feat: add CMEK support in persistent disks attached to the instances (#…

…12) * Updating Google Cloud provider version. We are going to need some recent features (like encryption keys in persistent disks). * Revert "Updating Google Cloud provider version. We are going to need some recent features (like encryption keys in persistent disks)." This reverts commit 44ad372. * Increase Google Cloud provider version to the latest stable one. We will be needing some recent features (CMEK in persistent disks) * Added support for Customer Managed Encryption Keys in persistent disks attached to the instances. * Fixing project factory module version * Fix lint problems * Fix output name * Fixing the fix * Increase network module version number to avoid errors with deprecated params * We actually do not need to create the KMS key here, since it is already being created in the examples. * Adding Cloud KMS API to the unit test project * Removed unused variable declaration * Update modules/netweaver/variables.tf Co-Authored-By: Morgante Pell <[email protected]> * Replace IAM binding resources with member resurces * Remove CMEK from the simple example * Omit disk_encryption_key blocks entirely if no CMEK key was provided Co-authored-by: Morgante Pell <[email protected]>
terraform-google-modules · May 4, 2020 · 90d2cc6 · 90d2cc6
1 parent 0d916e9
commit 90d2cc6
Show file tree

Hide file tree

Showing 15 changed files with 184 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,19 @@ and this project adheres to
 
 ## [Unreleased]
 
+### Added
+
+- Added support for [Customer Managed Encryption Keys](https://cloud.google.com/compute/docs/disks/customer-managed-encryption) in persistent disks attached to the instances.
+
+### Changed
+
+- Updated for Terraform 0.12. [#11]
+- Updated tests and examples to Google provider 3.13.
+
+### Fixed
+
+- Avoid metadata conflicts after SAP startup script completes. [#11]
+
 ## [0.2.0] - 2019-09-10
 
 ### Added
@@ -30,3 +43,4 @@ and this project adheres to
 [0.1.0]: https://github.com/terraform-google-modules/terraform-google-sap/releases/tag/v0.1.0
 [#2]: https://github.com/terraform-google-modules/terraform-google-sap/pull/2
 [#4]: https://github.com/terraform-google-modules/terraform-google-sap/issues/4
+[#11]: https://github.com/terraform-google-modules/terraform-google-sap/pull/11
diff --git a/examples/netweaver_simple_example/main.tf b/examples/netweaver_simple_example/main.tf
@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 2.6.0"
+  version = "~> 3.13.0"
 }
 
 module "gcp_netweaver" {
@@ -41,4 +41,34 @@ module "gcp_netweaver" {
   boot_disk_type         = var.boot_disk_type
   disk_type              = var.disk_type
   startup_script         = var.startup_script
+  pd_kms_key             = google_kms_crypto_key.netweaver_simple.self_link
+}
+
+# Create a KMS key to use as customer managed encryption key for the instance
+# persistent disk. This is completely optional. If you do not need to manage
+# your own keys, just remove this section and remove also the pd_kms_key
+# parameter in the module declaration above.
+resource "google_kms_key_ring" "netweaver_simple" {
+  project  = var.project_id
+  name     = "netweaver-simple-${random_id.this.hex}"
+  location = var.region
+}
+
+resource "google_kms_crypto_key" "netweaver_simple" {
+  name     = "netweaver-simple-${random_id.this.hex}"
+  key_ring = google_kms_key_ring.netweaver_simple.self_link
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_kms_crypto_key_iam_member" "netweaver_simple" {
+  crypto_key_id = google_kms_crypto_key.netweaver_simple.self_link
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
+}
+
+resource "random_id" "this" {
+  byte_length = 2
 }
diff --git a/examples/sap_hana_ha_simple_example/main.tf b/examples/sap_hana_ha_simple_example/main.tf
@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 2.6.0"
+  version = "~> 3.13.0"
   region  = var.region
 }
 
@@ -54,4 +54,34 @@ module "gcp_sap_hana_ha" {
   sap_vip_internal_address   = var.sap_vip_internal_address
   startup_script_1           = file(var.startup_script_1)
   startup_script_2           = file(var.startup_script_2)
+  pd_kms_key                 = google_kms_crypto_key.sap_hana_ha_simple.self_link
+}
+
+# Create a KMS key to use as customer managed encryption key for the instance
+# persistent disk. This is completely optional. If you do not need to manage
+# your own keys, just remove this section and remove also the pd_kms_key
+# parameter in the module declaration above.
+resource "google_kms_key_ring" "sap_hana_ha_simple" {
+  project  = var.project_id
+  name     = "sap-hana-ha-simple-${random_id.this.hex}"
+  location = var.region
+}
+
+resource "google_kms_crypto_key" "sap_hana_ha_simple" {
+  name     = "sap-hana-ha-simple-${random_id.this.hex}"
+  key_ring = google_kms_key_ring.sap_hana_ha_simple.self_link
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+resource "google_kms_crypto_key_iam_member" "sap_hana_ha_simple" {
+  crypto_key_id = google_kms_crypto_key.sap_hana_ha_simple.self_link
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
+}
+
+resource "random_id" "this" {
+  byte_length = 2
 }
diff --git a/examples/sap_hana_simple_example/main.tf b/examples/sap_hana_simple_example/main.tf
@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 2.6.0"
+  version = "~> 3.13.0"
   region  = var.region
 }
 

