feat: 4-projects GCS CMEK example (#346)

* 4-projects GCS CMEK module

* 4-projects GCS CMEK module - Quick Fix

* 4-projects GCS CMEK module - Lint

* 4-projects GCS CMEK module - Validate

* 4-projects GCS CMEK module - README

* 4-projects GCS CMEK module - README2 + KMS version

* 4-projects GCS CMEK module - Bug Fix 2

* 4-projects GCS CMEK module - Requested Changes

* 4-projects GCS CMEK module - Bug Fix 3

* 4-projects GCS CMEK module - Key Destroy Support

* 4-projects GCS CMEK module - Key Map Update

* 4-projects GCS CMEK module - Variables

* 4-projects GCS CMEK module - Final

* CMEK - MultiEnv

* CMEK Multi-Env Explicit Depends on

4-projects/business_unit_1/development/README.md

@@ -12,12 +12,19 @@
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
+| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no |
+| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no |
+| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |
+| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no |
+| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
+| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list` | `[]` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
+| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 
@@ -28,7 +35,11 @@
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
+| bucket | The created storage bucket |
+| env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| keyring | The name of the keyring. |
+| keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |

4-projects/business_unit_1/development/example_storage_cmek.tf

@@ -0,0 +1,76 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "env_secrets_project" {
+  source                      = "../../modules/single_project"
+  impersonate_service_account = var.terraform_service_account
+  org_id                      = var.org_id
+  billing_account             = var.billing_account
+  folder_id                   = data.google_active_folder.env.name
+  environment                 = "development"
+  alert_spent_percents        = var.alert_spent_percents
+  alert_pubsub_topic          = var.alert_pubsub_topic
+  budget_amount               = var.budget_amount
+  project_suffix              = var.secrets_prj_suffix
+
+  activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"]
+
+  # Metadata
+  application_name  = "bu1-sample-application"
+  billing_code      = "1234"
+  primary_contact   = "example@example.com"
+  secondary_contact = "example2@example.com"
+  business_code     = "bu1"
+}
+
+data "google_storage_project_service_account" "gcs_account" {
+  project = module.base_shared_vpc_project.project_id
+}
+
+module "kms" {
+  source  = "terraform-google-modules/kms/google"
+  version = "~> 1.2"
+
+  project_id          = module.env_secrets_project.project_id
+  keyring             = var.keyring_name
+  location            = var.location_kms
+  keys                = [var.key_name]
+  key_rotation_period = var.key_rotation_period
+  encrypters          = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+  set_encrypters_for  = [var.key_name]
+  decrypters          = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+  set_decrypters_for  = [var.key_name]
+  prevent_destroy     = "false"
+}
+
+resource "random_string" "bucket_name" {
+  length  = 5
+  upper   = false
+  number  = true
+  lower   = true
+  special = false
+}
+
+module "gcs_buckets" {
+  depends_on           = [module.kms]
+  source               = "terraform-google-modules/cloud-storage/google"
+  version              = "~> 1.7"
+  project_id           = module.base_shared_vpc_project.project_id
+  location             = var.location_gcs
+  names                = [random_string.bucket_name.result]
+  prefix               = var.gcs_bucket_prefix
+  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+}

4-projects/business_unit_1/development/outputs.tf

@@ -68,3 +68,23 @@ output "peering_complete" {
   description = "Output to be used as a module dependency."
   value       = module.peering.complete
 }
+
+output "env_secrets_project" {
+  description = "Project sample peering project id."
+  value       = module.env_secrets_project.project_id
+}
+
+output "keyring" {
+  description = "The name of the keyring."
+  value       = module.kms.keyring
+}
+
+output "keys" {
+  description = "List of created key names."
+  value       = keys(module.kms.keys)
+}
+
+output "bucket" {
+  description = "The created storage bucket"
+  value       = module.gcs_buckets.bucket
+}

