Status: Closed (eeaton closed this issue 1 week ago)
Additionally, we should remove the extra KMS projects under each BU folder ("prj-p-bu1-kms" etc.). These serve a redundant purpose alongside the environment-level KMS project "prj-p-kms" and contradict guidance from the product team that KMS management projects should be split by environment. (Further delegation to each BU is an uncommon pattern; typically, platform-level compliance requirements are the responsibility of a central platform team.)
Addressed by 1271
TL;DR
The resources for cai-monitoring.tf are encrypted with CMEK, but this is inconsistent with how CMEK is enforced (or not) throughout the rest of the deployment.
Expected behavior
While many users of the blueprint will likely want to configure and implement CMEK on their sensitive resources, it doesn't make sense to implement this only for the resources under cai-monitoring. A customer typically expects consistent management of their CMEK design across all resources.
Observed behavior
CMEK is implemented only for one resource in isolation
Terraform Configuration
module "kms" from cai-monitoring.tf
encryption_key arg from module "cai_monitoring"
Terraform Version
Additional information
PR #1132 fixed a few other issues introduced by porting a standalone repo into this repo as a module.
A future major update to this repo will add options for applying CMEK consistently across all resources, possibly adopting KMS Autokey.
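The following is an added Terraform example, not code from the issue or from the terraform-example-foundation repository, showing the pattern the issue asks for: a single environment-level key (hosted in a project named after the "prj-p-kms" convention above) that several resources consume, rather than a key created only for cai-monitoring. All project IDs, resource names, and the location are placeholders; the consuming resources (a bucket and a Pub/Sub topic) are illustrative and are not resources the repository necessarily creates.

```hcl
# Added example (not repository code): one environment-level KMS key applied
# consistently to every CMEK-capable resource in a consuming project.
# Project IDs, names and locations below are placeholders.

locals {
  env_kms_project = "prj-p-kms"        # environment-level KMS project (naming from the issue)
  location        = "us-central1"      # assumption: single-region key ring
}

resource "google_kms_key_ring" "env" {
  project  = local.env_kms_project
  name     = "krg-p-shared"            # placeholder name
  location = local.location
}

resource "google_kms_crypto_key" "env" {
  name            = "key-p-shared"     # placeholder name
  key_ring        = google_kms_key_ring.env.id
  rotation_period = "7776000s"         # 90 days

  lifecycle {
    prevent_destroy = true             # losing the key makes every encrypted resource unreadable
  }
}

# Each consuming project's service agents need the encrypter/decrypter role on the
# key; without this, resource creation fails even though CMEK is configured.
data "google_project" "app" {
  project_id = "prj-p-bu1-app"         # placeholder consuming project
}

data "google_storage_project_service_account" "gcs" {
  project = data.google_project.app.project_id
}

resource "google_kms_crypto_key_iam_member" "gcs_agent" {
  crypto_key_id = google_kms_crypto_key.env.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_kms_crypto_key_iam_member" "pubsub_agent" {
  crypto_key_id = google_kms_crypto_key.env.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.app.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

# Every resource references the same key; adding a new resource means adding its
# service-agent binding and pointing it at the same key, not creating a new one.
resource "google_storage_bucket" "logs" {
  project  = data.google_project.app.project_id
  name     = "bkt-p-bu1-logs-example"  # placeholder, must be globally unique
  location = "US"

  encryption {
    default_kms_key_name = google_kms_crypto_key.env.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs_agent]
}

resource "google_pubsub_topic" "events" {
  project      = data.google_project.app.project_id
  name         = "top-p-bu1-events"    # placeholder
  kms_key_name = google_kms_crypto_key.env.id

  depends_on = [google_kms_crypto_key_iam_member.pubsub_agent]
}
```

The explicit `depends_on` edges matter: Terraform does not infer that a bucket or topic needs the IAM binding, so without them an apply can race the binding and fail on first run. Keeping the key in a separate, environment-level project (as the issue recommends) also keeps key administration out of the hands of whoever owns the consuming project.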