diff --git a/ekm-over-vpc-onboarding/README.md b/ekm-over-vpc-onboarding/README.md new file mode 100644 index 00000000..a9f9e247 --- /dev/null +++ b/ekm-over-vpc-onboarding/README.md @@ -0,0 +1,86 @@ +# KMS EKM connection over a VPC onboarding + +## Overview + +This guide provides instructions of an automation for Cloud External Key Manager (Cloud EKM) to connect to your external key management (EKM) provider over a Virtual Private Cloud (VPC) network with Terraform. + +## Prerequisites + +- [Terraform](https://developer.hashicorp.com/terraform/downloads) >= 1.5.7; +- [Google Cloud CLI (`gcloud`)](https://cloud.google.com/sdk/docs/install-sdk); + - You must be authenticated in your GCP account. If you're not, you should run `gcloud auth login`; + - Some IAM permissions will be granted to the authenticated user by this terraform automation. If you want to grant to other user instead, fulfill `project_creator_member_email` in your `terraform.tfvars` file. +- An existing [GCP Organization](https://cloud.google.com/resource-manager/docs/creating-managing-organization); + - [Project Creator role](https://cloud.google.com/resource-manager/docs/default-access-control#adding_a_billing_account_creator_and_project_creator) in the GCP Organization for the authenticated user; +- (Optional) An existing [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) to create all the VPC related resources; +- (Optional) An existing [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) to create all the KMS related resources; + +**Note:** VPC and KMS projects are optional because this terraform automation can auto-create them for you. All you need to do is to set `create_kms_project` and `create_vpc_project` to `true` in your `terraform.tfvars` file. +- If you would like terraform to create kms and vpc projects, please provide account user (the one you used for `gcloud auth login`) with "roles/resourcemanager.projectCreator" iam role. + +**Note 2:** Your EKM provider should be placed/referenced in your VPC project. A Private IP address of the EKM or an IP address for the load balancer pointing to the EKM is required in your `terraform.tfvars` file. You will need to edit `modules/create_ekm_resources/network.tf` file for any forwarding-rule resources you would like to add + +## Deploy infrastructure + +1. Rename `terraform.example.tfvars` to `terraform.tfvars`: + ```sh + mv terraform.example.tfvars terraform.tfvars + ``` + +1. Update `terraform.tfvars` file with the required values. + +1. Create the infrastructure. + + ```sh + terraform init + terraform plan + terraform apply + ``` + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| billing\_account | Billing Account for the customer | `string` | `""` | no | +| create\_kms\_project | If true, a project for KMS will be created automatically | `bool` | `true` | no | +| create\_vpc\_project | If true, a project for VPC will be created automatically | `bool` | `true` | no | +| crypto\_space\_path | External key provider crypto space path (ie. v0/longlived/a1-example) | `string` | `""` | no | +| ekm\_connection\_key\_path | Each Cloud EKM key version contains either a key URI or a key path. This is a unique identifier for the external key material that Cloud EKM uses when requesting cryptographic operations using the key. When key\_management\_mode is CLOUD\_KMS, this variable will be equals to crypto\_space\_path | `string` | n/a | yes | +| ekmconnection\_name | Name of the ekmconnection resource | `string` | `"ekmconnection"` | no | +| external\_key\_manager\_ip | Private IP address of the external key manager or ip address for the load balancer pointing to the external key manager | `string` | `"10.2.0.48"` | no | +| external\_key\_manager\_port | Port of the external key manager or port for the load balancer pointing to the external key manager | `string` | `"443"` | no | +| external\_provider\_hostname | Hostname for external key manager provider (ie. private-ekm.example.endpoints.cloud.goog) | `string` | n/a | yes | +| external\_provider\_raw\_der | External key provider server certificate in base64 format | `string` | n/a | yes | +| folder\_id | (Optional) The ID of the GCP folder to create the projects | `string` | `""` | no | +| key\_management\_mode | Key management mode. Possible values: MANUAL and CLOUD\_KMS. Defaults to MANUAL | `string` | `"MANUAL"` | no | +| kms\_name\_prefix | Key management resources name prefix | `string` | `"kms-vpc"` | no | +| kms\_project\_id | ID of the KMS project you would like to create | `string` | `""` | no | +| kms\_project\_name | Name of the KMS project you would like to create | `string` | n/a | yes | +| location | Location where resources will be created | `string` | `"us-central1"` | no | +| network\_name | Name of the Network