From 8676a28bcf5f37c2c004935a1f42b23291d34147 Mon Sep 17 00:00:00 2001
From: caetano-colin
Date: Tue, 14 May 2024 08:56:40 -0300
Subject: [PATCH] add env kms project id as variable

---
 .../business_unit_3/shared/ml_infra_projects.tf | 1 +
 .../modules/ml_infra_projects/artifacts_project.tf | 13 +++++++------
 .../ml_infra_projects/service_catalog_project.tf | 13 +++++++------
 4-projects/modules/ml_infra_projects/variables.tf | 5 +++++
 4-projects/modules/ml_single_project/main.tf | 2 +-
 4-projects/modules/ml_single_project/variables.tf | 5 +++++
 6 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/4-projects/business_unit_3/shared/ml_infra_projects.tf b/4-projects/business_unit_3/shared/ml_infra_projects.tf
index 72c1f76d..94e8a655 100644
--- a/4-projects/business_unit_3/shared/ml_infra_projects.tf
+++ b/4-projects/business_unit_3/shared/ml_infra_projects.tf
@@ -31,4 +31,5 @@ module "ml_infra_project" {
   remote_state_bucket = var.remote_state_bucket
   artifacts_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-artifact-publish"]
   service_catalog_infra_pipeline_sa = module.infra_pipelines[0].terraform_service_accounts["bu3-service-catalog"]
+  environment_kms_project_id = ""
 }
diff --git a/4-projects/modules/ml_infra_projects/artifacts_project.tf b/4-projects/modules/ml_infra_projects/artifacts_project.tf
index c565f478..eb29db3a 100644
--- a/4-projects/modules/ml_infra_projects/artifacts_project.tf
+++ b/4-projects/modules/ml_infra_projects/artifacts_project.tf
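Review bot: The `environment_kms_project_id = ""` added to the `ml_infra_project` call is a bare empty string with no comment saying why it is empty, and the module variable it feeds (added in 4-projects/modules/ml_infra_projects/variables.tf in this commit) has no default, so this literal is the only place a reader learns that "empty" is a deliberate value. It appears to be safe only because the shared environment is presumably the `"common"` one, where the `kms_viewer` resource in ml_single_project/main.tf has an empty `for_each` and the value is never used. Suggest annotating the line, e.g. `environment_kms_project_id = "" # shared/common environment: no environment-level KMS project; the kms_viewer grants are skipped when environment == "common"`. The `ml_infra_project` module block starts before the hunk.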
@@ -48,12 +48,13 @@ module "app_infra_artifacts_project" {
     "sourcerepo.googleapis.com",
   ]
   # Metadata
-  project_suffix = "artifacts"
-  application_name = "app-infra-artifacts"
-  billing_code = var.billing_code
-  primary_contact = var.primary_contact
-  secondary_contact = var.secondary_contact
-  business_code = var.business_code
+  project_suffix = "artifacts"
+  application_name = "app-infra-artifacts"
+  billing_code = var.billing_code
+  primary_contact = var.primary_contact
+  secondary_contact = var.secondary_contact
+  business_code = var.business_code
+  environment_kms_project_id = var.environment_kms_project_id
 }
 
 resource "google_kms_crypto_key_iam_member" "ml_key" {
diff --git a/4-projects/modules/ml_infra_projects/service_catalog_project.tf b/4-projects/modules/ml_infra_projects/service_catalog_project.tf
index 672e5ed0..8867f093 100644
--- a/4-projects/modules/ml_infra_projects/service_catalog_project.tf
+++ b/4-projects/modules/ml_infra_projects/service_catalog_project.tf
@@ -46,12 +46,13 @@ module "app_service_catalog_project" {
     "sourcerepo.googleapis.com",
   ]
   # Metadata
-  project_suffix = "service-catalog"
-  application_name = "app-infra-ml"
-  billing_code = var.billing_code
-  primary_contact = var.primary_contact
-  secondary_contact = var.secondary_contact
-  business_code = var.business_code
+  project_suffix = "service-catalog"
+  application_name = "app-infra-ml"
+  billing_code = var.billing_code
+  primary_contact = var.primary_contact
+  secondary_contact = var.secondary_contact
+  business_code = var.business_code
+  environment_kms_project_id = var.environment_kms_project_id
 }
 
 resource "google_kms_crypto_key_iam_member" "sc_key" {
diff --git a/4-projects/modules/ml_infra_projects/variables.tf b/4-projects/modules/ml_infra_projects/variables.tf
index d0675b43..5984c23e 100644
--- a/4-projects/modules/ml_infra_projects/variables.tf
+++ b/4-projects/modules/ml_infra_projects/variables.tf
@@ -174,3 +174,8 @@ variable "service_catalog_infra_pipeline_sa" {
   description = "Service Catalog SA to be used by the Infra Pipeline CloudBuild trigger"
   type = string
 }
+
+variable "environment_kms_project_id" {
+  description = "Environment level KMS Project ID."
+  type = string
+}
diff --git a/4-projects/modules/ml_single_project/main.tf b/4-projects/modules/ml_single_project/main.tf
index e493ef2a..ec922cc3 100644
--- a/4-projects/modules/ml_single_project/main.tf
+++ b/4-projects/modules/ml_single_project/main.tf
@@ -136,7 +136,7 @@ resource "google_kms_crypto_key" "kms_keys" {
 // Add crypto key viewer role to kms environment project
 resource "google_project_iam_member" "kms_viewer" {
   for_each = var.environment != "common" ? toset(local.pipeline_kms_sas) : toset([])
-  project = local.environment_kms_project_id
+  project = var.environment_kms_project_id
   role = "roles/cloudkms.viewer"
   member = "serviceAccount:${each.key}"
 }
diff --git a/4-projects/modules/ml_single_project/variables.tf b/4-projects/modules/ml_single_project/variables.tf
index 751bba9d..a6442459 100644
--- a/4-projects/modules/ml_single_project/variables.tf
+++ b/4-projects/modules/ml_single_project/variables.tf
@@ -167,6 +167,11 @@ variable "remote_state_bucket" {
 
 variable "default_service_account" {
   description = "Project default service account setting: can be one of `delete`, `depriviledge`, or `keep`."
+  type = string
   default = "disable"
+}
+
+variable "environment_kms_project_id" {
+  description = "Environment level KMS Project ID."
   type = string
 }
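Review bot: The new `environment_kms_project_id` variable is declared as a required `string` with a description that says neither what the id is used for nor that an empty string is an accepted value, and the same one-line description is reused in the copy added to 4-projects/modules/ml_single_project/variables.tf in this commit. Since the only caller in the diff passes `""` and the value ends up as the `project` of a `google_project_iam_member`, the description should state both, e.g. `description = "Project ID of the environment-level KMS project on which the pipeline service accounts are granted roles/cloudkms.viewer. Pass an empty string in the common environment, where no grant is created."`. The skipping behaviour is inferred from the `for_each` guard in ml_single_project/main.tf, so confirm it before documenting it.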
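Review bot: `project = var.environment_kms_project_id` on `kms_viewer` now takes an unvalidated caller-supplied project id, and the only thing keeping the empty string passed from business_unit_3/shared out of this IAM binding is the `for_each` guard on `var.environment != "common"` on the line above; a non-common environment that passes an empty or wrong id would either fail late at apply time or, depending on how the provider treats an empty `project`, bind `roles/cloudkms.viewer` on an unintended project instead of being rejected at plan time. Add a `lifecycle { precondition { ... } }` (Terraform 1.2+) to the resource that rejects an empty id whenever the grant is actually created, as below. Also check whether `local.environment_kms_project_id`, which this hunk stops referencing, is still declared elsewhere in the module and can be removed.
```hcl
resource "google_project_iam_member" "kms_viewer" {
  for_each = var.environment != "common" ? toset(local.pipeline_kms_sas) : toset([])
  project  = var.environment_kms_project_id
  // … unchanged: role, member …

  lifecycle {
    precondition {
      condition     = var.environment == "common" || var.environment_kms_project_id != ""
      error_message = "environment_kms_project_id must be a non-empty project id when environment is not common."
    }
  }
}
```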