Full examples for CMEK examples #2546

Merged
60 changes: 52 additions & 8 deletions modules/alloydb/README.md
Expand Up @@ -147,23 +147,71 @@ module "alloydb" {
### CMEK encryption

```hcl
module "project" {
source = "./fabric/modules/project"
name = "alloycmek"
billing_account = var.billing_account_id
prefix = var.prefix
parent = var.folder_id
services = [
"alloydb.googleapis.com",
"cloudkms.googleapis.com",
"servicenetworking.googleapis.com"
]
}

module "kms" {
source = "./fabric/modules/kms"
project_id = module.project.project_id
keyring = {
location = var.region
name = "keyring"
}
keys = {
"key-regional" = {
}
}
iam = {
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
module.project.service_agents.alloydb.iam_email
]
}
}

module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = module.project.project_id
name = "my-network"
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = "production"
region = var.region
},
]
psa_configs = [{
ranges = { myrange = "10.0.1.0/24" }
}]
}


module "alloydb" {
source = "./fabric/modules/alloydb"
project_id = var.project_id
project_id = module.project.project_id
cluster_name = "primary"
location = var.region
name = "primary"
network_config = {
psa_config = {
network = var.vpc.id
network = module.vpc.id
}
}
encryption_config = {
primary_kms_key_name = var.kms_key.id
primary_kms_key_name = module.kms.keys.key-regional.id
}
}

# tftest modules=1 resources=3 fixtures=fixtures/alloydb-kms-iam-grant.tf inventory=cmek.yaml e2e
# tftest inventory=cmek.yaml e2e
```

## Tag bindings
Expand Down Expand Up @@ -257,8 +305,4 @@ module "alloydb" {
| [service_attachment](outputs.tf#L90) | AlloyDB Primary instance service attachment. | |
| [service_attachments](outputs.tf#L95) | AlloyDB instances service attachment. | |
| [user_passwords](outputs.tf#L102) | Map of containing the password of all users created through terraform. | ✓ |

## Fixtures

- [alloydb-kms-iam-grant.tf](../../tests/fixtures/alloydb-kms-iam-grant.tf)
<!-- END TFDOC -->
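Review bot: The encrypter/decrypter grant at L62-66 sits in the kms module's top-level `iam` block, which in this module appears to be keyring-scoped, so the AlloyDB service agent receives `roles/cloudkms.cryptoKeyEncrypterDecrypter` on every key under `keyring` rather than only on `key-regional`; moving the binding under the key entry (an `iam` map inside `"key-regional"`) would keep the example at least privilege, if the module supports key-level IAM as I believe it does. `"key-regional" = { }` at L59-60 takes the module's defaults, and the example does not say whether a rotation period is applied; either setting one explicitly or adding `# rotation and protection level use the kms module defaults` would make the CMEK example self-explanatory. With the `alloydb-kms-iam-grant.tf` fixture dropped (L105 vs L106), the only ordering between the grant and cluster creation is whatever `module.kms.keys.key-regional.id` carries at L101, so it is worth confirming that the kms module's key outputs depend on its IAM resources; otherwise the first apply can race the grant and fail with a KMS permission error.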
6 changes: 3 additions & 3 deletions modules/artifact-registry/README.md
Expand Up @@ -231,7 +231,7 @@ module "registry-docker" {
| name | description | sensitive |
|---|---|:---:|
| [id](outputs.tf#L17) | Fully qualified repository id. | |
| [name](outputs.tf#L22) | Repository name. | |
| [repository](outputs.tf#L27) | Repository object. | |
| [url](outputs.tf#L32) | Repository URL. | |
| [name](outputs.tf#L25) | Repository name. | |
| [repository](outputs.tf#L33) | Repository object. | |
| [url](outputs.tf#L41) | Repository URL. | |
<!-- END TFDOC -->
14 changes: 13 additions & 1 deletion modules/artifact-registry/outputs.tf
Expand Up @@ -17,16 +17,25 @@
output "id" {
description = "Fully qualified repository id."
value = google_artifact_registry_repository.registry.id
depends_on = [
google_artifact_registry_repository_iam_binding.bindings
]
}

output "name" {
description = "Repository name."
value = google_artifact_registry_repository.registry.name
depends_on = [
google_artifact_registry_repository_iam_binding.bindings
]
}

output "repository" {
description = "Repository object."
value = google_artifact_registry_repository.registry
depends_on = [
google_artifact_registry_repository_iam_binding.bindings
]
}

output "url" {
Expand All @@ -36,5 +45,8 @@ output "url" {
var.project_id,
var.name
])
depends_on = [google_artifact_registry_repository.registry]
depends_on = [
google_artifact_registry_repository.registry,
google_artifact_registry_repository_iam_binding.bindings
]
}
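Review bot: The new `depends_on` entries at L138-140, L146-148, L154-156 and L165-168 carry no comment explaining why a plain output should wait on `google_artifact_registry_repository_iam_binding.bindings`, and the reason is not recoverable from this file; a one-line comment above the first block, e.g. `# wait for IAM bindings so that consumers of the id can push/pull as soon as it is known`, would stop a later cleanup from removing them. Only `bindings` is listed; if the module also manages additive (member-style) IAM resources they would need the same treatment, which cannot be told from this hunk. The `url` output's block starts before the second hunk at L160.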
16 changes: 8 additions & 8 deletions modules/bigquery-dataset/README.md
Expand Up @@ -347,12 +347,12 @@ module "bigquery-dataset" {
|---|---|:---:|
| [dataset](outputs.tf#L17) | Dataset resource. | |
| [dataset_id](outputs.tf#L22) | Dataset id. | |
| [id](outputs.tf#L36) | Fully qualified dataset id. | |
| [materialized_view_ids](outputs.tf#L50) | Map of fully qualified materialized view ids keyed by view ids. | |
| [materialized_views](outputs.tf#L55) | Materialized view resources. | |
| [self_link](outputs.tf#L60) | Dataset self link. | |
| [table_ids](outputs.tf#L74) | Map of fully qualified table ids keyed by table ids. | |
| [tables](outputs.tf#L79) | Table resources. | |
| [view_ids](outputs.tf#L84) | Map of fully qualified view ids keyed by view ids. | |
| [views](outputs.tf#L89) | View resources. | |
| [id](outputs.tf#L37) | Fully qualified dataset id. | |
| [materialized_view_ids](outputs.tf#L52) | Map of fully qualified materialized view ids keyed by view ids. | |
| [materialized_views](outputs.tf#L57) | Materialized view resources. | |
| [self_link](outputs.tf#L62) | Dataset self link. | |
| [table_ids](outputs.tf#L77) | Map of fully qualified table ids keyed by table ids. | |
| [tables](outputs.tf#L82) | Table resources. | |
| [view_ids](outputs.tf#L87) | Map of fully qualified view ids keyed by view ids. | |
| [views](outputs.tf#L92) | View resources. | |
<!-- END TFDOC -->
9 changes: 6 additions & 3 deletions modules/bigquery-dataset/outputs.tf
Expand Up @@ -29,7 +29,8 @@ output "dataset_id" {
google_bigquery_dataset_access.domain,
google_bigquery_dataset_access.group_by_email,
google_bigquery_dataset_access.special_group,
google_bigquery_dataset_access.user_by_email
google_bigquery_dataset_access.user_by_email,
google_bigquery_dataset_iam_binding.bindings,
]
}

Expand All @@ -43,7 +44,8 @@ output "id" {
google_bigquery_dataset_access.domain,
google_bigquery_dataset_access.group_by_email,
google_bigquery_dataset_access.special_group,
google_bigquery_dataset_access.user_by_email
google_bigquery_dataset_access.user_by_email,
google_bigquery_dataset_iam_binding.bindings,
]
}

Expand All @@ -67,7 +69,8 @@ output "self_link" {
google_bigquery_dataset_access.domain,
google_bigquery_dataset_access.group_by_email,
google_bigquery_dataset_access.special_group,
google_bigquery_dataset_access.user_by_email
google_bigquery_dataset_access.user_by_email,
google_bigquery_dataset_iam_binding.bindings,
]
}

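Review bot: The `dataset` output (outputs.tf#L17, which the updated README table at L174-175 shows unshifted) does not appear to receive the `google_bigquery_dataset_iam_binding.bindings` dependency that `dataset_id`, `id` and `self_link` gain at L201, L211 and L221, so a consumer reading `module.x.dataset.id` would not wait on the bindings while `module.x.id` would; that block is outside these hunks, so this is inferred from the table. If the intent is that any handle on the dataset waits for IAM, the same entry belongs there as well. A short comment on the first list, e.g. `# IAM bindings included so downstream users see access already applied`, would document the intent; each enclosing `output` block starts outside its hunk.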
97 changes: 78 additions & 19 deletions modules/cloud-function-v1/README.md
Expand Up @@ -40,8 +40,11 @@ module "cf-http" {
bundle_config = {
path = "assets/sample-function/"
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=1 resources=5 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
# tftest modules=1 resources=5 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
```

### PubSub and non-HTTP triggers
Expand All @@ -62,6 +65,10 @@ module "cf-http" {
event = "google.pubsub.topic.publish"
resource = module.pubsub.topic.name
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]

}
# tftest modules=2 resources=7 fixtures=fixtures/pubsub.tf,fixtures/functions-default-sa-iam-grants.tf e2e
```
Expand All @@ -83,8 +90,11 @@ module "cf-http" {
iam = {
"roles/cloudfunctions.invoker" = ["allUsers"]
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=1 resources=6 fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=iam.yaml e2e
# tftest fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=iam.yaml e2e
```

### GCS bucket creation
Expand All @@ -106,8 +116,11 @@ module "cf-http" {
bundle_config = {
path = "assets/sample-function/"
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=1 resources=6 fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=bucket-creation.yaml e2e
# tftest fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=bucket-creation.yaml e2e
```

### Service account management
Expand All @@ -125,6 +138,9 @@ module "cf-http" {
path = "assets/sample-function/"
}
service_account_create = true
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=1 resources=6 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
```
Expand All @@ -142,6 +158,9 @@ module "cf-http" {
path = "assets/sample-function/"
}
service_account = var.service_account.email
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=1 resources=5 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
```
Expand Down Expand Up @@ -170,6 +189,9 @@ module "cf-http" {
excludes = ["__pycache__"]
}
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=1 resources=5 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
```
Expand All @@ -189,6 +211,9 @@ module "cf-http" {
bundle_config = {
path = "assets/sample-function/"
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=1 resources=6 fixtures=fixtures/cloudbuild-custom-pool.tf,fixtures/functions-default-sa-iam-grants.tf e2e
```
Expand Down Expand Up @@ -218,8 +243,11 @@ module "cf-http-two" {
bundle_config = {
path = "assets/sample-function/"
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=2 resources=7 fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=multiple_functions.yaml e2e
# tftest fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=multiple_functions.yaml e2e
```

### Mounting secrets from Secret Manager
Expand Down Expand Up @@ -256,61 +284,92 @@ module "cf-http" {
]
}
}
depends_on = [
google_project_iam_member.bucket_default_compute_account_grant,
]
}
# tftest modules=2 resources=8 fixtures=fixtures/secret-credentials.tf,fixtures/functions-default-sa-iam-grants.tf inventory=secrets.yaml e2e
# tftest fixtures=fixtures/secret-credentials.tf,fixtures/functions-default-sa-iam-grants.tf inventory=secrets.yaml e2e
```

### Using CMEK to encrypt function resources

This encrypt bucket _gcf-sources-*_ with the provided kms key. The repository has to be encrypted with the same kms key.

```hcl
module "project" {
source = "./fabric/modules/project"
name = "cf-v1"
billing_account = var.billing_account_id
prefix = var.prefix
parent = var.folder_id
services = [
"artifactregistry.googleapis.com",
"cloudbuild.googleapis.com",
"cloudfunctions.googleapis.com",
"cloudkms.googleapis.com",
"compute.googleapis.com",
"storage.googleapis.com",
]
iam = {
# grant compute default service account that is used by Cloud Founction
# permission to read from the buckets so it can function sources
"roles/storage.objectViewer" = [
"serviceAccount:${module.project.default_service_accounts.compute}"
]
}
}

module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
project_id = module.project.project_id
keyring = {
location = var.regions.secondary
name = "function-cmek"
name = "keyring"
}
keys = {
"key" = {}
"key-regional" = {
}
}
iam = {
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
"serviceAccount:service-${var.project_number}@gcf-admin-robot.iam.gserviceaccount.com",
"serviceAccount:service-${var.project_number}@gcp-sa-artifactregistry.iam.gserviceaccount.com",
"serviceAccount:service-${var.project_number}@gs-project-accounts.iam.gserviceaccount.com",
module.project.service_agents["artifactregistry"].iam_email,
module.project.service_agents["cloudfunctions"].iam_email,
module.project.service_agents["storage"].iam_email,
]
}
}

module "artifact-registry" {
source = "./fabric/modules/artifact-registry"
project_id = var.project_id
project_id = module.project.project_id
location = var.regions.secondary
name = "registry"
format = { docker = { standard = {} } }
encryption_key = module.kms.key_ids["key"]
depends_on = [
module.kms
]
encryption_key = module.kms.key_ids["key-regional"]
iam = {
"roles/artifactregistry.createOnPushWriter" = [
# grant compute default service account that is used by Cloud Build
# permission to push compiled container into Artifact Registry
"serviceAccount:${module.project.default_service_accounts.compute}",
]
}
}

module "cf-http" {
source = "./fabric/modules/cloud-function-v1"
project_id = var.project_id
project_id = module.project.project_id
region = var.regions.secondary
name = "test-cf-http"
bucket_name = var.bucket
bundle_config = {
path = "assets/sample-function/"
}
kms_key = module.kms.key_ids["key"]
kms_key = module.kms.key_ids["key-regional"]
repository_settings = {
repository = module.artifact-registry.id
}
}
# tftest modules=3 resources=9 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
# tftest modules=4 resources=25
```
<!-- BEGIN TFDOC -->
## Variables
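Review bot: The project-level `roles/storage.objectViewer` grant at L365-367 gives the compute default service account read access to every bucket in the project, while the comment at L363-364 states the intent is only to read function sources; granting the role on the sources bucket would model least privilege, though it is not visible here whether the `gcf-sources-*` bucket exists before the function is created, which is probably why the project-level grant was chosen and is worth saying in the comment. Removing `depends_on = [module.kms]` at L405-407 leaves the repository waiting only on `module.kms.key_ids["key-regional"]` (L408), so unless the kms module's `key_ids` output depends on its IAM resources the Artifact Registry service agent may not yet hold the key grant from L385-394 when the CMEK repository is created. The tftest line at L435 drops `e2e` and the fixture present at L434, so this example, the one most sensitive to IAM ordering, is now only plan-tested; if the e2e run was removed because of a known failure, that deserves a sentence in the PR. The comment at L363-364 also has typos ("Cloud Founction", "so it can function sources"); `# grant the compute default service account used by Cloud Functions` / `# permission to read function sources from the bucket` reads cleaner.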