fix: Added a random suffix in the keyring creation (#201)

* Added a randon in the kingring

* fixed the variables in the readme

README.md

@@ -51,7 +51,7 @@ module "secured_data_warehouse" {
 | bucket\_class | The storage class for the bucket being provisioned. | `string` | `"STANDARD"` | no |
 | bucket\_lifecycle\_rules | List of lifecycle rules to configure. Format is the same as described in provider documentation https://www.terraform.io/docs/providers/google/r/storage_bucket.html#lifecycle_rule except condition.matches\_storage\_class should be a comma delimited string. | <pre>set(object({<br>    action    = any<br>    condition = any<br>  }))</pre> | <pre>[<br>  {<br>    "action": {<br>      "type": "Delete"<br>    },<br>    "condition": {<br>      "age": 30,<br>      "matches_storage_class": [<br>        "STANDARD"<br>      ],<br>      "with_state": "ANY"<br>    }<br>  }<br>]</pre> | no |
 | bucket\_name | The name of for the bucket being provisioned. | `string` | n/a | yes |
-| cmek\_keyring\_name | The Keyring name for the KMS Customer Managed Encryption Keys being provisioned. | `string` | n/a | yes |
+| cmek\_keyring\_name | The Keyring prefix name for the KMS Customer Managed Encryption Keys being provisioned. | `string` | n/a | yes |
 | confidential\_access\_members | List of members in the standard GCP form: user:{email}, serviceAccount:{email}, group:{email} who will have access to confidential information in BigQuery. | `list(string)` | `[]` | no |
 | confidential\_data\_dataflow\_deployer\_identities | List of members in the standard GCP form: user:{email}, serviceAccount:{email} that will deploy Dataflow jobs in the Confidential Data project. These identities will be added to the VPC-SC secure data exchange egress rules. | `list(string)` | `[]` | no |
 | confidential\_data\_egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference) for the Confidential Data perimeter, each list object has a `from` and `to` value that describes egress\_from and egress\_to. See also [secure data exchange](https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange#allow_access_to_a_google_cloud_resource_outside_the_perimeter) and the [VPC-SC](https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/v3.1.0/modules/regular_service_perimeter/README.md) module. | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |

examples/batch-data-ingestion/main.tf

@@ -13,11 +13,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-resource "random_id" "random_suffix" {
-  byte_length = 4
-}
-
 locals {
   region              = "us-east4"
   location            = "us-east4-a"
@@ -61,7 +56,7 @@ module "data_ingestion" {
   location                         = local.region
   region                           = local.region
   dataset_id                       = local.dataset_id
-  cmek_keyring_name                = "cmek_keyring_${random_id.random_suffix.hex}"
+  cmek_keyring_name                = "cmek_keyring"
   delete_contents_on_destroy       = var.delete_contents_on_destroy
   perimeter_additional_members     = var.perimeter_additional_members
 }

examples/bigquery-confidential-data/main.tf

@@ -46,7 +46,7 @@ module "secured_data_warehouse" {
   location                         = local.location
   dataset_id                       = local.non_confidential_dataset_id
   confidential_dataset_id          = local.confidential_dataset_id
-  cmek_keyring_name                = "cmek_keyring_${random_id.suffix.hex}"
+  cmek_keyring_name                = "cmek_keyring"
   delete_contents_on_destroy       = var.delete_contents_on_destroy
   perimeter_additional_members     = var.perimeter_additional_members
 }

examples/dataflow-with-dlp/main.tf

@@ -21,10 +21,6 @@ locals {
   cc_file_path = "${path.module}/assets"
 }
 
-resource "random_id" "random_suffix" {
-  byte_length = 4
-}
-
 module "data_ingestion" {
   source                           = "../.."
   org_id                           = var.org_id
@@ -37,7 +33,7 @@ module "data_ingestion" {
   access_context_manager_policy_id = var.access_context_manager_policy_id
   bucket_name                      = "data-ingestion"
   dataset_id                       = local.dataset_id
-  cmek_keyring_name                = "cmek_keyring_${random_id.random_suffix.hex}"
+  cmek_keyring_name                = "cmek_keyring"
   delete_contents_on_destroy       = var.delete_contents_on_destroy
   perimeter_additional_members     = var.perimeter_additional_members
 }

examples/regional-dlp/main.tf

@@ -18,10 +18,6 @@ locals {
   bq_schema = "book:STRING, author:STRING"
 }
 
-resource "random_id" "suffix" {
-  byte_length = 4
-}
-
 module "data_ingestion" {
   source                           = "../.."
   org_id                           = var.org_id
@@ -34,7 +30,7 @@ module "data_ingestion" {
   access_context_manager_policy_id = var.access_context_manager_policy_id
   bucket_name                      = "dlp-flex-data-ingestion"
   dataset_id                       = "dlp_flex_data_ingestion"
-  cmek_keyring_name                = "dlp_flex_data-ingestion-${random_id.suffix.hex}"
+  cmek_keyring_name                = "dlp_flex_data-ingestion"
   region                           = "us-east4"
   delete_contents_on_destroy       = var.delete_contents_on_destroy
   perimeter_additional_members     = var.perimeter_additional_members

examples/tutorial-standalone/main.tf

@@ -44,7 +44,7 @@ module "secured_data_warehouse" {
   location                         = local.location
   dataset_id                       = local.non_confidential_dataset_id
   confidential_dataset_id          = local.confidential_dataset_id
-  cmek_keyring_name                = "cmek_keyring_${random_id.suffix.hex}"
+  cmek_keyring_name                = "cmek_keyring"
   delete_contents_on_destroy       = var.delete_contents_on_destroy
   perimeter_additional_members     = var.perimeter_additional_members
 

modules/data-governance/main.tf

@@ -26,8 +26,9 @@ locals {
   confidential_compute_sa  = "service-${data.google_project.reid_project.number}@compute-system.iam.gserviceaccount.com"
   confidential_bigquery_sa = data.google_bigquery_default_service_account.confidential_bigquery_sa.email
 
-  data_ingestion_key_name = "data_ingestion_kms_key_${random_id.suffix.hex}"
-  bigquery_key_name       = "bigquery_kms_key_${random_id.suffix.hex}"
+  data_ingestion_keyring_name = "${var.cmek_keyring_name}_${random_id.suffix.hex}"
+  data_ingestion_key_name     = "data_ingestion_kms_key_${random_id.suffix.hex}"
+  bigquery_key_name           = "bigquery_kms_key_${random_id.suffix.hex}"
 
   reidentification_key_name      = "reidentification_kms_key_${random_id.suffix.hex}"
   confidential_bigquery_key_name = "confidential_bigquery_kms_key_${random_id.suffix.hex}"
@@ -124,7 +125,7 @@ module "cmek" {
 
   project_id           = var.data_governance_project_id
   location             = var.cmek_location
-  keyring              = var.cmek_keyring_name
+  keyring              = local.data_ingestion_keyring_name
   key_rotation_period  = var.key_rotation_period_seconds
   prevent_destroy      = !var.delete_contents_on_destroy
   keys                 = local.keys

variables.tf

@@ -149,7 +149,7 @@ variable "dataset_default_table_expiration_ms" {
 }
 
 variable "cmek_keyring_name" {
-  description = "The Keyring name for the KMS Customer Managed Encryption Keys being provisioned."
+  description = "The Keyring prefix name for the KMS Customer Managed Encryption Keys being provisioned."
   type        = string
 }