tf-gcp-infra/security.tf at main · csye6225-girish-kulkarni/tf-gcp-infra

History

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

data "google_project" "project" {}

# Create a Key Ring

resource "google_kms_key_ring" "key_ring" {

name = "my-key-ring-${replace(timestamp(), ":", "-")}"

provider = "google-beta"

location = var.security_location

}

resource "google_kms_crypto_key" "vm_crypto_key" {

name = "vm-crypto-key"

key_ring = google_kms_key_ring.key_ring.id

rotation_period = var.rotation_period

purpose = var.purpose

provider = "google-beta"

lifecycle {

prevent_destroy = false

}

resource "google_kms_crypto_key_iam_binding" "vm_crypto_key_iam_binding" {

crypto_key_id = google_kms_crypto_key.vm_crypto_key.id

role = var.kms_role

provider = "google-beta"

members = [

"serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",

]

}

resource "google_kms_crypto_key" "sql_crypto_key" {

name = "sql-crypto-key"

key_ring = google_kms_key_ring.key_ring.id

rotation_period = var.rotation_period # 30 days in seconds

purpose = var.purpose

provider = "google-beta"

lifecycle {

prevent_destroy = false

}

resource "google_kms_crypto_key_iam_binding" "sql_crypto_key_iam_binding" {

crypto_key_id = google_kms_crypto_key.sql_crypto_key.id

role = var.kms_role

provider = "google-beta"

members = [

"serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com",

]

}

resource "google_kms_crypto_key" "bucket_crypto_key" {

name = "bucket-crypto-key"

key_ring = google_kms_key_ring.key_ring.id

rotation_period = var.rotation_period # 30 days in seconds

purpose = var.purpose

provider = "google-beta"

lifecycle {

prevent_destroy = false

}

resource "google_kms_crypto_key_iam_binding" "bucket_crypto_key_iam_binding" {

crypto_key_id = google_kms_crypto_key.bucket_crypto_key.id

role = var.kms_role

provider = "google-beta"

members = [

"serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"

]

}

resource "google_secret_manager_secret" "vm_crypto_key_secret" {

secret_id = var.secret_id

project = var.project

labels = {

secretmanager = "vm_crypto_key"

}

replication {

user_managed {

replicas {

location = var.security_location

}

resource "google_secret_manager_secret_version" "vm_crypto_key_secret_version" {

secret = google_secret_manager_secret.vm_crypto_key_secret.id

secret_data = google_kms_crypto_key.vm_crypto_key.id

}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security.tf

security.tf

Files

security.tf

Latest commit

History

security.tf

File metadata and controls