From a5d881dec70b1f0116a0cc745be2e6bf77ce9097 Mon Sep 17 00:00:00 2001 
From: Thales Group Date: Wed, 5 Apr 2023 21:01:18 +0000 Subject: [PATCH] updated docs --- changelog.md | 23 ++++ docs/data-sources/aws_account_details.md | 2 + docs/data-sources/azure_connection.md | 15 --- docs/data-sources/azure_key.md | 13 +-- docs/data-sources/gcp_connection.md | 26 +++++ docs/data-sources/gcp_key.md | 26 ++--- docs/data-sources/gcp_keyring.md | 10 +- docs/resources/password_policy.md | 50 +++++++++ docs/resources/policies.md | 56 ++++++++++ docs/resources/policy_attachments.md | 31 ++++++ docs/resources/user.md | 14 +-- .../data-source.tf | 2 + .../ciphertrust_aws_key/data-source.tf | 16 +-- .../data-source.tf | 15 --- .../ciphertrust_azure_key/data-source.tf | 11 +- .../ciphertrust_gcp_connection/data_source.tf | 4 + .../ciphertrust_gcp_key/data-source.tf | 15 +-- .../ciphertrust_gcp_keyring/data_source.tf | 7 +- examples/provider/provider.tf | 2 +- .../ciphertrust_password_policy/resource.tf | 12 ++ .../ciphertrust_policies/resource.tf | 11 ++ .../ciphertrust_policy_attachment/resource.tf | 8 ++ .../aws-keys/create-native/ec/main.tf | 2 +- .../aws-keys/create-native/rsa/main.tf | 2 +- .../aws-keys/create-native/symmetric/main.tf | 2 +- .../aws-keys/import/ciphertrust/main.tf | 2 +- sample-scripts/aws-keys/import/dsm/main.tf | 2 +- .../aws-keys/import/hsm-luna/main.tf | 2 +- .../aws-keys/key-rotation/ciphertrust/main.tf | 2 +- .../aws-keys/key-rotation/dsm/main.tf | 2 +- .../aws-keys/key-rotation/hsm-luna/main.tf | 2 +- .../aws-keys/key-synchronization/main.tf | 2 +- .../aws-keys/policy-templates/main.tf | 2 +- .../aws-keys/upload/ciphertrust/main.tf | 2 +- sample-scripts/aws-keys/upload/dsm/main.tf | 2 +- .../aws-keys/upload/hsm-luna/main.tf | 2 +- .../azure-keys/create-native/ec/main.tf | 2 +- .../azure-keys/create-native/hsm/main.tf | 2 +- .../azure-keys/create-native/rsa/main.tf | 2 +- .../key-rotation/ciphertrust/main.tf | 2 +- .../azure-keys/key-rotation/dsm/main.tf | 2 +- .../azure-keys/key-rotation/hsm-luna/main.tf | 2 +- 
.../azure-keys/key-rotation/native/main.tf | 2 +- .../azure-keys/key-synchronization/main.tf | 2 +- .../azure-keys/upload/ciphertrust/main.tf | 2 +- sample-scripts/azure-keys/upload/dsm/main.tf | 2 +- .../azure-keys/upload/hsm-luna/main.tf | 2 +- sample-scripts/azure-keys/upload/pfx/main.tf | 2 +- sample-scripts/connections/aws/main.tf | 2 +- sample-scripts/connections/azure/main.tf | 2 +- sample-scripts/connections/dsm/main.tf | 2 +- sample-scripts/connections/google/main.tf | 2 +- sample-scripts/connections/luna-hsm/main.tf | 2 +- sample-scripts/data-sources/aws-key/main.tf | 2 +- .../data-sources/azure-connection/main.tf | 2 +- sample-scripts/data-sources/azure-key/main.tf | 27 +---- .../google-connection/gcp_vars.tf | 15 +++ .../data-sources/google-connection/main.tf | 41 +++++++ .../data-sources/google-key/main.tf | 29 ++--- .../data-sources/google-keyring/main.tf | 24 ++-- sample-scripts/google-ekm-endpoints/main.tf | 2 +- .../google-keyring-acls/groups/main.tf | 2 +- .../google-keyring-acls/users/main.tf | 5 +- .../ciphertrust/asymmetric/main.tf | 2 +- .../ciphertrust/symmetric/main.tf | 2 +- .../add-versions/dsm/asymmetric/main.tf | 2 +- .../add-versions/dsm/symmetric/main.tf | 2 +- .../add-versions/hsm-luna/asymmetric/main.tf | 2 +- .../add-versions/native/asymmetric/main.tf | 2 +- .../add-versions/native/symmetric/main.tf | 2 +- .../create-native/asymmetric/main.tf | 2 +- .../create-native/symmetric/main.tf | 2 +- .../key-rotation/ciphertrust/main.tf | 2 +- .../google-keys/key-rotation/dsm/main.tf | 2 +- .../google-keys/key-rotation/hsm-luna/main.tf | 2 +- .../google-keys/key-rotation/native/main.tf | 2 +- .../google-keys/key-synchronization/main.tf | 2 +- .../upload/ciphertrust/asymmetric/main.tf | 2 +- .../upload/ciphertrust/symmetric/main.tf | 2 +- .../google-keys/upload/dsm/asymmetric/main.tf | 2 +- .../google-keys/upload/dsm/symmetric/main.tf | 2 +- .../upload/hsm-luna/asymmetric/main.tf | 2 +- .../google-workspace-cse/cse-endpoint/main.tf | 2 +- 
.../google-workspace-cse/cse-identity/main.tf | 2 +- .../aws/allow-kms-add/README.md | 81 ++++++++++++++ .../aws/allow-kms-add/main.tf | 101 +++++++++++++++++ .../azure/allow-vault-add/README.md | 95 ++++++++++++++++ .../azure/allow-vault-add/azure_vars.tf | 4 + .../azure/allow-vault-add/main.tf | 103 ++++++++++++++++++ .../deny-cmkey-export/README.md | 74 +++++++++++++ .../deny-cmkey-export/gcp_vars.tf | 15 +++ .../deny-cmkey-export/main.tf | 81 ++++++++++++++ .../google/allow-keyring-create/README.md | 74 +++++++++++++ .../google/allow-keyring-create/gcp_vars.tf | 14 +++ .../google/allow-keyring-create/main.tf | 103 ++++++++++++++++++ .../practical-examples/aws_s3_bucket/main.tf | 2 +- .../azure_storage_account/main.tf | 2 +- .../practical-examples/cluster/main.tf | 2 +- 98 files changed, 1151 insertions(+), 222 deletions(-) create mode 100644 docs/data-sources/gcp_connection.md create mode 100644 docs/resources/password_policy.md create mode 100644 docs/resources/policies.md create mode 100644 docs/resources/policy_attachments.md create mode 100644 examples/data-sources/ciphertrust_gcp_connection/data_source.tf create mode 100644 examples/resources/ciphertrust_password_policy/resource.tf create mode 100644 examples/resources/ciphertrust_policies/resource.tf create mode 100644 examples/resources/ciphertrust_policy_attachment/resource.tf create mode 100644 sample-scripts/data-sources/google-connection/gcp_vars.tf create mode 100644 sample-scripts/data-sources/google-connection/main.tf create mode 100644 sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/README.md create mode 100644 sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/main.tf create mode 100644 sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/README.md create mode 100644 sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/azure_vars.tf create mode 100644 sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/main.tf create mode 100644 
sample-scripts/policies/cloud-key-manager/deny-cmkey-export/README.md create mode 100644 sample-scripts/policies/cloud-key-manager/deny-cmkey-export/gcp_vars.tf create mode 100644 sample-scripts/policies/cloud-key-manager/deny-cmkey-export/main.tf create mode 100644 sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/README.md create mode 100644 sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/gcp_vars.tf create mode 100644 sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/main.tf diff --git a/changelog.md b/changelog.md index 5598d72..82d2f2d 100644 --- a/changelog.md +++ b/changelog.md @@ -1,3 +1,26 @@ +# 0.9.0-beta9 + +## New Resources + ciphertrust_password_policy + Updates CipherTrust Manager's global password policy + ciphertrust_policies: + Creates custom policies that: + Allow a non-admin users add an AWS KMS + Allow a non-admin users add an Azure vault + Allow a non-admin users add a Google Cloud keyring + Prevent users from exporting CipherTrust keys + ciphertrust_policy_attachments + Used to attach ciphertrust_policies to principles, eg groups. + +## New Data Sources + ciphertrust-gcp-connection + Reads a gcp connection resource + +## Breaking changes + ciphertrust_gcp_key + enable_versions - has changed from a list of version id strings to a list of version numbers + disable_versions - has changed from a list of version id strings to a list of version numbers + # 0.9.0-beta8 ## New Resources diff --git a/docs/data-sources/aws_account_details.md b/docs/data-sources/aws_account_details.md index 71eab9c..4bb4b16 100644 --- a/docs/data-sources/aws_account_details.md +++ b/docs/data-sources/aws_account_details.md 
@@ -23,10 +23,12 @@ resource "ciphertrust_aws_connection" "aws_connection" { secret_access_key = "secret-access-key" } +# Use the connection ID to retrieve account details data "ciphertrust_aws_account_details" "account_details" { aws_connection = ciphertrust_aws_connection.aws_connection.id } +# Use the account details datasource elements to create a KMS resource resource "ciphertrust_aws_kms" "kms" { account_id = data.ciphertrust_aws_account_details.account_details.account_id aws_connection = ciphertrust_aws_connection.aws_connection.id diff --git a/docs/data-sources/azure_connection.md b/docs/data-sources/azure_connection.md index 67c1bdc..76eddc8 100644 --- a/docs/data-sources/azure_connection.md +++ b/docs/data-sources/azure_connection.md @@ -14,21 +14,6 @@ This data-source provides vault details associated with a [ciphertrust_azure_con ## Example Usage ```terraform -# Create an Azure connection -resource "ciphertrust_azure_connection" "azure_connection" { - name = "connection-name" - client_id = "azure-client-id" - client_secret = "azure-client-secret" - tenant_id = "azure-tenant-id" -} - -# Add a vault -resource "ciphertrust_azure_vault" "azure_vault" { - azure_connection = ciphertrust_azure_connection.azure_connection.name - subscription_id = "azure-subscription-id" - name = "azure-vault-name" -} - # Get the Azure connection details including the vaults data "ciphertrust_azure_connection" "connection_details" { azure_connection = "connection-name" diff --git a/docs/data-sources/azure_key.md b/docs/data-sources/azure_key.md index 48453fd..c780a89 100644 --- a/docs/data-sources/azure_key.md +++ b/docs/data-sources/azure_key.md 
@@ -16,14 +16,9 @@ It's possible to identify the key using a range of fields. ## Example Usage ```terraform -# Retrieve details using the Terraform resource ID -data "ciphertrust_azure_key" "by_resource_id" { - id = ciphertrust_azure_key.azure_key.id -} - # Retrieve details using the Azure key ID data "ciphertrust_azure_key" "by_azure_key_id" { - azure_key_id = ciphertrust_azure_key.azure_key.azure_key_id + azure_key_id = "kid" } # Retrieve details using the key name and vault @@ -38,9 +33,8 @@ data "ciphertrust_azure_key" "by_name_and_vault" { ### Optional -- `azure_key_id` (String) Azure key identifier. Can be used alone to identify the key, all other parameters will be ignored. -- `id` (String) Azure key identifier. Can be used alone to identify a key. -- `key_id` (String) CipherTrust Key ID. Can be used alone to identify the key, all other parameters will be ignored. +- `azure_key_id` (String) Azure key identifier. Can be used alone to identify the key. +- `key_id` (String) CipherTrust Key ID. Can be used alone to identify the key. - `key_vault` (String) Name of the Azure vault containing the key in the format of vault_name::subscription_id. - `name` (String) Key name. - `version` (String) Key version. Set to -1 to retrieve the latest version @@ -58,6 +52,7 @@ data "ciphertrust_azure_key" "by_name_and_vault" { - `enabled` (Boolean) True if the key is enabled. - `expiration_date` (String) Date of key expiry. - `exportable` (Boolean) True if the key is exportable. +- `id` (String) Azure key identifier. - `key_material_origin` (String) Key material origin of an uploaded or imported key. - `key_ops` (List of String) Allowed key operations for asymmetric keys. - `key_size` (Number) Size of asymmetric keys. diff --git a/docs/data-sources/gcp_connection.md b/docs/data-sources/gcp_connection.md new file mode 100644 index 0000000..de6e1a2 --- /dev/null +++ b/docs/data-sources/gcp_connection.md 
@@ -0,0 +1,26 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "ciphertrust_gcp_connection Data Source - terraform-provider-ciphertrust" +subcategory: "" +description: |- + +--- + +# ciphertrust_gcp_connection (Data Source) + +This data-source retrieves details of a [ciphertrust_gcp_connection](https://registry.terraform.io/providers/ThalesGroup/ciphertrust/latest/docs/resources/gcp_connection) resource. + + +## Schema + +### Required + +- `name` (String) Name of the Google cloud connection. + +### Read-Only + +- `cloud_name` (String) Name of the cloud. +- `description` (String) Description of the Google Cloud connection. +- `id` (String) CipherTrust Google Cloud connection ID. +- `key_rings` (Map of String) A list of keying name:keyring ID pairs managed by the connection. +- `meta` (Map of String) A list of key:value pairs to store with the connection. diff --git a/docs/data-sources/gcp_key.md b/docs/data-sources/gcp_key.md index 84df43f..d1aac65 100644 --- a/docs/data-sources/gcp_key.md +++ b/docs/data-sources/gcp_key.md @@ -16,20 +16,15 @@ It's possible to identify the key using a range of fields. ## Example Usage ```terraform -# Retrieve details using the terraform ID -data "ciphertrust_gcp_key" "by_terraform_id" { - id = ciphertrust_gcp_key.gcp_key.id -} - # Retrieve details using the CipherTrust key ID data "ciphertrust_gcp_key" "by_ciphertrust_id" { - key_id = ciphertrust_gcp_key.gcp_key.key_id + key_id = "6f4134bf-0007-42db-bc0b-e11e5bfbe782" } -# Retrieve details using the key name and the keyring name -data "ciphertrust_gcp_key" "by_multiple_values" { - name = ciphertrust_gcp_key.gcp_key.name - key_ring = ciphertrust_gcp_key.gcp_key.key_ring_name +# Retrieve details using the key name and keyring +data "ciphertrust_gcp_key" "by_keyname_and_keyring" { + name = "key-name" + key_ring = "projects/my-project/locations/my-location/keyRings/my-keyring" } ``` 
@@ -38,10 +33,9 @@ data "ciphertrust_gcp_key" "by_multiple_values" { ### Optional -- `id` (String) Terraform resource ID. Can be used alone to identify the key, all other parameters will be ignored. -- `key_id` (String) CipherTrust key ID. Can be used alone to identify the key, all other parameters will be ignored. +- `key_id` (String) CipherTrust key ID. Can be used alone to identify the key. - `key_ring` (String) Terraform ID of the keyring. -- `keyring_id` (String) Keyring ID, short keyring name. +- `keyring_id` (String) Google cloud keyring ID. - `location_id` (String) Google Cloud location. - `name` (String) Name of the key. - `project_id` (String) Google Cloud project ID. @@ -52,14 +46,16 @@ data "ciphertrust_gcp_key" "by_multiple_values" { - `cloud_name` (String) Cloud name. - `create_status` (String) Key creation status. - `created_at` (String) Date the key was created. +- `id` (String) Terraform datasource ID - `key_labels` (Map of String) A list of key:value pairs to assigned to the key. -- `key_ring_name` (String) Google cloud keyring. +- `key_ring_name` (String) Google cloud keyring name. - `key_versions` (List of Object) Key version details. (see [below for nested schema](#nestedatt--key_versions)) - `labels` (Map of String) A list of key:value pairs associated with the key. - `next_rotation_time` (String) Time when the key will next be rotated by Google Cloud KMS. - `primary` (String) Primary version. - `purpose` (String) Purpose of the key. - `rotation_period` (String) Frequency at which the Google Cloud key will to be rotated by Google Cloud. +- `state` (String) State of the key. - `updated_at` (String) Date the key was last updated. 
@@ -71,7 +67,7 @@ Read-Only: - `is_primary` (Boolean) - `local_key_id` (String) - `local_key_name` (String) -- `public_key` (Set of Object) (see [below for nested schema](#nestedobjatt--key_versions--public_key)) +- `public_key` (List of Object) (see [below for nested schema](#nestedobjatt--key_versions--public_key)) - `version` (Number) - `version_id` (String) - `version_state` (String) diff --git a/docs/data-sources/gcp_keyring.md b/docs/data-sources/gcp_keyring.md index d1b30c6..94fd6cc 100644 --- a/docs/data-sources/gcp_keyring.md +++ b/docs/data-sources/gcp_keyring.md @@ -15,16 +15,16 @@ It's possible to identify the key using a range of fields. ## Schema -### Optional +### Required -- `id` (String) Terraform resource ID. Can be used alone to identify the keyring. - `name` (String) Keyring name. Can be used alone to identify the keyring. ### Read-Only -- `acls` (Set of Object) List of ACLs that have been added to the keyring. (see [below for nested schema](#nestedatt--acls)) +- `acls` (List of Object) List of ACLs that have been added to the keyring. (see [below for nested schema](#nestedatt--acls)) - `gcp_connection` (String) Name of the Google Cloud connection. -- `keyring_id` (String) Keyring ID, short keyring name. +- `id` (String) The ID of this resource. +- `keyring_id` (String) Google cloud keyring ID. - `project_id` (String) Google Cloud project ID. @@ -32,6 +32,6 @@ It's possible to identify the key using a range of fields. Read-Only: -- `actions` (Set of String) +- `actions` (List of String) - `group` (String) - `user_id` (String) diff --git a/docs/resources/password_policy.md b/docs/resources/password_policy.md new file mode 100644 index 0000000..f4bf8ad --- /dev/null +++ b/docs/resources/password_policy.md 
@@ -0,0 +1,50 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "ciphertrust_password_policy Resource - terraform-provider-ciphertrust" +subcategory: "" +description: |- + +--- + +# ciphertrust_password_policy (Resource) +Change the current password policy for all users. Can only be used to by a member of the admin group. Currently, a single policy named 'global' is applied to all users. + + +## Example Usage + +```terraform +resource "ciphertrust_password_policy" "PasswordPolicy"{ + inclusive_min_upper_case = 2 + inclusive_min_lower_case = 2 + inclusive_min_digits = 2 + inclusive_min_other = 2 + inclusive_min_total_length = 10 + inclusive_max_total_length = 50 + password_history_threshold = 10 + failed_logins_lockout_thresholds = [0, 0, 1, 1] + password_lifetime = 20 + password_change_min_days = 100 +} +``` + + +## Schema + +### Optional + +- `failed_logins_lockout_thresholds` (List of Number) List of lockout durations in minutes for failed login attempts. For example, with input of [0, 5, 30], the first failed login attempt with duration of zero will not lockout the user account, the second failed login attempt will lockout the account for 5 minutes, the third and subsequent failed login attempts will lockout for 30 minutes. Set an empty array '[]' to disable the user account lockout.List of lockout durations in minutes for failed login attempts. For example, with input of [0, 5, 30], the first failed login attempt with duration of zero will not lockout the user account, the second failed login attempt will lockout the account for 5 minutes, the third and subsequent failed login attempts will lockout for 30 minutes. Set an empty array '[]' to disable the user account lockout. +- `inclusive_max_total_length` (Number) The maximum length of the password. Value 0 is ignored. +- `inclusive_min_digits` (Number) The minimum number of digits. +- `inclusive_min_lower_case` (Number) The minimum number of lower cases. 
+- `inclusive_min_other` (Number) The minimum number of other characters. +- `inclusive_min_total_length` (Number) The minimum length of the password. Value 0 is ignored. +- `inclusive_min_upper_case` (Number) The minimum number of upper cases. +- `password_change_min_days` (Number) The minimum period in days between password changes. Value 0 is ignored. +- `password_history_threshold` (Number) Determines the number of past passwords a user cannot reuse. Even with value 0, the user will not be able to change their password to the same password. +- `password_lifetime` (Number) The maximum lifetime of the password in days. Value 0 is ignored. + +### Read-Only + +- `id` (String) The ID of this resource. + + diff --git a/docs/resources/policies.md b/docs/resources/policies.md new file mode 100644 index 0000000..b08228f --- /dev/null +++ b/docs/resources/policies.md 
@@ -0,0 +1,56 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "ciphertrust_policies Resource - terraform-provider-ciphertrust" +subcategory: "" +description: |- + +--- + +# ciphertrust_policies (Resource) + + + +## Example Usage + +```terraform +resource "ciphertrust_policies" "policy" { + name = "policyReadKeyOnly" + actions = ["ReadKey"] + allow = true + effect = "allow" + conditions { + path = "context.resource.alg" + op = "equals" + values = ["aes","rsa"] + } +} +``` + + +## Schema + +### Optional + +- `actions` (List of String) Action attribute of an operation is a string, in the form of VerbResource e.g. CreateKey, or VerbWithResource e.g. EncryptWithKey +- `allow` (Boolean) Allow is the effect of the policy, either to allow the actions or to deny the actions. +- `conditions` (Block List) Conditions are rules for matching the other attributes of the operation (see [below for nested schema](#nestedblock--conditions)) +- `effect` (String) Specifies the effect of the policy, either to allow or to deny. +- `include_descendant_accounts` (Boolean) When false, only the resources in the principal's account can be accessed if the policy allows it. +- `name` (String) This is the name of the policy. +- `resources` (List of String) Resources is a list of URI strings, which must be in URI format. + +### Read-Only + +- `id` (String) The ID of this resource. + + +### Nested Schema for `conditions` + +Optional: + +- `negate` (Boolean) +- `op` (String) +- `path` (String) +- `values` (List of String) + + diff --git a/docs/resources/policy_attachments.md b/docs/resources/policy_attachments.md new file mode 100644 index 0000000..0f27201 --- /dev/null +++ b/docs/resources/policy_attachments.md 
@@ -0,0 +1,31 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "ciphertrust_policy_attachments Resource - terraform-provider-ciphertrust" +subcategory: "" +description: |- + +--- + +# ciphertrust_policy_attachments (Resource) + + + + + + +## Schema + +### Required + +- `policy` (String) The ID for the policy to be attached. +- `principal_selector` (String) Selects which principals to apply the policy to. This can also be done using the conditions set while creating a policy. + +### Optional + +- `jurisdiction` (String) Jurisdiction to which the policy applies. + +### Read-Only + +- `id` (String) The ID of this resource. + + diff --git a/docs/resources/user.md b/docs/resources/user.md index 52c633a..7439caa 100644 --- a/docs/resources/user.md +++ b/docs/resources/user.md @@ -8,7 +8,7 @@ description: |- # ciphertrust_user (Resource) -Users are unique individuals or systems using the API. + ## Example Usage 
@@ -33,17 +33,17 @@ resource "ciphertrust_user" "user_admin1" { ### Required -- `password` (String) The user password. +- `password` (String) (Updateable) The user password. - `username` (String) The user name. ### Optional -- `email` (String) E-mail of the user. +- `email` (String) (Updateable) E-mail of the user. - `is_domain_user` (Boolean) This flag can be used to create the user in a non-root domain where user management is allowed. -- `name` (String) Full name of the user. -- `password_change_required` (Boolean) Password change required flag. If set to true, user will be required to change their password on next successful login. -- `prevent_ui_login` (Boolean) If true, user is not allowed to login from Web UI. Default - false -- `user_metadata` (Map of String) User meta data +- `name` (String) (Updateable) Full name of the user. +- `password_change_required` (Boolean) (Updateable) Password change required flag. If set to true, user will be required to change their password on next successful login. +- `prevent_ui_login` (Boolean) (Updateable) If true, user is not allowed to login from Web UI. Default - false +- `user_metadata` (Map of String) (Updateable) User meta data ### Read-Only diff --git a/examples/data-sources/ciphertrust_aws_account_details/data-source.tf b/examples/data-sources/ciphertrust_aws_account_details/data-source.tf index c1942fd..89a147a 100644 --- a/examples/data-sources/ciphertrust_aws_account_details/data-source.tf +++ b/examples/data-sources/ciphertrust_aws_account_details/data-source.tf 
@@ -5,10 +5,12 @@ resource "ciphertrust_aws_connection" "aws_connection" { secret_access_key = "secret-access-key" } +# Use the connection ID to retrieve account details data "ciphertrust_aws_account_details" "account_details" { aws_connection = ciphertrust_aws_connection.aws_connection.id } +# Use the account details datasource elements to create a KMS resource resource "ciphertrust_aws_kms" "kms" { account_id = data.ciphertrust_aws_account_details.account_details.account_id aws_connection = ciphertrust_aws_connection.aws_connection.id diff --git a/examples/data-sources/ciphertrust_aws_key/data-source.tf b/examples/data-sources/ciphertrust_aws_key/data-source.tf index 49a576c..f935bf9 100644 --- a/examples/data-sources/ciphertrust_aws_key/data-source.tf +++ b/examples/data-sources/ciphertrust_aws_key/data-source.tf @@ -1,20 +1,20 @@ -# Retrieve details using the terraform resource ID +# Retrieve details using a terraform resource ID data "ciphertrust_aws_key" "by_resource_id" { - id = ciphertrust_aws_key.aws_key.id + id = "ap-south-2\\6fe5ebd3-8f02-4870-ba35-b433f9e0ea7c" } -# Retrieve details using the CipherTrust key ID +# Retrieve details using a CipherTrust key ID data "ciphertrust_aws_key" "by_key_id" { - key_id = ciphertrust_aws_key.aws_key.key_id + key_id = "77b4acd3-80e4-4270-81b5-11bb13b8053a" } -# Retrieve details using the AWS key ARN +# Retrieve details using an AWS key ARN data "ciphertrust_aws_key" "by_arn" { - arn = ciphertrust_aws_key.aws_key.arn + arn = "arn:aws:kms:ap-south-2:999999999999:key/6abfe573-4506-4ce4-8672-3af42f552d42" } -# Retrieve details using the alias and a region +# Retrieve details using the alias and a region of a key data "ciphertrust_aws_key" "by_alias_and_region" { - alias = ["key_name"] + alias = ["key-name"] region = "region" } diff --git a/examples/data-sources/ciphertrust_azure_connection/data-source.tf b/examples/data-sources/ciphertrust_azure_connection/data-source.tf index 2e0aff4..24aeddc 100644 
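Review bot: In the ciphertrust_aws_key example, `id = "ap-south-2\\6fe5ebd3-8f02-4870-ba35-b433f9e0ea7c"` is the only place the Terraform resource ID format (region, a backslash, the key UUID) is shown, and the doubled backslash — the HCL escape for one literal backslash — goes unexplained; a comment such as `# Terraform resource ID is <region>\<aws-key-uuid>` above `data "ciphertrust_aws_key" "by_resource_id"` would make the value understandable. In the last block `region = "region"` is the one placeholder among otherwise concrete sample values; `region = "ap-south-2"` would match the region used in the ID and ARN above it.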
--- a/examples/data-sources/ciphertrust_azure_connection/data-source.tf +++ b/examples/data-sources/ciphertrust_azure_connection/data-source.tf @@ -1,18 +1,3 @@ -# Create an Azure connection -resource "ciphertrust_azure_connection" "azure_connection" { - name = "connection-name" - client_id = "azure-client-id" - client_secret = "azure-client-secret" - tenant_id = "azure-tenant-id" -} - -# Add a vault -resource "ciphertrust_azure_vault" "azure_vault" { - azure_connection = ciphertrust_azure_connection.azure_connection.name - subscription_id = "azure-subscription-id" - name = "azure-vault-name" -} - # Get the Azure connection details including the vaults data "ciphertrust_azure_connection" "connection_details" { azure_connection = "connection-name" diff --git a/examples/data-sources/ciphertrust_azure_key/data-source.tf b/examples/data-sources/ciphertrust_azure_key/data-source.tf index 4afc7b2..6b1e7a2 100644 --- a/examples/data-sources/ciphertrust_azure_key/data-source.tf +++ b/examples/data-sources/ciphertrust_azure_key/data-source.tf @@ -1,15 +1,10 @@ -# Retrieve details using the Terraform resource ID -data "ciphertrust_azure_key" "by_resource_id" { - id = ciphertrust_azure_key.azure_key.id -} - # Retrieve details using the Azure key ID data "ciphertrust_azure_key" "by_azure_key_id" { - azure_key_id = ciphertrust_azure_key.azure_key.azure_key_id + azure_key_id = "kid" } # Retrieve details using the key name and vault data "ciphertrust_azure_key" "by_name_and_vault" { - name = ciphertrust_azure_key.azure_key.name - key_vault = format("%s::%s", "vault_name", "subscription") + name = "key-name" + key_vault = "vault-name::subscription-id" } diff --git a/examples/data-sources/ciphertrust_gcp_connection/data_source.tf b/examples/data-sources/ciphertrust_gcp_connection/data_source.tf new file mode 100644 index 0000000..ae843a6 --- /dev/null +++ b/examples/data-sources/ciphertrust_gcp_connection/data_source.tf 
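Review bot: In the ciphertrust_azure_key example, `azure_key_id = "kid"` replaces the earlier attribute reference with a placeholder that gives no hint of the expected value. Azure Key Vault key identifiers are normally URLs of the form `https://<vault>.vault.azure.net/keys/<key-name>/<version>`, so either a value of that shape or a comment `# azure_key_id is the Azure Key Vault key identifier URL` would make the example usable; this should be confirmed against what the data source actually accepts before wording the comment.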
@@ -0,0 +1,4 @@ +# Get the GCP connection data using the connection name +data "ciphertrust_gcp_connection" "by_connection_name" { + name = "connection-name" +} diff --git a/examples/data-sources/ciphertrust_gcp_key/data-source.tf b/examples/data-sources/ciphertrust_gcp_key/data-source.tf index 3f5fcc9..75f427e 100644 --- a/examples/data-sources/ciphertrust_gcp_key/data-source.tf +++ b/examples/data-sources/ciphertrust_gcp_key/data-source.tf @@ -1,15 +1,10 @@ -# Retrieve details using the terraform ID -data "ciphertrust_gcp_key" "by_terraform_id" { - id = ciphertrust_gcp_key.gcp_key.id -} - # Retrieve details using the CipherTrust key ID data "ciphertrust_gcp_key" "by_ciphertrust_id" { - key_id = ciphertrust_gcp_key.gcp_key.key_id + key_id = "6f4134bf-0007-42db-bc0b-e11e5bfbe782" } -# Retrieve details using the key name and the keyring name -data "ciphertrust_gcp_key" "by_multiple_values" { - name = ciphertrust_gcp_key.gcp_key.name - key_ring = ciphertrust_gcp_key.gcp_key.key_ring_name +# Retrieve details using the key name and keyring +data "ciphertrust_gcp_key" "by_keyname_and_keyring" { + name = "key-name" + key_ring = "projects/my-project/locations/my-location/keyRings/my-keyring" } diff --git a/examples/data-sources/ciphertrust_gcp_keyring/data_source.tf b/examples/data-sources/ciphertrust_gcp_keyring/data_source.tf index a409b0e..fd1ab7f 100644 --- a/examples/data-sources/ciphertrust_gcp_keyring/data_source.tf +++ b/examples/data-sources/ciphertrust_gcp_keyring/data_source.tf @@ -1,9 +1,4 @@ -# Get the GCP keyring data using the Terraform resource id -data "ciphertrust_gcp_keyring" "by_terraform_id" { - id = ciphertrust_gcp_keyring.gcp_keyring.id -} - # Get the GCP keyring data using the keyring name data "ciphertrust_gcp_keyring" "by_keyring_name" { - name = ciphertrust_gcp_keyring.gcp_keyring.name + name = "projects/my-project/locations/my-location/keyRings/keyring" } 
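Review bot: In the ciphertrust_gcp_key example, `key_ring = "projects/my-project/locations/my-location/keyRings/my-keyring"` passes the full Google Cloud keyring resource name, whereas the schema text in this same commit describes `key_ring` as "Terraform ID of the keyring"; the two should agree so readers know which value is accepted. If the resource name is indeed what the data source expects, a comment `# key_ring takes the keyring's full resource name (projects/…/keyRings/…)` on the example, or a corrected schema description, would close the gap. The ciphertrust_gcp_keyring example on the same line uses the same resource-name form for `name`, which suggests the schema wording is the part that is off.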
diff --git a/examples/provider/provider.tf b/examples/provider/provider.tf
index b203752..046b8d2 100644
--- a/examples/provider/provider.tf
+++ b/examples/provider/provider.tf
@@ -1,5 +1,5 @@
 provider "ciphertrust" {
- address = "https://34.207.194.87"
+ address = "https://ip_or_hostname_of_cm"
 username = "username"
 password = "password"
 domain = "domain"
diff --git a/examples/resources/ciphertrust_password_policy/resource.tf b/examples/resources/ciphertrust_password_policy/resource.tf
new file mode 100644
index 0000000..3ec26a6
--- /dev/null
+++ b/examples/resources/ciphertrust_password_policy/resource.tf
@@ -0,0 +1,12 @@
+resource "ciphertrust_password_policy" "PasswordPolicy"{
+ inclusive_min_upper_case = 2
+ inclusive_min_lower_case = 2
+ inclusive_min_digits = 2
+ inclusive_min_other = 2
+ inclusive_min_total_length = 10
+ inclusive_max_total_length = 50
+ password_history_threshold = 10
+ failed_logins_lockout_thresholds = [0, 0, 1, 1]
+ password_lifetime = 20
+ password_change_min_days = 100
+}
diff --git a/examples/resources/ciphertrust_policies/resource.tf b/examples/resources/ciphertrust_policies/resource.tf
new file mode 100644
index 0000000..9124499
--- /dev/null
+++ b/examples/resources/ciphertrust_policies/resource.tf
@@ -0,0 +1,11 @@
+resource "ciphertrust_policies" "policy" {
+ name = "policyReadKeyOnly"
+ actions = ["ReadKey"]
+ allow = true
+ effect = "allow"
+ conditions {
+ path = "context.resource.alg"
+ op = "equals"
+ values = ["aes","rsa"]
+ }
+}
\ No newline at end of file
diff --git a/examples/resources/ciphertrust_policy_attachment/resource.tf b/examples/resources/ciphertrust_policy_attachment/resource.tf
new file mode 100644
index 0000000..7d68459
--- /dev/null
+++ b/examples/resources/ciphertrust_policy_attachment/resource.tf
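Review bot: `password = "password"` on the context line just below the changed `address` keeps a credential literal in the provider example, and users copy provider blocks verbatim into real configurations; the new address placeholder does nothing about that. The example could read `password = var.cm_password` with a `variable "cm_password" { type = string; sensitive = true }` declared alongside, so the secret is supplied at apply time instead of being committed with the `.tf`. The provider block's closing brace is outside the hunk.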
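Review bot: In the ciphertrust_password_policy example, `password_change_min_days = 100` together with `password_lifetime = 20` is self-contradictory: by the schema descriptions in this commit the password expires after 20 days but may not be changed until 100 days have passed, so anyone applying this sample as-is gets users stuck with an expired password they cannot change. A minimum below the lifetime, e.g. `password_change_min_days = 1`, makes the example consistent. `failed_logins_lockout_thresholds = [0, 0, 1, 1]` (two free attempts, then one-minute lockouts) is also a weaker illustration than the `[0, 5, 30]` progression the schema text itself uses as its example.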
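Review bot: In the ciphertrust_policies example, `allow = true` and `effect = "allow"` are both set although the schema in this commit documents each as the policy's effect, which leaves readers unsure which one is authoritative or what happens when they disagree. Either drop the redundant attribute or add a comment above them stating which of the two CipherTrust Manager evaluates, once that is confirmed. The file also ends without a trailing newline (`\ No newline at end of file`), as does the ciphertrust_policy_attachment example in the next hunk.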
@@ -0,0 +1,8 @@
+resource "ciphertrust_policy_attachments" "policyattachment" {
+ policy = ciphertrust_policies.policy.id
+ principal_selector = <<-EOT
+ {
+ "groups" : ["admin"]
+ }
+ EOT
+}
\ No newline at end of file
diff --git a/sample-scripts/aws-keys/create-native/ec/main.tf b/sample-scripts/aws-keys/create-native/ec/main.tf
index 98e47cd..b3180c5 100644
--- a/sample-scripts/aws-keys/create-native/ec/main.tf
+++ b/sample-scripts/aws-keys/create-native/ec/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
diff --git a/sample-scripts/aws-keys/create-native/rsa/main.tf b/sample-scripts/aws-keys/create-native/rsa/main.tf
index 8987ce4..18d8251 100644
--- a/sample-scripts/aws-keys/create-native/rsa/main.tf
+++ b/sample-scripts/aws-keys/create-native/rsa/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
diff --git a/sample-scripts/aws-keys/create-native/symmetric/main.tf b/sample-scripts/aws-keys/create-native/symmetric/main.tf
index fdb6e64..3b67461 100644
--- a/sample-scripts/aws-keys/create-native/symmetric/main.tf
+++ b/sample-scripts/aws-keys/create-native/symmetric/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
diff --git a/sample-scripts/aws-keys/import/ciphertrust/main.tf b/sample-scripts/aws-keys/import/ciphertrust/main.tf
index 60ae57d..38941aa 100644
--- a/sample-scripts/aws-keys/import/ciphertrust/main.tf
+++ b/sample-scripts/aws-keys/import/ciphertrust/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
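Review bot: The `principal_selector` in the new `ciphertrust_policy_attachments` example is a hand-written JSON heredoc that attaches the policy to the built-in `admin` group; attaching a ReadKey-only policy to administrators is a confusing illustration of a restrictive policy, and hand-typed JSON is easy to get wrong without any validation from Terraform. Suggest `principal_selector = jsonencode({ groups = ["<non-admin-group>"] })`, naming the group the policy is actually meant to constrain, so the structure is validated at plan time and the example demonstrates least privilege. The file also ends without a trailing newline (`\ No newline at end of file`).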
diff --git a/sample-scripts/aws-keys/import/dsm/main.tf b/sample-scripts/aws-keys/import/dsm/main.tf index 60fe4f8..6038f89 100644 --- a/sample-scripts/aws-keys/import/dsm/main.tf +++ b/sample-scripts/aws-keys/import/dsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/import/hsm-luna/main.tf b/sample-scripts/aws-keys/import/hsm-luna/main.tf index f5e5452..a28b582 100644 --- a/sample-scripts/aws-keys/import/hsm-luna/main.tf +++ b/sample-scripts/aws-keys/import/hsm-luna/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/key-rotation/ciphertrust/main.tf b/sample-scripts/aws-keys/key-rotation/ciphertrust/main.tf index 2c09afe..2bc85a2 100644 --- a/sample-scripts/aws-keys/key-rotation/ciphertrust/main.tf +++ b/sample-scripts/aws-keys/key-rotation/ciphertrust/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/key-rotation/dsm/main.tf b/sample-scripts/aws-keys/key-rotation/dsm/main.tf index c76319a..3915021 100644 --- a/sample-scripts/aws-keys/key-rotation/dsm/main.tf +++ b/sample-scripts/aws-keys/key-rotation/dsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/key-rotation/hsm-luna/main.tf b/sample-scripts/aws-keys/key-rotation/hsm-luna/main.tf index d806131..29a3010 100644 --- a/sample-scripts/aws-keys/key-rotation/hsm-luna/main.tf +++ b/sample-scripts/aws-keys/key-rotation/hsm-luna/main.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/key-synchronization/main.tf b/sample-scripts/aws-keys/key-synchronization/main.tf index 5525189..cadbb74 100644 --- a/sample-scripts/aws-keys/key-synchronization/main.tf +++ b/sample-scripts/aws-keys/key-synchronization/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/policy-templates/main.tf b/sample-scripts/aws-keys/policy-templates/main.tf index 0c40e5e..2f96d01 100644 --- a/sample-scripts/aws-keys/policy-templates/main.tf +++ b/sample-scripts/aws-keys/policy-templates/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/upload/ciphertrust/main.tf b/sample-scripts/aws-keys/upload/ciphertrust/main.tf index 91af03c..34700f5 100644 --- a/sample-scripts/aws-keys/upload/ciphertrust/main.tf +++ b/sample-scripts/aws-keys/upload/ciphertrust/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/upload/dsm/main.tf b/sample-scripts/aws-keys/upload/dsm/main.tf index 37bb80b..b34638a 100644 --- a/sample-scripts/aws-keys/upload/dsm/main.tf +++ b/sample-scripts/aws-keys/upload/dsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/aws-keys/upload/hsm-luna/main.tf b/sample-scripts/aws-keys/upload/hsm-luna/main.tf index e0eb840..fc77b05 100644 --- a/sample-scripts/aws-keys/upload/hsm-luna/main.tf 
+++ b/sample-scripts/aws-keys/upload/hsm-luna/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/create-native/ec/main.tf b/sample-scripts/azure-keys/create-native/ec/main.tf index f186e9d..2bf6901 100644 --- a/sample-scripts/azure-keys/create-native/ec/main.tf +++ b/sample-scripts/azure-keys/create-native/ec/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/create-native/hsm/main.tf b/sample-scripts/azure-keys/create-native/hsm/main.tf index 31bf8f8..92bb39b 100644 --- a/sample-scripts/azure-keys/create-native/hsm/main.tf +++ b/sample-scripts/azure-keys/create-native/hsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/create-native/rsa/main.tf b/sample-scripts/azure-keys/create-native/rsa/main.tf index 711c6cf..1ad0bd4 100644 --- a/sample-scripts/azure-keys/create-native/rsa/main.tf +++ b/sample-scripts/azure-keys/create-native/rsa/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/key-rotation/ciphertrust/main.tf b/sample-scripts/azure-keys/key-rotation/ciphertrust/main.tf index 12a2379..16e4544 100644 --- a/sample-scripts/azure-keys/key-rotation/ciphertrust/main.tf +++ b/sample-scripts/azure-keys/key-rotation/ciphertrust/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } 
diff --git a/sample-scripts/azure-keys/key-rotation/dsm/main.tf b/sample-scripts/azure-keys/key-rotation/dsm/main.tf index 066cf5b..0673b43 100644 --- a/sample-scripts/azure-keys/key-rotation/dsm/main.tf +++ b/sample-scripts/azure-keys/key-rotation/dsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/key-rotation/hsm-luna/main.tf b/sample-scripts/azure-keys/key-rotation/hsm-luna/main.tf index 82f1731..b4f732e 100644 --- a/sample-scripts/azure-keys/key-rotation/hsm-luna/main.tf +++ b/sample-scripts/azure-keys/key-rotation/hsm-luna/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/key-rotation/native/main.tf b/sample-scripts/azure-keys/key-rotation/native/main.tf index 5b24fc9..481824a 100644 --- a/sample-scripts/azure-keys/key-rotation/native/main.tf +++ b/sample-scripts/azure-keys/key-rotation/native/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/key-synchronization/main.tf b/sample-scripts/azure-keys/key-synchronization/main.tf index c6e1cc8..ef796fd 100644 --- a/sample-scripts/azure-keys/key-synchronization/main.tf +++ b/sample-scripts/azure-keys/key-synchronization/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/upload/ciphertrust/main.tf b/sample-scripts/azure-keys/upload/ciphertrust/main.tf index 156e05f..bffd3d9 100644 --- a/sample-scripts/azure-keys/upload/ciphertrust/main.tf +++ b/sample-scripts/azure-keys/upload/ciphertrust/main.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/upload/dsm/main.tf b/sample-scripts/azure-keys/upload/dsm/main.tf index 785b43d..4017ccb 100644 --- a/sample-scripts/azure-keys/upload/dsm/main.tf +++ b/sample-scripts/azure-keys/upload/dsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/upload/hsm-luna/main.tf b/sample-scripts/azure-keys/upload/hsm-luna/main.tf index 7e12321..6d3f27a 100644 --- a/sample-scripts/azure-keys/upload/hsm-luna/main.tf +++ b/sample-scripts/azure-keys/upload/hsm-luna/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/azure-keys/upload/pfx/main.tf b/sample-scripts/azure-keys/upload/pfx/main.tf index 341b2b4..6f2fed7 100644 --- a/sample-scripts/azure-keys/upload/pfx/main.tf +++ b/sample-scripts/azure-keys/upload/pfx/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/connections/aws/main.tf b/sample-scripts/connections/aws/main.tf index 4137d55..cd8ba41 100644 --- a/sample-scripts/connections/aws/main.tf +++ b/sample-scripts/connections/aws/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/connections/azure/main.tf b/sample-scripts/connections/azure/main.tf index 1078bfe..54bdef8 100644 --- a/sample-scripts/connections/azure/main.tf +++ b/sample-scripts/connections/azure/main.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/connections/dsm/main.tf b/sample-scripts/connections/dsm/main.tf index 9208bba..813961c 100644 --- a/sample-scripts/connections/dsm/main.tf +++ b/sample-scripts/connections/dsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/connections/google/main.tf b/sample-scripts/connections/google/main.tf index c81deef..b869650 100644 --- a/sample-scripts/connections/google/main.tf +++ b/sample-scripts/connections/google/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/connections/luna-hsm/main.tf b/sample-scripts/connections/luna-hsm/main.tf index 291ee9a..cae2baa 100644 --- a/sample-scripts/connections/luna-hsm/main.tf +++ b/sample-scripts/connections/luna-hsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/data-sources/aws-key/main.tf b/sample-scripts/data-sources/aws-key/main.tf index f3ae600..c8e57a9 100644 --- a/sample-scripts/data-sources/aws-key/main.tf +++ b/sample-scripts/data-sources/aws-key/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/data-sources/azure-connection/main.tf b/sample-scripts/data-sources/azure-connection/main.tf index 902f754..955d0c0 100644 --- a/sample-scripts/data-sources/azure-connection/main.tf +++ b/sample-scripts/data-sources/azure-connection/main.tf 
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
diff --git a/sample-scripts/data-sources/azure-key/main.tf b/sample-scripts/data-sources/azure-key/main.tf
index 28235b7..d62ea5c 100644
--- a/sample-scripts/data-sources/azure-key/main.tf
+++ b/sample-scripts/data-sources/azure-key/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
@@ -34,14 +34,6 @@ resource "ciphertrust_azure_vault" "azure_vault" {
 subscription_id = data.ciphertrust_azure_account_details.subscriptions.subscription_id
 name = var.vault_name
 }
-
-# Add another vault
-resource "ciphertrust_azure_vault" "azure_premium_vault" {
- azure_connection = ciphertrust_azure_connection.azure_connection.name
- subscription_id = data.ciphertrust_azure_account_details.subscriptions.subscription_id
- name = var.premium_vault_name
-}
-
 # Create an Azure key in the first vault
 resource "ciphertrust_azure_key" "azure_key" {
 name = local.key_name
@@ -51,23 +43,6 @@ output "azure_key" {
 value = ciphertrust_azure_key.azure_key.id
 }
 
-# Create an Azure key in the second vault
-resource "ciphertrust_azure_key" "azure_premium_key" {
- name = local.key_name
- vault = ciphertrust_azure_vault.azure_premium_vault.id
-}
-output "azure_premium_key" {
- value = ciphertrust_azure_key.azure_premium_key.id
-}
-
-# Get the key using the Terraform resource ID
-data "ciphertrust_azure_key" "key_from_terraform_id" {
- id = ciphertrust_azure_key.azure_key.id
-}
-output "key_from_id" {
- value = data.ciphertrust_azure_key.key_from_terraform_id.id
-}
-
 # Get the key using the Azure key ID
 data "ciphertrust_azure_key" "key_from_azure_key_id" {
 azure_key_id = ciphertrust_azure_key.azure_key.azure_key_id
diff --git a/sample-scripts/data-sources/google-connection/gcp_vars.tf b/sample-scripts/data-sources/google-connection/gcp_vars.tf
new file mode 100644
index 0000000..227f51d
--- /dev/null
+++ b/sample-scripts/data-sources/google-connection/gcp_vars.tf
@@ -0,0 +1,15 @@
+variable "gcp_key_file" {
+ type = string
+ default = "gcp-key-file-path"
+}
+
+variable "gcp_project" {
+ type = string
+ default = "gcp-project"
+}
+
+variable "keyring" {
+ type = string
+ default = "gcp-keyring"
+}
+
diff --git a/sample-scripts/data-sources/google-connection/main.tf b/sample-scripts/data-sources/google-connection/main.tf
new file mode 100644
index 0000000..f2c07d7
--- /dev/null
+++ b/sample-scripts/data-sources/google-connection/main.tf
@@ -0,0 +1,41 @@
+terraform {
+ required_providers {
+ ciphertrust = {
+ source = "ThalesGroup/ciphertrust"
+ version = "0.9.0-beta9"
+ }
+ }
+}
+
+provider "ciphertrust" {}
+
+resource "random_id" "random" {
+ byte_length = 8
+}
+
+locals {
+ connection_name = "google-connection-${lower(random_id.random.hex)}"
+}
+
+# Create a GCP connection
+resource "ciphertrust_gcp_connection" "connection" {
+ description = "Description of the Google Cloud connection"
+ key_file = var.gcp_key_file
+ meta = { key = "value" }
+ name = local.connection_name
+}
+
+# Add a GCP key ring
+resource "ciphertrust_gcp_keyring" "gcp_keyring" {
+ gcp_connection = ciphertrust_gcp_connection.connection.name
+ name = var.keyring
+ project_id = var.gcp_project
+}
+
+# Get the GCP connection data using the connection name
+data "ciphertrust_gcp_connection" "connection_data" {
+ name = ciphertrust_gcp_connection.connection.name
+}
+output "gcp_connection_data" {
+ value = data.ciphertrust_gcp_connection.connection_data
+}
diff --git a/sample-scripts/data-sources/google-key/main.tf b/sample-scripts/data-sources/google-key/main.tf
index 9732137..81f1b6d 100644
--- a/sample-scripts/data-sources/google-key/main.tf
+++ b/sample-scripts/data-sources/google-key/main.tf
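Review bot: `output "gcp_connection_data"` in the new google-connection `main.tf` exports the entire `data.ciphertrust_gcp_connection.connection_data` object, so every attribute the data source returns is printed on each `terraform apply` and persisted in state; if any of those attributes is derived from the service-account key supplied through `key_file`, the sample leaks it into console logs and CI output. Safer to export only what the example demonstrates, e.g. `value = data.ciphertrust_gcp_connection.connection_data.id`, or to add `sensitive = true` to the output. Which attributes the data source exposes is not visible in this diff, so please confirm against the provider schema before deciding which of the two fixes is enough.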
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
@@ -34,7 +34,7 @@ resource "ciphertrust_gcp_keyring" "keyring" {
 project_id = var.gcp_project
 }
 
-# Create a Google Key
+# Create a Google cloud Key
 resource "ciphertrust_gcp_key" "gcp_key" {
 algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION"
 key_ring = ciphertrust_gcp_keyring.keyring.id
@@ -46,28 +46,21 @@ output "gcp_key" {
 value = ciphertrust_gcp_key.gcp_key.id
 }
 
-# Get the key from the Terraform ID
-data "ciphertrust_gcp_key" "key_from_terraform_id" {
- id = ciphertrust_gcp_key.gcp_key.id
-}
-output "key_from_terraform_id" {
- value = data.ciphertrust_gcp_key.key_from_terraform_id.id
-}
-
 # Get the key from the CipherTrust key ID
 data "ciphertrust_gcp_key" "key_from_ciphertrust_id" {
 key_id = ciphertrust_gcp_key.gcp_key.key_id
 }
 output "key_from_ciphertrust_id" {
- value = data.ciphertrust_gcp_key.key_from_ciphertrust_id.id
+ value = data.ciphertrust_gcp_key.key_from_ciphertrust_id
 }
 
-# Get the key from key name and keyring name
-data "ciphertrust_gcp_key" "key_from_key_name_and_keyring" {
- depends_on = [ciphertrust_gcp_key.gcp_key]
- name = local.key_name
- key_ring = var.keyring
+# Get the GCP key data using key name and other values uniquely identify the key
+data "ciphertrust_gcp_key" "gcp_key_data_using_multiple_values" {
+ name = ciphertrust_gcp_key.gcp_key.name
+ key_ring = ciphertrust_gcp_keyring.keyring.id
+ project_id = var.gcp_project
+ location_id = "global"
 }
-output "key_from_key_name_and_keyring" {
- value = data.ciphertrust_gcp_key.key_from_key_name_and_keyring.id
+output "gcp_key_data_using_multiple_values" {
+ value = data.ciphertrust_gcp_key.gcp_key_data_using_multiple_values
 }
diff --git a/sample-scripts/data-sources/google-keyring/main.tf b/sample-scripts/data-sources/google-keyring/main.tf
index 5219117..c49d80c 100644
--- a/sample-scripts/data-sources/google-keyring/main.tf
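Review bot: In the new `gcp_key_data_using_multiple_values` data source, `location_id = "global"` is hard-coded while the key ring is identified dynamically through `ciphertrust_gcp_keyring.keyring.id` and `var.gcp_project`; if the key ring named by `var.keyring` lives in a regional location, this lookup will not match the key the script just created and the sample fails at apply time. Derive the location from the keyring resource if the provider exposes it (e.g. `location_id = ciphertrust_gcp_keyring.keyring.location_id`), or introduce a `gcp_location` variable next to `gcp_project`; which attributes the resource exports is not visible here, so please check the schema. The two outputs now export whole data-source objects rather than `.id`, which is acceptable for a demo but prints and stores every attribute, so a comment saying that is deliberate would help readers who copy the pattern.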
+++ b/sample-scripts/data-sources/google-keyring/main.tf
@@ -2,11 +2,13 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
 
+provider "ciphertrust" {}
+
 resource "random_id" "random" {
 byte_length = 8
 }
@@ -15,10 +17,9 @@ locals {
 connection_name = "google-connection-${lower(random_id.random.hex)}"
 key_name = "google-keyring-datasource-${lower(random_id.random.hex)}"
 user_name = "google-keyring-datasource-user-${lower(random_id.random.hex)}"
+ user_password = "password"
 }
 
-provider "ciphertrust" {}
-
 # Create a GCP connection
 resource "ciphertrust_gcp_connection" "connection" {
 description = "Description of the Google Cloud connection"
@@ -37,7 +38,7 @@ resource "ciphertrust_gcp_keyring" "gcp_keyring" {
 # Create a CipherTrust user
 resource "ciphertrust_user" "gcp_user" {
 username = local.user_name
- password = "Temp12345#"
+ password = local.user_password
 }
 
 # Add some ACLs for that user
@@ -47,24 +48,13 @@ resource "ciphertrust_gcp_acl" "gcp_user_acls" {
 actions = ["view", "keycreate", "keyupload", "keyupdate", "keydestroy", "keysynchronize", "keycanceldestroy"]
 }
 
-# Get the GCP keyring data using the Terraform resource id
-data "ciphertrust_gcp_keyring" "gcp_keyring_data_using_terraform_id" {
- id = ciphertrust_gcp_keyring.gcp_keyring.id
- depends_on = [
- ciphertrust_gcp_acl.gcp_user_acls
- ]
-}
-output "gcp_keyring_data_using_terraform_id" {
- value = data.ciphertrust_gcp_keyring.gcp_keyring_data_using_terraform_id
-}
-
 # Get the GCP keyring data using the keyring name
-data "ciphertrust_gcp_keyring" "gcp_keyring_data_using_keyring_name" {
+data "ciphertrust_gcp_keyring" "gcp_keyring_data" {
 name = ciphertrust_gcp_keyring.gcp_keyring.name
 depends_on = [
 ciphertrust_gcp_acl.gcp_user_acls
 ]
 }
 output "gcp_keyring_data_using_keyring_name" {
- value = data.ciphertrust_gcp_keyring.gcp_keyring_data_using_keyring_name
+ value = data.ciphertrust_gcp_keyring.gcp_keyring_data
 }
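Review bot: The `locals` hunk replaces the literal `"Temp12345#"` with `user_password = "password"`, which is a weaker dictionary-word value that still hard-codes a credential in a sample file, and which would be rejected outright by a policy like the `ciphertrust_password_policy` example added in this same commit (minimum two upper-case, two digits and two other characters). Prefer a `variable "user_password"` declared with `type = string` and `sensitive = true` and no default, referenced as `password = var.user_password`, or generate the value with a `random_password` resource alongside the `random_id` the file already uses. If a literal must remain so the demo runs unattended, keep one that satisfies the target CipherTrust Manager's password policy and mark it `# demo-only credential, change before use`. The `locals` block's opening line is outside the hunk.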
diff --git a/sample-scripts/google-ekm-endpoints/main.tf b/sample-scripts/google-ekm-endpoints/main.tf index 8998c1b..1dc9ebd 100644 --- a/sample-scripts/google-ekm-endpoints/main.tf +++ b/sample-scripts/google-ekm-endpoints/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "thales.com/terraform/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keyring-acls/groups/main.tf b/sample-scripts/google-keyring-acls/groups/main.tf index 5cb27c1..18d58ca 100644 --- a/sample-scripts/google-keyring-acls/groups/main.tf +++ b/sample-scripts/google-keyring-acls/groups/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keyring-acls/users/main.tf b/sample-scripts/google-keyring-acls/users/main.tf index 0ee8897..cc79f33 100644 --- a/sample-scripts/google-keyring-acls/users/main.tf +++ b/sample-scripts/google-keyring-acls/users/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } @@ -45,9 +45,8 @@ resource "ciphertrust_groups" "cckm_users" { ] } -# Add an acl for the user +# Add ACLs for the user resource "ciphertrust_gcp_acl" "user_acls" { - # Add some acls for user keyring_id = ciphertrust_gcp_keyring.keyring.id user_id = ciphertrust_user.user.id actions = ["keycreate", "keydestroy", "view"] diff --git a/sample-scripts/google-keys/add-versions/ciphertrust/asymmetric/main.tf b/sample-scripts/google-keys/add-versions/ciphertrust/asymmetric/main.tf index 57d77fa..53cf6e0 100644 --- a/sample-scripts/google-keys/add-versions/ciphertrust/asymmetric/main.tf +++ b/sample-scripts/google-keys/add-versions/ciphertrust/asymmetric/main.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/add-versions/ciphertrust/symmetric/main.tf b/sample-scripts/google-keys/add-versions/ciphertrust/symmetric/main.tf index 42976e0..ee66977 100644 --- a/sample-scripts/google-keys/add-versions/ciphertrust/symmetric/main.tf +++ b/sample-scripts/google-keys/add-versions/ciphertrust/symmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/add-versions/dsm/asymmetric/main.tf b/sample-scripts/google-keys/add-versions/dsm/asymmetric/main.tf index 7c6be1e..ba0883d 100644 --- a/sample-scripts/google-keys/add-versions/dsm/asymmetric/main.tf +++ b/sample-scripts/google-keys/add-versions/dsm/asymmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/add-versions/dsm/symmetric/main.tf b/sample-scripts/google-keys/add-versions/dsm/symmetric/main.tf index d614bc8..14c1043 100644 --- a/sample-scripts/google-keys/add-versions/dsm/symmetric/main.tf +++ b/sample-scripts/google-keys/add-versions/dsm/symmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/add-versions/hsm-luna/asymmetric/main.tf b/sample-scripts/google-keys/add-versions/hsm-luna/asymmetric/main.tf index f4d3eff..1541119 100644 --- a/sample-scripts/google-keys/add-versions/hsm-luna/asymmetric/main.tf +++ b/sample-scripts/google-keys/add-versions/hsm-luna/asymmetric/main.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/add-versions/native/asymmetric/main.tf b/sample-scripts/google-keys/add-versions/native/asymmetric/main.tf index 4d3c78e..4b66c60 100644 --- a/sample-scripts/google-keys/add-versions/native/asymmetric/main.tf +++ b/sample-scripts/google-keys/add-versions/native/asymmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/add-versions/native/symmetric/main.tf b/sample-scripts/google-keys/add-versions/native/symmetric/main.tf index 629843a..298da54 100644 --- a/sample-scripts/google-keys/add-versions/native/symmetric/main.tf +++ b/sample-scripts/google-keys/add-versions/native/symmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/create-native/asymmetric/main.tf b/sample-scripts/google-keys/create-native/asymmetric/main.tf index 4f4831b..f32ede7 100644 --- a/sample-scripts/google-keys/create-native/asymmetric/main.tf +++ b/sample-scripts/google-keys/create-native/asymmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/create-native/symmetric/main.tf b/sample-scripts/google-keys/create-native/symmetric/main.tf index 99657fc..76cdbbb 100644 --- a/sample-scripts/google-keys/create-native/symmetric/main.tf +++ b/sample-scripts/google-keys/create-native/symmetric/main.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/key-rotation/ciphertrust/main.tf b/sample-scripts/google-keys/key-rotation/ciphertrust/main.tf index 075c41c..1331453 100644 --- a/sample-scripts/google-keys/key-rotation/ciphertrust/main.tf +++ b/sample-scripts/google-keys/key-rotation/ciphertrust/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/key-rotation/dsm/main.tf b/sample-scripts/google-keys/key-rotation/dsm/main.tf index 60126fa..948fb4e 100644 --- a/sample-scripts/google-keys/key-rotation/dsm/main.tf +++ b/sample-scripts/google-keys/key-rotation/dsm/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/key-rotation/hsm-luna/main.tf b/sample-scripts/google-keys/key-rotation/hsm-luna/main.tf index 9fd1745..faa13b5 100644 --- a/sample-scripts/google-keys/key-rotation/hsm-luna/main.tf +++ b/sample-scripts/google-keys/key-rotation/hsm-luna/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/key-rotation/native/main.tf b/sample-scripts/google-keys/key-rotation/native/main.tf index 9c87b8f..ac4af05 100644 --- a/sample-scripts/google-keys/key-rotation/native/main.tf +++ b/sample-scripts/google-keys/key-rotation/native/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } 
diff --git a/sample-scripts/google-keys/key-synchronization/main.tf b/sample-scripts/google-keys/key-synchronization/main.tf index f529a2e..e40e5f0 100644 --- a/sample-scripts/google-keys/key-synchronization/main.tf +++ b/sample-scripts/google-keys/key-synchronization/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/upload/ciphertrust/asymmetric/main.tf b/sample-scripts/google-keys/upload/ciphertrust/asymmetric/main.tf index 549fa1f..7200673 100644 --- a/sample-scripts/google-keys/upload/ciphertrust/asymmetric/main.tf +++ b/sample-scripts/google-keys/upload/ciphertrust/asymmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/upload/ciphertrust/symmetric/main.tf b/sample-scripts/google-keys/upload/ciphertrust/symmetric/main.tf index 27793b8..e22ab5f 100644 --- a/sample-scripts/google-keys/upload/ciphertrust/symmetric/main.tf +++ b/sample-scripts/google-keys/upload/ciphertrust/symmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/upload/dsm/asymmetric/main.tf b/sample-scripts/google-keys/upload/dsm/asymmetric/main.tf index 833f874..71615b0 100644 --- a/sample-scripts/google-keys/upload/dsm/asymmetric/main.tf +++ b/sample-scripts/google-keys/upload/dsm/asymmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/upload/dsm/symmetric/main.tf b/sample-scripts/google-keys/upload/dsm/symmetric/main.tf index f01c9d0..e3d3938 100644 
--- a/sample-scripts/google-keys/upload/dsm/symmetric/main.tf +++ b/sample-scripts/google-keys/upload/dsm/symmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-keys/upload/hsm-luna/asymmetric/main.tf b/sample-scripts/google-keys/upload/hsm-luna/asymmetric/main.tf index aeb9704..7bf1e3d 100644 --- a/sample-scripts/google-keys/upload/hsm-luna/asymmetric/main.tf +++ b/sample-scripts/google-keys/upload/hsm-luna/asymmetric/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-workspace-cse/cse-endpoint/main.tf b/sample-scripts/google-workspace-cse/cse-endpoint/main.tf index 7dccda0..7b59483 100644 --- a/sample-scripts/google-workspace-cse/cse-endpoint/main.tf +++ b/sample-scripts/google-workspace-cse/cse-endpoint/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/google-workspace-cse/cse-identity/main.tf b/sample-scripts/google-workspace-cse/cse-identity/main.tf index 21820ec..c152b4e 100644 --- a/sample-scripts/google-workspace-cse/cse-identity/main.tf +++ b/sample-scripts/google-workspace-cse/cse-identity/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { ciphertrust = { source = "ThalesGroup/ciphertrust" - version = "0.9.0-beta7" + version = "0.9.0-beta9" } } } diff --git a/sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/README.md b/sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/README.md new file mode 100644 index 0000000..47d42b9 --- /dev/null +++ b/sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/README.md 
@@ -0,0 +1,81 @@ +# Create a Policy to Allow Non-Admin User to Add an AWS KMS + +This example shows how to: +- Create a user +- Create a custom group and add the user +- Add the user to built-in groups, CCKM Users and Key Users +- Create a policy that allows a user to add an AWS KMS +- Attach the policy to the custom group +- Create an AWS connection to which the user can add an AWS KMS + +The steps in this file explain how to: +- Configure CipherTrust Manager Provider parameters required to run the examples +- Configure AWS parameters required to create an AWS connection +- Run the example + +## Configure CipherTrust Manager + +### Use environment variables + +```bash +export CM_ADDRESS=https://cm-address +export CM_USERNAME=cm-username +export CM_PASSWORD=cm-password +export CM_DOMAIN=cm-domain +``` +### Use a configuration file + +Create a ~/.ciphertrust/config file and configure these keys with your values. + +```bash +address = https://cm-address +username = cm-username +password = cm-password +domain = cm-domain +``` + +### Edit the provider block in main.tf + +```bash +provider "ciphertrust" { + address = "https://cm-address" + username = "cm-username" + password = "cm-password" + domain = "cm-domain" +} +``` + +## Configure AWS Credentials + +### Use environment variables + +```bash +export AWS_ACCESS_KEY_ID=access-key-id +export AWS_SECRET_ACCESS_KEY=secret-access_key +``` + +### Edit the connection resource in the script + +```bash +resource "ciphertrust_aws_connection" "aws-connection" { + name = "aws-connection" + access_key_id = "access-key-id" + secret_access_key = "secret-access_key" +} +``` + +## Run the Example + +```bash +terraform init +terraform apply +``` + +## Destroy Resources + +Resources must be destroyed before another sample script using the same cloud is run. + +```bash +terraform destroy +``` +Run this step even if the apply step fails. 
diff --git a/sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/main.tf b/sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/main.tf
new file mode 100644
index 0000000..8dee007
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/aws/allow-kms-add/main.tf
@@ -0,0 +1,101 @@
+terraform {
+ required_providers {
+ ciphertrust = {
+ source = "ThalesGroup/ciphertrust"
+ version = "0.9.0-beta9"
+ }
+ }
+}
+
+provider "ciphertrust" {}
+
+resource "random_id" "random" {
+ byte_length = 8
+}
+
+locals {
+ connection_name = "aws-connection-${lower(random_id.random.hex)}"
+ group_name = "aws-group-${lower(random_id.random.hex)}"
+ kms_permissions = [
+ "AddKmsCCKM",
+ "ReadKMSCCKM",
+ "UpdateKmsCCKM",
+ ]
+ policy_name = "aws-policy-${lower(random_id.random.hex)}"
+ user_name = "aws-user-${lower(random_id.random.hex)}"
+ user_password = "password"
+}
+
+resource "ciphertrust_user" "user" {
+ username = local.user_name
+ password = local.user_password
+}
+output "user_name" {
+ value = ciphertrust_user.user.username
+}
+
+# Create a custom group and add user
+resource "ciphertrust_groups" "custom_group" {
+ name = local.group_name
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+output "group_name" {
+ value = ciphertrust_groups.custom_group.name
+}
+
+# Add user to CCKM Users group
+resource "ciphertrust_groups" "CCKM_Users_Group" {
+ name = "CCKM Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Add user to Key Users group
+resource "ciphertrust_groups" "Key_Users_Group" {
+ name = "Key Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Create a policy to allow a user to add an AWS KMS
+resource "ciphertrust_policies" "policy" {
+ name = local.policy_name
+ actions = local.kms_permissions
+ allow = true
+ effect = "allow"
+}
+output "policy_id" {
+ value = ciphertrust_policies.policy.id
+}
+output "policy_name" {
+ value = ciphertrust_policies.policy.name
+}
+output "policy" {
+ value = ciphertrust_policies.policy
+}
+
+# Attach the policy to the custom group
+resource "ciphertrust_policy_attachments" "attachment" {
+ policy = ciphertrust_policies.policy.id
+ principal_selector = jsonencode({
+ groups = [ciphertrust_groups.custom_group.name]
+ })
+}
+output "policy_attachment_id" {
+ value = ciphertrust_policy_attachments.attachment.id
+}
+
+# Create an AWS connection so the user can add a KMS
+resource "ciphertrust_aws_connection" "connection" {
+ name = local.connection_name
+}
+output "connection_id" {
+ value = ciphertrust_aws_connection.connection.id
+}
+output "connection_name" {
+ value = ciphertrust_aws_connection.connection.name
+}
diff --git a/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/README.md b/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/README.md
new file mode 100644
index 0000000..f665b82
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/README.md
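Review bot: `user_password = "password"` in `locals` creates a real CipherTrust Manager user with a fixed, trivially guessable password, and the same user is then placed in the built-in "CCKM Users" and "Key Users" groups; the same literal appears in azure/allow-vault-add/main.tf, deny-cmkey-export/main.tf and google/allow-keyring-create/main.tf. Since the file already uses the random provider via `random_id`, generate the credential instead: add `resource "random_password" "user" { length = 16 }` and set `user_password = random_password.user.result` (or take it from a `sensitive = true` variable). Relatedly, `random_id` is used without a `random` entry in `required_providers`; Terraform resolves the unqualified name implicitly, but declaring it keeps the sample pinned like `ciphertrust` is. The `ciphertrust_groups` resources named after the built-in groups deserve a comment stating what `terraform destroy` does to them — if the provider deletes the group rather than only the membership, destroying this sample would remove a built-in group (I cannot confirm that from the diff).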
@@ -0,0 +1,95 @@ +# Create a Policy to Allow Non-Admin User to Add an Azure Vault + +This example shows how to: +- Create a user +- Create a custom group and add the user +- Add the user to built-in groups, CCKM Users and Key Users +- Create a policy that allows a user to add an Azure vault +- Attach the policy to the custom group +- Create an Azure connection to which the user can add an Azure vault + +Steps in this file explain how to: +- Configure CipherTrust Manager Provider parameters required to run the examples +- Configure Azure parameters required to create an Azure connection +- Run the example + +## Configure CipherTrust Manager + +### Use environment variables + +```bash +export CM_ADDRESS=https://cm-address +export CM_USERNAME=cm-username +export CM_PASSWORD=cm-password +export CM_DOMAIN=cm-domain +``` +### Use a configuration file + +Create a ~/.ciphertrust/config file and configure these keys with your values. + +```bash +address = https://cm-address +username = cm-username +password = cm-password +domain = cm-domain +``` + +### Edit the provider block in main.tf + +```bash +provider "ciphertrust" { + address = "https://cm-address" + username = "cm-username" + password = "cm-password" + domain = "cm-domain" +} +``` + +## Configure Azure Credentials + +### Use environment variables + +```bash +export ARM_CLIENT_ID=client-id +export ARM_CLIENT_SECRET=client-secret +export ARM_TENANT_ID=tenant-id +``` + +### Edit the connection resource in main.tf + +```bash +resource "ciphertrust_azure_connection" "azure_connection" { + name = "azure-connection" + client_id = "client-id" + client_secret = "client-secret" + tenant_id = "tenant-id" +} +``` + +## Configure Azure Vaults + +### Update Azure for all Azure examples + +Update values in scripts/azure_vars.sh and run the script. + +This updates all azure_vars.tf files found in the subdirectories. + +### Configure for this example only + +Edit azure_vars.tf in this directory and update with your values. 
+
+## Run the Example
+
+```bash
+terraform init
+terraform apply
+```
+
+## Destroy Resources
+
+Resources must be destroyed before another sample script using the same cloud is run.
+
+```bash
+terraform destroy
+```
+Run this step even if the apply step fails.
diff --git a/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/azure_vars.tf b/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/azure_vars.tf
new file mode 100644
index 0000000..3f11e6d
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/azure_vars.tf
@@ -0,0 +1,4 @@
+variable "vault_name" {
+ type = string
+ default = "azure-vault-name"
+}
diff --git a/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/main.tf b/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/main.tf
new file mode 100644
index 0000000..6777b41
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/azure/allow-vault-add/main.tf
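Review bot: `variable "vault_name"` is declared here but nothing in the accompanying allow-vault-add/main.tf references `var.vault_name`, while the README in the same directory tells the reader to edit this file "with your values". Either drop the file and the README's "Configure Azure Vaults" section, or add a comment such as `# Not used by main.tf; the vault is added later by the non-admin user` so readers do not look for a missing step.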
@@ -0,0 +1,103 @@
+terraform {
+ required_providers {
+ ciphertrust = {
+ source = "ThalesGroup/ciphertrust"
+ version = "0.9.0-beta9"
+ }
+ }
+}
+
+provider "ciphertrust" {}
+
+resource "random_id" "random" {
+ byte_length = 8
+}
+
+locals {
+ connection_name = "azure-connection-${lower(random_id.random.hex)}"
+ group_name = "azure-group-${lower(random_id.random.hex)}"
+ policy_name = "azure-policy-${lower(random_id.random.hex)}"
+ vault_permissions = [
+ "AddVaultCCKM",
+ "GetAzurevaultCCKM",
+ "ReadAzureVault",
+ "UpdateVaultCCKM",
+ ]
+ user_name = "azure-user-${lower(random_id.random.hex)}"
+ user_password = "password"
+}
+
+# Create a CipherTrust user
+resource "ciphertrust_user" "user" {
+ username = local.user_name
+ password = local.user_password
+}
+output "user_name" {
+ value = ciphertrust_user.user.username
+}
+
+# Create a custom group and add user
+resource "ciphertrust_groups" "custom_group" {
+ name = local.group_name
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+output "group_name" {
+ value = ciphertrust_groups.custom_group.name
+}
+
+# Add user to CCKM Users group
+resource "ciphertrust_groups" "CCKM_Users_Group" {
+ name = "CCKM Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Add user to Key Users group
+resource "ciphertrust_groups" "Key_Users_Group" {
+ name = "Key Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Create a policy to allow a user to add an Azure key vault
+resource "ciphertrust_policies" "policy" {
+ name = local.policy_name
+ actions = concat(local.vault_permissions)
+ allow = true
+ effect = "allow"
+}
+output "policy_id" {
+ value = ciphertrust_policies.policy.id
+}
+output "policy_name" {
+ value = ciphertrust_policies.policy.name
+}
+output "policy" {
+ value = ciphertrust_policies.policy
+}
+
+# Attach the policy to the custom group
+resource "ciphertrust_policy_attachments" "attachment" {
+ policy = ciphertrust_policies.policy.id
+ principal_selector = jsonencode({
+ groups = [ciphertrust_groups.custom_group.name]
+ })
+}
+output "policy_attachment_id" {
+ value = ciphertrust_policy_attachments.attachment.id
+}
+
+# Create an Azure connection so the user can add a vault
+resource "ciphertrust_azure_connection" "connection" {
+ name = local.connection_name
+}
+output "connection_id" {
+ value = ciphertrust_azure_connection.connection.id
+}
+output "connection_name" {
+ value = ciphertrust_azure_connection.connection.name
+}
diff --git a/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/README.md b/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/README.md
new file mode 100644
index 0000000..701d84e
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/README.md
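Review bot: `actions = concat(local.vault_permissions)` wraps a single list in `concat`, which is a no-op and reads as if a second list were forgotten; the AWS sample assigns its list directly, so `actions = local.vault_permissions` keeps the three samples consistent (google/allow-keyring-create/main.tf has the same `concat(local.keyring_permissions)`). In the `vault_permissions` list, `"GetAzurevaultCCKM"` is capitalised differently from its neighbours (`AddVaultCCKM`, `UpdateVaultCCKM`); if action names are matched case-sensitively by CipherTrust Manager this entry would silently grant nothing, so it is worth checking against the policies resource documentation added in this commit. A one-line comment on the list naming where the action strings come from would help the next reader do that check.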
@@ -0,0 +1,74 @@ +# Create a Policy to Prevent a User Exporting CipherTrust Keys + +This example shows how to: +- Create a CipherTrust user +- Create a custom CipherTrust group +- Add the user to the custom CipherTrust group +- Add the user to built-in groups, 'CCKM Users' and 'Key User' +- Create a policy to deny CipherTrust key export +- Attach the policy to the custom group + +Steps in this file explain how to: +- Configure CipherTrust Manager Provider parameters required to run the examples +- Configure Google Cloud parameters required to create Google Cloud keys +- Run the example + +## Configure CipherTrust Manager + +### Use environment variables + +```bash +export CM_ADDRESS=https://cm-address +export CM_USERNAME=cm-username +export CM_PASSWORD=cm-password +export CM_DOMAIN=cm-domain +``` +### Use a configuration file + +Create a ~/.ciphertrust/config file and configure these keys with your values. + +```bash +address = https://cm-address +username = cm-username +password = cm-password +domain = cm-domain +``` + +### Edit the provider block in main.tf + +```bash +provider "ciphertrust" { + address = "https://cm-address" + username = "cm-username" + password = "cm-password" + domain = "cm-domain" +} +``` + +## Configure Google Cloud Credentials and Keyrings + +### Configure for all Google Cloud examples + +Update values in scripts/gcp_vars.sh and run the script. + +This updates all gcp_vars.tf files found in the subdirectories. + +### Configure for this example only + +Edit gcp_vars.tf in this directory and update with your values. + +## Run the Example + +```bash +terraform init +terraform apply +``` + +## Destroy Resources + +Resources must be destroyed before another sample script using the same cloud is run. + +```bash +terraform destroy +``` +Run this step even if the apply step fails. 
diff --git a/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/gcp_vars.tf b/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/gcp_vars.tf
new file mode 100644
index 0000000..227f51d
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/gcp_vars.tf
@@ -0,0 +1,15 @@
+variable "gcp_key_file" {
+ type = string
+ default = "gcp-key-file-path"
+}
+
+variable "gcp_project" {
+ type = string
+ default = "gcp-project"
+}
+
+variable "keyring" {
+ type = string
+ default = "gcp-keyring"
+}
+
diff --git a/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/main.tf b/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/main.tf
new file mode 100644
index 0000000..ba374ff
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/deny-cmkey-export/main.tf
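Review bot: None of `gcp_key_file`, `gcp_project` or `keyring` is referenced by the deny-cmkey-export/main.tf added in this commit, which creates only a user, groups, a policy and an attachment and no Google Cloud resources. The README for this directory nevertheless instructs the reader to configure Google Cloud credentials and keyrings, so the sample asks for a service-account key file it never uses. Drop this file (and the README section) or, if a follow-up step is intended, state it in a header comment such as `# Reserved for a later step that creates a Google Cloud key; not used by main.tf`.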
@@ -0,0 +1,81 @@
+terraform {
+ required_providers {
+ ciphertrust = {
+ source = "ThalesGroup/ciphertrust"
+ version = "0.9.0-beta9"
+ }
+ }
+}
+
+provider "ciphertrust" {}
+
+resource "random_id" "random" {
+ byte_length = 8
+}
+
+locals {
+ group_name = "group-${lower(random_id.random.hex)}"
+ policy_name = "policy-${lower(random_id.random.hex)}"
+ user_name = "user-${lower(random_id.random.hex)}"
+ user_password = "password"
+}
+
+resource "ciphertrust_user" "user" {
+ username = local.user_name
+ password = local.user_password
+}
+output "user_name" {
+ value = ciphertrust_user.user.username
+}
+
+# Create a custom group, adding user
+resource "ciphertrust_groups" "custom_group" {
+ name = local.group_name
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+output "group_name" {
+ value = ciphertrust_groups.custom_group.name
+}
+
+# Add user to CCKM Users group
+resource "ciphertrust_groups" "CCKM_Users_Group" {
+ name = "CCKM Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Add user to Key Users group
+resource "ciphertrust_groups" "Key_Users_Group" {
+ name = "Key Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Create a policy to deny export privileges of the CipherTrust key
+resource "ciphertrust_policies" "policy" {
+ name = local.policy_name
+ actions = ["ExportKey"]
+ allow = true
+ effect = "deny"
+}
+output "policy_id" {
+ value = ciphertrust_policies.policy.id
+}
+output "policy_name" {
+ value = ciphertrust_policies.policy.name
+}
+
+# Attach the policy to the custom group
+resource "ciphertrust_policy_attachments" "attachment" {
+ policy = ciphertrust_policies.policy.id
+ principal_selector = jsonencode({
+ groups = [ciphertrust_groups.custom_group.name]
+ })
+}
+output "policy_attachment_id" {
+ value = ciphertrust_policy_attachments.attachment.id
+}
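Review bot: `allow = true` next to `effect = "deny"` in the `ciphertrust_policies` block reads as contradictory, and the three allow samples also set both (`allow = true`, `effect = "allow"`), so a reader cannot tell from the samples which attribute decides the outcome. Since this is the one sample whose purpose is to deny, add a comment on those two lines explaining their relationship as the provider implements it, e.g. `# effect decides allow/deny for the listed actions; see docs/resources/policies.md for what allow controls` — I cannot verify the semantics from the diff, so the wording should come from that documentation. The export denial is also only as strong as the attachment scope: `principal_selector` targets the custom group alone, which is correct, but a comment noting that the user's other memberships ("CCKM Users", "Key Users") are unaffected would make the example's intent explicit.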
diff --git a/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/README.md b/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/README.md
new file mode 100644
index 0000000..dff8b4f
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/README.md
@@ -0,0 +1,74 @@ +# Allow Non-Admin User to Create a Google Cloud Keyring + +This example shows how to: +- Create a user +- Create a custom group and add the user +- Add the user to built-in groups, CCKM Users and Key Users +- Create a policy that allows a user to add a GCP keyring +- Attach the policy to the custom group +- Create a Google cloud connection to which the user can add a keyring + +Steps in this file explain how to: +- Configure CipherTrust Manager Provider parameters required to run the examples +- Configure Google Cloud parameters required to create a Google cloud connection +- Run the example + +## Configure CipherTrust Manager + +### Use environment variables + +```bash +export CM_ADDRESS=https://cm-address +export CM_USERNAME=cm-username +export CM_PASSWORD=cm-password +export CM_DOMAIN=cm-domain +``` +### Use a configuration file + +Create a ~/.ciphertrust/config file and configure these keys with your values. + +```bash +address = https://cm-address +username = cm-username +password = cm-password +domain = cm-domain +``` + +### Edit the provider block in main.tf + +```bash +provider "ciphertrust" { + address = "https://cm-address" + username = "cm-username" + password = "cm-password" + domain = "cm-domain" +} +``` + +## Configure Google Cloud Credentials and Keyrings + +### Configure for all Google Cloud examples + +Update values in scripts/gcp_vars.sh and run the script. + +This updates all gcp_vars.tf files found in the subdirectories. + +### Configure for this example only + +Edit gcp_vars.tf in this directory and update with your values. + +## Run the Example + +```bash +terraform init +terraform apply +``` + +## Destroy Resources + +Resources must be destroyed before another sample script using the same cloud is run. + +```bash +terraform destroy +``` +Run this step even if the apply step fails. 
diff --git a/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/gcp_vars.tf b/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/gcp_vars.tf
new file mode 100644
index 0000000..a372eb3
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/gcp_vars.tf
@@ -0,0 +1,14 @@
+variable "gcp_key_file" {
+ type = string
+ default = "../../../server_certs/gcp-key-file.json"
+}
+
+variable "gcp_project" {
+ type = string
+ default = "gemalto-kyloeng"
+}
+
+variable "keyring_ex1" {
+ type = string
+ default = "projects/gemalto-kyloeng/locations/global/keyRings/CCKM-Automation1"
+}
diff --git a/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/main.tf b/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/main.tf
new file mode 100644
index 0000000..621e133
--- /dev/null
+++ b/sample-scripts/policies/cloud-key-manager/google/allow-keyring-create/main.tf
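Review bot: The defaults in this file are real-looking values — an internal project id, a specific keyRing resource name and `../../../server_certs/gcp-key-file.json`, a repo-relative path to a service-account key — whereas the sibling deny-cmkey-export/gcp_vars.tf added in the same commit uses neutral placeholders. Published sample defaults that name an internal project and point at a key file under the repository invite both accidental key check-in and use against the wrong project; align them with the sibling: `default = "gcp-key-file-path"`, `default = "gcp-project"`, and a placeholder keyring. `gcp_project` and `keyring_ex1` are also not referenced by the accompanying main.tf (only `var.gcp_key_file` is), and the `_ex1` suffix differs from the `keyring` name used next door, so either remove the two unused variables or rename `keyring_ex1` to `keyring` for consistency.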
@@ -0,0 +1,103 @@
+terraform {
+ required_providers {
+ ciphertrust = {
+ source = "ThalesGroup/ciphertrust"
+ version = "0.9.0-beta9"
+ }
+ }
+}
+
+provider "ciphertrust" {}
+
+resource "random_id" "random" {
+ byte_length = 8
+}
+
+locals {
+ group_name = "google-group-${lower(random_id.random.hex)}"
+ policy_name = "google-policy-${lower(random_id.random.hex)}"
+ connection_name = "google-connection-${lower(random_id.random.hex)}"
+ keyring_permissions = [
+ "AddKeyRingsCCKM",
+ "ReadGcpKeyRing",
+ "GetKeyRingsCCKM",
+ ]
+ user_name = "google-user-${lower(random_id.random.hex)}"
+ user_password = "password"
+}
+
+# Create a CipherTrust user
+resource "ciphertrust_user" "user" {
+ username = local.user_name
+ password = local.user_password
+}
+output "user_name" {
+ value = ciphertrust_user.user.username
+}
+
+# Create a custom group and add user
+resource "ciphertrust_groups" "custom_group" {
+ name = local.group_name
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+output "group_name" {
+ value = ciphertrust_groups.custom_group.name
+}
+
+# Add user to CCKM Users group
+resource "ciphertrust_groups" "CCKM_Users_Group" {
+ name = "CCKM Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Add user to Key Users group
+resource "ciphertrust_groups" "Key_Users_Group" {
+ name = "Key Users"
+ user_ids = [
+ ciphertrust_user.user.id,
+ ]
+}
+
+# Create a policy to allow a user to add GCP keyrings
+resource "ciphertrust_policies" "policy" {
+ name = local.policy_name
+ actions = concat(local.keyring_permissions)
+ allow = true
+ effect = "allow"
+}
+output "policy_id" {
+ value = ciphertrust_policies.policy.id
+}
+output "policy_name" {
+ value = ciphertrust_policies.policy.name
+}
+output "policy" {
+ value = ciphertrust_policies.policy
+}
+
+# Attach the policy to the custom group
+resource "ciphertrust_policy_attachments" "attachment" {
+ policy = ciphertrust_policies.policy.id
+ principal_selector = jsonencode({
+ groups = [ciphertrust_groups.custom_group.name]
+ })
+}
+output "policy_attachment_id" {
+ value = ciphertrust_policy_attachments.attachment.id
+}
+
+# Create a GCP connection so the user can add a keyring
+resource "ciphertrust_gcp_connection" "connection" {
+ key_file = var.gcp_key_file
+ name = local.connection_name
+}
+output "gcp_connection_id" {
+ value = ciphertrust_gcp_connection.connection.id
+}
+output "gcp_connection_name" {
+ value = ciphertrust_gcp_connection.connection.name
+}
diff --git a/sample-scripts/practical-examples/aws_s3_bucket/main.tf b/sample-scripts/practical-examples/aws_s3_bucket/main.tf
index 40a42b3..7876719 100644
--- a/sample-scripts/practical-examples/aws_s3_bucket/main.tf
+++ b/sample-scripts/practical-examples/aws_s3_bucket/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
diff --git a/sample-scripts/practical-examples/azure_storage_account/main.tf b/sample-scripts/practical-examples/azure_storage_account/main.tf
index 0ddabba..9943e8e 100644
--- a/sample-scripts/practical-examples/azure_storage_account/main.tf
+++ b/sample-scripts/practical-examples/azure_storage_account/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 }
 }
diff --git a/sample-scripts/practical-examples/cluster/main.tf b/sample-scripts/practical-examples/cluster/main.tf
index a09019a..aaa6dc7 100644
--- a/sample-scripts/practical-examples/cluster/main.tf
+++ b/sample-scripts/practical-examples/cluster/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 ciphertrust = {
 source = "ThalesGroup/ciphertrust"
- version = "0.9.0-beta7"
+ version = "0.9.0-beta9"
 }
 aws = {