Add VPC connector support and crypto key options (#8)

mbrancato · Dec 26, 2020 · 2f7d957 · 2f7d957
1 parent 33c2039
commit 2f7d957
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -21,14 +21,17 @@ following Google Cloud resources:
   - [`location`](#location)
   - [`project`](#project)
   - [`vault_image`](#vault_image)
-  - [`bucket_force_destroy`](#bucket_force_destroy)
-  - [`vault_ui`](#vault_ui)
-  - [`container_concurrency`](#container_concurrency)
-  - [`vault_api_addr`](#vault_api_addr)
-  - [`vault_kms_keyring_name`](#vault_kms_keyring_name)
-  - [`vault_kms_key_rotation`](#vault_kms_key_rotation)
-  - [`vault_service_account_id`](#vault_service_account_id)
-  - [`vault_storage_bucket_name`](#vault_storage_bucket_name)
+  - [`bucket_force_destroy`](#bucket_force_destroy-optional)
+  - [`container_concurrency`](#container_concurrency-optional)
+  - [`vpc_connector`](#vpc_connector-optional)
+  - [`vault_ui`](#vault_ui-optional)
+  - [`vault_api_addr`](#vault_api_addr-optional)
+  - [`vault_kms_keyring_name`](#vault_kms_keyring_name-optional)
+  - [`vault_kms_key_rotation`](#vault_kms_key_rotation-optional)
+  - [`vault_kms_key_algorithm`](#vault_kms_key_algorithm-optional)
+  - [`vault_kms_key_protection_level`](#vault_kms_key_protection_level-optional)
+  - [`vault_service_account_id`](#vault_service_account_id-optional)
+  - [`vault_storage_bucket_name`](#vault_storage_bucket_name-optional)
 - [Security Concerns](#security-concerns)
 - [Caveats](#caveats)
   - [Google Cloud Container Registry](#google-cloud-container-registry)
@@ -54,7 +57,7 @@ module "vault" {
   name        = "vault"
   project     = data.google_client_config.current.project
   location    = data.google_client_config.current.region
-  vault_image = "us.gcr.io/${data.google_client_config.current.project}/vault:1.5.4"
+  vault_image = "us.gcr.io/${data.google_client_config.current.project}/vault:1.6.1"
 }
 ```
 
@@ -123,44 +126,60 @@ deploying Vault, read
 ### `vault_image`
 - Vault docker image.
 
-### `bucket_force_destroy`
+### `bucket_force_destroy` (optional)
 - CAUTION: Set force_destroy for Storage Bucket. This is where the vault data is stored. Setting this to true will allow terraform destroy to delete the bucket.
   - default - `false`
 
-### `vault_ui`
-- Enable Vault UI.
-  - default - `false`
-
-### `container_concurrency`
+### `container_concurrency` (optional)
 - Max number of connections per container instance.
   - default - `80`
 
-### `vault_api_addr`
+### `vpc_connector` (optional)
+- ID for the [Serverless VPC connector](https://cloud.google.com/vpc/docs/configure-serverless-vpc-access) to be used, if any, for private VPC access.
+  - Creation of the connector is out of scope of this module, see [google_vpc_access_connector](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/vpc_access_connector).
+  - default - `null`
+
+### `vault_ui` (optional)
+- Enable Vault UI.
+  - default - `false`
+
+### `vault_api_addr` (optional)
 - Full HTTP endpoint of Vault Server if using a custom domain name. Leave blank otherwise.
   - default - `""`
 
-### `vault_kms_keyring_name`
+### `vault_kms_keyring_name` (optional)
 - Name of the Google KMS keyring to use.
   - default - `"${var.name}-${lower(random_id.vault.hex)}-kr"`
 
-### `vault_kms_key_rotation`
+### `vault_kms_key_rotation` (optional)
 - The period for KMS key rotation.
-  - default - `"86400s"`
+  - Note: key rotations will lead to multiple active KMS keys and will result in an increasing monthly bill. Setting to `null` should disable rotation (not recommended).
+  - default - `"7776000s"` (90 days)
+
+### `vault_kms_key_algorithm` (optional)
+- The cryptographic algorithm to be used with the KMS key.
+  - Specify a supported [CryptoKeyVersionAlgorithm](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) value.
+  - default - `"GOOGLE_SYMMETRIC_ENCRYPTION"`
+
+### `vault_kms_key_protection_level` (optional)
+- The protection level to be used with the KMS key.
+  - Specify the [protection level](https://cloud.google.com/kms/docs/algorithms#protection_levels) to be used (SOFTWARE, HSM, EXTERNAL).
+  - default - `"SOFTWARE"`
 
-### `vault_service_account_id`
+### `vault_service_account_id` (optional)
 - ID for the service account to be used. This is the part of the service account email before the `@` symbol.
   - default - `"vault-sa"`
 
-### `vault_storage_bucket_name`
+### `vault_storage_bucket_name` (optional)
 - Storage bucket name to be used.
