Added support for CMEK in alloydb cluster and automated backup #7781

Merged
merged 49 commits into from
Apr 26, 2023
Merged
5a168b6
Merge pull request #1 from GoogleCloudPlatform/main
ravisiddhu Dec 5, 2022
98f5908
Added validation for "type" in cloud_sql_user_resource for preventing…
ravisiddhu Dec 5, 2022
3061b1d
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Dec 12, 2022
d11bed2
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Dec 13, 2022
8048bf8
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Dec 15, 2022
58019ac
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Dec 23, 2022
a485a52
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Dec 28, 2022
02591f4
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 2, 2023
e4c2489
Removed validation and added documentation to prevent setting of host…
ravisiddhu Jan 4, 2023
cfae3b9
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 4, 2023
dfd9ff9
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 6, 2023
ff4a378
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 9, 2023
75e9296
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 10, 2023
6cf178e
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 11, 2023
1ee0fc9
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 16, 2023
5019e13
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 18, 2023
91ab93b
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 23, 2023
937e05b
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Jan 31, 2023
0f1f118
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Feb 1, 2023
fa46861
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Feb 14, 2023
9112cc7
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Feb 20, 2023
d2d5617
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Feb 22, 2023
bd8c2a5
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Feb 28, 2023
7ad591d
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Mar 1, 2023
c155e13
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Mar 14, 2023
f5e7885
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Mar 20, 2023
14f5297
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Mar 23, 2023
e8aa075
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Mar 27, 2023
1c9cbfe
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Mar 28, 2023
ad136ed
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Mar 28, 2023
de0135b
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 3, 2023
48e7922
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 3, 2023
91ee61b
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 4, 2023
f10b0f3
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 10, 2023
af7927a
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 12, 2023
ad0a59b
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 14, 2023
b054c71
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 17, 2023
988ae12
Merge branch 'GoogleCloudPlatform:main' into main
ravisiddhu Apr 18, 2023
be83a1f
Added support for CMEK in alloydb cluster and automated backup.
ravisiddhu Apr 20, 2023
08ff360
Merge branch 'alloydb-kms' of https://github.com/ravisiddhu/magic-mod…
ravisiddhu Apr 20, 2023
cf08775
Merge branch 'GoogleCloudPlatform:main' into alloydb-kms
ravisiddhu Apr 21, 2023
bc37d89
Merge branch 'GoogleCloudPlatform:main' into alloydb-kms
ravisiddhu Apr 24, 2023
66a67aa
Merge branch 'main' into alloydb-kms
ravisiddhu Apr 25, 2023
cfbea7f
Merge branch 'GoogleCloudPlatform:main' into alloydb-kms
ravisiddhu Apr 25, 2023
b1d48ce
Merge branch 'main' into alloydb-kms
ravisiddhu Apr 25, 2023
2b835d9
Merge branch 'alloydb-kms' of https://github.com/ravisiddhu/magic-mod…
ravisiddhu Apr 25, 2023
a46eb5c
Merge branch 'GoogleCloudPlatform:main' into alloydb-kms
ravisiddhu Apr 26, 2023
857c785
Merge branch 'alloydb-kms' of https://github.com/ravisiddhu/magic-mod…
ravisiddhu Apr 25, 2023
d5c2da5
Merge branch 'alloydb-kms' of https://github.com/ravisiddhu/magic-mod…
ravisiddhu Apr 26, 2023
30 changes: 30 additions & 0 deletions mmv1/products/alloydb/Cluster.yaml
Expand Up @@ -89,6 +89,36 @@ properties:
- !ruby/object:Api::Type::KeyValuePairs
name: 'labels'
description: 'User-defined labels for the alloydb cluster.'
- !ruby/object:Api::Type::NestedObject
name: "encryptionConfig"
description: |
EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key).
properties:
- !ruby/object:Api::Type::String
name: "kmsKeyName"
description: |
The fully-qualified resource name of the KMS key. Each Cloud KMS key is regionalized and has the following format: projects/[PROJECT]/locations/[REGION]/keyRings/[RING]/cryptoKeys/[KEY_NAME].
immutable: true
- !ruby/object:Api::Type::NestedObject
name: "encryptionInfo"
description: |
EncryptionInfo describes the encryption information of a cluster or a backup.
output: true
properties:
- !ruby/object:Api::Type::Enum
name: 'encryptionType'
description: "Output only. Type of encryption."
values:
- :TYPE_UNSPECIFIED
- :GOOGLE_DEFAULT_ENCRYPTION
- :CUSTOMER_MANAGED_ENCRYPTION
output: true
- !ruby/object:Api::Type::Array
name: kmsKeyVersions
item_type: Api::Type::String
description: |
Output only. Cloud KMS key versions that are being used to protect the database or the backup.
output: true
- !ruby/object:Api::Type::String
name: 'network'
required: true
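Review bot: The `kmsKeyName` description gives the key's resource-name format but not the IAM prerequisite that the accompanying acceptance test encodes — the AlloyDB service agent has to hold `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key before the cluster or its backups can use it, and a missing grant would presumably surface only as an apply-time error rather than at plan. I would append to the description: `The AlloyDB service agent must be granted roles/cloudkms.cryptoKeyEncrypterDecrypter on this key before it is referenced here.` Two points of style: `name: kmsKeyVersions` is the only unquoted `name` in the hunk, and the new fields mix single- and double-quoted names, so pick one form. Whether `encryptionConfig` itself, and not only the inner `kmsKeyName`, should carry `immutable: true` so that adding or removing the block after creation forces replacement is worth confirming against the API's update behaviour, since the hunk marks only the string field.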
281 changes: 281 additions & 0 deletions mmv1/third_party/terraform/tests/resource_alloydb_cluster_test.go
Expand Up @@ -460,3 +460,284 @@ resource "google_compute_network" "default" {
}
`, context)
}
func TestAccAlloydbCluster_usingCMEK(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"random_suffix": RandString(t, 10),
"key_name": "tf-test-key-" + RandString(t, 10),
}

VcrTest(t, resource.TestCase{
PreCheck: func() { AccTestPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckAlloydbClusterDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccAlloydbCluster_usingCMEK(context),
},
{
ResourceName: "google_alloydb_cluster.default",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"cluster_id", "location"},
},
},
})
}

func testAccAlloydbCluster_usingCMEK(context map[string]interface{}) string {
return Nprintf(`
resource "google_alloydb_cluster" "default" {
cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
location = "us-central1"
network = "projects/${data.google_project.project.number}/global/networks/${google_compute_network.default.name}"
encryption_config {
kms_key_name = google_kms_crypto_key.key.id
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
}
resource "google_compute_network" "default" {
name = "tf-test-alloydb-cluster%{random_suffix}"
}
data "google_project" "project" {}
resource "google_kms_key_ring" "keyring" {
name = "%{key_name}"
location = "us-central1"
}
resource "google_kms_crypto_key" "key" {
name = "%{key_name}"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
}
`, context)
}

func TestAccAlloydbCluster_CMEKInAutomatedBackupIsUpdatable(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"random_suffix": RandString(t, 10),
"key_name": "tf-test-key-" + RandString(t, 10),
}

VcrTest(t, resource.TestCase{
PreCheck: func() { AccTestPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckAlloydbClusterDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccAlloydbCluster_usingCMEKInClusterAndAutomatedBackup(context),
},
{
ResourceName: "google_alloydb_cluster.default",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"cluster_id", "location"},
},
{
Config: testAccAlloydbCluster_updateCMEKInAutomatedBackup(context),
},
{
ResourceName: "google_alloydb_cluster.default",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"cluster_id", "location"},
},
{
Config: testAccAlloydbCluster_usingCMEKallowDeletion(context),
},
{
ResourceName: "google_alloydb_cluster.default",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"cluster_id", "location"},
},
},
})
}

func testAccAlloydbCluster_usingCMEKInClusterAndAutomatedBackup(context map[string]interface{}) string {
return Nprintf(`
resource "google_alloydb_cluster" "default" {
cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
location = "us-central1"
network = "projects/${data.google_project.project.number}/global/networks/${google_compute_network.default.name}"
encryption_config {
kms_key_name = google_kms_crypto_key.key.id
}
automated_backup_policy {
location = "us-central1"
backup_window = "1800s"
enabled = true
encryption_config {
kms_key_name = google_kms_crypto_key.key.id
}
time_based_retention {
retention_period = "510s"
}
}
lifecycle {
prevent_destroy = true
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
}
resource "google_compute_network" "default" {
name = "tf-test-alloydb-cluster%{random_suffix}"
}
data "google_project" "project" {}
resource "google_kms_key_ring" "keyring" {
name = "%{key_name}"
location = "us-central1"
}
resource "google_kms_crypto_key" "key" {
name = "%{key_name}"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
}
`, context)
}

func testAccAlloydbCluster_updateCMEKInAutomatedBackup(context map[string]interface{}) string {
return Nprintf(`
resource "google_alloydb_cluster" "default" {
cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
location = "us-central1"
network = "projects/${data.google_project.project.number}/global/networks/${google_compute_network.default.name}"
encryption_config {
kms_key_name = google_kms_crypto_key.key.id
}
automated_backup_policy {
location = "us-central1"
backup_window = "1800s"
enabled = true
encryption_config {
kms_key_name = google_kms_crypto_key.key2.id
}
time_based_retention {
retention_period = "510s"
}
}
lifecycle {
prevent_destroy = true
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
}
resource "google_compute_network" "default" {
name = "tf-test-alloydb-cluster%{random_suffix}"
}
data "google_project" "project" {}
resource "google_kms_key_ring" "keyring" {
name = "%{key_name}"
location = "us-central1"
}
resource "google_kms_crypto_key" "key" {
name = "%{key_name}"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key" "key2" {
name = "%{key_name}-2"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
}
resource "google_kms_crypto_key_iam_binding" "crypto_key2" {
crypto_key_id = google_kms_crypto_key.key2.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
}
`, context)
}

func testAccAlloydbCluster_usingCMEKallowDeletion(context map[string]interface{}) string {
return Nprintf(`
resource "google_alloydb_cluster" "default" {
cluster_id = "tf-test-alloydb-cluster%{random_suffix}"
location = "us-central1"
network = "projects/${data.google_project.project.number}/global/networks/${google_compute_network.default.name}"
encryption_config {
kms_key_name = google_kms_crypto_key.key.id
}
automated_backup_policy {
location = "us-central1"
backup_window = "1800s"
enabled = true
encryption_config {
kms_key_name = google_kms_crypto_key.key2.id
}
time_based_retention {
retention_period = "510s"
}
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
}
resource "google_compute_network" "default" {
name = "tf-test-alloydb-cluster%{random_suffix}"
}
data "google_project" "project" {}
resource "google_kms_key_ring" "keyring" {
name = "%{key_name}"
location = "us-central1"
}
resource "google_kms_crypto_key" "key" {
name = "%{key_name}"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key" "key2" {
name = "%{key_name}-2"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
}
resource "google_kms_crypto_key_iam_binding" "crypto_key2" {
crypto_key_id = google_kms_crypto_key.key2.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
}
`, context)
}
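Review bot: In `testAccAlloydbCluster_updateCMEKInAutomatedBackup` and `testAccAlloydbCluster_usingCMEKallowDeletion` the automated backup policy switches to `google_kms_crypto_key.key2`, but `depends_on` still lists only `google_kms_crypto_key_iam_binding.crypto_key`, so Terraform may apply the cluster update before the `crypto_key2` binding exists and the step can fail intermittently on a KMS permission error. Change both lines to `depends_on = [google_kms_crypto_key_iam_binding.crypto_key, google_kms_crypto_key_iam_binding.crypto_key2]`. The test steps only round-trip state through import and never assert that CMEK actually took effect; adding `Check: resource.TestCheckResourceAttr("google_alloydb_cluster.default", "encryption_info.0.encryption_type", "CUSTOMER_MANAGED_ENCRYPTION")` to the first Config step of each test would pin the server-reported encryption type (attribute path as generated from the YAML field names — confirm). The four config helpers repeat the same network, project, key ring, key and IAM-binding boilerplate; factoring the shared KMS setup into one helper string would make the per-step differences (which key the backup policy uses, `prevent_destroy`) visible at a glance.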