add vault & common kms keys
This commit is contained in:
parent
e25184900b
commit
f9a7d98aef
@ -35,6 +35,7 @@ resource "oci_core_instance" "compute" {
|
||||
source_details {
|
||||
source_type = "image"
|
||||
source_id = data.oci_core_images.selected[each.value.key].images[0].id
|
||||
kms_key_id = var.use_vault.volume ? try(data.oci_kms_key.key["volume"].id, null) : null
|
||||
boot_volume_size_in_gbs = each.value.key == "flex" ? 100 : 50
|
||||
boot_volume_vpus_per_gb = 120
|
||||
is_preserve_boot_volume_enabled = false
|
||||
|
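Review bot: The new `kms_key_id = var.use_vault.volume ? try(data.oci_kms_key.key["volume"].id, null) : null` turns a failed key lookup into a silent `null`, so a boot volume the operator asked to protect with the customer-managed key (`use_vault.volume = true`) is quietly created under the Oracle-managed default key instead of the apply failing. Since `data.oci_kms_key.key` is keyed by the same `use_vault` map and only exists when `create_vault` is true, the only case `try()` really covers is `create_vault = false`, and that case can be stated explicitly: `kms_key_id = var.create_vault && var.use_vault.volume ? data.oci_kms_key.key["volume"].id : null`. If the unselected branch still raises an index error on the Terraform version in use, keep the `try()` but add a comment saying the fallback is deliberate, because as written nothing tells a reader that an unencrypted-by-CMK volume is an acceptable outcome. The enclosing `resource "oci_core_instance" "compute"` block starts before this hunk.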
@ -2,6 +2,15 @@ data "oci_identity_tenancy" "tenancy" {
|
||||
tenancy_id = var.tenancy_id
|
||||
}
|
||||
|
||||
# use this instead of oci_kms_key.key to await supporting policy creation
|
||||
data "oci_kms_key" "key" {
|
||||
for_each = var.create_vault ? var.use_vault : {}
|
||||
|
||||
management_endpoint = oci_kms_vault.vault[0].management_endpoint
|
||||
key_id = oci_kms_key.key[each.key].id
|
||||
depends_on = [oci_identity_policy.kms_service_policy]
|
||||
}
|
||||
|
||||
data "oci_identity_availability_domains" "available" {
|
||||
compartment_id = oci_identity_compartment.compartment.id
|
||||
}
|
||||
|
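--- a/oci.vault.tf
+++ b/oci.vault.tf
@@ -0,0 +1,38 @@
+resource "oci_kms_vault" "vault" {
+count = var.create_vault ? 1 : 0
+
+compartment_id = oci_identity_compartment.compartment.id
+display_name = join("", [var.prefix, "vault"])
+vault_type = "DEFAULT"
+freeform_tags = local.freeform_tags
+}
+
+resource "oci_kms_key" "key" {
+for_each = var.create_vault ? var.use_vault : {}
+
+compartment_id = oci_identity_compartment.compartment.id
+management_endpoint = oci_kms_vault.vault[0].management_endpoint
+display_name = join("", [var.prefix, each.key, "-key"])
+desired_state = "ENABLED"
+protection_mode = "HSM"
+key_shape {
+algorithm = "AES"
+length = 32
+}
+freeform_tags = local.freeform_tags
+}
+
+resource "oci_identity_policy" "kms_service_policy" {
+compartment_id = oci_identity_compartment.compartment.id
+name = "kms-service-policy"
+description = "kms service policy"
+statements = [
+!var.use_vault.volume ? "" :
+"allow service blockstorage to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["volume"].id}'",
+!var.use_vault.object ? "" :
+"allow service objectstorage-${var.oci_region} to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["object"].id}'",
+!var.use_vault.database ? "" :
+"allow service dbcs to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["database"].id}'",
+]
+freeform_tags = local.freeform_tags
+}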
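Review bot: `resource "oci_identity_policy" "kms_service_policy"` is created unconditionally while `oci_kms_key.key` uses `for_each = var.create_vault ? var.use_vault : {}`, so with `create_vault = false` and any `use_vault` flag true the selected branch indexes `oci_kms_key.key["volume"]` (or `"object"`/`"database"`) on an empty map and the plan fails; gate the policy the same way as the vault, `count = var.create_vault ? 1 : 0`. The disabled branches also leave literal `""` entries in `statements`, which the Identity service is unlikely to accept as a policy statement; wrapping the list, `statements = compact([ ... ])`, sends only the enabled grants. The grants themselves are appropriately narrow (one service principal, one compartment, one `target.key.id`), which is the right shape to keep if more services are added later. A small naming inconsistency: the vault is `join("", [var.prefix, "vault"])` but each key is `join("", [var.prefix, each.key, "-key"])`, so only the keys get a hyphen before the suffix.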