terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

KMS alignment: remove standalone KMS resources from cai-monitoring.tf #1248

Closed eeaton closed 1 week ago

eeaton commented 1 month ago

TL;DR

The resources for cai-monitoring.tf are encrypted with CMEK, but this is inconsistent with how CMEK is enforced (or not) throughout the rest of the deployment.

Expected behavior

While many users of the blueprint will likely want to configure and implement CMEK on their sensitive resources, it doesn't make sense to implement this only for the resources under cai-monitoring. A customer typically expects consistent management of their CMEK design across all resources.

Observed behavior

CMEK is implemented only for one resource in isolation

Terraform Configuration

  1. remove module "kms" from cai-monitoring.tf
  2. remove the encryption_key arg from module "cai_monitoring"
  3. check other files for references to this module

Terraform Version

n/a

Additional information

PR #1132 fixed a few other issues introduced by porting a standalone repo into this repo as a module.

A future major update to this repo will add options for applying CMEK consistently across all resources, possibly adopting KMS Autokey.
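A dependency check for step 3 of the list above, added here as an illustration and not part of the issue or the repository: it scans a Terraform root for `*.tf` files that still read `module.kms` outputs, which would turn into undeclared-module errors once the module block is deleted. The module sources, output names and file contents in the sample root are constructed assumptions.

```shell
# Step 3 of the issue: before deleting module "kms" from cai-monitoring.tf,
# list every *.tf file in the root that still reads one of its outputs
# (module.kms.<output>); any leftover reference breaks terraform plan/apply.
find_module_refs() {
  dir=$1; name=${2:-kms}
  find "$dir" -name '*.tf' ! -path '*/.terraform/*' | while IFS= read -r f; do
    # Match module.<name> followed by a non-identifier char, e.g. module.kms.keys
    if grep -qE "module\.${name}([^A-Za-z0-9_-]|\$)" "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Number of files still referencing the module; 0 means it is safe to delete.
count_module_refs() {
  find_module_refs "$1" "${2:-kms}" | wc -l | tr -d ' '
}

# Constructed sample root (not the repository's real files); module sources
# and output names are assumptions used only to exercise the check.
make_sample_root() {
  root=$(mktemp -d)
  cat > "$root/cai-monitoring.tf" <<'EOF'
module "kms" {
  source     = "terraform-google-modules/kms/google"  # assumed source
  project_id = var.project_id
  keyring    = "cai-monitoring"
  keys       = ["cai-monitoring-key"]
}

module "cai_monitoring" {
  source         = "../../modules/cai-monitoring"  # assumed path
  encryption_key = module.kms.keys["cai-monitoring-key"]  # arg removed in step 2
}
EOF
  cat > "$root/outputs.tf" <<'EOF'
output "cai_kms_key" {
  value = module.kms.keys["cai-monitoring-key"]  # dangling once module "kms" goes
}
EOF
  printf 'variable "project_id" { type = string }\n' > "$root/variables.tf"
  printf '%s\n' "$root"
}

# Stand-alone run: report referencing files, then clean up the sample root.
root=$(make_sample_root)
echo "Files still referencing module.kms: $(count_module_refs "$root" kms)"
find_module_refs "$root" kms
rm -rf "$root"
```

Run it against the real root before step 1 (`find_module_refs . kms`); a non-empty listing means step 3 still has work left.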

eeaton commented 2 weeks ago

Additionally, we should remove the extra KMS projects under each BU folder ("prj-p-bu1-kms", etc.). These are redundant with the environment-level KMS project "prj-p-kms" and contradict guidance from the product team that KMS management projects should be split by environment. (Further delegation to each BU is an uncommon pattern; typically, platform-level compliance requirements are the responsibility of a central platform team.)

eeaton commented 1 week ago

Addressed by 1271