Add support for KMS

deployment/live/gcp/example-gcp/ci/terragrunt.hcl

@@ -11,5 +11,6 @@ inputs = merge(
   include.root.locals,
   {
     example_gcp_docker_image = "us-central1-docker.pkg.dev/trillian-tessera/docker-prod/example-gcp:latest"
+    log_origin = "example-gcp"
   }
 )

deployment/modules/gcp/example-gcp/main.tf

@@ -14,11 +14,38 @@ module "gcs" {
   project_id = var.project_id
 }
 
+##
+## Resources
+##
+
 # Enable Cloud Run API
 resource "google_project_service" "cloudrun_api" {
   service            = "run.googleapis.com"
   disable_on_destroy = false
 }
+resource "google_project_service" "cloudkms_googleapis_com" {
+  service = "cloudkms.googleapis.com"
+}
+
+##
+## KMS for log signing
+##
+resource "google_kms_key_ring" "log_signer" {
+  location = var.location
+  name     = var.base_name
+}
+
+resource "google_kms_crypto_key" "log_signer" {
+  key_ring = google_kms_key_ring.log_signer.id
+  name     = "log_signer"
+  purpose  = "ASYMMETRIC_SIGN"
+  version_template {
+    algorithm = "EC_SIGN_ED25519"
+  }
+}
+resource "google_kms_crypto_key_version" "log_signer" {
+  crypto_key = google_kms_crypto_key.log_signer.id
+}
 
 ###
 ### Set up Cloud Run service
@@ -71,7 +98,8 @@ resource "google_cloud_run_v2_service" "default" {
         "--spanner=projects/${var.project_id}/instances/${module.gcs.log_spanner_instance.name}/databases/${module.gcs.log_spanner_db.name}",
         "--project=${var.project_id}",
         "--listen=:8080",
-        "--signer=./testgcp.sec",
+        "--kms_key=${google_kms_crypto_key_version.log_signer.id}",
+        "--origin=${var.log_origin}",
       ]
       ports {
         container_port = 8080

deployment/modules/gcp/example-gcp/variables.tf

@@ -22,3 +22,8 @@ variable "example_gcp_docker_image" {
   description = "The full image URL (path & tag) for the example-gcp Docker image to deploy"
   type        = string
 }
+
+variable "log_origin" {
+  description = "The origin string for the example log"
+  type        = string
+}