Add KMS on CloudSQL module

2022-04-12 19:01:34 +02:00 · 2022-04-12 19:01:34 +02:00 · c7c77541fb
parent cde0b5d051
commit c7c77541fb
5 changed files with 92 additions and 11 deletions
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@ -93,6 +93,59 @@ module "db" {
 }
 # tftest modules=1 resources=6
 ```
+
+### CMEK encryption pippo
+```hcl
+
+module "project" {
+  source          = "./modules/project"
+  billing_account = var.billing_account_id
+  parent          = var.organization_id
+  name            = "my-db-project"
+  services = [
+    "servicenetworking.googleapis.com"
+  ]
+}
+
+resource "google_project_service_identity" "jit_si" {
+  provider   = google-beta
+  project    = module.project.project_id
+  service    = "sqladmin.googleapis.com"
+}
+
+module "kms" {
+  source     = "./modules/kms"
+  project_id = module.project.project_id
+  keyring = {
+    name     = "keyring"
+    location = var.region
+  }
+  keys = {
+    key-sql = null
+  }
+  key_iam = {
+    key-sql = {
+      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+        "serviceAccount:${google_project_service_identity.jit_si.email}"
+      ]
+    }
+  }
+}
+
+module "db" {
+  source              = "./modules/cloudsql-instance"
+  project_id          = module.project.project_id
+  encryption_key_name = module.kms.keys["key-sql"].id
+  network             = var.vpc.self_link
+  name                = "db"
+  region              = var.region
+  database_version    = "POSTGRES_13"
+  tier                = "db-g1-small"
+}
+
+# tftest modules=3 resources=8
+```
+
 <!-- BEGIN TFDOC -->

 ## Variables
--- a/modules/cloudsql-instance/main.tf
+++ b/modules/cloudsql-instance/main.tf
@ -39,10 +39,12 @@ locals {
 }

 resource "google_sql_database_instance" "primary" {
-  project          = var.project_id
-  name             = "${local.prefix}${var.name}"
-  region           = var.region
-  database_version = var.database_version
+  provider            = google-beta
+  project             = var.project_id
+  name                = "${local.prefix}${var.name}"
+  region              = var.region
+  database_version    = var.database_version
+  encryption_key_name = var.encryption_key_name

  settings {
    tier              = var.tier
@ -99,11 +101,13 @@ resource "google_sql_database_instance" "primary" {
 }

 resource "google_sql_database_instance" "replicas" {
-  for_each             = local.has_replicas ? var.replicas : {}
+  provider             = google-beta
+  for_each             = length(var.replicas) > 0 ? var.replicas : {}
  project              = var.project_id
  name                 = "${local.prefix}${each.key}"
-  region               = each.value
+  region               = each.value.region
  database_version     = var.database_version
+  encryption_key_name  = each.value.encryption_key_name
  master_instance_name = google_sql_database_instance.primary.name

  settings {
--- a/modules/cloudsql-instance/outputs.tf
+++ b/modules/cloudsql-instance/outputs.tf
@ -66,6 +66,19 @@ output "ips" {
  }
 }

+output "name" {
+  description = "Name of the primary instance."
+  value       = google_sql_database_instance.primary.name
+}
+
+output "names" {
+  description = "Names of all instances."
+  value = {
+    for id, instance in local._all_intances :
+    id => instance.name
+  }
+}
+
 output "self_link" {
  description = "Self link of the primary instance."
  value       = google_sql_database_instance.primary.self_link
--- a/modules/cloudsql-instance/variables.tf
+++ b/modules/cloudsql-instance/variables.tf
@ -76,6 +76,12 @@ variable "disk_type" {
  default     = "PD_SSD"
 }

+variable "encryption_key_name" {
+  description = "The full path to the encryption key used for the CMEK disk encryption."
+  type        = string
+  default     = null
+}
+
 variable "flags" {
  description = "Map FLAG_NAME=>VALUE for database-specific tuning."
  type        = map(string)
@ -115,9 +121,12 @@ variable "region" {
 }

 variable "replicas" {
-  description = "Map of NAME=>REGION for additional read replicas. Set to null to disable replica creation."
-  type        = map(any)
-  default     = null
+  description = "Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation."
+  type = map(object({
+    region              = string
+    encryption_key_name = string
+  }))
+  default = {}
 }

 variable "tier" {
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@ -42,6 +42,7 @@ locals {
    gcf           = "service-%s@gcf-admin-robot"
    pubsub        = "service-%s@gcp-sa-pubsub"
    secretmanager = "service-%s@gcp-sa-secretmanager"
+    sql           = "service-%s@gcp-sa-cloud-sql"
    storage       = "service-%s@gs-project-accounts"
  }
  service_accounts_default = {
@ -56,9 +57,10 @@ locals {
    k => "${format(v, local.project.number)}.iam.gserviceaccount.com"
  }
  service_accounts_jit_services = [
-    "secretmanager.googleapis.com",
+    "cloudasset.googleapis.com",
    "pubsub.googleapis.com",
-    "cloudasset.googleapis.com"
+    "secretmanager.googleapis.com",
+    "sqladmin.googleapis.com"
  ]
  service_accounts_cmek_service_keys = distinct(flatten([
    for s in keys(var.service_encryption_key_ids) : [