resource | `string` | `"vpc-network-name"` | no | +| organization\_id | The ID of the existing GCP organization | `string` | n/a | yes | +| project\_creator\_member\_email | Email of the user that will be granted permissions to create resources under the projects | `string` | `""` | no | +| random\_project\_suffix | If true, a suffix of 4 random characters will be appended to project names. Only applies when create project flag is true. | `bool` | `false` | no | +| servicedirectory\_name | Service Directory resource name | `string` | `"ekm-service-directory"` | no | +| subnet\_ip\_cidr\_range | ip\_cidr\_range for subnet resource | `string` | `"10.2.0.0/16"` | no | +| vpc\_project\_id | ID of the VPC project, default to same as KMS | `string` | `""` | no | +| vpc\_project\_name | Name of the VPC project, default to same as KMS | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| crypto\_key | Name of the crypto key created. | +| ekm\_connection\_id | ID of the EKM connection created. | +| key\_version | Name of the key version created. | +| keyring | Name of the keyring. | +| kms\_project\_id | ID of the KMS project | +| location | Location of the keyring created. | +| vpc\_project\_id | ID of the VPC project | + + + +**Note 3:** You will need to manually set crypto-key-version to `primary version` by either using Google console or [Google CLI command](https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-primary-version). + +Congrats! You have successfully created all your required resources to use EKM over VPC diff --git a/ekm-over-vpc-onboarding/main.tf b/ekm-over-vpc-onboarding/main.tf new file mode 100644 index 00000000..a615b052 --- /dev/null +++ b/ekm-over-vpc-onboarding/main.tf @@ -0,0 +1,53 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "create_vpc_kms_project" { + source = "./modules/create_vpc_kms_project" + + organization_id = var.organization_id + folder_id = var.folder_id + kms_project_name = var.kms_project_name + kms_project_id = var.kms_project_id + vpc_project_name = var.vpc_project_name + vpc_project_id = var.vpc_project_id + billing_account = var.billing_account + create_kms_project = var.create_kms_project + create_vpc_project = var.create_vpc_project + random_project_suffix = var.random_project_suffix +} + +module "ekm_resources" { + source = "./modules/ekm_resources_creation" + + kms_project_id = module.create_vpc_kms_project.kms_project_id + vpc_project_id = module.create_vpc_kms_project.vpc_project_id + location = var.location + subnet_ip_cidr_range = var.subnet_ip_cidr_range + external_key_manager_ip = var.external_key_manager_ip + external_key_manager_port = var.external_key_manager_port + external_provider_hostname = var.external_provider_hostname + external_provider_raw_der = var.external_provider_raw_der + crypto_space_path = var.crypto_space_path + network_name = var.network_name + servicedirectory_name = var.servicedirectory_name + kms_name_prefix = var.kms_name_prefix + ekmconnection_name = var.ekmconnection_name + key_management_mode = var.key_management_mode + project_creator_member_email = var.project_creator_member_email + ekm_connection_key_path = var.ekm_connection_key_path + + depends_on = [module.create_vpc_kms_project] +} diff --git a/ekm-over-vpc-onboarding/create-vpc-kms-project/README.md b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/README.md similarity index 91% rename from ekm-over-vpc-onboarding/create-vpc-kms-project/README.md rename to ekm-over-vpc-onboarding/modules/create_vpc_kms_project/README.md index 6578f756..541fc7bc 100644 --- a/ekm-over-vpc-onboarding/create-vpc-kms-project/README.md +++ b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/README.md @@ -16,7 +16,6 @@ This module provides the project infrastructure setup (creation and/or API servi | kms\_project\_id | ID of the KMS project you would like to create | `string` | `""` | no | | kms\_project\_name | Name of the KMS project you would like to create | `string` | n/a | yes | | organization\_id | The ID of the existing GCP organization | `string` | n/a | yes | -| project\_creator\_member\_email | Email of the user that will be granted permissions to create resources under the projects | `string` | `""` | no | | random\_project\_suffix | If true, a suffix of 4 random characters will be appended to project names. Only applies when create project flag is true. | `bool` | `false` | no | | vpc\_project\_id | ID of the VPC project, default to same as KMS | `string` | `""` | no | | vpc\_project\_name | Name of the VPC project, default to same as KMS | `string` | `""` | no | diff --git a/ekm-over-vpc-onboarding/create-vpc-kms-project/main.tf b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/main.tf similarity index 84% rename from ekm-over-vpc-onboarding/create-vpc-kms-project/main.tf