cloud-foundation-fabric/data-solutions/cmek-via-centralized-kms/README.md


CMEK on Cloud Storage and Compute Engine via centralized Cloud KMS

This sample creates a sample Cloud KMS configuration to be used with Cloud Storage and Compute Engine. Cloud KMS is deployed in a separate project to highlight the IAM binding needed and to mimic a more realistic scenario, where you usually have a dedicated project to manage keys for all your projects in one single place.

The sample has been purposefully kept simple so that it can be used as a basis for different and more complex configurations. This is the high-level diagram:

High-level diagram

Managed resources and services

This sample creates several distinct groups of resources:

  • projects
    • Cloud KMS project
    • Service Project configured for GCE instances and GCS buckets
  • networking
    • VPC network
    • One subnet
    • Firewall rules for SSH access via IAP and open communication within the VPC
  • IAM
    • One service account for the GCE instance
  • KMS
    • One key ring
    • One crypto key (Protection level: software) for Compute Engine
    • One crypto key (Protection level: software) for Cloud Storage
  • GCE
    • One instance encrypted with a CMEK Cryptokey hosted in Cloud KMS
  • GCS
    • One bucket encrypted with a CMEK Cryptokey hosted in Cloud KMS
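The following Terraform is an added illustration of the pattern this sample implements, not the repository's own module code: keys live in the KMS project, and the service project's Compute and Storage service agents are granted use of them before a CMEK-encrypted bucket is created. Project ids follow the sample's defaults; key ring, key and bucket names are placeholders.

```hcl
# Added example, not the repository's own module code. Project ids follow the
# sample's defaults; key ring, key and bucket names are placeholders.
locals {
  kms_project     = "my-project-kms-001"
  service_project = "my-project-service-001"
}

data "google_project" "service" { project_id = local.service_project }
data "google_storage_project_service_account" "gcs" { project = local.service_project }

resource "google_kms_key_ring" "ring" {
  project  = local.kms_project
  name     = "cmek-ring"
  location = "europe"          # matches the sample's resource_location
}

# Protection level defaults to SOFTWARE, as in the sample.
resource "google_kms_crypto_key" "gce" {
  key_ring        = google_kms_key_ring.ring.id
  name            = "key-gce"
  rotation_period = "7776000s" # 90 days
}

resource "google_kms_crypto_key" "gcs" {
  key_ring        = google_kms_key_ring.ring.id
  name            = "key-gcs"
  rotation_period = "7776000s"
}

# The cross-project bindings the README highlights: the service project's own
# Compute and Storage service agents must be able to use keys in the KMS project.
resource "google_kms_crypto_key_iam_member" "gce" {
  crypto_key_id = google_kms_crypto_key.gce.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.service.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_kms_crypto_key_iam_member" "gcs" {
  crypto_key_id = google_kms_crypto_key.gcs.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "cmek" {
  project    = local.service_project
  name       = "${local.service_project}-cmek"
  location   = "EU"            # GCS name for the europe multi-region
  encryption { default_kms_key_name = google_kms_crypto_key.gcs.id }
  depends_on = [google_kms_crypto_key_iam_member.gcs] # binding must exist before the bucket
}
```

The GCE side follows the same shape: the instance's `boot_disk` block references `google_kms_crypto_key.gce.id` via `kms_key_self_link`, with a `depends_on` on the Compute service agent binding so disk creation does not race the IAM grant.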

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| billing_account | Billing account id used as default for new projects. | string | ✓ | |
| projects_parent | The resource name of the parent Folder or Organization. Must be of the form `folders/folder_id` or `organizations/org_id`. | string | ✓ | |
| project_kms_name | Name for the new KMS Project. | string | | my-project-kms-001 |
| project_service_name | Name for the new Service Project. | string | | my-project-service-001 |
| resource_location | The location where resources will be deployed. | string | | europe |
| resource_region | The region where resources will be deployed. | string | | europe-west1 |
| resource_zone | The zone where resources will be deployed. | string | | europe-west1-b |
| vpc_ip_cidr_range | IP range used in the subnet deployed in the Service Project. | string | | 10.0.0.0/20 |
| vpc_name | Name of the VPC created in the Service Project. | string | | local |
| vpc_subnet_name | Name of the subnet created in the Service Project. | string | | subnet |

Outputs

| name | description | sensitive |
|---|---|---|
| buckets_keys | GCS Buckets Cloud KMS crypto keys. | |
| projects | Project ids. | |
| vms_keys | GCE VMs Cloud KMS crypto keys. | |