Remove all CMEK references, switch to GMEK

pinetops · claude · pinetops · commit e6643ebc0ac6 · 2025-06-25T14:53:19.000+02:00
- Removed require_cmek_encryption organization policy
- Removed KMS keyring and crypto key resources
- Removed CMEK configuration from BigQuery audit logs dataset
- Removed KMS API enablement from bootstrap and security projects
- Updated documentation to remove KMS encryption references

All resources now use Google-managed encryption keys (GMEK).

🤖 Generated with Claude Code

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf
@@ -43,7 +43,6 @@ resource "google_project_service" "bootstrap_apis" {
     "iam.googleapis.com",
     "storage.googleapis.com",
     "serviceusage.googleapis.com",
-    "cloudkms.googleapis.com",
     "cloudasset.googleapis.com",
     "logging.googleapis.com",
     "pubsub.googleapis.com",
diff --git a/1-organization/main.tf b/1-organization/main.tf
@@ -73,7 +73,6 @@ module "security_baseline" {
     disable_serial_port_access = true
     skip_default_network       = true
     vm_external_ip_access      = true
-    require_cmek_encryption    = true
 
     # Advanced policies - compliant systems only (migration gets exceptions)
     require_os_login     = true  # OS Login required for compliant systems
@@ -112,7 +111,6 @@ module "security_baseline" {
         # Storage & Encryption
         "uniform_bucket_level_access",
         "public_access_prevention", 
-        "require_cmek_encryption",
         # Database
         "require_ssl_sql",
         "restrict_public_sql",
@@ -172,7 +170,6 @@ module "audit_logging" {
     }
   }
 
-  enable_cmek = false # Enable after KMS setup
 }
 
 # Configure group permissions (simplified for small org)
diff --git a/2-security/README.md b/2-security/README.md
@@ -8,7 +8,6 @@ The security phase provides:
 - **PAM (Privileged Access Manager)** - Just-in-time access with proper approvals
 - **Centralized Audit Logging** - All security events logged to BigQuery
 - **Security Monitoring** - Real-time alerts for critical events
-- **KMS Encryption** - At-rest encryption for sensitive data
 
 ## JIT Access Implementation
 
diff --git a/2-security/main.tf b/2-security/main.tf
@@ -87,7 +87,6 @@ resource "google_project_service" "security_apis" {
     "bigquery.googleapis.com",
     "cloudasset.googleapis.com",
     "securitycenter.googleapis.com",
-    "cloudkms.googleapis.com",
     "cloudfunctions.googleapis.com",
     "pubsub.googleapis.com",
     "artifactregistry.googleapis.com",
@@ -123,10 +122,6 @@ resource "google_bigquery_dataset" "audit_logs" {
   description = "Centralized audit logs for compliance and security monitoring"
 
   default_table_expiration_ms = 34560000000  # 400 days per policy
-  
-  default_encryption_configuration {
-    kms_key_name = google_kms_crypto_key.audit_logs_key.id
-  }
 
   access {
     role          = "OWNER"
@@ -150,33 +145,6 @@ resource "google_bigquery_dataset" "audit_logs" {
   }
 }
 
-# KMS keyring for security resources
-resource "google_kms_key_ring" "security" {
-  project  = google_project.security.project_id
-  name     = "security-keyring"
-  location = var.primary_region
-}
-
-# KMS key for audit logs encryption
-resource "google_kms_crypto_key" "audit_logs_key" {
-  name     = "audit-logs-key"
-  key_ring = google_kms_key_ring.security.id
-  purpose  = "ENCRYPT_DECRYPT"
-
-  rotation_period = "7776000s"  # 90 days
-
-  lifecycle {
-    prevent_destroy = true
-  }
-}
-
-# Grant BigQuery service account permission to use the encryption key
-resource "google_kms_crypto_key_iam_member" "bigquery_encryption" {
-  crypto_key_id = google_kms_crypto_key.audit_logs_key.id
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:bq-379812091446@bigquery-encryption.iam.gserviceaccount.com"
-}
-
 # Service account for GitHub Actions CI/CD
 resource "google_service_account" "github_actions" {
   project      = google_project.security.project_id

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,6 @@ module "security_baseline" {`
`73`	`73`	`disable_serial_port_access = true`
`74`	`74`	`skip_default_network = true`
`75`	`75`	`vm_external_ip_access = true`
`76`		`- require_cmek_encryption = true`
`77`	`76`
`78`	`77`	`# Advanced policies - compliant systems only (migration gets exceptions)`
`79`	`78`	`require_os_login = true # OS Login required for compliant systems`
`@@ -112,7 +111,6 @@ module "security_baseline" {`
`112`	`111`	`# Storage & Encryption`
`113`	`112`	`"uniform_bucket_level_access",`
`114`	`113`	`"public_access_prevention",`
`115`		`- "require_cmek_encryption",`
`116`	`114`	`# Database`
`117`	`115`	`"require_ssl_sql",`
`118`	`116`	`"restrict_public_sql",`
`@@ -172,7 +170,6 @@ module "audit_logging" {`
`172`	`170`	`}`
`173`	`171`	`}`
`174`	`172`
`175`		`- enable_cmek = false # Enable after KMS setup`
`176`	`173`	`}`
`177`	`174`
`178`	`175`	`# Configure group permissions (simplified for small org)`