From 32eff9b9330e6c9bb683cfd75d0baf9d9798b7eb Mon Sep 17 00:00:00 2001
From: Jack Kelly
Date: Wed, 5 Feb 2020 19:30:41 +0000
Subject: [PATCH] feat: Add support for customer encryption keys (#34)

* Updated Requirements to match Compatibility section
* Added encryption block
The encryption block is dynamic to avoid adding an empty block. An empty encryption block results in terraform expecting changes every apply. Separate keys can be used for each bucket similar to versioning and force_destroy.
* Reworded disclaimer for unreachable lookup default
Co-Authored-By: Morgante Pell
* Reworded encryption variable to be more descriptive encryption => encryption_key_names
Co-authored-by: Morgante Pell
---
 README.md | 4 +++-
 main.tf | 17 +++++++++++++++++
 variables.tf | 5 +++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index aafc1225..66838e2d 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ Functional examples are included in the
 | bucket\_policy\_only | Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean | map | `` | no |
 | bucket\_viewers | Map of lowercase unprefixed name => comma-delimited IAM-style bucket viewers. | map | `` | no |
 | creators | IAM-style members who will be granted roles/storage.objectCreators on all buckets. | list | `` | no |
+| encryption\_key\_names | Optional map of lowercase unprefixed name => string, empty strings are ignored. | map | `` | no |
 | force\_destroy | Optional map of lowercase unprefixed name => boolean, defaults to false. | map | `` | no |
 | labels | Labels to be attached to the buckets | map | `` | no |
 | lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches_storage_class should be a comma delimited string. | object | `` | no | 
@@ -86,7 +87,8 @@ These sections describe requirements for using this module.
 
 The following dependencies must be available:
 
-- [Terraform][terraform] v0.11
+- [Terraform][terraform] v0.12
+  - For Terraform v0.11 see the [Compatibility](#compatibility) section above
 - [Terraform Provider for GCP][terraform-provider-gcp] plugin v2.0
 
 ### Service Account
diff --git a/main.tf b/main.tf
index 98b18fe8..3d2b49a5 100644
--- a/main.tf
+++ b/main.tf
@@ -42,6 +42,23 @@ resource "google_storage_bucket" "buckets" {
 false,
 )
 }
+# Having a permanent encryption block with default_kms_key_name = "" works but results in terraform applying a change every run
+# There is no enabled = false attribute available to ask terraform to ignore the block
+dynamic "encryption" {
+# If an encryption key name is set for this bucket name -> Create a single encryption block
+for_each = trimspace(lookup(var.encryption_key_names, lower(element(var.names, count.index)), "")) != "" ? [true] : []
+content {
+default_kms_key_name = trimspace(
+lookup(
+var.encryption_key_names,
+lower(element(var.names, count.index)),
+"Error retrieving kms key name", # Should be unreachable due to the for_each check
+# Omitting default is deprecated & can help show if there was a bug
+# https://www.terraform.io/docs/configuration/functions/lookup.html
+)
+)
+}
+}
 dynamic "lifecycle_rule" {
 for_each = var.lifecycle_rules
 content {
diff --git a/variables.tf b/variables.tf
index cc8a0b76..22570cdd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -47,6 +47,11 @@ variable "versioning" {
 default = {}
 }
 
+variable "encryption_key_names" {
+description = "Optional map of lowercase unprefixed name => string, empty strings are ignored."
+default = {}
+}
+
 variable "bucket_policy_only" {
 description = "Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean"
 default = {}
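Review bot: The new `dynamic "encryption"` block in main.tf documents why it is dynamic but not the operational preconditions that decide whether the apply succeeds, which is where users of a CMEK option usually get stuck. The project's Cloud Storage service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on each referenced key before the bucket is created or updated, and the key is expected as a full Cloud KMS resource name in a location compatible with the bucket's; neither the block nor the variable description says so, and a failure there surfaces only as a provider API error at apply time. A default KMS key also, as far as I know, governs objects written after it is set rather than re-encrypting existing objects, so enabling this on an existing bucket is not a retroactive change — worth stating next to the for_each comment, e.g. `# Requires the project's GCS service agent to have cloudkms.cryptoKeyEncrypterDecrypter on the key; applies to new objects only`. The enclosing `google_storage_bucket` resource starts before and continues after this hunk.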
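Review bot: `variable "encryption_key_names"` in variables.tf declares no `type`, so a non-string value (or a nested structure) would only be rejected when main.tf calls `trimspace` on it rather than at input validation; since the README already targets Terraform v0.12, `type        = map(string)` is available and would fail fast with a clear message. The neighbouring `versioning` and `bucket_policy_only` variables are untyped too, so this is consistent with the existing style, but a key resource name is a value worth constraining. The description could also say what the string is, e.g. `description = "Optional map of lowercase unprefixed name => Cloud KMS key resource name (projects/.../cryptoKeys/...), empty strings are ignored."`.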