
Kyvos now supports automated resource creation for GCP using Terraform.

To create Kyvos resources, read the following:

Prerequisites to run Terraform from GCP cloud shell

  • You need a valid Google Cloud Platform account. This account will be used to authenticate Terraform to interact with GCP resources.

  • The following permissions are required:

    • Editor Role

    • Secret Manager Admin

    • Storage Object Admin

    • storage.buckets.get

    • storage.buckets.update

    • storage.objects.update

  • Google Cloud console users must have the privilege to launch Google Cloud resources such as instances, Dataproc clusters, Cloud Storage, and disks in the project.

  • Logged-in users must have the privilege to run gcloud in GCP.

  • To use an existing service account for deployments, add the cloudfunctions.admin role. Additionally, for specific permissions, see the Prerequisites for deploying Kyvos in a GCP environment section.

  • To use an existing VPC for deployments, it must possess specific permissions as outlined in the Prerequisites for deploying Kyvos in a GCP environment section.

  • To use an existing bucket for deployments, it must possess specific permissions as outlined in the Prerequisites for deploying Kyvos in a GCP environment section.

Prerequisites to run Terraform from a local machine

  • Download and install Terraform on your local machine.

  • To install Terraform, refer to the Terraform documentation.

  • Execute the terraform init command to verify that Terraform was installed successfully.

  • jq must be installed on your local machine.

  • You need a GCP account to create and manage resources. Ensure that you have the necessary permissions.

  • Configure gcloud for GCP on your local machine.

  • For gcloud initialization, refer to the Google documentation.

Automated resource creation using Terraform from GCP

To create resources using Terraform from GCP, perform the following steps.

  1. To execute Terraform on Google Cloud Platform's Cloud Shell, activate Cloud Shell, then click Open Editor to create the necessary folders.

  2. Create a directory named terraform and add subdirectories and files according to the following specifications:

    [Directory layout image: image-20241017-081850.png]
  3. Access the kyvosparams.tfvars file located in the conf directory, and configure the parameters as needed for your deployment.

  4. In the Cloud Shell interface on Google Cloud Platform, open a new terminal by clicking on the terminal icon located on the left-hand side.

Note

After opening the terminal in Cloud Shell, ensure that Cloud Shell is configured to operate within the same project where you intend to deploy your resources.

  5. From the terminal, navigate to the directory where your files are stored, for example with cd terraform. Then navigate to the bin folder and execute the ./deploy.sh command. This command will initialize Terraform, generate a plan, and apply the configuration as specified in the kyvosparams.tfvars file.

  6. Review the output to ensure Terraform will create, modify, or delete the resources as expected.

    • If you need to interrupt the script while it's running, press Ctrl+Z.

    • If you need to make modifications to the kyvosparams.tfvars file, do so accordingly.

  7. Upon successful execution of this command, Terraform will display the outputs as specified in the configuration.

  8. Terraform will generate an output.json file containing all outputs, which Kyvos Manager will utilize for configurations.

  9. To destroy your entire deployment, simply execute the ./deploy.sh destroy command.

Note

  • After successfully executing the configuration, Terraform will automatically generate a .tfstate file. To create a new file using the same configuration files, first destroy the existing deployment configured in those files.

  • To change the sourceImage or kmSourceImage, navigate to the source folder, open the variable.tf file, and update the default value as needed.

Automated resource creation using Terraform from Local Machine

To create resources using Terraform from a local machine, perform the following steps.

  1. Open a terminal or command prompt on your local machine.

  2. Navigate to your Terraform configuration directory (where your .tf files are located).

  3. Create a directory named terraform and add subdirectories and files according to the following specifications:

    [Directory layout image: Picture16.png]
  4. Access the kyvosparams.tfvars file located in the conf directory, and configure the parameters as needed for your deployment.

  5. Change to the bin folder and execute the ./deploy.sh command. This command will initialize Terraform, generate a plan, and apply the configuration as specified in the kyvosparams.tfvars file.

  6. Review the output to ensure Terraform will create, modify, or delete the resources as expected.

    • If you need to interrupt the script while it's running, press Ctrl+Z.

    • If you need to make modifications to the kyvosparams.tfvars file, do so accordingly.

  7. Upon successful execution of this command, Terraform will display the outputs as specified in the configuration.

  8. To destroy your entire deployment, simply execute the ./deploy.sh destroy command.
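The Cloud Shell and local-machine procedures above both come down to the same Terraform sequence that bin/deploy.sh runs: init, plan, apply, write output.json, and destroy on request. The script below is an added example written for this page, not Kyvos' own deploy.sh. It assumes the Terraform root is the source folder next to bin and that kyvosparams.tfvars lives in ../conf (the page's terraform/conf and terraform/bin layout); all paths can be overridden from the environment. The plan is saved to a file and that exact file is applied, so the resources you reviewed in step 6 are the only ones that get created.

```shell
#!/bin/sh
# Added example, not Kyvos' own bin/deploy.sh: the init / plan / apply / output
# sequence the page describes, with "destroy" to tear the deployment down.
# Assumptions (not stated on the page): the Terraform root is the source folder
# next to bin, and kyvosparams.tfvars sits in ../conf as in the page's layout.
set -eu

# Absolute paths, so the result does not depend on how -chdir resolves
# relative arguments; override any of these from the environment.
TF_ROOT="${TF_ROOT:-$PWD/../source}"
VARS_FILE="${VARS_FILE:-$PWD/../conf/kyvosparams.tfvars}"
PLAN_FILE="${PLAN_FILE:-$PWD/tfplan}"
OUTPUT_JSON="${OUTPUT_JSON:-$PWD/output.json}"

# One place to build the variable-file argument, so plan and destroy
# cannot silently diverge on which tfvars file they use.
tf_var_args() { printf -- '-var-file=%s' "$VARS_FILE"; }

deploy() {
  terraform -chdir="$TF_ROOT" init -input=false
  # Save the plan to a file and apply exactly that file: the resources you
  # reviewed in the plan output are the only ones that get created.
  terraform -chdir="$TF_ROOT" plan -input=false "$(tf_var_args)" -out="$PLAN_FILE"
  terraform -chdir="$TF_ROOT" apply -input=false "$PLAN_FILE"
  # Kyvos Manager reads the deployment outputs from output.json.
  terraform -chdir="$TF_ROOT" output -json > "$OUTPUT_JSON"
  echo "outputs written to $OUTPUT_JSON"
}

destroy() {
  terraform -chdir="$TF_ROOT" destroy "$(tf_var_args)"
}

case "${1:-}" in
  deploy)  deploy ;;
  destroy) destroy ;;
  "")      : ;;  # no argument: only define the functions (lets the file be sourced)
  *)       echo "usage: $0 deploy|destroy" >&2; exit 2 ;;
esac
```

Run it from the bin folder as ./tf_deploy.sh deploy or ./tf_deploy.sh destroy. Unlike the page's deploy.sh, a bare invocation with no argument does nothing, so the file can also be sourced to reuse the functions. After a deploy, jq (a listed prerequisite) can read a single value from output.json, for example jq -r '.some_output.value' output.json, where some_output is whichever output name your configuration defines.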

Encryption Key (CMK) support in GCP Terraform

  • To run the deployment with encryption, set the enableEncryption parameter to true.

  • To run the deployment with encryption and a new CMK while using an existing service account, the service account needs the following roles:

    • roles/cloudkms.cryptoKeyEncrypter

    • roles/cloudkms.cryptoKeyDecrypter

    • roles/cloudkms.cryptoKeyEncrypterDecrypter

Note

  • Encryption will be enabled for the following components:

    • Disk

    • Cloud storage

    • Secret manager

  • The service agent must be present in the project where the user is going to deploy for Google Cloud Storage and Secret Manager. For more details, refer to Google documentation.

  • Cloud Key Management Service (KMS) API must be enabled in the project before deployment.

  • The existing CMK must be in the same region as the deployment.

  • The existing CMK location must be regional; global keys are not supported by GCS buckets. For more details, refer to Google documentation.

  • To use the BYOK (Bring Your Own Key) feature, the service agent must be present in the project where the user is going to deploy for Google Cloud Storage and Secret Manager. For more details, refer to Google documentation.

  • To use an existing key, specify the cmkKeyRingName and cmkKeyName parameters.

  • To use an existing service account for deployments, the following permissions are needed:

    • roles/cloudkms.cryptoKeyEncrypter

    • roles/cloudkms.cryptoKeyDecrypter

    • roles/cloudkms.cryptoKeyEncrypterDecrypter
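The notes above leave three things for the operator to verify before running deploy.sh with enableEncryption set to true: that cmkKeyRingName and cmkKeyName are set together (existing key) or not at all (new key), that the key ring is regional and in the deployment region, and that the existing service account holds the Cloud KMS roles listed both here and in the new-CMK bullet above. The following pre-flight script is an added example for this page, not part of the Kyvos scripts. The parameter names it reads are the ones the page names; the tfvars path, the deployment region and the key ring location are assumptions supplied by the caller, and the role list is expected in the one-role-per-line form that the gcloud command in the comment prints.

```shell
#!/bin/sh
# Added pre-flight checks for the CMK settings, not part of the Kyvos scripts.
# Parameter names enableEncryption, cmkKeyRingName and cmkKeyName are the ones
# the page names; the file path and the region/location arguments are
# assumptions supplied by the caller.

# tfvar FILE KEY: print the value of KEY from a tfvars file (quotes and a
# trailing "# comment" stripped), empty if KEY is not set. Simple line-based
# parsing: a '#' inside a quoted value would be cut off.
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"[[:space:]]*$//' \
    | head -n 1
}

# check_cmk_params FILE: enableEncryption must be true or false; with
# encryption on, cmkKeyRingName and cmkKeyName are either both set (use an
# existing key) or both unset (Terraform creates a new one).
check_cmk_params() {
  cmk_enc=$(tfvar "$1" enableEncryption)
  cmk_ring=$(tfvar "$1" cmkKeyRingName)
  cmk_key=$(tfvar "$1" cmkKeyName)
  case "$cmk_enc" in
    true) ;;
    false) echo "encryption disabled (enableEncryption = false)"; return 0 ;;
    *) echo "ERROR: enableEncryption must be true or false, got '${cmk_enc:-<unset>}'"; return 1 ;;
  esac
  if [ -n "$cmk_ring" ] && [ -n "$cmk_key" ]; then
    echo "existing key: '$cmk_key' in key ring '$cmk_ring'"
  elif [ -z "$cmk_ring" ] && [ -z "$cmk_key" ]; then
    echo "new key: Terraform will create the key ring and key"
  else
    echo "ERROR: set cmkKeyRingName and cmkKeyName together, or neither"
    return 1
  fi
}

# check_cmk_location DEPLOY_REGION KEYRING_LOCATION: the key ring must sit in
# the deployment region, and "global" is rejected (GCS buckets cannot use it).
check_cmk_location() {
  if [ "$2" = global ]; then
    echo "ERROR: global key rings are not supported by Cloud Storage buckets"; return 1
  fi
  if [ "$1" != "$2" ]; then
    echo "ERROR: key ring location '$2' differs from deployment region '$1'"; return 1
  fi
  echo "key ring location matches deployment region '$1'"
}

# check_kms_roles: read one IAM role per line on stdin, as printed by
#   gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:SA_EMAIL" --format="value(bindings.role)"
# and pass if the combined cryptoKeyEncrypterDecrypter role is bound, or both
# cryptoKeyEncrypter and cryptoKeyDecrypter are (the combined role grants both).
has_role() { printf '%s\n' "$ROLE_LIST" | grep -qx -- "$1"; }
check_kms_roles() {
  ROLE_LIST=$(cat)
  if has_role roles/cloudkms.cryptoKeyEncrypterDecrypter; then
    echo "OK: roles/cloudkms.cryptoKeyEncrypterDecrypter is bound"; return 0
  fi
  if has_role roles/cloudkms.cryptoKeyEncrypter && has_role roles/cloudkms.cryptoKeyDecrypter; then
    echo "OK: cryptoKeyEncrypter and cryptoKeyDecrypter are both bound"; return 0
  fi
  echo "MISSING: bind roles/cloudkms.cryptoKeyEncrypterDecrypter (or both cryptoKeyEncrypter and cryptoKeyDecrypter) to the service account"
  return 1
}
```

Source the file and call check_cmk_params ../conf/kyvosparams.tfvars, check_cmk_location REGION LOCATION with your deployment region and the key ring's location, and pipe the gcloud command from the comment into check_kms_roles for the service account you intend to reuse. Each function returns non-zero on a problem, so the three calls can be chained with && ahead of ./deploy.sh.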
