feat: Support setting var.disk_encryption_key for instance templates …

…to enable encryption on all disks (#181)
terraform-google-modules · Jun 14, 2021 · 227ae1a · 227ae1a
1 parent cb91eb6
commit 227ae1a
Show file tree

Hide file tree

Showing 8 changed files with 197 additions and 2 deletions.
diff --git a/examples/instance_template/encrypted_disks/README.md b/examples/instance_template/encrypted_disks/README.md
@@ -0,0 +1,24 @@
+# instance-template-additional-disks
+
+This example demonstrates how to use the instance_template module to create
+instance templates with encrypted persistent disks.
+
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The GCP project to use for integration tests | `string` | n/a | yes |
+| region | The GCP region to create and test resources in | `string` | `"us-central1"` | no |
+| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account. | <pre>object({<br>    email  = string<br>    scopes = set(string)<br>  })</pre> | `null` | no |
+| subnetwork | The name of the subnetwork create this instance in. | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| name | Name of the instance templates |
+| self\_link | Self-link to the instance template |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/instance_template/encrypted_disks/main.tf b/examples/instance_template/encrypted_disks/main.tf
@@ -0,0 +1,77 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+
+  project = var.project_id
+  region  = var.region
+  version = "~> 3.0"
+}
+
+resource "google_kms_key_ring" "keyring" {
+  name     = "keyring-example"
+  location = "global"
+}
+
+resource "google_kms_crypto_key" "example-key" {
+  name            = "crypto-key-example"
+  key_ring        = google_kms_key_ring.keyring.id
+  rotation_period = "100000s"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+module "instance_template" {
+  source          = "../../../modules/instance_template"
+  project_id      = var.project_id
+  subnetwork      = var.subnetwork
+  service_account = var.service_account
+  name_prefix     = "additional-disks"
+
+  disk_encryption_key = google_kms_crypto_key.example-key.self_link
+
+  additional_disks = [
+    {
+      disk_name    = "disk-0"
+      device_name  = "disk-0"
+      disk_size_gb = 10
+      disk_type    = "pd-standard"
+      auto_delete  = "true"
+      boot         = "false"
+      disk_labels  = {}
+    },
+    {
+      disk_name    = "disk-1"
+      device_name  = "disk-1"
+      disk_size_gb = 10
+      disk_type    = "pd-standard"
+      auto_delete  = "true"
+      boot         = "false"
+      disk_labels  = { "foo" : "bar" }
+    },
+    {
+      disk_name    = "disk-2"
+      device_name  = "disk-2"
+      disk_size_gb = 10
+      disk_type    = "pd-standard"
+      auto_delete  = "true"
+      boot         = "false"
+      disk_labels  = { "foo" : "bar" }
+    },
+  ]
+}
diff --git a/examples/instance_template/encrypted_disks/outputs.tf b/examples/instance_template/encrypted_disks/outputs.tf
@@ -0,0 +1,26 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "self_link" {
+  description = "Self-link to the instance template"
+  value       = module.instance_template.self_link
+}
+
+output "name" {
+  description = "Name of the instance templates"
+  value       = module.instance_template.name
+}
+
diff --git a/examples/instance_template/encrypted_disks/variables.tf b/examples/instance_template/encrypted_disks/variables.tf
@@ -0,0 +1,42 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+variable "project_id" {
+  description = "The GCP project to use for integration tests"
+  type        = string
+}
+
+variable "region" {
+  description = "The GCP region to create and test resources in"
+  type        = string
+  default     = "us-central1"
+}
+
+variable "subnetwork" {
+  description = "The name of the subnetwork create this instance in."
+  default     = ""
+}
+
+variable "service_account" {
+  default = null
+  type = object({
+    email  = string
+    scopes = set(string)
+  })
+  description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#service_account."
+}
+
diff --git a/examples/instance_template/encrypted_disks/versions.tf b/examples/instance_template/encrypted_disks/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">=0.12.6"
+}
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
@@ -17,6 +17,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | additional\_disks | List of maps of additional disks. See https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#disk_name | <pre>list(object({<br>    disk_name    = string<br>    device_name  = string<br>    auto_delete  = bool<br>    boot         = bool<br>    disk_size_gb = number<br>    disk_type    = string<br>    disk_labels  = map(string)<br>  }))</pre> | `[]` | no |
 | auto\_delete | Whether or not the boot disk should be auto-deleted | `string` | `"true"` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
+| disk\_encryption\_key | The self link of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
 | disk\_size\_gb | Boot disk size in GB | `string` | `"100"` | no |
 | disk\_type | Boot disk type, can be either pd-ssd, local-ssd, or pd-standard | `string` | `"pd-standard"` | no |

diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
@@ -91,9 +91,9 @@ resource "google_compute_instance_template" "tpl" {
       labels       = lookup(disk.value, "disk_labels", null)
 
       dynamic "disk_encryption_key" {
-        for_each = lookup(disk.value, "disk_encryption_key", [])
+        for_each = compact([var.disk_encryption_key == null ? null : 1])
         content {
-          kms_key_self_link = lookup(disk_encryption_key.value, "kms_key_self_link", null)
+          kms_key_self_link = var.disk_encryption_key
         }
       }
     }

diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
@@ -105,6 +105,12 @@ variable "disk_labels" {
   default     = {}
 }
 
+variable "disk_encryption_key" {
+  description = "The self link of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance"
+  type        = string
+  default     = null
+}
+
 variable "auto_delete" {
   description = "Whether or not the boot disk should be auto-deleted"
   default     = "true"