From ddc3a22c14e904b771016f4f623f94e92a773db5 Mon Sep 17 00:00:00 2001
From: Cameron Moberg
Date: Mon, 11 Apr 2022 15:32:40 -0700
Subject: [PATCH] Add support for Dataproc Metastore CMEK config (#5881)
---
 mmv1/products/metastore/api.yaml | 15 ++++++
 mmv1/products/metastore/terraform.yaml | 18 +++++++
 ...proc_metastore_service_cmek_example.tf.erb | 27 ++++++++++
 ...ataproc_metastore_service_cmek_test.tf.erb | 49 +++++++++++++++++++
 4 files changed, 109 insertions(+)
 create mode 100644 mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_example.tf.erb
 create mode 100644 mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_test.tf.erb
diff --git a/mmv1/products/metastore/api.yaml b/mmv1/products/metastore/api.yaml
index a860ffb1d3dc..bd947da0a784 100644
--- a/mmv1/products/metastore/api.yaml
+++ b/mmv1/products/metastore/api.yaml
@@ -144,6 +144,21 @@ objects:
 - :FRIDAY
 - :SATURDAY
 - :SUNDAY
+ - !ruby/object:Api::Type::NestedObject
+ name: 'encryptionConfig'
+ min_version: beta
+ description: |
+ Information used to configure the Dataproc Metastore service to encrypt
+ customer data at rest.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'kmsKey'
+ min_version: beta
+ description: |
+ The fully qualified customer provided Cloud KMS key name to use for customer data encryption.
+ Use the following format: `projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)`
+ required: true
+ input: true
 - !ruby/object:Api::Type::NestedObject
 name: 'hiveMetastoreConfig'
 description: |
diff --git a/mmv1/products/metastore/terraform.yaml b/mmv1/products/metastore/terraform.yaml
index 29ebc9a699ed..2819d7a6b4e8 100644
--- a/mmv1/products/metastore/terraform.yaml
+++ b/mmv1/products/metastore/terraform.yaml
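Review bot: The new `kmsKey` description gives the key-name format but says nothing about access to the key, while the sibling test template dataproc_metastore_service_cmek_test.tf.erb grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key to `service-<project number>@gcp-sa-metastore.iam.gserviceaccount.com` and orders the service after that grant, which suggests creation fails without it. A sentence in the description, such as `The Dataproc Metastore service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on this key before the service is created.`, would carry that prerequisite into the generated docs; the docs-only example dataproc_metastore_service_cmek_example.tf.erb (marked `skip_test: true`) omits the binding and is affected by the same gap. Since `input: true` makes the key immutable after creation, stating that the key cannot be changed later would also help readers planning key rotation. The enclosing service object and its `properties` list start outside the hunk.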
@@ -23,6 +23,24 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 primary_resource_id: "default"
 vars:
 metastore_service_name: "metastore-srv"
+ - !ruby/object:Provider::Terraform::Examples
+ name: "dataproc_metastore_service_cmek_test"
+ min_version: beta
+ skip_docs: true
+ primary_resource_id: "default"
+ vars:
+ metastore_service_name: "example-service"
+ key_name: "example-key"
+ keyring_name: "example-keyring"
+ - !ruby/object:Provider::Terraform::Examples
+ name: "dataproc_metastore_service_cmek_example"
+ min_version: beta
+ skip_test: true
+ primary_resource_id: "default"
+ vars:
+ metastore_service_name: "example-service"
+ key_name: "example-key"
+ keyring_name: "example-keyring"
 properties:
 network: !ruby/object:Overrides::Terraform::PropertyOverride
 default_from_api: true
diff --git a/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_example.tf.erb b/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_example.tf.erb
new file mode 100644
index 000000000000..6adc9b4039f7
--- /dev/null
+++ b/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_example.tf.erb
@@ -0,0 +1,27 @@
+resource "google_dataproc_metastore_service" "<%= ctx[:primary_resource_id] %>" {
+ provider = google-beta
+ service_id = "<%= ctx[:vars]['metastore_service_name'] %>"
+ location = "us-central1"
+
+ encryption_config {
+ kms_key = google_kms_crypto_key.crypto_key.id
+ }
+
+ hive_metastore_config {
+ version = "3.1.2"
+ }
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['key_name'] %>"
+ key_ring = google_kms_key_ring.key_ring.id
+
+ purpose = "ENCRYPT_DECRYPT"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['keyring_name'] %>"
+ location = "us-central1"
+}
diff --git a/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_test.tf.erb b/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_test.tf.erb
new file mode 100644
index 000000000000..cccf0a9bfdee
--- /dev/null
+++ b/mmv1/templates/terraform/examples/dataproc_metastore_service_cmek_test.tf.erb
@@ -0,0 +1,49 @@
+data "google_project" "project" {
+ provider = google-beta
+}
+
+data "google_storage_project_service_account" "gcs_account" {
+ provider = google-beta
+}
+
+
+resource "google_dataproc_metastore_service" "<%= ctx[:primary_resource_id] %>" {
+ provider = google-beta
+ service_id = "<%= ctx[:vars]['metastore_service_name'] %>"
+ location = "us-central1"
+
+ encryption_config {
+ kms_key = google_kms_crypto_key.crypto_key.id
+ }
+
+ hive_metastore_config {
+ version = "3.1.2"
+ }
+
+ depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding]
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['key_name'] %>"
+ key_ring = google_kms_key_ring.key_ring.id
+
+ purpose = "ENCRYPT_DECRYPT"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+ provider = google-beta
+ name = "<%= ctx[:vars]['keyring_name'] %>"
+ location = "us-central1"
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto_key_binding" {
+ provider = google-beta
+ crypto_key_id = google_kms_crypto_key.crypto_key.id
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+ members = [
+ "serviceAccount:service-${data.google_project.project.number}@gcp-sa-metastore.iam.gserviceaccount.com",
+ "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
+ ]
+}
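Review bot: `google_kms_crypto_key_iam_binding` is authoritative for `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key, so any principal not listed in `members` loses the role; that is harmless for a key created in the same template, but this is the pattern other CMEK tests will copy, and one `google_kms_crypto_key_iam_member` per principal avoids clobbering existing grants. The Cloud Storage service account (`data.google_storage_project_service_account.gcs_account`) is granted the role alongside the Metastore service agent with no explanation in the file; a comment above `members`, such as `# Metastore service agent encrypts service data; the GCS service account is required because <reason - confirm>`, would keep a later cleanup from dropping it. If the Metastore service agent has not yet been provisioned in a fresh test project the binding may fail because the principal does not exist; declaring it with a `google_project_service_identity` resource (google-beta) would make that dependency explicit, though whether this API pre-creates its agent should be confirmed.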