Merge branch 'master' into ncc

2023-03-09 13:10:36 +01:00 · 2023-03-09 13:10:36 +01:00 · 7eb9fbf676
parent 3e85175f67 ec016edfbb
commit 7eb9fbf676
6 changed files with 24 additions and 14 deletions
--- a/blueprints/data-solutions/bq-ml/README.md
+++ b/blueprints/data-solutions/bq-ml/README.md
@ -69,8 +69,8 @@ To run the demo:
 | [location](variables.tf#L17) | The location where resources will be deployed. | <code>string</code> |  | <code>&#34;US&#34;</code> |
 | [project_create](variables.tf#L32) | Provide values if project creation is needed, use existing project if null. Parent format:  folders/folder_id or organizations/org_id. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  parent             &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [region](variables.tf#L46) | The region where resources will be deployed. | <code>string</code> |  | <code>&#34;us-central1&#34;</code> |
-| [service_encryption_keys](variables.tf#L52) | Cloud KMS to use to encrypt different services. The key location should match the service region. | <code title="object&#40;&#123;&#10;  bq      &#61; string&#10;  compute &#61; string&#10;  storage &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_config](variables.tf#L62) | Shared VPC network configurations to use. If null networks will be created in projects with pre-configured values. | <code title="object&#40;&#123;&#10;  host_project      &#61; string&#10;  network_self_link &#61; string&#10;  subnet_self_link  &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [service_encryption_keys](variables.tf#L52) | Cloud KMS to use to encrypt different services. The key location should match the service region. | <code title="object&#40;&#123;&#10;  aiplatform &#61; optional&#40;string, null&#41;&#10;  bq         &#61; optional&#40;string, null&#41;&#10;  compute    &#61; optional&#40;string, null&#41;&#10;  storage    &#61; optional&#40;string, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_config](variables.tf#L63) | Shared VPC network configurations to use. If null networks will be created in projects with pre-configured values. | <code title="object&#40;&#123;&#10;  host_project      &#61; string&#10;  network_self_link &#61; string&#10;  subnet_self_link  &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |

 ## Outputs

--- a/blueprints/data-solutions/bq-ml/datastorage.tf
+++ b/blueprints/data-solutions/bq-ml/datastorage.tf
@ -28,5 +28,5 @@ module "dataset" {
  project_id     = module.project.project_id
  id             = "${replace(var.prefix, "-", "_")}_data"
  encryption_key = try(local.service_encryption_keys.bq, null) # Example assignment of an encryption key
-  location       = "US"
+  location       = var.location
 }
--- a/blueprints/data-solutions/bq-ml/main.tf
+++ b/blueprints/data-solutions/bq-ml/main.tf
@ -55,9 +55,10 @@ module "project" {
    host_project = local.shared_vpc_project
  }
  service_encryption_key_ids = {
-    compute = [try(local.service_encryption_keys.compute, null)]
-    bq      = [try(local.service_encryption_keys.bq, null)]
-    storage = [try(local.service_encryption_keys.storage, null)]
+    aiplatform = [try(local.service_encryption_keys.compute, null)]
+    compute    = [try(local.service_encryption_keys.compute, null)]
+    bq         = [try(local.service_encryption_keys.bq, null)]
+    storage    = [try(local.service_encryption_keys.storage, null)]
  }
  service_config = {
    disable_on_destroy = false, disable_dependent_services = false
--- a/blueprints/data-solutions/bq-ml/variables.tf
+++ b/blueprints/data-solutions/bq-ml/variables.tf
@ -52,9 +52,10 @@ variable "region" {
 variable "service_encryption_keys" {
  description = "Cloud KMS to use to encrypt different services. The key location should match the service region."
  type = object({
-    bq      = string
-    compute = string
-    storage = string
+    aiplatform = optional(string, null)
+    bq         = optional(string, null)
+    compute    = optional(string, null)
+    storage    = optional(string, null)
  })
  default = null
 }
--- a/blueprints/data-solutions/bq-ml/vertex.tf
+++ b/blueprints/data-solutions/bq-ml/vertex.tf
@ -17,13 +17,20 @@
 resource "google_vertex_ai_metadata_store" "store" {
  provider    = google-beta
  project     = module.project.project_id
-  name        = "default" #"${var.prefix}-metadata-store"
+  name        = "default"
  description = "Vertex Ai Metadata Store"
  region      = var.region
-  #TODO Check/Implement P4SA logic for IAM role
-  # encryption_spec {
-  #   kms_key_name = var.service_encryption_keys.ai_metadata_store
-  # }
+  dynamic "encryption_spec" {
+    for_each = try(var.service_encryption_keys.aiplatform, null) == null ? [] : [""]
+
+    content {
+      kms_key_name = try(var.service_encryption_keys.aiplatform, null)
+    }
+  }
+  # `state` value will be decided automatically based on the result of the configuration
+  lifecycle {
+    ignore_changes = [state]
+  }
 }

 module "service-account-notebook" {
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@ -25,6 +25,7 @@ locals {
    "dataflow" : ["dataflow", "compute"]
  }
  _service_accounts_robot_services = {
+    aiplatform        = "service-%s@gcp-sa-aiplatform"
    apigee            = "service-%s@gcp-sa-apigee"
    artifactregistry  = "service-%s@gcp-sa-artifactregistry"
    bq                = "bq-%s@bigquery-encryption"