Add Support for Database Encryption to GKE (#3550)

Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · May 6, 2019 · 7c64359 · 7c64359
1 parent 4007b2c
commit 7c64359
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/google/bootstrap_utils_test.go b/google/bootstrap_utils_test.go
@@ -18,17 +18,23 @@ type bootstrappedKMS struct {
 	*cloudkms.CryptoKey
 }
 
+// BootstrapKMSKey returns a KMS key in the "global" location.
+// See BootstrapKMSKeyInLocation.
+func BootstrapKMSKey(t *testing.T) bootstrappedKMS {
+	return BootstrapKMSKeyInLocation(t, "global")
+}
+
 /**
-* BootstrapKMSkey will return a KMS key that can be used in tests that are
-* testing KMS integration with other resources.
+* BootstrapKMSKeyWithLocation will return a KMS key in a particular location
+* that can be used in tests that are testing KMS integration with other resources.
 *
 * This will either return an existing key or create one if it hasn't been created
 * in the project yet. The motivation is because keyrings don't get deleted and we
 * don't want a linear growth of disabled keyrings in a project. We also don't want
 * to incur the overhead of creating a new project for each test that needs to use
 * a KMS key.
 **/
-func BootstrapKMSKey(t *testing.T) bootstrappedKMS {
+func BootstrapKMSKeyInLocation(t *testing.T, locationID string) bootstrappedKMS {
 	if v := os.Getenv("TF_ACC"); v == "" {
 		log.Println("Acceptance tests and bootstrapping skipped unless env 'TF_ACC' set")
 
@@ -40,7 +46,6 @@ func BootstrapKMSKey(t *testing.T) bootstrappedKMS {
 	}
 
 	projectID := getTestProjectFromEnv()
-	locationID := "global"
 	keyRingParent := fmt.Sprintf("projects/%s/locations/%s", projectID, locationID)
 	keyRingName := fmt.Sprintf("%s/keyRings/%s", keyRingParent, SharedKeyRing)
 	keyParent := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", projectID, locationID, SharedKeyRing)

diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
@@ -181,6 +181,9 @@ deprecated in favour of `node_locations`.
 * `cluster_autoscaling` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html))
     Configuration for per-cluster autoscaling features, including node autoprovisioning. See [guide in Google docs](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning). Structure is documented below.
 
+* `database_encryption` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)).
+    Structure is documented below.
+
 * `description` - (Optional) Description of the cluster.
 
 * `default_max_pods_per_node` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) The default maximum number of pods per node in this cluster.
@@ -344,6 +347,12 @@ addons_config {
 }
 ```
 
+The `database_encryption` block supports:
+
+* `state` - (Required) `ENCRYPTED` or `DECRYPTED`
+
+* `key_name` - (Required) the key to use to encrypt/decrypt secrets.  See the [DatabaseEncryption definition](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.DatabaseEncryption) for more information.
+
 The `istio_config` block supports:
 
 * `disabled` - (Optional) The status of the Istio addon, which makes it easy to set up Istio for services in a