You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat: added new variable use_default_backup_encryption_key. This now means it is possible to have KMS encryption for your primary instance, and use the default encryption on the backup instance (#294)
Copy file name to clipboardExpand all lines: README.md
+2-1Lines changed: 2 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -86,7 +86,7 @@ To attach access management tags to resources in this module, you need the follo
86
86
| <aname="input_admin_pass"></a> [admin\_pass](#input\_admin\_pass)| The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. The admin password must be in the range of 10-32 characters. |`string`|`null`| no |
87
87
| <a name="input_auto_scaling"></a> [auto\_scaling](#input\_auto\_scaling) | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. | <pre>object({<br> disk = object({<br> capacity_enabled = optional(bool, false)<br> free_space_less_than_percent = optional(number, 10)<br> io_above_percent = optional(number, 90)<br> io_enabled = optional(bool, false)<br> io_over_period = optional(string, "15m")<br> rate_increase_percent = optional(number, 10)<br> rate_limit_mb_per_member = optional(number, 3670016)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "mb")<br> })<br> memory = object({<br> io_above_percent = optional(number, 90)<br> io_enabled = optional(bool, false)<br> io_over_period = optional(string, "15m")<br> rate_increase_percent = optional(number, 10)<br> rate_limit_mb_per_member = optional(number, 114688)<br> rate_period_seconds = optional(number, 900)<br> rate_units = optional(string, "mb")<br> })<br> })</pre> | `null` | no |
88
88
| <aname="input_backup_crn"></a> [backup\_crn](#input\_backup\_crn)| The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. |`string`|`null`| no |
89
-
| <aname="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn)| The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms\_key\_crn' variable is used. And if a HPCS value is passed for var.kms\_key\_crn, the database backup encryption uses the default encryption keys. |`string`|`null`| no |
89
+
| <aname="input_backup_encryption_key_crn"></a> [backup\_encryption\_key\_crn](#input\_backup\_encryption\_key\_crn)| The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms\_encryption\_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms\_key\_crn' variable is used, unless 'use\_default\_backup\_encryption\_key' is set to 'true'. And if a HPCS value is passed for var.kms\_key\_crn, the database backup encryption uses the default encryption keys. |`string`|`null`| no |
90
90
| <aname="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules)| (Optional, list) List of CBR rules to create | <pre>list(object({<br> description = string<br> account_id = string<br> rule_contexts = list(object({<br> attributes = optional(list(object({<br> name = string<br> value = string<br> }))) }))<br> enforcement_mode = string<br> }))</pre> |`[]`| no |
| <aname="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid)| The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms\_key\_crn and var.backup\_encryption\_key\_crn is coming from. Required only if var.kms\_encryption\_enabled is set to true, var.skip\_iam\_authorization\_policy is set to false, and you pass a value for var.kms\_key\_crn, var.backup\_encryption\_key\_crn, or both. |`string`|`null`| no |
@@ -108,6 +108,7 @@ To attach access management tags to resources in this module, you need the follo
108
108
| <aname="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names)| Map of name, role for service credentials that you want to create for the database |`map(string)`|`{}`| no |
109
109
| <aname="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints)| Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. |`string`|`"private"`| no |
110
110
| <aname="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy)| Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. |`bool`|`false`| no |
111
+
| <aname="input_use_default_backup_encryption_key"></a> [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key)| Set to true to use default ICD randomly generated keys. |`bool`|`false`| no |
111
112
| <aname="input_users"></a> [users](#input\_users)| A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the Postgres instance. This blocks creates native postgres database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-user-management&interface=ui| <pre>list(object({<br> name = string<br> password = string # pragma: allowlist secret<br> type = string # "type" is required to generate the connection string for the outputs.<br> role = optional(string)<br> }))</pre> |`[]`| no |
Copy file name to clipboardExpand all lines: main.tf
+3-1Lines changed: 3 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -12,10 +12,12 @@ locals {
12
12
