Merge pull request #264 from terraform-google-modules/lcaggio-kms-002

Add Service Identity for Secret Manager

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
  - Fix `message_retention_duration` variable type in `pubsub` module
  - Move `bq` robot service account into the robot service account project output
  - Add IAM cryptDecrypt role to robot service account on specified keys
+ - Add Service Identity creation on `project' module if secretmanager enabled
 
 ## [4.9.0] - 2021-06-04
 

modules/project/README.md

@@ -149,7 +149,7 @@ module "project-host" {
 # tftest:modules=5:resources=12
 ```
 
-## Cloud KMS ncryption keys
+## Cloud KMS encryption keys
 ```hcl
 module "project" {
   source          = "./modules/project"
@@ -170,7 +170,7 @@ module "project" {
     ]
   }
 }
-# tftest:modules=1:resources=6
+# tftest:modules=1:resources=7
 ```
 
 <!-- BEGIN TFDOC -->

modules/project/main.tf

@@ -370,6 +370,13 @@ resource "google_kms_crypto_key_iam_member" "crypto_key" {
     for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
   }
   crypto_key_id = each.value.key
-  role          = "roles/cloudkms.cryptoKeyEncrypter"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member        = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
+  depends_on = [
+    google_project.project,
+    google_project_service.project_services,
+    data.google_bigquery_default_service_account.bq_sa,
+    data.google_project.project,
+    data.google_storage_project_service_account.gcs_sa,
+  ]
 }

modules/project/outputs.tf

@@ -23,7 +23,8 @@ output "project_id" {
     google_project_organization_policy.boolean,
     google_project_organization_policy.list,
     google_project_service.project_services,
-    google_compute_shared_vpc_service_project.service_projects
+    google_compute_shared_vpc_service_project.service_projects,
+    google_kms_crypto_key_iam_member.crypto_key
   ]
 }
 
@@ -34,7 +35,8 @@ output "name" {
     google_project_organization_policy.boolean,
     google_project_organization_policy.list,
     google_project_service.project_services,
-    google_compute_shared_vpc_service_project.service_projects
+    google_compute_shared_vpc_service_project.service_projects,
+    google_kms_crypto_key_iam_member.crypto_key
   ]
 }
 
@@ -45,7 +47,8 @@ output "number" {
     google_project_organization_policy.boolean,
     google_project_organization_policy.list,
     google_project_service.project_services,
-    google_compute_shared_vpc_service_project.service_projects
+    google_compute_shared_vpc_service_project.service_projects,
+    google_kms_crypto_key_iam_member.crypto_key
   ]
 }
 
@@ -56,7 +59,10 @@ output "service_accounts" {
     default        = local.service_accounts_default
     robots         = local.service_accounts_robots
   }
-  depends_on = [google_project_service.project_services]
+  depends_on = [
+    google_project_service.project_services,
+    google_kms_crypto_key_iam_member.crypto_key
+  ]
 }
 
 output "custom_roles" {

modules/project/service_accounts.tf

@@ -32,6 +32,7 @@ locals {
     gae-flex          = "gae-api-prod"
     gcf               = "gcf-admin-robot"
     pubsub            = "gcp-sa-pubsub"
+    secretmanager     = "gcp-sa-secretmanager"
     storage           = "gs-project-accounts"
   }
   service_accounts_robots = {
@@ -40,12 +41,23 @@ locals {
   }
 }
 
-data "google_storage_project_service_account" "gcs_account" {
-  count   = try(var.services["storage.googleapis.com"], false) ? 1 : 0
-  project = local.project.project_id
+data "google_storage_project_service_account" "gcs_sa" {
+  count      = contains(var.services, "storage.googleapis.com") ? 1 : 0
+  project    = local.project.project_id
+  depends_on = [google_project_service.project_services]
 }
 
 data "google_bigquery_default_service_account" "bq_sa" {
-  count   = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
-  project = local.project.project_id
+  count      = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
+  project    = local.project.project_id
+  depends_on = [google_project_service.project_services]
+}
+
+# Secret Manager SA created just in time, we need to trigger the creation.
+resource "google_project_service_identity" "sm_sa" {
+  provider   = google-beta
+  count      = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
+  project    = local.project.project_id
+  service    = "secretmanager.googleapis.com"
+  depends_on = [google_project_service.project_services]
 }

tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py

@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner(FIXTURES_DIR)
   assert len(modules) == 5
-  assert len(resources) == 17
+  assert len(resources) == 18

tests/data_solutions/gcs_to_bq_with_dataflow/test_plan.py

@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner(FIXTURES_DIR)
   assert len(modules) == 14
-  assert len(resources) == 61
+  assert len(resources) == 62

tests/foundations/business_units/test_plan.py

@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner(FIXTURES_DIR)
   assert len(modules) == 8
-  assert len(resources) == 82
+  assert len(resources) == 83