feat: config application-level encryption for fl

platforms/gke/base/use-cases/federated-learning/common.sh

@@ -36,9 +36,15 @@ FEDERATED_LEARNING_SHARED_CONFIG_DIR="${FEDERATED_LEARNING_USE_CASE_TERRAFORM_DI
 # shellcheck disable=SC2034 # Variable is used in other scripts
 FEDERATED_LEARNING_USE_CASE_INITIALIZE_SERVICE_DIR="${FEDERATED_LEARNING_USE_CASE_TERRAFORM_DIR}/initialize"
 
+# Terraservices that are necessary for the core platform
+federated_learning_core_platform_terraservices=(
+  "initialize"
+  "key_management_service"
+)
+
 # shellcheck disable=SC2034 # Variable is used in other scripts
 federated_learning_terraservices=(
-  "initialize"
+  "${federated_learning_core_platform_terraservices[@]}"
   "container_image_repository"
   "private_google_access"
 )
@@ -55,6 +61,8 @@ TERRAFORM_INIT_BACKEND_CONFIG_COMMAND=(
 
 # shellcheck disable=SC2034 # Variable is used in other scripts
 TERRAFORM_CLUSTER_CONFIGURATION=(
+  "cluster_database_encryption_state = \"ENCRYPTED\""
+  "cluster_database_encryption_key_name = \"cluster_database_encryption_key_name_placeholder\""
 )
 
 provision_terraservice() {

platforms/gke/base/use-cases/federated-learning/deploy.sh

@@ -31,6 +31,19 @@ for configuration_variable in "${TERRAFORM_CLUSTER_CONFIGURATION[@]}"; do
 done
 terraform fmt "${ACP_PLATFORM_SHARED_CONFIG_CLUSTER_AUTO_VARS_FILE}"
 
+echo "Provision services that the core platform depends on"
+# shellcheck disable=SC2154 # variable defined in common.sh
+for terraservice in "${federated_learning_core_platform_terraservices[@]}"; do
+  provision_terraservice "${terraservice}"
+done
+
+if ! cluster_database_encryption_key_id="$(get_terraform_output "key_management_service" "cluster_database_encryption_key_id")"; then
+  echo "Error while getting cluster_database_encryption_key_id output"
+  exit 1
+fi
+# Use | as a separator in the sed command because substitution values might contain slashes
+sed -i "s|cluster_database_encryption_key_name_placeholder|${cluster_database_encryption_key_id}|g" "${ACP_PLATFORM_SHARED_CONFIG_CLUSTER_AUTO_VARS_FILE}"
+
 echo "Provisioning the core platform"
 "${ACP_PLATFORM_CORE_DIR}/deploy.sh"
 

platforms/gke/base/use-cases/federated-learning/terraform/_shared_config/uc_federated_learning_variables.tf

@@ -11,3 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
+locals {
+  gke_robot_service_account           = "service-${data.google_project.default.number}@container-engine-robot.iam.gserviceaccount.com"
+  gke_robot_service_account_iam_email = "serviceAccount:${local.gke_robot_service_account}"
+}

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_cluster.auto.tfvars

@@ -0,0 +1 @@
+../../../../_shared_config/cluster.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_cluster_variables.tf

@@ -0,0 +1 @@
+../../../../_shared_config/cluster_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_platform.auto.tfvars

@@ -0,0 +1 @@
+../../../../_shared_config/platform.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_platform_variables.tf

@@ -0,0 +1 @@
+../../../../_shared_config/platform_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_terraform.auto.tfvars

@@ -0,0 +1 @@
+../../../../_shared_config/terraform.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_terraform_variables.tf

@@ -0,0 +1 @@
+../../../../_shared_config/terraform_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_uc_federated_learning.auto.tfvars

@@ -0,0 +1 @@
+../_shared_config/uc_federated_learning.auto.tfvars

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/_uc_federated_learning_variables.tf

@@ -0,0 +1 @@
+../_shared_config/uc_federated_learning_variables.tf

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/backend.tf

@@ -0,0 +1,20 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  backend "gcs" {
+    bucket = ""
+    prefix = "terraform/federated-learning/key-management-service"
+  }
+}

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/main.tf

@@ -0,0 +1,57 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# KeyRings cannot be deleted; append a random suffix to the keyring name
+resource "random_id" "keyring_suffix" {
+  byte_length = 4
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  name     = "${var.platform_name}-keyring-${random_id.keyring_suffix.hex}"
+  project  = google_project_service.cloudkms_googleapis_com.project
+  location = var.cluster_region
+}
+
+resource "google_kms_crypto_key" "cluster_secrects_key" {
+  name                          = "clusterSecretsKey"
+  key_ring                      = google_kms_key_ring.key_ring.id
+  rotation_period               = "7776000s"
+  purpose                       = "ENCRYPT_DECRYPT"
+  import_only                   = false
+  skip_initial_version_creation = false
+
+  lifecycle {
+    prevent_destroy = false
+  }
+
+  version_template {
+    # Ref: https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm
+    algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION"
+
+    # Ref: https://cloud.google.com/kms/docs/reference/rest/v1/ProtectionLevel
+    protection_level = "SOFTWARE"
+  }
+}
+
+resource "google_kms_crypto_key_iam_binding" "cluster_secrets_decrypters" {
+  role          = "roles/cloudkms.cryptoKeyDecrypter"
+  crypto_key_id = google_kms_crypto_key.cluster_secrects_key.id
+  members       = [local.gke_robot_service_account_iam_email]
+}
+
+resource "google_kms_crypto_key_iam_binding" "cluster_secrets_encrypters" {
+  role          = "roles/cloudkms.cryptoKeyEncrypter"
+  crypto_key_id = google_kms_crypto_key.cluster_secrects_key.id
+  members       = [local.gke_robot_service_account_iam_email]
+}

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/output.tf

@@ -0,0 +1,18 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "cluster_database_encryption_key_id" {
+  description = "Id of the cluster database encryption key"
+  value       = google_kms_crypto_key.cluster_secrects_key.id
+}

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/project.tf

@@ -0,0 +1,24 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "google_project" "default" {
+  project_id = var.cluster_project_id
+}
+
+resource "google_project_service" "cloudkms_googleapis_com" {
+  disable_dependent_services = false
+  disable_on_destroy         = false
+  project                    = data.google_project.default.project_id
+  service                    = "cloudkms.googleapis.com"
+}

platforms/gke/base/use-cases/federated-learning/terraform/key_management_service/versions.tf

@@ -0,0 +1,36 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "6.12.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "2.5.2"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.6.3"
+    }
+  }
+
+  provider_meta "google" {
+    module_name = "cloud-solutions/acp_fl_kms_deploy-v1"
+  }
+}