Add CMEK support for Redis cluster (#12999)

Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
GoogleCloudPlatform · Feb 14, 2025 · 57616ae · 57616ae
1 parent 0c7109c
commit 57616ae
Show file tree

Hide file tree

Showing 8 changed files with 111 additions and 47 deletions.
diff --git a/mmv1/products/redis/Cluster.yaml b/mmv1/products/redis/Cluster.yaml
@@ -126,9 +126,9 @@ examples:
     primary_resource_id: 'cluster-ha'
     vars:
       cluster_name: 'ha-cluster'
-      policy_name: 'mypolicy'
-      subnet_name: 'mysubnet'
-      network_name: 'mynetwork'
+      policy_name: 'my-policy'
+      subnet_name: 'my-subnet'
+      network_name: 'my-network'
       deletion_protection_enabled: 'true'
     test_vars_overrides:
       'deletion_protection_enabled': 'false'
@@ -138,9 +138,9 @@ examples:
     primary_resource_id: 'cluster-ha-single-zone'
     vars:
       cluster_name: 'ha-cluster-single-zone'
-      policy_name: 'mypolicy'
-      subnet_name: 'mysubnet'
-      network_name: 'mynetwork'
+      policy_name: 'my-policy'
+      subnet_name: 'my-subnet'
+      network_name: 'my-network'
       deletion_protection_enabled: 'true'
     test_vars_overrides:
       'deletion_protection_enabled': 'false'
@@ -168,9 +168,9 @@ examples:
     primary_resource_id: "cluster-rdb"
     vars:
       cluster_name: "rdb-cluster"
-      policy_name: "mypolicy"
-      subnet_name: "mysubnet"
-      network_name: "mynetwork"
+      policy_name: "my-policy"
+      subnet_name: "my-subnet"
+      network_name: "my-network"
       deletion_protection_enabled: 'true'
     test_vars_overrides:
       'deletion_protection_enabled': 'false'
@@ -180,14 +180,32 @@ examples:
     primary_resource_id: "cluster-aof"
     vars:
       cluster_name: "aof-cluster"
-      policy_name: "mypolicy"
-      subnet_name: "mysubnet"
-      network_name: "mynetwork"
+      policy_name: "my-policy"
+      subnet_name: "my-subnet"
+      network_name: "my-network"
       deletion_protection_enabled: 'true'
     test_vars_overrides:
       'deletion_protection_enabled': 'false'
     oics_vars_overrides:
       'deletion_protection_enabled': 'false'
+  - name: "redis_cluster_cmek"
+    primary_resource_id: "cluster-cmek"
+    bootstrap_iam:
+      - member: "serviceAccount:service-{project_number}@cloud-redis.iam.gserviceaccount.com"
+        role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+    vars:
+      cluster_name: "cmek-cluster"
+      policy_name: "my-policy"
+      subnet_name: "my-subnet"
+      network_name: "my-network"
+      kms_key_name: "my-key"
+      kms_ring_name: "my-key-ring"
+      deletion_protection_enabled: 'true'
+    test_vars_overrides:
+      'deletion_protection_enabled': 'false'
+      'kms_key_name': 'acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name'
+    oics_vars_overrides:
+      'deletion_protection_enabled': 'false'
 parameters:
   - name: 'name'
     type: String
@@ -718,3 +736,6 @@ properties:
             - 'CONNECTION_TYPE_PRIMARY'
             - 'CONNECTION_TYPE_DISCOVERY'
           description: Type of a PSC connection targeting this service attachment.
+  - name: 'kmsKey'
+    type: String
+    description: The KMS key used to encrypt the at-rest data of the cluster.
diff --git a/mmv1/products/redis/ClusterUserCreatedConnections.yaml b/mmv1/products/redis/ClusterUserCreatedConnections.yaml
@@ -18,6 +18,8 @@ description: |
   Manages user created connections for Redis cluster
 docs:
   note: |
+    Please ensure your connections meet the requirements outlined at
+    https://cloud.devsite.corp.google.com/memorystore/docs/cluster/about-multiple-vpc-networking#application_connection_requirements.
     If you remove a connections item from the resource, the corresponding forwarding rule will no longer be functioning.
     If the corresponding forwarding rule is represented in your terraform configuration it is recommended to delete that
     `google_compute_forwarding_rule` resource at the same time.

