
Expand CMEK options for GCP and AWS

Grant Young requested to merge gy-cmek-additions into main

What does this MR do?

Follow up to !1248 (merged)

MR expands and refines CMEK options as follows:

  • GCP CMEK can now be configured for Object Storage as support in the product was added.
  • AWS CMEK option was added for EKS Node disks. This previously wasn't an option, but it can be now after we recently switched to Launch Templates.
  • Refactored the AWS CMEK approach to be more modular moving forward and to reduce accidental blast radius.
    • default_kms_key_arn is now deprecated (but maintained until 4.x), and it's now recommended to pass in KMS keys individually for each service type via default_disk_kms_key_arn, object_storage_kms_key_arn, eks_default_disk_kms_key_arn, rds_postgres_kms_key_arn, elasticache_redis_kms_key_arn and opensearch_service_kms_key_arn accordingly. This matches the approach taken with GCP, and it is recommended security-wise to have separate keys.
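As an added illustration (not part of this MR or of GET itself), a small Python check over a GET AWS variable map that flags the deprecated single-key setting, unset per-service keys, and any key shared between service types. The variable names come from the list above; the lint function and the sample ARNs are hypothetical and constructed.

```python
"""Lint a GET AWS Terraform variable map for the per-service CMEK layout.

Hypothetical helper (not part of GET): flags the deprecated default_kms_key_arn,
unset per-service keys, and keys shared between service types.
"""
import re
from collections import defaultdict

# Per-service CMEK variables named in the MR description.
SERVICE_KMS_VARS = (
    "default_disk_kms_key_arn",
    "object_storage_kms_key_arn",
    "eks_default_disk_kms_key_arn",
    "rds_postgres_kms_key_arn",
    "elasticache_redis_kms_key_arn",
    "opensearch_service_kms_key_arn",
)
DEPRECATED_VAR = "default_kms_key_arn"  # still accepted until 4.x per the MR

# Loose shape check for a KMS key ARN; region and account are not validated.
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+$")


def lint_cmek(tfvars: dict) -> list[str]:
    """Return findings; an empty list means every service type has its own key."""
    findings = []
    if tfvars.get(DEPRECATED_VAR):
        findings.append(f"{DEPRECATED_VAR} is deprecated; set the per-service *_kms_key_arn variables")
    by_key = defaultdict(list)
    for var in SERVICE_KMS_VARS:
        arn = tfvars.get(var)
        if not arn:
            findings.append(f"{var} is unset")
            continue
        if not KMS_ARN_RE.match(arn):
            findings.append(f"{var} is not a KMS key ARN: {arn}")
        by_key[arn].append(var)
    for arn, users in by_key.items():
        if len(users) > 1:  # one key across services widens the blast radius
            findings.append(f"key shared by {', '.join(users)}: {arn}")
    return findings


# Constructed sample: one shared key via the deprecated variable vs. one key per service.
_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-4000-8000-00000000000{}"
SHARED_KEY_CONFIG = {DEPRECATED_VAR: _ARN.format(1)}
PER_SERVICE_CONFIG = {v: _ARN.format(i) for i, v in enumerate(SERVICE_KMS_VARS, 1)}
```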

Related issues

Relates #834 (closed)

Author's checklist

When ready for review, the Author applies the workflow::ready for review label and mentions @gl-quality/get-maintainers:

  • Merge request:
    • Corresponding Issue raised and reviewed by the GET maintainers team.
    • Merge Request Title and Description are up-to-date, accurate, and descriptive
    • MR targeting the appropriate branch
    • MR has a green pipeline
    • MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
  • Code:
    • Check the area changed works as expected. Consider testing it in different environment sizes (1k,3k,10k,etc.).
    • Documentation created/updated in the same MR.
    • If this MR adds an optional configuration - check that all permutations continue to work.
    • For Terraform changes: set up a previous version environment, then run a terraform plan with your new changes and ensure nothing will be destroyed. If anything will be destroyed and this can't be avoided please add a comment to the current MR.
  • Create any follow-up issue(s) to support the new feature across other supported cloud providers or advanced configurations. Create 1 issue for each provider/configuration. Contact the Quality Enablement team if unsure.
Edited by Grant Young
