Skip to content

docs: Add CMEK for Eventarc #827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 31, 2025
Merged

docs: Add CMEK for Eventarc #827

merged 4 commits into from
Mar 31, 2025

Conversation

@camiekim
Copy link
Contributor

@camiekim camiekim commented Mar 21, 2025

Description

Fixes b/404495162
Enable CMEK support for Eventarc through Terraform

Note: If you are not associated with Google, open an issue for discussion before submitting a pull request.

Checklist

Readiness

  • [ x] Yes, merge this PR after it is approved
  • No, don't merge this PR after it is approved

Style

Testing

  • [x ] I have performed tests described in the Contributing guide:

    • [ x] Tests pass: terraform apply
    • [x ] Lint pass: terraform fmt check

Intended location

API enablement

  • If the sample needs an API enabled to pass testing, I have added the service to the Test setup file

Review

  • If this sample adds a new directory, I have added codeowners to the CODEOWNERS file

@camiekim
docs: Create main.tf
bc096e9 
Per b/404495162
@camiekim camiekim requested review from a team as code owners March 21, 2025 18:29
@snippet-bot
Copy link

snippet-bot bot commented Mar 21, 2025
edited
Loading

Here is the summary of changes.

You are about to add 5 region tags.

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

  • Refresh this comment

@glasnt glasnt changed the title docs: Create main.tf docs: Add CMEK for Eventarc Mar 23, 2025
glasnt
glasnt reviewed Mar 23, 2025
View reviewed changes
eventarc/use_cmek/main.tf Outdated
resource "google_kms_crypto_key_iam_member" "default" {
crypto_key_id = google_kms_crypto_key.default.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.default.number}@gcp-sa-eventarc.iam.gserviceaccount.com"
Copy link
Contributor

@glasnt glasnt Mar 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests are failing due to this service account not existing. IIRC this might be due to the eventual setup of eventarc, and since we're using a brand new project for tests, this is something that may not affect docs consumers.

Other eventarc samples due a dedicated service account rather than the product service account. It doesn't look like other samples on the intended page use the product service account, so I suggest adapting the setup from https://github.com/terraform-google-modules/terraform-docs-samples/blob/main/eventarc/basic/main.tf that usesgoogle_service_account to create the service account, then reference it here.

Copy link
Contributor Author

@camiekim camiekim Mar 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Katie! I've added using google_project_service_identity to generate the Eventarc SA....hopefully, that passes muster.

@glasnt glasnt added the waiting-response Waiting for issue author to respond. label Mar 23, 2025
@camiekim camiekim added waiting-for-codeowners and removed waiting-response Waiting for issue author to respond. labels Mar 24, 2025
@glasnt glasnt merged commit 2f6d313 into terraform-google-modules:main Mar 31, 2025
5 checks passed
niharika-98 pushed a commit to niharika-98/terraform-docs-samples that referenced this pull request Sep 7, 2025
@camiekim @gericdong @niharika-98
docs: Add CMEK for Eventarc (terraform-google-modules#827)
38bb104 
* docs: Create main.tf

Per b/404495162

* docs: Support generation of Eventarc SA

* doc: Use email attribute instead of member for google_project_service_identity

---------

Co-authored-by: Eric Dong <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@glasnt glasnt glasnt approved these changes

Assignees

No one assigned

Labels

waiting-for-codeowners

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@camiekim @glasnt @gericdong