diff --git a/mmv1/templates/terraform/examples/redis_cluster_aof.tf.tmpl b/mmv1/templates/terraform/examples/redis_cluster_aof.tf.tmpl
@@ -2,7 +2,7 @@ resource "google_redis_cluster" "{{$.PrimaryResourceId}}" {
   name           = "{{index $.Vars "cluster_name"}}"
   shard_count    = 3
   psc_configs {
-    network = google_compute_network.producer_net.id
+    network = google_compute_network.consumer_net.id
   }
   region = "us-central1"
   replica_count = 0
@@ -44,20 +44,20 @@ resource "google_network_connectivity_service_connection_policy" "default" {
   location = "us-central1"
   service_class = "gcp-memorystore-redis"
   description   = "my basic service connection policy"
-  network = google_compute_network.producer_net.id
+  network = google_compute_network.consumer_net.id
   psc_config {
-    subnetworks = [google_compute_subnetwork.producer_subnet.id]
+    subnetworks = [google_compute_subnetwork.consumer_subnet.id]
   }
 }
 
-resource "google_compute_subnetwork" "producer_subnet" {
+resource "google_compute_subnetwork" "consumer_subnet" {
   name          = "{{index $.Vars "subnet_name"}}"
   ip_cidr_range = "10.0.0.248/29"
   region        = "us-central1"
-  network       = google_compute_network.producer_net.id
+  network       = google_compute_network.consumer_net.id
 }
 
-resource "google_compute_network" "producer_net" {
+resource "google_compute_network" "consumer_net" {
   name                    = "{{index $.Vars "network_name"}}"
   auto_create_subnetworks = false
 }
diff --git a/mmv1/templates/terraform/examples/redis_cluster_cmek.tf.tmpl b/mmv1/templates/terraform/examples/redis_cluster_cmek.tf.tmpl
@@ -0,0 +1,41 @@
+resource "google_redis_cluster" "{{$.PrimaryResourceId}}" {
+  name           = "{{index $.Vars "cluster_name"}}"
+  shard_count    = 3
+  psc_configs {
+    network = google_compute_network.consumer_net.id
+  }
+  kms_key = "{{index $.Vars "kms_key_name"}}"
+  region = "us-central1"
+  deletion_protection_enabled = {{index $.Vars "deletion_protection_enabled"}}
+  depends_on = [
+    google_network_connectivity_service_connection_policy.default
+  ]
+}
+
+
+data "google_project" "project" {
+}
+
+resource "google_network_connectivity_service_connection_policy" "default" {
+  name = "{{index $.Vars "policy_name"}}"
+  location = "us-central1"
+  service_class = "gcp-memorystore-redis"
+  description   = "my basic service connection policy"
+  network = google_compute_network.consumer_net.id
+  psc_config {
+    subnetworks = [google_compute_subnetwork.consumer_subnet.id]
+  }
+}
+
+resource "google_compute_subnetwork" "consumer_subnet" {
+  name          = "{{index $.Vars "subnet_name"}}"
+  ip_cidr_range = "10.0.0.248/29"
+  region        = "us-central1"
+  network       = google_compute_network.consumer_net.id
+}
+
+resource "google_compute_network" "consumer_net" {
+  name                    = "{{index $.Vars "network_name"}}"
+  auto_create_subnetworks = false
+}
+
diff --git a/mmv1/templates/terraform/examples/redis_cluster_ha.tf.tmpl b/mmv1/templates/terraform/examples/redis_cluster_ha.tf.tmpl
@@ -2,7 +2,7 @@ resource "google_redis_cluster" "{{$.PrimaryResourceId}}" {
   name           = "{{index $.Vars "cluster_name"}}"
   shard_count    = 3
   psc_configs {
-    network = google_compute_network.producer_net.id
+    network = google_compute_network.consumer_net.id
   }
   region = "us-central1"
   replica_count = 1
@@ -38,20 +38,20 @@ resource "google_network_connectivity_service_connection_policy" "default" {
   location = "us-central1"
   service_class = "gcp-memorystore-redis"
   description   = "my basic service connection policy"
-  network = google_compute_network.producer_net.id
+  network = google_compute_network.consumer_net.id
   psc_config {
-    subnetworks = [google_compute_subnetwork.producer_subnet.id]
+    subnetworks = [google_compute_subnetwork.consumer_subnet.id]
   }
 }
 
