Merge branch 'mark5cinco-gke-cluster-encrpytion'

pst · pst · commit f02567bafd5d · 2022-03-01T17:58:48.000+01:00
diff --git a/google/_modules/gke/cluster.tf b/google/_modules/gke/cluster.tf
@@ -25,6 +25,14 @@ resource "google_container_cluster" "current" {
     }
   }
 
+  dynamic "database_encryption" {
+    for_each = var.cluster_database_encryption_key_name != null ? toset([1]) : toset([])
+    content {
+      state = "ENCRYPTED"
+      key_name = var.cluster_database_encryption_key_name
+    }
+  }
+
   #
   #
   # Addon config
diff --git a/google/_modules/gke/variables.tf b/google/_modules/gke/variables.tf
@@ -173,3 +173,8 @@ variable "enable_tpu" {
   description = "Whether to enable GKE cloud TPU support."
   type        = bool
 }
+
+variable "cluster_database_encryption_key_name" {
+  type        = string
+  description = "Cloud KMS key name for enabling cluster database encryption."
+}
diff --git a/google/cluster/configuration.tf b/google/cluster/configuration.tf
@@ -60,6 +60,8 @@ locals {
   cluster_ipv4_cidr_block = lookup(local.cfg, "cluster_ipv4_cidr_block", null)
   services_ipv4_cidr_block = lookup(local.cfg, "services_ipv4_cidr_block", null)
 
+  cluster_database_encryption_key_name = lookup(local.cfg, "cluster_database_encryption_key_name", false)
+
   # by default include cloud_nat when private nodes are enabled
   enable_cloud_nat                       = lookup(local.cfg, "enable_cloud_nat", local.enable_private_nodes)
   cloud_nat_endpoint_independent_mapping = lookup(local.cfg, "cloud_nat_enable_endpoint_independent_mapping", null)
diff --git a/google/cluster/main.tf b/google/cluster/main.tf
@@ -63,6 +63,8 @@ module "cluster" {
   disable_workload_identity     = local.disable_workload_identity
   node_workload_metadata_config = local.node_workload_metadata_config
 
+  cluster_database_encryption_key_name = local.cluster_database_encryption_key_name
+
   enable_intranode_visibility = local.enable_intranode_visibility
   enable_tpu                  = local.enable_tpu
 }

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,14 @@ resource "google_container_cluster" "current" {`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
	`28`	`+ dynamic "database_encryption" {`
	`29`	`+ for_each = var.cluster_database_encryption_key_name != null ? toset([1]) : toset([])`
	`30`	`+ content {`
	`31`	`+ state = "ENCRYPTED"`
	`32`	`+ key_name = var.cluster_database_encryption_key_name`
	`33`	`+ }`
	`34`	`+ }`
	`35`	`+`
`28`	`36`	`#`
`29`	`37`	`#`
`30`	`38`	`# Addon config`
Original file line number	Diff line number	Diff line change
`@@ -173,3 +173,8 @@ variable "enable_tpu" {`
`173`	`173`	`description = "Whether to enable GKE cloud TPU support."`
`174`	`174`	`type = bool`
`175`	`175`	`}`
	`176`	`+`
	`177`	`+variable "cluster_database_encryption_key_name" {`
	`178`	`+ type = string`
	`179`	`+ description = "Cloud KMS key name for enabling cluster database encryption."`
	`180`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,8 @@ module "cluster" {`
`63`	`63`	`disable_workload_identity = local.disable_workload_identity`
`64`	`64`	`node_workload_metadata_config = local.node_workload_metadata_config`
`65`	`65`
	`66`	`+ cluster_database_encryption_key_name = local.cluster_database_encryption_key_name`
	`67`	`+`
`66`	`68`	`enable_intranode_visibility = local.enable_intranode_visibility`
`67`	`69`	`enable_tpu = local.enable_tpu`
`68`	`70`	`}`