diff --git a/modules/project/README.md b/modules/project/README.md
index 8000082e..281a7776 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -149,6 +149,29 @@ module "project-host" {
# tftest:modules=5:resources=12
```
+## Cloud KMS ncryption keys
+```hcl
+module "project" {
+ source = "./modules/project"
+ name = "my-project"
+ billing_account = "123456-123456-123456"
+ prefix = "foo"
+ services = [
+ "compute.googleapis.com",
+ "storage.googleapis.com"
+ ]
+ service_encryption_key_ids = {
+ compute = [
+ "projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce",
+ "projects/kms-central-prj/locations/europe-west4/keyRings/my-keyring/cryptoKeys/europe4-gce"
+ ]
+ storage = [
+ "projects/kms-central-prj/locations/europe/keyRings/my-keyring/cryptoKeys/europe-gcs"
+ ]
+ }
+}
+# tftest:modules=1:resources=6
+```
## Variables
@@ -177,6 +200,7 @@ module "project-host" {
| *prefix* | Prefix used to generate project id and name. | string
| | null
|
| *project_create* | Create project. When set to false, uses a data source to reference existing project. | bool
| | true
|
| *service_config* | Configure service API activation. | object({...})
| | ...
|
+| *service_encryption_key_ids* | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string))
| | {}
|
| *service_perimeter_bridges* | Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | list(string)
| | null
|
| *service_perimeter_standard* | Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | string
| | null
|
| *services* | Service APIs to enable. | list(string)
| | []
|
diff --git a/modules/project/main.tf b/modules/project/main.tf
index 4f07a595..80b8b7c3 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -65,6 +65,14 @@ locals {
if sink.iam && sink.type == type
}
}
+ service_encryption_key_ids = flatten([
+ for service in keys(var.service_encryption_key_ids) : [
+ for key in var.service_encryption_key_ids[service] : {
+ service = service
+ key = key
+ }
+ ]
+ ])
}
data "google_project" "project" {
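Review bot: `local.service_encryption_key_ids` keeps duplicate key URLs, and the resource added further down in this file derives its `for_each` map keys from `service.key`, so a repeated URL inside one service's list fails at plan time with a duplicate-object-key error instead of being ignored. Iterating over `distinct(var.service_encryption_key_ids[service])` on the inner `for` line avoids that. The `locals` block this hunk belongs to starts outside the hunk.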
@@ -356,3 +364,12 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
perimeter_name = each.value
resource = "projects/${local.project.number}"
}
+
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
+ for_each = {
+ for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
+ }
+ crypto_key_id = each.value.key
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+ member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
+}
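Review bot: `roles/cloudkms.cryptoKeyEncrypter` on the `role` line only grants encrypt; the Compute and Storage service agents also have to decrypt CMEK-protected disks and objects, which is why Google's CMEK setup for those services requires `roles/cloudkms.cryptoKeyEncrypterDecrypter` — as written, reads of the encrypted data would fail with a permission error. The `member` line also indexes `local.service_accounts_robots` with the user-supplied service name, so an unknown SERVICE key (or a typo) surfaces as a map-index error at plan time rather than a clear validation message. Finally, the GCS and BigQuery data sources added in service_accounts.tf in this commit do not appear to be used here; if their agent emails differ from the generic pattern built in `service_accounts_robots`, the member for those services is presumably wrong and should come from those data sources instead. Please confirm the intended role and wire the data sources in, or drop them.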
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index a801a8e0..f949f33f 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
@@ -39,3 +39,13 @@ locals {
service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
}
}
+
+data "google_storage_project_service_account" "gcs_account" {
+ count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
+ project = local.project.project_id
+}
+
+data "google_bigquery_default_service_account" "bq_sa" {
+ count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
+ project = local.project.project_id
+}
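Review bot: `try(var.services["storage.googleapis.com"], false)` on the first `count` line can never be true: `var.services` is a `list(string)` (see the variables table in this commit's README hunk), indexing a list with a string key is an error, and `try` turns that error into `false`, so both data sources always have `count = 0`. The membership test should be `count = contains(var.services, "storage.googleapis.com") ? 1 : 0` and `count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0`. Neither data source is referenced by the new `google_kms_crypto_key_iam_member` resource in main.tf, so even with the fix their exported service-agent emails are unused; either consume them there or leave them out.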
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index fa4c84da..d4f917b3 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -148,6 +148,12 @@ variable "service_config" {
}
}
+variable "service_encryption_key_ids" {
+ description = "Cloud KMS encryption key in {SERVICE => [KEY_URL]} format."
+ type = map(list(string))
+ default = {}
+}
+
variable "shared_vpc_host_config" {
description = "Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project)."
type = object({
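Review bot: The `description` says "encryption key" in the singular while the type is `map(list(string))`, and it does not tell the caller that the SERVICE keys must match the names used for the project's service agents (the README example uses `compute` and `storage`); an unrecognised name only fails later as a map-index error in main.tf. Suggested text: `description = "Cloud KMS encryption keys in {SERVICE => [KEY_URL]} format. SERVICE must be one of the service agent names known to this module (e.g. compute, storage)."`. If the module's minimum Terraform version supports `validation` blocks, a condition checking each KEY_URL against the `projects/.../locations/.../keyRings/.../cryptoKeys/...` shape shown in the README would catch malformed key ids before the IAM binding is attempted.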
@@ -192,7 +198,6 @@ variable "logging_exclusions" {
default = {}
}
-
variable "contacts" {
description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES"
type = map(list(string))
@@ -205,7 +210,6 @@ variable "service_perimeter_standard" {
default = null
}
-
variable "service_perimeter_bridges" {
description = "Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'."
type = list(string)