I'm using Terraform to manage Google Cloud Platform (GCP) resources. I use the Google Cloud Storage backend to store the state file. GCP provides a managed Key Management Service, therefore it is possible to manage keys and easily enable encryption on a bucket with those keys. So I'm using the following to encrypt my backend bucket (test-terraform-state; this bucket will only contain Terraform state).
    # Terraform 0.11-style HCL (provider pinned to 1.19.1 below)
    variable "my-project" {}
    variable "my-region" {}

    provider "google" {
      project = "${var.my-project}"
      region  = "${var.my-region}"
      version = "1.19.1"
    }

    # Key ring and key that will protect the state bucket
    resource "google_kms_key_ring" "test-terraform-state" {
      name     = "test-terraform-state"
      location = "${var.my-region}"
    }

    resource "google_kms_crypto_key" "test-terraform-state-bucket" {
      name            = "test-terraform-state-bucket"
      key_ring        = "${google_kms_key_ring.test-terraform-state.self_link}"
      rotation_period = "86400s" # rotate the primary key version daily

      # The key must never be destroyed, or the state objects become unreadable
      lifecycle {
        prevent_destroy = true
      }
    }

    # Bucket holding only Terraform state, versioned and encrypted with the key above
    resource "google_storage_bucket" "test-terraform-state" {
      name          = "test-terraform-state"
      location      = "${var.my-region}"
      storage_class = "REGIONAL"

      versioning {
        enabled = true
      }

      encryption {
        default_kms_key_name = "${google_kms_crypto_key.test-terraform-state-bucket.self_link}"
      }
    }
So my question is: bucket contents (Terraform state(s) here) can be encrypted, but is it really useful? If there are policies on the bucket, something like "only some users can access it (read/write)", does adding encryption have benefits? I only see here an extra layer of security (necessary?), because people will need access to this bucket + role roles/cloudkms.cryptoKeyEncrypterDecrypter to access the contents. But I think I'm missing some use-cases justifying Terraform state encryption.
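One way to turn the key into a control in its own right, as an added example that is not part of the question's configuration: it assumes the provider, the google_kms_crypto_key "test-terraform-state-bucket" and the google_storage_bucket "test-terraform-state" declared in the question, keeps the same Terraform 0.11 interpolation style, and uses a placeholder group name for the people who operate Terraform. The use of self_link as the crypto_key_id follows the question's own usage of that attribute and is an assumption.

```hcl
# Added example, not the asker's code. Assumes the google provider, the
# google_kms_crypto_key "test-terraform-state-bucket" and the
# google_storage_bucket "test-terraform-state" from the question exist.

variable "state_operators" {
  description = "Principals allowed to read/write Terraform state (placeholder value)"
  type        = "list"
  default     = ["group:terraform-operators@example.com"]
}

# Cloud Storage encrypts and decrypts CMEK-protected objects through the
# project's storage service agent, so that account is the one principal that
# must be able to use the key. Looking it up avoids hard-coding the project number.
data "google_storage_project_service_account" "gcs" {}

# Authoritative binding: ONLY the storage service agent may encrypt/decrypt with
# the state key. Removing this binding (or disabling the key) makes every object
# in the bucket unreadable regardless of the bucket's IAM policy.
resource "google_kms_crypto_key_iam_binding" "state_key_users" {
  crypto_key_id = "${google_kms_crypto_key.test-terraform-state-bucket.self_link}"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

  members = [
    "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}",
  ]
}

# Bucket IAM is the second, independent control: who may read/write state objects.
resource "google_storage_bucket_iam_binding" "state_operators" {
  bucket  = "${google_storage_bucket.test-terraform-state.name}"
  role    = "roles/storage.objectAdmin"
  members = "${var.state_operators}"
}
```

Apply the key binding before the bucket (a depends_on on the bucket resource, or a two-step apply), because Cloud Storage refuses to create a bucket whose default key its service agent cannot use. The practical point for the question is that the two bindings are separate levers that can be owned by different teams: disabling the key or removing the service agent's role is a single revocation that takes effect on every state object at once, and key usage can be audited on its own through Cloud KMS Data Access logs once those are enabled, neither of which bucket IAM alone provides.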