From 604207be49d1b11a854eed68067979b8148aadd7 Mon Sep 17 00:00:00 2001
From: LuizSDCit <86307064+LuizSDCit@users.noreply.github.com>
Date: Wed, 7 Jul 2021 20:06:13 -0300
Subject: [PATCH] feat: Add CMEK support (#28)
* km support added
* Add kms configuration guide
* Add kms configuration guide
* Updated readme for customer managed encryption key usage
* Remove duplicated Compute Engine API
Co-authored-by: Bharath KKB
Co-authored-by: Luiz Felipe dos Santos Dutra
Co-authored-by: Bharath KKB
---
 README.md | 15 +++++++++++++++
 main.tf | 1 +
 variables.tf | 5 +++++
 3 files changed, 21 insertions(+)
diff --git a/README.md b/README.md
index 755e0c3..6a99ba3 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,7 @@ Then perform the following commands on the root folder:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | ip\_configuration | The configuration for VM IPs. Options are 'WORKER\_IP\_PUBLIC' or 'WORKER\_IP\_PRIVATE'. | `string` | `null` | no |
+| kms\_key\_name | The name for the Cloud KMS key for the job. Key format is: projects/PROJECT\_ID/locations/LOCATION/keyRings/KEY\_RING/cryptoKeys/KEY | `string` | `null` | no |
 | machine\_type | The machine type to use for the job. | `string` | `""` | no |
 | max\_workers | The number of workers permitted to work on the job. More workers may improve processing speed at additional cost. | `number` | `1` | no |
 | name | The name of the dataflow job | `string` | n/a | yes |
@@ -98,23 +99,37 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 - [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) plugin v2.18.0
 ### Configure a Service Account to execute the module
+
 In order to execute this module you must have a Service Account with the following project roles:
+
 - roles/dataflow.admin
 - roles/iam.serviceAccountUser
 - roles/storage.admin
 ### Configure a Controller Service Account to create the job
+
 If you want to use the service_account_email input to specify a service account that will identify the VMs in which the jobs are running, the service account will need the following project roles:
+
 - roles/dataflow.worker
 - roles/storage.objectAdmin
+### Configure a Customer Managed Encryption Key
+
+If you want to use [Customer Managed Encryption Keys](https://cloud.google.com/kms/docs/cmek) in the [Dataflow Job](https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys) use the variable `kms_key_name` to provide a valid key.
+Follow the instructions in [Granting Encrypter/Decrypter permissions](https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys#granting_encrypterdecrypter_permissions) to configure the necessary roles for the Dataflow service accounts.
+
 ### Enable APIs
+
 In order to launch a Dataflow Job, the Dataflow API must be enabled:
 - Dataflow API - `dataflow.googleapis.com`
 - Compute Engine API: `compute.googleapis.com`
+**Note:** If you want to use a Customer Managed Encryption Key, the Cloud Key Management Service (KMS) API must be enabled:
+
+- Cloud Key Management Service (KMS) API: `cloudkms.googleapis.com`
+
 ## Install
 ### Terraform
diff --git a/main.tf b/main.tf
index 4180134..5c782da 100644
--- a/main.tf
+++ b/main.tf
@@ -29,5 +29,6 @@ resource "google_dataflow_job" "dataflow_job" {
   subnetwork = var.subnetwork_self_link
   machine_type = var.machine_type
   ip_configuration = var.ip_configuration
+  kms_key_name = var.kms_key_name
 }
diff --git a/variables.tf b/variables.tf
index 009696c..1242b4b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -93,3 +93,8 @@ variable "ip_configuration" {
   default = null
 }
+variable "kms_key_name" {
+  type = string
+  description = "The name for the Cloud KMS key for the job. Key format is: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY"
+  default = null
+}
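Review bot: The added `kms_key_name = var.kms_key_name` line passes the key straight through with nothing tying it to the job's region, and as far as I recall from the Dataflow CMEK guide the key has to be a regional Cloud KMS key located in the same region as the job, which otherwise only surfaces as a failure when the job is created. Since the module does not validate that relationship, a short comment on the line would save the next reader a round trip to the docs, e.g. `# CMEK: key must be a regional key in the job's region (see README, "Configure a Customer Managed Encryption Key")`. The resource block itself starts before the hunk.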
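Review bot: The new `kms_key_name` variable spells out a required resource-name format in its description, but nothing enforces it, so a bare key id, a key version, or any other string is accepted at plan time and only rejected once Dataflow tries to create the job. A `validation` block would catch malformed values up front; that needs Terraform 0.13 or later, which I cannot confirm from this hunk as the module's minimum. Wrapping the match in `can(regex(...))` together with an explicit `null` check keeps the default passing, because the regex error on a null value is caught rather than raised. The error message can reuse the format already given in the description.
```hcl
variable "kms_key_name" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.kms_key_name == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.kms_key_name))
    error_message = "The kms_key_name value must be a full Cloud KMS key resource name: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY."
  }
}
```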