Encrypt Terraform state with KMS managed keys for GCS backend #24967
Description
Current Terraform Version
v0.12.25
Use-cases
Following up on #16836 and #16936, currently the GCS backend supports a customer-supplied encryption key, which is stored in clear text on the client, when configured using the encryption_key parameter for the backend.
Instead, GCS has supported customer-managed keys for some time now, which could provide a simple way to encrypt Terraform state with KMS.
Attempted Solutions
We may be able to use default customer-managed keys, which enable transparent encryption/decryption of objects, without any explicit configuration for the GCS backend in Terraform.
Proposal
It would be great to be able to explicitly specify a KMS Customer-Managed encryption key in GCS backend:
```hcl
terraform {
  backend "gcs" {
    bucket = "tf-state-prod"
    prefix = "terraform/state"
    kms_encryption_key {
      location = "us-east1" # optional, defaults to 'global'
      key_ring = "terraform-keyring"
      key      = "terraform-key"
    }
  }
}
```

This would allow us to enforce the encryption on the bucket, instead of relying on the implicit configuration of the default key for the bucket (which can oftentimes be overlooked).
Additionally, this would prevent encryption key leakage (as the key would not be stored on the client) and enable its rotation through KMS, as opposed to the current static setting for encryption_key.
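The issue notes that a bucket's default key is implicit and easy to overlook. The following is an added example, not part of the issue or of Terraform's code, that audits state objects for the key actually protecting them. It assumes metadata dicts shaped like the GCS JSON API bucket and object resources (`encryption.defaultKmsKeyName`, `kmsKeyName`, `customerEncryption`); the function name, project ID and sample records are constructed for illustration.

```python
# Constructed sample metadata; the project ID and key path are placeholders.
KEY = ("projects/example-proj/locations/us-east1/"
       "keyRings/terraform-keyring/cryptoKeys/terraform-key")
BUCKET = {"name": "tf-state-prod", "encryption": {"defaultKmsKeyName": KEY}}
OBJECTS = [
    # Written after the default key was set: carries the key plus a version suffix.
    {"name": "terraform/state/default.tfstate",
     "kmsKeyName": KEY + "/cryptoKeyVersions/2"},
    # Written before the default key was set: a default key only applies to new writes.
    {"name": "terraform/state/legacy.tfstate"},
    # Written with the backend's encryption_key (customer-supplied key).
    {"name": "terraform/state/csek.tfstate",
     "customerEncryption": {"encryptionAlgorithm": "AES256",
                            "keySha256": "<constructed>"}},
    # Encrypted with a KMS key, but not the one expected for state.
    {"name": "terraform/state/other.tfstate",
     "kmsKeyName": "projects/example-proj/locations/global/"
                   "keyRings/misc/cryptoKeys/other/cryptoKeyVersions/1"},
]


def audit_state_encryption(bucket, objects, expected_key, prefix="terraform/state"):
    """Return (name, finding) pairs for anything not protected by expected_key."""
    findings = []
    default_key = bucket.get("encryption", {}).get("defaultKmsKeyName")
    if default_key != expected_key:
        findings.append((bucket["name"],
                         "bucket default KMS key is %r" % default_key))
    for obj in objects:
        if not obj["name"].startswith(prefix + "/"):
            continue  # only state objects under the backend prefix are in scope
        key = obj.get("kmsKeyName")
        if "customerEncryption" in obj:
            findings.append((obj["name"], "customer-supplied key held on the client"))
        elif key is None:
            findings.append((obj["name"], "Google-managed encryption, no KMS key"))
        elif key.split("/cryptoKeyVersions/")[0] != expected_key:
            findings.append((obj["name"], "unexpected KMS key " + key))
    return findings


if __name__ == "__main__":
    for name, finding in audit_state_encryption(BUCKET, OBJECTS, KEY):
        print(name, "->", finding)
```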