feat: Add support for customer encryption keys (#34)
* Updated Requirements to match Compatibility section

* Added encryption block

The encryption block is dynamic to avoid adding an empty block.
An empty encryption block results in terraform expecting changes every apply.
Separate keys can be used for each bucket similar to versioning and force_destroy.

* Reworded disclaimer for unreachable lookup default

Co-Authored-By: Morgante Pell <morgante.pell@morgante.net>

* Reworded encryption variable to be more descriptive

encryption => encryption_key_names

Co-authored-by: Morgante Pell <morgante.pell@morgante.net>
06kellyjac and morgante authored Feb 5, 2020
1 parent 36709d3 commit 32eff9b
Showing 3 changed files with 25 additions and 1 deletion.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -49,6 +49,7 @@ Functional examples are included in the
| bucket\_policy\_only | Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean | map | `<map>` | no |
| bucket\_viewers | Map of lowercase unprefixed name => comma-delimited IAM-style bucket viewers. | map | `<map>` | no |
| creators | IAM-style members who will be granted roles/storage.objectCreators on all buckets. | list | `<list>` | no |
| encryption\_key\_names | Optional map of lowercase unprefixed name => string, empty strings are ignored. | map | `<map>` | no |
| force\_destroy | Optional map of lowercase unprefixed name => boolean, defaults to false. | map | `<map>` | no |
| labels | Labels to be attached to the buckets | map | `<map>` | no |
| lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches_storage_class should be a comma delimited string. | object | `<list>` | no |
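Review bot: the encryption_key_names row tells the reader nothing about what the string is; "name => string" should name the thing being mapped. From the main.tf change it is the Cloud KMS key resource name the module passes to default_kms_key_name for that bucket, and leading/trailing whitespace is trimmed before use, so say so: `Optional map of lowercase unprefixed name => Cloud KMS key name set as default_kms_key_name on that bucket; empty or whitespace-only strings are ignored.` It is also worth a sentence noting that nothing in this change grants the bucket's service account permission to use the key, so the caller has to arrange that separately.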
Expand Down Expand Up @@ -86,7 +87,8 @@ These sections describe requirements for using this module.

The following dependencies must be available:

- [Terraform][terraform] v0.11
- [Terraform][terraform] v0.12
- For Terraform v0.11 see the [Compatibility](#compatibility) section above
- [Terraform Provider for GCP][terraform-provider-gcp] plugin v2.0

### Service Account
17 changes: 17 additions & 0 deletions main.tf
Expand Up @@ -42,6 +42,23 @@ resource "google_storage_bucket" "buckets" {
false,
)
}
# Having a permanent encryption block with default_kms_key_name = "" works but results in terraform applying a change every run
# There is no enabled = false attribute available to ask terraform to ignore the block
dynamic "encryption" {
# If an encryption key name is set for this bucket name -> Create a single encryption block
for_each = trimspace(lookup(var.encryption_key_names, lower(element(var.names, count.index)), "")) != "" ? [true] : []
content {
default_kms_key_name = trimspace(
lookup(
var.encryption_key_names,
lower(element(var.names, count.index)),
"Error retrieving kms key name", # Should be unreachable due to the for_each check
# Omitting default is deprecated & can help show if there was a bug
# https://www.terraform.io/docs/configuration/functions/lookup.html
)
)
}
}
dynamic "lifecycle_rule" {
for_each = var.lifecycle_rules
content {
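Review bot: the lookup inside content recomputes exactly the expression the for_each guard already evaluated, and then needs a sentinel default ("Error retrieving kms key name") purely to silence the deprecation warning on lookup without a default; iterating over the value itself removes both. compact() drops empty strings from a list, so `for_each = compact([trimspace(lookup(var.encryption_key_names, lower(element(var.names, count.index)), ""))])` followed by `default_kms_key_name = encryption.value` produces the same single block only when a non-blank key is configured, with one lookup and no placeholder string that could ever be handed to the API if the two expressions drift apart in a later edit. The two comments explaining why the block is dynamic are useful and should stay.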
5 changes: 5 additions & 0 deletions variables.tf
Expand Up @@ -47,6 +47,11 @@ variable "versioning" {
default = {}
}

variable "encryption_key_names" {
description = "Optional map of lowercase unprefixed name => string, empty strings are ignored."
default = {}
}

variable "bucket_policy_only" {
description = "Disable ad-hoc ACLs on specified buckets. Defaults to true. Map of lowercase unprefixed name => boolean"
default = {}
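Review bot: the new variable has no type constraint, so a caller who passes a nested map or a list gets a failure from inside the lookup/trimspace expression in main.tf rather than a clear message at the variable boundary; add `type = map(string)` next to `default = {}`. The description also repeats the README's "name => string" wording and should say what the string is, namely the Cloud KMS key name applied as default_kms_key_name on that bucket. The neighbouring versioning and bucket_policy_only variables also lack a type, but that is not a convention worth extending to a value that ends up in an API call.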
