inspec · sa-progress · Jan 22, 2024 · Aug 4, 2022 · Aug 5, 2022 · Jan 19, 2024
@@ -0,0 +1,113 @@
+---
+title: About the google_kms_crypto_key_version resource
+platform: gcp
+---
+
+## Syntax
+A `google_kms_crypto_key_version` is used to test a Google CryptoKeyVersion resource
+
+## Examples
+```
+describe google_kms_crypto_key_version(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '', name: 'kms-key') do
+  it { should exist }
+  its('crypto_key_name') { should cmp 'kms-key' }
+  its('primary_state') { should eq "ENABLED" }
+  its('purpose') { should eq "ENCRYPT_DECRYPT" }
+  its('next_rotation_time') { should be > Time.now - 100000 }
+  its('create_time') { should be > Time.now - 365*60*60*24*10 }
+end
+
+describe google_kms_crypto_key_version(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '', name: "nonexistent") do
+  it { should_not exist }
+end
+```
+
+## Properties
+Properties that can be accessed from the `google_kms_crypto_key_version` resource:
+
+
+  * `name`: The resource name for the CryptoKey.
+
+  * `create_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+  * `generate_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+  * `destroy_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+  * `destroy_event_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+  * `state`: The state of a CryptoKeyVersion, indicating if it can be used.
+  Possible values:
+    * CRYPTO_KEY_VERSION_STATE_UNSPECIFIED
+    * PENDING_GENERATION
+    * ENABLED
+    * DISABLED
+    * DESTROYED
+    * DESTROY_SCHEDULED
+    * PENDING_IMPORT
+    * IMPORT_FAILED
+
+  * `protection_level`: ProtectionLevel specifies how cryptographic operations are performed. For more information, see Protection levels.
+  Possible values:
+    * PROTECTION_LEVEL_UNSPECIFIED
+    * SOFTWARE
+    * HSM
+    * EXTERNAL
+    * EXTERNAL_VPC
+
+  * `algorithm`: The algorithm of the CryptoKeyVersion, indicating what parameters must be used for each cryptographic operation. The GOOGLE_SYMMETRIC_ENCRYPTION algorithm is usable with CryptoKey.purpose ENCRYPT_DECRYPT. Algorithms beginning with "RSA_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN. The fields in the name after "RSA_SIGN_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. For PSS, the salt length used is equal to the length of digest algorithm. For example, RSA_SIGN_PSS_2048_SHA256 will use PSS with a salt length of 256 bits or 32 bytes. Algorithms beginning with "RSA_DECRYPT_" are usable with CryptoKey.purpose ASYMMETRIC_DECRYPT. The fields in the name after "RSA_DECRYPT_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. Algorithms beginning with "EC_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN. The fields in the name after "EC_SIGN_" correspond to the following parameters: elliptic curve, digest algorithm. Algorithms beginning with "HMAC_" are usable with CryptoKey.purpose MAC. The suffix following "HMAC_" corresponds to the hash algorithm being used (eg. SHA256).
+  Possible values:
+    * CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED
+    * GOOGLE_SYMMETRIC_ENCRYPTION
+    * RSA_SIGN_PSS_2048_SHA256
+    * RSA_SIGN_PSS_3072_SHA256
+    * RSA_SIGN_PSS_4096_SHA256
+    * RSA_SIGN_PSS_4096_SHA512
+    * RSA_SIGN_PKCS1_2048_SHA256
+    * RSA_SIGN_PKCS1_3072_SHA256
+    * RSA_SIGN_PKCS1_4096_SHA512
+    * RSA_SIGN_PKCS1_4096_SHA256
+    * RSA_SIGN_RAW_PKCS1_2048
+    * RSA_SIGN_RAW_PKCS1_3072
+    * RSA_SIGN_RAW_PKCS1_4096
+    * RSA_DECRYPT_OAEP_2048_SHA256
+    * RSA_DECRYPT_OAEP_3072_SHA256
+    * RSA_DECRYPT_OAEP_4096_SHA256
+    * RSA_DECRYPT_OAEP_4096_SHA512
+    * RSA_DECRYPT_OAEP_2048_SHA1
+    * RSA_DECRYPT_OAEP_3072_SHA1
+    * RSA_DECRYPT_OAEP_4096_SHA1
+    * EC_SIGN_P256_SHA256
+    * EC_SIGN_P384_SHA384
+    * EC_SIGN_SECP256K1_SHA256
+    * HMAC_SHA256
+    * EXTERNAL_SYMMETRIC_ENCRYPTION
+
+  * `attestation`: Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM.
+
+    * `format`: The format of the attestation data.
+
+    * `content`: The attestation data provided by the HSM when the key operation was performed. A base64-encoded string.
+
+  * `import_job`: Output only. The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported.
+
+  * `import_time`: The time that this resource was created on the server. This is in RFC3339 text format.
+
+  * `import_failure_reason`: Output only. The root cause of the most recent import failure. Only present if state is IMPORT_FAILED.
+
+  * `external_protection_level_options`: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
+
+    * `external_key_uri`: The URI for an external resource that this CryptoKeyVersion represents.
+
+    * `ekm_connection_key_path`: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
+
+  * `reimport_eligible`: Output only. Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version.
+
+  * `key_ring`: The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
+
+  * `crypto_key`: The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'`.
