Securing Your Google Kubernetes Engine (GKE) Cluster with Terraform: A Comprehensive Guide
Running containerized applications on Google Kubernetes Engine (GKE) is a common choice on Google Cloud Platform (GCP), and the cluster's security has to be designed in from the start rather than bolted on. One part of that design is the certificate material every GKE cluster depends on: the per-cluster certificate authority that clients use to verify the API server, and the legacy client certificate that GKE can optionally issue. This article explains how these certificates are created, how Terraform exposes them in base64-encoded form, and how to manage related key material such as a Cloud KMS key from the same configuration.
What is Terraform?
Terraform is an infrastructure-as-code (IaC) tool that allows you to define and manage your infrastructure resources, including your GKE cluster, using a declarative configuration language called HashiCorp Configuration Language (HCL). This approach enables you to automate the provisioning, configuration, and management of your infrastructure.
Why Use Terraform for GKE Cluster Management?
Using Terraform for managing your GKE cluster offers several benefits:
- Automation: Terraform automates the creation, deployment, and configuration of your GKE cluster, saving time and reducing errors.
- Version Control: Your GKE configuration is stored in version control, enabling you to track changes, collaborate effectively, and roll back to previous versions if needed.
- Consistency: Terraform ensures that your GKE cluster is always provisioned and configured according to your defined specifications.
- Scalability: Terraform makes it easy to scale your GKE cluster up or down to meet your evolving needs.
Understanding Certificates in GKE
Certificates secure the connection to your cluster's control plane. The API server presents a TLS certificate signed by a per-cluster certificate authority (CA), so a client such as kubectl can verify that it is talking to the genuine control plane and not to an interposed endpoint. Certificates can also identify a client, but in GKE users and services normally authenticate with IAM identities (Google accounts and service accounts) presenting OAuth tokens, and authorization is enforced by IAM and Kubernetes RBAC, not by the certificate itself.
Types of Certificates in GKE:
- Cluster CA Certificate: GKE generates a certificate authority for each cluster and signs the API server's serving certificate with it. Clients need the CA certificate to verify the endpoint. Terraform exposes it as the master_auth[0].cluster_ca_certificate attribute of google_container_cluster, base64-encoded, and it is the same CA that gcloud container clusters get-credentials writes into your kubeconfig.
- Client Certificate: an X.509 certificate signed by the cluster CA that authenticates a client to the API server. GKE can issue one when the cluster is created (master_auth.client_certificate_config.issue_client_certificate in Terraform), but it is disabled by default on current versions and should stay disabled: it is a long-lived credential that bypasses IAM and cannot be revoked short of rotating the cluster's credentials. Kubernetes service accounts do not use certificates at all; they authenticate with signed bearer tokens issued by the control plane.
Generating and Encoding Certificates with Terraform
Terraform does not mint the cluster's certificates itself: GKE generates the cluster CA (and the optional client certificate) when the cluster is created, and Terraform exposes them base64-encoded in the master_auth attribute of the google_container_cluster resource, ready to be decoded with base64decode() for a kubeconfig or a Kubernetes provider block. What Terraform does let you provision is the key material around the cluster. The configuration below creates a Cloud KMS key, which a GKE cluster can use to encrypt Kubernetes Secrets at rest (application-layer secrets encryption), and grants encrypt/decrypt on it to a service account:
resource "google_kms_crypto_key" "key" {
  name = "my-key"
  # The attribute is key_ring and takes the full resource name of an existing key ring.
  key_ring = "projects/gcp-project-id/locations/global/keyRings/my-keyring"
  purpose  = "ENCRYPT_DECRYPT"
  # Rotate the primary key version every 90 days; older versions remain usable for decryption.
  rotation_period = "7776000s"
  version_template {
    algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION_AES256_GCM"
  }
  # Destroying the key makes everything encrypted under it unrecoverable.
  lifecycle {
    prevent_destroy = true
  }
}
resource "google_kms_crypto_key_iam_member" "sa_crypto_key_encrypt_decrypt" {
  # google_service_account.gke_sa is defined elsewhere in this configuration.
  # For GKE application-layer Secrets encryption the grant must instead go to the GKE
  # service agent, service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com.
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_service_account.gke_sa.email}"
}
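The following configuration is an added example, not code from the original article, showing how the certificate settings described in the "Types of Certificates" section and the KMS key above fit together in one google_container_cluster definition: the legacy client certificate is not issued, Kubernetes Secrets are encrypted with the customer-managed key, the key grant goes to the GKE service agent that actually performs the encryption, nodes run as the dedicated service account, and the base64-encoded cluster CA is decoded as an output. It assumes google_kms_crypto_key.key and google_service_account.gke_sa are defined as in the article, with the key ring in the same region as the cluster (GKE requires this for Secrets encryption, so a key ring in location "global" would have to be moved to var.region). The resource names secure-cluster and primary-pool, and the variables var.project_id, var.region and var.authorized_cidr with their defaults, are illustrative assumptions.

```hcl
# Added example. Assumed to exist elsewhere, as in the article:
#   google_kms_crypto_key.key     - the KMS key (key ring must be in var.region)
#   google_service_account.gke_sa - the dedicated node service account
variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

variable "authorized_cidr" {
  type    = string
  default = "203.0.113.0/24" # documentation range; replace with your admin network
}

data "google_project" "project" {
  project_id = var.project_id
}

# GKE encrypts Secrets in etcd using its own service agent, so that agent (not the
# node service account) is the principal that needs encrypt/decrypt on the key.
resource "google_kms_crypto_key_iam_member" "gke_service_agent" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
}

resource "google_container_cluster" "primary" {
  name     = "secure-cluster"
  location = var.region
  project  = var.project_id

  # Node pools are declared separately below; drop the default pool.
  remove_default_node_pool = true
  initial_node_count       = 1

  # Never issue the legacy X.509 client certificate; authenticate with IAM identities.
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  # Only the listed network may reach the API server endpoint.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = var.authorized_cidr
      display_name = "admin-network"
    }
  }

  # Encrypt Kubernetes Secrets at rest with the customer-managed KMS key.
  database_encryption {
    state    = "ENCRYPTED"
    key_name = google_kms_crypto_key.key.id
  }

  # Workload Identity: pods obtain IAM credentials without node-level keys.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # The key grant must exist before the control plane first uses the key.
  depends_on = [google_kms_crypto_key_iam_member.gke_service_agent]
}

resource "google_container_node_pool" "primary" {
  name       = "primary-pool"
  cluster    = google_container_cluster.primary.name
  location   = var.region
  project    = var.project_id
  node_count = 1

  node_config {
    machine_type = "e2-standard-2"
    # Nodes run as the dedicated service account, not the Compute Engine default one.
    service_account = google_service_account.gke_sa.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}

# master_auth returns the cluster CA base64-encoded; decode it to PEM for a kubeconfig or
# a kubernetes provider block. The CA certificate is public material (unlike a client key),
# so it does not need to be marked sensitive.
output "cluster_ca_certificate_pem" {
  value = base64decode(google_container_cluster.primary.master_auth[0].cluster_ca_certificate)
}
```

After terraform apply, running terraform output -raw cluster_ca_certificate_pem | openssl x509 -noout -subject -dates prints the CA's subject and validity period, which is a quick check that the decoded value is a real PEM certificate rather than a double-encoded string. If the output is empty or fails to parse, check the master_auth index and that the value was decoded exactly once.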