Add support for CMEK datasets to terraform. (GoogleCloudPlatform#10978)

vijaykanthm · Jul 22, 2024 · 5706708 · 5706708
1 parent 30839a7
commit 5706708
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/mmv1/products/healthcare/Dataset.yaml b/mmv1/products/healthcare/Dataset.yaml
@@ -35,6 +35,15 @@ examples:
       dataset_name: 'example-dataset'
       location: 'us-central1'
       time_zone: 'America/New_York'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'healthcare_dataset_cmek'
+    primary_resource_id: 'default'
+    vars:
+      dataset_name: 'example-dataset'
+      location: 'us-central1'
+      time_zone: 'America/New_York'
+      key_name: 'example-key'
+      keyring_name: 'example-keyring'
 custom_code: !ruby/object:Provider::Terraform::CustomCode
   decoder: templates/terraform/decoders/long_name_to_self_link.go.erb
 parameters:
@@ -66,3 +75,18 @@ properties:
       The fully qualified name of this dataset
     output: true
     ignore_read: true
+  - !ruby/object:Api::Type::NestedObject
+    name: 'encryptionSpec'
+    required: false
+    immutable: true
+    default_from_api: true
+    properties:
+      - !ruby/object:Api::Type::String
+        name: 'kmsKeyName'
+        description: |
+          KMS encryption key that is used to secure this dataset and its sub-resources. The key used for
+          encryption and the dataset must be in the same location. If empty, the default Google encryption
+          key will be used to secure this dataset. The format is
+          projects/{projectId}/locations/{locationId}/keyRings/{keyRingId}/cryptoKeys/{keyId}.
+        required: false
+        immutable: true
diff --git a/mmv1/templates/terraform/examples/healthcare_dataset_cmek.tf.erb b/mmv1/templates/terraform/examples/healthcare_dataset_cmek.tf.erb
@@ -0,0 +1,36 @@
+data "google_project" "project" {}
+
+resource "google_healthcare_dataset" "default" {
+  name      = "<%= ctx[:vars]['dataset_name'] %>"
+  location  = "us-central1"
+  time_zone = "UTC"
+
+  encryption_spec {
+    kms_key_name = google_kms_crypto_key.crypto_key.id
+  }
+
+  depends_on = [
+    google_kms_crypto_key_iam_binding.healthcare_cmek_keyuser
+  ]
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+  name     = "<%= ctx[:vars]['key_name'] %>"
+  key_ring = google_kms_key_ring.key_ring.id
+  purpose  = "ENCRYPT_DECRYPT"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  name     = "<%= ctx[:vars]['keyring_name'] %>"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key_iam_binding" "healthcare_cmek_keyuser" {
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  members = [
+    "serviceAccount:service-${data.google_project.project.number}@gcp-sa-healthcare.iam.gserviceaccount.com",
+  ]
+}
+
+