import * as gcp from '@pulumi/gcp';
import * as random from '@pulumi/random';
/** Inputs for {@link createKMS}. */
interface VaultKeyRingArgs {
  /** Service account granted encrypt/decrypt on the Vault init crypto key. */
  serviceAccount: gcp.serviceAccount.Account;
  /** Enabled project APIs the key ring is created after (`dependsOn`). */
  projectServices: gcp.projects.Service[];
  /** Name of the crypto key used for Vault init material. */
  kmsCryptoKey: string;
  /**
   * Key ring name prefix.
   * NOTE(review): not read by createKMS as written — the ring name comes from a
   * RandomId with the literal prefix 'vault-'. Confirm whether this is intended.
   */
  kmsKeyRingPrefix: string;
  /** GCP project id; used to look up the project number for the GKE service agent. */
  project: string;
  /** Cloud KMS location of the key ring. */
  region: string;
}
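/**
 * Create the Vault KMS resources:
 *  - a key ring with a random-suffixed name (presumably so a torn-down stack
 *    can be re-created, since Cloud KMS key rings cannot be deleted — confirm),
 *  - the crypto key for encrypting Vault init keys, plus an IAM grant that lets
 *    `args.serviceAccount` encrypt/decrypt with it,
 *  - the crypto key for encrypting Kubernetes secrets, plus an IAM grant for
 *    the project's GKE service agent.
 *
 * Both keys rotate every 7 days (`604800s`). Grants use the non-authoritative
 * `CryptoKeyIAMMember`, so they add to rather than replace the key's policy.
 *
 * @param args project/region, the Vault service account, the enabled project
 *   services the key ring must wait for, and the init key name.
 *   NOTE(review): `args.kmsKeyRingPrefix` is not used; the ring name prefix is
 *   the literal `'vault-'`. Switching to the argument would replace the
 *   RandomId and therefore the key ring, so it is deliberately left as-is.
 * @returns the key ring, both crypto keys and both IAM grants.
 */
export default function createKMS(
  args: VaultKeyRingArgs
): {
  keyRing: gcp.kms.KeyRing;
  cryptoKey: gcp.kms.CryptoKey;
  cryptoKeyIamRole: gcp.kms.CryptoKeyIAMMember;
  k8sSecret: gcp.kms.CryptoKey;
  k8sSecretGke: gcp.kms.CryptoKeyIAMMember;
} {
  // 7-day rotation, shared by both keys.
  const rotationPeriod = '604800s';
  const encrypterDecrypterRole = 'roles/cloudkms.cryptoKeyEncrypterDecrypter';

  const vaultKmsId = new random.RandomId('random-kms-id', {
    prefix: 'vault-',
    byteLength: 8,
  }).hex;

  const keyRing = new gcp.kms.KeyRing(
    'vault',
    { name: vaultKmsId, location: args.region },
    // The required project APIs must be enabled before the ring can exist.
    { dependsOn: args.projectServices }
  );

  const cryptoKey = new gcp.kms.CryptoKey('vault-init', {
    name: args.kmsCryptoKey,
    keyRing: keyRing.id,
    rotationPeriod,
  });

  const cryptoKeyIamRole = new gcp.kms.CryptoKeyIAMMember('vault-init', {
    cryptoKeyId: cryptoKey.id,
    role: encrypterDecrypterRole,
    member: args.serviceAccount.email.apply(email => `serviceAccount:${email}`),
  });

  const k8sSecret = new gcp.kms.CryptoKey('vault-kubernetes-secrets', {
    name: 'kubernetes-secrets',
    keyRing: keyRing.id,
    rotationPeriod,
  });

  // Resolve the project number through the promise instead of reading
  // `.number` off the invoke result synchronously: on SDKs where getProject()
  // returns a plain Promise that property is undefined and the member would
  // silently become "serviceAccount:service-undefined@...". `member` accepts a
  // Promise<string>, so no further wrapping is needed.
  const gkeServiceAgent = gcp.organizations
    .getProject({ projectId: args.project })
    .then(
      project =>
        `serviceAccount:service-${project.number}@container-engine-robot.iam.gserviceaccount.com`
    );

  const k8sSecretGke = new gcp.kms.CryptoKeyIAMMember(
    'vault-kubernetes-secrets-gke',
    {
      cryptoKeyId: k8sSecret.id,
      role: encrypterDecrypterRole,
      member: gkeServiceAgent,
    },
    // NOTE(review): the GKE service agent only exists once the Kubernetes
    // Engine API is enabled; depending on args.projectServices as well would
    // express that, but the original dependency is kept unchanged here.
    { dependsOn: args.serviceAccount }
  );

  return {
    keyRing,
    cryptoKey,
    cryptoKeyIamRole,
    k8sSecret,
    k8sSecretGke,
  };
}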