rename to ekm-over-vpc-onboarding/modules/create_vpc_kms_project/main.tf index 2dd46d6f..1bb951c6 100644 --- a/ekm-over-vpc-onboarding/create-vpc-kms-project/main.tf +++ b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/main.tf @@ -32,17 +32,6 @@ locals { } -# User Credentials (Default: Current logged in user) -data "google_client_openid_userinfo" "provider_identity" { -} - -# Add permission to create projects -resource "google_organization_iam_member" "project_create_iam_member" { - org_id = var.organization_id - role = "roles/resourcemanager.projectCreator" - member = format("user:%s", var.project_creator_member_email == "" ? data.google_client_openid_userinfo.provider_identity.email : var.project_creator_member_email) -} - # Create KMS and VPC projects if specified module "kms_project" { count = var.create_kms_project ? 1 : 0 diff --git a/ekm-over-vpc-onboarding/create-vpc-kms-project/outputs.tf b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/outputs.tf similarity index 100% rename from ekm-over-vpc-onboarding/create-vpc-kms-project/outputs.tf rename to ekm-over-vpc-onboarding/modules/create_vpc_kms_project/outputs.tf diff --git a/ekm-over-vpc-onboarding/create-vpc-kms-project/variables.tf b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/variables.tf similarity index 90% rename from ekm-over-vpc-onboarding/create-vpc-kms-project/variables.tf rename to ekm-over-vpc-onboarding/modules/create_vpc_kms_project/variables.tf index ae3ec69b..ad6858d3 100644 --- a/ekm-over-vpc-onboarding/create-vpc-kms-project/variables.tf +++ b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/variables.tf @@ -51,13 +51,6 @@ variable "billing_account" { description = "Billing Account for the customer" } -variable "project_creator_member_email" { - type = string - default = "" - nullable = true - description = "Email of the user that will be granted permissions to create resources under the projects" -} - variable "folder_id" { type = string default = "" diff --git a/ekm-over-vpc-onboarding/create-vpc-kms-project/versions.tf b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/versions.tf similarity index 100% rename from ekm-over-vpc-onboarding/create-vpc-kms-project/versions.tf rename to ekm-over-vpc-onboarding/modules/create_vpc_kms_project/versions.tf diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/README.md b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/README.md new file mode 100644 index 00000000..a486b749 --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/README.md @@ -0,0 +1,39 @@ +# EKM resources creation module + +## Overview + +This module provides all the EKM infrastructure creation (EKM connection, key, keyring) sample with Terraform. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| crypto\_space\_path | External key provider crypto space path (ie. v0/longlived/a1-example) | `string` | `""` | no | +| ekm\_connection\_key\_path | Each Cloud EKM key version contains either a key URI or a key path. This is a unique identifier for the external key material that Cloud EKM uses when requesting cryptographic operations using the key. When key\_management\_mode is CLOUD\_KMS, this variable will be equals to crypto\_space\_path | `string` | n/a | yes | +| ekmconnection\_name | Name of the ekmconnection resource | `string` | `"ekmconnection"` | no | +| external\_key\_manager\_ip | Private IP address of the external key manager or ip address for the load balancer pointing to the external key manager | `string` | `"10.2.0.48"` | no | +| external\_key\_manager\_port | Port of the external key manager or port for the load balancer pointing to the external key manager | `string` | `"443"` | no | +| external\_provider\_hostname | Hostname for external key manager provider (ie. private-ekm.example.endpoints.cloud.goog) | `string` | n/a | yes | +| external\_provider\_raw\_der | External key provider server certificate in base64 format | `string` | n/a | yes | +| key\_management\_mode | Key management mode. Possible values: MANUAL and CLOUD\_KMS. Defaults to MANUAL | `string` | `"MANUAL"` | no | +| kms\_name\_prefix | Key management resources name prefix | `string` | `"kms-vpc"` | no | +| kms\_project\_id | ID of the KMS project you would like to create | `string` | n/a | yes | +| location | Location where resources will be created | `string` | `"us-central1"` | no | +| network\_name | Name of the Network resource | `string` | `"vpc-network-name"` | no | +| project\_creator\_member\_email | Email of the user that will be granted permissions to create resources under the projects | `string` | `""` | no | +| servicedirectory\_name | Service Directory resource name | `string` | `"ekm-service-directory"` | no | +| subnet\_ip\_cidr\_range | ip\_cidr\_range for subnet resource | `string` | `"10.2.0.0/16"` | no | +| vpc\_project\_id | ID of the VPC project, default to same as KMS | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| crypto\_key | Name of the crypto key created. | +| ekm\_connection\_id | ID of the EKM connection created. | +| key\_version | Name of the key version created. | +| keyring | Name of the keyring. | +| location | Location of the keyring created. | + + diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/iam.