Fixes related to Apigee KMS keys (#2382)
* Fixes related to Apigee KMS keys * tfdoc --------- Co-authored-by: Ludo <ludomagno@google.com>
This commit is contained in:
parent
750cff01cd
commit
3933a747fe
|
@ -41,7 +41,15 @@ module "apigee-x-foundations" {
|
|||
api_security = true
|
||||
}
|
||||
organization = {
|
||||
analytics_region = "europe-west1"
|
||||
analytics_region = "europe-west1"
|
||||
api_consumer_data_location = "europe-west1"
|
||||
api_consumer_data_encryption_key_config = {
|
||||
auto_create = true
|
||||
}
|
||||
database_encryption_key_config = {
|
||||
auto_create = true
|
||||
}
|
||||
billing_type = "PAYG"
|
||||
}
|
||||
envgroups = {
|
||||
apis = [
|
||||
|
@ -203,7 +211,7 @@ module "apigee-x-foundations" {
|
|||
]
|
||||
}
|
||||
}
|
||||
# tftest modules=10 resources=62
|
||||
# tftest modules=7 resources=50
|
||||
```
|
||||
|
||||
### Apigee X in service project with peering disabled and exposed using Global LB
|
||||
|
@ -279,7 +287,7 @@ module "apigee-x-foundations" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=6 resources=36
|
||||
# tftest modules=4 resources=28
|
||||
```
|
||||
|
||||
### Apigee X in standalone project with peering enabled and exposed with Regional Internal LB
|
||||
|
@ -361,7 +369,7 @@ module "apigee-x-foundations" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=8 resources=48
|
||||
# tftest modules=6 resources=40
|
||||
```
|
||||
|
||||
### Apigee X in standalone project with peering disabled and exposed using Global External Application LB
|
||||
|
@ -438,7 +446,7 @@ module "apigee-x-foundations" {
|
|||
}
|
||||
enable_monitoring = true
|
||||
}
|
||||
# tftest modules=8 resources=55
|
||||
# tftest modules=6 resources=47
|
||||
```
|
||||
|
||||
<!-- TFDOC OPTS files:1 show_extra:1 -->
|
||||
|
@ -460,13 +468,13 @@ module "apigee-x-foundations" {
|
|||
|
||||
| name | description | type | required | default | producer |
|
||||
|---|---|:---:|:---:|:---:|:---:|
|
||||
| [apigee_config](variables.tf#L17) | Apigee configuration. | <code title="object({ addons_config = optional(object({ advanced_api_ops = optional(bool, false) api_security = optional(bool, false) connectors_platform = optional(bool, false) integration = optional(bool, false) monetization = optional(bool, false) })) organization = object({ analytics_region = optional(string) api_consumer_data_encryption_key = optional(string) api_consumer_data_location = optional(string) authorized_network = optional(string) billing_type = optional(string) control_plane_encryption_key = optional(string) database_encryption_key = optional(string) description = optional(string, "Terraform-managed") disable_vpc_peering = optional(bool, false) display_name = optional(string) properties = optional(map(string), {}) retention = optional(string) }) envgroups = optional(map(list(string)), {}) environments = optional(map(object({ description = optional(string) display_name = optional(string) envgroups = optional(list(string), []) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ role = string member = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) node_config = optional(object({ min_node_count = optional(number) max_node_count = optional(number) }), {}) type = optional(string) })), {}) instances = optional(map(object({ disk_encryption_key = optional(string) environments = optional(list(string), []) external = optional(bool, true) runtime_ip_cidr_range = optional(string) troubleshooting_ip_cidr_range = optional(string) })), {}) endpoint_attachments = optional(map(object({ region = string service_attachment = string dns_names = optional(list(string), []) })), {}) })">object({…})</code> | ✓ | | |
|
||||
| [project_config](variables.tf#L276) | Project configuration. | <code title="object({ billing_account_id = optional(string) compute_metadata = optional(map(string), {}) contacts = optional(map(list(string)), {}) custom_roles = optional(map(list(string)), {}) default_service_account = optional(string, "keep") descriptive_name = optional(string) iam = optional(map(list(string)), {}) group_iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ role = string member = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) labels = optional(map(string), {}) lien_reason = optional(string) logging_data_access = optional(map(map(list(string))), {}) log_exclusions = optional(map(string), {}) logging_sinks = optional(map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string iam = optional(bool, true) type = string unique_writer = optional(bool, true) })), {}) metric_scopes = optional(list(string), []) name = string org_policies = optional(map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. 
condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) })), {}) parent = optional(string) prefix = optional(string) project_create = optional(bool, true) vpc_sc = optional(object({ perimeter_name = string perimeter_bridges = optional(list(string), []) is_dry_run = optional(bool, false) })) services = optional(list(string), []) shared_vpc_host_config = optional(object({ enabled = bool service_projects = optional(list(string), []) })) shared_vpc_service_config = optional(object({ host_project = string service_identity_iam = optional(map(list(string)), {}) service_iam_grants = optional(list(string), []) })) skip_delete = optional(bool, false) tag_bindings = optional(map(string)) })">object({…})</code> | ✓ | | |
|
||||
| [enable_monitoring](variables.tf#L92) | Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. | <code>bool</code> | | <code>false</code> | |
|
||||
| [ext_lb_config](variables.tf#L98) | External application load balancer configuration. | <code title="object({ log_sample_rate = optional(number) outlier_detection = optional(object({ consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) interval = optional(object({ seconds = number nanos = optional(number) })) })) security_policy = optional(object({ advanced_options_config = optional(object({ json_parsing = optional(object({ enable = optional(bool, false) content_types = optional(list(string)) })) log_level = optional(string) })) adaptive_protection_config = optional(object({ layer_7_ddos_defense_config = optional(object({ enable = optional(bool, false) rule_visibility = optional(string) })) auto_deploy_config = optional(object({ load_threshold = optional(number) confidence_threshold = optional(number) impacted_baseline_threshold = optional(number) expiration_sec = optional(number) })) })) rate_limit_threshold = optional(object({ count = number interval_sec = number })) forbidden_src_ip_ranges = optional(list(string), []) forbidden_regions = optional(list(string), []) preconfigured_waf_rules = optional(map(object({ sensitivity = optional(number) opt_in_rule_ids = optional(list(string), []) opt_out_rule_ids = optional(list(string), []) }))) })) ssl_certificates = object({ certificate_ids = optional(list(string), []) create_configs = optional(map(object({ certificate = string private_key = string })), {}) managed_configs = optional(map(object({ domains = list(string) description = optional(string) })), {}) self_signed_configs = 
optional(list(string), null) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [int_cross_region_lb_config](variables.tf#L169) | Internal application load balancer configuration. | <code title="object({ log_sample_rate = optional(number) outlier_detection = optional(object({ consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) interval = optional(object({ seconds = number nanos = optional(number) })) })) certificate_manager_certificates = optional(list(string)) })">object({…})</code> | | <code>null</code> | |
|
||||
| [int_lb_config](variables.tf#L197) | Internal application load balancer configuration. | <code title="object({ log_sample_rate = optional(number) outlier_detection = optional(object({ consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) interval = optional(object({ seconds = number nanos = optional(number) })) })) ssl_certificates = object({ certificate_ids = optional(list(string), []) create_configs = optional(map(object({ certificate = string private_key = string })), {}) self_signed_configs = optional(list(string), []) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [network_config](variables.tf#L233) | Network configuration. | <code title="object({ shared_vpc = optional(object({ name = string subnets = map(string) subnets_psc = map(string) })) apigee_vpc = optional(object({ name = optional(string) auto_create = optional(bool, true) subnets = optional(map(object({ id = optional(string) name = optional(string) ip_cidr_range = optional(string) })), {}) subnets_proxy_only = optional(map(object({ name = optional(string) ip_cidr_range = string })), {}) subnets_psc = optional(map(object({ id = optional(string) name = optional(string) ip_cidr_range = optional(string) })), {}) })) })">object({…})</code> | | <code>{}</code> | |
|
||||
| [apigee_config](variables.tf#L17) | Apigee configuration. | <code title="object({ addons_config = optional(object({ advanced_api_ops = optional(bool, false) api_security = optional(bool, false) connectors_platform = optional(bool, false) integration = optional(bool, false) monetization = optional(bool, false) })) organization = object({ analytics_region = optional(string) api_consumer_data_encryption_key_config = optional(object({ auto_create = optional(bool, false) id = optional(string) }), {}) api_consumer_data_location = optional(string) billing_type = optional(string) control_plane_encryption_key_config = optional(object({ auto_create = optional(bool, false) id = optional(string) }), {}) database_encryption_key_config = optional(object({ auto_create = optional(bool, false) id = optional(string) }), {}) description = optional(string, "Terraform-managed") disable_vpc_peering = optional(bool, false) display_name = optional(string) properties = optional(map(string), {}) retention = optional(string) }) envgroups = optional(map(list(string)), {}) environments = optional(map(object({ description = optional(string) display_name = optional(string) envgroups = optional(list(string), []) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ role = string member = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) node_config = optional(object({ min_node_count = optional(number) max_node_count = optional(number) }), {}) type = optional(string) })), {}) instances = optional(map(object({ disk_encryption_key_config = optional(object({ auto_create = optional(bool, false) id = optional(string) }), {}) environments = optional(list(string), []) external = optional(bool, true) runtime_ip_cidr_range = 
optional(string) troubleshooting_ip_cidr_range = optional(string) })), {}) endpoint_attachments = optional(map(object({ region = string service_attachment = string dns_names = optional(list(string), []) })), {}) })">object({…})</code> | ✓ | | |
|
||||
| [project_config](variables.tf#L299) | Project configuration. | <code title="object({ billing_account_id = optional(string) compute_metadata = optional(map(string), {}) contacts = optional(map(list(string)), {}) custom_roles = optional(map(list(string)), {}) default_service_account = optional(string, "keep") descriptive_name = optional(string) iam = optional(map(list(string)), {}) group_iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ role = string members = list(string) condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ role = string member = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) labels = optional(map(string), {}) lien_reason = optional(string) logging_data_access = optional(map(map(list(string))), {}) log_exclusions = optional(map(string), {}) logging_sinks = optional(map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string iam = optional(bool, true) type = string unique_writer = optional(bool, true) })), {}) metric_scopes = optional(list(string), []) name = string org_policies = optional(map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. 
condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) })), {}) parent = optional(string) prefix = optional(string) project_create = optional(bool, true) vpc_sc = optional(object({ perimeter_name = string perimeter_bridges = optional(list(string), []) is_dry_run = optional(bool, false) })) services = optional(list(string), []) shared_vpc_host_config = optional(object({ enabled = bool service_projects = optional(list(string), []) })) shared_vpc_service_config = optional(object({ host_project = string service_identity_iam = optional(map(list(string)), {}) service_iam_grants = optional(list(string), []) })) skip_delete = optional(bool, false) tag_bindings = optional(map(string)) })">object({…})</code> | ✓ | | |
|
||||
| [enable_monitoring](variables.tf#L115) | Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. | <code>bool</code> | | <code>false</code> | |
|
||||
| [ext_lb_config](variables.tf#L121) | External application load balancer configuration. | <code title="object({ log_sample_rate = optional(number) outlier_detection = optional(object({ consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) interval = optional(object({ seconds = number nanos = optional(number) })) })) security_policy = optional(object({ advanced_options_config = optional(object({ json_parsing = optional(object({ enable = optional(bool, false) content_types = optional(list(string)) })) log_level = optional(string) })) adaptive_protection_config = optional(object({ layer_7_ddos_defense_config = optional(object({ enable = optional(bool, false) rule_visibility = optional(string) })) auto_deploy_config = optional(object({ load_threshold = optional(number) confidence_threshold = optional(number) impacted_baseline_threshold = optional(number) expiration_sec = optional(number) })) })) rate_limit_threshold = optional(object({ count = number interval_sec = number })) forbidden_src_ip_ranges = optional(list(string), []) forbidden_regions = optional(list(string), []) preconfigured_waf_rules = optional(map(object({ sensitivity = optional(number) opt_in_rule_ids = optional(list(string), []) opt_out_rule_ids = optional(list(string), []) }))) })) ssl_certificates = object({ certificate_ids = optional(list(string), []) create_configs = optional(map(object({ certificate = string private_key = string })), {}) managed_configs = optional(map(object({ domains = list(string) description = optional(string) })), {}) self_signed_configs = 
optional(list(string), null) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [int_cross_region_lb_config](variables.tf#L192) | Internal application load balancer configuration. | <code title="object({ log_sample_rate = optional(number) outlier_detection = optional(object({ consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) interval = optional(object({ seconds = number nanos = optional(number) })) })) certificate_manager_certificates = optional(list(string)) })">object({…})</code> | | <code>null</code> | |
|
||||
| [int_lb_config](variables.tf#L220) | Internal application load balancer configuration. | <code title="object({ log_sample_rate = optional(number) outlier_detection = optional(object({ consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) interval = optional(object({ seconds = number nanos = optional(number) })) })) ssl_certificates = object({ certificate_ids = optional(list(string), []) create_configs = optional(map(object({ certificate = string private_key = string })), {}) self_signed_configs = optional(list(string), []) }) })">object({…})</code> | | <code>null</code> | |
|
||||
| [network_config](variables.tf#L256) | Network configuration. | <code title="object({ shared_vpc = optional(object({ name = string subnets = map(string) subnets_psc = map(string) })) apigee_vpc = optional(object({ name = optional(string) auto_create = optional(bool, true) subnets = optional(map(object({ id = optional(string) name = optional(string) ip_cidr_range = optional(string) })), {}) subnets_proxy_only = optional(map(object({ name = optional(string) ip_cidr_range = string })), {}) subnets_psc = optional(map(object({ id = optional(string) name = optional(string) ip_cidr_range = optional(string) })), {}) })) })">object({…})</code> | | <code>{}</code> | |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
@ -478,4 +486,4 @@ module "apigee-x-foundations" {
|
|||
| [int_cross_region_lb_ip_addresses](outputs.tf#L32) | Internal IP addresses. | | |
|
||||
| [int_lb_ip_addresses](outputs.tf#L37) | Internal IP addresses. | | |
|
||||
| [project_id](outputs.tf#L42) | Project. | | |
|
||||
<!-- END TFDOC -->
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -14,24 +14,45 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "apigee" {
|
||||
source = "../../../modules/apigee"
|
||||
project_id = module.project.project_id
|
||||
organization = merge(var.apigee_config.organization, var.network_config.apigee_vpc != null && !var.apigee_config.organization.disable_vpc_peering ? {
|
||||
authorized_network = module.apigee_vpc[0].id
|
||||
} : var.network_config.shared_vpc != null && !var.apigee_config.organization.disable_vpc_peering ? {
|
||||
authorized_network = module.shared_vpc[0].id
|
||||
} : {},
|
||||
var.apigee_config.organization.database_encryption_key == null ? {} : {
|
||||
database_encryption_key = module.database_kms[0].keys["database-key"].id
|
||||
}, {
|
||||
locals {
|
||||
control_plan_in_eu_or_us = (
|
||||
try(contains(["europe", "us"],
|
||||
split("-", var.apigee_config.organization.api_consumer_data_location)[0]), false)
|
||||
)
|
||||
organization = merge(var.apigee_config.organization,
|
||||
{
|
||||
authorized_network = (var.apigee_config.organization.disable_vpc_peering
|
||||
? null :
|
||||
try(module.apigee_vpc[0].id, module.shared_vpc[0].id)
|
||||
)
|
||||
database_encryption_key = try(
|
||||
module.database_kms[0].key_ids["database-key"],
|
||||
var.apigee_config.organization.database_encryption_key_config.id)
|
||||
api_consumer_data_encryption_key = try(
|
||||
module.api_consumer_data_kms[0].key_ids["api-consumer-data-key"],
|
||||
var.apigee_config.organization.api_consumer_data_encryption_key_config.id)
|
||||
control_plane_encryption_key = try(
|
||||
module.control_plane_kms[0].key_ids["control-plane-key"],
|
||||
var.apigee_config.organization.control_plane_encryption_key_config.id)
|
||||
runtime_type = "CLOUD"
|
||||
})
|
||||
envgroups = var.apigee_config.envgroups
|
||||
environments = var.apigee_config.environments
|
||||
instances = { for k, v in var.apigee_config.instances : k => merge(v, v.disk_encryption_key == null ? {
|
||||
disk_encryption_key = module.disks_kms[k].key_ids["disk-key"]
|
||||
} : {}) }
|
||||
}
|
||||
)
|
||||
instances = { for k, v in var.apigee_config.instances : k => merge(v, {
|
||||
disk_encryption_key = try(
|
||||
module.disks_kms[k].key_ids["disk-key"],
|
||||
v.disk_encryption_key_config.id,
|
||||
null
|
||||
)
|
||||
}) }
|
||||
}
|
||||
|
||||
module "apigee" {
|
||||
source = "../../../modules/apigee"
|
||||
project_id = module.project.project_id
|
||||
organization = local.organization
|
||||
envgroups = var.apigee_config.envgroups
|
||||
environments = var.apigee_config.environments
|
||||
instances = local.instances
|
||||
endpoint_attachments = var.apigee_config.endpoint_attachments
|
||||
addons_config = var.apigee_config.addons_config
|
||||
}
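Review bot: When `control_plane_encryption_key_config.auto_create` is true but `api_consumer_data_location` is outside EU/US, `local.control_plan_in_eu_or_us` (L303-L312) is false, so nothing creates the key and `control_plane_encryption_key` (L351-L357) silently falls back to the config `id`, which the new validations require to be null whenever auto_create is set — the CMEK request is dropped without any error. A validation next to the three added in the variables hunk would surface this, e.g. `condition = !var.apigee_config.organization.control_plane_encryption_key_config.auto_create || try(contains(["europe", "us"], split("-", var.apigee_config.organization.api_consumer_data_location)[0]), false)` with an error message saying the control plane key can only be auto-created for an EU or US api_consumer_data_location. The same gate drives the `random_id.control_plane_kms` and `module.control_plane_kms` counts in the kms hunks, so one validation covers all three. The local's name also reads like a typo for `control_plane_in_eu_or_us`.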
|
||||
|
|
|
@ -15,21 +15,33 @@
|
|||
*/
|
||||
|
||||
resource "random_id" "database_kms" {
|
||||
count = var.apigee_config.organization.database_encryption_key_config.auto_create ? 1 : 0
|
||||
byte_length = 4
|
||||
}
|
||||
|
||||
resource "random_id" "control_plane_kms" {
|
||||
count = (var.apigee_config.organization.control_plane_encryption_key_config.auto_create &&
|
||||
local.control_plan_in_eu_or_us) ? 1 : 0
|
||||
byte_length = 4
|
||||
}
|
||||
|
||||
resource "random_id" "api_consumer_data_kms" {
|
||||
count = var.apigee_config.organization.api_consumer_data_encryption_key_config.auto_create ? 1 : 0
|
||||
byte_length = 4
|
||||
}
|
||||
|
||||
resource "random_id" "disks_kms" {
|
||||
for_each = var.apigee_config.instances
|
||||
for_each = toset([for k, v in var.apigee_config.instances : k if v.disk_encryption_key_config.auto_create])
|
||||
byte_length = 4
|
||||
}
|
||||
|
||||
module "database_kms" {
|
||||
count = try(var.apigee_config.organization.database_encryption_key, null) == null ? 1 : 0
|
||||
count = var.apigee_config.organization.database_encryption_key_config.auto_create ? 1 : 0
|
||||
source = "../../../modules/kms"
|
||||
project_id = module.project.project_id
|
||||
keyring = {
|
||||
location = "global"
|
||||
name = "apigee-${random_id.database_kms.hex}"
|
||||
location = var.apigee_config.organization.api_consumer_data_location == null ? "global" : var.apigee_config.organization.api_consumer_data_location
|
||||
name = "apigee-database-${random_id.database_kms[0].hex}"
|
||||
}
|
||||
keys = {
|
||||
database-key = {
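Review bot: The `database_kms` key ring changes both its name prefix (`apigee-database-`, L543) and its location (now following `api_consumer_data_location` instead of `global`, L540), so an existing deployment that auto-creates the key will plan a brand-new key ring and key; Cloud KMS key rings cannot be deleted, so the old one lingers, and swapping the database encryption key bound to the Apigee organization presumably forces the organization to be replaced — confirm against the provider. This deserves a migration note in the README (or a comment above the `keyring` block such as `# NOTE: changing name or location creates a new key ring; the previous one cannot be removed`). The `module "database_kms"` block continues past the hunk.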
|
||||
|
@ -43,13 +55,54 @@ module "database_kms" {
|
|||
}
|
||||
}
|
||||
|
||||
module "api_consumer_data_kms" {
|
||||
count = var.apigee_config.organization.api_consumer_data_encryption_key_config.auto_create ? 1 : 0
|
||||
source = "../../../modules/kms"
|
||||
project_id = module.project.project_id
|
||||
keyring = {
|
||||
location = var.apigee_config.organization.api_consumer_data_location
|
||||
name = "apigee-api-consumer-data-${random_id.api_consumer_data_kms[0].hex}"
|
||||
}
|
||||
keys = {
|
||||
api-consumer-data-key = {
|
||||
purpose = "ENCRYPT_DECRYPT"
|
||||
rotation_period = "2592000s"
|
||||
labels = null
|
||||
iam = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "control_plane_kms" {
|
||||
count = (var.apigee_config.organization.control_plane_encryption_key_config.auto_create
|
||||
&& local.control_plan_in_eu_or_us ? 1 : 0)
|
||||
source = "../../../modules/kms"
|
||||
project_id = module.project.project_id
|
||||
keyring = {
|
||||
location = var.apigee_config.organization.api_consumer_data_location
|
||||
name = "apigee-control-plane-${random_id.control_plane_kms[0].hex}"
|
||||
}
|
||||
keys = {
|
||||
control-plane-key = {
|
||||
purpose = "ENCRYPT_DECRYPT"
|
||||
rotation_period = "2592000s"
|
||||
labels = null
|
||||
iam = {
|
||||
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "disks_kms" {
|
||||
for_each = var.apigee_config.instances
|
||||
for_each = toset([for k, v in var.apigee_config.instances : k if v.disk_encryption_key_config.auto_create])
|
||||
source = "../../../modules/kms"
|
||||
project_id = module.project.project_id
|
||||
keyring = {
|
||||
location = each.key
|
||||
name = "apigee-${each.key}-${random_id.disks_kms[each.key].hex}"
|
||||
name = "apigee-disk-${each.value}-${random_id.disks_kms[each.value].hex}"
|
||||
}
|
||||
keys = {
|
||||
disk-key = {
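Review bot: `module.api_consumer_data_kms` (L582) uses `var.apigee_config.organization.api_consumer_data_location` as the key ring location with no null fallback, whereas `database_kms` in the previous hunk guards it with `== null ? "global" : ...`; with `auto_create = true` and no location set, the key ring gets a null location and the plan fails with an unhelpful provider error (the control plane module at L644 is shielded only because the EU/US gate evaluates false on a null location). Rather than defaulting to `global`, which would place the key outside the data-residency region, add a validation: `condition = !var.apigee_config.organization.api_consumer_data_encryption_key_config.auto_create || var.apigee_config.organization.api_consumer_data_location != null` with an error message stating that api_consumer_data_location is required to auto-create that key. The `disks_kms` block's `disk-key` definition continues past the hunk.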
|
||||
|
|
|
@ -25,18 +25,26 @@ variable "apigee_config" {
|
|||
monetization = optional(bool, false)
|
||||
}))
|
||||
organization = object({
|
||||
analytics_region = optional(string)
|
||||
api_consumer_data_encryption_key = optional(string)
|
||||
api_consumer_data_location = optional(string)
|
||||
authorized_network = optional(string)
|
||||
billing_type = optional(string)
|
||||
control_plane_encryption_key = optional(string)
|
||||
database_encryption_key = optional(string)
|
||||
description = optional(string, "Terraform-managed")
|
||||
disable_vpc_peering = optional(bool, false)
|
||||
display_name = optional(string)
|
||||
properties = optional(map(string), {})
|
||||
retention = optional(string)
|
||||
analytics_region = optional(string)
|
||||
api_consumer_data_encryption_key_config = optional(object({
|
||||
auto_create = optional(bool, false)
|
||||
id = optional(string)
|
||||
}), {})
|
||||
api_consumer_data_location = optional(string)
|
||||
billing_type = optional(string)
|
||||
control_plane_encryption_key_config = optional(object({
|
||||
auto_create = optional(bool, false)
|
||||
id = optional(string)
|
||||
}), {})
|
||||
database_encryption_key_config = optional(object({
|
||||
auto_create = optional(bool, false)
|
||||
id = optional(string)
|
||||
}), {})
|
||||
description = optional(string, "Terraform-managed")
|
||||
disable_vpc_peering = optional(bool, false)
|
||||
display_name = optional(string)
|
||||
properties = optional(map(string), {})
|
||||
retention = optional(string)
|
||||
})
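Review bot: The new `*_encryption_key_config.id` attributes (L778-L817) do not say what form the id takes; the main.tf hunk passes it straight through in place of `module.*_kms[0].key_ids[...]`, so a full Cloud KMS crypto key resource id is presumably expected — confirm. A one-line comment beside each, such as `# id: full Cloud KMS crypto key id, used as-is when auto_create is false`, would spare callers a failed apply. The `variable "apigee_config"` block starts before this hunk.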
|
||||
envgroups = optional(map(list(string)), {})
|
||||
environments = optional(map(object({
|
||||
|
@ -69,7 +77,10 @@ variable "apigee_config" {
|
|||
type = optional(string)
|
||||
})), {})
|
||||
instances = optional(map(object({
|
||||
disk_encryption_key = optional(string)
|
||||
disk_encryption_key_config = optional(object({
|
||||
auto_create = optional(bool, false)
|
||||
id = optional(string)
|
||||
}), {})
|
||||
environments = optional(list(string), [])
|
||||
external = optional(bool, true)
|
||||
runtime_ip_cidr_range = optional(string)
|
||||
|
@ -86,6 +97,18 @@ variable "apigee_config" {
|
|||
alltrue([for k, v in var.apigee_config.endpoint_attachments : length(v.dns_names) == 0]))
|
||||
error_message = "If disable_vpc_peering is true for the organization, DNS names cannot be used for endpoint attachments."
|
||||
}
|
||||
validation {
|
||||
condition = !(var.apigee_config.organization.database_encryption_key_config.auto_create && var.apigee_config.organization.database_encryption_key_config.id != null)
|
||||
error_message = "If the database encryption key is to be created you should not be passing an id."
|
||||
}
|
||||
validation {
|
||||
condition = !(var.apigee_config.organization.api_consumer_data_encryption_key_config.auto_create && var.apigee_config.organization.api_consumer_data_encryption_key_config.id != null)
|
||||
error_message = "If the api consumer data encryption key is to be created you should not be passing an id."
|
||||
}
|
||||
validation {
|
||||
condition = !(var.apigee_config.organization.control_plane_encryption_key_config.auto_create && var.apigee_config.organization.control_plane_encryption_key_config.id != null)
|
||||
error_message = "If the control plane encryption key is to be created you should not be passing an id."
|
||||
}
|
||||
nullable = false
|
||||
}
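Review bot: The three new validations cover the organization keys but not the per-instance `disk_encryption_key_config`, which has the same `auto_create`/`id` shape (L860-L869) and the same conflict: when both are set, `local.instances` in the main.tf hunk prefers the auto-created key and silently ignores the supplied id. Add a fourth block with `condition = alltrue([for k, v in var.apigee_config.instances : !(v.disk_encryption_key_config.auto_create && v.disk_encryption_key_config.id != null)])` and `error_message = "If an instance disk encryption key is to be created you should not be passing an id."`. The `variable "apigee_config"` block starts before this hunk.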
|
||||
|
||||
|
|