From cd0c3ca78866a8b04d0351f0f8d257a1d5282948 Mon Sep 17 00:00:00 2001
From: Roberto Jung Drebes
Date: Tue, 2 Jul 2019 23:22:27 +0200
Subject: [PATCH] Pub/Sub Topic CMEK/KMS support (#1982)

Merged PR #1982.
---
 products/pubsub/api.yaml | 10 +++++
 products/pubsub/terraform.yaml | 8 ++++
 .../examples/pubsub_topic_cmek.tf.erb | 14 ++++++
 .../tests/resource_pubsub_topic_test.go | 43 +++++++++++++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 templates/terraform/examples/pubsub_topic_cmek.tf.erb

diff --git a/products/pubsub/api.yaml b/products/pubsub/api.yaml
index 872340f28d53..33e789617749 100644
--- a/products/pubsub/api.yaml
+++ b/products/pubsub/api.yaml
@@ -40,6 +40,16 @@ objects:
 required: true
 description: 'Name of the topic.'
 input: true
+ - !ruby/object:Api::Type::String
+ name: 'kmsKeyName'
+ description: |
+ The resource name of the Cloud KMS CryptoKey to be used to protect access
+ to messsages published on this topic. Your project's PubSub service account
+ (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have
+ `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+
+ The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`
+ input: true
 - !ruby/object:Api::Type::KeyValuePairs
 name: 'labels'
 description: |
diff --git a/products/pubsub/terraform.yaml b/products/pubsub/terraform.yaml
index 36d288aee290..12d80e80d613 100644
--- a/products/pubsub/terraform.yaml
+++ b/products/pubsub/terraform.yaml
@@ -21,6 +21,14 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 primary_resource_id: "example"
 vars:
 topic_name: "example-topic"
+ - !ruby/object:Provider::Terraform::Examples
+ name: "pubsub_topic_cmek"
+ primary_resource_id: "example"
+ skip_test: true
+ vars:
+ topic_name: "example-topic"
+ key_name: "example-key"
+ keyring_name: "example-keyring"
 properties:
 name: !ruby/object:Overrides::Terraform::PropertyOverride
 diff_suppress_func: 'compareSelfLinkOrResourceName'
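Review bot: The new `kmsKeyName` description misspells "messages" as `messsages`; change that line to `to messsages published on this topic.` → `to messages published on this topic. Your project's PubSub service account`. Since this text becomes the generated provider documentation, it is also worth stating the ordering constraint that the acceptance test config in this same patch appears to work around by creating its `google_project_iam_member` ahead of the topic: e.g. append `The grant must be in place before the topic is created.` to the paragraph. The field is also marked `input: true` like `name`; if that means the key cannot be changed after creation, say so in the description as well.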
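Review bot: `skip_test: true` on the new `pubsub_topic_cmek` example carries no explanation, so the generated example test is silently never run and a later reader cannot tell whether that is deliberate or a leftover. A one-line YAML comment above it would do, e.g. `# skip_test: the example provisions its own key ring; CMEK is exercised by TestAccPubsubTopic_cmek instead` — adjust the reason if it is a different one. The hand-written `TestAccPubsubTopic_cmek` in this patch reuses `BootstrapKMSKey(t)` rather than creating a key, which is consistent with the example's key resources being the reason, but that is an inference.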
diff --git a/templates/terraform/examples/pubsub_topic_cmek.tf.erb b/templates/terraform/examples/pubsub_topic_cmek.tf.erb
new file mode 100644
index 000000000000..9acefaef0d42
--- /dev/null
+++ b/templates/terraform/examples/pubsub_topic_cmek.tf.erb
@@ -0,0 +1,14 @@
+resource "google_pubsub_topic" "<%= ctx[:primary_resource_id] %>" {
+ name = "<%= ctx[:vars]['topic_name'] %>"
+ kms_key_name = "${google_kms_crypto_key.crypto_key.self_link}"
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+ name = "<%= ctx[:vars]['key_name'] %>"
+ key_ring = "${google_kms_key_ring.key_ring.self_link}"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+ name = "<%= ctx[:vars]['keyring_name'] %>"
+ location = "global"
+}
diff --git a/third_party/terraform/tests/resource_pubsub_topic_test.go b/third_party/terraform/tests/resource_pubsub_topic_test.go
index 56e6ca83c62d..7f1914f72c50 100644
--- a/third_party/terraform/tests/resource_pubsub_topic_test.go
+++ b/third_party/terraform/tests/resource_pubsub_topic_test.go
@@ -40,6 +40,29 @@ func TestAccPubsubTopic_update(t *testing.T) {
 })
 }
 
+func TestAccPubsubTopic_cmek(t *testing.T) {
+ t.Parallel()
+
+ kms := BootstrapKMSKey(t)
+ pid := getTestProjectFromEnv()
+ topicName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccPubsubTopic_cmek(pid, topicName, kms.CryptoKey.Name),
+ },
+ {
+ ResourceName: "google_pubsub_topic.topic",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func testAccPubsubTopic_update(topic, key, value string) string {
 return fmt.Sprintf(`
 resource "google_pubsub_topic" "foo" {
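Review bot: The example never grants the Pub/Sub service account `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key it creates, even though the `kmsKeyName` description added in this same patch states that grant is required; a user applying the example as written should expect topic creation to fail on the missing permission. The acceptance test config in `resource_pubsub_topic_test.go` handles this with a project-wide `google_project_iam_member` ordered ahead of the topic, and the example should do the equivalent — preferably scoped to the one key rather than the whole project, so the published example teaches the least-privilege form. Because `terraform.yaml` sets `skip_test: true` for this example, nothing in CI will catch the omission. A version that adds the grant and makes the topic wait for it, keeping the file's existing interpolation style, would be:
```terraform
data "google_project" "project" {}

resource "google_pubsub_topic" "<%= ctx[:primary_resource_id] %>" {
  name         = "<%= ctx[:vars]['topic_name'] %>"
  kms_key_name = "${google_kms_crypto_key.crypto_key.self_link}"
  depends_on   = ["google_kms_crypto_key_iam_member.crypto_key"]
}

resource "google_kms_crypto_key_iam_member" "crypto_key" {
  crypto_key_id = "${google_kms_crypto_key.crypto_key.self_link}"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

# … unchanged: google_kms_crypto_key.crypto_key and google_kms_key_ring.key_ring …
```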
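Review bot: The first step of `TestAccPubsubTopic_cmek` has no `Check`, so the only evidence that the key was actually applied to the topic is the indirect comparison `ImportStateVerify` makes in the second step. Adding `Check: resource.TestCheckResourceAttr("google_pubsub_topic.topic", "kms_key_name", kms.CryptoKey.Name),` to the first step states the intent of the test explicitly and yields a clearer failure message if the API echoes the key back in a different form than it was given. The `ImportStateVerify` step is otherwise right for this resource; keep it.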
@@ -50,3 +73,23 @@ resource "google_pubsub_topic" "foo" {
 }
 `, topic, key, value)
 }
+
+func testAccPubsubTopic_cmek(pid, topicName, kmsKey string) string {
+ return fmt.Sprintf(`
+data "google_project" "project" {
+ project_id = "%s"
+}
+
+resource "google_project_iam_member" "kms-project-binding" {
+ project = "${data.google_project.project.project_id}"
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+}
+
+resource "google_pubsub_topic" "topic" {
+ name = "%s"
+ project = "${google_project_iam_member.kms-project-binding.project}"
+ kms_key_name = "%s"
+}
+`, pid, topicName, kmsKey)
+}
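Review bot: In `testAccPubsubTopic_cmek` the topic's `project = "${google_project_iam_member.kms-project-binding.project}"` appears to exist only to force the IAM grant to be created before the topic, and nothing says so; a reader will take it for an ordinary project setting. Add a comment inside the HCL, e.g. `# reference the binding so the grant is applied before the topic is created`, or make the intent explicit with `depends_on = ["google_project_iam_member.kms-project-binding"]`. Separately, the binding grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on every key in the test project when only `kmsKey` needs it; a `google_kms_crypto_key_iam_member` on that key is the least-privilege form and matches what the resource description in this patch asks users to set up. If the step proves flaky because the grant has not yet become effective when the topic is created, the binding may need to move to its own earlier step.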