diff --git a/4-projects/business_unit_3/shared/README.md b/4-projects/business_unit_3/shared/README.md
index cfcdd22c..b65cb8a9 100644
--- a/4-projects/business_unit_3/shared/README.md
+++ b/4-projects/business_unit_3/shared/README.md
@@ -11,6 +11,7 @@
| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no |
| location\_gcs | Case-Sensitive Location for GCS Bucket | `string` | `"US"` | no |
| location\_kms | Case-Sensitive Location for KMS Keyring | `string` | `"us"` | no |
+| prevent\_destroy | Prevent Project Key destruction. | `bool` | `true` | no |
| project\_budget | Budget configuration.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). |
object({| `{}` | no |
 | remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
 | tfc\_org\_name | Name of the TFC organization | `string` | `""` | no |
diff --git a/4-projects/business_unit_3/shared/ml_infra_projects.tf b/4-projects/business_unit_3/shared/ml_infra_projects.tf
index 94e8a655..acc9abea 100644
--- a/4-projects/business_unit_3/shared/ml_infra_projects.tf
+++ b/4-projects/business_unit_3/shared/ml_infra_projects.tf
@@ -32,4 +32,5 @@ module "ml_infra_project" {
 artifacts_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]
 service_catalog_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]
 environment_kms_project_id = ""
+ prevent_destroy = var.prevent_destroy
 }
diff --git a/4-projects/business_unit_3/shared/variables.tf b/4-projects/business_unit_3/shared/variables.tf
index d06456fd..7efc60d6 100644
--- a/4-projects/business_unit_3/shared/variables.tf
+++ b/4-projects/business_unit_3/shared/variables.tf
@@ -87,3 +87,9 @@ variable "cloud_source_artifacts_repo_name" {
 description = "Name to give the could source repository for Artifacts"
 type = string
 }
+
+variable "prevent_destroy" {
+ description = "Prevent Project Key destruction."
+ type = bool
+ default = true
+}
diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf
index 29763a6b..5eaac184 100644
--- a/4-projects/modules/ml_infra_projects/artifacts_project.tf
+++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf
@@ -57,6 +57,7 @@ module "app_infra_artifacts_project" {
 business_code = var.business_code
 environment_kms_project_id = var.environment_kms_project_id
 project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.artifacts_project_suffix}"
+ prevent_destroy = var.prevent_destroy
 }
 resource "google_kms_crypto_key_iam_member" "ml_key" {
diff --git a/4-projects/modules/ml_infra_projects/locals.tf b/4-projects/modules/ml_infra_projects/locals.tf
index 95f2f96f..32210121 100644
--- a/4-projects/modules/ml_infra_projects/locals.tf
+++ b/4-projects/modules/ml_infra_projects/locals.tf
@@ -1,3 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 locals {
 env_code = element(split("", var.environment), 0)
-}
\ No newline at end of file
+}
diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf
index e8fc2d07..98794cdc 100644
--- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf
+++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf
@@ -55,6 +55,7 @@ module "app_service_catalog_project" {
 business_code = var.business_code
 environment_kms_project_id = var.environment_kms_project_id
 project_name = "${var.project_prefix}-${local.env_code}-${var.business_code}${local.service_catalog_project_suffix}"
+ prevent_destroy = var.prevent_destroy
 }
 resource "google_kms_crypto_key_iam_member" "sc_key" {
diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf
index 5984c23e..1032ea98 100644
--- a/4-projects/modules/ml_infra_projects/variables.tf
+++ b/4-projects/modules/ml_infra_projects/variables.tf
@@ -179,3 +179,8 @@ variable "environment_kms_project_id" {
 description = "Environment level KMS Project ID."
 type = string
 }
+
+variable "prevent_destroy" {
+ description = "Prevent Project Key destruction."
+ type = bool
+}
diff --git a/4-projects/modules/ml_kms_key/main.tf b/4-projects/modules/ml_kms_key/main.tf
new file mode 100644
index 00000000..084303d8
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/main.tf
@@ -0,0 +1,43 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ ephemeral_keys_for_each = var.prevent_destroy ? [] : var.key_rings
+ keys_for_each = var.prevent_destroy ? var.key_rings : []
+ output_keys = var.prevent_destroy ? { for k, v in google_kms_crypto_key.kms_keys : split("/", k)[3] => v } : { for k, v in google_kms_crypto_key.ephemeral_kms_keys : split("/", k)[3] => v }
+}
+
+resource "google_kms_crypto_key" "ephemeral_kms_keys" {
+ for_each = toset(local.ephemeral_keys_for_each)
+
+ name = var.project_name
+ key_ring = each.key
+ rotation_period = var.key_rotation_period
+ lifecycle {
+ prevent_destroy = false
+ }
+}
+
+resource "google_kms_crypto_key" "kms_keys" {
+ for_each = toset(local.keys_for_each)
+
+ name = var.project_name
+ key_ring = each.key
+ rotation_period = var.key_rotation_period
+ lifecycle {
+ prevent_destroy = true
+ }
+}
diff --git a/4-projects/modules/ml_kms_key/outputs.tf b/4-projects/modules/ml_kms_key/outputs.tf
new file mode 100644
index 00000000..b456923a
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/outputs.tf
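Review bot: Changing `var.prevent_destroy` on an already-applied deployment does not toggle the lifecycle flag of the existing key; because the two blocks have different resource addresses (`kms_keys` vs `ephemeral_kms_keys`), the plan becomes a destroy of one and a create of the other, i.e. a replacement key with new key material. Going true→false the destroy is refused by `prevent_destroy = true` and the apply fails until the key is removed from state by hand; going false→true the old key is destroyed and, as far as I recall the provider's delete behaviour, its versions are destroyed with it, so ciphertext under them becomes unrecoverable. I would say this above the `locals` block, e.g. `# NOTE: prevent_destroy selects between two resource addresses; changing it after the first apply replaces the key instead of toggling the lifecycle flag — do not flip it on a deployment holding live ciphertext.`, and put a shorter form of the same caveat in the `prevent_destroy` variable descriptions added in the later variables.tf hunks, which currently say only "Prevent Key destruction.". The `split("/", k)[3]` map key presumably picks the location segment of a `projects/.../locations/<loc>/keyRings/<name>` id; a comment on the `output_keys` local saying what the map is keyed by would save the next reader the guess.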
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kms_keys" {
+ description = "Keys created for the project."
+ value = local.output_keys
+}
diff --git a/4-projects/modules/ml_kms_key/variables.tf b/4-projects/modules/ml_kms_key/variables.tf
new file mode 100644
index 00000000..c17ee08e
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/variables.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "key_rings" {
+ description = "Keyrings to attach project key to."
+ type = list(string)
+}
+
+variable "project_name" {
+ description = "Project Name."
+ type = string
+}
+
+variable "key_rotation_period" {
+ description = "Rotation period in seconds to be used for KMS Key."
+ type = string
+ default = "7776000s"
+}
+
+variable "prevent_destroy" {
+ description = "Prevent Key destruction."
+ type = bool
+}
diff --git a/4-projects/modules/ml_kms_key/versions.tf b/4-projects/modules/ml_kms_key/versions.tf
new file mode 100644
index 00000000..2ff08fd4
--- /dev/null
+++ b/4-projects/modules/ml_kms_key/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 1.3"
+}
diff --git a/4-projects/modules/ml_single_project/README.md b/4-projects/modules/ml_single_project/README.md
index 8078fea7..534068a4 100644
--- a/4-projects/modules/ml_single_project/README.md
+++ b/4-projects/modules/ml_single_project/README.md
@@ -21,6 +21,7 @@ Create and manage a Google Cloud project with various configurations and roles r
 | key\_rings | Keyrings to attach project key to | `list(string)` | n/a | yes |
 | key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
+| prevent\_destroy | Prevent Key destruction. | `bool` | n/a | yes |
 | primary\_contact | The primary email contact for the project | `string` | n/a | yes |
 | project\_budget | Budget configuration.
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [1.2])
alert_pubsub_topic = optional(string, null)
alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
object({| `{}` | no |
 | project\_name | Project Name. | `string` | n/a | yes |
@@ -41,7 +42,7 @@ Create and manage a Google Cloud project with various configurations and roles r
 | Name | Description |
 |------|-------------|
 | enabled\_apis | VPC Service Control services. |
-| kms\_keys | keys created for the project |
+| kms\_keys | Keys created for the project. |
 | project\_id | Project sample project id. |
 | project\_name | Name of the Project. |
 | project\_number | Project sample project number. |
diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf
index 43a7de9f..ec62740c 100644
--- a/4-projects/modules/ml_single_project/main.tf
+++ b/4-projects/modules/ml_single_project/main.tf
@@ -123,14 +123,12 @@ resource "google_compute_subnetwork_iam_member" "account_role_to_vpc_subnets" {
 }
 // Add key for project
-resource "google_kms_crypto_key" "kms_keys" {
- for_each = toset(var.key_rings)
- name = module.project.project_name
- key_ring = each.key
- rotation_period = var.key_rotation_period
- lifecycle {
- prevent_destroy = false
- }
+module "kms_keys" {
+ source = "../ml_kms_key"
+ key_rings = var.key_rings
+ key_rotation_period = var.key_rotation_period
+ project_name = module.project.project_name
+ prevent_destroy = var.prevent_destroy
 }
 // Add crypto key viewer role to kms environment project
diff --git a/4-projects/modules/ml_single_project/outputs.tf b/4-projects/modules/ml_single_project/outputs.tf
index d1f3c130..84699128 100644
--- a/4-projects/modules/ml_single_project/outputs.tf
+++ b/4-projects/modules/ml_single_project/outputs.tf
@@ -40,6 +40,6 @@ output "project_name" {
 }
 output "kms_keys" {
- description = "keys created for the project"
- value = { for k, v in google_kms_crypto_key.kms_keys : split("/", k)[3] => v }
+ description = "Keys created for the project."
+ value = module.kms_keys.kms_keys
 }
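Review bot: Moving the crypto keys from `google_kms_crypto_key.kms_keys` into `module.kms_keys` changes their resource address, so on an existing deployment Terraform will plan to destroy the current keys (the removed block carried `prevent_destroy = false`, so nothing blocks it) and create fresh ones inside the module, after which data encrypted under the old key versions is no longer recoverable. A `moved` block keeps the state entries attached to the new address with no API call, which is the safe way to land this refactor; it needs Terraform 1.1 or newer, which the new module's `>= 1.3` constraint already implies. A `moved` block can name only one target, so the one below covers deployments that apply with `prevent_destroy = true` (the default given in the business_unit_3 variables.tf hunk); deployments that set it to false would need the `ephemeral_kms_keys` target and should be migrated with `terraform state mv` before upgrading.
```hcl
// Add key for project
module "kms_keys" {
  // … unchanged: module arguments …
}

// Keep the existing keys' state attached to the new address instead of
// destroying and re-creating them; targets the prevent_destroy = true branch.
moved {
  from = google_kms_crypto_key.kms_keys
  to   = module.kms_keys.google_kms_crypto_key.kms_keys
}
```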
diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf
index 05a99cd0..65d23fb9 100644
--- a/4-projects/modules/ml_single_project/variables.tf
+++ b/4-projects/modules/ml_single_project/variables.tf
@@ -180,3 +180,8 @@ variable "project_name" {
 description = "Project Name."
 type = string
 }
+
+variable "prevent_destroy" {
+ description = "Prevent Key destruction."
+ type = bool
+}
budget_amount = optional(number, 1000)
alert_spent_percents = optional(list(number), [1.2])
alert_pubsub_topic = optional(string, null)
alert_spend_basis = optional(string, "FORECASTED_SPEND")
})