bschaatsbergen · October 30, 2022 15:56 · Oct 30, 2022 · Oct 16, 2022 · Oct 10, 2022 · Oct 9, 2022
diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -38,7 +38,7 @@ Once these resources have been created we can encrypt our plaintext secret using
 To do so we can use the [gcloud kms encrypt](https://cloud.google.com/sdk/gcloud/reference/kms/encrypt) command, see below:
 
 ```
-$ echo -n a-super-secret-slack-oauth-token | gcloud kms encrypt --plaintext-file=- \ 
+$ echo -n my-super-secret-string | gcloud kms encrypt --plaintext-file=- \ 
 --ciphertext-file=- --location=global --keyring=default-ring \ 
 --key=default-crypto-key | base64
 

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -5,7 +5,7 @@
 
 The Google Cloud Terraform provider provides a very clean and intuitive interface in order to store secrets in Git.
 
-Before we can start committing our secrets in a Git repositoriy we first have to create a KMS key ring and a KMS crypto key 🔑.
+Before we can start committing our secrets in a Git repositoriy we first have to create a KMS key ring and a KMS crypto key.
 
 ```hcl
 # Create a KMS key ring in order to attach a KMS crypto key to.
@@ -25,10 +25,10 @@ resource "google_kms_crypto_key" "default" {
   }
 }
 
-# Optionally we can grant Bob access to decrypt our secret too.
-resource "google_kms_crypto_key_iam_member" "bob_crypto_key_decrypter" {
+# Optionally we can grant Bob access to encrypt and decrypt.
+resource "google_kms_crypto_key_iam_member" "bob_crypto_key_encrypter_decrypter" {
   crypto_key_id = google_kms_crypto_key.default.id
-  role          = "roles/cloudkms.cryptoKeyDecrypter"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member        = "user:bob@example.com"
 }
 ```

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -33,7 +33,7 @@ resource "google_kms_crypto_key_iam_member" "bob_crypto_key_decrypter" {
 }
 ```
 
-Once these resources have been created we can decrypt our plaintext secret using our newly created KMS crypto key.
+Once these resources have been created we can encrypt our plaintext secret using our newly created KMS crypto key.
 
 To do so we can use the [gcloud kms encrypt](https://cloud.google.com/sdk/gcloud/reference/kms/encrypt) command, see below:
 

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -1,4 +1,4 @@
-# Managing secrets in you Terraform code (the GCP way).
+# Managing secrets in your Terraform code (the GCP way).
 
 > ❗ Important note: using this method, the plaintext value of the secret will be persisted into your Terraform state file.
 > This ideally shouldn't pose a problem as long as your Terraform state files are properly secured and encrypted too. 

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -1,4 +1,4 @@
-# Secrets in Terraform GCP
+# Managing secrets in you Terraform code (the GCP way).
 
 > ❗ Important note: using this method, the plaintext value of the secret will be persisted into your Terraform state file.
 > This ideally shouldn't pose a problem as long as your Terraform state files are properly secured and encrypted too. 

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -60,5 +60,5 @@ data "google_kms_secret" "slack_oauth_token" {
 }
 ```
 
-I personally like to hardcode the base64 encrypted secret together with the data source, like I do in [data.tf](data.tf). 
+I personally like to hardcode the base64 encrypted secret together with the data source. 
 This is useful because it shows me which KMS crypto key is associated with the encryption operation and I'm able to easily figure out who has access to that KMS crypto key.
diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -38,7 +38,7 @@ Once these resources have been created we can decrypt our plaintext secret using
 To do so we can use the [gcloud kms encrypt](https://cloud.google.com/sdk/gcloud/reference/kms/encrypt) command, see below:
 
 ```
-$ echo -n super-secret-slack-oauth-token | gcloud kms encrypt --plaintext-file=- \ 
+$ echo -n a-super-secret-slack-oauth-token | gcloud kms encrypt --plaintext-file=- \ 
 --ciphertext-file=- --location=global --keyring=default-ring \ 
 --key=default-crypto-key | base64
 

