![release-please[bot]](https://avatars.githubusercontent.com/in/40688?v=4&size=40){kind=avatar}
Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
The resources/services/activations/deletions that this module will create/trigger are:
- Create a KMS keyring in the provided project
- Create zero or more keys in the keyring
- Create IAM role bindings for owners, encrypters, decrypters
This module is meant for use with Terraform v1.3+ and tested using Terraform v1.10+. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v1.2.0.
Basic usage of this module is as follows:
module "kms" {
source = "terraform-google-modules/kms/google"
version = "~> 4.0"
project_id = "<PROJECT ID>"
location = "europe"
keyring = "sample-keyring"
keys = ["foo", "spam"]
set_owners_for = ["foo", "spam"]
owners = [
"group:one@example.com,group:two@example.com",
"group:one@example.com",
]
}Functional examples are included in the examples directory.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| crypto_key_backend | (Optional) The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format 'projects//locations//ekmConnections/*' and only applies to 'EXTERNAL_VPC' keys. | string |
null |
no |
| decrypters | List of comma-separated owners for each key declared in set_decrypters_for. | list(string) |
[] |
no |
| encrypters | List of comma-separated owners for each key declared in set_encrypters_for. | list(string) |
[] |
no |
| import_only | Whether these keys may contain imported versions only. | bool |
false |
no |
| key_algorithm | The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs. | string |
"GOOGLE_SYMMETRIC_ENCRYPTION" |
no |
| key_destroy_scheduled_duration | Set the period of time that versions of keys spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. | string |
null |
no |
| key_protection_level | The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC"] | string |
"SOFTWARE" |
no |
| key_rotation_period | Generate a new key every time this period passes. | string |
"7776000s" |
no |
| keyring | Keyring name. | string |
n/a | yes |
| keys | Key names. | list(string) |
[] |
no |
| labels | Labels, provided as a map | map(string) |
{} |
no |
| location | Location for the keyring. | string |
n/a | yes |
| owners | List of comma-separated owners for each key declared in set_owners_for. | list(string) |
[] |
no |
| prevent_destroy | Set the prevent_destroy lifecycle attribute on keys. | bool |
true |
no |
| project_id | Project id where the keyring will be created. | string |
n/a | yes |
| purpose | The immutable purpose of the CryptoKey. Default value is ENCRYPT_DECRYPT. See purpose reference (https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. | string |
"ENCRYPT_DECRYPT" |
no |
| set_decrypters_for | Name of keys for which decrypters will be set. | list(string) |
[] |
no |
| set_encrypters_for | Name of keys for which encrypters will be set. | list(string) |
[] |
no |
| set_owners_for | Name of keys for which owners will be set. | list(string) |
[] |
no |
| skip_initial_version_creation | If set to true, the request will create CryptoKeys without any CryptoKeyVersions. | bool |
false |
no |
| Name | Description |
|---|---|
| keyring | Self link of the keyring. |
| keyring_name | Name of the keyring. |
| keyring_resource | Keyring resource. |
| keys | Map of key name => key self link. |
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform >= 1.3
- Terraform Provider for GCP plugin >= v5.31
A service account with one of the following roles must be used to provision the resources of this module:
- Cloud KMS Admin:
roles/cloudkms.adminor - Owner:
roles/owner
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service:
cloudkms.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.
![@renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=64&v=4){kind=small}
![@release-please[bot]](https://avatars.githubusercontent.com/in/40688?s=64&v=4){kind=small}
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
