chore: Attach KMS Key in Safer IAP GKE cluster (#1614)

Co-authored-by: Bharath KKB <[email protected]>

examples/safer_cluster_iap_bastion/README.md

@@ -4,6 +4,8 @@ This end to end example aims to showcase access patterns to a [Safer Cluster](..
 
 Additionally we deploy a [tinyproxy](https://tinyproxy.github.io/) daemon which allows `kubectl` commands to be piped through the bastion host allowing ease of development from a local machine with the security of GKE Private Clusters.
 
+GKE Autopilot clusters are deployed with Application-layer Secrets Encryption that protects your secrets in etcd with a key you manage in [Cloud KMS](https://github.com/terraform-google-modules/terraform-google-kms/blob/master/README.md).
+
 ## Setup
 
 To deploy this example:
@@ -59,6 +61,9 @@ To deploy this example:
 | cluster\_name | Cluster name |
 | endpoint | Cluster endpoint |
 | get\_credentials\_command | gcloud get-credentials command to generate kubeconfig for the private cluster |
+| keyring | The name of the keyring. |
+| keyring\_resource | The location of the keyring. |
+| keys | Map of key name => key self link. |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | network\_name | The name of the VPC being created |

examples/safer_cluster_iap_bastion/apis.tf

@@ -20,6 +20,11 @@ module "enabled_google_apis" {
 
   project_id                  = var.project_id
   disable_services_on_destroy = false
+  activate_api_identities = [{
+    api = "container.googleapis.com",
+    roles = ["roles/cloudkms.cryptoKeyDecrypter",
+    "roles/cloudkms.cryptoKeyEncrypter"],
+  }]
 
   activate_apis = [
     "serviceusage.googleapis.com",
@@ -32,5 +37,6 @@ module "enabled_google_apis" {
     "binaryauthorization.googleapis.com",
     "stackdriver.googleapis.com",
     "iap.googleapis.com",
+    "cloudkms.googleapis.com",
   ]
 }

examples/safer_cluster_iap_bastion/cluster.tf

@@ -29,6 +29,12 @@ module "gke" {
     cidr_block   = "${module.bastion.ip_address}/32"
     display_name = "Bastion Host"
   }]
+  database_encryption = [
+    {
+      "key_name" : module.kms.keys["gke-key"],
+      "state" : "ENCRYPTED"
+    }
+  ]
   grant_registry_access = true
   node_pools = [
     {

examples/safer_cluster_iap_bastion/kms.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "kms" {
+  source          = "terraform-google-modules/kms/google"
+  version         = "~> 2.2.1"
+  project_id      = var.project_id
+  location        = var.region
+  keyring         = "gke-keyring"
+  keys            = ["gke-key"]
+  prevent_destroy = false
+}

examples/safer_cluster_iap_bastion/outputs.tf

@@ -85,3 +85,18 @@ output "bastion_kubectl_command" {
   description = "kubectl command using the local proxy once the bastion_ssh command is running"
   value       = "HTTPS_PROXY=localhost:8888 kubectl get pods --all-namespaces"
 }
+
+output "keyring" {
+  description = "The name of the keyring."
+  value       = module.kms.keyring
+}
+
+output "keyring_resource" {
+  description = "The location of the keyring."
+  value       = module.kms.keyring_resource
+}
+
+output "keys" {
+  description = "Map of key name => key self link."
+  value       = module.kms.keys
+}