Add support for KMS key creation to project factory (#3518)

* initial implementation

* context

* tfdoc

* add support for autokey to projects

* fix typo

modules/project/main.tf

@@ -150,6 +150,16 @@ resource "google_resource_manager_lien" "lien" {
   reason       = var.lien_reason
 }
 
+resource "google_kms_key_handle" "default" {
+  for_each = var.kms_autokeys
+  project  = local.project.project_id
+  name     = each.key
+  location = try(
+    local.ctx.locations[each.value.location], each.value.location
+  )
+  resource_type_selector = each.value.resource_type_selector
+}
+
 resource "google_essential_contacts_contact" "contact" {
   provider = google-beta
   for_each = var.contacts

modules/project/outputs.tf

@@ -66,6 +66,13 @@ output "id" {
   ]
 }
 
+output "kms_autokeys" {
+  description = "KMS Autokey key ids."
+  value = {
+    for k, v in google_kms_key_handle.default : k => v.kms_key
+  }
+}
+
 output "name" {
   description = "Project name."
   value       = local.project.name

modules/project/variables.tf

@@ -166,6 +166,24 @@ variable "factories_config" {
   default  = {}
 }
 
+variable "kms_autokeys" {
+  description = "KMS Autokey key handles."
+  type = map(object({
+    location               = string
+    resource_type_selector = optional(string, "compute.googleapis.com/Disk")
+  }))
+  nullable = false
+  default  = {}
+  validation {
+    condition = alltrue([
+      for k, v in var.kms_autokeys : k == try(regex(
+        "^[a-z][a-z0-9-]+[a-z0-9]$", k
+      ), null)
+    ])
+    error_message = "Autokey keys need to be valid GCP resource names."
+  }
+}
+
 variable "labels" {
   description = "Resource labels."
   type        = map(string)