Start of database encryption, permissions not working.

2021-07-08 21:43:49 -04:00 · 2021-07-08 21:43:49 -04:00 · 00a727be43
commit 00a727be43
parent 940045b321
1 changed files with 67 additions and 1 deletions
--- a/main.tf
+++ b/main.tf
@ -22,7 +22,59 @@ provider "google" {
  zone    = var.zone
 }

-resource "google_project_service" "gke" {
+#################### KMS ##################################
+
+resource "google_project_service" "cloudkms" {
+  project                    = var.project
+  service                    = "cloudkms.googleapis.com"
+  disable_dependent_services = true
+}
+
+resource "google_kms_key_ring" "gke_db" {
+  project  = var.project
+  name     = "gke-db"
+  location = var.region
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  depends_on = [
+    google_project_service.cloudkms
+  ]
+}
+
+resource "google_kms_key_ring_iam_policy" "gke_db" {
+  key_ring_id = google_kms_key_ring.gke_db.id
+  policy_data = data.google_iam_policy.gke_db.policy_data
+}
+
+resource "google_kms_crypto_key" "gke_db" {
+  name     = "gke-db-key"
+  key_ring = google_kms_key_ring.gke_db.id
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  depends_on = [
+    google_project_service.cloudkms
+  ]
+}
+
+data "google_iam_policy" "gke_db" {
+  binding {
+    role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+    members = [
+      "serviceAccount:${google_service_account.gke.email}",
+    ]
+  }
+}
+
+#################### GKE ##################################
+
+resource "google_project_service" "container" {
  project                    = var.project
  service                    = "container.googleapis.com"
  disable_dependent_services = true
@ -42,6 +94,16 @@ resource "google_container_cluster" "primary" {
  remove_default_node_pool = true
  initial_node_count       = 1
  enable_shielded_nodes    = true
+
+  database_encryption {
+    state    = "ENCRYPTED"
+    key_name = google_kms_crypto_key.gke_db.self_link
+  }
+
+  depends_on = [
+    google_project_service.container,
+    google_kms_key_ring_iam_policy.gke_db
+  ]
 }

 resource "google_container_node_pool" "primary" {
@ -70,4 +132,8 @@ resource "google_container_node_pool" "primary" {

    tags = []
  }
+
+  depends_on = [
+    google_project_service.container
+  ]
 }