feat: Add custom KMS key support (#25)

Co-authored-by: Calvin Behling <[email protected]>

README.md

@@ -46,6 +46,7 @@ module "pubsub" {
 | pull\_subscriptions | The list of the pull subscriptions | list(map(string)) | `<list>` | no |
 | push\_subscriptions | The list of the push subscriptions | list(map(string)) | `<list>` | no |
 | topic | The Pub/Sub topic name | string | n/a | yes |
+| topic\_kms\_key\_name | The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. | string | `"null"` | no |
 | topic\_labels | A map of labels to assign to the Pub/Sub topic | map(string) | `<map>` | no |
 
 ## Outputs

examples/kms/README.md

@@ -0,0 +1,39 @@
+# KMS Example
+
+This example illustrates how to use the `pubsub` module with a custom `kms` key.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| kms\_key\_name | Name of KMS key to use for pubsub topic | string | n/a | yes |
+| kms\_keyring\_name | Name of KMS key ring to use for pubsub topic | string | n/a | yes |
+| project\_id | The project ID to manage the Pub/Sub resources | string | n/a | yes |
+| topic\_labels | A map of labels to assign to the Pub/Sub topic | map(string) | `<map>` | no |
+| topic\_name | The name for the Pub/Sub topic | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The project ID |
+| topic\_labels | The labels of the Pub/Sub topic created |
+| topic\_name | The name of the Pub/Sub topic created |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Requirements
+
+The following sections describe the requirements which must be met in
+order to invoke this example. The requirements of the
+[root module][root-module-requirements] must be met.
+
+## Usage
+
+To provision this example, populate `terraform.tfvars` with the [required variables](#inputs) and run the following commands within
+this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/kms/main.tf

@@ -0,0 +1,73 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  version = "~> 2.13"
+  region  = "us-central1"
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+locals {
+  pubsub_svc_account_email = "service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+}
+
+data "google_iam_role" "kms_encrypt_decrypt" {
+  name = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+}
+
+resource "google_kms_key_ring" "my_key_ring" {
+  name     = "my-key-ring-crqif"
+  location = "us-central1"
+  project  = var.project_id
+}
+
+resource "google_kms_crypto_key" "my_crypto_key" {
+  name     = "my-crypto-key-ra5jb"
+  key_ring = google_kms_key_ring.my_key_ring.id
+}
+
+resource "google_project_iam_member" "project" {
+  project = var.project_id
+  role    = data.google_iam_role.kms_encrypt_decrypt.name
+  member  = "serviceAccount:${local.pubsub_svc_account_email}"
+}
+
+module "pubsub" {
+  source             = "../../"
+  project_id         = var.project_id
+  topic              = var.topic_name
+  topic_labels       = var.topic_labels
+  topic_kms_key_name = google_kms_crypto_key.my_crypto_key.id
+
+  pull_subscriptions = [
+    {
+      name                 = "pull"
+      ack_deadline_seconds = 10
+    },
+  ]
+
+  push_subscriptions = [
+    {
+      name                 = "push"
+      push_endpoint        = "https://${var.project_id}.appspot.com/"
+      x-goog-version       = "v1beta1"
+      ack_deadline_seconds = 20
+    },
+  ]
+}

examples/kms/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = var.project_id
+  description = "The project ID"
+}
+
+output "topic_name" {
+  value       = module.pubsub.topic
+  description = "The name of the Pub/Sub topic created"
+}
+
+output "topic_labels" {
+  value       = module.pubsub.topic_labels
+  description = "The labels of the Pub/Sub topic created"
+}

examples/kms/variables.tf

@@ -0,0 +1,41 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type        = string
+  description = "The project ID to manage the Pub/Sub resources"
+}
+
+variable "topic_name" {
+  type        = string
+  description = "The name for the Pub/Sub topic"
+}
+
+variable "topic_labels" {
+  type        = map(string)
+  description = "A map of labels to assign to the Pub/Sub topic"
+  default     = {}
+}
+
+variable "kms_key_name" {
+  type        = string
+  description = "Name of KMS key to use for pubsub topic"
+}
+
+variable "kms_keyring_name" {
+  type        = string
+  description = "Name of KMS key ring to use for pubsub topic"
+}

main.tf

@@ -19,10 +19,11 @@ locals {
 }
 
 resource "google_pubsub_topic" "topic" {
-  count   = var.create_topic ? 1 : 0
-  project = var.project_id
-  name    = var.topic
-  labels  = var.topic_labels
+  count        = var.create_topic ? 1 : 0
+  project      = var.project_id
+  name         = var.topic
+  labels       = var.topic_labels
+  kms_key_name = var.topic_kms_key_name
 
   dynamic "message_storage_policy" {
     for_each = var.message_storage_policy

variables.tf

@@ -53,3 +53,9 @@ variable "message_storage_policy" {
   description = "A map of storage policies. Default - inherit from organization's Resource Location Restriction policy."
   default     = {}
 }
+
+variable "topic_kms_key_name" {
+  type        = string
+  description = "The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic."
+  default     = null
+}