From 476d2c79e972ec91a5f1b72ea79a00ce372d81d3 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Fri, 11 Jun 2021 16:00:20 +0200
Subject: [PATCH 1/4] Add IAM cryptDecrypt role to robo service account on specified keys
---
 modules/project/main.tf | 17 +++++++++++++++++
 modules/project/service_accounts.tf | 11 +++++++++++
 modules/project/variables.tf | 6 ++++++
 3 files changed, 34 insertions(+)
diff --git a/modules/project/main.tf b/modules/project/main.tf
index 4f07a595a..c13e7bd39 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -65,6 +65,14 @@ locals {
 if sink.iam && sink.type == type
 }
 }
+ service_encryption_key_ids_flatten = flatten([
+ for service in keys(var.service_encryption_key_ids) : [
+ for key in var.service_encryption_key_ids[service] : {
+ service = service
+ key = key
+ }
+ ]
+ ])
 }
 
 data "google_project" "project" {
@@ -356,3 +364,12 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
 perimeter_name = each.value
 resource = "projects/${local.project.number}"
 }
+
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
+ for_each = {
+ for service_key in local.service_encryption_key_ids_flatten : "${service_key.service}.${service_key.key}" => service_key
+ }
+ crypto_key_id = each.value.key
+ role = "roles/cloudkms.cryptoKeyEncrypter"
+ member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
 }
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index b0a64017b..e136eb1c4 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
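Review bot: The binding in `google_kms_crypto_key_iam_member.crypto_key` grants `roles/cloudkms.cryptoKeyEncrypter`, which carries only the encrypt permission, so a service agent holding just this role cannot decrypt data it has written under the key; the commit subject itself describes an encrypt/decrypt role, so `role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"` appears to be what was intended. The `member` is looked up in `local.service_accounts_robots[each.value.service]`, which this series does not extend, so a service named in `service_encryption_key_ids` without an entry there fails the plan with a bare key-lookup error; a `validation` block on the variable, or at least a comment listing the accepted service names, would make that contract explicit. The two data sources added in service_accounts.tf are never referenced by this resource, so their outputs play no part in which account receives the grant — worth confirming that `service_accounts_robots` holds the correct service agent for each service that can be listed here.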
@@ -40,3 +40,14 @@ locals {
 service => "service-${local.project.number}@${name}.iam.gserviceaccount.com"
 }
 }
+
+data "google_storage_project_service_account" "gcs_account" {
+ count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
+ project = local.project.project_id
+}
+
+data "google_bigquery_default_service_account" "bq_sa" {
+ count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
+
+ project = local.project.project_id
+}
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index fa4c84da7..8096afd4f 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -148,6 +148,12 @@ variable "service_config" {
 }
 }
 
+variable "service_encryption_key_ids" {
+ description = "Cloud KMS encryption key in {SERVICE => [KEY_URL]} format."
+ type = map(list(string))
+ default = {}
+}
+
 variable "shared_vpc_host_config" {
 description = "Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project)."
 type = object({
From dc01db0426c5617213e9f0647f8f93b096505d13 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Fri, 11 Jun 2021 17:38:27 +0200
Subject: [PATCH 2/4] Update Readme and rename variable
---
 modules/project/README.md | 1 +
 modules/project/main.tf | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/project/README.md b/modules/project/README.md
index 8000082ef..099feb0dd 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
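Review bot: The `count` expressions on `gcs_account` and `bq_sa` index `var.services` with a string key, but the README table in this same series declares `services` as `list(string)`; indexing a list by a string is an evaluation error that `try()` converts to `false`, so the count is always 0 and neither data source is ever created. `count = contains(var.services, "storage.googleapis.com") ? 1 : 0` (and the same form for `bigquery.googleapis.com`) states the intent directly and does not mask a type mismatch. Neither data source is referenced elsewhere in the series, so even when they are created their outputs do not feed the KMS IAM binding in main.tf, which reads the service-agent address from `local.service_accounts_robots` instead; either wire them in or drop them until they are used.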
@@ -177,6 +177,7 @@ module "project-host" {
 | *prefix* | Prefix used to generate project id and name. | string | | null |
 | *project_create* | Create project. When set to false, uses a data source to reference existing project. | bool | | true |
 | *service_config* | Configure service API activation. | object({...}) | | ... |
+| *service_encryption_key_ids* | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string)) | | {} |
 | *service_perimeter_bridges* | Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | list(string) | | null |
 | *service_perimeter_standard* | Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | string | | null |
 | *services* | Service APIs to enable. | list(string) | | [] |
diff --git a/modules/project/main.tf b/modules/project/main.tf
index c13e7bd39..80b8b7c37 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -65,7 +65,7 @@ locals {
 if sink.iam && sink.type == type
 }
 }
- service_encryption_key_ids_flatten = flatten([
+ service_encryption_key_ids = flatten([
 for service in keys(var.service_encryption_key_ids) : [
 for key in var.service_encryption_key_ids[service] : {
 service = service
@@ -367,7 +367,7 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
 
 resource "google_kms_crypto_key_iam_member" "crypto_key" {
 for_each = {
- for service_key in local.service_encryption_key_ids_flatten : "${service_key.service}.${service_key.key}" => service_key
+ for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
 }
 crypto_key_id = each.value.key
 role = "roles/cloudkms.cryptoKeyEncrypter"
From 136fe03e1dac6ccc018ba88e245e6cc0390274ac Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Fri, 11 Jun 2021 17:41:19 +0200
Subject: [PATCH 3/4] Remove extralines
---
 modules/project/service_accounts.tf | 3 +--
 modules/project/variables.tf | 2 --
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index e136eb1c4..dd0b50bfb 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
@@ -47,7 +47,6 @@ data "google_storage_project_service_account" "gcs_account" {
 }
 
 data "google_bigquery_default_service_account" "bq_sa" {
- count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
-
+ count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
 project = local.project.project_id
 }
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index 8096afd4f..d4f917b33 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -198,7 +198,6 @@ variable "logging_exclusions" {
 default = {}
 }
 
-
 variable "contacts" {
 description = "List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES"
 type = map(list(string))
@@ -211,7 +210,6 @@ variable "service_perimeter_standard" {
 default = null
 }
 
-
 variable "service_perimeter_bridges" {
 description = "Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'."
 type = list(string)
From 4a2ba0c36c5f6d703393b93a4409914b212d122f Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Fri, 11 Jun 2021 18:02:35 +0200
Subject: [PATCH 4/4] Add example
---
 modules/project/README.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/modules/project/README.md b/modules/project/README.md
index 099feb0dd..281a77768 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -149,6 +149,29 @@ module "project-host" {
 # tftest:modules=5:resources=12
 ```
 
+## Cloud KMS ncryption keys
+```hcl
+module "project" {
+ source = "./modules/project"
+ name = "my-project"
+ billing_account = "123456-123456-123456"
+ prefix = "foo"
+ services = [
+ "compute.googleapis.com",
+ "storage.googleapis.com"
+ ]
+ service_encryption_key_ids = {
+ compute = [
+ "projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce",
+ "projects/kms-central-prj/locations/europe-west4/keyRings/my-keyring/cryptoKeys/europe4-gce"
+ ]
+ storage = [
+ "projects/kms-central-prj/locations/europe/keyRings/my-keyring/cryptoKeys/europe-gcs"
+ ]
+ }
+}
+# tftest:modules=1:resources=6
+```
 ## Variables