diff --git a/modules/netweaver/README.md b/modules/netweaver/README.md
@@ -15,7 +15,7 @@ You can go in the [examples](../../examples) folder complete working example. Ho
 
 ```hcl
 provider "google" {
-  version = "~> 2.6.0"
+  version = "~> 3.13.0"
 }
 
 module "gcp_netweaver" {
@@ -111,6 +111,7 @@ The recommended way is to use a GCS Bucket in the following way.:
 | device\_2 | Device name | string | `"sapmnt"` | no |
 | device\_3 | Device name | string | `"swap"` | no |
 | disk\_type | The GCE data disk type. May be set to pd-standard (for PD HDD) or pd-ssd. | string | n/a | yes |
+| pd\_kms\_key | Customer managed encryption key to use in persistent disks. If none provided, a Google managed key will be used. | string | `null` | no |
 | instance\_name | A unique name for the resource, required by GCE. Changing this forces a new resource to be created. | string | n/a | yes |
 | instance\_type | The GCE instance/machine type. | string | n/a | yes |
 | linux\_image\_family | GCE image family. | string | n/a | yes |

diff --git a/modules/netweaver/main.tf b/modules/netweaver/main.tf
@@ -31,6 +31,14 @@ resource "google_compute_disk" "gcp_nw_pd_0" {
   zone    = var.zone
   count   = var.usr_sap_size > 0 ? 1 : 0
   size    = var.usr_sap_size
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_disk" "gcp_nw_pd_1" {
@@ -40,6 +48,14 @@ resource "google_compute_disk" "gcp_nw_pd_1" {
   zone    = var.zone
   count   = var.sap_mnt_size > 0 ? 1 : 0
   size    = var.sap_mnt_size
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_disk" "gcp_nw_pd_2" {
@@ -49,6 +65,14 @@ resource "google_compute_disk" "gcp_nw_pd_2" {
   zone    = var.zone
   count   = var.swap_size > 0 ? 1 : 0
   size    = var.swap_size
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_attached_disk" "gcp_nw_attached_pd_0" {
@@ -90,7 +114,8 @@ resource "google_compute_instance" "gcp_nw" {
   }
 
   boot_disk {
-    auto_delete = var.autodelete_disk
+    auto_delete       = var.autodelete_disk
+    kms_key_self_link = var.pd_kms_key
 
     device_name = "${var.instance_name}-${var.device_0}"
 

diff --git a/modules/netweaver/variables.tf b/modules/netweaver/variables.tf
@@ -71,6 +71,11 @@ variable "boot_disk_type" {
   description = "The GCE boot disk type. May be set to pd-standard (for PD HDD) or pd-ssd."
 }
 
+variable "pd_kms_key" {
+  description = "Customer managed encryption key to use in persistent disks. If none provided, a Google managed key will be used."
+  default     = null
+}
+
 variable "service_account_email" {
   description = "Email of service account to attach to the instance."
 }

diff --git a/modules/sap_hana/README.md b/modules/sap_hana/README.md
@@ -15,7 +15,7 @@ You can go in the [examples](../../examples) folder complete working example. Ho
 
 ```hcl
 provider "google" {
-  version = "~> 2.6.0"
+  version = "~> 3.13.0"
 }
 
 module "gcp_sap_hana" {
@@ -105,6 +105,7 @@ The recommended way is to use a GCS Bucket in the following way.:
 | disk\_name\_1 | Name of second disk. | string | `"sap-hana-pd-sd-1"` | no |
 | disk\_type\_0 | The GCE data disk type. May be set to pd-ssd. | string | `"pd-ssd"` | no |
 | disk\_type\_1 | The GCE data disk type. May be set to pd-standard (for PD HDD). | string | `"pd-standard"` | no |
+| pd\_kms\_key | Customer managed encryption key to use in persistent disks. If none provided, a Google managed key will be used. | string | `null` | no |
 | instance\_name | A unique name for the resource, required by GCE. Changing this forces a new resource to be created. | string | n/a | yes |
 | instance\_type | The GCE instance/machine type. | string | n/a | yes |
 | linux\_image\_family | GCE image family. | string | n/a | yes |

diff --git a/modules/sap_hana/main.tf b/modules/sap_hana/main.tf
@@ -29,6 +29,14 @@ resource "google_compute_disk" "gcp_sap_hana_sd_0" {
   type    = var.disk_type_0
   zone    = var.zone
   size    = var.pd_ssd_size != "" ? var.pd_ssd_size : module.sap_hana.diskSize
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_disk" "gcp_sap_hana_sd_1" {
@@ -37,6 +45,14 @@ resource "google_compute_disk" "gcp_sap_hana_sd_1" {
   type    = var.disk_type_1
   zone    = var.zone
   size    = var.pd_hdd_size != "" ? var.pd_hdd_size : module.sap_hana.diskSize
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_address" "gcp_sap_hana_ip" {
@@ -59,7 +75,8 @@ resource "google_compute_instance" "gcp_sap_hana" {
   }
 
   boot_disk {
-    auto_delete = var.autodelete_disk
+    auto_delete       = var.autodelete_disk
+    kms_key_self_link = var.pd_kms_key
 
     initialize_params {
       image = "projects/${var.linux_image_project}/global/images/family/${var.linux_image_family}"

diff --git a/modules/sap_hana/variables.tf b/modules/sap_hana/variables.tf
@@ -95,6 +95,11 @@ variable "device_name_pd_hdd" {
   default     = "backup"
 }
 
