From a6aa1ca9fe7363f9f56ed6fa784045ac7886964b Mon Sep 17 00:00:00 2001
From: Lai Jiang
Date: Fri, 27 Sep 2019 12:12:58 -0400
Subject: [PATCH] Protect KMS-secured data against destruction in upcoming google provider update. (#284)

Export of cl/270900150. To refer to a KMS key or key ring, we should use the stable `.self_link`. Using `.id` instead provides an unstable identifier which may change (and it will change in the upcoming update of the google provider to 2.9.1). A change in the identifier will cause Terraform to destroy and recreate the key. Destroying the key means all data associated with it is lost; the key cannot be recreated. This CL replaces `.id` with `.self_link`, so all of those problems will not happen. In addition, `prevent_destroy` protects the key against delete-and-recreate in general.
---
 proxy/terraform/modules/kms.tf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/proxy/terraform/modules/kms.tf b/proxy/terraform/modules/kms.tf
index 7767ddc45..ccfbd1387 100644
--- a/proxy/terraform/modules/kms.tf
+++ b/proxy/terraform/modules/kms.tf
@@ -5,11 +5,16 @@ resource "google_kms_key_ring" "proxy_key_ring" {
 
 resource "google_kms_crypto_key" "proxy_key" {
   name     = "${var.proxy_key}"
-  key_ring = "${google_kms_key_ring.proxy_key_ring.id}"
+  key_ring = google_kms_key_ring.proxy_key_ring.self_link
+
+  lifecycle {
+    # If a crypto key gets destroyed, all data encrypted with it is lost.
+    prevent_destroy = true
+  }
 }
 
 resource "google_kms_crypto_key_iam_member" "ssl_key_decrypter" {
-  crypto_key_id = "${google_kms_crypto_key.proxy_key.id}"
+  crypto_key_id = google_kms_crypto_key.proxy_key.self_link
   role          = "roles/cloudkms.cryptoKeyDecrypter"
   member        = "serviceAccount:${google_service_account.proxy_service_account.email}"
 }
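Review bot: The new `prevent_destroy = true` in the `lifecycle` block of `google_kms_crypto_key.proxy_key` only rejects plans that would destroy or replace the resource while this block is still in the configuration; removing the resource block from kms.tf (or dropping it from state) silently discards the guard, and the comment above it does not say so, which is exactly the case a future cleanup is likely to hit. I would extend the comment to `# prevent_destroy only guards plans that still contain this block; removing the resource from config or state bypasses it.` The hunk also mixes the new first-class references (`google_kms_key_ring.proxy_key_ring.self_link`) with the legacy interpolation form on the untouched `name = "${var.proxy_key}"` line in the same resource; if the module is now on the syntax that supports bare references, `name = var.proxy_key` keeps the file consistent, though whether the whole module has moved to that syntax is not visible from this hunk. The `google_kms_key_ring.proxy_key_ring` resource referenced here is defined above the hunk and is outside the diff.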