feat: Add KMS cmek support for state bucket (#115)

terraform-google-modules · Aug 24, 2021 · 2fea4be · 2fea4be
1 parent b7b0090
commit 2fea4be
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -49,11 +49,15 @@ For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild).
 | activate\_apis | List of APIs to enable in the seed project. | `list(string)` | <pre>[<br>  "serviceusage.googleapis.com",<br>  "servicenetworking.googleapis.com",<br>  "compute.googleapis.com",<br>  "logging.googleapis.com",<br>  "bigquery.googleapis.com",<br>  "cloudresourcemanager.googleapis.com",<br>  "cloudbilling.googleapis.com",<br>  "iam.googleapis.com",<br>  "admin.googleapis.com",<br>  "appengine.googleapis.com",<br>  "storage-api.googleapis.com",<br>  "monitoring.googleapis.com"<br>]</pre> | no |
 | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
 | default\_region | Default region to create resources where applicable. | `string` | `"us-central1"` | no |
+| encrypt\_gcs\_bucket\_tfstate | Encrypt bucket used for storing terraform state files in seed project. | `bool` | `false` | no |
 | folder\_id | The ID of a folder to host this project | `string` | `""` | no |
 | force\_destroy | If supplied, the state bucket will be deleted even while containing objects. | `bool` | `false` | no |
 | grant\_billing\_user | Grant roles/billing.user role to CFT service account | `bool` | `true` | no |
 | group\_billing\_admins | Google Group for GCP Billing Administrators | `string` | n/a | yes |
 | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
+| key\_protection\_level | The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM"] | `string` | `"SOFTWARE"` | no |
+| key\_rotation\_period | n/a | `string` | `null` | no |
+| kms\_prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | `bool` | `true` | no |
 | org\_admins\_org\_iam\_permissions | List of permissions granted to the group supplied in group\_org\_admins variable across the GCP organization. | `list(string)` | <pre>[<br>  "roles/billing.user",<br>  "roles/resourcemanager.organizationAdmin"<br>]</pre> | no |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |

diff --git a/main.tf b/main.tf
@@ -80,6 +80,31 @@ resource "google_service_account" "org_terraform" {
 /***********************************************
   GCS Bucket - Terraform State
  ***********************************************/
+data "google_storage_project_service_account" "gcs_account" {
+  project = module.seed_project.project_id
+}
+
+module "kms" {
+  count   = var.encrypt_gcs_bucket_tfstate ? 1 : 0
+  source  = "terraform-google-modules/kms/google"
+  version = "~> 1.2"
+
+  project_id           = module.seed_project.project_id
+  location             = var.default_region
+  keyring              = "${var.project_prefix}-keyring"
+  keys                 = ["${var.project_prefix}-key"]
+  key_rotation_period  = var.key_rotation_period
+  key_protection_level = var.key_protection_level
+  set_decrypters_for   = ["${var.project_prefix}-key"]
+  set_encrypters_for   = ["${var.project_prefix}-key"]
+  decrypters = [
+    "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}",
+  ]
+  encrypters = [
+    "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}",
+  ]
+  prevent_destroy = var.kms_prevent_destroy
+}
 
 resource "google_storage_bucket" "org_terraform_state" {
   project                     = module.seed_project.project_id
@@ -91,6 +116,13 @@ resource "google_storage_bucket" "org_terraform_state" {
   versioning {
     enabled = true
   }
+
+  dynamic "encryption" {
+    for_each = var.encrypt_gcs_bucket_tfstate ? ["encryption"] : []
+    content {
+      default_kms_key_name = module.kms[0].keys["${var.project_prefix}-key"]
+    }
+  }
 }
 
 /***********************************************

diff --git a/variables.tf b/variables.tf
@@ -176,3 +176,25 @@ variable "tf_service_account_name" {
   type        = string
   default     = "CFT Organization Terraform Account"
 }
+
+variable "encrypt_gcs_bucket_tfstate" {
+  description = "Encrypt bucket used for storing terraform state files in seed project."
+  type        = bool
+  default     = false
+}
+
+variable "key_protection_level" {
+  type        = string
+  description = "The protection level to use when creating a version based on this template. Default value: \"SOFTWARE\" Possible values: [\"SOFTWARE\", \"HSM\"]"
+  default     = "SOFTWARE"
+}
+
+variable "key_rotation_period" {
+  type    = string
+  default = null
+}
+
+variable "kms_prevent_destroy" {
+  description = "Set the prevent_destroy lifecycle attribute on keys."
+  default     = true
+}