From e8fd42b09501d7d1d387bf1f1cb163efc8cca2f2 Mon Sep 17 00:00:00 2001
From: Petri Autero
Date: Tue, 24 Sep 2019 10:18:21 +0300
Subject: [PATCH 1/2] Add database encryption

---
 modules/gke-cluster/main.tf | 14 +++++++++++++-
 modules/gke-cluster/variables.tf | 6 ++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index 1926114..393a22a 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -133,7 +133,7 @@ resource "google_container_cluster" "cluster" {
     ]
   }
 
-  # If a var.gsuite_domain_name is non-empty, initialize the cluster with a G Suite security group
+  # If var.gsuite_domain_name is non-empty, initialize the cluster with a G Suite security group
   dynamic "authenticator_groups_config" {
     for_each = [
       for x in [var.gsuite_domain_name] : x if var.gsuite_domain_name != null
@@ -143,6 +143,18 @@ resource "google_container_cluster" "cluster" {
       security_group = "gke-security-groups@${authenticator_groups_config.value}"
     }
   }
+
+  # If var.secrets_encryption_kms_key is non-empty, create ´database_encryption´ -block to encrypt secrets at rest in etcd
+  dynamic "database_encryption" {
+    for_each = [
+      for x in [var.secrets_encryption_kms_key] : x if var.secrets_encryption_kms_key != null
+    ]
+
+    content {
+      state = "ENCRYPTED"
+      key_name = database_encryption.value
+    }
+  }
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index ddaa041..f7eb1f9 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
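Review bot: The `for_each` filter of the new `database_encryption` block only excludes `null`, while the comment above it says the block is created when the variable is "non-empty"; an empty string passes the filter and yields `key_name = ""`, which fails at apply time rather than at plan time. Aligning the guard with the comment, `for x in [var.secrets_encryption_kms_key] : x if var.secrets_encryption_kms_key != null && var.secrets_encryption_kms_key != ""`, closes that gap (the `authenticator_groups_config` block just above uses the same pattern and could be tightened the same way). Because this module grants nothing on the key, the comment should also record the prerequisite that the GKE service agent needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key and, as far as I recall, that the key must reside in the same location as the cluster, otherwise cluster creation fails with a permission or location error. The comment also uses acute accents (`´database_encryption´ -block`); I would rewrite it as `# If var.secrets_encryption_kms_key is set, add a database_encryption block so Kubernetes secrets are encrypted at rest in etcd with that Cloud KMS key (the GKE service agent must be able to encrypt/decrypt with it)`. The enclosing `google_container_cluster` resource starts before the hunk.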
@@ -197,3 +197,9 @@ variable "gsuite_domain_name" {
   type = string
   default = null
 }
+
+variable "secrets_encryption_kms_key" {
+  description = "The CloudKMS key to use for the encryption of secrets in etcd, ex. projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
+  type = string
+  default = null
+}

From d90b558b5ce26802fafe30d6c73a1bfe074d389f Mon Sep 17 00:00:00 2001
From: autero1
Date: Mon, 30 Sep 2019 11:32:29 +0300
Subject: [PATCH 2/2] [skip ci] Update modules/gke-cluster/variables.tf

Co-Authored-By: Rob Morgan
---
 modules/gke-cluster/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index f7eb1f9..cc16a63 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -199,7 +199,7 @@ variable "gsuite_domain_name" {
 }
 
 variable "secrets_encryption_kms_key" {
-  description = "The CloudKMS key to use for the encryption of secrets in etcd, ex. projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
+  description = "The Cloud KMS key to use for the encryption of secrets in etcd, e.g: projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
   type = string
   default = null
 }
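Review bot: The description of the new `secrets_encryption_kms_key` variable gives `locations/global` as its example key path, but to my knowledge GKE only accepts a key located in the same location as the cluster, so a user who copies the example will hit an apply-time error. I would make the example a regional key and state the prerequisites in the description itself: `description = "Cloud KMS key used to encrypt Kubernetes secrets at rest in etcd, e.g. projects/<project>/locations/<cluster-region>/keyRings/<ring>/cryptoKeys/<key>. The key must be in the cluster's location and the GKE service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on it; leave null to keep secrets unencrypted."`. The second patch only rewords this same line, so the replacement applies to its `+` line as well.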