Merge pull request #1332 from GoogleCloudPlatform/lcaggio/secretmanager

Add CMEK support on Secret manager module
GoogleCloudPlatform · Apr 18, 2023 · 344f74d · 344f74d
2 parents 087b4c4 + 306b382
commit 344f74d
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 6 deletions.
diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md
@@ -72,17 +72,37 @@ module "secret-manager" {
 }
 # tftest modules=1 resources=5 inventory=versions.yaml
 ```
+
+### Secret with customer managed encryption key
+
+Secrets will be used if an encryption key is set in the `encryption_key` variable for the secret region.
+
+```hcl
+module "secret-manager" {
+  source     = "./fabric/modules/secret-manager"
+  project_id = "my-project"
+  secrets = {
+    test-encryption = ["europe-west1", "europe-west4"]
+  }
+  encryption_key = {
+    europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
+    europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
+  }
+}
+# tftest modules=1 resources=1
+```
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L29) | Project id where the keyring will be created. | <code>string</code> | ✓ |  |
-| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [labels](variables.tf#L23) | Optional labels for each secret. | <code>map&#40;map&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [secrets](variables.tf#L34) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [versions](variables.tf#L40) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map&#40;map&#40;object&#40;&#123;&#10;  enabled &#61; bool&#10;  data    &#61; string&#10;&#125;&#41;&#41;&#41;">map&#40;map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [project_id](variables.tf#L35) | Project id where the keyring will be created. | <code>string</code> | ✓ |  |
+| [encryption_key](variables.tf#L17) | Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [iam](variables.tf#L23) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [labels](variables.tf#L29) | Optional labels for each secret. | <code>map&#40;map&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [secrets](variables.tf#L40) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [versions](variables.tf#L46) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map&#40;map&#40;object&#40;&#123;&#10;  enabled &#61; bool&#10;  data    &#61; string&#10;&#125;&#41;&#41;&#41;">map&#40;map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 

diff --git a/modules/secret-manager/main.tf b/modules/secret-manager/main.tf
@@ -36,7 +36,6 @@ locals {
 }
 
 resource "google_secret_manager_secret" "default" {
-  provider  = google-beta
   for_each  = var.secrets
   project   = var.project_id
   secret_id = each.key
@@ -59,6 +58,12 @@ resource "google_secret_manager_secret" "default" {
           iterator = location
           content {
             location = location.value
+            dynamic "customer_managed_encryption" {
+              for_each = try(var.encryption_key[location.value] != null ? [""] : [], [])
+              content {
+                kms_key_name = var.encryption_key[location.value]
+              }
+            }
           }
         }
       }

diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf
@@ -14,6 +14,12 @@
  * limitations under the License.
  */
 
+variable "encryption_key" {
+  description = "Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations."
+  type        = map(string)
+  default     = null
+}
+
 variable "iam" {
   description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format."
   type        = map(map(list(string)))