feat: Add CMEK support for cross-region read replicas (#251)

imrannayer · web-flow · commit 426724a50d19 · 2021-10-13T11:50:19.000-04:00
BREAKING CHANGE: `var.read_replicas` now requires an encryption key name. Set `encryption_key_name = null` to preserve the old behavior.
diff --git a/examples/mysql-ha/main.tf b/examples/mysql-ha/main.tf
@@ -80,37 +80,40 @@ module "mysql" {
   read_replica_name_suffix = "-test"
   read_replicas = [
     {
-      name             = "0"
-      zone             = "us-central1-a"
-      tier             = "db-n1-standard-1"
-      ip_configuration = local.read_replica_ip_configuration
-      database_flags   = [{ name = "long_query_time", value = 1 }]
-      disk_autoresize  = null
-      disk_size        = null
-      disk_type        = "PD_HDD"
-      user_labels      = { bar = "baz" }
+      name                = "0"
+      zone                = "us-central1-a"
+      tier                = "db-n1-standard-1"
+      ip_configuration    = local.read_replica_ip_configuration
+      database_flags      = [{ name = "long_query_time", value = 1 }]
+      disk_autoresize     = null
+      disk_size           = null
+      disk_type           = "PD_HDD"
+      user_labels         = { bar = "baz" }
+      encryption_key_name = null
     },
     {
-      name             = "1"
-      zone             = "us-central1-b"
-      tier             = "db-n1-standard-1"
-      ip_configuration = local.read_replica_ip_configuration
-      database_flags   = [{ name = "long_query_time", value = 1 }]
-      disk_autoresize  = null
-      disk_size        = null
-      disk_type        = "PD_HDD"
-      user_labels      = { bar = "baz" }
+      name                = "1"
+      zone                = "us-central1-b"
+      tier                = "db-n1-standard-1"
+      ip_configuration    = local.read_replica_ip_configuration
+      database_flags      = [{ name = "long_query_time", value = 1 }]
+      disk_autoresize     = null
+      disk_size           = null
+      disk_type           = "PD_HDD"
+      user_labels         = { bar = "baz" }
+      encryption_key_name = null
     },
     {
-      name             = "2"
-      zone             = "us-central1-c"
-      tier             = "db-n1-standard-1"
-      ip_configuration = local.read_replica_ip_configuration
-      database_flags   = [{ name = "long_query_time", value = 1 }]
-      disk_autoresize  = null
-      disk_size        = null
-      disk_type        = "PD_HDD"
-      user_labels      = { bar = "baz" }
+      name                = "2"
+      zone                = "us-central1-c"
+      tier                = "db-n1-standard-1"
+      ip_configuration    = local.read_replica_ip_configuration
+      database_flags      = [{ name = "long_query_time", value = 1 }]
+      disk_autoresize     = null
+      disk_size           = null
+      disk_type           = "PD_HDD"
+      user_labels         = { bar = "baz" }
+      encryption_key_name = null
     },
   ]
 
diff --git a/examples/postgresql-ha/main.tf b/examples/postgresql-ha/main.tf
@@ -79,37 +79,40 @@ module "pg" {
   read_replica_name_suffix = "-test"
   read_replicas = [
     {
-      name             = "0"
-      zone             = "us-central1-a"
-      tier             = "db-custom-2-13312"
-      ip_configuration = local.read_replica_ip_configuration
-      database_flags   = [{ name = "autovacuum", value = "off" }]
-      disk_autoresize  = null
-      disk_size        = null
-      disk_type        = "PD_HDD"
-      user_labels      = { bar = "baz" }
+      name                = "0"
+      zone                = "us-central1-a"
+      tier                = "db-custom-2-13312"
+      ip_configuration    = local.read_replica_ip_configuration
+      database_flags      = [{ name = "autovacuum", value = "off" }]
+      disk_autoresize     = null
+      disk_size           = null
+      disk_type           = "PD_HDD"
+      user_labels         = { bar = "baz" }
+      encryption_key_name = null
     },
     {
-      name             = "1"
-      zone             = "us-central1-b"
-      tier             = "db-custom-2-13312"
-      ip_configuration = local.read_replica_ip_configuration
-      database_flags   = [{ name = "autovacuum", value = "off" }]
-      disk_autoresize  = null
-      disk_size        = null
-      disk_type        = "PD_HDD"
-      user_labels      = { bar = "baz" }
+      name                = "1"
+      zone                = "us-central1-b"
+      tier                = "db-custom-2-13312"
+      ip_configuration    = local.read_replica_ip_configuration
+      database_flags      = [{ name = "autovacuum", value = "off" }]
+      disk_autoresize     = null
+      disk_size           = null
+      disk_type           = "PD_HDD"
+      user_labels         = { bar = "baz" }
+      encryption_key_name = null
     },
     {
-      name             = "2"
-      zone             = "us-central1-c"
-      tier             = "db-custom-2-13312"
-      ip_configuration = local.read_replica_ip_configuration
-      database_flags   = [{ name = "autovacuum", value = "off" }]
-      disk_autoresize  = null
-      disk_size        = null
-      disk_type        = "PD_HDD"
-      user_labels      = { bar = "baz" }
+      name                = "2"
+      zone                = "us-central1-c"
+      tier                = "db-custom-2-13312"
+      ip_configuration    = local.read_replica_ip_configuration
+      database_flags      = [{ name = "autovacuum", value = "off" }]
+      disk_autoresize     = null
+      disk_size           = null
+      disk_type           = "PD_HDD"
+      user_labels         = { bar = "baz" }
+      encryption_key_name = null
     },
   ]
 