4-projects/business_unit_1/development/variables.tf

@@ -109,3 +109,45 @@ variable "app_infra_pipeline_cloudbuild_sa" {
   description = "Cloud Build SA used for deploying infrastructure"
   type        = string
 }
+
+variable "secrets_prj_suffix" {
+  description = "Name suffix to use for secrets project created."
+  type        = string
+  default     = "env-secrets"
+}
+
+variable "location_kms" {
+  description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)"
+  type        = string
+  default     = "us"
+}
+
+variable "location_gcs" {
+  description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)"
+  type        = string
+  default     = "US"
+}
+
+variable "keyring_name" {
+  description = "Name to be used for KMS Keyring"
+  type        = string
+  default     = "sample-keyring"
+}
+
+variable "key_name" {
+  description = "Name to be used for KMS Key"
+  type        = string
+  default     = "crypto-key-example"
+}
+
+variable "key_rotation_period" {
+  description = "Rotation period in seconds to be used for KMS Key"
+  type        = string
+  default     = "7776000s"
+}
+
+variable "gcs_bucket_prefix" {
+  description = "Name prefix to be used for GCS Bucket"
+  type        = string
+  default     = "cmek-encrypted-bucket"
+}

4-projects/business_unit_1/non-production/README.md

@@ -12,12 +12,19 @@
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
+| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no |
+| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no |
+| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |
+| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no |
+| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
+| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list` | `[]` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
+| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 
@@ -28,7 +35,11 @@
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
+| bucket | The created storage bucket |
+| env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| keyring | The name of the keyring. |
+| keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |

4-projects/business_unit_1/non-production/example_storage_cmek.tf

@@ -0,0 +1,76 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "env_secrets_project" {
+  source                      = "../../modules/single_project"
+  impersonate_service_account = var.terraform_service_account
+  org_id                      = var.org_id
+  billing_account             = var.billing_account
+  folder_id                   = data.google_active_folder.env.name
+  environment                 = "non-production"
+  alert_spent_percents        = var.alert_spent_percents
+  alert_pubsub_topic          = var.alert_pubsub_topic
+  budget_amount               = var.budget_amount
+  project_suffix              = var.secrets_prj_suffix
+
+  activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"]
+
+  # Metadata
+  application_name  = "bu1-sample-application"
+  billing_code      = "1234"
+  primary_contact   = "example@example.com"
+  secondary_contact = "example2@example.com"
+  business_code     = "bu1"
+}
+
+data "google_storage_project_service_account" "gcs_account" {
+  project = module.base_shared_vpc_project.project_id
+}
+
+module "kms" {
+  source  = "terraform-google-modules/kms/google"
+  version = "~> 1.2"
+
+  project_id          = module.env_secrets_project.project_id
+  keyring             = var.keyring_name
+  location            = var.location_kms
+  keys                = [var.key_name]
+  key_rotation_period = var.key_rotation_period
+  encrypters          = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+  set_encrypters_for  = [var.key_name]
+  decrypters          = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
+  set_decrypters_for  = [var.key_name]
+  prevent_destroy     = "false"
+}
+
+resource "random_string" "bucket_name" {
+  length  = 5
+  upper   = false
+  number  = true
+  lower   = true
+  special = false
+}
+
+module "gcs_buckets" {
+  depends_on           = [module.kms]
+  source               = "terraform-google-modules/cloud-storage/google"
+  version              = "~> 1.7"
+  project_id           = module.base_shared_vpc_project.project_id
+  location             = var.location_gcs
+  names                = [random_string.bucket_name.result]
+  prefix               = var.gcs_bucket_prefix
+  encryption_key_names = zipmap([random_string.bucket_name.result], values(module.kms.keys))
+}

4-projects/business_unit_1/non-production/outputs.tf

@@ -68,3 +68,23 @@ output "peering_complete" {
   description = "Output to be used as a module dependency."
   value       = module.peering.complete
 }
+
+output "env_secrets_project" {
+  description = "Project sample peering project id."
+  value       = module.env_secrets_project.project_id
+}
+
+output "keyring" {
+  description = "The name of the keyring."
+  value       = module.kms.keyring
+}
+
+output "keys" {
+  description = "List of created key names."
+  value       = keys(module.kms.keys)
+}
+
+output "bucket" {
+  description = "The created storage bucket"
+  value       = module.gcs_buckets.bucket
+}

