feat: adding cmek settings in log bucket (#191)

Author: Saloni-Patidar

examples/logbucket/project/main.tf

@@ -57,7 +57,7 @@ module "log_export_same_proj" {
 module "dest_same_proj" {
   source                        = "../../..//modules/logbucket"
   project_id                    = var.project_destination_logbkt_id
-  name                          = "logbucket_from_same_project_${random_string.suffix.result}"
+  name                          = "logbucket_from_same_projct_${random_string.suffix.result}"
   location                      = "global"
   enable_analytics              = true
   linked_dataset_id             = "log_analytics_dataset_same"

modules/logbucket/README.md

@@ -39,6 +39,7 @@ module "destination" {
 |------|-------------|------|---------|:--------:|
 | enable\_analytics | (Optional) Whether or not Log Analytics is enabled. A Log bucket with Log Analytics enabled can be queried in the Log Analytics page using SQL queries. Cannot be disabled once enabled. | `bool` | `false` | no |
 | grant\_write\_permission\_on\_bkt | (Optional) Indicates whether the module is responsible for granting write permission on the logbucket. This permission will be given by default, but if the user wants, this module can skip this step. This is the case when the sink route logs to a log bucket in the same Cloud project, no new service account will be created and this module will need to bypass granting permissions. | `bool` | `true` | no |
+| kms\_key\_name | To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.The kms\_key\_name should be of the format projects/{project ID}/locations/{region}/keyRings/{keyring name}/cryptoKeys/{key name} | `string` | `null` | no |
 | linked\_dataset\_description | A use-friendly description of the linked BigQuery dataset. The maximum length of the description is 8000 characters. | `string` | `null` | no |
 | linked\_dataset\_id | The ID of the linked BigQuery dataset. A valid link dataset ID must only have alphanumeric characters and underscores within it and have up to 100 characters. | `string` | `null` | no |
 | location | The location of the log bucket. | `string` | `"global"` | no |

modules/logbucket/main.tf

@@ -40,6 +40,12 @@ resource "google_logging_project_bucket_config" "bucket" {
   enable_analytics = var.enable_analytics
   bucket_id        = var.name
   locked           = var.locked
+  dynamic "cmek_settings" {
+    for_each = var.kms_key_name == null ? [] : [var.kms_key_name]
+    content {
+      kms_key_name = var.kms_key_name
+    }
+  }
 }
 
 #-------------------------#

modules/logbucket/metadata.yaml

@@ -107,6 +107,10 @@ spec:
     type: number
     default: 30
     required: false
+  - name: kms_key_name
+    description: To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+    type: string
+    required: false
   outputs:
   - name: console_link
     description: The console link to the destination log buckets

modules/logbucket/variables.tf

@@ -70,3 +70,11 @@ variable "locked" {
   default     = null
   type        = bool
 }
+
+variable "kms_key_name" {
+  description = "To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.The kms_key_name should be of the format projects/{project ID}/locations/{region}/keyRings/{keyring name}/cryptoKeys/{key name} "
+  type        = string
+  default     = null
+}
+
+