diff --git a/modules/mysql/README.md b/modules/mysql/README.md
@@ -37,7 +37,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
 | random\_instance\_name | Sets random suffix at the end of the Cloud SQL resource name | `bool` | `false` | no |
 | read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
 | read\_replica\_name\_suffix | The optional suffix to add to the read instance name | `string` | `""` | no |
-| read\_replicas | List of read replicas to create | <pre>list(object({<br>    name            = string<br>    tier            = string<br>    zone            = string<br>    disk_type       = string<br>    disk_autoresize = bool<br>    disk_size       = string<br>    user_labels     = map(string)<br>    database_flags = list(object({<br>      name  = string<br>      value = string<br>    }))<br>    ip_configuration = object({<br>      authorized_networks = list(map(string))<br>      ipv4_enabled        = bool<br>      private_network     = string<br>      require_ssl         = bool<br>    })<br>  }))</pre> | `[]` | no |
+| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br>    name            = string<br>    tier            = string<br>    zone            = string<br>    disk_type       = string<br>    disk_autoresize = bool<br>    disk_size       = string<br>    user_labels     = map(string)<br>    database_flags = list(object({<br>      name  = string<br>      value = string<br>    }))<br>    ip_configuration = object({<br>      authorized_networks = list(map(string))<br>      ipv4_enabled        = bool<br>      private_network     = string<br>      require_ssl         = bool<br>    })<br>    encryption_key_name = string<br>  }))</pre> | `[]` | no |
 | region | The region of the Cloud SQL resources | `string` | `"us-central1"` | no |
 | tier | The tier for the master instance. | `string` | `"db-n1-standard-1"` | no |
 | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"10m"` | no |
diff --git a/modules/mysql/read_replica.tf b/modules/mysql/read_replica.tf
@@ -21,13 +21,15 @@ locals {
 }
 
 resource "google_sql_database_instance" "replicas" {
+  provider             = google-beta
   for_each             = local.replicas
   project              = var.project_id
   name                 = "${local.master_instance_name}-replica${var.read_replica_name_suffix}${each.value.name}"
   database_version     = var.database_version
   region               = join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2))
   master_instance_name = google_sql_database_instance.default.name
   deletion_protection  = var.read_replica_deletion_protection
+  encryption_key_name  = (join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2))) == var.region ? null : each.value.encryption_key_name
 
   replica_configuration {
     failover_target = false
diff --git a/modules/mysql/variables.tf b/modules/mysql/variables.tf
@@ -165,7 +165,7 @@ variable "ip_configuration" {
 