-resource "google_compute_subnetwork" "producer_subnet" {
+resource "google_compute_subnetwork" "consumer_subnet" {
   name          = "{{index $.Vars "subnet_name"}}"
   ip_cidr_range = "10.0.0.248/29"
   region        = "us-central1"
-  network       = google_compute_network.producer_net.id
+  network       = google_compute_network.consumer_net.id
 }
 
-resource "google_compute_network" "producer_net" {
+resource "google_compute_network" "consumer_net" {
   name                    = "{{index $.Vars "network_name"}}"
   auto_create_subnetworks = false
 }
diff --git a/mmv1/templates/terraform/examples/redis_cluster_ha_single_zone.tf.tmpl b/mmv1/templates/terraform/examples/redis_cluster_ha_single_zone.tf.tmpl
@@ -2,7 +2,7 @@ resource "google_redis_cluster" "{{$.PrimaryResourceId}}" {
   name           = "{{index $.Vars "cluster_name"}}"
   shard_count    = 3
   psc_configs {
-    network = google_compute_network.producer_net.id
+    network = google_compute_network.consumer_net.id
   }
   region = "us-central1"
   zone_distribution_config {
@@ -32,20 +32,20 @@ resource "google_network_connectivity_service_connection_policy" "default" {
   location = "us-central1"
   service_class = "gcp-memorystore-redis"
   description   = "my basic service connection policy"
-  network = google_compute_network.producer_net.id
+  network = google_compute_network.consumer_net.id
   psc_config {
-    subnetworks = [google_compute_subnetwork.producer_subnet.id]
+    subnetworks = [google_compute_subnetwork.consumer_subnet.id]
   }
 }
 
-resource "google_compute_subnetwork" "producer_subnet" {
+resource "google_compute_subnetwork" "consumer_subnet" {
   name          = "{{index $.Vars "subnet_name"}}"
   ip_cidr_range = "10.0.0.248/29"
   region        = "us-central1"
-  network       = google_compute_network.producer_net.id
+  network       = google_compute_network.consumer_net.id
 }
 
-resource "google_compute_network" "producer_net" {
+resource "google_compute_network" "consumer_net" {
   name                    = "{{index $.Vars "network_name"}}"
   auto_create_subnetworks = false
 }
diff --git a/mmv1/templates/terraform/examples/redis_cluster_rdb.tf.tmpl b/mmv1/templates/terraform/examples/redis_cluster_rdb.tf.tmpl
@@ -2,7 +2,7 @@ resource "google_redis_cluster" "{{$.PrimaryResourceId}}" {
   name           = "{{index $.Vars "cluster_name"}}"
   shard_count    = 3
   psc_configs {
-    network = google_compute_network.producer_net.id
+    network = google_compute_network.consumer_net.id
   }
   region = "us-central1"
   replica_count = 0
@@ -45,20 +45,20 @@ resource "google_network_connectivity_service_connection_policy" "default" {
   location = "us-central1"
   service_class = "gcp-memorystore-redis"
   description   = "my basic service connection policy"
-  network = google_compute_network.producer_net.id
+  network = google_compute_network.consumer_net.id
   psc_config {
-    subnetworks = [google_compute_subnetwork.producer_subnet.id]
+    subnetworks = [google_compute_subnetwork.consumer_subnet.id]
   }
 }
 
