added cryptoHashConfig to deidentifyTemplate #8084

Merged
55 changes: 55 additions & 0 deletions mmv1/products/dlp/DeidentifyTemplate.yaml
Expand Up @@ -987,6 +987,61 @@ properties:
# A side-effect is null values when the field is unused, see: https://github.com/hashicorp/terraform-provider-google/issues/13201
send_empty_value: true
allow_empty_object: true
- !ruby/object:Api::Type::NestedObject
name: cryptoHashConfig
description: |
Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes.
Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
Currently, only string and integer values can be hashed.
See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
properties:
- !ruby/object:Api::Type::NestedObject
name: 'cryptoKey'
description: |
The key used by the encryption function.
properties:
- !ruby/object:Api::Type::NestedObject
name: 'transient'
description: |
Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes.
properties:
- !ruby/object:Api::Type::String
name: 'name'
required: true
description: |
Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- !ruby/object:Api::Type::NestedObject
name: 'unwrapped'
description: |
Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.
properties:
- !ruby/object:Api::Type::String
name: 'key'
required: true
description: |
A 128/192/256 bit key.

A base64-encoded string.
- !ruby/object:Api::Type::NestedObject
name: 'kmsWrapped'
description: |
KMS wrapped key.
Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt
For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key).
Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing).
properties:
- !ruby/object:Api::Type::String
name: 'wrappedKey'
required: true
description: |
The wrapped data crypto key.

A base64-encoded string.
- !ruby/object:Api::Type::String
name: 'cryptoKeyName'
required: true
description: |
The resource name of the KMS CryptoKey to use for unwrapping.
- !ruby/object:Api::Type::NestedObject
name: 'recordTransformations'
description:
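Review bot: the new `key` field under `unwrapped` (and `wrappedKey` under `kmsWrapped`) carries key material but is not marked `sensitive: true`, so the value will be printed in plan output and stored in plain text in state even though the description itself warns that raw keys are "prone to security risks due to accidentally leaking the key"; please mark both fields sensitive. The key-size documentation is also inconsistent within this hunk: the `cryptoHashConfig` description says "The key size must be either 32 or 64 bytes", while the `unwrapped` key description says "A 128/192/256 bit key", which is not the same set of sizes, so one of the two should be corrected or each should say which key source it applies to. Finally, `transient`, `unwrapped` and `kmsWrapped` read as alternative sources for a single key, but nothing in the schema expresses that only one may be set; if the API rejects more than one, an `exactly_one_of` or `conflicts` constraint would surface that at plan time instead of at apply.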
Expand Up @@ -1243,6 +1243,38 @@ resource "google_data_loss_prevention_deidentify_template" "config" {
}
}

transformations {
info_types {
name = "CRYPTO_HASH_TRANSIENT_EXAMPLE"
}

primitive_transformation {
crypto_hash_config {
crypto_key {
transient {
name = "beep" # Copy-pasting from existing test that uses this field
}
}
}
}
}

transformations {
info_types {
name = "CRYPTO_HASH_UNWRAPPED_EXAMPLE"
}

primitive_transformation {
crypto_hash_config {
crypto_key {
unwrapped {
key = "VVdWVWFGZHRXbkUwZERkM0lYb2xRdz09"
}
}
}
}
}

transformations {
info_types {
name = "REDACT_EXAMPLE"
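Review bot: the inline comment `# Copy-pasting from existing test that uses this field` next to `name = "beep"` is a development note rather than documentation of the fixture and should be removed before merge. The `unwrapped` block checks in a literal key (`key = "VVdWVWFGZHRXbkUwZERkM0lYb2xRdz09"`); since the schema text warns about leaking raw keys, a short comment stating that this is a throwaway test value would prevent it being mistaken for, or scanned as, a real key, and it would help to state which of the documented key sizes this value is meant to exercise, given that the schema hunk gives two different size rules.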
Expand Down Expand Up @@ -1369,6 +1401,40 @@ resource "google_data_loss_prevention_deidentify_template" "config" {
}
}

transformations {
info_types {
name = "CRYPTO_HASH_TRANSIENT_UPDATED_EXAMPLE"
}

primitive_transformation {
crypto_hash_config {
crypto_key {
transient {
# update value
name = "beepy-beep-updated"
}
}
}
}
}

transformations {
info_types {
name = "CRYPTO_HASH_WRAPPED_EXAMPLE"
}

primitive_transformation {
crypto_hash_config {
crypto_key {
kms_wrapped {
wrapped_key = "B64/WRAPPED/TOKENIZATION/KEY"
crypto_key_name = "%{kms_key_name}"
}
}
}
}
}

# update to remove transformations block using redact_config
}
}
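Review bot: `wrapped_key = "B64/WRAPPED/TOKENIZATION/KEY"` is a placeholder that cannot actually be a key wrapped by `%{kms_key_name}`; if the API validates the wrapped key against the named KMS CryptoKey when the template is created, this update step will fail, and if it does not, the step only proves that the two fields round-trip through state, which is worth saying in a comment so nobody reads it as a KMS integration test. The test also depends on the context supplying `kms_key_name` and on the test's service account holding the `dlp.kms.encrypt` permission mentioned in the schema description; a note on that precondition would save the next person a failed run. On the positive side, this update config drops the `CRYPTO_HASH_UNWRAPPED_EXAMPLE` transformation from the create step and changes the transient `name`, so removal and in-place update of the new block are both covered.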