Database encryption working.
This commit is contained in:
parent
00a727be43
commit
e531077596
31
main.tf
31
main.tf
@ -1,3 +1,16 @@
|
|||||||
|
terraform {
|
||||||
|
required_providers {
|
||||||
|
google = {
|
||||||
|
source = "hashicorp/google"
|
||||||
|
version = "3.74.0"
|
||||||
|
}
|
||||||
|
random = {
|
||||||
|
source = "hashicorp/random"
|
||||||
|
version = "3.1.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
variable "project" {
|
variable "project" {
|
||||||
description = "Project ID."
|
description = "Project ID."
|
||||||
type = string
|
type = string
|
||||||
@ -22,6 +35,10 @@ provider "google" {
|
|||||||
zone = var.zone
|
zone = var.zone
|
||||||
}
|
}
|
||||||
|
|
||||||
|
data "google_project" "project" {
|
||||||
|
project = var.project
|
||||||
|
}
|
||||||
|
|
||||||
#################### KMS ##################################
|
#################### KMS ##################################
|
||||||
|
|
||||||
resource "google_project_service" "cloudkms" {
|
resource "google_project_service" "cloudkms" {
|
||||||
@ -30,9 +47,13 @@ resource "google_project_service" "cloudkms" {
|
|||||||
disable_dependent_services = true
|
disable_dependent_services = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "random_id" "gke_db" {
|
||||||
|
byte_length = 4
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_kms_key_ring" "gke_db" {
|
resource "google_kms_key_ring" "gke_db" {
|
||||||
project = var.project
|
project = var.project
|
||||||
name = "gke-db"
|
name = "gke-db-${random_id.gke_db.hex}"
|
||||||
location = var.region
|
location = var.region
|
||||||
|
|
||||||
lifecycle {
|
lifecycle {
|
||||||
@ -47,6 +68,10 @@ resource "google_kms_key_ring" "gke_db" {
|
|||||||
resource "google_kms_key_ring_iam_policy" "gke_db" {
|
resource "google_kms_key_ring_iam_policy" "gke_db" {
|
||||||
key_ring_id = google_kms_key_ring.gke_db.id
|
key_ring_id = google_kms_key_ring.gke_db.id
|
||||||
policy_data = data.google_iam_policy.gke_db.policy_data
|
policy_data = data.google_iam_policy.gke_db.policy_data
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_project_service.cloudkms
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_kms_crypto_key" "gke_db" {
|
resource "google_kms_crypto_key" "gke_db" {
|
||||||
@ -58,7 +83,7 @@ resource "google_kms_crypto_key" "gke_db" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
depends_on = [
|
depends_on = [
|
||||||
google_project_service.cloudkms
|
google_project_service.container
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -67,7 +92,7 @@ data "google_iam_policy" "gke_db" {
|
|||||||
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||||
|
|
||||||
members = [
|
members = [
|
||||||
"serviceAccount:${google_service_account.gke.email}",
|
"serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
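Review bot: The new member in the last hunk grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to the GKE service agent through `google_kms_key_ring_iam_policy`, which is authoritative for the whole ring: every key later created under `gke-db-*` becomes usable by the agent, and any binding set on the ring outside Terraform is overwritten on apply. For database encryption the agent only needs the one crypto key, so an additive, key-scoped `google_kms_crypto_key_iam_member` is the tighter grant and also drops the need for the `data "google_iam_policy" "gke_db"` document (that data block starts outside the visible lines). Separately, the crypto key's `depends_on` in the fourth hunk swaps `google_project_service.cloudkms` for `google_project_service.container` instead of adding it; unless the key ring resource itself declares the cloudkms dependency (its visible lines do not show one), creating the key on a fresh project can race the API enablement, so `google_project_service.cloudkms,` should stay in that list. The `random_id` suffix on the ring name is sensible given that key rings cannot be deleted, but a one-line comment such as `# suffix avoids collisions with undeletable key rings from earlier applies` would save the next reader from removing it.
```hcl
# Key-scoped, additive binding; replaces the ring-wide google_kms_key_ring_iam_policy "gke_db"
# and the data "google_iam_policy" "gke_db" document that fed it.
resource "google_kms_crypto_key_iam_member" "gke_db" {
  crypto_key_id = google_kms_crypto_key.gke_db.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
}
```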
|