From 9516ff1cd7109adac92225caf819178e61281ff1 Mon Sep 17 00:00:00 2001
From: Calvin Behling
Date: Tue, 19 May 2020 17:40:31 -0500
Subject: [PATCH] feat: Add custom KMS key support (#25)
Co-authored-by: Calvin Behling
---
 README.md | 1 +
 examples/kms/README.md | 39 +++++++++++++++++++++
 examples/kms/main.tf | 73 +++++++++++++++++++++++++++++++++++++++
 examples/kms/outputs.tf | 30 ++++++++++++++++
 examples/kms/variables.tf | 41 ++++++++++++++++++++++
 main.tf | 9 ++---
 variables.tf | 6 ++++
 7 files changed, 195 insertions(+), 4 deletions(-)
 create mode 100644 examples/kms/README.md
 create mode 100644 examples/kms/main.tf
 create mode 100644 examples/kms/outputs.tf
 create mode 100644 examples/kms/variables.tf
diff --git a/README.md b/README.md
index adb73e5..099aa2e 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ module "pubsub" {
 | pull\_subscriptions | The list of the pull subscriptions | list(map(string)) | `` | no |
 | push\_subscriptions | The list of the push subscriptions | list(map(string)) | `` | no |
 | topic | The Pub/Sub topic name | string | n/a | yes |
+| topic\_kms\_key\_name | The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. | string | `"null"` | no |
 | topic\_labels | A map of labels to assign to the Pub/Sub topic | map(string) | `` | no |
 ## Outputs
diff --git a/examples/kms/README.md b/examples/kms/README.md
new file mode 100644
index 0000000..fb32edb
--- /dev/null
+++ b/examples/kms/README.md
@@ -0,0 +1,39 @@
+# KMS Example
+
+This example illustrates how to use the `pubsub` module with a custom `kms` key.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| kms\_key\_name | Name of KMS key to use for pubsub topic | string | n/a | yes |
+| kms\_keyring\_name | Name of KMS key ring to use for pubsub topic | string | n/a | yes |
+| project\_id | The project ID to manage the Pub/Sub resources | string | n/a | yes |
+| topic\_labels | A map of labels to assign to the Pub/Sub topic | map(string) | `` | no |
+| topic\_name | The name for the Pub/Sub topic | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The project ID |
+| topic\_labels | The labels of the Pub/Sub topic created |
+| topic\_name | The name of the Pub/Sub topic created |
+
+
+
+## Requirements
+
+The following sections describe the requirements which must be met in
+order to invoke this example. The requirements of the
+[root module][root-module-requirements] must be met.
+
+## Usage
+
+To provision this example, populate `terraform.tfvars` with the [required variables](#inputs) and run the following commands within
+this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/kms/main.tf b/examples/kms/main.tf
new file mode 100644
index 0000000..3ccb025
--- /dev/null
+++ b/examples/kms/main.tf
@@ -0,0 +1,73 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+ version = "~> 2.13"
+ region = "us-central1"
+}
+
+data "google_project" "project" {
+ project_id = var.project_id
+}
+
+locals {
+ pubsub_svc_account_email = "service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+}
+
+data "google_iam_role" "kms_encrypt_decrypt" {
+ name = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+}
+
+resource "google_kms_key_ring" "my_key_ring" {
+ name = "my-key-ring-crqif"
+ location = "us-central1"
+ project = var.project_id
+}
+
+resource "google_kms_crypto_key" "my_crypto_key" {
+ name = "my-crypto-key-ra5jb"
+ key_ring = google_kms_key_ring.my_key_ring.id
+}
+
+resource "google_project_iam_member" "project" {
+ project = var.project_id
+ role = data.google_iam_role.kms_encrypt_decrypt.name
+ member = "serviceAccount:${local.pubsub_svc_account_email}"
+}
+
+module "pubsub" {
+ source = "../../"
+ project_id = var.project_id
+ topic = var.topic_name
+ topic_labels = var.topic_labels
+ topic_kms_key_name = google_kms_crypto_key.my_crypto_key.id
+
+ pull_subscriptions = [
+ {
+ name = "pull"
+ ack_deadline_seconds = 10
+ },
+ ]
+
+ push_subscriptions = [
+ {
+ name = "push"
+ push_endpoint = "https://${var.project_id}.appspot.com/"
+ x-goog-version = "v1beta1"
+ ack_deadline_seconds = 20
+ },
+ ]
+}
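Review bot: `var.kms_key_name` and `var.kms_keyring_name`, declared in the examples/kms/variables.tf hunk and listed as required inputs in the example README, are never referenced in this file; the key ring and key names are hard-coded as `my-key-ring-crqif` and `my-crypto-key-ra5jb`, so callers must supply values that have no effect. The `google_project_iam_member` block also grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to the Pub/Sub service agent on every key in the project, where a `google_kms_crypto_key_iam_member` on the single key created here is all the topic needs. Nothing ties `module "pubsub"` to that grant, so Terraform may create the topic before the service agent is allowed to use the key; feeding the binding's `crypto_key_id` into `topic_kms_key_name` establishes the ordering without a module-level `depends_on`, which the Terraform version this example appears to target may not accept. The rewrite below wires the variables in, narrows the grant to the key and adds that dependency.
```hcl
resource "google_kms_key_ring" "my_key_ring" {
  name     = var.kms_keyring_name
  location = "us-central1"
  project  = var.project_id
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name     = var.kms_key_name
  key_ring = google_kms_key_ring.my_key_ring.id
}

# Grant the Pub/Sub service agent use of this one key only, not every key in the project.
resource "google_kms_crypto_key_iam_member" "pubsub" {
  crypto_key_id = google_kms_crypto_key.my_crypto_key.id
  role          = data.google_iam_role.kms_encrypt_decrypt.name
  member        = "serviceAccount:${local.pubsub_svc_account_email}"
}

module "pubsub" {
  # … unchanged: source, project_id, topic, topic_labels …
  # Referencing the binding rather than the key makes Terraform apply the grant before the topic.
  topic_kms_key_name = google_kms_crypto_key_iam_member.pubsub.crypto_key_id
  # … unchanged: pull_subscriptions, push_subscriptions …
}
```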
diff --git a/examples/kms/outputs.tf b/examples/kms/outputs.tf
new file mode 100644
index 0000000..2cd492c
--- /dev/null
+++ b/examples/kms/outputs.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+ value = var.project_id
+ description = "The project ID"
+}
+
+output "topic_name" {
+ value = module.pubsub.topic
+ description = "The name of the Pub/Sub topic created"
+}
+
+output "topic_labels" {
+ value = module.pubsub.topic_labels
+ description = "The labels of the Pub/Sub topic created"
+}
diff --git a/examples/kms/variables.tf b/examples/kms/variables.tf
new file mode 100644
index 0000000..51e3def
--- /dev/null
+++ b/examples/kms/variables.tf
@@ -0,0 +1,41 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ type = string
+ description = "The project ID to manage the Pub/Sub resources"
+}
+
+variable "topic_name" {
+ type = string
+ description = "The name for the Pub/Sub topic"
+}
+
+variable "topic_labels" {
+ type = map(string)
+ description = "A map of labels to assign to the Pub/Sub topic"
+ default = {}
+}
+
+variable "kms_key_name" {
+ type = string
+ description = "Name of KMS key to use for pubsub topic"
+}
+
+variable "kms_keyring_name" {
+ type = string
+ description = "Name of KMS key ring to use for pubsub topic"
+}
diff --git a/main.tf b/main.tf
index 5ea9c10..c70ebac 100644
--- a/main.tf
+++ b/main.tf
@@ -19,10 +19,11 @@ locals {
 }
 resource "google_pubsub_topic" "topic" {
- count = var.create_topic ? 1 : 0
- project = var.project_id
- name = var.topic
- labels = var.topic_labels
+ count = var.create_topic ? 1 : 0
+ project = var.project_id
+ name = var.topic
+ labels = var.topic_labels
+ kms_key_name = var.topic_kms_key_name
 dynamic "message_storage_policy" {
 for_each = var.message_storage_policy
diff --git a/variables.tf b/variables.tf
index 97e29ff..1bcc4e0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -53,3 +53,9 @@ variable "message_storage_policy" {
 description = "A map of storage policies. Default - inherit from organization's Resource Location Restriction policy."
 default = {}
 }
+
+variable "topic_kms_key_name" {
+ type = string
+ description = "The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic."
+ default = null
+}
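Review bot: The description of `topic_kms_key_name` tells the caller neither what form the value takes nor that the topic cannot be created unless the project's Pub/Sub service agent is allowed to use the key, a grant this module does not make. I would replace it with `description = "Resource name of the Cloud KMS CryptoKey (projects/*/locations/*/keyRings/*/cryptoKeys/*) used to encrypt messages on this topic. The project's Pub/Sub service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key; this module does not grant it. null keeps the default encryption."`. The generated row in the root README.md hunk renders the default as the string `"null"`, which reads as a literal value to pass rather than the HCL `null` set here; regenerating the table after the description change is a chance to check that rendering.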