chore: Attach KMS Key in Safer IAP GKE cluster

examples/safer_cluster_iap_bastion/README.md

@@ -4,6 +4,8 @@ This end to end example aims to showcase access patterns to a [Safer Cluster](..
 
 Additionally we deploy a [tinyproxy](https://tinyproxy.github.io/) daemon which allows `kubectl` commands to be piped through the bastion host allowing ease of development from a local machine with the security of GKE Private Clusters.
 
+GKE Autopilot clusters are deployed with Application-layer Secrets Encryption that protects your secrets in etcd with a key you manage in [Cloud KMS](https://github.com/terraform-google-modules/terraform-google-kms/blob/master/README.md).
+
 ## Setup
 
 To deploy this example:
@@ -41,6 +43,8 @@ To deploy this example:
 | cluster\_name | The name of the cluster | `string` | `"safer-cluster-iap-bastion"` | no |
 | ip\_range\_pods\_name | The secondary ip range to use for pods | `string` | `"ip-range-pods"` | no |
 | ip\_range\_services\_name | The secondary ip range to use for pods | `string` | `"ip-range-svc"` | no |
+| keyring | Keyring name. | `string` | `"gke-keyring"` | no |
+| keys | Key names. | `list(string)` | <pre>[<br>  "gke-key"<br>]</pre> | no |
 | network\_name | The name of the network being created to host the cluster in | `string` | `"safer-cluster-network"` | no |
 | project\_id | The project ID to host the cluster in | `string` | n/a | yes |
 | region | The region to host the cluster in | `string` | `"us-central1"` | no |
@@ -59,6 +63,9 @@ To deploy this example:
 | cluster\_name | Cluster name |
 | endpoint | Cluster endpoint |
 | get\_credentials\_command | gcloud get-credentials command to generate kubeconfig for the private cluster |
+| keyring | The name of the keyring. |
+| keyring\_resource | The location of the keyring. |
+| keys | Map of key name => key self link. |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | network\_name | The name of the VPC being created |

examples/safer_cluster_iap_bastion/apis.tf

@@ -32,5 +32,6 @@ module "enabled_google_apis" {
     "binaryauthorization.googleapis.com",
     "stackdriver.googleapis.com",
     "iap.googleapis.com",
+    "cloudkms.googleapis.com",
   ]
 }

examples/safer_cluster_iap_bastion/cluster.tf

@@ -29,6 +29,12 @@ module "gke" {
     cidr_block   = "${module.bastion.ip_address}/32"
     display_name = "Bastion Host"
   }]
+  database_encryption = [
+    {
+      "key_name" : module.kms.keys[var.keys[0]],
+      "state" : "ENCRYPTED"
+    }
+  ]
   grant_registry_access = true
   node_pools = [
     {

examples/safer_cluster_iap_bastion/kms.tf

@@ -0,0 +1,39 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_project" "project" {}
+
+locals {
+  gke_sa = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
+}
+
+module "kms" {
+  source             = "terraform-google-modules/kms/google"
+  version            = "~> 2.2.1"
+  project_id         = var.project_id
+  location           = var.region
+  keyring            = var.keyring
+  keys               = var.keys
+  prevent_destroy    = false
+  set_decrypters_for = var.keys
+  set_encrypters_for = var.keys
+  encrypters = [
+    local.gke_sa,
+  ]
+  decrypters = [
+    local.gke_sa,
+  ]
+}

examples/safer_cluster_iap_bastion/outputs.tf

@@ -85,3 +85,18 @@ output "bastion_kubectl_command" {
   description = "kubectl command using the local proxy once the bastion_ssh command is running"
   value       = "HTTPS_PROXY=localhost:8888 kubectl get pods --all-namespaces"
 }
+
+output "keyring" {
+  description = "The name of the keyring."
+  value       = module.kms.keyring
+}
+
+output "keyring_resource" {
+  description = "The location of the keyring."
+  value       = module.kms.keyring_resource
+}
+
+output "keys" {
+  description = "Map of key name => key self link."
+  value       = module.kms.keys
+}

examples/safer_cluster_iap_bastion/variables.tf

@@ -69,3 +69,15 @@ variable "bastion_members" {
   description = "List of users, groups, SAs who need access to the bastion host"
   default     = []
 }
+
+variable "keyring" {
+  description = "Keyring name."
+  type        = string
+  default     = "gke-keyring"
+}
+
+variable "keys" {
+  description = "Key names."
+  type        = list(string)
+  default     = ["gke-key"]
+}