Clients: Terraform Provider

DSM Terraform Provider 

Introduction

The Fortanix Data Security Manager (DSM) Terraform Provider exposes the functionality of the Fortanix DSM RESTful API as easy-to-consume, human-readable configuration files. Using the Fortanix DSM Terraform Provider, you do not need to understand how to call the raw Fortanix Data Security Manager APIs.

Download

The Fortanix DSM Terraform Provider is available here.

Prerequisites

Fortanix DSM Setup

To use the Fortanix DSM Terraform Provider, the following must be pre-configured in your environment:

  • The latest Fortanix DSM version deployed.
  • A production/test account or a tenant that is already provisioned within Fortanix DSM.
    • The Username, Password, and Account ID must be available during the Fortanix DSM Terraform Provider initial setup.
    • The Account ID can be found on the Fortanix DSM Settings page (see figure Account_ID.png).

AWS Setup/Permissions (Optional)

To configure an AWS group, the AWS Identity and Access Management (IAM) user whose credentials authenticate the Fortanix DSM group to AWS Key Management Service must hold the following AWS KMS permissions:

"Action": [
    "kms:CancelKeyDeletion",
    "kms:CreateAlias",
    "kms:CreateGrant",
    "kms:CreateKey",
    "kms:DeleteAlias",
    "kms:DeleteImportedKeyMaterial",
    "kms:Describe*",
    "kms:DisableKey",
    "kms:DisableKeyRotation",
    "kms:EnableKey",
    "kms:EnableKeyRotation",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyPair",
    "kms:GenerateDataKeyPairWithoutPlaintext",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateRandom",
    "kms:Get*",
    "kms:ImportKeyMaterial",
    "kms:List*",
    "kms:PutKeyPolicy",
    "kms:RetireGrant",
    "kms:RevokeGrant",
    "kms:ScheduleKeyDeletion",
    "kms:Sign",
    "kms:TagResource",
    "kms:UntagResource",
    "kms:UpdateAlias",
    "kms:Verify"
]
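The list above is only the "Action" element of an IAM statement. As an added example (not Fortanix's own configuration), the following Terraform grants exactly those actions to a dedicated IAM user whose access key the provider's aws_profile argument will use. It assumes the AWS provider is configured elsewhere in the workspace; the user and policy names are placeholders.

```hcl
# Added example: provision the KMS permissions from this page for a dedicated
# integration user. The names "dsm-kms-integration" and "FortanixDsmKms" are
# placeholders chosen for illustration.
data "aws_iam_policy_document" "dsm_kms" {
  statement {
    sid    = "FortanixDsmKmsIntegration"
    effect = "Allow"
    actions = [
      "kms:CancelKeyDeletion",
      "kms:CreateAlias",
      "kms:CreateGrant",
      "kms:CreateKey",
      "kms:DeleteAlias",
      "kms:DeleteImportedKeyMaterial",
      "kms:Describe*",
      "kms:DisableKey",
      "kms:DisableKeyRotation",
      "kms:EnableKey",
      "kms:EnableKeyRotation",
      "kms:GenerateDataKey",
      "kms:GenerateDataKeyPair",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:GenerateRandom",
      "kms:Get*",
      "kms:ImportKeyMaterial",
      "kms:List*",
      "kms:PutKeyPolicy",
      "kms:RetireGrant",
      "kms:RevokeGrant",
      "kms:ScheduleKeyDeletion",
      "kms:Sign",
      "kms:TagResource",
      "kms:UntagResource",
      "kms:UpdateAlias",
      "kms:Verify",
    ]
    # kms:CreateKey, kms:GenerateRandom and the kms:List* calls are not tied
    # to a key ARN, so IAM requires "*" here. Key-scoped actions can be moved
    # to a second statement restricted to specific key ARNs once keys exist.
    resources = ["*"]
  }
}

# A user that exists only for the DSM integration, so the policy is not
# attached to a human account with broader rights.
resource "aws_iam_user" "dsm" {
  name = "dsm-kms-integration"
}

resource "aws_iam_policy" "dsm_kms" {
  name   = "FortanixDsmKms"
  policy = data.aws_iam_policy_document.dsm_kms.json
}

resource "aws_iam_user_policy_attachment" "dsm_kms" {
  user       = aws_iam_user.dsm.name
  policy_arn = aws_iam_policy.dsm_kms.arn
}
```

Create the access key for this user out of band (or with aws_iam_access_key) and supply it to the provider from a secret store or environment variable rather than from a file in version control; the key pair is what the aws_profile argument below expects.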

Usage Reference

terraform {
  required_providers {
    dsm = {
      version = "0.5.15"
      source  = "fortanix/dsm"
    }
  }
}

provider "dsm" {
  endpoint     = <dsm_api_endpoint>
  port         = <dsm_api_port>
  username     = <dsm_username>
  password     = <dsm_password>
  acct_id      = <dsm_account_id>
  insecure     = <true/false>
  api_key      = <DSM App API key>
  aws_profile  = <AWS access key and secret>
  aws_region   = <AWS region>
  azure_region = <Azure region>
}

Argument Reference

The following arguments are supported in the dsm provider block:

  • endpoint: Cluster IP address
  • port (optional): Cluster access port
  • username: Login username
  • password: Login password
  • acct_id: Account / Tenant ID
  • insecure (optional): Disables SSL for the Fortanix DSM connection
  • api_key (optional): The API key of the app used to authenticate to Fortanix DSM
  • aws_profile: The AWS Access Key and Secret Access Key for programmatic (API) access to AWS services
  • aws_region (optional): The AWS region from which keys should be imported; defaults to us-east-1 if not specified
  • azure_region (optional): The Azure region where Fortanix DSM is supported; defaults to us-east if not specified
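The usage reference above shows the credentials as literal placeholders. As an added example (not Fortanix's own code), the following configuration uses only the arguments documented on this page but takes the username, password, and account ID from Terraform variables marked sensitive, so they never sit in main.tf and are redacted from plan output. The variable names are an assumption for this example.

```hcl
terraform {
  required_providers {
    dsm = {
      source  = "fortanix/dsm"
      version = "0.5.15"
    }
  }
}

# Added example: values arrive through TF_VAR_* environment variables or a
# *.tfvars file kept out of version control, not from this file.
variable "dsm_endpoint" {
  type        = string
  description = "Cluster address of the Fortanix DSM API (the endpoint argument)"
}

variable "dsm_username" {
  type      = string
  sensitive = true
}

variable "dsm_password" {
  type      = string
  sensitive = true
}

variable "dsm_acct_id" {
  type        = string
  description = "Account / Tenant ID, taken from the DSM Settings page"
}

provider "dsm" {
  endpoint = var.dsm_endpoint
  username = var.dsm_username
  password = var.dsm_password
  acct_id  = var.dsm_acct_id
  # Leave certificate checking on; set insecure = true only against a
  # non-production cluster whose certificate is not yet trusted.
  insecure = false
}
```

Run it with the secrets in the environment, for example `export TF_VAR_dsm_username=... TF_VAR_dsm_password=...` before `terraform plan`. If the app-level api_key argument is used instead of a user login, give it the same treatment: a sensitive variable, never a literal in the provider block.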

Features

The Fortanix DSM Terraform Provider SDK supports the following operations:

  • Manage app - This operation allows you to create, update, and delete a Fortanix DSM app. It also allows you to assign apps to groups.

  • Manage group - This operation allows you to create, update, and delete a Fortanix DSM group.

  • Manage security object - This operation allows you to create, update, and delete a Fortanix DSM security object. It also allows you to assign security objects to groups, and specify key links, key ops, and key states.

  • Manage AWS group - This operation allows you to create, update, and delete an AWS KMS group in Fortanix DSM.

  • Manage AWS security object - This operation allows you to create, update, and delete a Fortanix DSM security object in the AWS KMS group. It also allows you to specify group, key links, key ops, and key states.

  • Manage Azure group - This operation allows you to create, update, and delete an Azure KMS group in Fortanix DSM.

  • Manage Azure security object - This operation allows you to create, update, and delete a Fortanix DSM security object in the Azure KMS group. It also allows you to specify group, key links, key ops, and key states.

  • Manage Google Cloud Platform EKM - This operation allows you to create, update, and delete a Google EKM App in Fortanix DSM.

  • Rotate security object - This operation allows you to rotate a Fortanix DSM key using the Fortanix DSM Key Rotation feature. A key can be rotated when you want to retire an encryption key and replace that key by generating a new cryptographic key. For more details, refer to the User's Guide: Key Lifecycle Management.

  • Rotate AWS security object - This operation allows:

    • Rotating an AWS native key with another native key.
    • Rotating a Fortanix DSM source key that has linked keys belonging to an AWS group.
    • Rotating an AWS native key to a Fortanix DSM owned key.

    For more details, refer to the User's Guide: AWS External KMS.

  • Key Rotation Policy - This operation allows a Fortanix DSM key rotation to be scheduled for a future time and performed automatically by setting a key rotation policy. For more details, refer to the User's Guide: Key Lifecycle Management.

  • AWS Tags - This operation allows you to create, update, and delete AWS key tags.

  • AWS Aliases - This operation allows you to create, update, and delete AWS key aliases.

  • AWS Key Policy - This operation allows you to create, update, and delete the AWS Key policy. The AWS Policy is the primary way to control access to KMS keys.

  • AWS Schedule Key Deletion - This operation allows you to schedule a key for deletion in the configured AWS KMS.

  • AWS Key links - When a source key is copied from a regular Fortanix DSM group to an AWS group, the source key will appear as a key link in the KEY LINKS tab in the detailed view of the copied key.

  • CSR Generation - This operation allows you to generate a CSR signed by a DSM security object.
  • Create Quorum Policy for Groups - This operation allows you to create a Quorum approval policy for DSM groups. The policy approval is done outside the Terraform Provider.
  • Create Quorum Policy for Accounts - This operation allows you to create a Quorum approval policy for DSM accounts. The policy approval is done outside the Terraform Provider.
  • Secret rotation - This operation allows you to rotate a security object of type "Secret".
  • Add users to a group - This operation allows adding users to a group after group creation.
  • Return public keys in PEM format - This operation allows returning public keys in PEM format.
  • Create and update Cryptographic policy - This operation allows creating and updating Cryptographic policy for DSM accounts and groups.
  • Add plugin to a group - This operation allows creating and associating a plugin to a DSM group.
  • Assign multiple groups to an app with the Authentication method as "Google Service Account".
  • Import keys, upload a signed certificate and private key, and delete the expired certificate.
  • Support for LDAP Authentication of the user.
  • Key Access Justification Policy - This policy allows you to create and update the key access justification reasons for a security object for Google Cloud External Key Manager.

Here, "Manage" means the Create, Update, and Delete operations.

References

For a more detailed guide, refer to the Fortanix Terraform Provider documentation.
