gbrayut · December 12, 2022 20:51
diff --git a/kcc-cloudsql-kms-cmek.yaml b/kcc-cloudsql-kms-cmek.yaml
 apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
 kind: Service
 metadata:
  name: sqladmin.googleapis.com
 spec:
  projectRef:
    external: projects/gregbray-gke
 # If error: Per-product, per-project service account not found
 # Fix using: gcloud beta services identity create --service=sqladmin.googleapis.com --project=gregbray-gke
 #
 # If error: Insufficient permission to use KMS key
 # Fix using: gcloud projects add-iam-policy-binding "gregbray-kms" \
 #  --member "serviceAccount:[email protected]" \
 #  --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 ---
 apiVersion: kms.cnrm.cloud.google.com/v1beta1
 kind: KMSCryptoKey
 metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gregbray-kms
    cnrm.cloud.google.com/deletion-policy: abandon
  name: my-cloudsql-key
 spec:
  destroyScheduledDuration: 86400s
  keyRingRef:
  # https://cloud.google.com/config-connector/docs/reference/resource-docs/kms/kmscryptokey
    name: my-key-ring
    namespace: config-control
  # or
  #  external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring
  purpose: ENCRYPT_DECRYPT
  resourceID: my-cloudsql-key
  versionTemplate:
    algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
    protectionLevel: SOFTWARE
 ---
 # From https://cloud.google.com/config-connector/docs/reference/resource-docs/sql/sqlinstance#postgres_sql_instance_with_kms_encryption
 apiVersion: sql.cnrm.cloud.google.com/v1beta1
 kind: SQLInstance
 metadata:
  name: my-sql-instance
 spec:
  databaseVersion: POSTGRES_14
  encryptionKMSCryptoKeyRef:
    # https://cloud.google.com/config-connector/docs/reference/resource-docs/sql/sqlinstance
    name: my-cloudsql-key
    namespace: config-control
    # or
    #external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-cloudsql-key
  region: us-central1
  settings:
    availabilityType: REGIONAL
    tier: db-f1-micro
    backupConfiguration:
      enabled: true
      pointInTimeRecoveryEnabled: true
    databaseFlags:
    - name: cloudsql.enable_pgaudit
      value: 'on'
    - name: pgaudit.log
      value: all
    - name: cloudsql.iam_authentication
      value: 'on'
    diskAutoresize: true
	apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
	kind: Service
	metadata:
	name: sqladmin.googleapis.com
	spec:
	projectRef:
	external: projects/gregbray-gke
	# If error: Per-product, per-project service account not found
	# Fix using: gcloud beta services identity create --service=sqladmin.googleapis.com --project=gregbray-gke
	#
	# If error: Insufficient permission to use KMS key
	# Fix using: gcloud projects add-iam-policy-binding "gregbray-kms" \
	# --member "serviceAccount:[email protected]" \
	# --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
	---
	apiVersion: kms.cnrm.cloud.google.com/v1beta1
	kind: KMSCryptoKey
	metadata:
	annotations:
	cnrm.cloud.google.com/project-id: gregbray-kms
	cnrm.cloud.google.com/deletion-policy: abandon
	name: my-cloudsql-key
	spec:
	destroyScheduledDuration: 86400s
	keyRingRef:
	# https://cloud.google.com/config-connector/docs/reference/resource-docs/kms/kmscryptokey
	name: my-key-ring
	namespace: config-control
	# or
	# external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring
	purpose: ENCRYPT_DECRYPT
	resourceID: my-cloudsql-key
	versionTemplate:
	algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
	protectionLevel: SOFTWARE
	---
	# From https://cloud.google.com/config-connector/docs/reference/resource-docs/sql/sqlinstance#postgres_sql_instance_with_kms_encryption
	apiVersion: sql.cnrm.cloud.google.com/v1beta1
	kind: SQLInstance
	metadata:
	name: my-sql-instance
	spec:
	databaseVersion: POSTGRES_14
	encryptionKMSCryptoKeyRef:
	# https://cloud.google.com/config-connector/docs/reference/resource-docs/sql/sqlinstance
	name: my-cloudsql-key
	namespace: config-control
	# or
	#external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-cloudsql-key
	region: us-central1
	settings:
	availabilityType: REGIONAL
	tier: db-f1-micro
	backupConfiguration:
	enabled: true
	pointInTimeRecoveryEnabled: true
	databaseFlags:
	- name: cloudsql.enable_pgaudit
	value: 'on'
	- name: pgaudit.log
	value: all
	- name: cloudsql.iam_authentication
	value: 'on'
	diskAutoresize: true