zydronium/google-nomulus

Fork 0

mirror of https://github.com/google/nomulus.git synced 2025-05-02 04:57:51 +02:00

Commit graph

Author	SHA1	Message	Date
Lai Jiang	a6aa1ca9fe	Protect KMS-secured data against destruction in upcoming google provider update. (#284 ) Export of cl/270900150. To refer to a KMS key or key ring, we should use the stable `.self_link`. Using `.id` instead provides an unstable identifier which may change (and it will change in the upcoming update of the google provider to 2.9.1). A change in the identifier will cause Terraform to destroy and recreate the key. Destroying the key means all data associated with it is lost; the key cannot be recreated. This CL replaces `.id` with `.self_link`, so all of those problems will not happen. In addition, `prevent_destroy` protects the key against delete-and-recreate in general.	2019-09-27 12:12:58 -04:00
Lai Jiang	3202665660	Update IAM binding to restrict proxy service account's access to GCS (#125 ) Per https://cloud.google.com/container-registry/docs/access-control#granting_users_and_other_projects_access_to_a_registry, for a service account to access GCR, it does not need reader access to all buckets in a project, but just the specific one. This is duped from cl/254092941.	2019-06-21 15:59:01 -04:00
Lai Jiang	684bb119db	Move terraform and kubernetes folder to be under proxy (#127 ) * Move terraform and kubernetes folder to be under proxy There is no reason for them to be under proxy/src/... any more now that we have a Gradle-idiomatic folder structure.	2019-06-20 14:28:32 -04:00

Author

SHA1

Message

Date

Lai Jiang

a6aa1ca9fe

Protect KMS-secured data against destruction in upcoming google provider update. (#284 )

Export of cl/270900150.

To refer to a KMS key or key ring, we should use the stable `.self_link`. Using `.id` instead provides an unstable identifier which may change (and it will change in the upcoming update of the google provider to 2.9.1). A change in the identifier will cause Terraform to destroy and recreate the key. Destroying the key means all data associated with it is lost; the key cannot be recreated.

This CL replaces `.id` with `.self_link`, so all of those problems will not happen. In addition, `prevent_destroy` protects the key against delete-and-recreate in general.

2019-09-27 12:12:58 -04:00

Lai Jiang

3202665660

Update IAM binding to restrict proxy service account's access to GCS (#125 )

Per
https://cloud.google.com/container-registry/docs/access-control#granting_users_and_other_projects_access_to_a_registry,
for a service account to access GCR, it does not need reader access to *all*
buckets in a project, but just the specific one.

This is duped from cl/254092941.

2019-06-21 15:59:01 -04:00

Lai Jiang

684bb119db

Move terraform and kubernetes folder to be under proxy (#127 )

* Move terraform and kubernetes folder to be under proxy

There is no reason for them to be under proxy/src/... any more now that
we have a Gradle-idiomatic folder structure.

2019-06-20 14:28:32 -04:00

3 commits