Pub/Sub Topic CMEK/KMS support

Signed-off-by: Modular Magician <[email protected]>
modular-magician · Jun 29, 2019 · 41f58f9 · 41f58f9
1 parent 273a58f
commit 41f58f9
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/lib/ansible/modules/cloud/google/gcp_pubsub_topic.py b/lib/ansible/modules/cloud/google/gcp_pubsub_topic.py
@@ -51,6 +51,14 @@
     description:
     - Name of the topic.
     required: true
+  kms_key_name:
+    description:
+    - The resource name of the Cloud KMS CryptoKey to be used to protect access to
+      messsages published on this topic. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`)
+      must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+    - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+    required: false
+    version_added: 2.9
   labels:
     description:
     - A set of key/value label pairs to assign to this Topic.
@@ -78,6 +86,14 @@
   - Name of the topic.
   returned: success
   type: str
+kmsKeyName:
+  description:
+  - The resource name of the Cloud KMS CryptoKey to be used to protect access to messsages
+    published on this topic. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`)
+    must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+  - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+  returned: success
+  type: str
 labels:
   description:
   - A set of key/value label pairs to assign to this Topic.
@@ -102,7 +118,10 @@ def main():
 
     module = GcpModule(
         argument_spec=dict(
-            state=dict(default='present', choices=['present', 'absent'], type='str'), name=dict(required=True, type='str'), labels=dict(type='dict')
+            state=dict(default='present', choices=['present', 'absent'], type='str'),
+            name=dict(required=True, type='str'),
+            kms_key_name=dict(type='str'),
+            labels=dict(type='dict'),
         )
     )
 
@@ -162,7 +181,7 @@ def delete(module, link):
 
 
 def resource_to_request(module):
-    request = {u'name': module.params.get('name'), u'labels': module.params.get('labels')}
+    request = {u'name': module.params.get('name'), u'kmsKeyName': module.params.get('kms_key_name'), u'labels': module.params.get('labels')}
     request = encode_request(request, module)
     return_vals = {}
     for k, v in request.items():
@@ -230,7 +249,7 @@ def is_different(module, response):
 # Remove unnecessary properties from the response.
 # This is for doing comparisons with Ansible's current parameters.
 def response_to_hash(module, response):
-    return {u'name': module.params.get('name'), u'labels': response.get(u'labels')}
+    return {u'name': module.params.get('name'), u'kmsKeyName': module.params.get('kms_key_name'), u'labels': response.get(u'labels')}
 
 
 def decode_request(response, module):

diff --git a/lib/ansible/modules/cloud/google/gcp_pubsub_topic_facts.py b/lib/ansible/modules/cloud/google/gcp_pubsub_topic_facts.py
@@ -63,6 +63,15 @@
       - Name of the topic.
       returned: success
       type: str
+    kmsKeyName:
+      description:
+      - The resource name of the Cloud KMS CryptoKey to be used to protect access
+        to messsages published on this topic. Your project's PubSub service account
+        (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must
+        have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+      - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+      returned: success
+      type: str
     labels:
       description:
       - A set of key/value label pairs to assign to this Topic.