feat: Add cloudKMs permissions for service accounts of Service agents (…

…#111)

.github/workflows/linter-helm.yml

@@ -15,21 +15,21 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      
+
       - name: Set up Helm
         uses: azure/setup-helm@v3
         with:
           version: v3.12.1
-      
+
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
           python-version: '3.9'
           check-latest: true
-      
+
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.4.0
-      
+        uses: helm/chart-testing-action@v2.6.0
+
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |

container-registry/gcp/artifact-registry/README.md

@@ -45,7 +45,7 @@ No modules.
 | [google-beta_google_project_service_identity.kms](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_project_service_identity) | resource |
 | [google_artifact_registry_repository.docker](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/artifact_registry_repository) | resource |
 | [google_artifact_registry_repository_iam_member.artifact_registry_roles](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/artifact_registry_repository_iam_member) | resource |
-| [google_project_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_kms_crypto_key_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key_iam_member) | resource |
 | [null_resource.copy_images](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |

container-registry/gcp/artifact-registry/main.tf

@@ -3,8 +3,14 @@ data "google_client_config" "current" {}
 data "google_project" "project" {}
 
 locals {
-  labels        = merge(var.labels, { module = "docker-artifact-registry" })
-  docker_images = merge(values({ for key, value in var.docker_images : key => { for element in value : "${key}-${element.image}-${element.tag}" => { name = key, image = element.image, tag = element.tag } } })...)
+  labels = merge(var.labels, { module = "docker-artifact-registry" })
+  docker_images = merge(values({
+    for key, value in var.docker_images : key => {
+      for element in value : "${key}-${element.image}-${element.tag}" => {
+        name = key, image = element.image, tag = element.tag
+      }
+    }
+  })...)
 }
 
 resource "google_project_service_identity" "kms" {
@@ -14,11 +20,11 @@ resource "google_project_service_identity" "kms" {
   service  = "artifactregistry.googleapis.com"
 }
 
-resource "google_project_iam_member" "kms" {
-  count   = can(coalesce(var.kms_key_id)) ? 1 : 0
-  project = data.google_client_config.current.project
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:${google_project_service_identity.kms[0].email}"
+resource "google_kms_crypto_key_iam_member" "kms" {
+  count         = can(coalesce(var.kms_key_id)) ? 1 : 0
+  crypto_key_id = var.kms_key_id
+  member        = "serviceAccount:${google_project_service_identity.kms[0].email}"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 }
 
 resource "null_resource" "copy_images" {
@@ -63,11 +69,19 @@ resource "google_artifact_registry_repository" "docker" {
   docker_config {
     immutable_tags = var.immutable_tags
   }
-  depends_on = [google_project_iam_member.kms]
+  depends_on = [google_kms_crypto_key_iam_member.kms]
 }
 
 resource "google_artifact_registry_repository_iam_member" "artifact_registry_roles" {
-  for_each   = { for role in flatten([for role_key, role in var.iam_roles : [for member in role : { role = role_key, member = member }]]) : "${role.role}.${role.member}" => role }
+  for_each = {
+    for role in flatten([
+      for role_key, role in var.iam_roles : [
+        for member in role : {
+          role = role_key, member = member
+        }
+      ]
+    ]) : "${role.role}.${role.member}" => role
+  }
   project    = data.google_client_config.current.project
   location   = data.google_client_config.current.region
   repository = google_artifact_registry_repository.docker.name

kubernetes/gcp/gke/README.md

@@ -41,7 +41,7 @@ This module deploy:
 
 | Name | Type |
 |------|------|
-| [google_project_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_kms_crypto_key_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key_iam_member) | resource |
 | [null_resource.update_kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |

kubernetes/gcp/gke/main.tf

@@ -48,13 +48,14 @@ locals {
     (local.public_autopilot ? module.autopilot[0].location : null),
     (local.private_autopilot ? module.private_autopilot[0].location : null),
   )
+  kms_key_ids = [for v in var.database_encryption : v.key_name if can(coalesce(v.key_name))]
 }
 
-resource "google_project_iam_member" "kms" {
-  count   = anytrue([for v in var.database_encryption : can(coalesce(v.key_name))]) ? 1 : 0
-  project = data.google_client_config.current.project
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
+resource "google_kms_crypto_key_iam_member" "kms" {
+  for_each      = toset(local.kms_key_ids)
+  crypto_key_id = each.key
+  member        = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 }
 