-resource "google_compute_subnetwork" "producer_subnet" {
+resource "google_compute_subnetwork" "consumer_subnet" {
   name          = "{{index $.Vars "subnet_name"}}"
   ip_cidr_range = "10.0.0.248/29"
   region        = "us-central1"
-  network       = google_compute_network.producer_net.id
+  network       = google_compute_network.consumer_net.id
 }
 
-resource "google_compute_network" "producer_net" {
+resource "google_compute_network" "consumer_net" {
   name                    = "{{index $.Vars "network_name"}}"
   auto_create_subnetworks = false
 }
diff --git a/mmv1/templates/terraform/examples/redis_cluster_secondary.tf.tmpl b/mmv1/templates/terraform/examples/redis_cluster_secondary.tf.tmpl
@@ -3,7 +3,7 @@ resource "google_redis_cluster" "primary_cluster" {
   name          = "{{index $.Vars "primary_cluster_name"}}"
   region        = "us-east1"
   psc_configs {
-    network = google_compute_network.producer_net.id
+    network = google_compute_network.consumer_net.id
   }
 
   // Settings that should match on primary and secondary clusters. 
@@ -54,7 +54,7 @@ resource "google_redis_cluster" "{{$.PrimaryResourceId}}" {
   name          = "{{index $.Vars "secondary_cluster_name"}}"
   region        = "europe-west1"
   psc_configs {
-    network = google_compute_network.producer_net.id
+    network = google_compute_network.consumer_net.id
   }
 
   // Settings that should match on primary and secondary clusters. 
@@ -113,17 +113,17 @@ resource "google_network_connectivity_service_connection_policy" "primary_cluste
   location = "us-east1"
   service_class = "gcp-memorystore-redis"
   description   = "Primary cluster service connection policy"
-  network = google_compute_network.producer_net.id
+  network = google_compute_network.consumer_net.id
   psc_config {
-    subnetworks = [google_compute_subnetwork.primary_cluster_producer_subnet.id]
+    subnetworks = [google_compute_subnetwork.primary_cluster_consumer_subnet.id]
   }
 }
 
-resource "google_compute_subnetwork" "primary_cluster_producer_subnet" {
+resource "google_compute_subnetwork" "primary_cluster_consumer_subnet" {
   name          = "{{index $.Vars "primary_cluster_subnet_name"}}"
   ip_cidr_range = "10.0.1.0/29"
   region        = "us-east1"
-  network       = google_compute_network.producer_net.id
+  network       = google_compute_network.consumer_net.id
 }
 
 
@@ -132,20 +132,20 @@ resource "google_network_connectivity_service_connection_policy" "secondary_clus
   location = "europe-west1"
   service_class = "gcp-memorystore-redis"
   description   = "Secondary cluster service connection policy"
-  network = google_compute_network.producer_net.id
+  network = google_compute_network.consumer_net.id
   psc_config {
-    subnetworks = [google_compute_subnetwork.secondary_cluster_producer_subnet.id]
+    subnetworks = [google_compute_subnetwork.secondary_cluster_consumer_subnet.id]
   }
 }
 
-resource "google_compute_subnetwork" "secondary_cluster_producer_subnet" {
+resource "google_compute_subnetwork" "secondary_cluster_consumer_subnet" {
   name          = "{{index $.Vars "secondary_cluster_subnet_name"}}"
   ip_cidr_range = "10.0.2.0/29"
   region        = "europe-west1"
-  network       = google_compute_network.producer_net.id
+  network       = google_compute_network.consumer_net.id
 }
 
-resource "google_compute_network" "producer_net" {
+resource "google_compute_network" "consumer_net" {
   name                    = "{{index $.Vars "network_name"}}"
   auto_create_subnetworks = false
 }