   - default - `"${var.name}-${lower(random_id.vault.hex)}-bucket"`
 
 ## Security Concerns
 
 The following things may be of concern from a security perspective:
 
-* This is a publicly accessible Vault instance. Anyone with the DNS name can connect to it.
-* By default, Vault is running on shared compute infrastructure.
+* When not using a VPC connector, this is a publicly accessible Vault instance. Anyone with the DNS name can connect to it.
+* By default, Vault is running on shared compute infrastructure. The [Google Terraform provider](https://github.com/hashicorp/terraform-provider-google) does not yet support Cloud Run on Anthos / GKE to deploy on single-tenant VMs.
 
 ## Caveats
 
@@ -180,6 +199,6 @@ A quick way to get Vault into GCR for a GCP project:
 ```
 gcloud auth configure-docker
 docker pull hashicorp/vault:latest
-docker tag hashicorp/vault:latest gcr.io/{{ project_id }}/vault:latest
-docker push gcr.io/{{ project_id }}/vault:latest
+docker tag hashicorp/vault:1.6.1 gcr.io/{{ project_id }}/vault:1.6.1
+docker push gcr.io/{{ project_id }}/vault:1.6.1
 ```
diff --git a/main.tf b/main.tf
@@ -1,5 +1,3 @@
-provider "random" {}
-
 locals {
   vault_config = jsonencode(
     {
@@ -33,18 +31,19 @@ locals {
   vault_storage_bucket_name = var.vault_storage_bucket_name != "" ? var.vault_storage_bucket_name : "${var.name}-${lower(random_id.vault.hex)}-bucket"
 }
 
-
 resource "random_id" "vault" {
   byte_length = 2
 }
 
 resource "google_service_account" "vault" {
+  project      = var.project
   account_id   = var.vault_service_account_id
   display_name = "Vault Service Account for KMS auto-unseal"
 }
 
 resource "google_storage_bucket" "vault" {
   name          = local.vault_storage_bucket_name
+  project       = var.project
   force_destroy = var.bucket_force_destroy
 }
 
@@ -57,6 +56,7 @@ resource "google_storage_bucket_iam_member" "member" {
 # Create a KMS key ring
 resource "google_kms_key_ring" "vault" {
   name     = local.vault_kms_keyring_name
+  project  = var.project
   location = var.location
 }
 
@@ -65,6 +65,11 @@ resource "google_kms_crypto_key" "vault" {
   name            = "${var.name}-key"
   key_ring        = google_kms_key_ring.vault.self_link
   rotation_period = var.vault_kms_key_rotation
+
+  version_template {
+    algorithm        = var.vault_kms_key_algorithm
+    protection_level = var.vault_kms_key_protection_level
+  }
 }
 
 # Add the service account to the Keyring
@@ -76,6 +81,7 @@ resource "google_kms_key_ring_iam_member" "vault" {
 
 resource "google_cloud_run_service" "default" {
   name                       = var.name
+  project                    = var.project
   location                   = var.location
   autogenerate_revision_name = true
 
@@ -86,7 +92,8 @@ resource "google_cloud_run_service" "default" {
   template {
     metadata {
       annotations = {
-        "autoscaling.knative.dev/maxScale" = 1 # HA not Supported
+        "autoscaling.knative.dev/maxScale"        = 1 # HA not Supported
+        "run.googleapis.com/vpc-access-connector" = var.vpc_connector != "" ? var.vpc_connector : null
       }
     }
     spec {

diff --git a/variables.tf b/variables.tf
@@ -24,18 +24,24 @@ variable "bucket_force_destroy" {
   default     = false
 }
 
-variable "vault_ui" {
-  description = "Enable Vault UI."
-  type        = bool
-  default     = false
-}
-
 variable "container_concurrency" {
   description = "Max number of connections per container instance."
   type        = number
   default     = 80 # Max per Cloud Run Documentation
 }
 
+variable "vpc_connector" {
+  description = "Serverless VPC access connector."
+  type        = string
+  default     = ""
+}
+
+variable "vault_ui" {
+  description = "Enable Vault UI."
+  type        = bool
+  default     = false
+}
+
 variable "vault_api_addr" {
   description = "Full HTTP endpoint of Vault Server if using a custom domain name. Leave blank otherwise."
   type        = string
@@ -51,7 +57,19 @@ variable "vault_kms_keyring_name" {
 variable "vault_kms_key_rotation" {
   description = "The period for KMS key rotation."
   type        = string
-  default     = "86400s"
+  default     = "7776000s"
+}
+
+variable "vault_kms_key_algorithm" {
+  description = "The cryptographic algorithm to be used with the KMS key."
+  type        = string
+  default     = "GOOGLE_SYMMETRIC_ENCRYPTION"
+}
+
+variable "vault_kms_key_protection_level" {
+  description = "The protection level to be used with the KMS key."
+  type        = string
+  default     = "SOFTWARE"
 }
 
 variable "vault_service_account_id" {
@@ -64,4 +82,4 @@ variable "vault_storage_bucket_name" {
   description = "Storage bucket name to be used."
   type        = string
   default     = ""
-}
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+  required_version = ">= 0.13"
+}