Add Cloud KMS support to GCS module (#87)

* Add support to Cloud KMS * Fixes * Fix tests * Fix tests * - change variable name to be consistent with BQ module - remove output, not needed - change string default value to null * use locals to pre-populate kms key variable for all names * rename kms variable, fix prefix check in locals Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
2020-06-05 21:59:34 +02:00
parent 24e9e0c280
commit 1b450fe444
4 changed files with 53 additions and 8 deletions
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -26,6 +26,31 @@ module "buckets" {
 }
 ```

+### Example with Cloud KMS
+
+```hcl
+module "buckets" {
+  source     = "./modules/gcs"
+  project_id = "myproject"
+  prefix     = "test"
+  names      = ["bucket-one", "bucket-two"]
+  bucket_policy_only = {
+    bucket-one = false
+  }
+  iam_members = {
+    bucket-two = {
+      "roles/storage.admin" = ["group:storage@example.com"]
+    }
+  }
+  iam_roles = {
+    bucket-two = ["roles/storage.admin"]
+  }
+  kms_keys = {
+    bucket-two = local.kms_key.self_link,
+  }
+}
+```
+
 <!-- BEGIN TFDOC -->
 ## Variables

@@ -34,12 +59,13 @@ module "buckets" {
 | names | Bucket name suffixes. | <code title="list&#40;string&#41;">list(string)</code> | ✓ |  |
 | project_id | Bucket project id. | <code title="">string</code> | ✓ |  |
 | *bucket_policy_only* | Optional map to disable object ACLS keyed by name, defaults to true. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
+| *encryption_keys* | Per-bucket KMS keys that will be used for encryption. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *force_destroy* | Optional map to set force destroy keyed by name, defaults to false. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |
-| *iam_members* | IAM members keyed by bucket name and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">null</code> |
-| *iam_roles* | IAM roles keyed by bucket name. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">null</code> |
+| *iam_members* | IAM members keyed by bucket name and role. | <code title="map&#40;map&#40;list&#40;string&#41;&#41;&#41;">map(map(list(string)))</code> |  | <code title="">{}</code> |
+| *iam_roles* | IAM roles keyed by bucket name. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *labels* | Labels to be attached to all buckets. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *location* | Bucket location. | <code title="">string</code> |  | <code title="">EU</code> |
-| *prefix* | Prefix used to generate the bucket name. | <code title="">string</code> |  | <code title=""></code> |
+| *prefix* | Prefix used to generate the bucket name. | <code title="">string</code> |  | <code title="">null</code> |
 | *storage_class* | Bucket storage class. | <code title="">string</code> |  | <code title="">MULTI_REGIONAL</code> |
 | *versioning* | Optional map to set versioning keyed by name, defaults to false. | <code title="map&#40;bool&#41;">map(bool)</code> |  | <code title="">{}</code> |

--- a/modules/gcs/main.tf
+++ b/modules/gcs/main.tf
@@ -31,7 +31,12 @@ locals {
    "${pair.name}-${pair.role}" => pair
  }
  iam_members = var.iam_members == null ? {} : var.iam_members
-  prefix      = var.prefix == "" ? "" : join("-", [var.prefix, lower(var.location), ""])
+  prefix = (
+    var.prefix == null || var.prefix == "" # keep "" for backward compatibility
+    ? ""
+    : join("-", [var.prefix, lower(var.location), ""])
+  )
+  kms_keys = { for name in var.names : name => lookup(var.encryption_keys, name, null) }
 }

 resource "google_storage_bucket" "buckets" {
@@ -50,6 +55,14 @@ resource "google_storage_bucket" "buckets" {
    name          = lower(each.key)
    storage_class = lower(var.storage_class)
  })
+
+  dynamic encryption {
+    for_each = local.kms_keys[each.key] == null ? [] : [""]
+
+    content {
+      default_kms_key_name = local.kms_keys[each.key]
+    }
+  }
 }

 resource "google_storage_bucket_iam_binding" "bindings" {
--- a/modules/gcs/variables.tf
+++ b/modules/gcs/variables.tf
@@ -29,13 +29,19 @@ variable "force_destroy" {
 variable "iam_members" {
  description = "IAM members keyed by bucket name and role."
  type        = map(map(list(string)))
-  default     = null
+  default     = {}
 }

 variable "iam_roles" {
  description = "IAM roles keyed by bucket name."
  type        = map(list(string))
-  default     = null
+  default     = {}
+}
+
+variable "encryption_keys" {
+  description = "Per-bucket KMS keys that will be used for encryption."
+  type        = map(string)
+  default     = {}
 }

 variable "labels" {
@@ -58,7 +64,7 @@ variable "names" {
 variable "prefix" {
  description = "Prefix used to generate the bucket name."
  type        = string
-  default     = ""
+  default     = null
 }

 variable "project_id" {
--- a/tests/modules/gcs/fixture/variables.tf
+++ b/tests/modules/gcs/fixture/variables.tf
@@ -41,7 +41,7 @@ variable "labels" {

 variable "prefix" {
  type    = string
-  default = ""
+  default = null
 }

 variable "storage_class" {