chore: Attach KMS Key in Safer IAP GKE cluster #1614

Merged
merged 12 commits into from
May 23, 2023

Conversation

avinashkumar1289
Contributor
@avinashkumar1289 avinashkumar1289 commented Apr 23, 2023

This request has changes:

  1. KMS.tf file : Generating a new KMS Key in the GKE Project
  2. Attaching the key to GKE cluster for application encryption

@avinashkumar1289 avinashkumar1289 changed the title Avinashjha/gke kms feat: Support for KMS in Safer IAP cluster Apr 23, 2023
@Jberlinsky
Contributor

To be clear -- this PR does not create new support for KMS, it just adds an example of providing a KMS key to the existing module. Is that the intent?

@avinashkumar1289
Contributor Author

Yes, so it provides an example of creating a KMS key and attaching the key to GKE; that's the intent.

@avinashkumar1289 avinashkumar1289 changed the title feat: Support for KMS in Safer IAP cluster feat: Attach KMS Key in Safer IAP GKE cluster Apr 24, 2023
@bharathkkb
Member

/gcbrun

Member

@bharathkkb bharathkkb left a comment

Thanks for the PR @avinashkumar1289

Comment on lines 17 to 22
data "google_project" "project" {}

locals {
  gke_sa = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
}

Member

We can generate this using service identities from the project services module in apis.tf and use the enabled_api_identities output to retrieve the sa email.

Contributor Author

@avinashkumar1289 avinashkumar1289 May 11, 2023

Hi @bharathkkb, thanks for the response. activate_api_identities requires the api and the role. I can pass the api, but what should be the role I need to pass? Because this service account needs the KMS encrypter/decrypter role, which is taken care of in the KMS module.
Something like this:

encrypters = [
  "serviceAccount:${module.enabled_google_apis.enabled_api_identities["container.googleapis.com"]}",
]
decrypters = [
  "serviceAccount:${module.enabled_google_apis.enabled_api_identities["container.googleapis.com"]}",
]

activate_api_identities = [{
  api   = "container.googleapis.com",
  roles = [????],
}]

Contributor Author

@avinashkumar1289 avinashkumar1289 May 22, 2023

Updating the role at api_identities and removed the role from the KMS module.
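
The wiring discussed in this thread (the GKE service agent created and granted its KMS role through the project_services module's activate_api_identities, the keyring and key inlined in kms.tf rather than exposed as variables, and the key attached to the cluster for application-layer secrets encryption), as an added example that is not the PR's or the project's own code. Module versions, the project_id/region values and the network names are placeholders; it assumes the project_services module exposes activate_api_identities and an enabled_api_identities output, that the kms module exposes keyring/keys inputs and a keys output keyed by key name, and that the safer-cluster module accepts database_encryption, as the reviewers describe.

```hcl
# Added example, not the PR's own code. Placeholder values: var.project_id,
# var.region, network/subnet names and module version constraints.

module "enabled_google_apis" {
  source  = "terraform-google-modules/project-factory/google//modules/project_services"
  version = "~> 14.0" # assumption: any version exposing activate_api_identities

  project_id                  = var.project_id
  disable_services_on_destroy = false

  activate_apis = [
    "container.googleapis.com",
    "cloudkms.googleapis.com",
    "iap.googleapis.com",
  ]

  # Creates the GKE service agent
  # (service-<project-number>@container-engine-robot.iam.gserviceaccount.com)
  # and binds the KMS role to it at project scope, so the kms module below
  # no longer needs encrypters/decrypters for it.
  activate_api_identities = [{
    api   = "container.googleapis.com"
    roles = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
  }]
}

# Keyring and key names are inlined here instead of being module variables,
# as requested in review.
module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 2.2" # assumption: any version with keyring/keys inputs and keys output

  project_id = module.enabled_google_apis.project_id
  location   = var.region
  keyring    = "gke-keyring"
  keys       = ["gke-key"]

  # Example only: keep the default (true) for a real cluster, since destroying
  # the key makes every secret encrypted under it unrecoverable.
  prevent_destroy = false
}

# The service agent email is still available if something else needs it,
# without a separate google_project data source:
locals {
  gke_sa = "serviceAccount:${module.enabled_google_apis.enabled_api_identities["container.googleapis.com"]}"
}

module "gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster"
  version = "~> 26.0" # assumption: any version accepting database_encryption

  project_id        = module.enabled_google_apis.project_id
  name              = "safer-iap-cluster"
  region            = var.region
  network           = "gke-network"       # placeholder
  subnetwork        = "gke-subnet"        # placeholder
  ip_range_pods     = "gke-pods"          # placeholder secondary range name
  ip_range_services = "gke-services"      # placeholder secondary range name

  # Application-layer encryption of Kubernetes Secrets in etcd with the
  # Cloud KMS key; the control plane uses the service agent granted above.
  database_encryption = [{
    state    = "ENCRYPTED"
    key_name = module.kms.keys["gke-key"]
  }]
}
```

Two caveats worth checking on a real deployment. First, the role bound via activate_api_identities is a project-level binding, so the GKE service agent can use every key in the project; the kms module's encrypters/decrypters inputs (what the PR originally used) bind the role on the individual key, which is the tighter grant, so pick the project-level route only if that scope is acceptable. Second, after apply, confirm the cluster actually reports the key with `gcloud container clusters describe <name> --region <region> --format='value(databaseEncryption)'`; if the IAM binding is missing, or the key is disabled or destroyed later, cluster operations fail rather than silently falling back to unencrypted secrets.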

Comment on lines 73 to 83
variable "keyring" {
  description = "Keyring name."
  type        = string
  default     = "gke-keyring"
}

variable "keys" {
  description = "Key names."
  type        = list(string)
  default     = ["gke-key"]
}
Member

We are transitioning to inline these variables so you can directly provide them in kms.tf

Contributor Author

@bharathkkb updated the comment

@bharathkkb bharathkkb changed the title feat: Attach KMS Key in Safer IAP GKE cluster chore: Attach KMS Key in Safer IAP GKE cluster May 11, 2023
@bharathkkb
Member

/gcbrun

@bharathkkb bharathkkb merged commit e87044f into terraform-google-modules:master May 23, 2023
2 of 3 checks passed
@avinashkumar1289 avinashkumar1289 deleted the avinashjha/gke-kms branch May 24, 2023 03:25
3 participants