BigQuery Dataset default CMEK encryption

GoogleCloudPlatform · Oct 4, 2019 · e30d0ef · e30d0ef
1 parent 0ea41bd
commit e30d0ef
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 0 deletions.
diff --git a/products/bigquery/api.yaml b/products/bigquery/api.yaml
@@ -215,6 +215,20 @@ objects:
           The default value is multi-regional location `US`.
           Changing this forces a new resource to be created.
         default_value: US
+      - !ruby/object:Api::Type::NestedObject
+        name: 'defaultEncryptionConfiguration'
+        description: |
+          The default encryption key for all tables in the dataset. Once this property is set,
+          all newly-created partitioned tables in the dataset will have encryption key set to
+          this value, unless table creation request (or query) overrides the key.
+        properties:
+          - !ruby/object:Api::Type::String
+            name: 'kmsKeyName'
+            required: true
+            description: |
+              Describes the Cloud KMS encryption key that will be used to protect destination
+              BigQuery table. The BigQuery Service Account associated with your project requires
+              access to this encryption key.
   - !ruby/object:Api::Resource
     name: 'Table'
     kind: 'bigquery#table'

diff --git a/products/bigquery/terraform.yaml b/products/bigquery/terraform.yaml
@@ -24,6 +24,14 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         primary_resource_id: "dataset"
         vars:
           dataset_id: "example_dataset"
+      - !ruby/object:Provider::Terraform::Examples
+        name: "bigquery_dataset_cmek"
+        skip_test: true
+        primary_resource_id: "dataset"
+        vars:
+          dataset_id: "example_dataset"
+          key_name: "example-key"
+          keyring_name: "example-keyring"
     virtual_fields:
       - !ruby/object:Provider::Terraform::VirtualFields
         name: 'delete_contents_on_destroy'

diff --git a/templates/terraform/examples/bigquery_dataset_cmek.tf.erb b/templates/terraform/examples/bigquery_dataset_cmek.tf.erb
@@ -0,0 +1,21 @@
+resource "google_bigquery_dataset" "<%= ctx[:primary_resource_id] %>" {
+  dataset_id                  = "<%= ctx[:vars]['dataset_id'] %>"
+  friendly_name               = "test"
+  description                 = "This is a test description"
+  location                    = "US"
+  default_table_expiration_ms = 3600000
+
+  default_encryption_configuration {
+    kms_key_name = "${google_kms_crypto_key.crypto_key.self_link}"
+  }
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+  name     = "<%= ctx[:vars]['key_name'] %>"
+  key_ring = "${google_kms_key_ring.key_ring.self_link}"
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  name     = "<%= ctx[:vars]['keyring_name'] %>"
+  location = "us"
+}
diff --git a/third_party/terraform/tests/resource_big_query_dataset_test.go b/third_party/terraform/tests/resource_big_query_dataset_test.go
@@ -135,6 +135,29 @@ func TestAccBigQueryDataset_regionalLocation(t *testing.T) {
 	})
 }
 
+func TestAccBigQueryDataset_cmek(t *testing.T) {
+	t.Parallel()
+
+	kms := BootstrapKMSKeyInLocation(t, "us")
+	pid := getTestProjectFromEnv()
+	datasetID1 := fmt.Sprintf("tf_test_%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryDataset_cmek(pid, datasetID1, kms.CryptoKey.Name),
+			},
+			{
+				ResourceName:      "google_bigquery_dataset.test",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccAddTable(datasetID string, tableID string) resource.TestCheckFunc {
 	// Not actually a check, but adds a table independently of terraform
 	return func(s *terraform.State) error {
@@ -303,3 +326,31 @@ resource "google_bigquery_dataset" "access_test" {
   }
 }`, otherDatasetID, otherTableID, datasetID)
 }
+
+func testAccBigQueryDataset_cmek(pid, datasetID, kmsKey string) string {
+	return fmt.Sprintf(`
+data "google_project" "project" {
+  project_id = "%s"
+}
+
+resource "google_project_iam_member" "kms-project-binding" {
+  project = "${data.google_project.project.project_id}"
+  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member  = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
+}
+
+resource "google_bigquery_dataset" "test" {
+  dataset_id                  = "%s"
+  friendly_name               = "test"
+  description                 = "This is a test description"
+  location                    = "US"
+  default_table_expiration_ms = 3600000
+
+  default_encryption_configuration {
+    kms_key_name = "%s"
+  }
+
+  project = "${google_project_iam_member.kms-project-binding.project}"
+}
+`, pid, datasetID, kmsKey)
+}