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/iam.tf new file mode 100644 index 00000000..cbc69a6f --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/iam.tf @@ -0,0 +1,49 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# Grants appropriate permissions to the projects +resource "google_project_iam_member" "iam_member_roles_kms" { + for_each = toset([ + "roles/cloudkms.admin" + ]) + role = each.key + member = format("user:%s", var.project_creator_member_email == "" ? data.google_client_openid_userinfo.provider_identity.email : var.project_creator_member_email) + project = data.google_project.kms_project.number +} +resource "google_project_iam_member" "iam_member_roles_vpc" { + for_each = toset([ + "roles/compute.networkAdmin", + "roles/compute.securityAdmin", + "roles/servicedirectory.admin", + ]) + role = each.key + member = format("user:%s", var.project_creator_member_email == "" ? data.google_client_openid_userinfo.provider_identity.email : var.project_creator_member_email) + project = data.google_project.vpc_project.number +} + +#Granting appropriate roles to service account +resource "google_project_iam_member" "sd_iam_member_roles" { + for_each = toset([ + "roles/servicedirectory.pscAuthorizedService", + "roles/servicedirectory.viewer", + "roles/servicedirectory.networkAttacher", + ]) + role = each.key + member = "serviceAccount:service-${data.google_project.kms_project.number}@gcp-sa-ekms.iam.gserviceaccount.com" + project = data.google_project.vpc_project.number + + depends_on = [google_project_service_identity.enable_ekm_service_agent] +} diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/main.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/main.tf new file mode 100644 index 00000000..83ea2fb1 --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/main.tf @@ -0,0 +1,83 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +##### +# Script to create resources +##### + +data "google_project" "kms_project" { + project_id = var.kms_project_id +} + +data "google_project" "vpc_project" { + project_id = var.vpc_project_id == "" ? var.kms_project_id : var.vpc_project_id +} + +# User Credentials (Default: Current logged in user) +data "google_client_openid_userinfo" "provider_identity" { +} + +resource "google_project_service_identity" "enable_ekm_service_agent" { + provider = google-beta + + project = data.google_project.kms_project.number + service = "cloudkms.googleapis.com" +} + +#EKM Connection Creation +resource "google_kms_ekm_connection" "ekm_main_resource" { + name = var.ekmconnection_name + location = var.location + key_management_mode = var.key_management_mode + project = var.kms_project_id + service_resolvers { + service_directory_service = google_service_directory_service.sd_service.id + hostname = var.external_provider_hostname + server_certificates { + raw_der = var.external_provider_raw_der + } + } + crypto_space_path = var.crypto_space_path +} + +# #Key Ring Creation +resource "google_kms_key_ring" "vpc_kms_ring" { + name = "${var.kms_name_prefix}-keyring" + location = var.location + project = var.kms_project_id +} + +# #Key Creation +resource "google_kms_crypto_key" "vpc_key" { + name = "${var.kms_name_prefix}-key" + key_ring = google_kms_key_ring.vpc_kms_ring.id + purpose = "ENCRYPT_DECRYPT" + + version_template { + algorithm = "EXTERNAL_SYMMETRIC_ENCRYPTION" + protection_level = "EXTERNAL_VPC" + } + skip_initial_version_creation = true + crypto_key_backend = google_kms_ekm_connection.ekm_main_resource.id + depends_on = [google_service_directory_service.sd_service] +} +resource "google_kms_crypto_key_version" "vpc_crypto_key_version" { + crypto_key = google_kms_crypto_key.vpc_key.id + external_protection_level_options { + ekm_connection_key_path = var.ekm_connection_key_path + } +} diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/network.