kms.tf
resource "google_kms_key_ring" "main" {
  # Key ring holding this authority instance's keys.
  # A key ring can be removed from Terraform state but never deleted from GCP,
  # so the name carries a random suffix: regenerating the suffix lets the ring
  # be recreated without colliding with the orphaned one.
  name     = "authority-${var.instance_name}-${random_id.unique_suffix.hex}"
  location = var.region
  project  = var.project_id
}
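resource "google_project_iam_member" "kms_admin" {
  # Grants the application's service account Cloud KMS admin rights at project
  # level, narrowed by an IAM condition to the key ring above and the keys and
  # key versions beneath it.
  # NOTE(review): roles/cloudkms.admin also covers destroying key versions and
  # editing the key ring's IAM policy; confirm the app needs more than key
  # creation. Binding directly on the ring with google_kms_key_ring_iam_member
  # would achieve the same scope without a condition.
  project = var.project_id
  role    = "roles/cloudkms.admin"
  member  = "serviceAccount:${google_service_account.main.email}"

  condition {
    title       = "Limit app access to KMS key ring"
    description = "Exact key ring, or any resource under it."
    # Match the ring itself (key creation is authorised on the ring) or a
    # descendant (id + "/"). A bare startsWith() on the ring id would also
    # match any other key ring in the same location whose name merely begins
    # with this ring's name, since the id is compared as a string prefix.
    expression = "resource.name == \"${google_kms_key_ring.main.id}\" || resource.name.startsWith(\"${google_kms_key_ring.main.id}/\")"
  }
}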
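resource "google_project_iam_member" "kms_operator" {
  # Grants the application's service account the crypto-operation role
  # (encrypt/decrypt/sign style operations) at project level, narrowed by an
  # IAM condition to the key ring above and the keys and key versions beneath
  # it. Binding directly on the ring with google_kms_key_ring_iam_member would
  # achieve the same scope without a condition.
  project = var.project_id
  role    = "roles/cloudkms.cryptoOperator"
  member  = "serviceAccount:${google_service_account.main.email}"

  condition {
    title       = "Limit app access to KMS key ring"
    description = "Exact key ring, or any resource under it."
    # Match the ring itself or a descendant (id + "/"). A bare startsWith() on
    # the ring id would also match any other key ring in the same location
    # whose name merely begins with this ring's name, since the id is compared
    # as a string prefix.
    expression = "resource.name == \"${google_kms_key_ring.main.id}\" || resource.name.startsWith(\"${google_kms_key_ring.main.id}/\")"
  }
}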