From 00a727be430d3c7db360dc946231e095dbb49035 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Thu, 8 Jul 2021 21:43:49 -0400
Subject: [PATCH] Start of database encryption, permissions not working.
---
 main.tf | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index d583057..9322993 100644
--- a/main.tf
+++ b/main.tf
@@ -22,7 +22,59 @@ provider "google" {
 zone = var.zone
 }

-resource "google_project_service" "gke" {
+#################### KMS ##################################
+
+resource "google_project_service" "cloudkms" {
+ project = var.project
+ service = "cloudkms.googleapis.com"
+ disable_dependent_services = true
+}
+
+resource "google_kms_key_ring" "gke_db" {
+ project = var.project
+ name = "gke-db"
+ location = var.region
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
+ depends_on = [
+ google_project_service.cloudkms
+ ]
+}
+
+resource "google_kms_key_ring_iam_policy" "gke_db" {
+ key_ring_id = google_kms_key_ring.gke_db.id
+ policy_data = data.google_iam_policy.gke_db.policy_data
+}
+
+resource "google_kms_crypto_key" "gke_db" {
+ name = "gke-db-key"
+ key_ring = google_kms_key_ring.gke_db.id
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
+ depends_on = [
+ google_project_service.cloudkms
+ ]
+}
+
+data "google_iam_policy" "gke_db" {
+ binding {
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+ members = [
+ "serviceAccount:${google_service_account.gke.email}",
+ ]
+ }
+}
+
+#################### GKE ##################################
+
+resource "google_project_service" "container" {
 project = var.project
 service = "container.googleapis.com"
 disable_dependent_services = true
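Review bot: The `data "google_iam_policy" "gke_db"` binding grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to `google_service_account.gke` (defined outside this hunk, presumably the node-pool service account), but GKE application-layer secrets encryption is performed by the cluster control plane using the project's Kubernetes Engine service agent, `service-<PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com`, which is most likely why the commit message says the permissions are not working. Add `data "google_project" "project" { project = var.project }` and bind that agent instead: `"serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"`. Two smaller points: `google_kms_key_ring_iam_policy` is authoritative for the whole ring and every key in it, so a key-scoped `google_kms_crypto_key_iam_member` on `google_kms_crypto_key.gke_db` is the least-privilege form and will not wipe bindings added outside Terraform; and the crypto key sets no `rotation_period`, so consider `rotation_period = "7776000s"` with a comment that older key versions must stay enabled because existing etcd secrets were encrypted under them.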
@@ -42,6 +94,16 @@ resource "google_container_cluster" "primary" {
 remove_default_node_pool = true
 initial_node_count = 1
 enable_shielded_nodes = true
+
+ database_encryption {
+ state = "ENCRYPTED"
+ key_name = google_kms_crypto_key.gke_db.self_link
+ }
+
+ depends_on = [
+ google_project_service.container,
+ google_kms_key_ring_iam_policy.gke_db
+ ]
 }

 resource "google_container_node_pool" "primary" {
@@ -70,4 +132,8 @@ resource "google_container_node_pool" "primary" {
 tags = []
 }
+
+ depends_on = [
+ google_project_service.container
+ ]
 }
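Review bot: `depends_on = [google_kms_key_ring_iam_policy.gke_db]` on the cluster orders resource creation but does not wait for the IAM binding to propagate, so a create that starts immediately after the binding is written can still fail with a permission error even once the right principal is bound; a retry or short wait after the IAM change is the usual workaround. Separately, the key ring is created at `var.region` while the cluster's `location` is not visible in this hunk; GKE requires the database-encryption key to be in the cluster's region, so a zonal cluster in `var.zone` must sit in a zone of `var.region`. Record both constraints above the new block, e.g. `# Key must be in the cluster's region and the GKE service agent must hold cryptoKeyEncrypterDecrypter on it before the cluster is created.` The `google_container_cluster` block starts outside the hunk.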