Added Pub/Sub kms key variable

ilakhtenkov · ilakhtenkov · commit f2ddb02e55a5 · 2023-01-02T16:19:39.000+01:00
diff --git a/README.md b/README.md
@@ -37,6 +37,7 @@ These deployment templates are provided as is, without warranty. See [Copyright
 | <a name="input_dataflow_worker_service_account"></a> [dataflow_worker_service_account](#input_dataflow_worker_service_account) | (Optional) Name of worker service account to be created and used to execute job operations. Must be 6-30 characters long, and match the regular expression [a-z]([-a-z0-9]*[a-z0-9]). If parameter is empty, worker service account defaults to project's Compute Engine default service account. | `string` |
 | <a name="input_deploy_replay_job"></a> [deploy_replay_job](#input_deploy_replay_job) | (Optional) Defines if replay pipeline should be deployed or not (default: `false`) | `bool` |
 | <a name="input_primary_subnet_cidr"></a> [primary_subnet_cidr](#input_primary_subnet_cidr) | The CIDR Range of the primary subnet | `string` |
+| <a name="input_pubsub_kms_key_name"></a> [pubsub_kms_key_name](#input_pubsub_kms_key_name) | (Optional) The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on created topics. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature. The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`. | `string` |
 | <a name="input_scoping_project"></a> [scoping_project](#input_scoping_project) | Cloud Monitoring scoping project ID to create dashboard under.<br>This assumes a pre-existing scoping project whose metrics scope contains the `project` where dataflow job is to be deployed.<br>See [Cloud Monitoring settings](https://cloud.google.com/monitoring/settings) for more details on scoping project.<br>If parameter is empty, scoping project defaults to value of `project` parameter above. | `string` |
 | <a name="input_splunk_hec_token"></a> [splunk_hec_token](#input_splunk_hec_token) | (Optional) Splunk HEC token. Must be defined if `splunk_hec_token_source` if type of `PLAINTEXT` or `KMS`. | `string` |
 | <a name="input_splunk_hec_token_kms_encryption_key"></a> [splunk_hec_token_kms_encryption_key](#input_splunk_hec_token_kms_encryption_key) | (Optional) The Cloud KMS key to decrypt the HEC token string. Required if `splunk_hec_token_source` is type of KMS (default: '') | `string` |
diff --git a/main.tf b/main.tf
@@ -76,7 +76,8 @@ locals {
 }
 
 resource "google_pubsub_topic" "dataflow_input_pubsub_topic" {
-  name = local.dataflow_input_topic_name
+  name         = local.dataflow_input_topic_name
+  kms_key_name = var.pubsub_kms_key_name
 }
 
 resource "google_pubsub_subscription" "dataflow_input_pubsub_subscription" {
diff --git a/pipeline.tf b/pipeline.tf
@@ -14,7 +14,8 @@
 
 
 resource "google_pubsub_topic" "dataflow_deadletter_pubsub_topic" {
-  name = local.dataflow_output_deadletter_topic_name
+  name         = local.dataflow_output_deadletter_topic_name
+  kms_key_name = var.pubsub_kms_key_name
 }
 
 resource "google_pubsub_subscription" "dataflow_deadletter_pubsub_sub" {
diff --git a/variables.tf b/variables.tf
@@ -194,3 +194,13 @@ variable "create_service_account" {
   default     = true
   description = "(Optional) Defines if service account provided by `dataflow_worker_service_account` variable should be created. If not all permissions (except PubSub topics) for if should be binded externally"
 }
+
+variable "pubsub_kms_key_name" {
+  type = string
+  description = "(Optional) The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on created topics. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature. The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`."
+  default = ""
+  validation {
+    condition     = can(regex("^projects\\/[^\\n\\r\\/]+\\/locations\\/[^\\n\\r\\/]+\\/keyRings\\/[^\\n\\r\\/]+\\/cryptoKeys\\/[^\\n\\r\\/]+$", var.pubsub_kms_key_name)) || var.pubsub_kms_key_name == ""
+    error_message = "Pub/Sub KMS key name must match: '^projects\\/[^\\n\\r\\/]+\\/locations\\/[^\\n\\r\\/]+\\/keyRings\\/[^\\n\\r\\/]+\\/cryptoKeys\\/[^\\n\\r\\/]+$' pattern."
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,8 @@ locals {`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`resource "google_pubsub_topic" "dataflow_input_pubsub_topic" {`
`79`		`- name = local.dataflow_input_topic_name`
	`79`	`+ name = local.dataflow_input_topic_name`
	`80`	`+ kms_key_name = var.pubsub_kms_key_name`
`80`	`81`	`}`
`81`	`82`
`82`	`83`	`resource "google_pubsub_subscription" "dataflow_input_pubsub_subscription" {`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,8 @@`
`14`	`14`
`15`	`15`
`16`	`16`	`resource "google_pubsub_topic" "dataflow_deadletter_pubsub_topic" {`
`17`		`- name = local.dataflow_output_deadletter_topic_name`
	`17`	`+ name = local.dataflow_output_deadletter_topic_name`
	`18`	`+ kms_key_name = var.pubsub_kms_key_name`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`resource "google_pubsub_subscription" "dataflow_deadletter_pubsub_sub" {`