Start of database encryption, permissions not working.
This commit is contained in:
parent
940045b321
commit
00a727be43
68
main.tf
68
main.tf
@ -22,7 +22,59 @@ provider "google" {
|
|||||||
zone = var.zone
|
zone = var.zone
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_project_service" "gke" {
|
#################### KMS ##################################
|
||||||
|
|
||||||
|
resource "google_project_service" "cloudkms" {
|
||||||
|
project = var.project
|
||||||
|
service = "cloudkms.googleapis.com"
|
||||||
|
disable_dependent_services = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_kms_key_ring" "gke_db" {
|
||||||
|
project = var.project
|
||||||
|
name = "gke-db"
|
||||||
|
location = var.region
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
prevent_destroy = true
|
||||||
|
}
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_project_service.cloudkms
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_kms_key_ring_iam_policy" "gke_db" {
|
||||||
|
key_ring_id = google_kms_key_ring.gke_db.id
|
||||||
|
policy_data = data.google_iam_policy.gke_db.policy_data
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_kms_crypto_key" "gke_db" {
|
||||||
|
name = "gke-db-key"
|
||||||
|
key_ring = google_kms_key_ring.gke_db.id
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
prevent_destroy = true
|
||||||
|
}
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_project_service.cloudkms
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
data "google_iam_policy" "gke_db" {
|
||||||
|
binding {
|
||||||
|
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||||
|
|
||||||
|
members = [
|
||||||
|
"serviceAccount:${google_service_account.gke.email}",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#################### GKE ##################################
|
||||||
|
|
||||||
|
resource "google_project_service" "container" {
|
||||||
project = var.project
|
project = var.project
|
||||||
service = "container.googleapis.com"
|
service = "container.googleapis.com"
|
||||||
disable_dependent_services = true
|
disable_dependent_services = true
|
||||||
@ -42,6 +94,16 @@ resource "google_container_cluster" "primary" {
|
|||||||
remove_default_node_pool = true
|
remove_default_node_pool = true
|
||||||
initial_node_count = 1
|
initial_node_count = 1
|
||||||
enable_shielded_nodes = true
|
enable_shielded_nodes = true
|
||||||
|
|
||||||
|
database_encryption {
|
||||||
|
state = "ENCRYPTED"
|
||||||
|
key_name = google_kms_crypto_key.gke_db.self_link
|
||||||
|
}
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_project_service.container,
|
||||||
|
google_kms_key_ring_iam_policy.gke_db
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_container_node_pool" "primary" {
|
resource "google_container_node_pool" "primary" {
|
||||||
@ -70,4 +132,8 @@ resource "google_container_node_pool" "primary" {
|
|||||||
|
|
||||||
tags = []
|
tags = []
|
||||||
}
|
}
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_project_service.container
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
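Review bot: The binding in data "google_iam_policy" "gke_db" grants roles/cloudkms.cryptoKeyEncrypterDecrypter to the node service account (google_service_account.gke), but the identity that encrypts etcd secrets for database_encryption is the Kubernetes Engine service agent, service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com, which is the likely cause of the "permissions not working" in the commit title. google_kms_key_ring_iam_policy is also authoritative for the whole key ring, so it overwrites any other binding on that ring; a google_kms_crypto_key_iam_member scoped to the single crypto key is the least-privilege form and leaves other bindings untouched. With that change the cluster's depends_on should name `google_kms_crypto_key_iam_member.gke_db` instead of `google_kms_key_ring_iam_policy.gke_db`. Consider also `rotation_period = "7776000s"` on google_kms_crypto_key "gke_db" so a key protected by prevent_destroy is still rotated, and confirm that `key_name` accepts the crypto key's `self_link` in the provider version in use, since `id` is the projects/…/cryptoKeys/… path the cluster expects.
```hcl
# GKE application-layer secrets encryption is performed by the Kubernetes Engine
# service agent, not by the node service account; grant it on this key only.
data "google_project" "current" {
  project_id = var.project
}

resource "google_kms_crypto_key_iam_member" "gke_db" {
  crypto_key_id = google_kms_crypto_key.gke_db.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@container-engine-robot.iam.gserviceaccount.com"
}

# … unchanged: google_project_service, google_kms_key_ring, google_kms_crypto_key …
```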