Merge pull request #165 from marko7460/database_encryption

Database encryption
terraform-google-modules · Jun 24, 2019 · 402ba4e · 402ba4e
2 parents ba6d0b4 + b294685
commit 402ba4e
Show file tree

Hide file tree

Showing 11 changed files with 61 additions and 1 deletion.
diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
@@ -121,6 +121,9 @@ resource "google_container_cluster" "primary" {
   }
 {% endif %}
   remove_default_node_pool = "${var.remove_default_node_pool}"
+{% if beta_cluster %}
+  database_encryption      = ["${var.database_encryption}"]
+{% endif %}
 }
 
 /******************************************

diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
@@ -121,6 +121,9 @@ resource "google_container_cluster" "zonal_primary" {
   }
 {% endif %}
   remove_default_node_pool = "${var.remove_default_node_pool}"
+{% if beta_cluster %}
+  database_encryption      = ["${var.database_encryption}"]
+{% endif %}
 }
 
 /******************************************

diff --git a/autogen/variables.tf b/autogen/variables.tf
@@ -284,6 +284,21 @@ variable "cloudrun" {
   description = "(Beta) Enable CloudRun addon"
   default     = false
 }
+
+variable "database_encryption" {
+  description = <<EOF
+  Application-layer Secrets Encryption settings. Example:
+  database_encryption = [{
+    state = "ENCRYPTED",
+    key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
+  }]
+  EOF
+  type        = "list"
+  default     = [{
+    state     = "DECRYPTED"
+    key_name  = ""
+  }]
+}
 {% endif %}
 
 variable "basic_auth_username" {

diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -124,6 +124,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
+| database\_encryption | Application-layer Secrets Encryption settings. Example:   database_encryption = [{     state = "ENCRYPTED",     key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"   }] | list | `<list>` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |

diff --git a/modules/beta-private-cluster/cluster_regional.tf b/modules/beta-private-cluster/cluster_regional.tf
@@ -115,6 +115,7 @@ resource "google_container_cluster" "primary" {
     master_ipv4_cidr_block  = "${var.master_ipv4_cidr_block}"
   }
   remove_default_node_pool = "${var.remove_default_node_pool}"
+  database_encryption      = ["${var.database_encryption}"]
 }
 
 /******************************************

diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf
@@ -115,6 +115,7 @@ resource "google_container_cluster" "zonal_primary" {
     master_ipv4_cidr_block  = "${var.master_ipv4_cidr_block}"
   }
   remove_default_node_pool = "${var.remove_default_node_pool}"
+  database_encryption      = ["${var.database_encryption}"]
 }
 
 /******************************************

diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -280,6 +280,23 @@ variable "cloudrun" {
   default     = false
 }
 
+variable "database_encryption" {
+  description = <<EOF
+  Application-layer Secrets Encryption settings. Example:
+  database_encryption = [{
+    state = "ENCRYPTED",
+    key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
+  }]
+  EOF
+
+  type = "list"
+
+  default = [{
+    state    = "DECRYPTED"
+    key_name = ""
+  }]
+}
+
 variable "basic_auth_username" {
   description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default     = ""

diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -119,6 +119,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
+| database\_encryption | Application-layer Secrets Encryption settings. Example:   database_encryption = [{     state = "ENCRYPTED",     key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"   }] | list | `<list>` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |

diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf
@@ -108,6 +108,7 @@ resource "google_container_cluster" "primary" {
     }
   }
   remove_default_node_pool = "${var.remove_default_node_pool}"
+  database_encryption      = ["${var.database_encryption}"]
 }
 
 /******************************************

diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf
@@ -108,6 +108,7 @@ resource "google_container_cluster" "zonal_primary" {
     }
   }
   remove_default_node_pool = "${var.remove_default_node_pool}"
+  database_encryption      = ["${var.database_encryption}"]
 }
 
 /******************************************

diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -237,7 +237,6 @@ variable "service_account" {
   default     = "create"
 }
 
-
 variable "istio" {
   description = "(Beta) Enable Istio addon"
   default     = false
@@ -248,6 +247,23 @@ variable "cloudrun" {
   default     = false
 }
 
+variable "database_encryption" {
+  description = <<EOF
+  Application-layer Secrets Encryption settings. Example:
+  database_encryption = [{
+    state = "ENCRYPTED",
+    key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
+  }]
+  EOF
+
+  type = "list"
+
+  default = [{
+    state    = "DECRYPTED"
+    key_name = ""
+  }]
+}
+
 variable "basic_auth_username" {
   description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default     = ""