feat: parametrize prevent_destroy for project key

4-projects/business_unit_3/shared/README.md

@@ -11,6 +11,7 @@
 | keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no |
 | location\_gcs | Case-Sensitive Location for GCS Bucket | `string` | `"US"` | no |
 | location\_kms | Case-Sensitive Location for KMS Keyring | `string` | `"us"` | no |
+| prevent\_destroy | Prevent Project Key destruction. | `bool` | `true` | no |
 | project\_budget | Budget configuration.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    budget_amount        = optional(number, 1000)<br>    alert_spent_percents = optional(list(number), [1.2])<br>    alert_pubsub_topic   = optional(string, null)<br>    alert_spend_basis    = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |

4-projects/business_unit_3/shared/ml_infra_projects.tf

@@ -32,4 +32,5 @@ module "ml_infra_project" {
   artifacts_infra_pipeline_sa            = module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]
   service_catalog_infra_pipeline_sa      = module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]
   environment_kms_project_id             = ""
+  prevent_destroy                        = var.prevent_destroy
 }

4-projects/business_unit_3/shared/variables.tf

@@ -87,3 +87,9 @@ variable "cloud_source_artifacts_repo_name" {
   description = "Name to give the could source repository for Artifacts"
   type        = string
 }
+
+variable "prevent_destroy" {
+  description = "Prevent Project Key destruction."
+  type        = bool
+  default     = true
+}

4-projects/modules/ml_infra_projects/artifacts_project.tf

@@ -57,6 +57,7 @@ module "app_infra_artifacts_project" {
   business_code              = var.business_code
   environment_kms_project_id = var.environment_kms_project_id
   project_name               = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.artifacts_project_suffix}"
+  prevent_destroy            = var.prevent_destroy
 }
 
 resource "google_kms_crypto_key_iam_member" "ml_key" {

4-projects/modules/ml_infra_projects/locals.tf

@@ -1,3 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 locals {
   env_code = element(split("", var.environment), 0)
-}
+}

4-projects/modules/ml_infra_projects/service_catalog_project.tf

@@ -55,6 +55,7 @@ module "app_service_catalog_project" {
   business_code              = var.business_code
   environment_kms_project_id = var.environment_kms_project_id
   project_name               = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.service_catalog_project_suffix}"
+  prevent_destroy            = var.prevent_destroy
 }
 
 resource "google_kms_crypto_key_iam_member" "sc_key" {

4-projects/modules/ml_infra_projects/variables.tf

@@ -179,3 +179,8 @@ variable "environment_kms_project_id" {
   description = "Environment level KMS Project ID."
   type        = string
 }
+
+variable "prevent_destroy" {
+  description = "Prevent Project Key destruction."
+  type        = bool
+}

4-projects/modules/ml_kms_key/main.tf

@@ -0,0 +1,43 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  ephemeral_keys_for_each = var.prevent_destroy ? [] : var.key_rings
+  keys_for_each           = var.prevent_destroy ? var.key_rings : []
+  output_keys             = var.prevent_destroy ? { for k, v in google_kms_crypto_key.kms_keys : split("/", k)[3] => v } : { for k, v in google_kms_crypto_key.ephemeral_kms_keys : split("/", k)[3] => v }
+}
+
+resource "google_kms_crypto_key" "ephemeral_kms_keys" {
+  for_each = toset(local.ephemeral_keys_for_each)
+
+  name            = var.project_name
+  key_ring        = each.key
+  rotation_period = var.key_rotation_period
+  lifecycle {
+    prevent_destroy = false
+  }
+}
+
+resource "google_kms_crypto_key" "kms_keys" {
+  for_each = toset(local.keys_for_each)
+
+  name            = var.project_name
+  key_ring        = each.key
+  rotation_period = var.key_rotation_period
+  lifecycle {
+    prevent_destroy = true
+  }
+}

4-projects/modules/ml_kms_key/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kms_keys" {
+  description = "Keys created for the project."
+  value       = local.output_keys
+}

4-projects/modules/ml_kms_key/variables.tf

@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_rings" {
+  description = "Keyrings to attach project key to."
+  type        = list(string)
+}
+
+variable "project_name" {
+  description = "Project Name."
+  type        = string
+}
+
+variable "key_rotation_period" {
+  description = "Rotation period in seconds to be used for KMS Key."
+  type        = string
+  default     = "7776000s"
+}
+
+variable "prevent_destroy" {
+  description = "Prevent Key destruction."
+  type        = bool
+}

4-projects/modules/ml_kms_key/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.3"
+}

4-projects/modules/ml_single_project/README.md

@@ -21,6 +21,7 @@ Create and manage a Google Cloud project with various configurations and roles r
 | key\_rings | Keyrings to attach project key to | `list(string)` | n/a | yes |
 | key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
+| prevent\_destroy | Prevent Key destruction. | `bool` | n/a | yes |
 | primary\_contact | The primary email contact for the project | `string` | n/a | yes |
 | project\_budget | Budget configuration.<br>  budget\_amount: The amount to use as the budget.<br>  alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.<br>  alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.<br>  alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | <pre>object({<br>    budget_amount        = optional(number, 1000)<br>    alert_spent_percents = optional(list(number), [1.2])<br>    alert_pubsub_topic   = optional(string, null)<br>    alert_spend_basis    = optional(string, "FORECASTED_SPEND")<br>  })</pre> | `{}` | no |
 | project\_name | Project Name. | `string` | n/a | yes |
@@ -41,7 +42,7 @@ Create and manage a Google Cloud project with various configurations and roles r
 | Name | Description |
 |------|-------------|
 | enabled\_apis | VPC Service Control services. |
-| kms\_keys | keys created for the project |
+| kms\_keys | Keys created for the project. |
 | project\_id | Project sample project id. |
 | project\_name | Name of the Project. |
 | project\_number | Project sample project number. |

4-projects/modules/ml_single_project/main.tf

@@ -123,14 +123,12 @@ resource "google_compute_subnetwork_iam_member" "account_role_to_vpc_subnets" {
 }
 
 // Add key for project
-resource "google_kms_crypto_key" "kms_keys" {
-  for_each        = toset(var.key_rings)
-  name            = module.project.project_name
-  key_ring        = each.key
-  rotation_period = var.key_rotation_period
-  lifecycle {
-    prevent_destroy = false
-  }
+module "kms_keys" {
+  source              = "../ml_kms_key"
+  key_rings           = var.key_rings
+  key_rotation_period = var.key_rotation_period
+  project_name        = module.project.project_name
+  prevent_destroy     = var.prevent_destroy
 }
 
 // Add crypto key viewer role to kms environment project

4-projects/modules/ml_single_project/outputs.tf

@@ -40,6 +40,6 @@ output "project_name" {
 }
 
 output "kms_keys" {
-  description = "keys created for the project"
-  value       = { for k, v in google_kms_crypto_key.kms_keys : split("/", k)[3] => v }
+  description = "Keys created for the project."
+  value       = module.kms_keys.kms_keys
 }

4-projects/modules/ml_single_project/variables.tf

@@ -180,3 +180,8 @@ variable "project_name" {
   description = "Project Name."
   type        = string
 }
+
+variable "prevent_destroy" {
+  description = "Prevent Key destruction."
+  type        = bool
+}