
Kyvos now supports automated resource creation for GCP using Terraform.

To create Kyvos resources, read the following:

Prerequisites to run Terraform from GCP cloud shell

  • You need a valid Google Cloud Platform account. This account will be used to authenticate Terraform to interact with GCP resources.

  • The following permissions are required:

    • Editor Role

    • Secret Manager Admin

    • Storage Object Admin

    • storage.buckets.get

    • storage.buckets.update

    • storage.objects.update

  • Google Console users must have the privilege to launch Google resources such as Instances, Dataproc clusters, Google Storage, and Disks in the project.

  • Logged-in users must have the privilege to launch gcloud in GCP.

  • To use an existing service account for deployments, add the cloudfunctions.admin role. Additionally, for specific permissions, see the Prerequisites for deploying Kyvos in a GCP environment section.

  • To use an existing VPC for deployments, it must possess specific permissions as outlined in the Prerequisites for deploying Kyvos in a GCP environment section.

  • To use an existing bucket for deployments, it must possess specific permissions as outlined in the Prerequisites for deploying Kyvos in a GCP environment section.

Prerequisites to run Terraform from a local machine

  • Download and install Terraform on your local machine.

  • To install Terraform, refer to the Terraform documentation.

  • Run the terraform init command to verify that Terraform was installed successfully.

  • jq must be installed on your local machine.

  • You need a GCP account to create and manage resources. Ensure that you have the necessary permissions.

  • Configure GCP on your local machine.

  • For gcloud initialization, refer to the Google documentation.

Encryption Key (CMK) support in GCP Terraform

  • To run a deployment with encryption, set the enableEncryption parameter to true.

  • To run a deployment with encryption using a new CMK while reusing an existing service account, that service account needs the following permissions:

    • roles/cloudkms.cryptoKeyEncrypter

    • roles/cloudkms.cryptoKeyDecrypter

    • roles/cloudkms.cryptoKeyEncrypterDecrypter

Note

  • Encryption will be enabled for the following components:

    • Disk

    • Cloud storage

    • Secret manager

  • The service agent must be present in the project where the user is going to deploy for Google Cloud Storage and Secret Manager. For more details, refer to Google documentation.

  • Cloud Key Management Service (KMS) API must be enabled in the project before deployment.

  • The existing CMK must be in the same region as the deployment.

  • The existing CMK location must be regional; global keys are not supported by GCS buckets. For more details, refer to the Google documentation.

  • To use the BYOK (Bring Your Own Key) feature, the service agent for Google Cloud Storage and Secret Manager must be present in the project where the user is going to deploy. For more details, refer to the Google documentation.

  • To use an existing key, specify cmkKeyRingName and cmkKeyName in the parameters.

  • To use an existing service account for deployments, the following permissions are needed:

    • roles/cloudkms.cryptoKeyEncrypter

    • roles/cloudkms.cryptoKeyDecrypter

    • roles/cloudkms.cryptoKeyEncrypterDecrypter
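A pre-flight check that encodes the CMK and service-account prerequisites listed above, added here as an example rather than Kyvos or Google code. The parameter names enableEncryption, cmkKeyRingName and cmkKeyName come from this page; the region variable and the shape of the key, role and API inputs are assumptions standing in for what gcloud would return.

```python
# Added example (not Kyvos or Google code): validates the CMK prerequisites above
# before running terraform apply. Inputs are plain dicts/lists constructed to mimic
# gcloud output; "region" and those input shapes are assumptions, not page values.

KMS_PAIR = {"roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyDecrypter"}
KMS_COMBINED = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def check_prerequisites(params, key_info, sa_roles, enabled_apis):
    """Return a list of problems; an empty list means the deployment may proceed.

    params       - Terraform variables for the deployment
    key_info     - location of the existing CMK (None when a new key is created)
    sa_roles     - roles bound to an existing service account (None if Terraform creates one)
    enabled_apis - services enabled in the target project
    """
    problems = []
    roles = set(sa_roles or [])
    if sa_roles is not None and "roles/cloudfunctions.admin" not in roles:
        problems.append("existing service account lacks roles/cloudfunctions.admin")
    if not params.get("enableEncryption"):
        return problems  # remaining checks apply only to encrypted deployments
    if "cloudkms.googleapis.com" not in enabled_apis:
        problems.append("Cloud KMS API is not enabled in the project")
    if params.get("cmkKeyRingName") and params.get("cmkKeyName"):
        location = (key_info or {}).get("location", "")
        if location == "global":
            problems.append("existing CMK is global; GCS buckets require a regional key")
        elif location != params["region"]:
            problems.append(f"existing CMK is in {location}, deployment region is {params['region']}")
    if sa_roles is not None and not (KMS_PAIR <= roles or KMS_COMBINED in roles):
        problems.append("existing service account lacks Cloud KMS encrypt/decrypt roles")
    return problems


# Constructed sample: an encrypted deployment reusing a global key and an under-privileged SA.
SAMPLE_PARAMS = {"enableEncryption": True, "region": "us-central1",
                 "cmkKeyRingName": "kyvos-ring", "cmkKeyName": "kyvos-key"}
SAMPLE_KEY = {"location": "global"}
SAMPLE_ROLES = ["roles/editor", "roles/cloudkms.cryptoKeyEncrypter"]
SAMPLE_APIS = ["compute.googleapis.com", "cloudkms.googleapis.com"]

if __name__ == "__main__":
    for problem in check_prerequisites(SAMPLE_PARAMS, SAMPLE_KEY, SAMPLE_ROLES, SAMPLE_APIS):
        print("BLOCKER:", problem)
```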
