feat: add cmek support in composer_env_v2 (#113)

Sarapuce · web-flow · commit 0fe2605df22e · 2024-01-30T08:50:57.000-06:00
diff --git a/modules/create_environment_v2/README.md b/modules/create_environment_v2/README.md
@@ -69,6 +69,7 @@ module "simple-composer-environment" {
 | environment\_size | The environment size controls the performance parameters of the managed Cloud Composer infrastructure that includes the Airflow database. Values for environment size are: `ENVIRONMENT_SIZE_SMALL`, `ENVIRONMENT_SIZE_MEDIUM`, and `ENVIRONMENT_SIZE_LARGE`. | `string` | `"ENVIRONMENT_SIZE_MEDIUM"` | no |
 | grant\_sa\_agent\_permission | Cloud Composer relies on Workload Identity as Google API authentication mechanism for Airflow. | `bool` | `true` | no |
 | image\_version | The version of the aiflow running in the cloud composer environment. | `string` | `"composer-2.5.0-airflow-2.6.3"` | no |
+| kms\_key\_name | Customer-managed Encryption Key fully qualified resource name, i.e. projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key. | `string` | `null` | no |
 | labels | The resource labels (a map of key/value pairs) to be applied to the Cloud Composer. | `map(string)` | `{}` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `null` | no |
 | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `null` | no |
diff --git a/modules/create_environment_v2/main.tf b/modules/create_environment_v2/main.tf
@@ -199,6 +199,13 @@ resource "google_composer_environment" "composer_env" {
       }
     }
 
+    dynamic "encryption_config" {
+      for_each = var.kms_key_name != null ? ["encryption_config"] : []
+      content {
+        kms_key_name = var.kms_key_name
+      }
+    }
+
   }
 
   depends_on = [google_project_iam_member.composer_agent_service_account]
diff --git a/modules/create_environment_v2/variables.tf b/modules/create_environment_v2/variables.tf
@@ -282,3 +282,9 @@ variable "web_server_network_access_control" {
   default     = null
   description = "The network-level access control policy for the Airflow web server. If unspecified, no network-level access restrictions are applied"
 }
+
+variable "kms_key_name" {
+  description = "Customer-managed Encryption Key fully qualified resource name, i.e. projects/project-id/locations/location/keyRings/keyring/cryptoKeys/key."
+  type        = string
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -199,6 +199,13 @@ resource "google_composer_environment" "composer_env" {`
`199`	`199`	`}`
`200`	`200`	`}`
`201`	`201`
	`202`	`+ dynamic "encryption_config" {`
	`203`	`+ for_each = var.kms_key_name != null ? ["encryption_config"] : []`
	`204`	`+ content {`
	`205`	`+ kms_key_name = var.kms_key_name`
	`206`	`+ }`
	`207`	`+ }`
	`208`	`+`
`202`	`209`	`}`
`203`	`210`
`204`	`211`	`depends_on = [google_project_iam_member.composer_agent_service_account]`