Skip to content

romanini-ciandt/terraform-google-kms

 
 

Repository files navigation

Google KMS Terraform Module

Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.

The resources/services/activations/deletions that this module will create/trigger are:

  • Create a KMS keyring in the provided project
  • Create zero or more keys in the keyring
  • Create IAM role bindings for owners, encrypters, decrypters

Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v1.2.0.

Usage

Basic usage of this module is as follows:

module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 3.2"

  project_id         = "<PROJECT ID>"
  location           = "europe"
  keyring            = "sample-keyring"
  keys               = ["foo", "spam"]
  set_owners_for     = ["foo", "spam"]
  owners = [
    "group:[email protected],group:[email protected]",
    "group:[email protected]",
  ]
}

Functional examples are included in the examples directory.

Inputs

Name Description Type Default Required
crypto_key_backend (Optional) The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format 'projects//locations//ekmConnections/*' and only applies to 'EXTERNAL_VPC' keys. string null no
decrypters List of comma-separated owners for each key declared in set_decrypters_for. list(string) [] no
encrypters List of comma-separated owners for each key declared in set_encrypters_for. list(string) [] no
import_only Whether these keys may contain imported versions only. bool false no
key_algorithm The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs. string "GOOGLE_SYMMETRIC_ENCRYPTION" no
key_destroy_scheduled_duration Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. string null no
key_protection_level The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC"] string "SOFTWARE" no
key_rotation_period Generate a new key every time this period passes. string "7776000s" no
keyring Keyring name. string n/a yes
keys Key names. list(string) [] no
labels Labels, provided as a map map(string) {} no
location Location for the keyring. string n/a yes
owners List of comma-separated owners for each key declared in set_owners_for. list(string) [] no
prevent_destroy Set the prevent_destroy lifecycle attribute on keys. bool true no
project_id Project id where the keyring will be created. string n/a yes
purpose The immutable purpose of the CryptoKey. Default value is ENCRYPT_DECRYPT. See purpose reference (https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. string "ENCRYPT_DECRYPT" no
set_decrypters_for Name of keys for which decrypters will be set. list(string) [] no
set_encrypters_for Name of keys for which encrypters will be set. list(string) [] no
set_owners_for Name of keys for which owners will be set. list(string) [] no
skip_initial_version_creation If set to true, the request will create CryptoKeys without any CryptoKeyVersions. bool false no

Outputs

Name Description
keyring Self link of the keyring.
keyring_name Name of the keyring.
keyring_resource Keyring resource.
keys Map of key name => key self link.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

Service Account

A service account with one of the following roles must be used to provision the resources of this module:

  • Cloud KMS Admin: roles/cloudkms.admin or
  • Owner: roles/owner

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Key Management Service: cloudkms.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.

About

Allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • HCL 54.0%
  • Shell 20.8%
  • Go 18.1%
  • Makefile 7.1%