temp tf

2025-06-17 01:59:08 +00:00 · 2020-10-09 10:54:55 -04:00 · 2020-10-09 10:54:55 -04:00 · ec505739c8
commit ec505739c8
parent a5e2fdc7a7
31 changed files with 1394 additions and 0 deletions
--- a/terraform/platform/bootstrap/vault-kms.tf
+++ b/terraform/platform/bootstrap/vault-kms.tf
@ -0,0 +1,42 @@
+resource "google_kms_key_ring" "vault-kms-ring" {
+  name     = "vault-keyring"
+  location = "global"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+locals {
+  iam_members = [
+    "serviceAccount:${google_service_account.vault-svcacct.email}"
+  ]
+}
+
+data "google_iam_policy" "vault" {
+  binding {
+    role    = "roles/editor"
+    members = local.iam_members
+  }
+
+  binding {
+    role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+    members = local.iam_members
+  }
+}
+
+resource "google_kms_key_ring_iam_policy" "vault-binding" {
+  key_ring_id = google_kms_key_ring.vault-kms-ring.id
+  policy_data = data.google_iam_policy.vault.policy_data
+}
+
+resource "google_kms_crypto_key" "vault-key" {
+  name            = "vault-key"
+  key_ring        = google_kms_key_ring.vault-kms-ring.id
+  rotation_period = "100000s" // just over one day
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+