
Module hardening

Open · ilakhtenkov opened this issue 2 years ago · 1 comment

As hardening measures I propose the following:

  • Add the ability to provide a CMEK for the following services:
    • [x] GCS
    • [ ] Pub/Sub
    • [ ] Dataflow

ilakhtenkov, Feb 15 '23

Thx for kicking off this discussion. This makes sense for deployments that require services with CMEK.

How about we add this change gradually in the order you highlighted?

  1. CMEK-encrypted GCS (temporary bucket)
  2. CMEK for PubSub (source)
  3. CMEK for Dataflow (pipeline)

Each of these requires additional permissions handling:

  [1] https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys#service-agent-access
  [2] https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys#using_sources_and_sinks_that_are_protected_with_cloud_kms_keys
  [3] https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys#granting_encrypterdecrypter_permissions

Since the project containing the Cloud KMS key may be different from the project running the Dataflow pipeline, I think the permissions should not be managed by this module, but I propose we document them in the README. Let me know what you think.

rarsan, Feb 26 '23
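The three steps above, written out as an added Terraform example; this is not code from the terraform-splunk-log-export module or from either participant, and the resource names, the dedicated worker service account and the variables `project_id`, `region`, `kms_key_name`, `splunk_hec_url` and `splunk_hec_token` are assumptions. It shows the one CMEK threaded through the temporary bucket, the source and dead-letter topics, and the Dataflow job, together with the EncrypterDecrypter grants each service agent needs before the encrypted resource can be created. The grants are written against the key itself, so applying them needs IAM permission in the KMS project, which is exactly why the second comment proposes documenting them rather than having the module manage them:

```hcl
# Added example, not module code: one CMEK threaded through GCS, Pub/Sub and
# Dataflow. Assumed inputs: var.project_id, var.region, var.kms_key_name (full
# resource name; the key may live in another project), var.splunk_hec_url and
# var.splunk_hec_token.

variable "project_id"     { type = string }
variable "region"         { type = string }
variable "kms_key_name"   { type = string } # projects/P/locations/R/keyRings/K/cryptoKeys/C
variable "splunk_hec_url" { type = string }
variable "splunk_hec_token" {
  type      = string
  sensitive = true
}

data "google_project" "project" {
  project_id = var.project_id
}

# 1. GCS temporary bucket. The Cloud Storage service agent must hold
#    EncrypterDecrypter on the key before a bucket with a default CMEK is created.
data "google_storage_project_service_account" "gcs" {
  project = var.project_id
}

resource "google_kms_crypto_key_iam_member" "gcs" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "dataflow_temp" {
  name                        = "${var.project_id}-dataflow-temp"
  project                     = var.project_id
  location                    = var.region
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = var.kms_key_name
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs]
}

# 2. Pub/Sub source and dead-letter topics. The Pub/Sub service agent encrypts
#    stored message data and needs the same role on the key.
resource "google_kms_crypto_key_iam_member" "pubsub" {
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

resource "google_pubsub_topic" "topics" {
  for_each     = toset(["splunk-logs", "splunk-logs-deadletter"])
  name         = each.key
  project      = var.project_id
  kms_key_name = var.kms_key_name

  depends_on = [google_kms_crypto_key_iam_member.pubsub]
}

resource "google_pubsub_subscription" "logs" {
  name    = "splunk-logs-sub"
  project = var.project_id
  topic   = google_pubsub_topic.topics["splunk-logs"].id
}

# 3. Dataflow pipeline. Both the Dataflow service agent and the worker service
#    account need the role, and the key ring must be in the job's region.
resource "google_service_account" "dataflow_worker" {
  account_id = "dataflow-worker"
  project    = var.project_id
}

resource "google_kms_crypto_key_iam_member" "dataflow" {
  for_each = {
    service_agent = "serviceAccount:service-${data.google_project.project.number}@dataflow-service-producer-prod.iam.gserviceaccount.com"
    worker        = "serviceAccount:${google_service_account.dataflow_worker.email}"
  }
  crypto_key_id = var.kms_key_name
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = each.value
}

resource "google_dataflow_job" "pubsub_to_splunk" {
  name                  = "pubsub-to-splunk"
  project               = var.project_id
  region                = var.region
  template_gcs_path     = "gs://dataflow-templates/latest/Cloud_PubSub_to_Splunk"
  temp_gcs_location     = "${google_storage_bucket.dataflow_temp.url}/tmp"
  service_account_email = google_service_account.dataflow_worker.email
  kms_key_name          = var.kms_key_name

  parameters = {
    inputSubscription     = google_pubsub_subscription.logs.id
    outputDeadletterTopic = google_pubsub_topic.topics["splunk-logs-deadletter"].id
    url                   = var.splunk_hec_url
    token                 = var.splunk_hec_token
  }

  depends_on = [google_kms_crypto_key_iam_member.dataflow]
}
```

The `depends_on` edges matter: each service rejects the create call if its agent cannot yet use the key, so the grants have to land first. The Pub/Sub and Dataflow agents only exist once the respective API has been enabled in the project; on a fresh project provision them first (for example with `google_project_service_identity`) or the IAM binding fails on a non-existent principal. Dataflow additionally requires the key's location to match the job region, so a global key will not work for step 3. The usual worker-level roles (Dataflow worker, Pub/Sub subscriber and publisher, bucket access) are unchanged by CMEK and are not shown here.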