From 476d2c79e972ec91a5f1b72ea79a00ce372d81d3 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Fri, 11 Jun 2021 16:00:20 +0200
Subject: [PATCH] Add IAM cryptDecrypt role to robo service account on specified keys

---
 modules/project/main.tf | 17 +++++++++++++++++
 modules/project/service_accounts.tf | 11 +++++++++++
 modules/project/variables.tf | 6 ++++++
 3 files changed, 34 insertions(+)

diff --git a/modules/project/main.tf b/modules/project/main.tf
index 4f07a595..c13e7bd3 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -65,6 +65,14 @@ locals {
 if sink.iam && sink.type == type
 }
 }
+ service_encryption_key_ids_flatten = flatten([
+ for service in keys(var.service_encryption_key_ids) : [
+ for key in var.service_encryption_key_ids[service] : {
+ service = service
+ key = key
+ }
+ ]
+ ])
 }
 
 data "google_project" "project" {
@@ -356,3 +364,12 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
 perimeter_name = each.value
 resource = "projects/${local.project.number}"
 }
+
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
+ for_each = {
+ for service_key in local.service_encryption_key_ids_flatten : "${service_key.service}.${service_key.key}" => service_key
+ }
+ crypto_key_id = each.value.key
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+ member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
+}
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index b0a64017..e136eb1c 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
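Review bot: The role granted by the new `google_kms_crypto_key_iam_member` resource, `roles/cloudkms.cryptoKeyEncrypter`, does not match the commit subject (cryptDecrypt) and is not enough for a service agent to read back data it wrote under a customer-managed key; CMEK-backed services need `role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"`. The `member` lookup `local.service_accounts_robots[each.value.service]` aborts the plan with an index error for any service name missing from that map, and the `gcs_account`/`bq_sa` data sources added in service_accounts.tf are not referenced here, so GCS and BigQuery — whose service agents presumably do not follow the `service-<number>@<name>.iam.gserviceaccount.com` pattern of that map — cannot yet be given a key through this variable; consider merging those two accounts into the map or using `lookup(local.service_accounts_robots, each.value.service, null)` with an explicit error. Using the additive `_iam_member` resource rather than an authoritative `_iam_binding` is the right choice, since the keys may live outside this module and existing grants on them are left intact.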
@@ -40,3 +40,14 @@ locals {
 service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
 }
 }
+
+data "google_storage_project_service_account" "gcs_account" {
+ count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
+ project = local.project.project_id
+}
+
+data "google_bigquery_default_service_account" "bq_sa" {
+ count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
+
+ project = local.project.project_id
+}
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index fa4c84da..8096afd4 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -148,6 +148,12 @@ variable "service_config" {
 }
 }
 
+variable "service_encryption_key_ids" {
+ description = "Cloud KMS encryption key in {SERVICE => [KEY_URL]} format."
+ type = map(list(string))
+ default = {}
+}
+
 variable "shared_vpc_host_config" {
 description = "Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project)."
 type = object({
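Review bot: The `count` guards on the two new data sources index `var.services` with a string key inside `try(...)`; if `var.services` is a list of service names (its type is not visible in this patch), that index is always an error, `try` silently yields `false`, and both counts are always 0, so the test should be `count = contains(var.services, "storage.googleapis.com") ? 1 : 0` (and likewise for BigQuery). Neither `gcs_account` nor `bq_sa` is referenced anywhere else in this patch, so if the intent is to feed their service-agent emails into `local.service_accounts_robots` for the KMS grant in main.tf, that wiring is still missing and the data sources are dead weight until it lands. The `locals` block this hunk extends starts outside the hunk.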
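Review bot: The description of `service_encryption_key_ids` says `KEY_URL`, but each value is passed straight to `crypto_key_id` of `google_kms_crypto_key_iam_member`, which takes a crypto key resource id rather than a URL, and the map keys must be service names that resolve in the module's robot service account map. Suggested: `description = "Cloud KMS encryption keys in {SERVICE => [KEY_ID]} format, where KEY_ID is the full crypto key resource id (projects/.../locations/.../keyRings/.../cryptoKeys/...) and SERVICE is a service name that has a robot service account in this module."`. A `validation` block checking that every id matches that path shape would turn a malformed entry into a plan-time error instead of an API failure at apply.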