validate_kms_vars=var.kms_encryption_enabled&& var.kms_key_crn==null&& var.backup_encryption_key_crn==null?tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn and/or var.backup_encryption_key_crn") :true
13
13
# tflint-ignore: terraform_unused_declarations
14
14
validate_auth_policy=var.kms_encryption_enabled&& var.skip_iam_authorization_policy==false&& var.existing_kms_instance_guid==null?tobool("When var.skip_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.existing_kms_instance_guid in order to create the auth policy.") :true
15
+
# tflint-ignore: terraform_unused_declarations
16
+
validate_backup_key=var.backup_encryption_key_crn!=null&& var.use_default_backup_encryption_key==true?tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to 'true'") :true
15
17
16
18
# If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn'. If this is a HPCS key (which is not currently supported for backup encryption), default to 'null' meaning encryption is done using randomly generated keys
17
19
# More info https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs
Copy file name to clipboardExpand all lines: module-metadata.json
+23-13Lines changed: 23 additions & 13 deletions
Original file line number
Diff line number
Diff line change
@@ -53,13 +53,13 @@
53
53
],
54
54
"pos": {
55
55
"filename": "variables.tf",
56
-
"line": 256
56
+
"line": 262
57
57
}
58
58
},
59
59
"backup_encryption_key_crn": {
60
60
"name": "backup_encryption_key_crn",
61
61
"type": "string",
62
-
"description": "The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms_key_crn' variable is used. And if a HPCS value is passed for var.kms_key_crn, the database backup encryption uses the default encryption keys.",
62
+
"description": "The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms_key_crn' variable is used, unless 'use_default_backup_encryption_key' is set to 'true'. And if a HPCS value is passed for var.kms_key_crn, the database backup encryption uses the default encryption keys.",
63
63
"pos": {
64
64
"filename": "variables.tf",
65
65
"line": 210
@@ -79,7 +79,7 @@
79
79
],
80
80
"pos": {
81
81
"filename": "variables.tf",
82
-
"line": 236
82
+
"line": 242
83
83
}
84
84
},
85
85
"configuration": {
@@ -103,7 +103,7 @@
103
103
],
104
104
"pos": {
105
105
"filename": "variables.tf",
106
-
"line": 226
106
+
"line": 232
107
107
},
108
108
"immutable": true,
109
109
"computed": true
@@ -210,7 +210,7 @@
210
210
],
211
211
"pos": {
212
212
"filename": "variables.tf",
213
-
"line": 273
213
+
"line": 279
214
214
}
215
215
},
216
216
"pitr_time": {
@@ -222,7 +222,7 @@
222
222
],
223
223
"pos": {
224
224
"filename": "variables.tf",
225
-
"line": 279
225
+
"line": 285
226
226
}
227
227
},
228
228
"plan_validation": {
@@ -340,6 +340,16 @@
340
340
"type": "bool",
341
341
"description": "Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if var.kms_encryption_enabled is set to false.",
342
342
"default": false,
343
+
"pos": {
344
+
"filename": "variables.tf",
345
+
"line": 226
346
+
}
347
+
},
348
+
"use_default_backup_encryption_key": {
349
+
"name": "use_default_backup_encryption_key",
350
+
"type": "bool",
351
+
"description": "Set to true to use default ICD randomly generated keys.",
Copy file name to clipboardExpand all lines: variables.tf
+7-1Lines changed: 7 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -209,14 +209,20 @@ variable "kms_key_crn" {
209
209
210
210
variable"backup_encryption_key_crn" {
211
211
type=string
212
-
description="The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms_key_crn' variable is used. And if a HPCS value is passed for var.kms_key_crn, the database backup encryption uses the default encryption keys."
212
+
description="The CRN of a Key Protect key that you want to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. BYOK for backups is available only in US regions us-south and us-east, and in eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, use a key from us-south or eu-de. Hyper Protect Crypto Services for IBM Cloud Databases backups is not currently supported. If no value is passed here, the value passed for the 'kms_key_crn' variable is used, unless 'use_default_backup_encryption_key' is set to 'true'. And if a HPCS value is passed for var.kms_key_crn, the database backup encryption uses the default encryption keys."
error_message="Valid values for backup_encryption_key_crn is null or a Key Protect key CRN from us-south, us-east or eu-de"
217
217
}
218
218
}
219
219
220
+
variable"use_default_backup_encryption_key" {
221
+
type=bool
222
+
description="Set to true to use default ICD randomly generated keys."
223
+
default=false
224
+
}
225
+
220
226
variable"skip_iam_authorization_policy" {
221
227
type=bool
222
228
description="Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if var.kms_encryption_enabled is set to false."
0 commit comments