Add additional encryption options #27

ilakhtenkov · 2023-01-02T23:07:53Z

Merge after Option to use external Dataflow Service Account #26

Added options to set up kms keys for Pub/Sub and GCS

rarsan

Thanks for adding this. Let's pls rebase. A couple of comments below.

rarsan · 2023-02-07T18:16:18Z

main.tf

@@ -74,7 +76,8 @@ locals {
 }

 resource "google_pubsub_topic" "dataflow_input_pubsub_topic" {
-  name = local.dataflow_input_topic_name
+  name         = local.dataflow_input_topic_name
+  kms_key_name = var.pubsub_kms_key_name


Will kms_key_name be ignored if user doesn't provide this input?

rarsan · 2023-02-07T18:19:05Z

pipeline.tf

@@ -34,6 +35,12 @@ resource "google_storage_bucket" "dataflow_job_temp_bucket" {
  name          = local.dataflow_temporary_gcs_bucket_name
  location      = var.region
  storage_class = "REGIONAL"
+  dynamic "encryption" {


I can see the intent behind this dynamic block. However it's not easy to read at all. Is there another better way to apply a conditional here? Maybe two bucket resources with conditional/count, one encrypted, the other is not enccypted.

Also, what is driving this requirement given this is a temporary bucket?

There could be organization policy applied that you are not able to create any buckets despite of their content without CMEK for example.

Thx for clarifying what's driving this PR. Org policies requiring use of CMEK for other services (GCS, PubSub or Dataflow) makes sense.

rarsan · 2023-02-07T18:19:50Z

variables.tf

+
+variable "gcs_kms_key_name" {
+  type        = string
+  description = "(Optional) The `id` of a Cloud KMS key that will be used to encrypt objects inserted into temporary bucket. User is responsible for permissions to this key for Cloud Storage Service Account."


Would be helpful to document the permissions required in the README, even if they are not managed by the module. Same for KMS key for PubSub topic.

ilakhtenkov · 2023-02-15T10:07:18Z

I will move it to draft as need to fix some points.
Also cmek is missing for dataflow service - improvements required.
I've opened issue for hardening discussions #35

rarsan suggested changes Feb 7, 2023

View reviewed changes

Added Pub/Sub kms key variable

9cec5cd

ilakhtenkov force-pushed the feature/add-additional-encryption-options branch from 553f9ed to 688e5de Compare February 7, 2023 23:04

Added GCS kms key variable.

4916f78

ilakhtenkov force-pushed the feature/add-additional-encryption-options branch from 688e5de to 4916f78 Compare February 7, 2023 23:06

rarsan assigned ilakhtenkov Feb 14, 2023

ilakhtenkov marked this pull request as draft February 15, 2023 10:09

ilakhtenkov mentioned this pull request Mar 6, 2023

Added CMEK for GCS service. Minor documentation changes. #39

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add additional encryption options #27

Add additional encryption options #27

ilakhtenkov commented Jan 2, 2023 •

edited by rarsan

Loading

rarsan left a comment

rarsan Feb 7, 2023

rarsan Feb 7, 2023

ilakhtenkov Feb 15, 2023

rarsan Feb 26, 2023

rarsan Feb 7, 2023

ilakhtenkov commented Feb 15, 2023

Add additional encryption options #27

Are you sure you want to change the base?

Add additional encryption options #27

Conversation

ilakhtenkov commented Jan 2, 2023 • edited by rarsan Loading

rarsan left a comment

Choose a reason for hiding this comment

rarsan Feb 7, 2023

Choose a reason for hiding this comment

rarsan Feb 7, 2023

Choose a reason for hiding this comment

ilakhtenkov Feb 15, 2023

Choose a reason for hiding this comment

rarsan Feb 26, 2023

Choose a reason for hiding this comment

rarsan Feb 7, 2023

Choose a reason for hiding this comment

ilakhtenkov commented Feb 15, 2023

ilakhtenkov commented Jan 2, 2023 •

edited by rarsan

Loading