wandb / terraform-google-wandb

A Terraform module for deploying Weights & Biases on GCP.
Apache License 2.0

feat: Added support for encrypting the database and bucket with CMK #100

Closed amanpruthi closed 2 months ago

amanpruthi commented 7 months ago

…naged key

gls4 commented 7 months ago

We're running into these errors when applying terraform:

╷
│ Error: Missing resource instance key
│ 
│   on ../../modules/kms/main.tf line 50, in resource "google_kms_crypto_key_iam_member" "pubsub_service_access":
│   50:   member        = "serviceAccount:${google_project_service_identity.pubsub.email}"
│ 
│ Because google_project_service_identity.pubsub has "count" set, its attributes must be accessed on specific instances.
│ 
│ For example, to correlate with indices of a referring resource, use:
│     google_project_service_identity.pubsub[count.index]
╵
╷
│ Error: Missing resource instance key
│ 
│   on ../../modules/kms/main.tf line 50, in resource "google_kms_crypto_key_iam_member" "pubsub_service_access":
│   50:   member        = "serviceAccount:${google_project_service_identity.pubsub.email}"
│ 
│ Because google_project_service_identity.pubsub has "count" set, its attributes must be accessed on specific instances.
│ 
│ For example, to correlate with indices of a referring resource, use:
│     google_project_service_identity.pubsub[count.index]

gls4 commented 7 months ago

When applying these changes against an instance built using the main branch, I get the errors below. Once these are fixed, I can move to testing.

╷
│ Error: Duplicate local value definition
│ 
│   on ../../main.tf line 35, in locals:
│   35:   deployment_size = {
│   36:     small = {
│   37:       db            = "db-n1-highmem-2",
│   38:       node_count    = 2,
│   39:       node_instance = "n2-highmem-4"
│   40:       cache         = "Standard 6 GB"
│   41:     },
│   42:     medium = {
│   43:       db            = "db-n1-highmem-4",
│   44:       node_count    = 2,
│   45:       node_instance = "n2-highmem-4"
│   46:       cache         = "Standard 6 GB"
│   47:     },
│   48:     large = {
│   49:       db            = "db-n1-highmem-8",
│   50:       node_count    = 2,
│   51:       node_instance = "n2-highmem-8"
│   52:       cache         = "Standard 13 GB"
│   53:     },
│   54:     xlarge = {
│   55:       db            = "db-n1-highmem-16",
│   56:       node_count    = 3,
│   57:       node_instance = "n2-highmem-8"
│   58:       cache         = "Standard 13 GB"
│   59:     },
│   60:     xxlarge = {
│   61:       db            = "db-n1-highmem-32",
│   62:       node_count    = 3,
│   63:       node_instance = "n2-highmem-16"
│   64:       cache         = "Standard 26 GB"
│   65:     }
│   66:   }
│ 
│ A local value named "deployment_size" was already defined at ../../deployment-size.tf:3,3-34,4. Local value names must be unique within a module.
╵

zacharyblasczyk commented 2 months ago

Summary of Scenarios:

  1. Use Default Keys:
    • bucket_default_encryption true: kms_default_bucket is created and used.
    • sql_default_encryption true: kms_default_sql is created and used.

  2. Use Custom-Provided Keys:
    • bucket_kms_key_id provided: Used unless bucket_default_encryption is true.
    • db_kms_key_id provided: Used unless sql_default_encryption is true.

  3. No Encryption or Internal Queue:
    • use_internal_queue true: effective_crypto_key is null and kms module is not created.
    • If false and db_kms_key_id is null: Use module.kms[0].crypto_key.
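
The selection order summarised in the comment above, as an added stand-alone Terraform sketch (not the module's own code and not part of the original comment). Variable names are taken from the comment; the placeholder key strings, the locals `bucket_key`, `sql_key`, `kms_instances` and the `resolved_keys` output are hypothetical, and preferring a non-null `db_kms_key_id` over the module-created key is an assumption.

```hcl
# Added example, not the module's code. Variable names come from the comment
# above; the placeholder key strings and the local/output names are hypothetical.
variable "bucket_default_encryption" {
  type    = bool
  default = false
}
variable "sql_default_encryption" {
  type    = bool
  default = false
}
variable "bucket_kms_key_id" {
  type    = string
  default = null
}
variable "db_kms_key_id" {
  type    = string
  default = null
}
variable "use_internal_queue" {
  type    = bool
  default = false
}

locals {
  # Constructed stand-ins for the keys the real module would create.
  kms_default_bucket = "placeholder-kms_default_bucket"
  kms_default_sql    = "placeholder-kms_default_sql"
  kms_module_key     = "placeholder-module.kms[0].crypto_key"

  # Scenarios 1 and 2: the default-encryption flag overrides a supplied key ID.
  bucket_key = var.bucket_default_encryption ? local.kms_default_bucket : var.bucket_kms_key_id
  sql_key    = var.sql_default_encryption ? local.kms_default_sql : var.db_kms_key_id

  # Scenario 3: with the internal queue the kms module is not created (modelled
  # here as an instance count of 0) and the key resolves to null.
  kms_instances = var.use_internal_queue ? 0 : 1
  # Assumption: a supplied db_kms_key_id is preferred when it is not null.
  effective_crypto_key = var.use_internal_queue ? null : coalesce(var.db_kms_key_id, local.kms_module_key)
}

output "resolved_keys" {
  value = {
    bucket = local.bucket_key
    sql    = local.sql_key
    queue  = local.effective_crypto_key
    kms_n  = local.kms_instances
  }
}
```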

jsbroks commented 2 months ago

This PR is included in version 5.1.0 :tada: