From 99aeee879a83e881de01faf7080285da62208f68 Mon Sep 17 00:00:00 2001 From: avinashkumar1289 Date: Sun, 23 Apr 2023 10:56:42 +0530 Subject: [PATCH 1/6] Adding support for KMS for safer GKE Cluster --- examples/safer_cluster_iap_bastion/README.md | 7 ++++ examples/safer_cluster_iap_bastion/apis.tf | 1 + examples/safer_cluster_iap_bastion/cluster.tf | 6 +++ examples/safer_cluster_iap_bastion/kms.tf | 39 +++++++++++++++++++ examples/safer_cluster_iap_bastion/outputs.tf | 15 +++++++ .../safer_cluster_iap_bastion/variables.tf | 12 ++++++ 6 files changed, 80 insertions(+) create mode 100644 examples/safer_cluster_iap_bastion/kms.tf diff --git a/examples/safer_cluster_iap_bastion/README.md b/examples/safer_cluster_iap_bastion/README.md index 7a1eb998b0..9e0cb913c4 100644 --- a/examples/safer_cluster_iap_bastion/README.md +++ b/examples/safer_cluster_iap_bastion/README.md @@ -4,6 +4,8 @@ This end to end example aims to showcase access patterns to a [Safer Cluster](.. Additionally we deploy a [tinyproxy](https://tinyproxy.github.io/) daemon which allows `kubectl` commands to be piped through the bastion host allowing ease of development from a local machine with the security of GKE Private Clusters. +GKE Autopilot clusters are deployed with Application-layer Secrets Encryption that protects your secrets in etcd with a key you manage in [Cloud KMS](https://github.com/terraform-google-modules/terraform-google-kms/blob/master/README.md). + ## Setup To deploy this example: 
@@ -41,6 +43,8 @@ To deploy this example:
 | cluster\_name | The name of the cluster | `string` | `"safer-cluster-iap-bastion"` | no |
 | ip\_range\_pods\_name | The secondary ip range to use for pods | `string` | `"ip-range-pods"` | no |
 | ip\_range\_services\_name | The secondary ip range to use for pods | `string` | `"ip-range-svc"` | no |
+| keyring | Keyring name. | `string` | `"gke-key"` | no |
+| keys | Key names. | `list(string)` | `[]` | no |
 | network\_name | The name of the network being created to host the cluster in | `string` | `"safer-cluster-network"` | no |
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | `"us-central1"` | no |
@@ -59,6 +63,9 @@ To deploy this example:
 | cluster\_name | Cluster name |
 | endpoint | Cluster endpoint |
 | get\_credentials\_command | gcloud get-credentials command to generate kubeconfig for the private cluster |
+| keyring | The name of the keyring. |
+| keyring\_resource | The location of the keyring. |
+| keys | Map of key name => key self link. |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | network\_name | The name of the VPC being created |
diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf
index 44cfc5d757..7bd724fae6 100644
--- a/examples/safer_cluster_iap_bastion/apis.tf
+++ b/examples/safer_cluster_iap_bastion/apis.tf
@@ -32,5 +32,6 @@ module "enabled_google_apis" {
 "binaryauthorization.googleapis.com",
 "stackdriver.googleapis.com",
 "iap.googleapis.com",
+ "cloudkms.googleapis.com",
 ]
 }
diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf
index b462784548..e78884fb0e 100644
--- a/examples/safer_cluster_iap_bastion/cluster.tf
+++ b/examples/safer_cluster_iap_bastion/cluster.tf
@@ -29,6 +29,12 @@ module "gke" {
 cidr_block = "${module.bastion.ip_address}/32"
 display_name = "Bastion Host"
 }]
+ database_encryption = [
+ {
+ "key_name" : module.kms.keys[var.keys[0]],
+ "state" : "ENCRYPTED"
+ }
+ ]
 grant_registry_access = true
 node_pools = [
 {
diff --git a/examples/safer_cluster_iap_bastion/kms.tf b/examples/safer_cluster_iap_bastion/kms.tf
new file mode 100644
index 0000000000..538384492d
--- /dev/null
+++ b/examples/safer_cluster_iap_bastion/kms.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_project" "project" {}
+
+locals {
+ gke_sa = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
+}
+
+module "kms" {
+ source = "terraform-google-modules/kms/google"
+ version = "~> 2.2.1"
+ project_id = var.project_id
+ location = var.region
+ keyring = var.keyring
+ keys = var.keys
+ prevent_destroy = false
+ set_decrypters_for = var.keys
+ set_encrypters_for = var.keys
+ encrypters = [
+ local.gke_sa,
+ ]
+ decrypters = [
+ local.gke_sa,
+ ]
+}
diff --git a/examples/safer_cluster_iap_bastion/outputs.tf b/examples/safer_cluster_iap_bastion/outputs.tf
index 7525f0be59..8d9f9d2fdd 100644
--- a/examples/safer_cluster_iap_bastion/outputs.tf
+++ b/examples/safer_cluster_iap_bastion/outputs.tf
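Review bot: `data "google_project" "project" {}` in the new kms.tf carries no `project_id` argument, so `local.gke_sa` is built from the provider's default project rather than from `var.project_id`; when the two differ, the encrypter/decrypter grant lands on the wrong project's GKE service agent and the cluster cannot use the key. `data "google_project" "project" { project_id = var.project_id }` pins it to the project the example actually builds in. Separately, `module "kms"` takes `project_id = var.project_id` directly, so nothing orders key-ring creation after `cloudkms.googleapis.com` is enabled in apis.tf on a fresh project; passing `project_id = module.enabled_google_apis.project_id` (the project_services module exposes that output) adds the dependency. `prevent_destroy = false` is reasonable for an example, but a comment next to it should state that destroying this key makes every Secret the cluster encrypted with it unreadable.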
@@ -85,3 +85,18 @@ output "bastion_kubectl_command" {
 description = "kubectl command using the local proxy once the bastion_ssh command is running"
 value = "HTTPS_PROXY=localhost:8888 kubectl get pods --all-namespaces"
 }
+
+output "keyring" {
+ description = "The name of the keyring."
+ value = module.kms.keyring
+}
+
+output "keyring_resource" {
+ description = "The location of the keyring."
+ value = module.kms.keyring_resource
+}
+
+output "keys" {
+ description = "Map of key name => key self link."
+ value = module.kms.keys
+}
diff --git a/examples/safer_cluster_iap_bastion/variables.tf b/examples/safer_cluster_iap_bastion/variables.tf
index 42dc4f5f29..aae8fa8229 100644
--- a/examples/safer_cluster_iap_bastion/variables.tf
+++ b/examples/safer_cluster_iap_bastion/variables.tf
@@ -69,3 +69,15 @@ variable "bastion_members" {
 description = "List of users, groups, SAs who need access to the bastion host"
 default = []
 }
+
+variable "keyring" {
+ description = "Keyring name."
+ type = string
+ default = "gke-key"
+}
+
+variable "keys" {
+ description = "Key names."
+ type = list(string)
+ default = []
+}
From 5d1a03770f42b47b48abe2ce4eb1459cf1eb4494 Mon Sep 17 00:00:00 2001
From: avinashkumar1289
Date: Sun, 23 Apr 2023 11:02:26 +0530
Subject: [PATCH 2/6] changes for default Keys
---
 examples/safer_cluster_iap_bastion/README.md | 4 ++--
 examples/safer_cluster_iap_bastion/variables.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/safer_cluster_iap_bastion/README.md b/examples/safer_cluster_iap_bastion/README.md
index 9e0cb913c4..7edbce4ba1 100644
--- a/examples/safer_cluster_iap_bastion/README.md
+++ b/examples/safer_cluster_iap_bastion/README.md
@@ -43,8 +43,8 @@ To deploy this example:
 | cluster\_name | The name of the cluster | `string` | `"safer-cluster-iap-bastion"` | no |
 | ip\_range\_pods\_name | The secondary ip range to use for pods | `string` | `"ip-range-pods"` | no |
 | ip\_range\_services\_name | The secondary ip range to use for pods | `string` | `"ip-range-svc"` | no |
-| keyring | Keyring name. | `string` | `"gke-key"` | no |
-| keys | Key names. | `list(string)` | `[]` | no |
+| keyring | Keyring name. | `string` | `"gke-keyring"` | no |
+| keys | Key names. | `list(string)` |
[
"gke-key"
]
| no | | network\_name | The name of the network being created to host the cluster in | `string` | `"safer-cluster-network"` | no | | project\_id | The project ID to host the cluster in | `string` | n/a | yes | | region | The region to host the cluster in | `string` | `"us-central1"` | no | diff --git a/examples/safer_cluster_iap_bastion/variables.tf b/examples/safer_cluster_iap_bastion/variables.tf index aae8fa8229..7bf4635d87 100644 --- a/examples/safer_cluster_iap_bastion/variables.tf +++ b/examples/safer_cluster_iap_bastion/variables.tf @@ -73,11 +73,11 @@ variable "bastion_members" { variable "keyring" { description = "Keyring name." type = string - default = "gke-key" + default = "gke-keyring" } variable "keys" { description = "Key names." type = list(string) - default = [] + default = ["gke-key"] } From 432e17666bb460763142fcf7aa63a6ff3e52f1b3 Mon Sep 17 00:00:00 2001 From: avinashkumar1289 Date: Mon, 22 May 2023 10:01:34 +0530 Subject: [PATCH 3/6] KMS related changes --- examples/safer_cluster_iap_bastion/apis.tf | 5 +++++ examples/safer_cluster_iap_bastion/cluster.tf | 2 +- examples/safer_cluster_iap_bastion/kms.tf | 12 ++---------- examples/safer_cluster_iap_bastion/variables.tf | 12 ------------ 4 files changed, 8 insertions(+), 23 deletions(-) diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index 7bd724fae6..9d37af5b54 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -20,6 +20,11 @@ module "enabled_google_apis" { project_id = var.project_id disable_services_on_destroy = false + activate_api_identities = [{ + api = "container.googleapis.com", + roles = ["roles/cloudkms.cryptoKeyDecrypter", + "roles/cloudkms.cryptoKeyEncrypter"], + }] activate_apis = [ "serviceusage.googleapis.com", diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index e78884fb0e..c1ab5f9e6c 100644 
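Review bot: `activate_api_identities` grants `roles/cloudkms.cryptoKeyDecrypter` and `roles/cloudkms.cryptoKeyEncrypter` to the GKE service agent at the project level (that is how the project_services module applies `roles`, as far as I can tell), while the same commit removes the key-scoped `set_encrypters_for`/`set_decrypters_for` bindings from kms.tf. The agent can then use every CMEK in the project rather than only `gke-key`, which is a step back from least privilege for an example that calls itself "safer". Keeping `activate_api_identities` only to provision the identity, with `roles = []`, and granting `roles/cloudkms.cryptoKeyEncrypterDecrypter` to that identity on the single key inside `module "kms"` keeps the grant where the data is; a comment on the `roles` list should at least say the binding is project-wide. The enclosing `module "enabled_google_apis"` block starts and ends outside the hunk.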
--- a/examples/safer_cluster_iap_bastion/cluster.tf
+++ b/examples/safer_cluster_iap_bastion/cluster.tf
@@ -31,7 +31,7 @@ module "gke" {
 }]
 database_encryption = [
 {
- "key_name" : module.kms.keys[var.keys[0]],
+ "key_name" : module.kms.keys["gke-key"],
 "state" : "ENCRYPTED"
 }
 ]
diff --git a/examples/safer_cluster_iap_bastion/kms.tf b/examples/safer_cluster_iap_bastion/kms.tf
index 538384492d..af29795d4c 100644
--- a/examples/safer_cluster_iap_bastion/kms.tf
+++ b/examples/safer_cluster_iap_bastion/kms.tf
@@ -25,15 +25,7 @@ module "kms" {
 version = "~> 2.2.1"
 project_id = var.project_id
 location = var.region
- keyring = var.keyring
- keys = var.keys
+ keyring = "gke-keyring"
+ keys = ["gke-key"]
 prevent_destroy = false
- set_decrypters_for = var.keys
- set_encrypters_for = var.keys
- encrypters = [
- local.gke_sa,
- ]
- decrypters = [
- local.gke_sa,
- ]
 }
diff --git a/examples/safer_cluster_iap_bastion/variables.tf b/examples/safer_cluster_iap_bastion/variables.tf
index 7bf4635d87..42dc4f5f29 100644
--- a/examples/safer_cluster_iap_bastion/variables.tf
+++ b/examples/safer_cluster_iap_bastion/variables.tf
@@ -69,15 +69,3 @@ variable "bastion_members" {
 description = "List of users, groups, SAs who need access to the bastion host"
 default = []
 }
-
-variable "keyring" {
- description = "Keyring name."
- type = string
- default = "gke-keyring"
-}
-
-variable "keys" {
- description = "Key names."
- type = list(string)
- default = ["gke-key"]
-}
From 34a610cd41a7525755543acfa60b086a8a0c227d Mon Sep 17 00:00:00 2001
From: avinashkumar1289
Date: Mon, 22 May 2023 10:01:59 +0530
Subject: [PATCH 4/6] KMS related changes
---
 examples/safer_cluster_iap_bastion/kms.tf | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/examples/safer_cluster_iap_bastion/kms.tf b/examples/safer_cluster_iap_bastion/kms.tf
index af29795d4c..a0526126b2 100644
--- a/examples/safer_cluster_iap_bastion/kms.tf
+++ b/examples/safer_cluster_iap_bastion/kms.tf
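Review bot: `module.kms.keys["gke-key"]` repeats a literal that kms.tf also hardcodes in `keys = ["gke-key"]` in this same commit; if either side is renamed the lookup fails at plan time with an invalid-index error instead of a readable message. A shared `locals { gke_kms_key = "gke-key" }` referenced from both `keys = [local.gke_kms_key]` and `module.kms.keys[local.gke_kms_key]` removes the coupling. With the key-scoped grant gone from kms.tf, nothing visible orders `module "gke"` after the IAM binding made in apis.tf, so a cluster created before the GKE service agent can use the key fails on creation; if `module "gke"` does not already carry `depends_on = [module.enabled_google_apis]` outside the hunk, it should. The enclosing `module "gke"` block starts and ends outside the hunk.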
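Review bot: `keyring = "gke-keyring"` is now a fixed name paired with `prevent_destroy = false`, and Cloud KMS key rings cannot be deleted: after `terraform destroy` the ring remains in the project, so a second `terraform apply` of this example in the same project and region fails with an already-exists error on the key ring unless it is imported first. A `random_id`-suffixed name, or a README line telling users to import the existing ring, avoids the trap. The `module "kms"` block starts outside the hunk; the `}` on its last line closes it.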
@@ -14,12 +14,6 @@
 * limitations under the License.
 */
 
-data "google_project" "project" {}
-
-locals {
- gke_sa = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
-}
-
 module "kms" {
 source = "terraform-google-modules/kms/google"
 version = "~> 2.2.1"
From 8f496814f1b18680d4c5f2cd4071c14414f866e1 Mon Sep 17 00:00:00 2001
From: avinashkumar1289
Date: Mon, 22 May 2023 10:10:15 +0530
Subject: [PATCH 5/6] ReadMe changes
---
 examples/safer_cluster_iap_bastion/README.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/examples/safer_cluster_iap_bastion/README.md b/examples/safer_cluster_iap_bastion/README.md
index 7edbce4ba1..f527858d5e 100644
--- a/examples/safer_cluster_iap_bastion/README.md
+++ b/examples/safer_cluster_iap_bastion/README.md
@@ -43,8 +43,6 @@ To deploy this example:
 | cluster\_name | The name of the cluster | `string` | `"safer-cluster-iap-bastion"` | no |
 | ip\_range\_pods\_name | The secondary ip range to use for pods | `string` | `"ip-range-pods"` | no |
 | ip\_range\_services\_name | The secondary ip range to use for pods | `string` | `"ip-range-svc"` | no |
-| keyring | Keyring name. | `string` | `"gke-keyring"` | no |
-| keys | Key names. | `list(string)` |
[
"gke-key"
]
| no | | network\_name | The name of the network being created to host the cluster in | `string` | `"safer-cluster-network"` | no | | project\_id | The project ID to host the cluster in | `string` | n/a | yes | | region | The region to host the cluster in | `string` | `"us-central1"` | no | From 473b1d63394b6799da1c707df1411a7780bf1378 Mon Sep 17 00:00:00 2001 From: avinashkumar1289 Date: Tue, 23 May 2023 09:03:26 +0530 Subject: [PATCH 6/6] Terraform Format --- examples/safer_cluster_iap_bastion/apis.tf | 2 +- examples/safer_cluster_iap_bastion/kms.tf | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index 9d37af5b54..8665a9b3d1 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -20,7 +20,7 @@ module "enabled_google_apis" { project_id = var.project_id disable_services_on_destroy = false - activate_api_identities = [{ + activate_api_identities = [{ api = "container.googleapis.com", roles = ["roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypter"], diff --git a/examples/safer_cluster_iap_bastion/kms.tf b/examples/safer_cluster_iap_bastion/kms.tf index a0526126b2..93dea01c0e 100644 --- a/examples/safer_cluster_iap_bastion/kms.tf +++ b/examples/safer_cluster_iap_bastion/kms.tf @@ -15,11 +15,11 @@ */ module "kms" { - source = "terraform-google-modules/kms/google" - version = "~> 2.2.1" - project_id = var.project_id - location = var.region - keyring = "gke-keyring" - keys = ["gke-key"] - prevent_destroy = false + source = "terraform-google-modules/kms/google" + version = "~> 2.2.1" + project_id = var.project_id + location = var.region + keyring = "gke-keyring" + keys = ["gke-key"] + prevent_destroy = false }