
       "default": 1,
       "required": true,
       "source": [
@@ -232,7 +243,7 @@
       "default": "120m",
       "pos": {
         "filename": "variables.tf",
-        "line": 127
+        "line": 138
       }
     }
   },
@@ -287,6 +298,12 @@
       "version_constraints": [
         "\u003e= 1.49.0"
       ]
+    },
+    "local": {
+      "source": "hashicorp/local",
+      "version_constraints": [
+        "\u003e= 2.4.0"
+      ]
     }
   },
   "managed_resources": {
@@ -313,7 +330,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 18
+        "line": 29
       }
     },
     "ibm_resource_instance.base_hpcs_instance": {
@@ -334,7 +351,19 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 48
+        "line": 66
+      }
+    },
+    "local_file.admin_files": {
+      "mode": "managed",
+      "type": "local_file",
+      "name": "admin_files",
+      "provider": {
+        "name": "local"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 60
       }
     }
   },