View Source

Kyvos now supports automated resource creation for GCP using Terraform.

To create Kyvos resources, read the following:

Prerequisites to run Terraform from GCP cloud shell

You need a valid Google Cloud Platform account. This account will be used to authenticate Terraform to interact with GCP resources.
The following permissions are required:
- Editor Role
- Secret Manager Admin
- Storage Object Admin
- storage.buckets.get
- storage.buckets.update
- storage.objects.update
Google Console users must have the privilege to launch Google resources like Instances, Dataproc cluster, Google Storage, and Disks in the project.
Logged-in users must have the privilege to launch Gcloud in GCP.
To use an existing service account for deployments, add the cloudfunctions.admin role. Additionally, for specific permissions, see the Prerequisites for deploying Kyvos in a GCP environment section.
To use an existing VPC for deployments, it must possess specific permissions as outlined in the Prerequisites for deploying Kyvos in a GCP environment section.
To use an existing bucket for deployments, it must possess specific permissions as outlined in the Prerequisites for deploying Kyvos in a GCP environment section.

Download and install Terraform on your local machine.
To install Terraform, refer to the Terraform documentation.
Execute Terraform init command to verify successful installation of Terraform.
Jq should be installed on your local machine.
You need a GCP account to create and manage resources. Ensure that you have the necessary permissions.
Configure GCP on your local machine.
For gcloud initialization, refer to the Google documentation.

To run deployment with encryption, set the value of enableEncryption parameter to true.
To run deployment with encryption with new cmk:
To use an existing service account for deployments, the following permissions are needed:
- roles/cloudkms.cryptoKeyEncrypter
- roles/cloudkms.cryptoKeyDecrypter
- roles/cloudkms.cryptoKeyEncrypterDecrypter

Note

Encryption will be enabled for the following components:
- Disk
- Cloud storage
- Secret manager
The service agent must be present in the project where the user is going to deploy for Google Cloud Storage and Secret Manager. For more details, refer to Google documentation.
Cloud Key Management Service (KMS) API must be enabled in the project before deployment.
The existing cmk must be in the same region as deployment.
The existing cmk location must be regional; global keys are not supported by GCS buckets. For more details, refer to Google documentation.

To use the BYOK (Bring Your Own Key) feature: The service agent must be present in the project where the user is going to deploy for Google Cloud Storage and Secret Manager. For more details, refer to Google documentation.
To use an existing key, specify cmkKeyRingName and cmkKeyName in the parameter.
To use an existing service account for deployments, the following permissions are needed:
- roles/cloudkms.cryptoKeyEncrypter
- roles/cloudkms.cryptoKeyDecrypter
- Roles/cloudkms.cryptoKeyEncrypterDecrypter