CMEK support for Cloud Functions (#5973) (#11627)

modular-magician · Rustem Bekmukhametov · web-flow · commit 1ef3676c447e · 2022-05-02T15:37:15.000-07:00
* CMEK support for Cloud Functions (docker_repository and kms_key_name fields)

* separate tests for CMEK and AR; added role binding for the CMEK test

* Remaining IAM configs

* Formatting

* Granting additional permissions to the service accounts

* Another attempts at fixing the IAM (potentially a race) issue

* Accounting for feedback: create kms key via bootstraping util

* documentation update

* Remove refernces to beta in the docs (feedback)

Co-authored-by: Rustem Bekmukhametov &lt;rustemb@google.com&gt;
Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;

Co-authored-by: Rustem Bekmukhametov &lt;rustemb@google.com&gt;
diff --git a/.changelog/5973.txt b/.changelog/5973.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+cloudfunctions: CMEK support for Cloud Functions
+```
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -32,17 +32,11 @@ builds:
       - -s -w -X internal/provider.Version={{.Version}}
     mod_timestamp: '{{ .CommitTimestamp }}'
 checksum:
-  extra_files:
-    - glob: 'terraform-registry-manifest.json'
-      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
   name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
   algorithm: sha256
 publishers:
   - name: hc-releases
     checksum: true
-    extra_files:
-      - glob: 'terraform-registry-manifest.json'
-        name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
     signature: true
     cmd: hc-releases upload-file -header="x-terraform-protocol-version={{ .Env.PROTOCOL_VERSION }}" -header="x-terraform-protocol-versions={{ .Env.PROTOCOL_VERSIONS }}" {{ abs .ArtifactPath }}
     env:
@@ -52,9 +46,6 @@ publishers:
       - AWS_SECRET_ACCESS_KEY={{ .Env.AWS_SECRET_ACCESS_KEY }}
       - AWS_SESSION_TOKEN={{ .Env.AWS_SESSION_TOKEN }}
 release:
-  extra_files:
-    - glob: 'terraform-registry-manifest.json'
-      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
   ids:
     - none
 signs:
@@ -67,6 +58,7 @@ signs:
       sign
       --dearmor
       --file ${artifact}
+      --signer {{ .Env.SIGNER }}
       --out ${signature}
     artifacts: checksum
   # Signature file with GPG Public Key ID in filename (i.e. terraform-provider-awscc_VERSION_SHA256SUMS.7685B676.sig)
@@ -80,6 +72,7 @@ signs:
       sign
       --dearmor
       --file ${artifact}
+      --signer {{ .Env.SIGNER }}
       --out ${signature}
     artifacts: checksum
 snapshot:
diff --git a/google/resource_cloudfunctions_function.go b/google/resource_cloudfunctions_function.go
@@ -146,6 +146,18 @@ func resourceCloudFunctionsFunction() *schema.Resource {
 				},
 			},
 
+			"docker_repository": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: `User managed repository created in Artifact Registry optionally with a customer managed encryption key. If specified, deployments will use Artifact Registry for storing images built with Cloud Build.`,
+			},
+
+			"kms_key_name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: `Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources.`,
+			},
+
 			"description": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -498,6 +510,14 @@ func resourceCloudFunctionsCreate(d *schema.ResourceData, meta interface{}) erro
 		function.VpcConnectorEgressSettings = v.(string)
 	}
 
+	if v, ok := d.GetOk("docker_repository"); ok {
+		function.DockerRepository = v.(string)
+	}
+
+	if v, ok := d.GetOk("kms_key_name"); ok {
+		function.KmsKeyName = v.(string)
+	}
+
 	if v, ok := d.GetOk("max_instances"); ok {
 		function.MaxInstances = int64(v.(int))
 	}
@@ -629,6 +649,12 @@ func resourceCloudFunctionsRead(d *schema.ResourceData, meta interface{}) error
 	if err := d.Set("event_trigger", flattenEventTrigger(function.EventTrigger)); err != nil {
 		return fmt.Errorf("Error setting event_trigger: %s", err)
 	}
+	if err := d.Set("docker_repository", function.DockerRepository); err != nil {
+		return fmt.Errorf("Error setting docker_repository: %s", err)
+	}
+	if err := d.Set("kms_key_name", function.KmsKeyName); err != nil {
+		return fmt.Errorf("Error setting kms_key_name: %s", err)
+	}
 	if err := d.Set("max_instances", function.MaxInstances); err != nil {
 		return fmt.Errorf("Error setting max_instances: %s", err)
 	}
@@ -754,6 +780,16 @@ func resourceCloudFunctionsUpdate(d *schema.ResourceData, meta interface{}) erro
 		updateMaskArr = append(updateMaskArr, "eventTrigger", "eventTrigger.failurePolicy.retry")
 	}
 
+	if d.HasChange("docker_repository") {
+		function.Runtime = d.Get("docker_repository").(string)
+		updateMaskArr = append(updateMaskArr, "dockerRepository")
+	}
+
+	if d.HasChange("kms_key_name") {
+		function.Runtime = d.Get("docker_repository").(string)
+		updateMaskArr = append(updateMaskArr, "kmsKeyName")
+	}
+
 	if d.HasChange("max_instances") {
 		function.MaxInstances = int64(d.Get("max_instances").(int))
 		updateMaskArr = append(updateMaskArr, "maxInstances")
diff --git a/terraform-registry-manifest.json b/terraform-registry-manifest.json
diff --git a/website/docs/r/cloudfunctions_function.html.markdown b/website/docs/r/cloudfunctions_function.html.markdown
@@ -146,7 +146,12 @@ Eg. `"nodejs10"`, `"nodejs12"`, `"nodejs14"`, `"python37"`, `"python38"`, `"pyth
 * `source_archive_object` - (Optional) The source archive object (file) in archive bucket.
 
 * `source_repository` - (Optional) Represents parameters related to source repository where a function is hosted.
-  Cannot be set alongside `source_archive_bucket` or `source_archive_object`. Structure is [documented below](#nested_source_repository).
+  Cannot be set alongside `source_archive_bucket` or `source_archive_object`. Structure is [documented below](#nested_source_repository). It must match the pattern `projects/{project}/locations/{location}/repositories/{repository}`.* 
+
+* `docker_repository` - (Optional) User managed repository created in Artifact Registry optionally with a customer managed encryption key. If specified, deployments will use Artifact Registry. This is the repository to which the function docker image will be pushed after it is built by Cloud Build. If unspecified, Container Registry will be used by default, unless specified otherwise by other means.
+
+* `kms_key_name` - (Optional) Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources. It must match the pattern `projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`.
+  If specified, you must also provide an artifact registry repository using the `docker_repository` field that was created with the same KMS crypto key. Before deploying, please complete all pre-requisites described in https://cloud.google.com/functions/docs/securing/cmek#granting_service_accounts_access_to_the_key
 
 * `max_instances` - (Optional) The limit on the maximum number of function instances that may coexist at a given time.
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	`+cloudfunctions: CMEK support for Cloud Functions`
	`3`	+```