kms

# 1
gsutil mb gs://secrets-bucket-256acd5

# 2
gcloud kms keyrings create my-key-ring --location global

# 3
gcloud kms keys create my-key \
  --location global \
  --keyring my-key-ring \
  --purpose encryption

# 4 - Encrypt root user's password
echo "<ROOT_PASSWORD>" | \
gcloud kms encrypt \
  --location=global \
  --keyring=my-key-ring \
  --key=my-key \
  --plaintext-file=- \
  --ciphertext-file=admin-password.encrypted

gsutil cp admin-password.encrypted gs://secrets-bucket-256acd5

gcloud dataproc clusters create ${CLUSTER_NAME} \
  --region ${REGION} \
  --scopes cloud-platform \
  --initialization-actions gs://goog-dataproc-initialization-actions-${REGION}/cloud-sql-proxy.sh \
  --properties hive:hive.metastore.warehouse.dir=gs://${HIVE_DATA_BUCKET}/hive-warehouse \
  --metadata "hive-metastore-instance=${PROJECT_ID}:${REGION}:${INSTANCE_NAME}" \
  --metadata "kms-key-uri=projects/${PROJECT_ID}/locations/global/keyRings/my-key-ring/cryptoKeys/my-key" \
  --metadata "db-admin-password-uri=gs://${SECRETS_BUCKET}/admin-password.encrypted" \
  --metadata "db-hive-password-uri=gs://${SECRETS_BUCKET}/hive-password.encrypted"