Add cmek support on google_vertex_ai_metadata_store.

2023-03-09 09:13:21 +01:00 · 2023-03-09 09:13:21 +01:00 · 3f9bbc2e5c
parent 1671c5b4f3
commit 3f9bbc2e5c
4 changed files with 21 additions and 12 deletions
--- a/blueprints/data-solutions/bq-ml/datastorage.tf
+++ b/blueprints/data-solutions/bq-ml/datastorage.tf
@ -28,5 +28,5 @@ module "dataset" {
  project_id     = module.project.project_id
  id             = "${replace(var.prefix, "-", "_")}_data"
  encryption_key = try(local.service_encryption_keys.bq, null) # Example assignment of an encryption key
-  location       = "US"
+  location       = var.location
 }
--- a/blueprints/data-solutions/bq-ml/main.tf
+++ b/blueprints/data-solutions/bq-ml/main.tf
@ -55,9 +55,10 @@ module "project" {
    host_project = local.shared_vpc_project
  }
  service_encryption_key_ids = {
-    compute = [try(local.service_encryption_keys.compute, null)]
-    bq      = [try(local.service_encryption_keys.bq, null)]
-    storage = [try(local.service_encryption_keys.storage, null)]
+    aiplatform = [try(local.service_encryption_keys.compute, null)]
+    compute    = [try(local.service_encryption_keys.compute, null)]
+    bq         = [try(local.service_encryption_keys.bq, null)]
+    storage    = [try(local.service_encryption_keys.storage, null)]
  }
  service_config = {
    disable_on_destroy = false, disable_dependent_services = false
--- a/blueprints/data-solutions/bq-ml/variables.tf
+++ b/blueprints/data-solutions/bq-ml/variables.tf
@ -52,9 +52,10 @@ variable "region" {
 variable "service_encryption_keys" {
  description = "Cloud KMS to use to encrypt different services. The key location should match the service region."
  type = object({
-    bq      = string
-    compute = string
-    storage = string
+    aiplatform = optional(string, null)
+    bq         = optional(string, null)
+    compute    = optional(string, null)
+    storage    = optional(string, null)
  })
  default = null
 }
--- a/blueprints/data-solutions/bq-ml/vertex.tf
+++ b/blueprints/data-solutions/bq-ml/vertex.tf
@ -17,13 +17,20 @@
 resource "google_vertex_ai_metadata_store" "store" {
  provider    = google-beta
  project     = module.project.project_id
-  name        = "default" #"${var.prefix}-metadata-store"
+  name        = "default"
  description = "Vertex Ai Metadata Store"
  region      = var.region
-  #TODO Check/Implement P4SA logic for IAM role
-  # encryption_spec {
-  #   kms_key_name = var.service_encryption_keys.ai_metadata_store
-  # }
+  dynamic "encryption_spec" {
+    for_each = try(var.service_encryption_keys.aiplatform, null) == null ? [] : [""]
+
+    content {
+      kms_key_name = try(var.service_encryption_keys.aiplatform, null)
+    }
+  }
+  # `state` value will be decided automatically based on the result of the configuration
+  lifecycle {
+    ignore_changes = [state]
+  }
 }

 module "service-account-notebook" {