Add KMS on CloudSQL module
parent
1cfb5dcaec
commit
a3f03ac213
@ -93,6 +93,59 @@ module "db" {
|
|||
}
|
||||
# tftest modules=1 resources=6
|
||||
```
|
||||
|
||||
### CMEK encryption pippo
|
||||
```hcl
|
||||
|
||||
module "project" {
|
||||
source = "./modules/project"
|
||||
billing_account = var.billing_account_id
|
||||
parent = var.organization_id
|
||||
name = "my-db-project"
|
||||
services = [
|
||||
"servicenetworking.googleapis.com"
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_project_service_identity" "jit_si" {
|
||||
provider = google-beta
|
||||
project = module.project.project_id
|
||||
service = "sqladmin.googleapis.com"
|
||||
}
|
||||
|
||||
module "kms" {
|
||||
source = "./modules/kms"
|
||||
project_id = module.project.project_id
|
||||
keyring = {
|
||||
name = "keyring"
|
||||
location = var.region
|
||||
}
|
||||
keys = {
|
||||
key-sql = null
|
||||
}
|
||||
key_iam = {
|
||||
key-sql = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
|
||||
"serviceAccount:${google_project_service_identity.jit_si.email}"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "db" {
|
||||
source = "./modules/cloudsql-instance"
|
||||
project_id = module.project.project_id
|
||||
encryption_key_name = module.kms.keys["key-sql"].id
|
||||
network = var.vpc.self_link
|
||||
name = "db"
|
||||
region = var.region
|
||||
database_version = "POSTGRES_13"
|
||||
tier = "db-g1-small"
|
||||
}
|
||||
|
||||
# tftest modules=3 resources=8
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
@ -43,10 +43,12 @@ locals {
|
|||
}
|
||||
|
||||
resource "google_sql_database_instance" "primary" {
|
||||
provider = google-beta
|
||||
project = var.project_id
|
||||
name = "${local.prefix}${var.name}"
|
||||
region = var.region
|
||||
database_version = var.database_version
|
||||
encryption_key_name = var.encryption_key_name
|
||||
|
||||
settings {
|
||||
tier = var.tier
|
||||
|
@ -104,11 +106,13 @@ resource "google_sql_database_instance" "primary" {
|
|||
}
|
||||
|
||||
resource "google_sql_database_instance" "replicas" {
|
||||
for_each = local.has_replicas ? var.replicas : {}
|
||||
provider = google-beta
|
||||
for_each = length(var.replicas) > 0 ? var.replicas : {}
|
||||
project = var.project_id
|
||||
name = "${local.prefix}${each.key}"
|
||||
region = each.value
|
||||
region = each.value.region
|
||||
database_version = var.database_version
|
||||
encryption_key_name = each.value.encryption_key_name
|
||||
master_instance_name = google_sql_database_instance.primary.name
|
||||
|
||||
settings {
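Review bot: `encryption_key_name = each.value.encryption_key_name` on the `replicas` resource is passed through with no relation to the primary's key, so a replica can be declared without CMEK (or with a key in the wrong region) while the primary uses `var.encryption_key_name`; as far as I recall Cloud SQL requires replicas of a CMEK-encrypted primary to be CMEK-encrypted with a key in the replica's own region, and that mismatch would only surface as an API error at apply time. A `lifecycle { precondition }` on the replica (Terraform ≥ 1.2), sketched below, moves that failure to plan time. Separately, `for_each = length(var.replicas) > 0 ? var.replicas : {}` is equivalent to `for_each = var.replicas` now that the default is `{}`, and `length(null)` errors, so the conditional no longer covers the null case the removed `local.has_replicas` presumably did. The `replicas` resource block continues past the end of the hunk.
```hcl
  encryption_key_name  = each.value.encryption_key_name
  master_instance_name = google_sql_database_instance.primary.name

  lifecycle {
    precondition {
      condition     = var.encryption_key_name == null || each.value.encryption_key_name != null
      error_message = "Replica ${each.key} must set encryption_key_name (a key in the replica's region) when the primary is CMEK-encrypted."
    }
  }
  # … unchanged: settings block …
```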
|
||||
|
@ -66,6 +66,19 @@ output "ips" {
|
|||
}
|
||||
}
|
||||
|
||||
output "name" {
|
||||
description = "Name of the primary instance."
|
||||
value = google_sql_database_instance.primary.name
|
||||
}
|
||||
|
||||
output "names" {
|
||||
description = "Names of all instances."
|
||||
value = {
|
||||
for id, instance in local._all_intances :
|
||||
id => instance.name
|
||||
}
|
||||
}
|
||||
|
||||
output "self_link" {
|
||||
description = "Self link of the primary instance."
|
||||
value = google_sql_database_instance.primary.self_link
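Review bot: The new `names` output indexes `local._all_intances`, a misspelled identifier whose definition is outside this hunk (presumably the `locals` in main.tf); since this output is new public surface, rename the local to `_all_instances` at its definition and here rather than letting the typo spread to further references. It would also help callers to say in the description what the map is keyed by, e.g. `description = "Names of all instances, keyed by the same ids used for replicas (plus the primary)."`, if that is how the local is built — I cannot confirm that from this hunk.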
|
||||
|
@ -76,6 +76,12 @@ variable "disk_type" {
|
|||
default = "PD_SSD"
|
||||
}
|
||||
|
||||
variable "encryption_key_name" {
|
||||
description = "The full path to the encryption key used for the CMEK disk encryption."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "flags" {
|
||||
description = "Map FLAG_NAME=>VALUE for database-specific tuning."
|
||||
type = map(string)
|
||||
|
@ -115,9 +121,12 @@ variable "region" {
|
|||
}
|
||||
|
||||
variable "replicas" {
|
||||
description = "Map of NAME=>REGION for additional read replicas. Set to null to disable replica creation."
|
||||
type = map(any)
|
||||
default = null
|
||||
description = "Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation."
|
||||
type = map(object({
|
||||
region = string
|
||||
encryption_key_name = string
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "tier" {
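Review bot: The `replicas` description still says "Set to null to disable replica creation", but the default is now `{}` and main.tf evaluates `length(var.replicas)`, which errors on `null` instead of disabling replicas; change it to `description = "Map of NAME => {region, encryption_key_name} for additional read replicas. Leave empty to disable replica creation."`. Because `encryption_key_name` is a required attribute of the object type, callers without CMEK must pass `encryption_key_name = null` explicitly, which the description should state. For `encryption_key_name` in the earlier hunk of this file, "full path" is vague: document the expected resource-name form and the two preconditions the README example shows (the key ring location matches `var.region`, and the Cloud SQL service agent holds `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key), and add a `validation` block so a malformed key name is rejected at plan time rather than by the API.
```hcl
variable "encryption_key_name" {
  description = "Full Cloud KMS key resource name (projects/PROJECT/locations/REGION/keyRings/RING/cryptoKeys/KEY) used for CMEK disk encryption. The key must be in the instance region and the Cloud SQL service agent needs roles/cloudkms.cryptoKeyEncrypterDecrypter on it."
  type        = string
  default     = null
  validation {
    condition     = var.encryption_key_name == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.encryption_key_name))
    error_message = "encryption_key_name must be a full Cloud KMS crypto key resource name."
  }
}
```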
|
||||
|
@ -42,6 +42,7 @@ locals {
|
|||
gcf = "service-%s@gcf-admin-robot"
|
||||
pubsub = "service-%s@gcp-sa-pubsub"
|
||||
secretmanager = "service-%s@gcp-sa-secretmanager"
|
||||
sql = "service-%s@gcp-sa-cloud-sql"
|
||||
storage = "service-%s@gs-project-accounts"
|
||||
}
|
||||
service_accounts_default = {
|
||||
|
@ -56,9 +57,10 @@ locals {
|
|||
k => "${format(v, local.project.number)}.iam.gserviceaccount.com"
|
||||
}
|
||||
service_accounts_jit_services = [
|
||||
"secretmanager.googleapis.com",
|
||||
"cloudasset.googleapis.com",
|
||||
"pubsub.googleapis.com",
|
||||
"cloudasset.googleapis.com"
|
||||
"secretmanager.googleapis.com",
|
||||
"sqladmin.googleapis.com"
|
||||
]
|
||||
service_accounts_cmek_service_keys = distinct(flatten([
|
||||
for s in keys(var.service_encryption_key_ids) : [
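Review bot: The new `sql = "service-%s@gcp-sa-cloud-sql"` entry yields an email for a service agent that only exists once the Cloud SQL service identity has been provisioned (the README hunk creates it explicitly via `google_project_service_identity` for `sqladmin.googleapis.com`), so any KMS IAM binding derived from it through `service_accounts_cmek_service_keys` must depend on the JIT identity resource that `service_accounts_jit_services` presumably drives, otherwise the first apply fails on an unknown principal; I cannot see that dependency from this hunk. The map keys Cloud SQL as `sql` while the JIT list uses `sqladmin.googleapis.com`, so it is worth stating which key callers must use, e.g. `# keys of var.service_encryption_key_ids: use "sql" for Cloud SQL (API sqladmin.googleapis.com)` above the map. The `locals` block begins before this hunk and `service_accounts_cmek_service_keys` continues past it.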
|
||||
|