about summary refs log tree commit diff
path: root/infra
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@google.com>2019-09-03T14·13+0100
committerVincent Ambo <tazjin@google.com>2019-09-03T15·12+0100
commitabd5d7538c727e1aca7712455a799cf034d0fbaf (patch)
treef3983180225c8a87a84b2adad7086b626a243d0b /infra
parenteb43ba75d2399d8ae0461cb85b9ce9a6a367cc2c (diff)
feat(gcp): Create Cloud KMS resources for encrypting secrets
The idea here is to use Cloud KMS and a shell script that mimics
'pass' to trick kontemplate into using Cloud KMS to decrypt secrets.
Diffstat (limited to 'infra')
-rw-r--r--infra/gcp/default.tf36
1 files changed, 28 insertions, 8 deletions
diff --git a/infra/gcp/default.tf b/infra/gcp/default.tf
index 18096bf2b476..d13345393bd4 100644
--- a/infra/gcp/default.tf
+++ b/infra/gcp/default.tf
@@ -27,24 +27,25 @@ resource "google_project_services" "primary" {
     "bigquerystorage.googleapis.com",
     "cloudapis.googleapis.com",
     "clouddebugger.googleapis.com",
+    "cloudkms.googleapis.com",
     "cloudtrace.googleapis.com",
+    "compute.googleapis.com",
+    "container.googleapis.com",
+    "containerregistry.googleapis.com",
     "datastore.googleapis.com",
     "dns.googleapis.com",
+    "iam.googleapis.com",
+    "iamcredentials.googleapis.com",
     "logging.googleapis.com",
     "monitoring.googleapis.com",
+    "oslogin.googleapis.com",
+    "pubsub.googleapis.com",
     "servicemanagement.googleapis.com",
     "serviceusage.googleapis.com",
+    "sourcerepo.googleapis.com",
     "sql-component.googleapis.com",
     "storage-api.googleapis.com",
     "storage-component.googleapis.com",
-    "container.googleapis.com",
-    "iam.googleapis.com",
-    "compute.googleapis.com",
-    "iamcredentials.googleapis.com",
-    "oslogin.googleapis.com",
-    "pubsub.googleapis.com",
-    "containerregistry.googleapis.com",
-    "sourcerepo.googleapis.com",
   ]
 }
 
@@ -81,3 +82,22 @@ resource "google_service_account" "nixery" {
   account_id   = "nixery"
   display_name = "Nixery service account"
 }
+
+# Configure Cloud KMS for secret encryption
+resource "google_kms_key_ring" "tazjins_keys" {
+  name     = "tazjins-keys"
+  location = "europe-north1"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "google_kms_crypto_key" "kontemplate_key" {
+  name     = "kontemplate-key"
+  key_ring = google_kms_key_ring.tazjins_keys.id
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}