 # Public GKE with beta functionalities
@@ -168,7 +169,7 @@ module "gke" {
   stub_domains                          = var.stub_domains
   timeouts                              = var.timeouts
   upstream_nameservers                  = var.upstream_nameservers
-  depends_on                            = [google_project_iam_member.kms]
+  depends_on                            = [google_kms_crypto_key_iam_member.kms]
 }
 
 # Private GKE with beta functionalities
@@ -288,7 +289,7 @@ module "private_gke" {
   stub_domains                          = var.stub_domains
   timeouts                              = var.timeouts
   upstream_nameservers                  = var.upstream_nameservers
-  depends_on                            = [google_project_iam_member.kms]
+  depends_on                            = [google_kms_crypto_key_iam_member.kms]
 }
 
 # Public autopilot with beta functionalities
@@ -356,7 +357,7 @@ module "autopilot" {
   stub_domains                      = var.stub_domains
   timeouts                          = var.timeouts
   upstream_nameservers              = var.upstream_nameservers
-  depends_on                        = [google_project_iam_member.kms]
+  depends_on                        = [google_kms_crypto_key_iam_member.kms]
 }
 
 # Private autopilot with beta functionalities
@@ -431,7 +432,7 @@ module "private_autopilot" {
   stub_domains                      = var.stub_domains
   timeouts                          = var.timeouts
   upstream_nameservers              = var.upstream_nameservers
-  depends_on                        = [google_project_iam_member.kms]
+  depends_on                        = [google_kms_crypto_key_iam_member.kms]
 }
 
 resource "null_resource" "update_kubeconfig" {

storage/gcp/gcs/README.md

@@ -31,7 +31,7 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_project_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_kms_crypto_key_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key_iam_member) | resource |
 | [google_storage_bucket.gcs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
 | [google_storage_bucket_access_control.access_control](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_access_control) | resource |
 | [google_storage_bucket_acl.default_acl](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_acl) | resource |

storage/gcp/gcs/main.tf

@@ -2,11 +2,11 @@ data "google_client_config" "current" {}
 
 data "google_project" "project" {}
 
-resource "google_project_iam_member" "kms" {
-  count   = can(coalesce(var.default_kms_key_name)) ? 1 : 0
-  project = data.google_client_config.current.project
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
+resource "google_kms_crypto_key_iam_member" "kms" {
+  count         = can(coalesce(var.default_kms_key_name)) ? 1 : 0
+  crypto_key_id = var.default_kms_key_name
+  member        = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 }
 
 resource "google_storage_bucket" "gcs" {
@@ -96,7 +96,7 @@ resource "google_storage_bucket" "gcs" {
       data_locations = var.data_locations
     }
   }
-  depends_on = [google_project_iam_member.kms]
+  depends_on = [google_kms_crypto_key_iam_member.kms]
 }
 
 resource "google_storage_bucket_access_control" "access_control" {

storage/gcp/memorystore/redis/README.md

@@ -33,7 +33,7 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_project_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_kms_crypto_key_iam_member.kms](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key_iam_member) | resource |
 | [google_redis_instance.cache](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/redis_instance) | resource |
 | [google_client_config.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |

storage/gcp/memorystore/redis/main.tf

@@ -10,11 +10,11 @@ locals {
   read_replicas_mode      = var.tier == "STANDARD_HA" ? var.read_replicas_mode : null
 }
 
-resource "google_project_iam_member" "kms" {
-  count   = can(coalesce(var.customer_managed_key)) ? 1 : 0
-  project = data.google_client_config.current.project
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@cloud-redis.iam.gserviceaccount.com"
+resource "google_kms_crypto_key_iam_member" "kms" {
+  count         = can(coalesce(var.customer_managed_key)) ? 1 : 0
+  crypto_key_id = var.customer_managed_key
+  member        = "serviceAccount:service-${data.google_project.project.number}@cloud-redis.iam.gserviceaccount.com"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 }
 
 resource "google_redis_instance" "cache" {
@@ -60,5 +60,5 @@ resource "google_redis_instance" "cache" {
       }
     }
   }
-  depends_on = [google_project_iam_member.kms]
+  depends_on = [google_kms_crypto_key_iam_member.kms]
 }