kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
hunfabric/modules/project/cmek.tf

97 lines
3.7 KiB
HCL
Raw Permalink Blame History

/**
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description Service Agent IAM Bindings for CMEK
locals {
# list of service agents per product that need to be granted
# cryptoKeyEncrypterDecrypter to use CMEK.
# https://cloud.google.com/kms/docs/compatible-services
# TODO: extend to support dependencies for all products
_cmek_agents_by_service = {
"aiplatform.googleapis.com" : ["aiplatform"]
"alloydb.googleapis.com" : ["alloydb"]
"artifactregistry.googleapis.com" : ["artifactregistry"]
"bigtableadmin.googleapis.com" : ["bigtable"]
"bigquery.googleapis.com" : ["bigquery-encryption"]
# the list for composer now tracks composer 3
# https://cloud.google.com/composer/docs/composer-3/configure-cmek-encryption#grant-roles-permissions
"composer.googleapis.com" : ["composer", "storage"]
"compute.googleapis.com" : ["compute"]
"container.googleapis.com" : ["compute", "container-engine-robot"]
"dataflow.googleapis.com" : ["dataflow", "compute"]
"dataform.googleapis.com" : ["dataform"]
"datafusion.googleapis.com" : [
"datafusion", "compute", "storage", "dataproc",
"pubsub", "spanner" # these 2 are optional
]
"dataproc.googleapis.com" : ["dataproc"]
"datastream.googleapis.com" : ["datastream"]
"dialogflow.googleapis.com" : ["dialogflow-cmek"]
"file.googleapis.com" : ["cloud-filer"]
"logging.googleapis.com" : ["logging"]
"pubsub.googleapis.com" : ["pubsub"]
"run.googleapis.com" : ["cloudrun"]
"secretmanager.googleapis.com" : ["secretmanager"]
"spanner.googleapis.com" : ["spanner"]
"sqladmin.googleapis.com" : ["cloud-sql"]
"storage.googleapis.com" : ["storage"]
}
_all_cmek_bindings = flatten([
for service, keys in var.service_encryption_key_ids : [
for dep in try(
local._cmek_agents_by_service[service],
[for x in local.service_agents_by_api[service] : x.name],
[service]
) : [
for key in keys : {
key_id = key
agent_name = local.aliased_service_agents[dep].name
agent_email = local.aliased_service_agents[dep].iam_email
}
]
]
])
_cmek_bindings_grouped_by_agent = {
for binding in local._all_cmek_bindings : binding.agent_name => binding...
}
_cmek_members = merge([
for agent_name, bindings in local._cmek_bindings_grouped_by_agent : {
for i, binding in bindings : "key-${i}.${agent_name}" => {
key = binding.key_id
agent = binding.agent_email
}
}
]...)
}
resource "google_kms_crypto_key_iam_member" "service_agent_cmek" {
for_each = local._cmek_members
crypto_key_id = lookup(local.ctx.kms_keys, each.value.key, each.value.key)
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = each.value.agent
depends_on = [
google_project.project,
google_project_service.project_services,
google_project_service_identity.default,
google_project_iam_member.service_agents,
data.google_project.project,
data.google_bigquery_default_service_account.bq_sa,
data.google_storage_project_service_account.gcs_sa,
data.google_logging_project_settings.logging_sa
]
}
Reference in New Issue View Git Blame Copy Permalink