CMEK on Cloud Storage and Compute Engine via centralized Cloud KMS
This sample creates a sample Cloud KMS configuration to be used with Cloud Storage and Compute Engine. Cloud KMS is deployed in a separate project to highlight the IAM binding needed and to mock a more realistic scenario, where you usually have a single project that manages keys for all your other projects in one place.
The sample has been purposefully kept simple so that it can be used as a basis for different and more complex configurations. This is the high-level diagram:
Managed resources and services
This sample creates several distinct groups of resources:
- projects
  - Cloud KMS project
  - Service project configured for GCE instances and GCS buckets
- networking
  - VPC network
  - One subnet
  - Firewall rules for SSH access via IAP and open communication within the VPC
- IAM
  - One service account for the GCE instance
- KMS
  - One key ring
  - One crypto key (protection level: software) for Compute Engine
  - One crypto key (protection level: software) for Cloud Storage
- GCE
  - One instance encrypted with a CMEK crypto key hosted in Cloud KMS
- GCS
  - One bucket encrypted with a CMEK crypto key hosted in Cloud KMS
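The security-relevant piece of this layout is the cross-project IAM binding: the Compute Engine and Cloud Storage service agents of the service project must be granted use of keys that live in the KMS project, or disk and bucket creation fails with a KMS permission error. The following HCL is an added illustration, not the sample's own code; it assumes two existing projects passed in as `var.project_kms` and `var.project_service`, plus `var.region`, and shows the key ring, one key per service, the two bindings, and a bucket consuming the GCS key.

```hcl
data "google_project" "service" {
  project_id = var.project_service
}
data "google_storage_project_service_account" "gcs" {
  project = var.project_service
}

locals {
  # Service agents of the service project; they must be granted use of the
  # keys that live in the separate KMS project (assumed input variables).
  gce_agent = "serviceAccount:service-${data.google_project.service.number}@compute-system.iam.gserviceaccount.com"
  gcs_agent = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_kms_key_ring" "keyring" {
  project  = var.project_kms
  name     = "keyring"
  location = var.region
}

resource "google_kms_crypto_key" "key" {
  for_each = toset(["gce", "gcs"])
  name     = each.key
  key_ring = google_kms_key_ring.keyring.id
}

# Cross-project bindings: each service agent gets encrypt/decrypt on its own
# key only, so a compromise of one service does not expose the other's key.
resource "google_kms_crypto_key_iam_member" "gce" {
  crypto_key_id = google_kms_crypto_key.key["gce"].id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = local.gce_agent
}

resource "google_kms_crypto_key_iam_member" "gcs" {
  crypto_key_id = google_kms_crypto_key.key["gcs"].id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = local.gcs_agent
}

resource "google_storage_bucket" "bucket" {
  project  = var.project_service
  name     = "${var.project_service}-cmek-bucket"
  location = var.region
  encryption {
    default_kms_key_name = google_kms_crypto_key.key["gcs"].id
  }
  # Bucket creation fails if the binding is not in place yet, so depend on it.
  depends_on = [google_kms_crypto_key_iam_member.gcs]
}
```

The GCE instance follows the same pattern, referencing the `gce` key via `boot_disk { kms_key_self_link = ... }` and depending on the `gce` binding.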
Variables
name | description | type | required | default
---|---|---|---|---
billing_account | Billing account id used as default for new projects. | string | ✓ | |
projects_parent | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | string | ✓ | |
project_kms_name | Name for the new KMS project. | string | | my-project-kms-001 |
project_service_name | Name for the new service project. | string | | my-project-service-001 |
resource_location | The location where resources will be deployed. | string | | europe |
resource_region | The region where resources will be deployed. | string | | europe-west1 |
resource_zone | The zone where resources will be deployed. | string | | europe-west1-b |
vpc_ip_cidr_range | IP range used in the subnet deployed in the service project. | string | | 10.0.0.0/20 |
vpc_name | Name of the VPC created in the service project. | string | | local |
vpc_subnet_name | Name of the subnet created in the service project. | string | | subnet |
Outputs
name | description | sensitive
---|---|---
buckets_keys | GCS buckets Cloud KMS crypto keys. | |
projects | Project ids. | |
vms_keys | GCE VMs Cloud KMS crypto keys. | |