feat: Add CMEK support to create_environment submodule by setting `km…

…s_key_name` variable (#16) BREAKING CHANGE: `create_environment` submodule now uses the `google-beta` provider.
terraform-google-modules · Jun 22, 2021 · 9cd4934 · 9cd4934
1 parent f440422
commit 9cd4934
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 0 deletions.
diff --git a/modules/create_environment/README.md b/modules/create_environment/README.md
@@ -35,6 +35,7 @@ module "composer" {
 | enable\_private\_endpoint | Configure public access to the cluster endpoint. | `bool` | `false` | no |
 | env\_variables | Variables of the airflow environment. | `map(string)` | `{}` | no |
 | image\_version | The version of the aiflow running in the cloud composer environment. | `string` | `null` | no |
+| kms\_key\_name | Customer-managed Encryption Key fully qualified resource name, i.e. projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key. | `string` | `null` | no |
 | labels | The resource labels (a map of key/value pairs) to be applied to the Cloud Composer. | `map(string)` | `{}` | no |
 | machine\_type | Machine type of Cloud Composer nodes. | `string` | `"n1-standard-8"` | no |
 | master\_ipv4\_cidr | The CIDR block from which IP range in tenant project will be reserved for the master. | `string` | `null` | no |

diff --git a/modules/create_environment/main.tf b/modules/create_environment/main.tf
@@ -20,6 +20,8 @@ locals {
 }
 
 resource "google_composer_environment" "composer_env" {
+  provider = google-beta
+
   project = var.project_id
   name    = var.composer_env_name
   region  = var.region
@@ -81,5 +83,15 @@ resource "google_composer_environment" "composer_env" {
         python_version           = software_config.value["python_version"]
       }
     }
+
+    dynamic "encryption_config" {
+      for_each = var.kms_key_name != null ? [
+        {
+          kms_key_name = var.kms_key_name
+      }] : []
+      content {
+        kms_key_name = encryption_config.value["kms_key_name"]
+      }
+    }
   }
 }
diff --git a/modules/create_environment/variables.tf b/modules/create_environment/variables.tf
@@ -171,3 +171,9 @@ variable "enable_private_endpoint" {
   type        = bool
   default     = false
 }
+
+variable "kms_key_name" {
+  description = "Customer-managed Encryption Key fully qualified resource name, i.e. projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key."
+  type        = string
+  default     = null
+}
diff --git a/modules/create_environment/versions.tf b/modules/create_environment/versions.tf
@@ -22,6 +22,11 @@ terraform {
       source  = "hashicorp/google"
       version = "~> 3.53"
     }
+
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 3.53"
+    }
   }
 
   provider_meta "google" {

diff --git a/versions.tf b/versions.tf
@@ -22,6 +22,11 @@ terraform {
       source  = "hashicorp/google"
       version = "~> 3.53"
     }
+
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 3.53"
+    }
   }
 
   provider_meta "google" {