add env kms project id as variable

caetano-colin · May 14, 2024 · 8676a28 · 8676a28
1 parent a3bab22
commit 8676a28
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 13 deletions.
diff --git a/4-projects/business_unit_3/shared/ml_infra_projects.tf b/4-projects/business_unit_3/shared/ml_infra_projects.tf
@@ -31,4 +31,5 @@ module "ml_infra_project" {
   remote_state_bucket                    = var.remote_state_bucket
   artifacts_infra_pipeline_sa            = module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]
   service_catalog_infra_pipeline_sa      = module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]
+  environment_kms_project_id             = ""
 }
diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf
@@ -48,12 +48,13 @@ module "app_infra_artifacts_project" {
     "sourcerepo.googleapis.com",
   ]
   # Metadata
-  project_suffix    = "artifacts"
-  application_name  = "app-infra-artifacts"
-  billing_code      = var.billing_code
-  primary_contact   = var.primary_contact
-  secondary_contact = var.secondary_contact
-  business_code     = var.business_code
+  project_suffix             = "artifacts"
+  application_name           = "app-infra-artifacts"
+  billing_code               = var.billing_code
+  primary_contact            = var.primary_contact
+  secondary_contact          = var.secondary_contact
+  business_code              = var.business_code
+  environment_kms_project_id = var.environment_kms_project_id
 }
 
 resource "google_kms_crypto_key_iam_member" "ml_key" {

diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf
@@ -46,12 +46,13 @@ module "app_service_catalog_project" {
     "sourcerepo.googleapis.com",
   ]
   # Metadata
-  project_suffix    = "service-catalog"
-  application_name  = "app-infra-ml"
-  billing_code      = var.billing_code
-  primary_contact   = var.primary_contact
-  secondary_contact = var.secondary_contact
-  business_code     = var.business_code
+  project_suffix             = "service-catalog"
+  application_name           = "app-infra-ml"
+  billing_code               = var.billing_code
+  primary_contact            = var.primary_contact
+  secondary_contact          = var.secondary_contact
+  business_code              = var.business_code
+  environment_kms_project_id = var.environment_kms_project_id
 }
 
 resource "google_kms_crypto_key_iam_member" "sc_key" {

diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf
@@ -174,3 +174,8 @@ variable "service_catalog_infra_pipeline_sa" {
   description = "Service Catalog SA to be used by the Infra Pipeline CloudBuild trigger"
   type        = string
 }
+
+variable "environment_kms_project_id" {
+  description = "Environment level KMS Project ID."
+  type        = string
+}
diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf
@@ -136,7 +136,7 @@ resource "google_kms_crypto_key" "kms_keys" {
 // Add crypto key viewer role to kms environment project
 resource "google_project_iam_member" "kms_viewer" {
   for_each = var.environment != "common" ? toset(local.pipeline_kms_sas) : toset([])
-  project  = local.environment_kms_project_id
+  project  = var.environment_kms_project_id
   role     = "roles/cloudkms.viewer"
   member   = "serviceAccount:${each.key}"
 }
diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf
@@ -167,6 +167,11 @@ variable "remote_state_bucket" {
 
 variable "default_service_account" {
   description = "Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`."
+  type        = string
   default     = "disable"
+}
+
+variable "environment_kms_project_id" {
+  description = "Environment level KMS Project ID."
   type        = string
 }