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/network.tf new file mode 100644 index 00000000..63d90744 --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/network.tf @@ -0,0 +1,63 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#Network & Subnet creation +module "vpc-network" { + source = "terraform-google-modules/network/google" + version = "~> 8.0" + project_id = data.google_project.vpc_project.number + network_name = var.network_name + mtu = 1460 + routing_mode = "REGIONAL" + + subnets = [ + { + subnet_name = "${var.network_name}-subnet" + subnet_region = var.location + subnet_ip = var.subnet_ip_cidr_range + subnet_private_access = true + } + ] +} + +module "firewall_rules" { + source = "terraform-google-modules/network/google//modules/firewall-rules" + version = "9.1.0" + + project_id = data.google_project.vpc_project.number + network_name = module.vpc-network.network_name + + rules = [{ + name = "google-ingress-firewall" + direction = "INGRESS" + source_ranges = ["35.199.192.0/19"] + allow = [{ + protocol = "tcp" + ports = ["80", "31234", "443"] + }] + }, + { + name = "google-egress-firewall" + direction = "EGRESS" + destination_ranges = ["35.199.192.0/19"] + allow = [{ + protocol = "all" + }] + log_config = { + metadata = "INCLUDE_ALL_METADATA" + } + }] +} diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/outputs.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/outputs.tf new file mode 100644 index 00000000..da22b871 --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/outputs.tf @@ -0,0 +1,40 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "keyring" { + description = "Name of the keyring." + value = google_kms_key_ring.vpc_kms_ring.name +} + +output "crypto_key" { + description = "Name of the crypto key created." + value = google_kms_crypto_key.vpc_key.name +} + +output "key_version" { + description = "Name of the key version created." + value = google_kms_crypto_key_version.vpc_crypto_key_version.name +} + +output "location" { + description = "Location of the keyring created." + value = google_kms_key_ring.vpc_kms_ring.location +} + +output "ekm_connection_id" { + description = "ID of the EKM connection created." + value = google_kms_ekm_connection.ekm_main_resource.id +} diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/service_directory.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/service_directory.tf new file mode 100644 index 00000000..36fb9017 --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/service_directory.tf @@ -0,0 +1,37 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "google_service_directory_namespace" "sd_namespace" { + provider = google-beta + namespace_id = "${var.servicedirectory_name}-namespace" + location = var.location + project = data.google_project.vpc_project.number +} + +resource "google_service_directory_service" "sd_service" { + provider = google-beta + service_id = "${var.servicedirectory_name}-service" + namespace = google_service_directory_namespace.sd_namespace.id +} + +resource "google_service_directory_endpoint" "sd_endpoint" { + provider = google-beta + endpoint_id = "${var.servicedirectory_name}-endpoint" + service = google_service_directory_service.sd_service.id + network = "projects/${data.google_project.vpc_project.number}/locations/global/networks/${module.vpc-network.network_name}" + address = var.external_key_manager_ip + port = var.external_key_manager_port +} diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/variables.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/variables.tf new file mode 100644 index 00000000..3489c8d2 --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/variables.tf @@ -0,0 +1,121 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +##### +# Run: terraform apply -var='kms_project_name=my_kms_project' -var="vpc_project_name=my_vpc_project" +# Pre-Req: Allow External Key Manager to receive requests from 35.199.192.0/19 +##### + +# Variables Required +variable "kms_project_id" { + type = string + nullable = false + description = "ID of the KMS project you would like to create" +} + +variable "vpc_project_id" { + type = string + default = "" + description = "ID of the VPC project, default to same as KMS" +} + +variable "location" { + type = string + default = "us-central1" + nullable = false + description = "Location where resources will be created" +} + +variable "subnet_ip_cidr_range" { + type = string + default = "10.2.0.0/16" + nullable = false + description = "ip_cidr_range for subnet resource" +} + +variable "external_key_manager_ip" { + type = string + default = "10.2.0.48" + nullable = false + description = "Private IP address of the external key manager or ip address for the load balancer pointing to the external key manager" +} + +variable "external_key_manager_port" { + type = string + default = "443" + nullable = false + description = "Port of the external key manager or port for the load balancer pointing to the external key manager" +} + +variable "external_provider_hostname" { + type = string + nullable = false + description = "Hostname for external key manager provider (ie. private-ekm.example.endpoints.cloud.goog)" +} + +variable "external_provider_raw_der" { + type = string + nullable = false + description = "External key provider server certificate in base64 format" +} + +variable "crypto_space_path" { + type = string + default = "" + description = "External key provider crypto space path (ie. v0/longlived/a1-example)" +} + +variable "ekm_connection_key_path" { + type = string + description = "Each Cloud EKM key version contains either a key URI or a key path. This is a unique identifier for the external key material that Cloud EKM uses when requesting cryptographic operations using the key. When key_management_mode is CLOUD_KMS, this variable will be equals to crypto_space_path" +} + +# Variables Optional +variable "network_name" { + type = string + default = "vpc-network-name" + description = "Name of the Network resource" +} + +variable "servicedirectory_name" { + type = string + default = "ekm-service-directory" + description = "Service Directory resource name" +} + +variable "kms_name_prefix" { + type = string + default = "kms-vpc" + description = "Key management resources name prefix" +} + +variable "ekmconnection_name" { + type = string + default = "ekmconnection" + description = "Name of the ekmconnection resource" +} + +variable "key_management_mode" { + type = string + default = "MANUAL" + description = "Key management mode. Possible values: MANUAL and CLOUD_KMS. Defaults to MANUAL" +} + +variable "project_creator_member_email" { + type = string + default = "" + description = "Email of the user that will be granted permissions to create resources under the projects" +} diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/versions.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/versions.tf new file mode 100644 index 00000000..347b1485 --- /dev/null +++ b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/versions.tf @@ -0,0 +1,32 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +terraform { + required_version = ">= 1.5.7" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 5.23.0" + } + + google-beta = { + source = "hashicorp/google-beta" + version = "5.26.0" + } + } +} diff --git a/ekm-over-vpc-onboarding/outputs.tf b/ekm-over-vpc-onboarding/outputs.tf new file mode 100644 index 00000000..e5aff5ba --- /dev/null +++ b/ekm-over-vpc-onboarding/outputs.tf @@ -0,0 +1,50 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "kms_project_id" { + description = "ID of the KMS project" + value = module.create_vpc_kms_project.kms_project_id +} + +output "vpc_project_id" { + description = "ID of the VPC project" + value = module.create_vpc_kms_project.vpc_project_id +} + +output "keyring" { + description = "Name of the keyring." + value = module.ekm_resources.keyring +} + +output "crypto_key" { + description = "Name of the crypto key created." + value = module.ekm_resources.crypto_key +} + +output "key_version" { + description = "Name of the key version created." + value = module.ekm_resources.key_version +} + +output "location" { + description = "Location of the keyring created." + value = module.ekm_resources.location +} + +output "ekm_connection_id" { + description = "ID of the EKM connection created." + value = module.ekm_resources.ekm_connection_id +} diff --git a/ekm-over-vpc-onboarding/terraform.example.tfvars b/ekm-over-vpc-onboarding/terraform.example.tfvars new file mode 100644 index 00000000..ab151394 --- /dev/null +++ b/ekm-over-vpc-onboarding/terraform.example.tfvars @@ -0,0 +1,36 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +organization_id = "REPLACE-WITH-YOUR-ORG-ID" +billing_account = "REPLACE-WITH-YOUR-BILLING-ACCOUNT" +project_creator_member_email = "" # Set if you want to grant the permissions to a different user than it is authenticated +folder_id = "" # Set if you want to create the projects in a specific GCP folder (Applies only when create flag is true) +location = "us-central1" # Set if you want to create resources in a specific location + +create_kms_project = false # Set to true if you want to auto-create the KMS project +create_vpc_project = false # Set to true if you want to auto-create the VPC project + +kms_project_id = "sample-kms-project-id" # Desired or existing project KMS name (if existing set create flag to false) +vpc_project_id = "sample-vpc-project-id" # Desired or existing project VPC name (if existing set create flag to false) +random_project_suffix = false # Set to true if you want to append a 4 random string into project ID (applies only when create flag is true) + +kms_project_name = "sample-kms-project-name" # (Applies only when create flag is true) +vpc_project_name = "sample-vpc-project-name" # (Applies only when create flag is true) + +external_provider_hostname = "REPLACE-WITH-YOUR-EKM-HOSTNAME" +external_provider_raw_der = "REPLACE-WITH-YOUR-RAW-DER" # The raw certificate bytes in DER format. A base64-encoded string. For more info