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -38,7 +38,7 @@ Once these resources have been created we can decrypt our plaintext secret using
 To do so we can use the [gcloud kms encrypt](https://cloud.google.com/sdk/gcloud/reference/kms/encrypt) command, see below:
 
 ```
-$ echo -n my-password | gcloud kms encrypt --plaintext-file=- \ 
+$ echo -n super-secret-slack-oauth-token | gcloud kms encrypt --plaintext-file=- \ 
 --ciphertext-file=- --location=global --keyring=default-ring \ 
 --key=default-crypto-key | base64
 
@@ -54,7 +54,7 @@ This data source allows us to decrypt the secret and extract the value as plaint
 
 ```hcl
 # Here we decrypt a base64 encoded string using our newly created KMS crypto key.
-data "google_kms_secret" "password" {
+data "google_kms_secret" "slack_oauth_token" {
   crypto_key = google_kms_crypto_key.default.id
   ciphertext = "CiQAa2/tURAxviiz3qT4J3h4L4Vf759k65N4sSa+fhN/lZEbn08SNAAUPVwiGojZWfA7wAPr7xG4RbBUh+2GUAfYWScf+ZkHCsZAPMDUldaLvQ2DSzk99h1mY18="
 }

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -45,7 +45,7 @@ $ echo -n my-password | gcloud kms encrypt --plaintext-file=- \
 CiQAa2/tURAxviiz3qT4J3h4L4Vf759k65N4sSa+fhN/lZEbn08SNAAUPVwiGojZWfA7wAPr7xG4RbBUh+2GUAfYWScf+ZkHCsZAPMDUldaLvQ2DSzk99h1mY18=
 ```
 
-> We base64 encode the output as that's expected by the Terraform Google provider resource we're passing this value to ⛓️.
+> We base64 encode the output as that's required by the Terraform Google provider data source we're going to use ⛓️.
 
 Now that we have a base64 encrypted secret we can safely store this in Git, it's meaningless to attackers.
 

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -5,7 +5,7 @@
 
 The Google Cloud Terraform provider provides a very clean and intuitive interface in order to store secrets in Git.
 
-But before we can start committing our secrets in a Git repositoriy we first have to create a KMS key ring and a KMS crypto key 🔑.
+Before we can start committing our secrets in a Git repositoriy we first have to create a KMS key ring and a KMS crypto key 🔑.
 
 ```hcl
 # Create a KMS key ring in order to attach a KMS crypto key to.

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -5,7 +5,7 @@
 
 The Google Cloud Terraform provider provides a very clean and intuitive interface in order to store secrets in Git.
 
-But before we can start committing our secrets in a Git repositoriy we first have to create a KMS key ring and a KMS crypto key.
+But before we can start committing our secrets in a Git repositoriy we first have to create a KMS key ring and a KMS crypto key 🔑.
 
 ```hcl
 # Create a KMS key ring in order to attach a KMS crypto key to.
@@ -45,7 +45,7 @@ $ echo -n my-password | gcloud kms encrypt --plaintext-file=- \
 CiQAa2/tURAxviiz3qT4J3h4L4Vf759k65N4sSa+fhN/lZEbn08SNAAUPVwiGojZWfA7wAPr7xG4RbBUh+2GUAfYWScf+ZkHCsZAPMDUldaLvQ2DSzk99h1mY18=
 ```
 
-> We base64 encode the output as that's expected by the Terraform Google provider resource we're passing this value to.
+> We base64 encode the output as that's expected by the Terraform Google provider resource we're passing this value to ⛓️.
 
 Now that we have a base64 encrypted secret we can safely store this in Git, it's meaningless to attackers.
 

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -1,6 +1,6 @@
 # Secrets in Terraform GCP
 
-> Important note: using this method, the plaintext value of the secret will be persisted into your Terraform state file.
+> ❗ Important note: using this method, the plaintext value of the secret will be persisted into your Terraform state file.
 > This ideally shouldn't pose a problem as long as your Terraform state files are properly secured and encrypted too. 
 
 The Google Cloud Terraform provider provides a very clean and intuitive interface in order to store secrets in Git.

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -5,7 +5,7 @@
 
 The Google Cloud Terraform provider provides a very clean and intuitive interface in order to store secrets in Git.
 
