# GCE and GCS CMEK via centralized Cloud KMS

This example creates a sample centralized Cloud KMS configuration and uses it to implement customer-managed encryption keys (CMEK) for Cloud Storage and Compute Engine resources that live in a separate project.

The example is designed to match real-world use cases with a minimum amount of resources, and to be used as a starting point for scenarios where application projects implement CMEK using keys managed by a central team. It also includes the IAM wiring needed to make such scenarios work: the keys stay in the KMS project, and the service agents of the application project are only granted permission to use them.

This is the high-level diagram:

[High-level diagram]

## Managed resources and services

This sample creates several distinct groups of resources:

  • projects
    • Cloud KMS project
    • Service project configured for GCE instances and GCS buckets
  • networking
    • VPC network
    • One subnet
    • Firewall rules for SSH access via IAP and open communication within the VPC
  • IAM
    • One service account for the GCE instance
  • KMS
    • One key ring
    • One crypto key (protection level: software) for Compute Engine
    • One crypto key (protection level: software) for Cloud Storage
  • GCE
    • One instance whose disk is encrypted with a CMEK crypto key hosted in Cloud KMS
  • GCS
    • One bucket encrypted with a CMEK crypto key hosted in Cloud KMS
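The following is an added example, not the module code this README refers to: it builds the same KMS-project / service-project split with raw `google` provider resources so the IAM wiring is visible in one place. Names such as the key ring `central`, the instance `cmek-vm`, the zone suffix `-b` and the Debian image are assumptions, as is the use of a single regional key ring in `region` (the page's `location` default is the `europe` multi-region; the location rules for multi-region keys differ between Compute Engine and Cloud Storage, so a regional key ring colocated with the disk and bucket is the conservative choice). The firewall rules and the instance service account listed above are omitted for brevity.

```hcl
# Added example (not the Fabric module): centralized Cloud KMS project whose keys
# are used for CMEK by a separate service project, with least-privilege IAM.
variable "billing_account" { type = string }
variable "root_node" { type = string } # "folders/<id>" or "organizations/<id>"
variable "project_kms_name" { default = "my-project-kms-001" }
variable "project_service_name" { default = "my-project-service-001" }
variable "region" { default = "europe-west1" }
variable "vpc_ip_cidr_range" { default = "10.0.0.0/20" }

locals {
  parent = split("/", var.root_node) # ["folders", "123"] or ["organizations", "456"]
  # Google-managed service agents that perform the encrypt/decrypt calls.
  gce_agent = "serviceAccount:service-${google_project.service.number}@compute-system.iam.gserviceaccount.com"
  gcs_agent = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_project" "kms" {
  project_id      = var.project_kms_name
  name            = var.project_kms_name
  billing_account = var.billing_account
  folder_id       = local.parent[0] == "folders" ? local.parent[1] : null
  org_id          = local.parent[0] == "organizations" ? local.parent[1] : null
}

resource "google_project" "service" {
  project_id      = var.project_service_name
  name            = var.project_service_name
  billing_account = var.billing_account
  folder_id       = local.parent[0] == "folders" ? local.parent[1] : null
  org_id          = local.parent[0] == "organizations" ? local.parent[1] : null
}

resource "google_project_service" "apis" {
  for_each = {
    kms     = [google_project.kms.project_id, "cloudkms.googleapis.com"]
    compute = [google_project.service.project_id, "compute.googleapis.com"]
    storage = [google_project.service.project_id, "storage.googleapis.com"]
  }
  project = each.value[0]
  service = each.value[1]
}

# Keys live in the KMS project; the service project gets no KMS admin role at all.
resource "google_kms_key_ring" "ring" {
  project    = google_project.kms.project_id
  name       = "central" # assumed name
  location   = var.region # same region as the disk and bucket below
  depends_on = [google_project_service.apis]
}

resource "google_kms_crypto_key" "keys" {
  for_each        = toset(["gce", "gcs"]) # one key per service keeps the blast radius per service
  name            = each.key
  key_ring        = google_kms_key_ring.ring.id
  rotation_period = "7776000s" # 90 days; protection level defaults to SOFTWARE
}

# Reading this data source also provisions the Cloud Storage service agent.
data "google_storage_project_service_account" "gcs" {
  project    = google_project.service.project_id
  depends_on = [google_project_service.apis]
}

# IAM wiring: each agent may use exactly one key, nothing on the ring or the project.
resource "google_kms_crypto_key_iam_member" "use_key" {
  for_each      = { gce = local.gce_agent, gcs = local.gcs_agent }
  crypto_key_id = google_kms_crypto_key.keys[each.key].id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = each.value
  depends_on    = [google_project_service.apis] # compute agent exists only after the API is on
}

resource "google_compute_network" "vpc" {
  project                 = google_project.service.project_id
  name                    = "local"
  auto_create_subnetworks = false
  depends_on              = [google_project_service.apis]
}

resource "google_compute_subnetwork" "subnet" {
  project       = google_project.service.project_id
  name          = "subnet"
  region        = var.region
  network       = google_compute_network.vpc.id
  ip_cidr_range = var.vpc_ip_cidr_range
}

resource "google_compute_instance" "vm" {
  project      = google_project.service.project_id
  name         = "cmek-vm"            # assumed name
  zone         = "${var.region}-b"    # assumed zone
  machine_type = "e2-micro"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
    kms_key_self_link = google_kms_crypto_key.keys["gce"].id # CMEK for the boot disk
  }
  network_interface { subnetwork = google_compute_subnetwork.subnet.id }
  depends_on = [google_kms_crypto_key_iam_member.use_key] # bind first, or disk creation fails
}

resource "google_storage_bucket" "bucket" {
  project                     = google_project.service.project_id
  name                        = "${var.project_service_name}-cmek" # assumed name
  location                    = var.region
  uniform_bucket_level_access = true
  encryption { default_kms_key_name = google_kms_crypto_key.keys["gcs"].id }
  depends_on = [google_kms_crypto_key_iam_member.use_key]
}
```

Two things to check when adapting this: the `roles/cloudkms.cryptoKeyEncrypterDecrypter` grant must exist before the disk or bucket is created (hence the explicit `depends_on`), and removing it later does not delete data but does make the disk unattachable and the objects unreadable until the grant is restored, which is exactly the control a central key team wants to retain.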

## Variables

| name | description | type | required | default |
|---|---|---|---|---|
| billing_account | Billing account id used as default for new projects. | string | ✓ | |
| root_node | The resource name of the parent Folder or Organization. Must be of the form `folders/folder_id` or `organizations/org_id`. | string | ✓ | |
| location | The location where resources will be deployed. | string | | `"europe"` |
| project_kms_name | Name for the new KMS project. | string | | `"my-project-kms-001"` |
| project_service_name | Name for the new Service project. | string | | `"my-project-service-001"` |
| region | The region where resources will be deployed. | string | | `"europe-west1"` |
| vpc_ip_cidr_range | IP range used in the subnet deployed in the Service project. | string | | `"10.0.0.0/20"` |
| vpc_name | Name of the VPC created in the Service project. | string | | `"local"` |
| vpc_subnet_name | Name of the subnet created in the Service project. | string | | `"subnet"` |

## Outputs

| name | description | sensitive |
|---|---|---|
| bucket | GCS bucket URL. | |
| bucket_keys | GCS bucket Cloud KMS crypto keys. | |
| projects | Project ids. | |
| vm | GCE VM. | |
| vm_keys | GCE VM Cloud KMS crypto keys. | |