see: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections#Certificate +external_key_manager_ip = "REPLACE-WITH-YOUR-EKM-IP" # Set with a Private IP address of the EKM or an IP address for the load balancer pointing to the EKM +ekm_connection_key_path = "REPLACE-WITH-YOUR-KEY-PATH" # Set with Cloud EKM key version. diff --git a/ekm-over-vpc-onboarding/variables.tf b/ekm-over-vpc-onboarding/variables.tf new file mode 100644 index 00000000..73dafccd --- /dev/null +++ b/ekm-over-vpc-onboarding/variables.tf @@ -0,0 +1,164 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "kms_project_name" { + type = string + nullable = false + description = "Name of the KMS project you would like to create" +} + +variable "organization_id" { + type = string + nullable = false + description = "The ID of the existing GCP organization" +} + +variable "kms_project_id" { + type = string + default = "" + nullable = false + description = "ID of the KMS project you would like to create" +} + +variable "vpc_project_name" { + type = string + default = "" + description = "Name of the VPC project, default to same as KMS" +} + +variable "vpc_project_id" { + type = string + default = "" + description = "ID of the VPC project, default to same as KMS" +} + +variable "billing_account" { + type = string + default = "" + description = "Billing Account for the customer" +} + +variable "location" { + type = string + default = "us-central1" + nullable = false + description = "Location where resources will be created" +} + +variable "project_creator_member_email" { + type = string + default = "" + nullable = true + description = "Email of the user that will be granted permissions to create resources under the projects" +} + +variable "folder_id" { + type = string + default = "" + description = "(Optional) The ID of the GCP folder to create the projects" +} + +variable "create_kms_project" { + type = bool + default = true + description = "If true, a project for KMS will be created automatically" +} + +variable "create_vpc_project" { + type = bool + default = true + description = "If true, a project for VPC will be created automatically" +} + +variable "random_project_suffix" { + type = bool + default = false + description = "If true, a suffix of 4 random characters will be appended to project names. Only applies when create project flag is true." +} + +variable "subnet_ip_cidr_range" { + type = string + default = "10.2.0.0/16" + nullable = false + description = "ip_cidr_range for subnet resource" +} + +variable "external_key_manager_ip" { + type = string + default = "10.2.0.48" + nullable = false + description = "Private IP address of the external key manager or ip address for the load balancer pointing to the external key manager" +} + +variable "external_key_manager_port" { + type = string + default = "443" + nullable = false + description = "Port of the external key manager or port for the load balancer pointing to the external key manager" +} + +variable "external_provider_hostname" { + type = string + nullable = false + description = "Hostname for external key manager provider (ie. private-ekm.example.endpoints.cloud.goog)" +} + +variable "external_provider_raw_der" { + type = string + nullable = false + description = "External key provider server certificate in base64 format" +} + +variable "crypto_space_path" { + type = string + default = "" + description = "External key provider crypto space path (ie. v0/longlived/a1-example)" +} + +variable "network_name" { + type = string + default = "vpc-network-name" + description = "Name of the Network resource" +} + +variable "servicedirectory_name" { + type = string + default = "ekm-service-directory" + description = "Service Directory resource name" +} + +variable "kms_name_prefix" { + type = string + default = "kms-vpc" + description = "Key management resources name prefix" +} + +variable "ekmconnection_name" { + type = string + default = "ekmconnection" + description = "Name of the ekmconnection resource" +} + +variable "key_management_mode" { + type = string + default = "MANUAL" + description = "Key management mode. Possible values: MANUAL and CLOUD_KMS. Defaults to MANUAL" +} + +variable "ekm_connection_key_path" { + type = string + description = "Each Cloud EKM key version contains either a key URI or a key path. This is a unique identifier for the external key material that Cloud EKM uses when requesting cryptographic operations using the key. When key_management_mode is CLOUD_KMS, this variable will be equals to crypto_space_path" +} diff --git a/ekm-over-vpc-onboarding/versions.tf b/ekm-over-vpc-onboarding/versions.tf new file mode 100644 index 00000000..59285437 --- /dev/null +++ b/ekm-over-vpc-onboarding/versions.tf @@ -0,0 +1,19 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.5.7" +} diff --git a/share-encrypted-data-with-partners/consumer/0-bootstrap/versions.tf b/share-encrypted-data-with-partners/consumer/0-bootstrap/versions.tf index 46393644..8644faae 100644 --- a/share-encrypted-data-with-partners/consumer/0-bootstrap/versions.tf +++ b/share-encrypted-data-with-partners/consumer/0-bootstrap/versions.tf @@ -25,7 +25,7 @@ terraform { random = { source = "hashicorp/random" - version = "3.6.0" + version = "3.6.1" } null = { @@ -35,7 +35,7 @@ terraform { time = { source = "hashicorp/time" - version = "0.10.0" + version = "0.11.1" } } } diff --git a/share-encrypted-data-with-partners/examples/python/requirements.txt b/share-encrypted-data-with-partners/examples/python/requirements.txt index d4c09efd..51e3cfb6 100644 --- a/share-encrypted-data-with-partners/examples/python/requirements.txt +++ b/share-encrypted-data-with-partners/examples/python/requirements.txt @@ -1,2 +1,2 @@ cryptography==42.0.5 -google-cloud-kms==2.21.2 +google-cloud-kms==2.21.4 diff --git a/test/integration/go.mod b/test/integration/go.mod index fe7fd7c1..a624d7e0 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -2,7 +2,7 @@ module github.com/terraform-google-modules/kms-solutions/test/integration go 1.21.0 -require github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2 +require github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0 require ( cloud.google.com/go v0.110.7 // indirect @@ -15,7 +15,7 @@ require ( github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/aws/aws-sdk-go v1.45.5 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/go-errors/errors v1.5.0 // indirect github.com/go-openapi/jsonpointer v0.20.0 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect @@ -23,8 +23,7 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/go-cmp v0.5.9 // indirect - github.com/google/gofuzz v1.2.0 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/s2a-go v0.1.7 // indirect github.com/google/uuid v1.3.1 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect @@ -49,7 +48,7 @@ require ( github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770 // indirect github.com/mitchellh/go-wordwrap v1.0.1 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/stretchr/testify v1.9.0 // indirect github.com/tidwall/gjson v1.17.1 // indirect github.com/tidwall/match v1.1.1 // indirect @@ -59,12 +58,12 @@ require ( github.com/ulikunitz/xz v0.5.11 // indirect github.com/zclconf/go-cty v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.17.0 // indirect - golang.org/x/mod v0.16.0 // indirect - golang.org/x/net v0.17.0 // indirect + golang.org/x/crypto v0.21.0 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.23.0 // indirect golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.18.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/api v0.138.0 // indirect @@ -75,7 +74,7 @@ require ( google.golang.org/grpc v1.58.3 // indirect google.golang.org/protobuf v1.33.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f // indirect - sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.0 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/test/integration/go.sum b/test/integration/go.sum index 3c012985..9272e9e9 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum @@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2 h1:DQS5D0xaV1SVFNoGvHdYB0wYeZ24D9hVeFiLG2+r06I= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2/go.mod h1:uomWciQn6oAotW86ck0b0ix+sUeZHSXyS+IYAVFTPj8= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0 h1:db17HvmQPwTAq7/ex/w2DiNMA4oGUmTiHvScfPW/cRI= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0/go.mod h1:JSsaDg/h4yaiNNTNnrCjyL6/czHb/Oz/z+dzWVqJYBE= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= @@ -221,8 +221,9 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -303,8 +304,9 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= @@ -419,13 +421,14 @@ github.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770/ github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= @@ -480,8 +483,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -518,8 +521,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= -golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -567,8 +570,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -675,13 +678,14 @@ golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1001,14 +1005,14 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f h1:eeEUOoGYWhOz7EyXqhlR2zHKNw2mNJ9vzJmub6YN6kk= -k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= -sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= +sigs.k8s.io/kustomize/kyaml v0.17.0 h1:G2bWs03V9Ur2PinHLzTUJ8Ded+30SzXZKiO92SRDs3c= +sigs.k8s.io/kustomize/kyaml v0.17.0/go.mod h1:6lxkYF1Cv9Ic8g/N7I86cvxNc5iinUo/P2vKsHNmpyE= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=