+
+
+## GCP Permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
@@ -0,0 +1,44 @@
+---
+title: About the google_kms_crypto_key_versions resource
+platform: gcp
+---
+
+## Syntax
+A `google_kms_crypto_key_versions` is used to test a Google CryptoKeyVersion resource
+
+## Examples
+```
+describe google_kms_crypto_key_versions(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '') do
+  its('count') { should be >= 1 }
+  its('crypto_key_names') { should include 'kms-key' }
+end
+```
+
+## Properties
+Properties that can be accessed from the `google_kms_crypto_key_versions` resource:
+
+See [google_kms_crypto_key_version.md](google_kms_crypto_key_version.md) for more detailed information
+  * `names`: an array of `google_kms_crypto_key_version` name
+  * `create_times`: an array of `google_kms_crypto_key_version` create_time
+  * `generate_times`: an array of `google_kms_crypto_key_version` generate_time
+  * `destroy_times`: an array of `google_kms_crypto_key_version` destroy_time
+  * `destroy_event_times`: an array of `google_kms_crypto_key_version` destroy_event_time
+  * `states`: an array of `google_kms_crypto_key_version` state
+  * `protection_levels`: an array of `google_kms_crypto_key_version` protection_level
+  * `algorithms`: an array of `google_kms_crypto_key_version` algorithm
+  * `attestations`: an array of `google_kms_crypto_key_version` attestation
+  * `import_jobs`: an array of `google_kms_crypto_key_version` import_job
+  * `import_times`: an array of `google_kms_crypto_key_version` import_time
+  * `import_failure_reasons`: an array of `google_kms_crypto_key_version` import_failure_reason
+  * `external_protection_level_options`: an array of `google_kms_crypto_key_version` external_protection_level_options
+  * `reimport_eligibles`: an array of `google_kms_crypto_key_version` reimport_eligible
+  * `key_rings`: an array of `google_kms_crypto_key_version` key_ring
+  * `crypto_keys`: an array of `google_kms_crypto_key_version` crypto_key
+
+## Filter Criteria
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP Permissions
+
+Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project.
@@ -0,0 +1,37 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+module GoogleInSpec
+  module KMS
+    module Property
+      class CryptoKeyVersionAttestation
+        attr_reader :format
+
+        attr_reader :content
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @format = args['format']
+          @content = args['content']
+        end
+
+        def to_s
+          "#{@parent_identifier} CryptoKeyVersionAttestation"
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,37 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+module GoogleInSpec
+  module KMS
+    module Property
+      class CryptoKeyVersionExternalProtectionLevelOptions
+        attr_reader :external_key_uri
+
+        attr_reader :ekm_connection_key_path
+
+        def initialize(args = nil, parent_identifier = nil)
+          return if args.nil?
+          @parent_identifier = parent_identifier
+          @external_key_uri = args['externalKeyUri']
+          @ekm_connection_key_path = args['ekmConnectionKeyPath']
+        end
+
+        def to_s
+          "#{@parent_identifier} CryptoKeyVersionExternalProtectionLevelOptions"
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,92 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+require 'gcp_backend'
+require 'google/kms/property/cryptokeyversion_attestation'
+require 'google/kms/property/cryptokeyversion_external_protection_level_options'
+
+# A provider to manage Cloud Key Management Service resources.
+class KMSCryptoKeyVersion < GcpResourceBase
+  name 'google_kms_crypto_key_version'
+  desc 'CryptoKeyVersion'
+  supports platform: 'gcp'
+
+  attr_reader :params
+  attr_reader :name
+  attr_reader :create_time
+  attr_reader :generate_time
+  attr_reader :destroy_time
+  attr_reader :destroy_event_time
+  attr_reader :state
+  attr_reader :protection_level
+  attr_reader :algorithm
+  attr_reader :attestation
+  attr_reader :import_job
+  attr_reader :import_time
+  attr_reader :import_failure_reason
+  attr_reader :external_protection_level_options
+  attr_reader :reimport_eligible
+  attr_reader :key_ring
+  attr_reader :crypto_key
+
+  def initialize(params)
+    super(params.merge({ use_http_transport: true }))
+    @params = params
+    @fetched = @connection.fetch(product_url(params[:beta]), resource_base_url, params, 'Get')
+    parse unless @fetched.nil?
+  end
+
+  def parse
+    @name = @fetched['name']
+    @create_time = parse_time_string(@fetched['createTime'])
+    @generate_time = parse_time_string(@fetched['generateTime'])
+    @destroy_time = parse_time_string(@fetched['destroyTime'])
+    @destroy_event_time = parse_time_string(@fetched['destroyEventTime'])
+    @state = @fetched['state']
+    @protection_level = @fetched['protectionLevel']
+    @algorithm = @fetched['algorithm']
+    @attestation = GoogleInSpec::KMS::Property::CryptoKeyVersionAttestation.new(@fetched['attestation'], to_s)
+    @import_job = @fetched['importJob']
+    @import_time = parse_time_string(@fetched['importTime'])
+    @import_failure_reason = @fetched['importFailureReason']
+    @external_protection_level_options = GoogleInSpec::KMS::Property::CryptoKeyVersionExternalProtectionLevelOptions.new(@fetched['externalProtectionLevelOptions'], to_s)
+    @reimport_eligible = @fetched['reimportEligible']
+    @key_ring = @fetched['keyRing']
+    @crypto_key = @fetched['cryptoKey']
+  end
+
+  # Handles parsing RFC3339 time string
+  def parse_time_string(time_string)
+    time_string ? Time.parse(time_string) : nil
+  end
+
+  def exists?
+    [email protected]?
+  end
+
+  def to_s
+    "CryptoKeyVersion #{@params[:name]}"
+  end
+
+  private
+
+  def product_url(_ = nil)
+    'https://cloudkms.googleapis.com/v1/'
+  end
+
+  def resource_base_url
+    'projects/{{project}}/locations/{{location}}/keyRings/{{key_ring}}/cryptoKeys/{{crypto_key}}/cryptoKeyVersions/{{name}}'
+  end
+end