feat: configurable keyrings creation in Apigee X core module

apigee · Jun 14, 2023 · 2a295f2 · 2a295f2
1 parent 1bc22cd
commit 2a295f2
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 19 deletions.
diff --git a/modules/apigee-x-core/README.md b/modules/apigee-x-core/README.md
@@ -27,15 +27,16 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_apigee_envgroups"></a> [apigee\_envgroups](#input\_apigee\_envgroups) | Apigee Environment Groups. | <pre>map(object({<br>    hostnames = list(string)<br>  }))</pre> | `{}` | no |
 | <a name="input_apigee_environments"></a> [apigee\_environments](#input\_apigee\_environments) | Apigee Environments. | <pre>map(object({<br>    display_name = optional(string)<br>    description  = optional(string, "Terraform-managed")<br>    node_config = optional(object({<br>      min_node_count = optional(number)<br>      max_node_count = optional(number)<br>    }))<br>    iam       = optional(map(list(string)))<br>    envgroups = list(string)<br>  }))</pre> | `null` | no |
-| <a name="input_apigee_instances"></a> [apigee\_instances](#input\_apigee\_instances) | Apigee Instances (only one instance for EVAL). | <pre>map(object({<br>    region       = string<br>    ip_range     = string<br>    environments = list(string)<br>  }))</pre> | `{}` | no |
-| <a name="input_apigee_org_kms_keyring_name"></a> [apigee\_org\_kms\_keyring\_name](#input\_apigee\_org\_kms\_keyring\_name) | Name of the KMS Key Ring for Apigee Organization DB. | `string` | `"apigee-x-org"` | no |
+| <a name="input_apigee_instances"></a> [apigee\_instances](#input\_apigee\_instances) | Apigee Instances (only one instance for EVAL). | <pre>map(object({<br>    region              = string<br>    ip_range            = string<br>    environments        = list(string)<br>    keyring_create      = optional(bool, true)<br>    keyring_name        = optional(string, null)<br>    keyring_location    = optional(string, null)<br>    key_name            = optional(string, "inst-disk")<br>    key_rotation_period = optional(string, "2592000s")<br>    key_labels          = optional(map(string), null)<br>  }))</pre> | `{}` | no |
 | <a name="input_ax_region"></a> [ax\_region](#input\_ax\_region) | GCP region for storing Apigee analytics data (see https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli). | `string` | n/a | yes |
 | <a name="input_billing_type"></a> [billing\_type](#input\_billing\_type) | Billing type of the Apigee organization. | `string` | `null` | no |
-| <a name="input_instance_key_rotation_period"></a> [instance\_key\_rotation\_period](#input\_instance\_key\_rotation\_period) | Rotaton period for the instance disk encryption key | `string` | `"2592000s"` | no |
 | <a name="input_network"></a> [network](#input\_network) | Network (self-link) to peer with the Apigee tennant project. | `string` | n/a | yes |
 | <a name="input_org_description"></a> [org\_description](#input\_org\_description) | Apigee org description | `string` | `"Apigee org created in TF"` | no |
 | <a name="input_org_display_name"></a> [org\_display\_name](#input\_org\_display\_name) | Apigee org display name | `string` | `null` | no |
 | <a name="input_org_key_rotation_period"></a> [org\_key\_rotation\_period](#input\_org\_key\_rotation\_period) | Rotaton period for the organization DB encryption key | `string` | `"2592000s"` | no |
+| <a name="input_org_kms_keyring_create"></a> [org\_kms\_keyring\_create](#input\_org\_kms\_keyring\_create) | Set to false to manage the keyring for the Apigee Organization DB and IAM bindings in an existing keyring. | `bool` | `true` | no |
+| <a name="input_org_kms_keyring_location"></a> [org\_kms\_keyring\_location](#input\_org\_kms\_keyring\_location) | Location of the KMS Key Ring for Apigee Organization DB. Matches AX region if not provided. | `string` | `null` | no |
+| <a name="input_org_kms_keyring_name"></a> [org\_kms\_keyring\_name](#input\_org\_kms\_keyring\_name) | Name of the KMS Key Ring for Apigee Organization DB. | `string` | `"apigee-x-org"` | no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project id (also used for the Apigee Organization). | `string` | n/a | yes |
 
