feat: add support for destroy_scheduled_duration (#109)
chrisw-tracer authored Nov 3, 2023
1 parent 44d01da commit c26f3fb
Showing 3 changed files with 11 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -47,6 +47,7 @@ Functional examples are included in the
| decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no |
| encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no |
| key\_algorithm | The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs. | `string` | `"GOOGLE_SYMMETRIC_ENCRYPTION"` | no |
| key\_destroy\_scheduled\_duration | Set the period of time that versions of keys spend in the DESTROY\_SCHEDULED state before transitioning to DESTROYED. | `string` | `null` | no |
| key\_protection\_level | The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM"] | `string` | `"SOFTWARE"` | no |
| key\_rotation\_period | Generate a new key every time this period passes. | `string` | `"7776000s"` | no |
| keyring | Keyring name. | `string` | n/a | yes |
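
Review bot: the new key\_destroy\_scheduled\_duration row does not say what format the string takes or what the `null` default means for a key. The neighbouring key\_rotation\_period row at least shows a value in seconds (`"7776000s"`); an example value in the same form, plus a phrase saying that the provider's default applies when the variable is unset, would let readers set it without leaving the README. The text is identical to the variable description in variables.tf, so the wording is best fixed there and carried over to this table.
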
4 changes: 4 additions & 0 deletions main.tf
Expand Up @@ -35,6 +35,8 @@ resource "google_kms_crypto_key" "key" {
prevent_destroy = true
}

destroy_scheduled_duration = var.key_destroy_scheduled_duration

version_template {
algorithm = var.key_algorithm
protection_level = var.key_protection_level
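
Review bot: on `google_kms_crypto_key.key`, `destroy_scheduled_duration` is added right under a lifecycle block with `prevent_destroy = true`, and the change does not say whether the value can be altered on an existing key. If the provider only accepts it at creation and plans a replacement when it changes, this resource will refuse that plan, so anyone adjusting `key_destroy_scheduled_duration` later would hit an error. Please confirm the behaviour and state in the variable description whether the value is fixed once the key exists.
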
Expand All @@ -54,6 +56,8 @@ resource "google_kms_crypto_key" "key_ephemeral" {
prevent_destroy = false
}

destroy_scheduled_duration = var.key_destroy_scheduled_duration

version_template {
algorithm = var.key_algorithm
protection_level = var.key_protection_level
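
Review bot: `key_ephemeral` gets the same `var.key_destroy_scheduled_duration` as the protected `key` resource, so a caller cannot give short-lived keys a brief destruction window while keeping a long recovery window on protected keys. If the shared value is intentional, say so in the variable description; otherwise consider a separate variable for the ephemeral resource that falls back to this one.
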
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -42,6 +42,12 @@ variable "prevent_destroy" {
default = true
}

variable "key_destroy_scheduled_duration" {
description = "Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED."
type = string
default = null
}

variable "purpose" {
type = string
description = "The immutable purpose of the CryptoKey. Possible values are ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, and ASYMMETRIC_DECRYPT."
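
Review bot: `key_destroy_scheduled_duration` is a free-form string with no `validation` block, so a malformed or very short value goes straight to the resource and is only rejected, if at all, at apply time. The DESTROY_SCHEDULED period is the window in which an accidental or unauthorized key version destruction can still be undone, so a `validation` block that accepts `null` or a seconds value in the form used by key_rotation_period, with a sensible lower bound, would be worth adding. Minor style point: the new block lists `description` before `type`, while the `purpose` variable just below lists `type` first; pick one order.
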