From 306b38295ecc0d806d45c0fd1f52c2e00e303908 Mon Sep 17 00:00:00 2001
From: lcaggio
Date: Mon, 17 Apr 2023 23:32:13 +0200
Subject: [PATCH] Add CMEK support
---
 modules/secret-manager/README.md | 30 ++++++++++++++++++++++++-----
 modules/secret-manager/main.tf | 7 ++++++-
 modules/secret-manager/variables.tf | 6 ++++++
 3 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md
index acdfa02d73..446d26bfea 100644
--- a/modules/secret-manager/README.md
+++ b/modules/secret-manager/README.md
@@ -72,17 +72,37 @@ module "secret-manager" { } # tftest modules=1 resources=5 inventory=versions.yaml ``` + +### Secret with customer managed encryption key + +Secrets will be used if an encryption key is set in the `encryption_key` variable for the secret region. + +```hcl +module "secret-manager" { + source = "./fabric/modules/secret-manager" + project_id = "my-project" + secrets = { + test-encryption = ["europe-west1", "europe-west4"] + } + encryption_key = { + europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY" + europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY" + } +} +# tftest modules=1 resources=1 +``` ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L29) | Project id where the keyring will be created. | string | ✓ | | -| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | -| [labels](variables.tf#L23) | Optional labels for each secret. | map(map(string)) | | {} | -| [secrets](variables.tf#L34) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | map(list(string)) | | {} | -| [versions](variables.tf#L40) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} | +| [project_id](variables.tf#L35) | Project id where the keyring will be created. | string | ✓ | | +| [encryption_key](variables.tf#L17) | Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations. | map(string) | | null | +| [iam](variables.tf#L23) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | +| [labels](variables.tf#L29) | Optional labels for each secret. 
| map(map(string)) | | {} | +| [secrets](variables.tf#L40) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | map(list(string)) | | {} | +| [versions](variables.tf#L46) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} | ## Outputs diff --git a/modules/secret-manager/main.tf b/modules/secret-manager/main.tf index ed0af26bf2..73932b5e0a 100644 --- a/modules/secret-manager/main.tf +++ b/modules/secret-manager/main.tf @@ -36,7 +36,6 @@ locals { } resource "google_secret_manager_secret" "default" { - provider = google-beta for_each = var.secrets project = var.project_id secret_id = each.key @@ -59,6 +58,12 @@ resource "google_secret_manager_secret" "default" { iterator = location content { location = location.value + dynamic "customer_managed_encryption" { + for_each = try(var.encryption_key[location.value] != null ? [""] : [], []) + content { + kms_key_name = var.encryption_key[location.value] + } + } } } } diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf index f8ed111169..7d7b528484 100644 --- a/modules/secret-manager/variables.tf +++ b/modules/secret-manager/variables.tf @@ -14,6 +14,12 @@ * limitations under the License. */ +variable "encryption_key" { + description = "Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations." + type = map(string) + default = null +} + variable "iam" { description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format." type = map(map(list(string)))
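Review bot: Dropping `provider = google-beta` moves `google_secret_manager_secret.default` to the GA provider, which only works if the module's pinned google provider version already exposes `customer_managed_encryption` on that resource; the diffstat touches no versions file, so that minimum should be confirmed before merging. If a bump is needed, it belongs in this commit rather than a follow-up, since the new block in the second main.tf hunk depends on it.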
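Review bot: The `try(..., [])` on the dynamic block's `for_each` silently falls back to Google-managed encryption whenever `var.encryption_key` is null or has no entry for `location.value` (a misspelled region, for instance), even though the variable description says a key must be provided for every replica location; a replica that was meant to be CMEK-protected is then created without a key and nothing fails. A `precondition` on the resource makes that contract enforceable, and the same gap applies to the `encryption_key` hunk in variables.tf, which adds no validation. The enclosing resource block starts before this hunk; the lifecycle block below belongs at its top level, beside the replication block. Secrets whose location list is null use automatic replication according to the README, which this hunk does not cover, so those secrets presumably get no CMEK at all — that is worth stating in the docs or handling in the automatic branch, which lies outside the hunk.
```hcl
resource "google_secret_manager_secret" "default" {
  # … unchanged: for_each, project, secret_id, labels, replication …
  lifecycle {
    precondition {
      # When CMEK is requested, every user-managed replica location needs a key;
      # a missing entry must fail the plan instead of degrading to Google-managed encryption.
      condition = var.encryption_key == null || alltrue([
        for l in (each.value == null ? [] : each.value) : contains(keys(var.encryption_key), l)
      ])
      error_message = "encryption_key must contain a key for every replica location of each secret."
    }
  }
}
```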
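Review bot: The description calls the values a "Self link", but the README example and the `kms_key_name` argument that consumes them use the KMS resource name form (`projects/.../cryptoKeys/...`), and it does not say that the key has to live in the replica's location, which Secret Manager expects; suggest `description = "KMS key resource names in {LOCATION => KEY} format. Keys must be in the replica's location and one must be provided for every replica location."`. Nothing in this hunk enforces the "must": a `validation` block here cannot reference `var.secrets`, so the check has to live on the resource in main.tf.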