From d0ff439be6074269184734100cea2e2103f4aac1 Mon Sep 17 00:00:00 2001
From: The Magician
Date: Mon, 1 Jul 2019 14:06:34 -0700
Subject: [PATCH] Pub/Sub Topic CMEK/KMS support (#291)
Signed-off-by: Modular Magician
---
 plugins/modules/gcp_pubsub_topic.py | 25 ++++++++++++++++++++---
 plugins/modules/gcp_pubsub_topic_facts.py | 9 ++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/plugins/modules/gcp_pubsub_topic.py b/plugins/modules/gcp_pubsub_topic.py
index 3529702..46038c6 100644
--- a/plugins/modules/gcp_pubsub_topic.py
+++ b/plugins/modules/gcp_pubsub_topic.py
@@ -51,6 +51,14 @@ options:
 description:
 - Name of the topic.
 required: true
+ kms_key_name:
+ description:
+ - The resource name of the Cloud KMS CryptoKey to be used to protect access to
+ messsages published on this topic. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`)
+ must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+ - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+ required: false
+ version_added: 2.9
 labels:
 description:
 - A set of key/value label pairs to assign to this Topic.
@@ -78,6 +86,14 @@ name:
 - Name of the topic.
 returned: success
 type: str
+kmsKeyName:
+ description:
+ - The resource name of the Cloud KMS CryptoKey to be used to protect access to messsages
+ published on this topic. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`)
+ must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+ - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+ returned: success
+ type: str
 labels:
 description:
 - A set of key/value label pairs to assign to this Topic.
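Review bot: In the new `kms_key_name` option docs, `version_added: 2.9` is an unquoted YAML scalar and loads as a float; quote it as `version_added: '2.9'` so the version stays a string. The description misspells "messsages", and the same typo is repeated in the `kmsKeyName` return docs of this file and of gcp_pubsub_topic_facts.py. The text also does not say at which scope `roles/cloudkms.cryptoKeyEncrypterDecrypter` has to be granted; I would add a sentence such as `Grant the role on the CryptoKey itself rather than on the whole project.` so that readers do not hand the service account decrypt rights on every key in the project.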
@@ -102,7 +118,10 @@ def main():
 module = GcpModule(
 argument_spec=dict(
- state=dict(default='present', choices=['present', 'absent'], type='str'), name=dict(required=True, type='str'), labels=dict(type='dict')
+ state=dict(default='present', choices=['present', 'absent'], type='str'),
+ name=dict(required=True, type='str'),
+ kms_key_name=dict(type='str'),
+ labels=dict(type='dict'),
 )
 )
@@ -162,7 +181,7 @@ def delete(module, link):
 def resource_to_request(module):
- request = {u'name': module.params.get('name'), u'labels': module.params.get('labels')}
+ request = {u'name': module.params.get('name'), u'kmsKeyName': module.params.get('kms_key_name'), u'labels': module.params.get('labels')}
 request = encode_request(request, module)
 return_vals = {}
 for k, v in request.items():
@@ -230,7 +249,7 @@ def is_different(module, response):
 # Remove unnecessary properties from the response.
 # This is for doing comparisons with Ansible's current parameters.
 def response_to_hash(module, response):
- return {u'name': module.params.get('name'), u'kmsKeyName': module.params.get('kms_key_name'), u'labels': response.get(u'labels')}
+ return {u'name': module.params.get('name'), u'kmsKeyName': module.params.get('kms_key_name'), u'labels': response.get(u'labels')}
 def decode_request(response, module):
diff --git a/plugins/modules/gcp_pubsub_topic_facts.py b/plugins/modules/gcp_pubsub_topic_facts.py
index 8e3edf5..7b794fc 100644
--- a/plugins/modules/gcp_pubsub_topic_facts.py
+++ b/plugins/modules/gcp_pubsub_topic_facts.py
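Review bot: In `response_to_hash`, `u'kmsKeyName'` is filled from `module.params.get('kms_key_name')` instead of from the API response, so the value on the response side can never differ from what the task asked for. If `is_different` (its body is outside this hunk) compares this hash with the request, as the comment above the function suggests, a task that requests a CMEK key on an existing topic that has no key, or a different one, would report no change, and the run would look as if messages were protected by the requested key. Reading the live value, `u'kmsKeyName': response.get(u'kmsKeyName')`, makes the mismatch visible; if the key cannot be changed after creation, the module should then fail with a clear message rather than stay silent. The return docs added in this same patch list `kmsKeyName` as a returned field, so the response is expected to carry it.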
@@ -63,6 +63,15 @@ resources:
 - Name of the topic.
 returned: success
 type: str
+ kmsKeyName:
+ description:
+ - The resource name of the Cloud KMS CryptoKey to be used to protect access
+ to messsages published on this topic. Your project's PubSub service account
+ (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must
+ have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+ - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+ returned: success
+ type: str
 labels:
 description:
 - A set of key/value label pairs to assign to this Topic.