|
|
|
@ -22,7 +22,59 @@ provider "google" {
|
|
|
|
|
zone = var.zone
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_project_service" "gke" {
|
|
|
|
|
#################### KMS ##################################
|
|
|
|
|
|
|
|
|
|
resource "google_project_service" "cloudkms" {
|
|
|
|
|
project = var.project
|
|
|
|
|
service = "cloudkms.googleapis.com"
|
|
|
|
|
disable_dependent_services = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_kms_key_ring" "gke_db" {
|
|
|
|
|
project = var.project
|
|
|
|
|
name = "gke-db"
|
|
|
|
|
location = var.region
|
|
|
|
|
|
|
|
|
|
lifecycle {
|
|
|
|
|
prevent_destroy = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [
|
|
|
|
|
google_project_service.cloudkms
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_kms_key_ring_iam_policy" "gke_db" {
|
|
|
|
|
key_ring_id = google_kms_key_ring.gke_db.id
|
|
|
|
|
policy_data = data.google_iam_policy.gke_db.policy_data
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_kms_crypto_key" "gke_db" {
|
|
|
|
|
name = "gke-db-key"
|
|
|
|
|
key_ring = google_kms_key_ring.gke_db.id
|
|
|
|
|
|
|
|
|
|
lifecycle {
|
|
|
|
|
prevent_destroy = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [
|
|
|
|
|
google_project_service.cloudkms
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data "google_iam_policy" "gke_db" {
|
|
|
|
|
binding {
|
|
|
|
|
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
|
|
|
|
|
|
|
|
|
members = [
|
|
|
|
|
"serviceAccount:${google_service_account.gke.email}",
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#################### GKE ##################################
|
|
|
|
|
|
|
|
|
|
resource "google_project_service" "container" {
|
|
|
|
|
project = var.project
|
|
|
|
|
service = "container.googleapis.com"
|
|
|
|
|
disable_dependent_services = true
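Review bot: The binding in `data "google_iam_policy" "gke_db"` is applied through `google_kms_key_ring_iam_policy`, which is authoritative: every apply replaces the whole key-ring policy with this single binding, so any principal granted out of band (including whatever Google service agents need on the ring) is silently removed. The member it grants is `google_service_account.gke` (defined outside this hunk, presumably the node service account), but GKE's application-layer secrets encryption is performed by the Kubernetes Engine service agent (`service-<PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com`), which is the identity that needs `roles/cloudkms.cryptoKeyEncrypterDecrypter`; if that agent is not bound the cluster create at hunk 2 will be rejected, and the node SA gets a key permission it does not use. A non-authoritative, key-scoped `google_kms_crypto_key_iam_member` is the least-privilege form, and `google_kms_crypto_key` should carry a `rotation_period` so the key is rotated automatically. The cluster's `depends_on` entry `google_kms_key_ring_iam_policy.gke_db` in hunk 2 would then point at the new resource.
```hcl
resource "google_kms_crypto_key" "gke_db" {
  name            = "gke-db-key"
  key_ring        = google_kms_key_ring.gke_db.id
  rotation_period = "7776000s" # 90 days; adjust to policy
  # … unchanged: lifecycle, depends_on …
}

# Non-authoritative, scoped to the key: other bindings on the ring are left intact.
# The GKE service agent is the principal that encrypts etcd secrets with this key.
# PROJECT_NUMBER is a placeholder for the project's numeric id (e.g. from a google_project data source).
resource "google_kms_crypto_key_iam_member" "gke_db" {
  crypto_key_id = google_kms_crypto_key.gke_db.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com"
}
```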
|
|
|
|
@ -42,6 +94,16 @@ resource "google_container_cluster" "primary" {
|
|
|
|
|
remove_default_node_pool = true
|
|
|
|
|
initial_node_count = 1
|
|
|
|
|
enable_shielded_nodes = true
|
|
|
|
|
|
|
|
|
|
database_encryption {
|
|
|
|
|
state = "ENCRYPTED"
|
|
|
|
|
key_name = google_kms_crypto_key.gke_db.self_link
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [
|
|
|
|
|
google_project_service.container,
|
|
|
|
|
google_kms_key_ring_iam_policy.gke_db
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "google_container_node_pool" "primary" {
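Review bot: The `depends_on` on `google_kms_key_ring_iam_policy.gke_db` only orders resource creation; it does not wait for the IAM grant to become effective, and KMS permission changes can take a few minutes to propagate, so a first apply that creates the policy and the cluster in one run can still fail at `database_encryption` with a permission error. That is worth stating next to the block so the next person does not remove the dependency or the encryption block on seeing a transient failure, e.g. `# KMS access must be granted before create; IAM propagation is eventually consistent, so a first apply may need a retry (or a short delay resource) rather than a config change`. The `resource "google_container_cluster" "primary"` block starts before this hunk, so attributes above `remove_default_node_pool` were not reviewed.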
|
|
|
|
@ -70,4 +132,8 @@ resource "google_container_node_pool" "primary" {
|
|
|
|
|
|
|
|
|
|
tags = []
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [
|
|
|
|
|
google_project_service.container
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
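Review bot: The new `depends_on = [google_project_service.container]` on the node pool is most likely redundant: a node pool normally references the cluster it belongs to, and the cluster already depends on `google_project_service.container` in hunk 2, so the ordering is implied transitively. If the node pool's `cluster` attribute (defined above this hunk) is a reference to `google_container_cluster.primary`, the explicit dependency can be dropped; if it is a plain string, keep it and say why with `# cluster is referenced by name, so the API enablement is not an implicit dependency`.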