fix: Implement workaround to make HSM keys work

We can't explicitly create key versions with Google KMS due to hashicorp/terraform-provider-google#13924, so this change lets the `google_kms_crypto_key` resource create an initial key and then we import it.
relaycorp · Sep 20, 2023 · 237125b · 237125b
1 parent 39fa289
commit 237125b
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 15 deletions.
diff --git a/bootstrap.tf b/bootstrap.tf
@@ -55,11 +55,11 @@ resource "google_cloud_run_v2_job" "bootstrap" {
 
         env {
           name  = "ACTIVE_ID_KEY_REF"
-          value = google_kms_crypto_key_version.identity_key.id
+          value = data.google_kms_crypto_key_version.initial_identity_key.id
         }
         env {
           name  = "ACTIVE_ID_PUBLIC_KEY"
-          value = data.google_kms_crypto_key_version.identity_key.public_key[0].pem
+          value = data.google_kms_crypto_key_version.initial_identity_key.public_key[0].pem
         }
 
         env {

diff --git a/kms.tf b/kms.tf
@@ -23,8 +23,6 @@ resource "google_kms_crypto_key" "identity_key" {
   key_ring = google_kms_key_ring.keystores.id
   purpose  = "ASYMMETRIC_SIGN"
 
-  skip_initial_version_creation = true
-
   version_template {
     algorithm        = "RSA_SIGN_PSS_2048_SHA256"
     protection_level = var.kms_protection_level
@@ -35,7 +33,11 @@ resource "google_kms_crypto_key" "identity_key" {
   }
 }
 
-resource "google_kms_crypto_key_version" "identity_key" {
+// Ideally, we'd just manage the key version explicitly, but we can't due to two limitations
+// in the Google provider:
+// 1.- This bug with HSM keys: https://github.com/hashicorp/terraform-provider-google/issues/13924
+// 2.- The lack of support for reading the public key as soon as the key is created.
+data "google_kms_crypto_key_version" "initial_identity_key" {
   crypto_key = google_kms_crypto_key.identity_key.id
 
   depends_on = [time_sleep.wait_for_id_key_creation]
@@ -57,15 +59,13 @@ resource "google_kms_crypto_key" "session_keys" {
   }
 }
 
-data "google_kms_crypto_key_version" "identity_key" {
-  crypto_key = google_kms_crypto_key.identity_key.id
-
-  depends_on = [time_sleep.wait_for_id_key_creation]
-}
-
 resource "time_sleep" "wait_for_id_key_creation" {
   depends_on      = [google_kms_crypto_key.identity_key]
   create_duration = "30s"
+
+  triggers = {
+    kms_protection_level = var.kms_protection_level
+  }
 }
 
 // IAM

diff --git a/pohttp_client.tf b/pohttp_client.tf
@@ -52,11 +52,11 @@ resource "google_cloud_run_v2_service" "pohttp_client" {
 
       env {
         name  = "ACTIVE_ID_KEY_REF"
-        value = google_kms_crypto_key_version.identity_key.id
+        value = data.google_kms_crypto_key_version.initial_identity_key.id
       }
       env {
         name  = "ACTIVE_ID_PUBLIC_KEY"
-        value = data.google_kms_crypto_key_version.identity_key.public_key[0].pem
+        value = data.google_kms_crypto_key_version.initial_identity_key.public_key[0].pem
       }
 
       env {

diff --git a/pohttp_server.tf b/pohttp_server.tf
@@ -52,11 +52,11 @@ resource "google_cloud_run_v2_service" "pohttp_server" {
 
       env {
         name  = "ACTIVE_ID_KEY_REF"
-        value = google_kms_crypto_key_version.identity_key.id
+        value = data.google_kms_crypto_key_version.initial_identity_key.id
       }
       env {
         name  = "ACTIVE_ID_PUBLIC_KEY"
-        value = data.google_kms_crypto_key_version.identity_key.public_key[0].pem
+        value = data.google_kms_crypto_key_version.initial_identity_key.public_key[0].pem
       }
 
       env {