feat: Add support for autokey in postgres module

examples/postgresql-ha/main.tf

@@ -48,6 +48,7 @@ module "pg" {
   maintenance_window_hour         = 12
   maintenance_window_update_track = "stable"
 
+  use_autokey         = true
   deletion_protection = false
 
   database_flags = [{ name = "autovacuum", value = "off" }]

modules/postgresql/README.md

@@ -170,6 +170,7 @@ module "pg" {
 | secondary\_zone | The preferred zone for the replica instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no |
 | tier | The tier for the Cloud SQL instance. | `string` | `"db-f1-micro"` | no |
 | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"30m"` | no |
+| use\_autokey | Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project. | `bool` | `false` | no |
 | user\_deletion\_policy | The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". | `string` | `null` | no |
 | user\_labels | The key/value labels for the Cloud SQL instances. | `map(string)` | `{}` | no |
 | user\_name | The name of the default user | `string` | `"default"` | no |

modules/postgresql/main.tf

@@ -45,6 +45,8 @@ locals {
   connector_enforcement = var.connector_enforcement ? "REQUIRED" : "NOT_REQUIRED"
 
   database_name = var.enable_default_db ? var.db_name : (length(var.additional_databases) > 0 ? var.additional_databases[0].name : "")
+
+  encryption_key = (var.encryption_key_name != null && var.use_autokey) ? google_kms_key_handle.default[0].kms_key : null
 }
 
 resource "random_id" "suffix" {
@@ -60,7 +62,7 @@ resource "google_sql_database_instance" "default" {
   database_version    = can(regex("\\d", substr(var.database_version, 0, 1))) ? format("POSTGRES_%s", var.database_version) : replace(var.database_version, substr(var.database_version, 0, 8), "POSTGRES")
   maintenance_version = var.maintenance_version
   region              = var.region
-  encryption_key_name = var.encryption_key_name
+  encryption_key_name = local.encryption_key
   deletion_protection = var.deletion_protection
   root_password       = var.root_password
 
@@ -211,6 +213,15 @@ resource "google_sql_database_instance" "default" {
   depends_on = [null_resource.module_depends_on]
 }
 
+resource "google_kms_key_handle" "default" {
+  count                  = var.use_autokey ? 1 : 0
+  provider               = google-beta
+  project                = var.project_id
+  name                   = local.instance_name
+  location               = coalesce(var.region, provider::google::region_from_zone(var.zone))
+  resource_type_selector = "sqladmin.googleapis.com/Instance"
+}
+
 resource "google_sql_database" "default" {
   count           = var.enable_default_db ? 1 : 0
   name            = var.db_name

modules/postgresql/variables.tf

@@ -456,3 +456,9 @@ variable "database_integration_roles" {
   type        = list(string)
   default     = []
 }
+
+variable "use_autokey" {
+  description = "Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project."
+  type        = bool
+  default     = false
+}

test/setup/iam.tf

@@ -17,6 +17,7 @@
 locals {
   int_required_roles = [
     "roles/cloudkms.admin",
+    "roles/cloudkms.autokeyAdmin",
     "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "roles/cloudscheduler.admin",
     "roles/cloudsql.admin",

test/setup/main.tf

@@ -54,3 +54,20 @@ resource "google_project_service_identity" "workflos_sa" {
   project  = module.project.project_id
   service  = "workflows.googleapis.com"
 }
+
+# Using same project for autokey, not ideal but should be fine for testing
+module "autokey" {
+  source                         = "GoogleCloudPlatform/autokey/google"
+  version                        = "1.1.1"
+  billing_account                = var.billing_account
+  organization_id                = var.org_id
+  create_new_folder              = false
+  folder_id                      = var.folder_id
+  create_new_autokey_key_project = false
+  autokey_key_project_name       = module.project.project_name
+  autokey_key_project_id         = module.project.project_id
+  parent_folder_id               = ""
+  autokey_folder_users           = [google_service_account.int_test.member]
+  autokey_project_kms_admins     = [google_service_account.int_test.member]
+  autokey_folder_admins          = []
+}