cloud-foundation-fabric/blueprints/data-solutions/cmek-via-centralized-kms
Ludovico Magnocavallo fae5654e33
Refactor VPC firewall module for Terraform 1.3 (#949)
* module and module tests/examples

* align blueprints and fast

* fix null ranges

* make ports optional

* tfdoc

* make rules optional defaulting to all protocols

* review comments

* last round of comments

* invert precedence of template variables

* add option to disable all default rules

* add option to disable all default rules

* split egress/ingress

* tests

* fix tests
2022-11-04 13:56:07 +01:00
README.md Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
backend.tf.sample Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
diagram.png Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
main.tf Refactor VPC firewall module for Terraform 1.3 (#949) 2022-11-04 13:56:07 +01:00
outputs.tf Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
variables.tf Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
versions.tf Update provider version (needed for dns logging support). 2022-10-25 12:15:02 +02:00

README.md

GCE and GCS CMEK via centralized Cloud KMS

This example creates a sample centralized Cloud KMS configuration, and uses it to implement CMEK for Cloud Storage and Compute Engine in a separate project.

The example is designed to match real-world use cases with a minimum amount of resources, and be used as a starting point for scenarios where application projects implement CMEK using keys managed by a central team. It also includes the IAM wiring needed to make such scenarios work.

This is the high-level diagram:

[High-level diagram: diagram.png]

Managed resources and services

This sample creates several distinct groups of resources:

  • projects
    • Cloud KMS project
    • Service Project configured for GCE instances and GCS buckets
  • networking
    • VPC network
    • One subnet
    • Firewall rules for SSH access via IAP and open communication within the VPC
  • IAM
    • One service account for the GCE instance
  • KMS
    • One key ring
    • One crypto key (Protection level: software) for Compute Engine
    • One crypto key (Protection level: software) for Cloud Storage
  • GCE
    • One instance encrypted with a CMEK Cryptokey hosted in Cloud KMS
  • GCS
    • One bucket encrypted with a CMEK Cryptokey hosted in Cloud KMS
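The wiring described above, as an added Terraform illustration that is not the blueprint's own main.tf: the key ring and keys live in the central KMS project, the bucket and instance live in the service project, and the only IAM grants are to the two Google-managed service agents (the Compute Engine and Cloud Storage agents of the service project) on the single key each one needs. Project ids, key names, the bucket name, image and subnet name are placeholders, and both projects are assumed to already exist.

```hcl
# Added example, not the blueprint's code. Values marked "placeholder" are
# assumptions; the two projects are assumed to exist already.

locals {
  kms_project     = "my-project-kms-001"     # placeholder (see project_kms_name)
  service_project = "my-project-service-001" # placeholder (see project_service_name)
  location        = "europe"                 # KMS multi-region, matches the blueprint default
  region          = "europe-west1"
}

# The project number is needed to address the Compute Engine service agent,
# which performs the encrypt/decrypt calls for the instance's boot disk.
data "google_project" "service" {
  project_id = local.service_project
}

# Cloud Storage has its own per-project service agent; this returns its email.
data "google_storage_project_service_account" "gcs" {
  project = local.service_project
}

# Key ring and keys are owned by the central team in the KMS project.
resource "google_kms_key_ring" "keyring" {
  project  = local.kms_project
  name     = "keyring" # placeholder
  location = local.location
}

resource "google_kms_crypto_key" "gce" {
  name            = "gce-key" # placeholder
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days; a sensible default, not a blueprint value
  version_template {
    protection_level = "SOFTWARE"
  }
}

resource "google_kms_crypto_key" "gcs" {
  name            = "gcs-key" # placeholder
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s"
  version_template {
    protection_level = "SOFTWARE"
  }
}

# IAM wiring, scoped to one service agent per key. Without these bindings the
# API rejects instance and bucket creation with a KMS permission error, so the
# consumers below depend on them explicitly to avoid an apply-time race.
resource "google_kms_crypto_key_iam_member" "gce_agent" {
  crypto_key_id = google_kms_crypto_key.gce.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.service.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_kms_crypto_key_iam_member" "gcs_agent" {
  crypto_key_id = google_kms_crypto_key.gcs.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

# Consumers in the service project reference the keys by full resource id.
resource "google_storage_bucket" "bucket" {
  project  = local.service_project
  name     = "my-cmek-bucket-001" # placeholder, must be globally unique
  location = "EU"                 # GCS spelling of the "europe" multi-region; key and bucket locations must match
  encryption {
    default_kms_key_name = google_kms_crypto_key.gcs.id
  }
  depends_on = [google_kms_crypto_key_iam_member.gcs_agent]
}

resource "google_compute_instance" "vm" {
  project      = local.service_project
  name         = "cmek-vm" # placeholder
  zone         = "${local.region}-b"
  machine_type = "e2-small"
  boot_disk {
    # The multi-region key covers the disk's region; a regional key in
    # europe-west1 would work equally well.
    kms_key_self_link = google_kms_crypto_key.gce.id
    initialize_params {
      image = "debian-cloud/debian-11" # placeholder image
    }
  }
  network_interface {
    subnetwork = "subnet" # placeholder, the subnet created in the service project
  }
  depends_on = [google_kms_crypto_key_iam_member.gce_agent]
}
```

The point worth keeping from this layout is the direction of the trust: the service project never gets a role on the key ring or the KMS project, only the two service agents are granted `cryptoKeyEncrypterDecrypter`, and each one only on its own key. Revoking either binding makes the corresponding resource undecryptable by the service, which is also what a Cloud Audit Logs entry for that key will show if a decrypt call is ever made by an unexpected principal.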

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| billing_account | Billing account id used as default for new projects. | string | ✓ | |
| root_node | The resource name of the parent Folder or Organization. Must be of the form `folders/folder_id` or `organizations/org_id`. | string | ✓ | |
| location | The location where resources will be deployed. | string | | "europe" |
| project_kms_name | Name for the new KMS Project. | string | | "my-project-kms-001" |
| project_service_name | Name for the new Service Project. | string | | "my-project-service-001" |
| region | The region where resources will be deployed. | string | | "europe-west1" |
| vpc_ip_cidr_range | IP range used in the subnet deployed in the Service Project. | string | | "10.0.0.0/20" |
| vpc_name | Name of the VPC created in the Service Project. | string | | "local" |
| vpc_subnet_name | Name of the subnet created in the Service Project. | string | | "subnet" |

Outputs

| name | description | sensitive |
|---|---|---|
| bucket | GCS Bucket URL. | |
| bucket_keys | GCS Bucket Cloud KMS crypto keys. | |
| projects | Project ids. | |
| vm | GCE VM. | |
| vm_keys | GCE VM Cloud KMS crypto keys. | |