+variable "pd_kms_key" {
+  description = "Customer managed encryption key to use in persistent disks. If none provided, a Google managed key will be used.."
+  default     = null
+}
+
 variable "service_account_email" {
   description = "Email of service account to attach to the instance."
 }

diff --git a/modules/sap_hana_ha/README.md b/modules/sap_hana_ha/README.md
@@ -15,7 +15,7 @@ You can go in the [examples](../../examples) folder complete working example. Ho
 
 ```hcl
 provider "google" {
-  version = "~> 2.6.0"
+  version = "~> 3.13.0"
   region  = var.region
 }
 
@@ -114,6 +114,7 @@ It is the recommended way is to use a GCS Bucket in the following way.:
 | disk\_name\_3 | Name of fourth disk. | string | `"sap-hana-pd-sd-3"` | no |
 | disk\_type\_0 | The GCE data disk type. May be set to pd-ssd. | string | `"pd-ssd"` | no |
 | disk\_type\_1 | The GCE data disk type. May be set to pd-standard (for PD HDD). | string | `"pd-standard"` | no |
+| pd\_kms\_key | Customer managed encryption key to use in persistent disks. If none provided, a Google managed key will be used. | string | `null` | no |
 | instance\_type | The GCE instance/machine type. | string | n/a | yes |
 | linux\_image\_family | GCE image family. | string | n/a | yes |
 | linux\_image\_project | Project name containing the linux image. | string | n/a | yes |

diff --git a/modules/sap_hana_ha/main.tf b/modules/sap_hana_ha/main.tf
@@ -50,6 +50,14 @@ resource "google_compute_disk" "gcp_sap_hana_sd_0" {
   type    = var.disk_type_0
   zone    = var.primary_zone
   size    = var.pd_ssd_size != "" ? var.pd_ssd_size : module.sap_hana.diskSize
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_disk" "gcp_sap_hana_sd_1" {
@@ -58,6 +66,14 @@ resource "google_compute_disk" "gcp_sap_hana_sd_1" {
   type    = var.disk_type_1
   zone    = var.primary_zone
   size    = var.pd_hdd_size != "" ? var.pd_hdd_size : module.sap_hana.diskSize
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_disk" "gcp_sap_hana_sd_2" {
@@ -66,6 +82,14 @@ resource "google_compute_disk" "gcp_sap_hana_sd_2" {
   type    = var.disk_type_0
   zone    = var.secondary_zone
   size    = var.pd_ssd_size != "" ? var.pd_ssd_size : module.sap_hana.diskSize
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_disk" "gcp_sap_hana_sd_3" {
@@ -74,6 +98,14 @@ resource "google_compute_disk" "gcp_sap_hana_sd_3" {
   type    = var.disk_type_1
   zone    = var.secondary_zone
   size    = var.pd_hdd_size != "" ? var.pd_hdd_size : module.sap_hana.diskSize
+
+  # Add the disk_encryption_key block only if a pd_kms_key was provided
+  dynamic "disk_encryption_key" {
+    for_each = var.pd_kms_key != null ? [""] : []
+    content {
+      kms_key_self_link = var.pd_kms_key
+    }
+  }
 }
 
 resource "google_compute_instance" "primary" {
@@ -90,7 +122,8 @@ resource "google_compute_instance" "primary" {
   }
 
   boot_disk {
-    auto_delete = var.autodelete_disk
+    auto_delete       = var.autodelete_disk
+    kms_key_self_link = var.pd_kms_key
 
     initialize_params {
       image = "projects/${var.linux_image_project}/global/images/family/${var.linux_image_family}"
@@ -161,7 +194,8 @@ resource "google_compute_instance" "secondary" {
   }
 
   boot_disk {
-    auto_delete = var.autodelete_disk
+    auto_delete       = var.autodelete_disk
+    kms_key_self_link = var.pd_kms_key
 
     initialize_params {
       image = "projects/${var.linux_image_project}/global/images/family/${var.linux_image_family}"

diff --git a/modules/sap_hana_ha/variables.tf b/modules/sap_hana_ha/variables.tf
@@ -152,6 +152,11 @@ variable "disk_name_3" {
   default     = "sap-hana-pd-sd-3"
 }
 
+variable "pd_kms_key" {
+  description = "Customer managed encryption key to use in persistent disks. If none provided, a Google managed key will be used.."
+  default     = null
+}
+
 variable "service_account_email" {
   description = "Email of service account to attach to the instance."
 }