-Before we can store secrets in Git we first have to create a KMS key Ring and a KMS crypto key.
+But before we can start committing our secrets in a Git repositoriy we first have to create a KMS key ring and a KMS crypto key.
 
 ```hcl
 # Create a KMS key ring in order to attach a KMS crypto key to.

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -49,7 +49,7 @@ CiQAa2/tURAxviiz3qT4J3h4L4Vf759k65N4sSa+fhN/lZEbn08SNAAUPVwiGojZWfA7wAPr7xG4RbBU
 
 Now that we have a base64 encrypted secret we can safely store this in Git, it's meaningless to attackers.
 
-Now if we want to get the actual value of our secret, we can use a data source called [google_kms_secret](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_secret).
+If we want to get the actual value of our secret, we can use a data source called [google_kms_secret](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_secret).
 This data source allows us to decrypt the secret and extract the value as plaintext.
 
 ```hcl

diff --git a/secrets-in-terraform-gcp.md b/secrets-in-terraform-gcp.md
@@ -0,0 +1,64 @@
+# Secrets in Terraform GCP
+
+> Important note: using this method, the plaintext value of the secret will be persisted into your Terraform state file.
+> This ideally shouldn't pose a problem as long as your Terraform state files are properly secured and encrypted too. 
+
+The Google Cloud Terraform provider provides a very clean and intuitive interface in order to store secrets in Git.
+
+Before we can store secrets in Git we first have to create a KMS key Ring and a KMS crypto key.
+
+```hcl
+# Create a KMS key ring in order to attach a KMS crypto key to.
+resource "google_kms_key_ring" "default" {
+  name     = "default-ring"
+  location = "global"
+}
+
+# Create a KMS crypto key that's being prevented from being destroyed.
+resource "google_kms_crypto_key" "default" {
+  name            = "default-crypto-key"
+  key_ring        = google_kms_key_ring.default.id
+  rotation_period = "604800s"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+# Optionally we can grant Bob access to decrypt our secret too.
+resource "google_kms_crypto_key_iam_member" "bob_crypto_key_decrypter" {
+  crypto_key_id = google_kms_crypto_key.default.id
+  role          = "roles/cloudkms.cryptoKeyDecrypter"
+  member        = "user:bob@example.com"
+}
+```
+
+Once these resources have been created we can decrypt our plaintext secret using our newly created KMS crypto key.
+
+To do so we can use the [gcloud kms encrypt](https://cloud.google.com/sdk/gcloud/reference/kms/encrypt) command, see below:
+
+```
+$ echo -n my-password | gcloud kms encrypt --plaintext-file=- \ 
+--ciphertext-file=- --location=global --keyring=default-ring \ 
+--key=default-crypto-key | base64
+
+CiQAa2/tURAxviiz3qT4J3h4L4Vf759k65N4sSa+fhN/lZEbn08SNAAUPVwiGojZWfA7wAPr7xG4RbBUh+2GUAfYWScf+ZkHCsZAPMDUldaLvQ2DSzk99h1mY18=
+```
+
+> We base64 encode the output as that's expected by the Terraform Google provider resource we're passing this value to.
+
+Now that we have a base64 encrypted secret we can safely store this in Git, it's meaningless to attackers.
+
+Now if we want to get the actual value of our secret, we can use a data source called [google_kms_secret](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_secret).
+This data source allows us to decrypt the secret and extract the value as plaintext.
+
+```hcl
+# Here we decrypt a base64 encoded string using our newly created KMS crypto key.
+data "google_kms_secret" "password" {
+  crypto_key = google_kms_crypto_key.default.id
+  ciphertext = "CiQAa2/tURAxviiz3qT4J3h4L4Vf759k65N4sSa+fhN/lZEbn08SNAAUPVwiGojZWfA7wAPr7xG4RbBUh+2GUAfYWScf+ZkHCsZAPMDUldaLvQ2DSzk99h1mY18="
+}
+```
+
+I personally like to hardcode the base64 encrypted secret together with the data source, like I do in [data.tf](data.tf). 
+This is useful because it shows me which KMS crypto key is associated with the encryption operation and I'm able to easily figure out who has access to that KMS crypto key.
No results found