@gbrayut
Created December 12, 2022 20:51
KCC CloudSQL KMS KMSCryptoKey encryptionKMSCryptoKeyRef
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  name: sqladmin.googleapis.com
spec:
  projectRef:
    external: projects/gregbray-gke
# If error: Per-product, per-project service account not found
# Fix using: gcloud beta services identity create --service=sqladmin.googleapis.com --project=gregbray-gke
#
# If error: Insufficient permission to use KMS key
# The Cloud SQL service agent is service-<PROJECT_NUMBER>@gcp-sa-cloud-sql.iam.gserviceaccount.com,
# where PROJECT_NUMBER is the number of the project that owns the instance (gregbray-gke here),
# and it needs the encrypter/decrypter role in the project that owns the key (gregbray-kms).
# Fix using: gcloud projects add-iam-policy-binding "gregbray-kms" \
#   --member "serviceAccount:service-1071993867227@gcp-sa-cloud-sql.iam.gserviceaccount.com" \
#   --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gregbray-kms
    # abandon: deleting this KCC resource leaves the key in GCP instead of scheduling it
    # for destruction. A destroyed CMEK key makes the instance and its backups unreadable.
    cnrm.cloud.google.com/deletion-policy: abandon
  name: my-cloudsql-key
spec:
  # Time a key version spends in DESTROY_SCHEDULED before it is actually destroyed (24h).
  destroyScheduledDuration: 86400s
  keyRingRef:
    # https://cloud.google.com/config-connector/docs/reference/resource-docs/kms/kmscryptokey
    name: my-key-ring
    namespace: config-control
    # or
    # external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring
  purpose: ENCRYPT_DECRYPT
  resourceID: my-cloudsql-key
  versionTemplate:
    algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
    protectionLevel: SOFTWARE
---
# From https://cloud.google.com/config-connector/docs/reference/resource-docs/sql/sqlinstance#postgres_sql_instance_with_kms_encryption
apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLInstance
metadata:
  name: my-sql-instance
spec:
  databaseVersion: POSTGRES_14
  encryptionKMSCryptoKeyRef:
    # https://cloud.google.com/config-connector/docs/reference/resource-docs/sql/sqlinstance
    name: my-cloudsql-key
    namespace: config-control
    # or
    # external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-cloudsql-key
  # Must match the location of the key ring holding the CMEK key.
  region: us-central1
  settings:
    availabilityType: REGIONAL
    tier: db-f1-micro
    backupConfiguration:
      enabled: true
      pointInTimeRecoveryEnabled: true
    databaseFlags:
      - name: cloudsql.enable_pgaudit
        value: 'on'
      - name: pgaudit.log
        value: all
      - name: cloudsql.iam_authentication
        value: 'on'
    diskAutoresize: true
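The two errors called out in the comments above (missing per-project service agent, and the agent lacking the KMS role) only surface after Config Connector has tried and failed to create the instance. The following is an added pre-flight check, not part of the gist, that reports both problems up front from the JSON that `gcloud projects get-iam-policy <kms-project> --format=json` prints, and also catches a key ring whose location does not match the SQLInstance region (Cloud SQL requires the CMEK key to be in the instance's region). The policy JSON, project number and key path are constructed sample values, and conditional IAM bindings are deliberately not counted because they may not apply when the service agent calls KMS.

```python
"""Pre-flight check for Cloud SQL CMEK with Config Connector (added example).

Inputs: the IAM policy of the KMS project as printed by
`gcloud projects get-iam-policy <kms-project> --format=json`, the project
number of the project that owns the SQLInstance, the full cryptoKey resource
name used in encryptionKMSCryptoKeyRef.external, and the instance region.
All sample data below is constructed for illustration.
"""
import json
import re

KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# Constructed sample policy: the Cloud SQL service agent is bound only under an
# IAM condition that has already expired, so the binding cannot be relied on.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["user:owner@example.com"], "role": "roles/owner"},
    {"members": ["serviceAccount:service-1071993867227@gcp-sa-cloud-sql.iam.gserviceaccount.com"],
     "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "condition": {"title": "expired",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXexample=",
  "version": 3
}
""")


def service_agent_email(project_number):
    """Email of the Cloud SQL per-project service agent, i.e. the identity that
    `gcloud beta services identity create --service=sqladmin.googleapis.com` creates."""
    return f"service-{project_number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"


def has_unconditional_binding(policy, member, role):
    """True if `member` holds `role` through a binding with no IAM condition."""
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or "condition" in binding:
            continue
        if member in binding.get("members", []):
            return True
    return False


def parse_key(resource):
    """Split a full cryptoKey resource name into project/location/ring/key."""
    m = KEY_RE.match(resource)
    if not m:
        raise ValueError(f"not a cryptoKey resource name: {resource!r}")
    return m.groupdict()


def check_cmek_prereqs(policy, sql_project_number, key_resource, instance_region):
    """Return a list of findings; an empty list means the manifests should apply."""
    findings = []
    key = parse_key(key_resource)
    member = "serviceAccount:" + service_agent_email(sql_project_number)
    if not has_unconditional_binding(policy, member, KMS_ROLE):
        findings.append(
            f"{member} lacks {KMS_ROLE} on project {key['project']}; fix with: "
            f"gcloud projects add-iam-policy-binding {key['project']} "
            f"--member {member} --role {KMS_ROLE}"
        )
    if key["location"] != instance_region:
        findings.append(
            f"key location {key['location']} != instance region {instance_region}; "
            "Cloud SQL CMEK keys must be in the same region as the instance"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the manifest above; 1071993867227 is taken
    # from the gist's comment as the Cloud SQL project's number.
    for finding in check_cmek_prereqs(
        SAMPLE_POLICY,
        "1071993867227",
        "projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-cloudsql-key",
        "us-central1",
    ):
        print("FAIL:", finding)
```

Run it with the real policy (`gcloud projects get-iam-policy gregbray-kms --format=json > policy.json`, then `json.load` it in place of SAMPLE_POLICY) before applying the manifests; if the key is granted at the key or key ring level rather than the project, fetch that resource's policy with `gcloud kms keys get-iam-policy` instead.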