Feat: Encrypt bucket with CMEK (#325)

terraform-google-modules · Jul 9, 2024 · 07e3a4e · 07e3a4e
1 parent 0856434
commit 07e3a4e
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 8 deletions.
diff --git a/examples/simple_bucket/main.tf b/examples/simple_bucket/main.tf
@@ -42,5 +42,6 @@ module "bucket" {
     member = "group:[email protected]"
   }]
 
-  autoclass = true
+  autoclass  = true
+  encryption = { default_kms_key_name = null }
 }
diff --git a/modules/simple_bucket/README.md b/modules/simple_bucket/README.md
@@ -42,7 +42,7 @@ Functional examples are included in the
 | bucket\_policy\_only | Enables Bucket Policy Only access to a bucket. | `bool` | `true` | no |
 | cors | Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. | `any` | `[]` | no |
 | custom\_placement\_config | Configuration of the bucket's custom location in a dual-region bucket setup. If the bucket is designated a single or multi-region, the variable are null. | <pre>object({<br>    data_locations = list(string)<br>  })</pre> | `null` | no |
-| encryption | A Cloud KMS key that will be used to encrypt objects inserted into this bucket | <pre>object({<br>    default_kms_key_name = string<br>  })</pre> | `null` | no |
+| encryption | A Cloud KMS key that will be used to encrypt objects inserted into this bucket. If default\_kms\_key\_name is set to 'null' a new keyring and key pair will be created and used to encrypt bucket using CMEK. | <pre>object({<br>    default_kms_key_name = string<br>  })</pre> | `null` | no |
 | force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no |
 | iam\_members | The list of IAM members to grant permissions on the bucket. | <pre>list(object({<br>    role   = string<br>    member = string<br>  }))</pre> | `[]` | no |
 | labels | A set of key/value label pairs to assign to the bucket. | `map(string)` | `null` | no |

diff --git a/modules/simple_bucket/main.tf b/modules/simple_bucket/main.tf
@@ -43,7 +43,7 @@ resource "google_storage_bucket" "bucket" {
   dynamic "encryption" {
     for_each = var.encryption == null ? [] : [var.encryption]
     content {
-      default_kms_key_name = var.encryption.default_kms_key_name
+      default_kms_key_name = var.encryption.default_kms_key_name != null ? var.encryption.default_kms_key_name : module.encryption_key[0].keys[var.name]
     }
   }
 
@@ -120,3 +120,22 @@ resource "google_storage_bucket_iam_member" "members" {
   role   = each.value.role
   member = each.value.member
 }
+
+data "google_storage_project_service_account" "gcs_account" {
+  project = var.project_id
+}
+
+module "encryption_key" {
+  count              = var.encryption == null ? 0 : (var.encryption.default_kms_key_name == null ? 1 : 0)
+  source             = "terraform-google-modules/kms/google"
+  version            = "~> 2.0"
+  project_id         = var.project_id
+  location           = var.location
+  keyring            = var.name
+  prevent_destroy    = false
+  keys               = [var.name]
+  set_decrypters_for = [var.name]
+  set_encrypters_for = [var.name]
+  decrypters         = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+  encrypters         = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+}
diff --git a/modules/simple_bucket/variables.tf b/modules/simple_bucket/variables.tf
@@ -99,7 +99,7 @@ variable "cors" {
 }
 
 variable "encryption" {
-  description = "A Cloud KMS key that will be used to encrypt objects inserted into this bucket"
+  description = "A Cloud KMS key that will be used to encrypt objects inserted into this bucket. If default_kms_key_name is set to 'null' a new keyring and key pair will be created and used to encrypt bucket using CMEK."
   type = object({
     default_kms_key_name = string
   })

diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -16,8 +16,9 @@
 
 locals {
   int_required_roles = [
-    "roles/storage.admin",
+    "roles/cloudkms.admin",
     "roles/iam.serviceAccountUser",
+    "roles/storage.admin",
   ]
 }
 

diff --git a/test/setup/main.tf b/test/setup/main.tf
@@ -25,10 +25,11 @@ module "project" {
   billing_account   = var.billing_account
 
   activate_apis = [
-    "iam.googleapis.com",
-    "storage-api.googleapis.com",
+    "cloudkms.googleapis.com",
     "cloudresourcemanager.googleapis.com",
     "compute.googleapis.com",
-    "serviceusage.googleapis.com"
+    "iam.googleapis.com",
+    "serviceusage.googleapis.com",
+    "storage-api.googleapis.com",
   ]
 }