From 36dd8f4db179e9ee877ed7a43d571ece36661774 Mon Sep 17 00:00:00 2001
From: ikjeong
Date: Mon, 3 Mar 2025 11:36:54 +0900
Subject: [PATCH] feat: configure Vault KMS authentication across different GCP projects
---
 modules/gcp/core/gcs.tf | 4 ++--
 modules/gcp/core/iam.tf | 19 +++++++++++--------
 modules/gcp/core/kms.tf | 4 +++-
 modules/gcp/core/service.tf | 5 +++--
 modules/gcp/core/variables.tf | 13 +++++++------
 modules/gcp/gke/variables.tf | 2 +-
 modules/gcp/iam/main.tf | 11 ++++++-----
 modules/gcp/service/main.tf | 3 ++-
 modules/infra/vault/main.tf | 1 +
 modules/infra/vault/values.yaml | 4 ++--
 modules/infra/vault/variables.tf | 4 ++++
 projects/gcp/core/main.tf | 3 ++-
 projects/gcp/core/provider.tf | 2 +-
 projects/gcp/core/terraform.tfvars | 5 +++++
 projects/gcp/core/variables.tf | 13 +++++++------
 projects/k8s/base/terraform.tfvars | 3 +++
 projects/k8s/gateway/deployments/output.tf | 1 +
 projects/k8s/vault/deployments/main.tf | 1 +
 .../k8s/vault/deployments/terraform.tfvars | 4 ++++
 projects/k8s/vault/deployments/variables.tf | 4 +++-
 20 files changed, 69 insertions(+), 37 deletions(-)
 create mode 100644 projects/gcp/core/terraform.tfvars
 create mode 100644 projects/k8s/base/terraform.tfvars
 create mode 100644 projects/k8s/vault/deployments/terraform.tfvars
diff --git a/modules/gcp/core/gcs.tf b/modules/gcp/core/gcs.tf
index 79b2a24..d7a9bdb 100644
--- a/modules/gcp/core/gcs.tf
+++ b/modules/gcp/core/gcs.tf
@@ -1,7 +1,7 @@
 resource "google_storage_bucket" "terraform_state" {
- name = "${var.project_id}-tfstate"
+ name = "${var.main_project_id}-tfstate"
 location = var.location
- project = var.project_id
+ project = var.main_project_id
 
 versioning {
 enabled = true
diff --git a/modules/gcp/core/iam.tf b/modules/gcp/core/iam.tf
index 92f63f6..bc6c96f 100644
--- a/modules/gcp/core/iam.tf
+++ b/modules/gcp/core/iam.tf
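Review bot: Changing `name` on `google_storage_bucket.terraform_state` to `${var.main_project_id}-tfstate` forces the bucket to be replaced, so the next apply will try to destroy the bucket that currently holds this stack's state and create an empty one in the main project. Migrate the state first (update the backend `bucket`, then `terraform init -migrate-state`) and guard the resource with `lifecycle { prevent_destroy = true }` so a versioned state bucket can never sit on a destroy path. The resource body continues past the hunk, so I cannot see whether `uniform_bucket_level_access = true` and `public_access_prevention = "enforced"` are set; a state bucket holds secrets and should have both.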
@@ -1,18 +1,21 @@ -resource "google_service_account" "vault_kms_sa" { - project = var.project_id - account_id = "vault-kms-sa" - display_name = "Vault KMS Service Account" -} - resource "google_project_iam_custom_role" "vault_kms_custom_role" { + project = var.main_project_id role_id = "vaultKmsRole" title = "Vault KMS Custom Role" description = "Custom role for Vault to use KMS for auto-unseal with minimal permissions" - project = var.project_id - + permissions = [ "cloudkms.cryptoKeyVersions.useToEncrypt", "cloudkms.cryptoKeyVersions.useToDecrypt", "cloudkms.cryptoKeys.get", ] } + +resource "google_kms_crypto_key_iam_binding" "vault_kms_custom_binding" { + crypto_key_id = "projects/${var.main_project_id}/locations/${var.region}/keyRings/${google_kms_key_ring.vault_keyring.name}/cryptoKeys/${google_kms_crypto_key.vault_crypto_key.name}" + role = google_project_iam_custom_role.vault_kms_custom_role.id + + members = [ + "serviceAccount:vault-sa@${var.project_id}.iam.gserviceaccount.com" + ] +} diff --git a/modules/gcp/core/kms.tf b/modules/gcp/core/kms.tf index 073a064..afcee0a 100644 --- a/modules/gcp/core/kms.tf +++ b/modules/gcp/core/kms.tf @@ -1,7 +1,9 @@ resource "google_kms_key_ring" "vault_keyring" { name = "vault-keyring" location = var.region - project = var.project_id + project = var.main_project_id + + depends_on = [google_project_service.services] } resource "google_kms_crypto_key" "vault_crypto_key" { diff --git a/modules/gcp/core/service.tf b/modules/gcp/core/service.tf index d034d0c..559102b 100644 --- a/modules/gcp/core/service.tf +++ b/modules/gcp/core/service.tf @@ -1,13 +1,14 @@ locals { services = toset([ - "secretmanager.googleapis.com" + "secretmanager.googleapis.com", + "cloudkms.googleapis.com" ]) } resource "google_project_service" "services" { for_each = local.services - project = var.project_id + project = var.main_project_id service = each.key disable_dependent_services = true 
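Review bot: `google_kms_crypto_key_iam_binding.vault_kms_custom_binding` grants the key to a hand-built string, `serviceAccount:vault-sa@${var.project_id}.iam.gserviceaccount.com`, instead of to the `google_service_account.vault_sa` that `modules/gcp/iam` now creates; Terraform cannot order or validate this across the two root modules, so the apply fails if the SA does not exist yet, and a later rename of the SA silently leaves Vault unable to unseal. Pass the email in as a variable (`vault_sa_email`) and use `crypto_key_id = google_kms_crypto_key.vault_crypto_key.id` rather than rebuilding the resource name by hand. Note also that `*_iam_binding` is authoritative for `vaultKmsRole` on this key, so any other principal holding that role on it is removed on apply; `google_kms_crypto_key_iam_member` is the non-authoritative form if that is not intended.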
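Review bot: `google_project_service.services` now targets `var.main_project_id` while keeping `disable_dependent_services = true` (and, unless set past the end of the hunk, `disable_on_destroy` at its default of true), so a `terraform destroy` of this core stack would disable Cloud KMS and Secret Manager in the shared main project and everything that depends on them, including the unseal key every Vault instance relies on. For APIs owned by a shared project set `disable_on_destroy = false` and `disable_dependent_services = false`, or enable them from the main project's own stack and only read them here.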
diff --git a/modules/gcp/core/variables.tf b/modules/gcp/core/variables.tf index 5f26342..894dadc 100644 --- a/modules/gcp/core/variables.tf +++ b/modules/gcp/core/variables.tf @@ -1,11 +1,12 @@ variable "project_id" { - type = string + description = "project id" } - -variable "location" { - type = string +variable "main_project_id" { + description = "main project id" } - variable "region" { - type = string + description = "region" +} +variable "location" { + description = "location" } diff --git a/modules/gcp/gke/variables.tf b/modules/gcp/gke/variables.tf index c4db42e..299a4f7 100644 --- a/modules/gcp/gke/variables.tf +++ b/modules/gcp/gke/variables.tf @@ -11,5 +11,5 @@ variable "gke_disk_size_gb" { } variable "gke_version" { - default = "1.31.5-gke.1068000" + default = "1.31.5-gke.1169000" } diff --git a/modules/gcp/iam/main.tf b/modules/gcp/iam/main.tf index 9fa53ad..7f3c4a1 100644 --- a/modules/gcp/iam/main.tf +++ b/modules/gcp/iam/main.tf @@ -62,20 +62,21 @@ resource "google_storage_bucket_iam_member" "terraform_state_access" { */ # for vault -data "google_service_account" "vault_kms_sa" { - account_id = "vault-kms-sa" - project = var.main_project_id +resource "google_service_account" "vault_sa" { + project = var.project_id + account_id = "vault-sa" + display_name = "Vault Service Account" } resource "google_service_account_iam_binding" "vault_workload_identity_binding" { - service_account_id = data.google_service_account.vault_kms_sa.name + service_account_id = google_service_account.vault_sa.name role = "roles/iam.workloadIdentityUser" members = [ "serviceAccount:${var.project_id}.svc.id.goog[vault/vault-sa]" ] - depends_on = [data.google_service_account.vault_kms_sa] + depends_on = [google_service_account.vault_sa] } # ƒor loki diff --git a/modules/gcp/service/main.tf b/modules/gcp/service/main.tf index f412ab8..705c14d 100644 --- a/modules/gcp/service/main.tf +++ b/modules/gcp/service/main.tf 
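Review bot: The rewrite of `variable "project_id"`, `"region"` and `"location"` drops `type = string` in favour of a description only, so Terraform no longer rejects a list or map for these at plan time, and the same loosening is copied verbatim into `projects/gcp/core/variables.tf` later in this patch. Keep both, e.g. `variable "main_project_id" { type = string  description = "GCP project that owns the KMS key ring and the tfstate bucket" }`, and because every one of these values is interpolated into resource names and IAM member strings, a `validation` block such as `condition = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.main_project_id))` cheaply catches a typo before it produces a binding in the wrong project.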
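Review bot: In `modules/gcp/iam/main.tf`, `google_service_account_iam_binding.vault_workload_identity_binding` keeps `depends_on = [google_service_account.vault_sa]` although `service_account_id = google_service_account.vault_sa.name` already creates that dependency, so the explicit `depends_on` is redundant and can be dropped. More importantly, the SA's email is re-derived by hand in two other places in this patch (`modules/gcp/core/iam.tf` and `modules/infra/vault/values.yaml`); add `output "vault_sa_email" { value = google_service_account.vault_sa.email }` here and feed it to those modules so the three cannot drift. The `# ƒor loki` comment in the trailing context has a stray `ƒ` (U+0192) instead of `f`, worth fixing while this area is being touched.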
@@ -6,7 +6,8 @@ locals { "compute.googleapis.com", "container.googleapis.com", "storage.googleapis.com", - "secretmanager.googleapis.com" + "secretmanager.googleapis.com", + "cloudkms.googleapis.com", ]) } diff --git a/modules/infra/vault/main.tf b/modules/infra/vault/main.tf index 83f14b9..67c3066 100644 --- a/modules/infra/vault/main.tf +++ b/modules/infra/vault/main.tf @@ -7,6 +7,7 @@ resource "helm_release" "vault" { values = [templatefile("${path.module}/values.yaml", { project_id = var.project_id + main_project_id = var.main_project_id region = var.region key_ring_name = var.key_ring_name crypto_key_name = var.crypto_key_name diff --git a/modules/infra/vault/values.yaml b/modules/infra/vault/values.yaml index 8b6c3fb..891eb18 100644 --- a/modules/infra/vault/values.yaml +++ b/modules/infra/vault/values.yaml @@ -925,7 +925,7 @@ server: # GKMS keys must already exist, and the cluster must have a service account # that is authorized to access GCP KMS. seal "gcpckms" { - project = "${project_id}" + project = "${main_project_id}" region = "${region}" key_ring = "${key_ring_name}" crypto_key = "${crypto_key_name}" @@ -1008,7 +1008,7 @@ server: # YAML or a YAML-formatted multi-line templated string map of the # annotations to apply to the serviceAccount. annotations: - iam.gke.io/gcp-service-account: "vault-kms-sa@${project_id}.iam.gserviceaccount.com" + iam.gke.io/gcp-service-account: "vault-sa@${project_id}.iam.gserviceaccount.com" # Extra labels to attach to the serviceAccount # This should be a YAML map of the labels to apply to the serviceAccount extraLabels: {} diff --git a/modules/infra/vault/variables.tf b/modules/infra/vault/variables.tf index 1642d66..c8154fd 100644 --- a/modules/infra/vault/variables.tf +++ b/modules/infra/vault/variables.tf @@ -2,6 +2,10 @@ variable "project_id" { description = "The project ID" } +variable "main_project_id" { + description = "The main project ID" +} + variable "region" { description = "The region" } 
diff --git a/projects/gcp/core/main.tf b/projects/gcp/core/main.tf
index db9d92d..159425f 100644
--- a/projects/gcp/core/main.tf
+++ b/projects/gcp/core/main.tf
@@ -20,8 +20,9 @@ terraform {
 module "core" {
 source = "../../../modules/gcp/core"
 project_id = var.project_id
- location = var.location
+ main_project_id = var.main_project_id
 region = var.region
+ location = var.location
 }
 
 module "acme" {
diff --git a/projects/gcp/core/provider.tf b/projects/gcp/core/provider.tf
index 75f4c48..8324272 100644
--- a/projects/gcp/core/provider.tf
+++ b/projects/gcp/core/provider.tf
@@ -1,5 +1,5 @@
 provider "google" {
- project = var.project_id
+ project = var.main_project_id
 region = var.region
 }
 
diff --git a/projects/gcp/core/terraform.tfvars b/projects/gcp/core/terraform.tfvars
new file mode 100644
index 0000000..45afb83
--- /dev/null
+++ b/projects/gcp/core/terraform.tfvars
@@ -0,0 +1,5 @@
+# Google Cloud Platform
+project_id = "goboolean-452007"
+main_project_id = "goboolean-450909"
+region = "asia-northeast3"
+location = "ASIA-NORTHEAST3"
diff --git a/projects/gcp/core/variables.tf b/projects/gcp/core/variables.tf
index 5f26342..894dadc 100644
--- a/projects/gcp/core/variables.tf
+++ b/projects/gcp/core/variables.tf
@@ -1,11 +1,12 @@
 variable "project_id" {
- type = string
+ description = "project id"
 }
-
-variable "location" {
- type = string
+variable "main_project_id" {
+ description = "main project id"
 }
-
 variable "region" {
- type = string
+ description = "region"
+}
+variable "location" {
+ description = "location"
 }
diff --git a/projects/k8s/base/terraform.tfvars b/projects/k8s/base/terraform.tfvars
new file mode 100644
index 0000000..9005dae
--- /dev/null
+++ b/projects/k8s/base/terraform.tfvars
@@ -0,0 +1,3 @@
+# Google Cloud Platform
+project_id = "goboolean-450909"
+region = "asia-northeast3"
diff --git a/projects/k8s/gateway/deployments/output.tf b/projects/k8s/gateway/deployments/output.tf
index 5656f72..9b232ac 100644
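Review bot: Switching `provider "google"` in `projects/gcp/core/provider.tf` to `project = var.main_project_id` changes the default project for every resource in this root module that does not set `project` explicitly, so `module "acme"` (outside the hunk) and anything else relying on the implicit default will show up in the next plan as replaced from `goboolean-452007` into the main project. Review that plan for unintended moves before applying, and prefer making the split explicit, either by passing `project` on each resource or by adding an aliased provider, `provider "google" { alias = "main"  project = var.main_project_id  region = var.region }`, so that which project a resource lands in is visible at the resource rather than hidden in the provider default.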
--- a/projects/k8s/gateway/deployments/output.tf
+++ b/projects/k8s/gateway/deployments/output.tf
@@ -1,3 +1,4 @@
 output "istio_gateway_ip" {
 value = module.istio.istio_gateway_ip
+ sensitive = true
 }
diff --git a/projects/k8s/vault/deployments/main.tf b/projects/k8s/vault/deployments/main.tf
index a0ccf99..12fda90 100644
--- a/projects/k8s/vault/deployments/main.tf
+++ b/projects/k8s/vault/deployments/main.tf
@@ -8,6 +8,7 @@ terraform {
 module "vault" {
 source = "../../../../modules/infra/vault"
 project_id = var.project_id
+ main_project_id = var.main_project_id
 region = var.region
 key_ring_name = local.vault_kms_keyring_name
 crypto_key_name = local.vault_kms_crypto_key_name
diff --git a/projects/k8s/vault/deployments/terraform.tfvars b/projects/k8s/vault/deployments/terraform.tfvars
new file mode 100644
index 0000000..caec064
--- /dev/null
+++ b/projects/k8s/vault/deployments/terraform.tfvars
@@ -0,0 +1,4 @@
+# Google Cloud Platform
+project_id = "goboolean-452007"
+main_project_id = "goboolean-450909"
+region = "asia-northeast3"
diff --git a/projects/k8s/vault/deployments/variables.tf b/projects/k8s/vault/deployments/variables.tf
index c3aa77c..ad207b4 100644
--- a/projects/k8s/vault/deployments/variables.tf
+++ b/projects/k8s/vault/deployments/variables.tf
@@ -1,7 +1,9 @@
 variable "project_id" {
 description = "project id"
 }
-
+variable "main_project_id" {
+ description = "main project id"
+}
 variable "region" {
 description = "region"
 }
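Review bot: `sensitive = true` on `output "istio_gateway_ip"` only redacts the value in `terraform output` and plan display; it is still stored in plaintext in the state file and is trivially read back with `terraform output -raw istio_gateway_ip`, so it provides no protection. A gateway IP that is published in DNS is not confidential, and hiding it mainly inconveniences operators and any automation that consumes the output; if the intent is to keep it out of CI logs, record that in a `description = "..."` on the output, otherwise drop the flag.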