

static kms keys
shuyama1 committed Dec 19, 2024
1 parent 37e4abb commit a2db0d7
Showing 7 changed files with 19 additions and 61 deletions.
10 changes: 6 additions & 4 deletions mmv1/products/bigquery/Job.yaml
Expand Up @@ -107,10 +107,11 @@ examples:
vars:
job_id: 'job_copy'
account_name: 'bqowner'
key_name: 'example-key'
keyring_name: 'example-keyring'
kms_key_name: 'example-key'
test_env_vars:
project: 'PROJECT_NAME'
test_vars_overrides:
'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "global", "tf-bootstrap-bigquery-job-key1").CryptoKey.Name'
ignore_read_extra:
- 'etag'
- 'status.0.state'
Expand All @@ -119,10 +120,11 @@ examples:
vars:
job_id: 'job_copy'
account_name: 'bqowner'
key_name: 'example-key'
keyring_name: 'example-keyring'
kms_key_name: 'example-key'
test_env_vars:
project: 'PROJECT_NAME'
test_vars_overrides:
'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "global", "tf-bootstrap-bigquery-job-key2").CryptoKey.Name'
ignore_read_extra:
- 'etag'
- 'copy.0.destination_table.0.table_id'
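Review bot: The new `kms_key_name: 'example-key'` var in both hunks of this file (and the same var in Batch.yaml) is, as far as I can tell from the mmv1 examples layout, the value the generated documentation substitutes for `kms_key_name` and `crypto_key_id` in the templates, while `test_vars_overrides` only affects the test. A bare `example-key` is not a valid Cloud KMS crypto key resource name, so where the docs previously showed a resource reference they will now show a string a reader cannot adapt directly. Consider a documentation-shaped placeholder such as `kms_key_name: 'projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key'` (a constructed example) and keep the acctest bootstrap expression in `test_vars_overrides` as done here.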
4 changes: 2 additions & 2 deletions mmv1/products/dataproc/Batch.yaml
Expand Up @@ -65,13 +65,13 @@ examples:
vars:
dataproc_batch: 'dataproc-batch'
prevent_destroy: 'true'
key_name: 'example-key'
keyring_name: 'example-keyring'
kms_key_name: 'example-key'
bucket_name: 'dataproc-bucket'
test_env_vars:
project_name: 'PROJECT_NAME'
test_vars_overrides:
'prevent_destroy': 'false'
'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-bigquery-job-key1").CryptoKey.Name'
ignore_read_extra:
- 'runtime_config.0.properties'
- name: 'dataproc_batch_sparksql'
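Review bot: The bootstrap key name in the added override, `tf-bootstrap-bigquery-job-key1`, looks copied from Job.yaml: it names a BigQuery job key but is used here for the Dataproc batch example, and in `us-central1` rather than `global`, so it is a different key from the BigQuery one with a name that suggests otherwise. Since these names are how later tests locate and share a bootstrapped key, a name that identifies the consumer, e.g. `'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-dataproc-batch-key1").CryptoKey.Name'`, would make reuse and cleanup easier to reason about. Also check that the `key_name` and `keyring_name` vars removed here are not still read by `{{index $.Vars ...}}` in the batch template, whose `google_kms_crypto_key.crypto_key` resource is not removed by this commit.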
3 changes: 1 addition & 2 deletions mmv1/products/metastore/Service.yaml
Expand Up @@ -71,8 +71,7 @@ examples:
primary_resource_id: 'default'
vars:
metastore_service_name: 'example-service'
key_name: 'example-key'
keyring_name: 'example-keyring'
'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-metastore-service-key1").CryptoKey.Name'
exclude_docs: true
skip_vcr: true
- name: 'dataproc_metastore_service_cmek_example'
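Review bot: The single line added in this hunk, `'kms_key_name': 'acctest.BootstrapKMSKeyWithPurposeInLocationAndName(...)'`, appears to sit under `vars:` in place of the removed `key_name`/`keyring_name`, with no `test_vars_overrides:` key added alongside it (the rendering drops indentation, so this is inferred from the one-addition count and the surrounding lines). In Job.yaml and Batch.yaml the same expression is placed under `test_vars_overrides:`, where it is evaluated as Go in the generated test; under `vars:` it would reach the template as the literal string and the resulting `kms_key` would be invalid. Unless a `test_vars_overrides:` block already exists for this example outside the hunk, the fix is a `test_vars_overrides:` line followed by the quoted key, matching the other two YAML files. With `exclude_docs: true` on this example no docs placeholder is needed, but the template's `{{index $.Vars "kms_key_name"}}` still has to resolve in the test.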
16 changes: 3 additions & 13 deletions mmv1/templates/terraform/examples/bigquery_job_copy.tf.tmpl
Expand Up @@ -66,7 +66,7 @@ resource "google_bigquery_table" "dest" {
EOF

encryption_configuration {
kms_key_name = google_kms_crypto_key.crypto_key.id
kms_key_name = "{{index $.Vars "kms_key_name"}}"
}

depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
Expand All @@ -79,22 +79,12 @@ resource "google_bigquery_dataset" "dest" {
location = "US"
}

resource "google_kms_crypto_key" "crypto_key" {
name = "{{index $.Vars "key_name"}}"
key_ring = google_kms_key_ring.key_ring.id
}

resource "google_kms_key_ring" "key_ring" {
name = "{{index $.Vars "keyring_name"}}"
location = "global"
}

data "google_project" "project" {
project_id = "{{index $.TestEnvVars "project"}}"
}

resource "google_kms_crypto_key_iam_member" "encrypt_role" {
crypto_key_id = google_kms_crypto_key.crypto_key.id
crypto_key_id = "{{index $.Vars "kms_key_name"}}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
}
Expand Down Expand Up @@ -122,7 +112,7 @@ resource "google_bigquery_job" "{{$.PrimaryResourceId}}" {
}

destination_encryption_configuration {
kms_key_name = google_kms_crypto_key.crypto_key.id
kms_key_name = "{{index $.Vars "kms_key_name"}}"
}
}

Expand Up @@ -67,7 +67,7 @@ resource "google_bigquery_table" "dest" {
EOF

encryption_configuration {
kms_key_name = google_kms_crypto_key.crypto_key.id
kms_key_name = "{{index $.Vars "kms_key_name"}}"
}

depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
Expand All @@ -80,22 +80,12 @@ resource "google_bigquery_dataset" "dest" {
location = "US"
}

resource "google_kms_crypto_key" "crypto_key" {
name = "{{index $.Vars "key_name"}}"
key_ring = google_kms_key_ring.key_ring.id
}

resource "google_kms_key_ring" "key_ring" {
name = "{{index $.Vars "keyring_name"}}"
location = "global"
}

data "google_project" "project" {
project_id = "{{index $.TestEnvVars "project"}}"
}

resource "google_kms_crypto_key_iam_member" "encrypt_role" {
crypto_key_id = google_kms_crypto_key.crypto_key.id
crypto_key_id = "{{index $.Vars "kms_key_name"}}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
}
Expand All @@ -117,7 +107,7 @@ resource "google_bigquery_job" "{{$.PrimaryResourceId}}" {
}

destination_encryption_configuration {
kms_key_name = google_kms_crypto_key.crypto_key.id
kms_key_name = "{{index $.Vars "kms_key_name"}}"
}
}

Expand Up @@ -18,7 +18,7 @@ resource "google_dataproc_batch" "{{$.PrimaryResourceId}}" {
execution_config {
ttl = "3600s"
network_tags = ["tag1"]
kms_key = google_kms_crypto_key.crypto_key.id
kms_key = "{{index $.Vars "kms_key_name"}}"
network_uri = "default"
service_account = "${data.google_project.project.number}[email protected]"
staging_bucket = google_storage_bucket.bucket.name
Expand Down Expand Up @@ -55,17 +55,6 @@ resource "google_kms_crypto_key" "crypto_key" {
purpose = "ENCRYPT_DECRYPT"
}

resource "google_kms_key_ring" "key_ring" {
name = "{{index $.Vars "keyring_name"}}"
location = "us-central1"
}

resource "google_kms_crypto_key_iam_member" "crypto_key_member_1" {
crypto_key_id = google_kms_crypto_key.crypto_key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@dataproc-accounts.iam.gserviceaccount.com"
}

resource "google_dataproc_cluster" "basic" {
name = "{{index $.Vars "dataproc_batch"}}"
region = "us-central1"
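Review bot: This hunk deletes `google_kms_key_ring.key_ring` and the `crypto_key_member_1` grant, but the `google_kms_crypto_key.crypto_key` resource whose closing lines (`purpose = "ENCRYPT_DECRYPT"` and `}`) form the context at the top of the hunk is not removed, and the region between the two hunks is unchanged (old and new numbering both resume at 55), so its body is untouched. If that body still reads `google_kms_key_ring.key_ring.id` and `{{index $.Vars "key_name"}}` as the other templates did, the example no longer plans and the template no longer renders, since `key_name` was also dropped from Batch.yaml; the whole resource should go now that `kms_key` is the bootstrapped key. Separately, the other templates in this commit keep their `google_kms_crypto_key_iam_member` and repoint it at the bootstrapped key, whereas here the `roles/cloudkms.cryptoKeyEncrypterDecrypter` grant for the Dataproc service agent is deleted outright; unless the bootstrap helper already grants it, batch creation would fail on key access, so the member should be kept with `crypto_key_id = "{{index $.Vars "kms_key_name"}}"`.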
Expand Up @@ -8,7 +8,7 @@ resource "google_dataproc_metastore_service" "{{$.PrimaryResourceId}}" {
location = "us-central1"

encryption_config {
kms_key = google_kms_crypto_key.crypto_key.id
kms_key = "{{index $.Vars "kms_key_name"}}"
}

hive_metastore_config {
Expand All @@ -21,27 +21,15 @@ resource "google_dataproc_metastore_service" "{{$.PrimaryResourceId}}" {
]
}

resource "google_kms_crypto_key" "crypto_key" {
name = "{{index $.Vars "key_name"}}"
key_ring = google_kms_key_ring.key_ring.id

purpose = "ENCRYPT_DECRYPT"
}

resource "google_kms_key_ring" "key_ring" {
name = "{{index $.Vars "keyring_name"}}"
location = "us-central1"
}

resource "google_kms_crypto_key_iam_member" "crypto_key_member_1" {
crypto_key_id = google_kms_crypto_key.crypto_key.id
crypto_key_id = "{{index $.Vars "kms_key_name"}}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-metastore.iam.gserviceaccount.com"
}

resource "google_kms_crypto_key_iam_member" "crypto_key_member_2" {
crypto_key_id = google_kms_crypto_key.crypto_key.id
crypto_key_id = "{{index $.Vars "kms_key_name"}}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

member = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
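Review bot: Nothing orders the `google_dataproc_metastore_service` creation after the two `roles/cloudkms.cryptoKeyEncrypterDecrypter` grants now that both sides reference the key only as the literal `{{index $.Vars "kms_key_name"}}` string; no `depends_on` is visible in either hunk, though the service block's collapsed lines 15–20 could hold one. The BigQuery template in this commit pins the same relationship with `depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]`; the equivalent here would be `depends_on = [google_kms_crypto_key_iam_member.crypto_key_member_1, google_kms_crypto_key_iam_member.crypto_key_member_2]` inside the service block. The ordering was already absent before this change; it is worth fixing while both blocks are being edited, since IAM propagation on a key that is now shared across tests is the remaining source of create-time failures here.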