 // Read Replicas
 variable "read_replicas" {
-  description = "List of read replicas to create"
+  description = "List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption_key_name = null"
   type = list(object({
     name            = string
     tier            = string
@@ -184,6 +184,7 @@ variable "read_replicas" {
       private_network     = string
       require_ssl         = bool
     })
+    encryption_key_name = string
   }))
   default = []
 }
diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md
@@ -39,7 +39,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
 | random\_instance\_name | Sets random suffix at the end of the Cloud SQL resource name | `bool` | `false` | no |
 | read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
 | read\_replica\_name\_suffix | The optional suffix to add to the read instance name | `string` | `""` | no |
-| read\_replicas | List of read replicas to create | <pre>list(object({<br>    name            = string<br>    tier            = string<br>    zone            = string<br>    disk_type       = string<br>    disk_autoresize = bool<br>    disk_size       = string<br>    user_labels     = map(string)<br>    database_flags = list(object({<br>      name  = string<br>      value = string<br>    }))<br>    ip_configuration = object({<br>      authorized_networks = list(map(string))<br>      ipv4_enabled        = bool<br>      private_network     = string<br>      require_ssl         = bool<br>    })<br>  }))</pre> | `[]` | no |
+| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br>    name            = string<br>    tier            = string<br>    zone            = string<br>    disk_type       = string<br>    disk_autoresize = bool<br>    disk_size       = string<br>    user_labels     = map(string)<br>    database_flags = list(object({<br>      name  = string<br>      value = string<br>    }))<br>    ip_configuration = object({<br>      authorized_networks = list(map(string))<br>      ipv4_enabled        = bool<br>      private_network     = string<br>      require_ssl         = bool<br>    })<br>    encryption_key_name = string<br>  }))</pre> | `[]` | no |
 | region | The region of the Cloud SQL resources | `string` | `"us-central1"` | no |
 | tier | The tier for the master instance. | `string` | `"db-f1-micro"` | no |
 | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"15m"` | no |
diff --git a/modules/postgresql/read_replica.tf b/modules/postgresql/read_replica.tf
@@ -21,13 +21,15 @@ locals {
 }
 
 resource "google_sql_database_instance" "replicas" {
+  provider             = google-beta
   for_each             = local.replicas
   project              = var.project_id
   name                 = "${local.master_instance_name}-replica${var.read_replica_name_suffix}${each.value.name}"
   database_version     = var.database_version
   region               = join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2))
   master_instance_name = google_sql_database_instance.default.name
   deletion_protection  = var.read_replica_deletion_protection
+  encryption_key_name  = (join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2))) == var.region ? null : each.value.encryption_key_name
 
   replica_configuration {
     failover_target = false
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
@@ -172,7 +172,7 @@ variable "ip_configuration" {
 
 // Read Replicas
 variable "read_replicas" {
-  description = "List of read replicas to create"
+  description = "List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption_key_name = null"
   type = list(object({
     name            = string
     tier            = string
@@ -191,6 +191,7 @@ variable "read_replicas" {
       private_network     = string
       require_ssl         = bool
     })
+    encryption_key_name = string
   }))
   default = []
 }
diff --git a/modules/safer_mysql/README.md b/modules/safer_mysql/README.md
@@ -192,7 +192,7 @@ mysql -S $HOME/mysql_sockets/myproject:region:instance -u user -p
 | random\_instance\_name | Sets random suffix at the end of the Cloud SQL resource name | `bool` | `false` | no |
 | read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
 | read\_replica\_name\_suffix | The optional suffix to add to the read instance name | `string` | `""` | no |
-| read\_replicas | List of read replicas to create | <pre>list(object({<br>    name            = string<br>    tier            = string<br>    zone            = string<br>    disk_type       = string<br>    disk_autoresize = bool<br>    disk_size       = string<br>    user_labels     = map(string)<br>    database_flags = list(object({<br>      name  = string<br>      value = string<br>    }))<br>    ip_configuration = object({<br>      authorized_networks = list(map(string))<br>      ipv4_enabled        = bool<br>      private_network     = string<br>      require_ssl         = bool<br>    })<br>  }))</pre> | `[]` | no |
+| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br>    name            = string<br>    tier            = string<br>    zone            = string<br>    disk_type       = string<br>    disk_autoresize = bool<br>    disk_size       = string<br>    user_labels     = map(string)<br>    database_flags = list(object({<br>      name  = string<br>      value = string<br>    }))<br>    ip_configuration = object({<br>      authorized_networks = list(map(string))<br>      ipv4_enabled        = bool<br>      private_network     = string<br>      require_ssl         = bool<br>    })<br>    encryption_key_name = string<br>  }))</pre> | `[]` | no |
 | region | The region of the Cloud SQL resources | `string` | n/a | yes |
 | tier | The tier for the master instance. | `string` | `"db-n1-standard-1"` | no |
 | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"15m"` | no |
diff --git a/modules/safer_mysql/variables.tf b/modules/safer_mysql/variables.tf
@@ -165,7 +165,7 @@ variable "read_replica_name_suffix" {
 }
 
 variable "read_replicas" {
-  description = "List of read replicas to create"
+  description = "List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption_key_name = null"
   type = list(object({
     name            = string
     tier            = string
@@ -184,6 +184,7 @@ variable "read_replicas" {
       private_network     = string
       require_ssl         = bool
     })
+    encryption_key_name = string
   }))
   default = []
 }