4-projects/business_unit_1/non-production/variables.tf

@@ -109,3 +109,45 @@ variable "app_infra_pipeline_cloudbuild_sa" {
   description = "Cloud Build SA used for deploying infrastructure"
   type        = string
 }
+
+variable "secrets_prj_suffix" {
+  description = "Name suffix to use for secrets project created."
+  type        = string
+  default     = "env-secrets"
+}
+
+variable "location_kms" {
+  description = "Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket)"
+  type        = string
+  default     = "us"
+}
+
+variable "location_gcs" {
+  description = "Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring)"
+  type        = string
+  default     = "US"
+}
+
+variable "keyring_name" {
+  description = "Name to be used for KMS Keyring"
+  type        = string
+  default     = "sample-keyring"
+}
+
+variable "key_name" {
+  description = "Name to be used for KMS Key"
+  type        = string
+  default     = "crypto-key-example"
+}
+
+variable "key_rotation_period" {
+  description = "Rotation period in seconds to be used for KMS Key"
+  type        = string
+  default     = "7776000s"
+}
+
+variable "gcs_bucket_prefix" {
+  description = "Name prefix to be used for GCS Bucket"
+  type        = string
+  default     = "cmek-encrypted-bucket"
+}

4-projects/business_unit_1/production/README.md

@@ -13,12 +13,19 @@
 | env\_code | A short form of the environment field | `string` | `"p"` | no |
 | firewall\_enable\_logging | Toggle firewall logging for VPC Firewalls. | `bool` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. | `string` | `"fldr"` | no |
+| gcs\_bucket\_prefix | Name prefix to be used for GCS Bucket | `string` | `"cmek-encrypted-bucket"` | no |
+| key\_name | Name to be used for KMS Key | `string` | `"crypto-key-example"` | no |
+| key\_rotation\_period | Rotation period in seconds to be used for KMS Key | `string` | `"7776000s"` | no |
+| keyring\_name | Name to be used for KMS Keyring | `string` | `"sample-keyring"` | no |
+| location\_gcs | Case-Sensitive Location for GCS Bucket (Should be same region as the KMS Keyring) | `string` | `"US"` | no |
+| location\_kms | Case-Sensitive Location for KMS Keyring (Should be same region as the GCS Bucket) | `string` | `"us"` | no |
 | optional\_fw\_rules\_enabled | Toggle creation of optional firewall rules: IAP SSH, IAP RDP and Internal & Global load balancing health check and load balancing IP ranges. | `bool` | `false` | no |
 | org\_id | The organization id for the associated services | `string` | n/a | yes |
 | parent\_folder | Optional - if using a folder for testing. | `string` | `""` | no |
 | peering\_module\_depends\_on | List of modules or resources peering module depends on. | `list` | `[]` | no |
 | perimeter\_name | Access context manager service perimeter name to attach the restricted svpc project. | `string` | n/a | yes |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
+| secrets\_prj\_suffix | Name suffix to use for secrets project created. | `string` | `"env-secrets"` | no |
 | terraform\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
 | windows\_activation\_enabled | Enable Windows license activation for Windows workloads. | `bool` | `false` | no |
 
@@ -29,7 +36,11 @@
 | access\_context\_manager\_policy\_id | Access Context Manager Policy ID. |
 | base\_shared\_vpc\_project | Project sample base project. |
 | base\_shared\_vpc\_project\_sa | Project sample base project SA. |
+| bucket | The created storage bucket |
+| env\_secrets\_project | Project sample peering project id. |
 | floating\_project | Project sample floating project. |
+| keyring | The name of the keyring. |
+| keys | List of created key names. |
 | peering\_complete | Output to be used as a module dependency. |
 | peering\_network | Peer network peering resource. |
 | peering\_project | Project sample peering project id. |