Merge pull request #263 from terraform-google-modules/lcaggio-kms-prj
Add IAM cryptDecrypt role to robot service account on specified keys
commit
1a7fe48c46
|
@ -149,6 +149,29 @@ module "project-host" {
|
|||
# tftest:modules=5:resources=12
|
||||
```
|
||||
|
||||
## Cloud KMS ncryption keys
|
||||
```hcl
|
||||
module "project" {
|
||||
source = "./modules/project"
|
||||
name = "my-project"
|
||||
billing_account = "123456-123456-123456"
|
||||
prefix = "foo"
|
||||
services = [
|
||||
"compute.googleapis.com",
|
||||
"storage.googleapis.com"
|
||||
]
|
||||
service_encryption_key_ids = {
|
||||
compute = [
|
||||
"projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce",
|
||||
"projects/kms-central-prj/locations/europe-west4/keyRings/my-keyring/cryptoKeys/europe4-gce"
|
||||
]
|
||||
storage = [
|
||||
"projects/kms-central-prj/locations/europe/keyRings/my-keyring/cryptoKeys/europe-gcs"
|
||||
]
|
||||
}
|
||||
}
|
||||
# tftest:modules=1:resources=6
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
@ -177,6 +200,7 @@ module "project-host" {
|
|||
| *prefix* | Prefix used to generate project id and name. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *project_create* | Create project. When set to false, uses a data source to reference existing project. | <code title="">bool</code> | | <code title="">true</code> |
|
||||
| *service_config* | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({...})</code> | | <code title="{ disable_on_destroy = true disable_dependent_services = true }">...</code> |
|
||||
| *service_encryption_key_ids* | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *service_perimeter_bridges* | Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | <code title="list(string)">list(string)</code> | | <code title="">null</code> |
|
||||
| *service_perimeter_standard* | Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *services* | Service APIs to enable. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
||||
|
|
|
@ -65,6 +65,14 @@ locals {
|
|||
if sink.iam && sink.type == type
|
||||
}
|
||||
}
|
||||
service_encryption_key_ids = flatten([
|
||||
for service in keys(var.service_encryption_key_ids) : [
|
||||
for key in var.service_encryption_key_ids[service] : {
|
||||
service = service
|
||||
key = key
|
||||
}
|
||||
]
|
||||
])
|
||||
}
|
||||
|
||||
data "google_project" "project" {
|
||||
|
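Review bot: The nested comprehension in the new `service_encryption_key_ids` local iterates `keys(var.service_encryption_key_ids)` and then re-indexes the map on every inner pass; iterating the map's key/value pairs directly reads more plainly and avoids the second lookup: `for service, key_ids in var.service_encryption_key_ids : [` followed by `for key in key_ids : {`. The `locals` block this is added to begins outside the hunk, and the `data "google_project"` block at its end continues past it.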
@ -356,3 +364,12 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
|
|||
perimeter_name = each.value
|
||||
resource = "projects/${local.project.number}"
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key_iam_member" "crypto_key" {
|
||||
for_each = {
|
||||
for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
|
||||
}
|
||||
crypto_key_id = each.value.key
|
||||
role = "roles/cloudkms.cryptoKeyEncrypter"
|
||||
member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
|
||||
}
|
||||
|
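Review bot: The new `google_kms_crypto_key_iam_member.crypto_key` binding grants only `roles/cloudkms.cryptoKeyEncrypter`, while the commit title describes a decrypt grant; a service agent that protects data at rest with a customer-managed key also has to decrypt it on read, so an encrypt-only binding is not sufficient for the Compute and Storage use case shown in the README example. The role usually given to service agents for CMEK is `roles/cloudkms.cryptoKeyEncrypterDecrypter`, i.e. `role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"`. Separately, `local.service_accounts_robots[each.value.service]` fails with a bare invalid-index error when a SERVICE key in `var.service_encryption_key_ids` is not a key of that map; a `lookup()` with an explicit fallback or a `validation` block on the variable (if the module's minimum Terraform version allows it, which the hunk does not show) would give operators a clearer message.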
|
|
@ -39,3 +39,13 @@ locals {
|
|||
service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
|
||||
}
|
||||
}
|
||||
|
||||
data "google_storage_project_service_account" "gcs_account" {
|
||||
count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
|
||||
project = local.project.project_id
|
||||
}
|
||||
|
||||
data "google_bigquery_default_service_account" "bq_sa" {
|
||||
count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
|
||||
project = local.project.project_id
|
||||
}
|
||||
|
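Review bot: `count = try(var.services["storage.googleapis.com"], false) ? 1 : 0` can never evaluate to 1 if `var.services` is the `list(string)` documented in the README hunk of this commit: indexing a list with a string key is an error, `try()` converts that error into `false`, so `gcs_account` is silently never created, and the same applies to `bq_sa` below it. The membership test the code seems to intend is `count = contains(var.services, "storage.googleapis.com") ? 1 : 0` (and `"bigquery.googleapis.com"` for the BigQuery block). I cannot see from the hunk whether either data source is consumed anywhere; the KMS binding in the other hunk reads `local.service_accounts_robots`, so if these are meant to replace the derived names for GCS and BigQuery, that wiring still appears to be missing.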
|
|
@ -148,6 +148,12 @@ variable "service_config" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "service_encryption_key_ids" {
|
||||
description = "Cloud KMS encryption key in {SERVICE => [KEY_URL]} format."
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "shared_vpc_host_config" {
|
||||
description = "Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project)."
|
||||
type = object({
|
||||
|
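Review bot: The description of the new `service_encryption_key_ids` variable does not say which SERVICE identifiers are accepted or what a KEY_URL looks like, and a wrong key only surfaces as an index error in the IAM member resource; the README example in this commit uses `compute` and `storage` with full cryptoKey resource names. A description such as `"Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. SERVICE is a key of the module's robot service account map (e.g. compute, storage); KEY_URL is the full cryptoKey resource name."` would make the contract visible in the generated docs; the exact accepted set lives in `local.service_accounts_robots`, whose definition is outside this diff.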
@ -192,7 +198,6 @@ variable "logging_exclusions" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
|
||||
variable "contacts" {
|
||||
description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES"
|
||||
type = map(list(string))
|
||||
|
@ -205,7 +210,6 @@ variable "service_perimeter_standard" {
|
|||
default = null
|
||||
}
|
||||
|
||||
|
||||
variable "service_perimeter_bridges" {
|
||||
description = "Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'."
|
||||
type = list(string)
|
||||
|
|