Add support for Dataproc Metastore CMEK config (GoogleCloudPlatform#5881

)
betsy-lichtenberg · Apr 25, 2022 · ddc3a22 · ddc3a22
1 parent c68c176
commit ddc3a22
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 0 deletions.
diff --git a/mmv1/products/metastore/api.yaml b/mmv1/products/metastore/api.yaml
@@ -144,6 +144,21 @@ objects:
               - :FRIDAY
               - :SATURDAY
               - :SUNDAY
+      - !ruby/object:Api::Type::NestedObject
+        name: 'encryptionConfig'
+        min_version: beta
+        description: |
+          Information used to configure the Dataproc Metastore service to encrypt
+          customer data at rest.
+        properties:
+          - !ruby/object:Api::Type::String
+            name: 'kmsKey'
+            min_version: beta
+            description: |
+              The fully qualified customer provided Cloud KMS key name to use for customer data encryption.
+              Use the following format: `projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)`
+            required: true
+            input: true
       - !ruby/object:Api::Type::NestedObject
         name: 'hiveMetastoreConfig'
         description: |

diff --git a/mmv1/products/metastore/terraform.yaml b/mmv1/products/metastore/terraform.yaml
@@ -23,6 +23,24 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         primary_resource_id: "default"
         vars:
           metastore_service_name: "metastore-srv"
+      - !ruby/object:Provider::Terraform::Examples
+        name: "dataproc_metastore_service_cmek_test"
+        min_version: beta
+        skip_docs: true
+        primary_resource_id: "default"
+        vars:
+          metastore_service_name: "example-service"
+          key_name: "example-key"
+          keyring_name: "example-keyring"
+      - !ruby/object:Provider::Terraform::Examples
+        name: "dataproc_metastore_service_cmek_example"
+        min_version: beta
+        skip_test: true
+        primary_resource_id: "default"
+        vars:
+          metastore_service_name: "example-service"
+          key_name: "example-key"
+          keyring_name: "example-keyring"
     properties:
       network: !ruby/object:Overrides::Terraform::PropertyOverride
         default_from_api: true

diff --git a/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_example.tf.erb b/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_example.tf.erb
@@ -0,0 +1,27 @@
+resource "google_dataproc_metastore_service" "<%= ctx[:primary_resource_id] %>" {
+  provider   = google-beta
+  service_id = "<%= ctx[:vars]['metastore_service_name'] %>"
+  location   = "us-central1"
+
+  encryption_config {
+    kms_key = google_kms_crypto_key.crypto_key.id
+  }
+
+  hive_metastore_config {
+    version = "3.1.2"
+  }
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+  provider = google-beta
+  name     = "<%= ctx[:vars]['key_name'] %>"
+  key_ring = google_kms_key_ring.key_ring.id
+
+  purpose  = "ENCRYPT_DECRYPT"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  provider = google-beta
+  name     = "<%= ctx[:vars]['keyring_name'] %>"
+  location = "us-central1"
+}
diff --git a/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_test.tf.erb b/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_test.tf.erb
@@ -0,0 +1,49 @@
+data "google_project" "project" {
+  provider = google-beta
+}
+
+data "google_storage_project_service_account" "gcs_account" {
+  provider = google-beta
+}
+
+
+resource "google_dataproc_metastore_service" "<%= ctx[:primary_resource_id] %>" {
+  provider   = google-beta
+  service_id = "<%= ctx[:vars]['metastore_service_name'] %>"
+  location   = "us-central1"
+
+  encryption_config {
+    kms_key = google_kms_crypto_key.crypto_key.id
+  }
+
+  hive_metastore_config {
+    version = "3.1.2"
+  }
+
+  depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding]
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+  provider = google-beta
+  name     = "<%= ctx[:vars]['key_name'] %>"
+  key_ring = google_kms_key_ring.key_ring.id
+
+  purpose  = "ENCRYPT_DECRYPT"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  provider = google-beta
+  name     = "<%= ctx[:vars]['keyring_name'] %>"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key_binding" {
+  provider      = google-beta
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@gcp-sa-metastore.iam.gserviceaccount.com",
+    "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
+  ]
+}