Skip to content

Commit

Permalink
Pub/Sub Topic CMEK/KMS support
Browse files Browse the repository at this point in the history
Signed-off-by: Modular Magician <[email protected]>
  • Loading branch information
drebes authored and modular-magician committed Jun 29, 2019
1 parent a7af291 commit db085d7
Show file tree
Hide file tree
Showing 3 changed files with 92 additions and 0 deletions.
22 changes: 22 additions & 0 deletions google-beta/resource_pubsub_topic.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,11 @@ func resourcePubsubTopic() *schema.Resource {
ForceNew: true,
DiffSuppressFunc: compareSelfLinkOrResourceName,
},
"kms_key_name": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
"labels": {
Type: schema.TypeMap,
Optional: true,
Expand All @@ -73,6 +78,12 @@ func resourcePubsubTopicCreate(d *schema.ResourceData, meta interface{}) error {
} else if v, ok := d.GetOkExists("name"); !isEmptyValue(reflect.ValueOf(nameProp)) && (ok || !reflect.DeepEqual(v, nameProp)) {
obj["name"] = nameProp
}
kmsKeyNameProp, err := expandPubsubTopicKmsKeyName(d.Get("kms_key_name"), d, config)
if err != nil {
return err
} else if v, ok := d.GetOkExists("kms_key_name"); !isEmptyValue(reflect.ValueOf(kmsKeyNameProp)) && (ok || !reflect.DeepEqual(v, kmsKeyNameProp)) {
obj["kmsKeyName"] = kmsKeyNameProp
}
labelsProp, err := expandPubsubTopicLabels(d.Get("labels"), d, config)
if err != nil {
return err
Expand Down Expand Up @@ -132,6 +143,9 @@ func resourcePubsubTopicRead(d *schema.ResourceData, meta interface{}) error {
if err := d.Set("name", flattenPubsubTopicName(res["name"], d)); err != nil {
return fmt.Errorf("Error reading Topic: %s", err)
}
if err := d.Set("kms_key_name", flattenPubsubTopicKmsKeyName(res["kmsKeyName"], d)); err != nil {
return fmt.Errorf("Error reading Topic: %s", err)
}
if err := d.Set("labels", flattenPubsubTopicLabels(res["labels"], d)); err != nil {
return fmt.Errorf("Error reading Topic: %s", err)
}
Expand Down Expand Up @@ -223,6 +237,10 @@ func flattenPubsubTopicName(v interface{}, d *schema.ResourceData) interface{} {
return NameFromSelfLinkStateFunc(v)
}

func flattenPubsubTopicKmsKeyName(v interface{}, d *schema.ResourceData) interface{} {
return v
}

func flattenPubsubTopicLabels(v interface{}, d *schema.ResourceData) interface{} {
return v
}
Expand All @@ -231,6 +249,10 @@ func expandPubsubTopicName(v interface{}, d TerraformResourceData, config *Confi
return GetResourceNameFromSelfLink(v.(string)), nil
}

func expandPubsubTopicKmsKeyName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
return v, nil
}

func expandPubsubTopicLabels(v interface{}, d TerraformResourceData, config *Config) (map[string]string, error) {
if v == nil {
return map[string]string{}, nil
Expand Down
43 changes: 43 additions & 0 deletions google-beta/resource_pubsub_topic_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,29 @@ func TestAccPubsubTopic_update(t *testing.T) {
})
}

func TestAccPubsubTopic_cmek(t *testing.T) {
t.Parallel()

kms := BootstrapKMSKey(t)
pid := getTestProjectFromEnv()
topicName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccPubsubTopic_cmek(pid, topicName, kms.CryptoKey.Name),
},
{
ResourceName: "google_pubsub_topic.topic",
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func testAccPubsubTopic_update(topic, key, value string) string {
return fmt.Sprintf(`
resource "google_pubsub_topic" "foo" {
Expand All @@ -50,3 +73,23 @@ resource "google_pubsub_topic" "foo" {
}
`, topic, key, value)
}

func testAccPubsubTopic_cmek(pid, topicName, kmsKey string) string {
return fmt.Sprintf(`
data "google_project" "project" {
project_id = "%s"
}
resource "google_project_iam_member" "kms-project-binding" {
project = "${data.google_project.project.project_id}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}
resource "google_pubsub_topic" "topic" {
name = "%s"
project = "${google_project_iam_member.kms-project-binding.project}"
kms_key_name = "%s"
}
`, pid, topicName, kmsKey)
}
27 changes: 27 additions & 0 deletions website/docs/r/pubsub_topic.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,25 @@ resource "google_pubsub_topic" "example" {
}
}
```
## Example Usage - Pubsub Topic Cmek


```hcl
resource "google_pubsub_topic" "example" {
name = "example-topic"
kms_key_name = "${google_kms_crypto_key.crypto_key.self_link}"
}
resource "google_kms_crypto_key" "crypto_key" {
name = "example-key"
key_ring = "${google_kms_key_ring.key_ring.self_link}"
}
resource "google_kms_key_ring" "key_ring" {
name = "example-keyring"
location = "global"
}
```

## Argument Reference

Expand All @@ -61,6 +80,14 @@ The following arguments are supported:
- - -


* `kms_key_name` -
(Optional)
The resource name of the Cloud KMS CryptoKey to be used to protect access
to messsages published on this topic. Your project's PubSub service account
(`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have
`roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`

* `labels` -
(Optional)
A set of key/value label pairs to assign to this Topic.
Expand Down

0 comments on commit db085d7

Please sign in to comment.