Pub/Sub Topic CMEK/KMS support (#1982)

Merged PR #1982.

products/pubsub/api.yaml

@@ -40,6 +40,16 @@ objects:
         required: true
         description: 'Name of the topic.'
         input: true
+      - !ruby/object:Api::Type::String
+        name: 'kmsKeyName'
+        description: |
+          The resource name of the Cloud KMS CryptoKey to be used to protect access
+          to messsages published on this topic. Your project's PubSub service account
+          (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have
+          `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+          
+          The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`
+        input: true
       - !ruby/object:Api::Type::KeyValuePairs
         name: 'labels'
         description: |

products/pubsub/terraform.yaml

@@ -21,6 +21,14 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         primary_resource_id: "example"
         vars:
           topic_name: "example-topic"
+      - !ruby/object:Provider::Terraform::Examples
+        name: "pubsub_topic_cmek"
+        primary_resource_id: "example"
+        skip_test: true
+        vars:
+          topic_name: "example-topic"
+          key_name: "example-key"
+          keyring_name: "example-keyring"
     properties:
       name: !ruby/object:Overrides::Terraform::PropertyOverride
         diff_suppress_func: 'compareSelfLinkOrResourceName'

templates/terraform/examples/pubsub_topic_cmek.tf.erb

@@ -0,0 +1,14 @@
+resource "google_pubsub_topic" "<%= ctx[:primary_resource_id] %>" {
+  name         = "<%= ctx[:vars]['topic_name'] %>"
+  kms_key_name = "${google_kms_crypto_key.crypto_key.self_link}"
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+  name     = "<%= ctx[:vars]['key_name'] %>"
+  key_ring = "${google_kms_key_ring.key_ring.self_link}"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  name     = "<%= ctx[:vars]['keyring_name'] %>"
+  location = "global"
+}

third_party/terraform/tests/resource_pubsub_topic_test.go

@@ -40,6 +40,29 @@ func TestAccPubsubTopic_update(t *testing.T) {
 	})
 }
 
+func TestAccPubsubTopic_cmek(t *testing.T) {
+	t.Parallel()
+
+	kms := BootstrapKMSKey(t)
+	pid := getTestProjectFromEnv()
+	topicName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPubsubTopic_cmek(pid, topicName, kms.CryptoKey.Name),
+			},
+			{
+				ResourceName:      "google_pubsub_topic.topic",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccPubsubTopic_update(topic, key, value string) string {
 	return fmt.Sprintf(`
 resource "google_pubsub_topic" "foo" {
@@ -50,3 +73,23 @@ resource "google_pubsub_topic" "foo" {
 }
 `, topic, key, value)
 }
+
+func testAccPubsubTopic_cmek(pid, topicName, kmsKey string) string {
+	return fmt.Sprintf(`
+data "google_project" "project" {
+  project_id = "%s"
+}
+
+resource "google_project_iam_member" "kms-project-binding" {
+  project = "${data.google_project.project.project_id}"
+  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+}
+
+resource "google_pubsub_topic" "topic" {
+  name         = "%s"
+  project      = "${google_project_iam_member.kms-project-binding.project}"
+  kms_key_name = "%s"
+}
+`, pid, topicName, kmsKey)
+}