Encrypt Terraform state with KMS managed keys for GCS backend #24967

Closed
dinvlad opened this issue May 15, 2020 · 3 comments · Fixed by #31786
dinvlad commented May 15, 2020

Current Terraform Version

v0.12.25

Use-cases

Following up on #16836 and #16936, currently the GCS backend supports customer-supplied encryption key, which is stored in clear text on the client, when configured using the encryption_key parameter for the backend.

Instead, GCS has supported customer-managed keys for some time now, which could provide a simple way to encrypt Terraform state with KMS.

Attempted Solutions

We may be able to use default customer-managed keys, which enable transparent encryption/decryption of objects, without any explicit configuration for the GCS backend in Terraform.

Proposal

It would be great to be able to explicitly specify a KMS Customer-Managed encryption key in GCS backend:

terraform {
  backend "gcs" {
    bucket  = "tf-state-prod"
    prefix  = "terraform/state"
    kms_encryption_key {
      location = "us-east1" # optional, defaults to 'global'
      key_ring = "terraform-keyring"
      key = "terraform-key" 
    }
  }
}

This would allow us to enforce the encryption on the bucket, instead of relying on the implicit configuration of the default key for the bucket (which can oftentimes be overlooked).

Additionally, this would prevent the encryption key leakage (as it would not be stored on the client) and enable its rotation through KMS, as opposed to the current static setting for encryption_key.

References
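The bucket-level default key that the "Attempted Solutions" section points at, written out as an added example (it is not code from the issue, from the linked PR, or from Terraform's own documentation); the project, bucket, key ring, key and location names are assumed placeholders. It creates the KMS key with automatic rotation, grants the Cloud Storage service agent encrypt/decrypt rights on that key (without this binding, writes to a CMEK bucket fail), sets the key as the bucket default, and enables versioning so state history survives.

```hcl
# Added example: bucket-default CMEK for a Terraform state bucket.
# Names below (project, bucket, key ring, key, location) are placeholders.

provider "google" {
  project = "my-project" # assumed project ID
  region  = "us-east1"
}

# The Cloud Storage service agent that encrypts/decrypts objects on the
# bucket's behalf; it must hold the encrypter/decrypter role on the key.
data "google_storage_project_service_account" "gcs" {}

resource "google_kms_key_ring" "tf_state" {
  name     = "terraform-keyring"
  location = "us-east1"
}

resource "google_kms_crypto_key" "tf_state" {
  name            = "terraform-key"
  key_ring        = google_kms_key_ring.tf_state.id
  rotation_period = "7776000s" # 90 days; older key versions stay usable for decrypt

  lifecycle {
    prevent_destroy = true # destroying the key makes existing state unreadable
  }
}

resource "google_kms_crypto_key_iam_member" "gcs_service_agent" {
  crypto_key_id = google_kms_crypto_key.tf_state.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "tf_state" {
  name                        = "tf-state-prod"
  location                    = "US-EAST1"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  versioning {
    enabled = true
  }

  encryption {
    # Full resource name: projects/.../locations/.../keyRings/.../cryptoKeys/...
    default_kms_key_name = google_kms_crypto_key.tf_state.id
  }

  # The IAM binding must exist before the default key is set, or bucket
  # creation fails because the service agent cannot yet use the key.
  depends_on = [google_kms_crypto_key_iam_member.gcs_service_agent]
}
```

With this in place the backend block needs only `bucket` and `prefix`; every object the backend writes under that prefix (state and lock files) is encrypted with the bucket's default key, and no key material exists on the client. Two caveats a practitioner should check: a default key applies only to objects written after it is set, so state objects already in the bucket keep their previous encryption until they are rewritten, and `gsutil stat gs://tf-state-prod/terraform/state/default.tfstate` should show a `KMS key:` line once the first write with the new default has happened. This is the bucket-side enforcement the proposal contrasts with; the `kms_encryption_key` block shown in the proposal is the issue author's suggested syntax, not a setting the backend offered at the time of the post.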

@FranAguiar

Is there any chance for this enhancement?


crw commented Sep 8, 2022

@FranAguiar, thanks for the question! The GCP team has looked into the feasibility of this feature, but there is not currently a specific commitment or timeline. If that changes we will update this ticket. Thanks again!

github-actions bot commented Nov 4, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 4, 2022