From 7802e3ce1f227f3e641d2e1bdb6c01db4de5cac9 Mon Sep 17 00:00:00 2001 From: Aman Pruthi Date: Tue, 23 Jul 2024 20:31:58 +0530 Subject: [PATCH 1/8] feat: Added support for encrypting the database and bucket with CMK (#100) * Added support for encrypting the database and bucket with customer managed key * Added support for encrypting the database and bucket with a W&B managed key --------- Co-authored-by: amanpruthi Co-authored-by: Zachary Blasczyk --- README.md | 7 +++++ main.tf | 42 ++++++++++++++++++++++------- modules/database/main.tf | 5 ++++ modules/database/variables.tf | 7 +++++ modules/kms/main.tf | 30 +++++++++++++++++---- modules/kms/outputs.tf | 3 +++ modules/kms/variables.tf | 12 +++++++++ modules/redis/main.tf | 1 + modules/redis/variables.tf | 6 +++++ modules/storage/bucket/main.tf | 11 +++++++- modules/storage/bucket/variables.tf | 6 +++++ modules/storage/main.tf | 29 +++++++++----------- modules/storage/variables.tf | 6 +++++ variables.tf | 33 +++++++++++++++++++++++ 14 files changed, 166 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index c2a0ce58..f510899b 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,8 @@ resources that lack official modules. | [database](#module\_database) | ./modules/database | n/a | | [gke\_app](#module\_gke\_app) | wandb/wandb/kubernetes | 1.14.1 | | [kms](#module\_kms) | ./modules/kms | n/a | +| [kms\_default\_bucket](#module\_kms\_default\_bucket) | ./modules/kms | n/a | +| [kms\_default\_sql](#module\_kms\_default\_sql) | ./modules/kms | n/a | | [networking](#module\_networking) | ./modules/networking | n/a | | [private\_link](#module\_private\_link) | ./modules/private_link | n/a | | [project\_factory\_project\_services](#module\_project\_factory\_project\_services) | terraform-google-modules/project-factory/google//modules/project_services | ~> 14.0 | 
@@ -104,6 +106,9 @@ resources that lack official modules. | [allowed\_inbound\_cidrs](#input\_allowed\_inbound\_cidrs) | Which IPv4 addresses/ranges to allow access. This must be explicitly provided, and by default is set to ["*"] | `list(string)` |
[
"*"
]
| no | | [allowed\_project\_names](#input\_allowed\_project\_names) | A map of allowed projects where each key is a project number and the value is the connection limit. | `map(number)` | `{}` | no | | [app\_wandb\_env](#input\_app\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no | +| [bucket\_default\_encryption](#input\_bucket\_default\_encryption) | Boolean to determine if a default bucket encryption key should be used. If true, a default key will be created. Takes precedence over `bucket_kms_key_id`. | `bool` | `false` | no | +| [bucket\_kms\_key\_id](#input\_bucket\_kms\_key\_id) | ID of the customer-provided bucket KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`. | `string` | `null` | no | +| [bucket\_location](#input\_bucket\_location) | Location of the bucket (US, EU, ASIA) | `string` | `"US"` | no | | [bucket\_name](#input\_bucket\_name) | Use an existing bucket. | `string` | `""` | no | | [create\_private\_link](#input\_create\_private\_link) | Whether to create a private link service. | `bool` | `false` | no | | [create\_redis](#input\_create\_redis) | Boolean indicating whether to provision an redis instance (true) or not (false). | `bool` | `false` | no | 
@@ -111,6 +116,7 @@ resources that lack official modules. | [database\_machine\_type](#input\_database\_machine\_type) | Specifies the machine type to be allocated for the database | `string` | `"db-n1-standard-2"` | no | | [database\_sort\_buffer\_size](#input\_database\_sort\_buffer\_size) | Specifies the sort\_buffer\_size value to set for the database | `number` | `67108864` | no | | [database\_version](#input\_database\_version) | Version for MySQL | `string` | `"MYSQL_8_0_31"` | no | +| [db\_kms\_key\_id](#input\_db\_kms\_key\_id) | ID of the customer-provided SQL KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`. | `string` | `null` | no | | [deletion\_protection](#input\_deletion\_protection) | If the instance should have deletion protection enabled. The database / Bucket can't be deleted when this value is set to `true`. | `bool` | `true` | no | | [disable\_code\_saving](#input\_disable\_code\_saving) | Boolean indicating if code saving is disabled | `bool` | `false` | no | | [domain\_name](#input\_domain\_name) | Domain for accessing the Weights & Biases UI. | `string` | `null` | no | @@ -137,6 +143,7 @@ resources that lack official modules. | [resource\_limits](#input\_resource\_limits) | Specifies the resource limits for the wandb deployment | `map(string)` |
{
"cpu": null,
"memory": null
}
| no | | [resource\_requests](#input\_resource\_requests) | Specifies the resource requests for the wandb deployment | `map(string)` |
{
"cpu": "2000m",
"memory": "2G"
}
| no | | [size](#input\_size) | Deployment size for the instance | `string` | `null` | no | +| [sql\_default\_encryption](#input\_sql\_default\_encryption) | Boolean to determine if a default SQL encryption key should be used. If true, a default key will be created. Takes precedence over `db_kms_key_id`. | `bool` | `false` | no | | [ssl](#input\_ssl) | Enable SSL certificate | `bool` | `true` | no | | [stackdriver\_sa\_name](#input\_stackdriver\_sa\_name) | n/a | `string` | `"wandb-stackdriver"` | no | | [subdomain](#input\_subdomain) | Subdomain for accessing the Weights & Biases UI. Default creates record at Route53 Route. | `string` | `null` | no | diff --git a/main.tf b/main.tf index cf9ade46..d8fc32f4 100644 --- a/main.tf +++ b/main.tf @@ -54,8 +54,27 @@ module "kms" { deletion_protection = var.deletion_protection } +module "kms_default_bucket" { + count = var.bucket_default_encryption ? 1 : 0 + source = "./modules/kms" + namespace = var.namespace + deletion_protection = var.deletion_protection + key_location = lower(var.bucket_location) + bind_pubsub_service_to_kms_key = false +} + +module "kms_default_sql" { + count = var.sql_default_encryption ? 1 : 0 + source = "./modules/kms" + namespace = var.namespace + deletion_protection = var.deletion_protection + key_location = data.google_client_config.current.region + bind_pubsub_service_to_kms_key = false +} locals { - crypto_key = var.use_internal_queue ? null : module.kms[0].crypto_key + default_bucket_key = length(module.kms_default_bucket) > 0 ? module.kms_default_bucket[0].crypto_key.id : var.bucket_kms_key_id + default_sql_key = length(module.kms_default_sql) > 0 ? module.kms_default_sql[0].crypto_key.id : var.db_kms_key_id + effective_crypto_key = var.use_internal_queue ? null : (local.default_sql_key != null ? local.default_sql_key : module.kms[0].crypto_key) } module "storage" { 
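Review bot: `key_location = lower(var.bucket_location)` in the new `kms_default_bucket` module does not hold for `bucket_location = "EU"`: the GCS multi-region is `EU` but, as far as I know, the Cloud KMS multi-region is `europe`, so the key ring creation fails there and `US`/`ASIA` only work because the names happen to coincide. A small mapping avoids that, e.g. `key_location = lookup({ EU = "europe" }, upper(var.bucket_location), lower(var.bucket_location))`. In `kms_default_sql`, `key_location = data.google_client_config.current.region` silently assumes the database and Redis instances live in the provider's default region; Cloud SQL and Memorystore CMEK keys must sit in the instance's own region, so a comment such as `# Cloud SQL / Redis CMEK keys must be in the instance region; assumed to be the provider region` would make that coupling explicit.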
@@ -64,13 +83,14 @@ module "storage" { namespace = var.namespace labels = var.labels - create_queue = !var.use_internal_queue - bucket_location = "US" - service_account = module.service_accounts.service_account - crypto_key = local.crypto_key + create_queue = !var.use_internal_queue + bucket_location = var.bucket_location + service_account = module.service_accounts.service_account + bucket_crypto_key = local.default_bucket_key + crypto_key = local.effective_crypto_key deletion_protection = var.deletion_protection - depends_on = [module.project_factory_project_services] + depends_on = [module.project_factory_project_services, module.kms_default_bucket] } module "networking" { @@ -109,8 +129,7 @@ module "app_lb" { service_account = module.service_accounts.service_account labels = var.labels allowed_inbound_cidrs = var.allowed_inbound_cidrs - - depends_on = [module.project_factory_project_services, module.app_gke] + depends_on = [module.project_factory_project_services, module.app_gke] } module "database" { @@ -123,7 +142,8 @@ module "database" { network_connection = local.network_connection deletion_protection = var.deletion_protection labels = var.labels - depends_on = [module.project_factory_project_services] + crypto_key = local.effective_crypto_key + depends_on = [module.project_factory_project_services, module.kms_default_sql] } module "redis" { @@ -135,7 +155,9 @@ module "redis" { network = local.network reserved_ip_range = var.redis_reserved_ip_range labels = var.labels - tier = var.redis_tier + depends_on = [module.project_factory_project_services, module.kms_default_sql] + tier = coalesce(try(local.deployment_size[var.size].cache, null), var.redis_tier) + crypto_key = local.effective_crypto_key } locals { diff --git a/modules/database/main.tf b/modules/database/main.tf index 5b18c8dc..41ec38c9 100644 --- a/modules/database/main.tf +++ b/modules/database/main.tf 
@@ -25,11 +25,16 @@ locals { master_instance_name = "${var.namespace}-${random_pet.mysql.id}" } +data "google_project" "default" { +} + resource "google_sql_database_instance" "default" { name = local.master_instance_name database_version = var.database_version deletion_protection = var.deletion_protection + encryption_key_name = var.crypto_key + settings { tier = var.tier availability_type = var.availability_type diff --git a/modules/database/variables.tf b/modules/database/variables.tf index 2964d984..c5acc1c4 100644 --- a/modules/database/variables.tf +++ b/modules/database/variables.tf @@ -30,6 +30,7 @@ variable "availability_type" { default = "REGIONAL" } + variable "maintenance_window_day" { description = "The day of week (1-7) for the master instance maintenance." type = number @@ -72,3 +73,9 @@ variable "force_ssl" { type = bool default = false } + +variable "crypto_key" { + type = string + default = null + description = "Key used to encrypt and decrypt database." +} \ No newline at end of file diff --git a/modules/kms/main.tf b/modules/kms/main.tf index 0f08ba78..7fceb251 100644 --- a/modules/kms/main.tf +++ b/modules/kms/main.tf @@ -5,7 +5,7 @@ resource "random_pet" "key_ring" { resource "google_kms_key_ring" "default" { name = "${var.namespace}-${random_pet.key_ring.id}" - location = "global" + location = var.key_location } 
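Review bot: `encryption_key_name = var.crypto_key` on `google_sql_database_instance.default` is an immutable attribute, so enabling `sql_default_encryption` or changing `db_kms_key_id` on an existing deployment plans a destroy-and-recreate of the database instance; with `deletion_protection = true` the plan fails, with it `false` the instance and its data are replaced. A comment on that line would warn the next maintainer: `# Immutable: changing the key forces replacement of the instance (data loss unless backed up).`. The new `data "google_project" "default" {}` is not referenced within the hunk; unless something outside it uses it, it can be dropped. The matching `crypto_key` variable description in `modules/database/variables.tf` could also state that the key must be in the instance's region.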
@@ -28,21 +28,27 @@ resource "google_kms_crypto_key" "default" { data "google_project" "project" {} +resource "google_project_service_identity" "gcp_sa_cloud_sql" { + provider = google-beta + project = data.google_project.project.project_id + service = "sqladmin.googleapis.com" +} + resource "google_project_service_identity" "pubsub" { + count = var.bind_pubsub_service_to_kms_key ? 1 : 0 provider = google-beta project = data.google_project.project.project_id service = "pubsub.googleapis.com" } -# PubSub service account must have roles/cloudkms.cryptoKeyEncrypterDecrypter to -# use pubsub topic encryption. -# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic#kms_key_name resource "google_kms_crypto_key_iam_member" "pubsub_service_access" { + count = var.bind_pubsub_service_to_kms_key ? 1 : 0 crypto_key_id = google_kms_crypto_key.default.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - member = "serviceAccount:${google_project_service_identity.pubsub.email}" + member = "serviceAccount:${google_project_service_identity.pubsub[0].email}" } + # Enable notifications by giving the correct IAM permission to the unique # service account. data "google_storage_project_service_account" "default" { 
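Review bot: The hunk removes the only comment explaining why the Pub/Sub service identity needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` (the three `# PubSub service account must have …` lines) without replacing it, and the new `count` gating makes the intent even less obvious; please restore it above `pubsub_service_access`, e.g. `# Pub/Sub needs encrypter/decrypter on the key to use topic CMEK; gated by bind_pubsub_service_to_kms_key.`. The new `google_project_service_identity.gcp_sa_cloud_sql` is created unconditionally, so every instance of this module (root `kms`, `kms_default_bucket`, `kms_default_sql`) declares the same project-level Cloud SQL identity, and the bucket-only key gets a Cloud SQL identity it never uses; gating it with a flag like the existing `bind_pubsub_service_to_kms_key` would keep each module instance to what its key actually needs.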
@@ -52,4 +58,18 @@ resource "google_kms_crypto_key_iam_member" "storage_service_access" { crypto_key_id = google_kms_crypto_key.default.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" member = "serviceAccount:${data.google_storage_project_service_account.default.email_address}" +} + +data "google_storage_project_service_account" "gcs_account" { +} + +resource "google_kms_crypto_key_iam_binding" "crypto_key" { + + crypto_key_id = google_kms_crypto_key.default.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + members = [ + "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}", + "serviceAccount:${google_project_service_identity.gcp_sa_cloud_sql.email}", + "serviceAccount:service-${data.google_project.project.number}@cloud-redis.iam.gserviceaccount.com" + ] } \ No newline at end of file diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf index 9e64a0b5..90fe7325 100644 --- a/modules/kms/outputs.tf +++ b/modules/kms/outputs.tf @@ -1,3 +1,6 @@ output "crypto_key" { value = google_kms_crypto_key.default +} +output "google_kms_crypto_key_iam_binding" { + value = google_kms_crypto_key_iam_binding.crypto_key } \ No newline at end of file diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf index 4ce4e582..ac3328dc 100644 --- a/modules/kms/variables.tf +++ b/modules/kms/variables.tf @@ -7,4 +7,16 @@ variable "deletion_protection" { description = "If the instance should have deletion protection enabled. The database / Bucket can't be deleted when this value is set to `true`." type = bool default = true +} + +variable "key_location" { + type = string + description = "Location where the KMS key will be created." + default = "global" +} + +variable "bind_pubsub_service_to_kms_key" { + type = bool + description = "Whether to bind the Pub/Sub service account to the KMS key for encrypter/decrypter access." + default = true } \ No newline at end of file 
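Review bot: The new authoritative `google_kms_crypto_key_iam_binding.crypto_key` manages `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the same key that the non-authoritative `google_kms_crypto_key_iam_member` resources `storage_service_access` (context lines above) and `pubsub_service_access` (previous hunk) also grant, and its `members` list omits the Pub/Sub identity. When `bind_pubsub_service_to_kms_key` is true, the default used by the root `kms` module, every apply alternates between the binding stripping the Pub/Sub member and the member resource re-adding it, so the queue's topic encryption intermittently loses access and the plan never converges. Additive `google_kms_crypto_key_iam_member` resources with `for_each` for the new agents, dropping the GCS agent that `storage_service_access` already covers, remove the conflict; `output "google_kms_crypto_key_iam_binding"` in `modules/kms/outputs.tf` would then reference the new resource. Granting the Cloud SQL and Redis agents on every key, including the bucket-only one, is wider than needed; a per-service flag like `bind_pubsub_service_to_kms_key` would restore least privilege. `data "google_storage_project_service_account" "gcs_account"` duplicates the existing `default` data source of the same type.
```hcl
# … unchanged: storage_service_access iam_member above already grants the GCS service agent …

# Additive grants (one iam_member per agent) so this does not overwrite the
# pubsub_service_access / storage_service_access members bound to the same role.
resource "google_kms_crypto_key_iam_member" "crypto_key" {
  for_each = {
    cloud_sql = "serviceAccount:${google_project_service_identity.gcp_sa_cloud_sql.email}"
    redis     = "serviceAccount:service-${data.google_project.project.number}@cloud-redis.iam.gserviceaccount.com"
  }
  crypto_key_id = google_kms_crypto_key.default.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = each.value
}
```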
diff --git a/modules/redis/main.tf b/modules/redis/main.tf index f6c526fb..c3740901 100644 --- a/modules/redis/main.tf +++ b/modules/redis/main.tf @@ -6,6 +6,7 @@ resource "google_redis_instance" "default" { display_name = "${var.namespace} W&B Instance" tier = var.tier memory_size_gb = var.memory_size_gb + customer_managed_key = var.crypto_key location_id = data.google_compute_zones.available.names.0 alternative_location_id = data.google_compute_zones.available.names.1 diff --git a/modules/redis/variables.tf b/modules/redis/variables.tf index b7025d0e..53928e0e 100644 --- a/modules/redis/variables.tf +++ b/modules/redis/variables.tf @@ -27,4 +27,10 @@ variable "reserved_ip_range" { variable "tier" { type = string description = "Specifies the tier for this Redis instance" +} + +variable "crypto_key" { + type = string + default = null + description = "Key used to encrypt and decrypt redis." } \ No newline at end of file diff --git a/modules/storage/bucket/main.tf b/modules/storage/bucket/main.tf index b17c6700..678d7d3c 100644 --- a/modules/storage/bucket/main.tf +++ b/modules/storage/bucket/main.tf @@ -5,6 +5,8 @@ locals { resource "random_pet" "file_storage" { length = 2 } +data "google_project" "default" { +} resource "google_storage_bucket" "file_storage" { name = "${var.namespace}-${random_pet.file_storage.id}" @@ -15,6 +17,13 @@ resource "google_storage_bucket" "file_storage" { force_destroy = !var.deletion_protection labels = var.labels + + dynamic "encryption" { + for_each = var.crypto_key != null ? [1] : [] + content { + default_kms_key_name = var.crypto_key + } + } cors { origin = ["*"] @@ -28,4 +37,4 @@ resource "google_storage_bucket_iam_member" "object_admin" { bucket = google_storage_bucket.file_storage.name member = local.sa_member role = "roles/storage.objectAdmin" -} +} \ No newline at end of file diff --git a/modules/storage/bucket/variables.tf b/modules/storage/bucket/variables.tf index 9d987738..e45549cf 100644 
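Review bot: `customer_managed_key = var.crypto_key` on `google_redis_instance.default` is immutable, so turning `sql_default_encryption` on for an existing deployment replaces the Redis instance, and the key must be in the instance's region; a comment such as `# Immutable: changing the key forces replacement; key must be in the instance's region.` keeps that visible. In the `modules/storage/bucket/main.tf` hunk, `default_kms_key_name` only applies to objects written after the change; existing objects stay under their previous encryption, which is worth stating in a comment on the `dynamic "encryption"` block. The `data "google_project" "default" {}` added to the bucket module is not referenced in the hunk and can go unless it is used elsewhere.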
--- a/modules/storage/bucket/variables.tf +++ b/modules/storage/bucket/variables.tf @@ -30,3 +30,9 @@ variable "project_id" { default = null description = "The project ID to deploy to. If unset, the provider's default project is used." } + +variable "crypto_key" { + type = string + default = null + description = "Key used to encrypt and decrypt pubsub." +} \ No newline at end of file diff --git a/modules/storage/main.tf b/modules/storage/main.tf index 20726898..c203c9e9 100644 --- a/modules/storage/main.tf +++ b/modules/storage/main.tf @@ -1,25 +1,22 @@ module "bucket" { - source = "./bucket" - project_id = var.project_id - namespace = var.namespace - labels = var.labels - - bucket_location = var.bucket_location - service_account = var.service_account - + source = "./bucket" + project_id = var.project_id + namespace = var.namespace + labels = var.labels + bucket_location = var.bucket_location + service_account = var.service_account deletion_protection = var.deletion_protection + crypto_key = var.bucket_crypto_key } module "pubsub" { count = var.create_queue ? 1 : 0 - source = "./pubsub" - namespace = var.namespace - labels = var.labels - - bucket = module.bucket.bucket_name - service_account = var.service_account - crypto_key = var.crypto_key - + source = "./pubsub" + namespace = var.namespace + labels = var.labels + bucket = module.bucket.bucket_name + service_account = var.service_account + crypto_key = var.crypto_key deletion_protection = var.deletion_protection } diff --git a/modules/storage/variables.tf b/modules/storage/variables.tf index 03641fca..a4c00ce9 100644 --- a/modules/storage/variables.tf +++ b/modules/storage/variables.tf @@ -36,6 +36,12 @@ variable "crypto_key" { description = "Key used to encrypt and decrypt pubsub." } +variable "bucket_crypto_key" { + type = string + default = null + description = "Key used to encrypt and decrypt storage bucket." +} + variable "project_id" { type = string default = null 
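Review bot: The `crypto_key` variable added to `modules/storage/bucket/variables.tf` is described as `Key used to encrypt and decrypt pubsub.`, copied from the Pub/Sub variable; in this module it becomes the bucket's `default_kms_key_name`. Replace it with `description = "KMS key set as the bucket's default encryption key for newly written objects."`. The `bucket_crypto_key` description in the `modules/storage/variables.tf` hunk is accurate and needs no change.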
diff --git a/variables.tf b/variables.tf index 53530fad..d3478fe7 100644 --- a/variables.tf +++ b/variables.tf @@ -198,6 +198,12 @@ variable "bucket_name" { default = "" } +variable "bucket_location" { + type = string + description = "Location of the bucket (US, EU, ASIA)" + default = "US" +} + ########################################## # K8s # ########################################## @@ -230,6 +236,33 @@ variable "other_wandb_env" { default = {} } +########################################## +# KMS # +########################################## +variable "sql_default_encryption" { + description = "Boolean to determine if a default SQL encryption key should be used. If true, a default key will be created. Takes precedence over `db_kms_key_id`." + type = bool + default = false +} + +variable "bucket_default_encryption" { + description = "Boolean to determine if a default bucket encryption key should be used. If true, a default key will be created. Takes precedence over `bucket_kms_key_id`." + type = bool + default = false +} + +variable "db_kms_key_id" { + description = "ID of the customer-provided SQL KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`." + type = string + default = null +} + +variable "bucket_kms_key_id" { + description = "ID of the customer-provided bucket KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`." + type = string + default = null +} + variable "size" { description = "Deployment size for the instance" type = string From 72d75e263ea11841787e1c53385936cc6224c4bf Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Tue, 23 Jul 2024 15:02:26 +0000 Subject: [PATCH 2/8] chore(release): version 5.1.0 [skip ci] ## [5.1.0](https://github.com/wandb/terraform-google-wandb/compare/v5.0.1...v5.1.0) (2024-07-23) ### Features * Added support for encrypting the database and bucket with CMK ([#100](https://github.com/wandb/terraform-google-wandb/issues/100)) ([7802e3c](https://github.com/wandb/terraform-google-wandb/commit/7802e3ce1f227f3e641d2e1bdb6c01db4de5cac9)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c7073b8..a60bae15 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.1.0](https://github.com/wandb/terraform-google-wandb/compare/v5.0.1...v5.1.0) (2024-07-23) + + +### Features + +* Added support for encrypting the database and bucket with CMK ([#100](https://github.com/wandb/terraform-google-wandb/issues/100)) ([7802e3c](https://github.com/wandb/terraform-google-wandb/commit/7802e3ce1f227f3e641d2e1bdb6c01db4de5cac9)) + ### [5.0.1](https://github.com/wandb/terraform-google-wandb/compare/v5.0.0...v5.0.1) (2024-07-22) From 5d632e4408d91674f1ff33ebae49e6b583e91d72 Mon Sep 17 00:00:00 2001 From: Zachary Blasczyk <77289967+zacharyblasczyk@users.noreply.github.com> Date: Tue, 23 Jul 2024 16:01:02 -0500 Subject: [PATCH 3/8] fix: Tier typo/mistake (#153) --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index d8fc32f4..3824efd0 100644 --- a/main.tf +++ b/main.tf 
@@ -154,10 +154,10 @@ module "redis" { memory_size_gb = coalesce(try(local.deployment_size[var.size].cache, 6)) network = local.network reserved_ip_range = var.redis_reserved_ip_range + tier = var.redis_tier labels = var.labels - depends_on = [module.project_factory_project_services, module.kms_default_sql] - tier = coalesce(try(local.deployment_size[var.size].cache, null), var.redis_tier) crypto_key = local.effective_crypto_key + depends_on = [module.project_factory_project_services, module.kms_default_sql] } locals { From fbd99556ae66ec42505063483ac62c3bca62231e Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 23 Jul 2024 21:01:36 +0000 Subject: [PATCH 4/8] chore(release): version 5.1.1 [skip ci] ### [5.1.1](https://github.com/wandb/terraform-google-wandb/compare/v5.1.0...v5.1.1) (2024-07-23) ### Bug Fixes * Tier typo/mistake ([#153](https://github.com/wandb/terraform-google-wandb/issues/153)) ([5d632e4](https://github.com/wandb/terraform-google-wandb/commit/5d632e4408d91674f1ff33ebae49e6b583e91d72)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a60bae15..68ef07ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [5.1.1](https://github.com/wandb/terraform-google-wandb/compare/v5.1.0...v5.1.1) (2024-07-23) + + +### Bug Fixes + +* Tier typo/mistake ([#153](https://github.com/wandb/terraform-google-wandb/issues/153)) ([5d632e4](https://github.com/wandb/terraform-google-wandb/commit/5d632e4408d91674f1ff33ebae49e6b583e91d72)) + ## [5.1.0](https://github.com/wandb/terraform-google-wandb/compare/v5.0.1...v5.1.0) (2024-07-23) From e68805c0eb7115f3ff13a42d80fdefa0d966024c Mon Sep 17 00:00:00 2001 
From: Zachary Blasczyk <77289967+zacharyblasczyk@users.noreply.github.com> Date: Tue, 23 Jul 2024 16:17:16 -0500 Subject: [PATCH 5/8] fix: Correct Encryption Logic (#154) * Fix: Correct Encryption Logic --- README.md | 4 ++-- main.tf | 11 +++++------ variables.tf | 4 ++-- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index f510899b..1299db71 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ resources that lack official modules. | [allowed\_project\_names](#input\_allowed\_project\_names) | A map of allowed projects where each key is a project number and the value is the connection limit. | `map(number)` | `{}` | no | | [app\_wandb\_env](#input\_app\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no | | [bucket\_default\_encryption](#input\_bucket\_default\_encryption) | Boolean to determine if a default bucket encryption key should be used. If true, a default key will be created. Takes precedence over `bucket_kms_key_id`. | `bool` | `false` | no | -| [bucket\_kms\_key\_id](#input\_bucket\_kms\_key\_id) | ID of the customer-provided bucket KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`. | `string` | `null` | no | +| [bucket\_kms\_key\_id](#input\_bucket\_kms\_key\_id) | ID of the customer-provided bucket KMS key. | `string` | `null` | no | | [bucket\_location](#input\_bucket\_location) | Location of the bucket (US, EU, ASIA) | `string` | `"US"` | no | | [bucket\_name](#input\_bucket\_name) | Use an existing bucket. | `string` | `""` | no | | [create\_private\_link](#input\_create\_private\_link) | Whether to create a private link service. | `bool` | `false` | no | 
@@ -116,7 +116,7 @@ resources that lack official modules. | [database\_machine\_type](#input\_database\_machine\_type) | Specifies the machine type to be allocated for the database | `string` | `"db-n1-standard-2"` | no | | [database\_sort\_buffer\_size](#input\_database\_sort\_buffer\_size) | Specifies the sort\_buffer\_size value to set for the database | `number` | `67108864` | no | | [database\_version](#input\_database\_version) | Version for MySQL | `string` | `"MYSQL_8_0_31"` | no | -| [db\_kms\_key\_id](#input\_db\_kms\_key\_id) | ID of the customer-provided SQL KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`. | `string` | `null` | no | +| [db\_kms\_key\_id](#input\_db\_kms\_key\_id) | ID of the customer-provided SQL KMS key. | `string` | `null` | no | | [deletion\_protection](#input\_deletion\_protection) | If the instance should have deletion protection enabled. The database / Bucket can't be deleted when this value is set to `true`. | `bool` | `true` | no | | [disable\_code\_saving](#input\_disable\_code\_saving) | Boolean indicating if code saving is disabled | `bool` | `false` | no | | [domain\_name](#input\_domain\_name) | Domain for accessing the Weights & Biases UI. | `string` | `null` | no | diff --git a/main.tf b/main.tf index 3824efd0..0775679a 100644 --- a/main.tf +++ b/main.tf 
@@ -72,9 +72,8 @@ module "kms_default_sql" { bind_pubsub_service_to_kms_key = false } locals { - default_bucket_key = length(module.kms_default_bucket) > 0 ? module.kms_default_bucket[0].crypto_key.id : var.bucket_kms_key_id - default_sql_key = length(module.kms_default_sql) > 0 ? module.kms_default_sql[0].crypto_key.id : var.db_kms_key_id - effective_crypto_key = var.use_internal_queue ? null : (local.default_sql_key != null ? local.default_sql_key : module.kms[0].crypto_key) + default_bucket_key = length(module.kms_default_bucket) > 0 ? module.kms_default_bucket[0].crypto_key.id : var.bucket_kms_key_id + default_sql_key = length(module.kms_default_sql) > 0 ? module.kms_default_sql[0].crypto_key.id : var.db_kms_key_id } module "storage" { @@ -87,7 +86,7 @@ module "storage" { bucket_location = var.bucket_location service_account = module.service_accounts.service_account bucket_crypto_key = local.default_bucket_key - crypto_key = local.effective_crypto_key + crypto_key = var.use_internal_queue ? null : module.kms[0].crypto_key deletion_protection = var.deletion_protection depends_on = [module.project_factory_project_services, module.kms_default_bucket] @@ -142,7 +141,7 @@ module "database" { network_connection = local.network_connection deletion_protection = var.deletion_protection labels = var.labels - crypto_key = local.effective_crypto_key + crypto_key = local.default_sql_key depends_on = [module.project_factory_project_services, module.kms_default_sql] } @@ -156,7 +155,7 @@ module "redis" { reserved_ip_range = var.redis_reserved_ip_range tier = var.redis_tier labels = var.labels - crypto_key = local.effective_crypto_key + crypto_key = local.default_sql_key depends_on = [module.project_factory_project_services, module.kms_default_sql] } diff --git a/variables.tf b/variables.tf index d3478fe7..c78cea32 100644 --- a/variables.tf +++ b/variables.tf 
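Review bot: With `crypto_key = local.default_sql_key` and `bucket_crypto_key = local.default_bucket_key`, a customer-provided `db_kms_key_id` or `bucket_kms_key_id` is handed straight to Cloud SQL, Redis and GCS, but nothing in this module grants those service agents `roles/cloudkms.cryptoKeyEncrypterDecrypter` on it — the grants in `modules/kms` only cover keys the module creates — so the apply fails with a permission error unless the caller pre-granted them. Either add `google_kms_crypto_key_iam_member` resources for the provided key ids or state the prerequisite in the variable descriptions in the `variables.tf` hunk that follows, e.g. `ID of the customer-provided SQL KMS key. The Cloud SQL and Memorystore service agents must already hold roles/cloudkms.cryptoKeyEncrypterDecrypter on it, and it must be in the instance region.`. The same local is now passed to both the database and the redis modules, so the name `default_sql_key` undersells its scope; a comment on the local naming both consumers would help.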
@@ -252,13 +252,13 @@ variable "bucket_default_encryption" { } variable "db_kms_key_id" { - description = "ID of the customer-provided SQL KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`." + description = "ID of the customer-provided SQL KMS key." type = string default = null } variable "bucket_kms_key_id" { - description = "ID of the customer-provided bucket KMS key. If not provided (empty string), the module will create a new key unless `use_internal_queue` is `true`." + description = "ID of the customer-provided bucket KMS key." type = string default = null } From c829e9af0e29bfac9a338c9b865df5f3567685bf Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 23 Jul 2024 21:17:47 +0000 Subject: [PATCH 6/8] chore(release): version 5.1.2 [skip ci] ### [5.1.2](https://github.com/wandb/terraform-google-wandb/compare/v5.1.1...v5.1.2) (2024-07-23) ### Bug Fixes * Correct Encryption Logic ([#154](https://github.com/wandb/terraform-google-wandb/issues/154)) ([e68805c](https://github.com/wandb/terraform-google-wandb/commit/e68805c0eb7115f3ff13a42d80fdefa0d966024c)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68ef07ff..ab996fc5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [5.1.2](https://github.com/wandb/terraform-google-wandb/compare/v5.1.1...v5.1.2) (2024-07-23) + + +### Bug Fixes + +* Correct Encryption Logic ([#154](https://github.com/wandb/terraform-google-wandb/issues/154)) ([e68805c](https://github.com/wandb/terraform-google-wandb/commit/e68805c0eb7115f3ff13a42d80fdefa0d966024c)) + ### [5.1.1](https://github.com/wandb/terraform-google-wandb/compare/v5.1.0...v5.1.1) (2024-07-23) From 2262da2f1a36647194c9f8292814798f15cb33a1 Mon Sep 17 00:00:00 2001 
From: Zachary Blasczyk <77289967+zacharyblasczyk@users.noreply.github.com> Date: Thu, 25 Jul 2024 16:45:07 -0500 Subject: [PATCH 7/8] fix: Typo on SA Member (#155) --- modules/service_accounts/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf index 453e3e52..824dae01 100644 --- a/modules/service_accounts/main.tf +++ b/modules/service_accounts/main.tf @@ -101,7 +101,7 @@ resource "google_project_iam_member" "storage" { resource "google_storage_bucket_iam_member" "gcs_admin" { count = var.create_workload_identity == true && var.bucket_name != "" ? 1 : 0 bucket = var.bucket_name - member = google_service_account.kms_gcs_sa[0].email + member = "serviceAccount:${google_service_account.kms_gcs_sa[0].email}" role = "roles/storage.objectAdmin" } From 861187e93cbc3ccba8509228f0ec2dbd6d38cd10 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 25 Jul 2024 21:45:36 +0000 Subject: [PATCH 8/8] chore(release): version 5.1.3 [skip ci] ### [5.1.3](https://github.com/wandb/terraform-google-wandb/compare/v5.1.2...v5.1.3) (2024-07-25) ### Bug Fixes * Typo on SA Member ([#155](https://github.com/wandb/terraform-google-wandb/issues/155)) ([2262da2](https://github.com/wandb/terraform-google-wandb/commit/2262da2f1a36647194c9f8292814798f15cb33a1)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ab996fc5..22e48cc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [5.1.3](https://github.com/wandb/terraform-google-wandb/compare/v5.1.2...v5.1.3) (2024-07-25) + + +### Bug Fixes + +* Typo on SA Member ([#155](https://github.com/wandb/terraform-google-wandb/issues/155)) ([2262da2](https://github.com/wandb/terraform-google-wandb/commit/2262da2f1a36647194c9f8292814798f15cb33a1)) + ### [5.1.2](https://github.com/wandb/terraform-google-wandb/compare/v5.1.1...v5.1.2) (2024-07-23)