 ## Outputs

diff --git a/modules/apigee-x-core/main.tf b/modules/apigee-x-core/main.tf
@@ -20,7 +20,7 @@ locals {
     region              = value.region
     environments        = value.environments
     psa_ip_cidr_range   = value.ip_range
-    disk_encryption_key = module.kms-inst-disk[key].key_ids["inst-disk"]
+    disk_encryption_key = module.kms-inst-disk[key].key_ids[value.key_name]
   } }
 }
 
@@ -39,9 +39,10 @@ module "kms-org-db" {
     }
   }
   keyring = {
-    location = var.ax_region
-    name     = var.apigee_org_kms_keyring_name
+    location = coalesce(var.org_kms_keyring_location, var.ax_region)
+    name     = var.org_kms_keyring_name
   }
+  keyring_create = var.org_kms_keyring_create
   keys = {
     org-db = { rotation_period = var.org_key_rotation_period, labels = null }
   }
@@ -52,16 +53,20 @@ module "kms-inst-disk" {
   source     = "github.com/terraform-google-modules/cloud-foundation-fabric//modules/kms?ref=v19.0.0"
   project_id = var.project_id
   key_iam = {
-    inst-disk = {
+    "${each.value.key_name}" = {
       "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${google_project_service_identity.apigee_sa.email}"]
     }
   }
   keyring = {
-    location = each.value.region
-    name     = "apigee-${each.key}"
+    location = coalesce(each.value.keyring_location, each.value.region)
+    name     = coalesce(each.value.keyring_name, "apigee-${each.key}")
   }
+  keyring_create = each.value.keyring_create
   keys = {
-    inst-disk = { rotation_period = var.instance_key_rotation_period, labels = null }
+    "${each.value.key_name}" = {
+      rotation_period = each.value.key_rotation_period
+      labels          = each.value.key_labels
+    }
   }
 }
 

diff --git a/modules/apigee-x-core/variables.tf b/modules/apigee-x-core/variables.tf
@@ -73,9 +73,15 @@ variable "apigee_environments" {
 variable "apigee_instances" {
   description = "Apigee Instances (only one instance for EVAL)."
   type = map(object({
-    region       = string
-    ip_range     = string
-    environments = list(string)
+    region              = string
+    ip_range            = string
+    environments        = list(string)
+    keyring_create      = optional(bool, true)
+    keyring_name        = optional(string, null)
+    keyring_location    = optional(string, null)
+    key_name            = optional(string, "inst-disk")
+    key_rotation_period = optional(string, "2592000s")
+    key_labels          = optional(map(string), null)
   }))
   default = {}
 }
@@ -86,14 +92,20 @@ variable "org_key_rotation_period" {
   default     = "2592000s"
 }
 
-variable "instance_key_rotation_period" {
-  description = "Rotaton period for the instance disk encryption key"
+variable "org_kms_keyring_name" {
+  description = "Name of the KMS Key Ring for Apigee Organization DB."
   type        = string
-  default     = "2592000s"
+  default     = "apigee-x-org"
 }
 
-variable "apigee_org_kms_keyring_name" {
-  description = "Name of the KMS Key Ring for Apigee Organization DB."
+variable "org_kms_keyring_location" {
+  description = "Location of the KMS Key Ring for Apigee Organization DB. Matches AX region if not provided."
   type        = string
-  default     = "apigee-x-org"
+  default     = null
 }
+
+variable "org_kms_keyring_create" {
+  description = "Set to false to manage the keyring for the Apigee Organization DB and IAM bindings in an existing keyring."
+  type        = bool
+  default     = true
+}