Merge pull request #44 from danistrebel/feature/kms-rotation

feat: Add default KMS rotation
apigee · Aug 2, 2022 · 2da2fe8 · 2da2fe8
2 parents cadb83e + 61fe6c8
commit 2da2fe8
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/modules/apigee-x-core/README.md b/modules/apigee-x-core/README.md
@@ -31,7 +31,9 @@
 | <a name="input_apigee_instances"></a> [apigee\_instances](#input\_apigee\_instances) | Apigee Instances (only one instance for EVAL). | <pre>map(object({<br>    region       = string<br>    ip_range     = string<br>    environments = list(string)<br>  }))</pre> | `{}` | no |
 | <a name="input_ax_region"></a> [ax\_region](#input\_ax\_region) | GCP region for storing Apigee analytics data (see https://cloud.google.com/apigee/docs/api-platform/get-started/install-cli). | `string` | n/a | yes |
 | <a name="input_billing_type"></a> [billing\_type](#input\_billing\_type) | Billing type of the Apigee organization. | `string` | `null` | no |
+| <a name="input_instance_key_rotation_period"></a> [instance\_key\_rotation\_period](#input\_instance\_key\_rotation\_period) | Rotaton period for the instance disk encryption key | `string` | `"2592000s"` | no |
 | <a name="input_network"></a> [network](#input\_network) | Network (self-link) to peer with the Apigee tennant project. | `string` | n/a | yes |
+| <a name="input_org_key_rotation_period"></a> [org\_key\_rotation\_period](#input\_org\_key\_rotation\_period) | Rotaton period for the organization DB encryption key | `string` | `"2592000s"` | no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Project id (also used for the Apigee Organization). | `string` | n/a | yes |
 
 ## Outputs

diff --git a/modules/apigee-x-core/main.tf b/modules/apigee-x-core/main.tf
@@ -33,7 +33,7 @@ module "kms-org-db" {
     name     = "apigee-x-org"
   }
   keys = {
-    org-db = null
+    org-db = { rotation_period = var.org_key_rotation_period, labels = null }
   }
 }
 
@@ -67,7 +67,7 @@ module "kms-inst-disk" {
     name     = "apigee-${each.key}"
   }
   keys = {
-    inst-disk = null
+    inst-disk = { rotation_period = var.instance_key_rotation_period, labels = null }
   }
 }
 

diff --git a/modules/apigee-x-core/variables.tf b/modules/apigee-x-core/variables.tf
@@ -59,3 +59,15 @@ variable "apigee_instances" {
   }))
   default = {}
 }
+
+variable "org_key_rotation_period" {
+  description = "Rotaton period for the organization DB encryption key"
+  type = string
+  default = "2592000s"
+}
+
+variable "instance_key_rotation_period" {
+  description = "Rotaton period for the instance disk encryption key"
+  type = string
+  default = "2592000s"
+}