1 change: 1 addition & 0 deletions examples/postgresql-ha/main.tf
Expand Up @@ -48,6 +48,7 @@ module "pg" {
maintenance_window_hour = 12
maintenance_window_update_track = "stable"

use_autokey = true
deletion_protection = false

database_flags = [{ name = "autovacuum", value = "off" }]
1 change: 1 addition & 0 deletions modules/postgresql/README.md
Expand Up @@ -170,6 +170,7 @@ module "pg" {
| secondary\_zone | The preferred zone for the replica instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no |
| tier | The tier for the Cloud SQL instance. | `string` | `"db-f1-micro"` | no |
| update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"30m"` | no |
| use\_autokey | Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project. | `bool` | `false` | no |
| user\_deletion\_policy | The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". | `string` | `null` | no |
| user\_labels | The key/value labels for the Cloud SQL instances. | `map(string)` | `{}` | no |
| user\_name | The name of the default user | `string` | `"default"` | no |
13 changes: 12 additions & 1 deletion modules/postgresql/main.tf
Expand Up @@ -45,6 +45,8 @@ locals {
connector_enforcement = var.connector_enforcement ? "REQUIRED" : "NOT_REQUIRED"

database_name = var.enable_default_db ? var.db_name : (length(var.additional_databases) > 0 ? var.additional_databases[0].name : "")

encryption_key = (var.encryption_key_name != null && var.use_autokey) ? google_kms_key_handle.default[0].kms_key : null
}

resource "random_id" "suffix" {
Expand All @@ -60,7 +62,7 @@ resource "google_sql_database_instance" "default" {
database_version = can(regex("\\d", substr(var.database_version, 0, 1))) ? format("POSTGRES_%s", var.database_version) : replace(var.database_version, substr(var.database_version, 0, 8), "POSTGRES")
maintenance_version = var.maintenance_version
region = var.region
encryption_key_name = var.encryption_key_name
encryption_key_name = local.encryption_key
deletion_protection = var.deletion_protection
root_password = var.root_password

Expand Down Expand Up @@ -211,6 +213,15 @@ resource "google_sql_database_instance" "default" {
depends_on = [null_resource.module_depends_on]
}

resource "google_kms_key_handle" "default" {
count = var.use_autokey ? 1 : 0
provider = google-beta
project = var.project_id
name = local.instance_name
location = coalesce(var.region, provider::google::region_from_zone(var.zone))
resource_type_selector = "sqladmin.googleapis.com/Instance"
}

resource "google_sql_database" "default" {
count = var.enable_default_db ? 1 : 0
name = var.db_name
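Review bot: The new `encryption_key` local in the `locals` hunk (`encryption_key = (var.encryption_key_name != null && var.use_autokey) ? google_kms_key_handle.default[0].kms_key : null`) evaluates to null whenever `use_autokey` is false, so an `encryption_key_name` that a caller already supplies is no longer passed to `google_sql_database_instance.default` (its `encryption_key_name` line in the second hunk now reads `local.encryption_key` instead of `var.encryption_key_name`), and an existing customer-managed key would be dropped from the plan. The same condition also requires `encryption_key_name` to be set before the autokey handle is used, which the `examples/postgresql-ha/main.tf` change (`use_autokey = true` with no `encryption_key_name`) does not do, so there the key handle is created but the instance is left without a CMEK. Selecting one source or the other, `encryption_key = var.use_autokey ? google_kms_key_handle.default[0].kms_key : var.encryption_key_name`, keeps the previous behaviour and makes the example work; a `precondition` on the instance (or a comment on the local) stating that the two inputs are mutually exclusive would make the intended precedence explicit. The `location` argument of `google_kms_key_handle.default` uses a provider-defined function (`provider::google::region_from_zone`), which presumably needs a Terraform `required_version` of 1.8 or later; the versions file is not part of this diff, so that constraint is worth confirming.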
6 changes: 6 additions & 0 deletions modules/postgresql/variables.tf
Expand Up @@ -456,3 +456,9 @@ variable "database_integration_roles" {
type = list(string)
default = []
}

variable "use_autokey" {
description = "Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project."
type = bool
default = false
}
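Review bot: The description of `use_autokey` does not say how it relates to `encryption_key_name`, nor that the key handle it creates is declared with `provider = google-beta` in modules/postgresql/main.tf, so a caller setting only one of the two inputs cannot tell from the variable which key the instance will end up with. Suggested wording once the precedence between the two inputs is settled: `description = "Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project and creates a google_kms_key_handle through the google-beta provider. Document here whether this overrides or is overridden by encryption_key_name."` with the last sentence replaced by the actual rule.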
1 change: 1 addition & 0 deletions test/setup/iam.tf
Expand Up @@ -17,6 +17,7 @@
locals {
int_required_roles = [
"roles/cloudkms.admin",
"roles/cloudkms.autokeyAdmin",
"roles/cloudkms.cryptoKeyEncrypterDecrypter",
"roles/cloudscheduler.admin",
"roles/cloudsql.admin",
17 changes: 17 additions & 0 deletions test/setup/main.tf
Expand Up @@ -54,3 +54,20 @@ resource "google_project_service_identity" "workflos_sa" {
project = module.project.project_id
service = "workflows.googleapis.com"
}

# Using same project for autokey, not ideal but should be fine for testing
module "autokey" {
source = "GoogleCloudPlatform/autokey/google"
version = "1.1.1"
billing_account = var.billing_account
organization_id = var.org_id
create_new_folder = false
folder_id = var.folder_id
create_new_autokey_key_project = false
autokey_key_project_name = module.project.project_name
autokey_key_project_id = module.project.project_id
parent_folder_id = ""
autokey_folder_users = [google_service_account.int_test.member]
autokey_project_kms_admins = [google_service_account.int_test.member]
autokey_folder_admins = []
}
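Review bot: The comment above `module "autokey"` says the shared project is "not ideal" without saying why, while the block then grants `google_service_account.int_test.member` both `autokey_folder_users` and `autokey_project_kms_admins`, which collapses the separation between key administration and key use that a dedicated Autokey key project is meant to provide. A comment that states this, such as `# Test-only: the integration project doubles as the Autokey key project and the test SA is both Autokey user and KMS admin, so the key-admin/resource-admin separation Autokey normally gives is not exercised here`, would keep the setup from being copied as a pattern. `parent_folder_id = ""` next to `create_new_folder = false` reads as a placeholder; if the module expects it empty in that mode, a short comment saying so would help the next reader.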