diff --git a/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl b/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl
index b6863ced..5e27853f 100644
--- a/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl
+++ b/deployment/live/gcp/static-ct/cloudbuild/prod/.terraform.lock.hcl
@@ -2,21 +2,21 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/google" {
- version = "6.12.0"
- constraints = "6.12.0"
+ version = "6.28.0"
+ constraints = "6.28.0"
 hashes = [
- "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=",
- "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c",
- "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8",
- "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8",
- "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475",
- "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688",
- "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8",
- "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f",
- "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9",
- "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3",
- "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b",
- "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79",
+ "h1:s/EZB00Y4Mct8G43Vp/X1BpDNGq9j7AbIPBj4icIv0A=",
+ "zh:2528b47d20d378283478feafdf16aade01d56d42c3283d7c904fd7a108f150f0",
+ "zh:36ef5e5b960375a166434f5836b5b957d760c34edfa256133c575e865ff4ee3c",
+ "zh:5fb97ca9465379dc5b965e407c5ccaa6c41fc1984214497fbf5b2bb49a585297",
+ "zh:78d2adcf6623f170aab3956d26d115032fecea11db4f62ee9ee76b67389546f3",
+ "zh:832bb0a957d4d1e664391186791af1cea14e0af878ea12d1b0ce5bb0a5dc98ef",
+ "zh:8c1eee42fd21b64596b72b4808595b6b1e07c3c614990e22b347c35a42360fed",
+ "zh:8fcb3165c29944d4465ce9db93daf2b9c816223bf6fcbd95818814525a706038",
+ "zh:931d05f9ba329942e6888873022e31c458048a8c2a3e42a6d1952337d2f9b240",
+ "zh:b78472cd5750b6d2d363c735a5e8d2a7bb98d0979ab7e42b8c5f9d17a2e5bbb6",
+ "zh:d203df11df368d2316894c481d34be2de9e54d1f90cec0056ef5154d06a9edc7",
 "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fecb0db6ab81777a0f48d315838f911753e9c5d66e22eebd491abd83c49fde2c",
 ]
 }
\ No newline at end of file
diff --git a/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl b/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl
index f5a3aab9..c898d4b9 100644
--- a/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl
+++ b/deployment/live/gcp/static-ct/logs/ci/.terraform.lock.hcl
@@ -2,22 +2,22 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/google" {
- version = "6.12.0"
- constraints = "6.12.0"
+ version = "6.28.0"
+ constraints = "6.28.0"
 hashes = [
- "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=",
- "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c",
- "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8",
- "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8",
- "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475",
- "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688",
- "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8",
- "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f",
- "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9",
- "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3",
- "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b",
- "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79",
+ "h1:s/EZB00Y4Mct8G43Vp/X1BpDNGq9j7AbIPBj4icIv0A=",
+ "zh:2528b47d20d378283478feafdf16aade01d56d42c3283d7c904fd7a108f150f0",
+ "zh:36ef5e5b960375a166434f5836b5b957d760c34edfa256133c575e865ff4ee3c",
+ "zh:5fb97ca9465379dc5b965e407c5ccaa6c41fc1984214497fbf5b2bb49a585297",
+ "zh:78d2adcf6623f170aab3956d26d115032fecea11db4f62ee9ee76b67389546f3",
+ "zh:832bb0a957d4d1e664391186791af1cea14e0af878ea12d1b0ce5bb0a5dc98ef",
+ "zh:8c1eee42fd21b64596b72b4808595b6b1e07c3c614990e22b347c35a42360fed",
+ "zh:8fcb3165c29944d4465ce9db93daf2b9c816223bf6fcbd95818814525a706038",
+ "zh:931d05f9ba329942e6888873022e31c458048a8c2a3e42a6d1952337d2f9b240",
+ "zh:b78472cd5750b6d2d363c735a5e8d2a7bb98d0979ab7e42b8c5f9d17a2e5bbb6",
+ "zh:d203df11df368d2316894c481d34be2de9e54d1f90cec0056ef5154d06a9edc7",
 "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fecb0db6ab81777a0f48d315838f911753e9c5d66e22eebd491abd83c49fde2c",
 ]
 }
diff --git a/deployment/live/gcp/test/.terraform.lock.hcl b/deployment/live/gcp/test/.terraform.lock.hcl
index f5a3aab9..c898d4b9 100644
--- a/deployment/live/gcp/test/.terraform.lock.hcl
+++ b/deployment/live/gcp/test/.terraform.lock.hcl
@@ -2,22 +2,22 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/google" {
- version = "6.12.0"
- constraints = "6.12.0"
+ version = "6.28.0"
+ constraints = "6.28.0"
 hashes = [
- "h1:rvZHMkoxkHrBYQXb/waoZiD2oo3FS1AF8HoWHlb6SN8=",
- "zh:14701aa307a832d99f567b8056a4c5e4ee5a403d984c98f024deee7507a3f29c",
- "zh:344eca00ffb2643c2fa7f52f069b659d50bb4c9369df4cad96ea0fadb54282c8",
- "zh:5fb57c0acfd4d30a39941900040d5518a909d8c975af0c4366a7bfd0d0bb09a8",
- "zh:617a77048a5b9aa568e8bc706cc84307a237b2dd0e49709028b283f8bbe42475",
- "zh:677837a05fefe0342cf4d4bdc494e8fd4d62331cac947820e73df37e8f512688",
- "zh:7b79f6e02474eef4a1480fc6589afb63ed16b25bf019b6056f9838e2845e2ef8",
- "zh:7d891fceb5b15e81240d829f42e1a36e4c812bfc1abe7856756e59101932205f",
- "zh:97f1e0ac799faf382426e070e888fac36b0867597b460dc95b0e7f657de21ba9",
- "zh:9855f2f2f5919ff6a6a2c982439c910d28c8978ad18cd8f549a5d1ba9b4dc4c3",
- "zh:ac551367180eb396af2a50244e80243d333d600a76002e29935262d76a02290b",
- "zh:c354f34e6579933d21a98ce7f31f4ef8aeaceb04cfaedaff6d3f3c0be56b2c79",
+ "h1:s/EZB00Y4Mct8G43Vp/X1BpDNGq9j7AbIPBj4icIv0A=",
+ "zh:2528b47d20d378283478feafdf16aade01d56d42c3283d7c904fd7a108f150f0",
+ "zh:36ef5e5b960375a166434f5836b5b957d760c34edfa256133c575e865ff4ee3c",
+ "zh:5fb97ca9465379dc5b965e407c5ccaa6c41fc1984214497fbf5b2bb49a585297",
+ "zh:78d2adcf6623f170aab3956d26d115032fecea11db4f62ee9ee76b67389546f3",
+ "zh:832bb0a957d4d1e664391186791af1cea14e0af878ea12d1b0ce5bb0a5dc98ef",
+ "zh:8c1eee42fd21b64596b72b4808595b6b1e07c3c614990e22b347c35a42360fed",
+ "zh:8fcb3165c29944d4465ce9db93daf2b9c816223bf6fcbd95818814525a706038",
+ "zh:931d05f9ba329942e6888873022e31c458048a8c2a3e42a6d1952337d2f9b240",
+ "zh:b78472cd5750b6d2d363c735a5e8d2a7bb98d0979ab7e42b8c5f9d17a2e5bbb6",
+ "zh:d203df11df368d2316894c481d34be2de9e54d1f90cec0056ef5154d06a9edc7",
 "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fecb0db6ab81777a0f48d315838f911753e9c5d66e22eebd491abd83c49fde2c",
 ]
 }
diff --git a/deployment/modules/gcp/artifactregistry/main.tf b/deployment/modules/gcp/artifactregistry/main.tf
index 1bc437b7..6f870cd4 100644
--- a/deployment/modules/gcp/artifactregistry/main.tf
+++ b/deployment/modules/gcp/artifactregistry/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "registry.terraform.io/hashicorp/google"
- version = "6.12.0"
+ version = "6.28.0"
 }
 }
 }
diff --git a/deployment/modules/gcp/cloudbuild/conformance/main.tf b/deployment/modules/gcp/cloudbuild/conformance/main.tf
index 8e53c2f2..f40d75bb 100644
--- a/deployment/modules/gcp/cloudbuild/conformance/main.tf
+++ b/deployment/modules/gcp/cloudbuild/conformance/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 google = {
 source = "registry.terraform.io/hashicorp/google"
- version = "6.12.0"
+ version = "6.28.0"
 }
 }
 }
diff --git a/deployment/modules/gcp/cloudbuild/preloaded/main.tf b/deployment/modules/gcp/cloudbuild/preloaded/main.tf
index d1f5545d..c7e51d19 100644
--- a/deployment/modules/gcp/cloudbuild/preloaded/main.tf
+++ b/deployment/modules/gcp/cloudbuild/preloaded/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 google = {
 source = "registry.terraform.io/hashicorp/google"
- version = "6.12.0"
+ version = "6.28.0"
 }
 }
 }
diff --git a/deployment/modules/gcp/cloudrun/main.tf b/deployment/modules/gcp/cloudrun/main.tf
index 92fbade9..6eb404dc 100644
--- a/deployment/modules/gcp/cloudrun/main.tf
+++ b/deployment/modules/gcp/cloudrun/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "registry.terraform.io/hashicorp/google"
- version = "6.12.0"
+ version = "6.28.0"
 }
 }
 }
diff --git a/deployment/modules/gcp/insecuretlskey/README.md b/deployment/modules/gcp/insecuretlskey/README.md
new file mode 100644
index 00000000..71ec8b26
--- /dev/null
+++ b/deployment/modules/gcp/insecuretlskey/README.md
@@ -0,0 +1,3 @@
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
diff --git a/deployment/modules/gcp/insecuretlskey/main.tf b/deployment/modules/gcp/insecuretlskey/main.tf
new file mode 100644
index 00000000..d84f23fd
--- /dev/null
+++ b/deployment/modules/gcp/insecuretlskey/main.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_providers {
+ tls = {
+ source = "hashicorp/tls"
+ version = "4.0.6"
+ }
+ }
+}
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your
+# Terraform state file. Use of this resource for production deployments is not
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "ecdsa_p256" {
+ algorithm = "ECDSA"
+ ecdsa_curve = "P256"
+}
diff --git a/deployment/modules/gcp/insecuretlskey/outputs.tf b/deployment/modules/gcp/insecuretlskey/outputs.tf
new file mode 100644
index 00000000..dccf986b
--- /dev/null
+++ b/deployment/modules/gcp/insecuretlskey/outputs.tf
@@ -0,0 +1,9 @@
+output "tls_private_key_ecdsa_p256_public_key_pem" {
+ value = tls_private_key.ecdsa_p256.public_key_pem
+ sensitive = true
+}
+
+output "tls_private_key_ecdsa_p256_private_key_pem" {
+ value = tls_private_key.ecdsa_p256.private_key_pem
+ sensitive = true
+}
diff --git a/deployment/modules/gcp/secretmanager/main.tf b/deployment/modules/gcp/secretmanager/main.tf
index d68b3355..6306490d 100644
--- a/deployment/modules/gcp/secretmanager/main.tf
+++ b/deployment/modules/gcp/secretmanager/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "registry.terraform.io/hashicorp/google"
- version = "6.12.0"
+ version = "6.28.0"
 }
 }
 }
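Review bot: `version = "4.0.6"` for `hashicorp/tls` is an exact constraint that the roots' `.terraform.lock.hcl` files must also carry, yet the three lockfile hunks in this commit update only the google provider's `version`/`constraints`/`hashes`, and the `tls_private_key` removed from secretmanager/main.tf had no `required_providers` entry, so tls was presumably locked without a constraint until now. If so, `terraform init` in a read-only-lockfile CI job fails until the lockfiles are regenerated (`terraform providers lock` for the platforms CI uses) and committed, which also gives tls the same hash pinning the google bump received; whether a tls entry already exists in those lockfiles is not visible in the hunks shown. The header comment here is accurate and could add one line so readers do not over-trust the outputs: `# sensitive = true on this module's outputs only redacts CLI output; it does not change what is written to state.`.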
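Review bot: `sensitive = true` on `tls_private_key_ecdsa_p256_public_key_pem` marks a public key as secret, which makes Terraform redact it from plan and apply output and taints every expression derived from it, so an operator can no longer confirm from a plan which public key the log's secret will hold. Only the private-key output needs the flag; removing the `sensitive = true` line from the first output keeps the public key reviewable while the second output stays as written. On the private key the flag redacts display only; the value still sits in state through the `tls_private_key` resource, as the README in this commit says.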
@@ -14,19 +14,6 @@ resource "google_project_service" "secretmanager_googleapis_com" {
 disable_on_destroy = false
 }
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your
-# Terraform state file. Use of this resource for production deployments is not
-# recommended.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
- algorithm = "ECDSA"
- ecdsa_curve = "P256"
-}
-
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
 secret_id = "${var.base_name}-ecdsa-p256-public-key"
@@ -44,7 +31,7 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
 secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
- secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+ secret_data = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
@@ -62,7 +49,7 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
 }
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
- secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
-
- secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+ secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
+ secret_data_wo_version = 1
+ secret_data_wo = var.tls_private_key_ecdsa_p256_private_key_pem
 }
diff --git a/deployment/modules/gcp/secretmanager/variables.tf b/deployment/modules/gcp/secretmanager/variables.tf
index 8fbfd505..af6aaa49 100644
--- a/deployment/modules/gcp/secretmanager/variables.tf
+++ b/deployment/modules/gcp/secretmanager/variables.tf
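Review bot: `secret_data_wo_version = 1` in the @@ -62 hunk is a hard-coded trigger, so after the first apply a changed `var.tls_private_key_ecdsa_p256_private_key_pem` (key rotation, or the caller's `tls_private_key` being replaced) is never sent to Secret Manager — a write-only value is not kept in state and is only re-sent when the version argument changes — leaving the private-key secret silently holding the old key while the public-key secret version in the @@ -44 hunk, which uses plain `secret_data`, does update. Exposing the trigger as a module input, `secret_data_wo_version = var.tls_private_key_ecdsa_p256_private_key_wo_version`, backed by a `number` variable defaulting to `1` whose description says to increment it on every rotation, makes that step explicit instead of relying on operators knowing the write-only semantics. Write-only arguments also need Terraform 1.11 or newer, and the terraform block in this file's @@ -2 hunk pins only the provider, so `required_version = ">= 1.11"` there would turn the failure on older CLIs into a clear message.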
@@ -2,3 +2,15 @@ variable "base_name" {
 description = "Base name to use when naming resources"
 type = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+ description = "Public ECDSA key with P256 elliptic curve in PEM format."
+ type = string
+ sensitive = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+ description = "Private ECDSA key with P256 elliptic curve in PEM format."
+ type = string
+ sensitive = true
+}
diff --git a/deployment/modules/gcp/storage/main.tf b/deployment/modules/gcp/storage/main.tf
index 8c95592f..ad26cf41 100644
--- a/deployment/modules/gcp/storage/main.tf
+++ b/deployment/modules/gcp/storage/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "registry.terraform.io/hashicorp/google"
- version = "6.12.0"
+ version = "6.28.0"
 }
 }
 }
diff --git a/deployment/modules/gcp/tesseract/conformance/main.tf b/deployment/modules/gcp/tesseract/conformance/main.tf
index e067fb60..d267f634 100644
--- a/deployment/modules/gcp/tesseract/conformance/main.tf
+++ b/deployment/modules/gcp/tesseract/conformance/main.tf
@@ -14,7 +14,16 @@ module "storage" {
 module "secretmanager" {
 source = "../../secretmanager"
- base_name = var.base_name
+ base_name = var.base_name
+ tls_private_key_ecdsa_p256_public_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+ tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+ source = "../../insecuretlskey"
 }
 module "cloudrun" {
diff --git a/deployment/modules/gcp/tesseract/test/main.tf b/deployment/modules/gcp/tesseract/test/main.tf
index bcb40b58..fb85d2ba 100644
--- a/deployment/modules/gcp/tesseract/test/main.tf
+++ b/deployment/modules/gcp/tesseract/test/main.tf
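Review bot: Both new variables are required inputs with no `default`, so any caller of `../../secretmanager` other than the tesseract/conformance and tesseract/test roots updated in this commit now fails at plan time with a missing-variable error; callers outside this diff are worth checking before merge. The private-key description should say how the value is consumed, since that is what a caller needs to know for rotation: `description = "Private ECDSA key with P256 elliptic curve in PEM format. Written to Secret Manager through a write-only argument, so the secret version resource does not persist it in state."`. The public key is not secret, so `sensitive = true` on the first variable mainly redacts the public-key secret version from plan output; if that is deliberate, a one-line comment saying so would save the next reader a question.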
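Review bot: Feeding `module.insecuretlskey` into `module.secretmanager` within the same root means the write-only `secret_data_wo` path in the secretmanager module gains nothing here: `tls_private_key.ecdsa_p256.private_key_pem` is persisted in this root's state as a resource attribute regardless, which is exactly what the README warns about. That is acceptable for the conformance root, and for the identical wiring in deployment/modules/gcp/tesseract/test/main.tf, but the `# [WARNING]` comment should close the gap so nobody reads `secret_data_wo` as making these roots production-safe: `# The key still lives in this root's state via the tls_private_key resource; secret_data_wo only keeps a second copy out of the secret version's state entry.`. Declaring `module "insecuretlskey"` after the module that references it is valid HCL, though placing it first reads in dependency order.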
@@ -14,5 +14,14 @@ module "storage" {
 module "secretmanager" {
 source = "../../secretmanager"
- base_name = var.base_name
+ base_name = var.base_name
+ tls_private_key_ecdsa_p256_public_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+ tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+ source = "../../insecuretlskey"
 }