This module allows creating and managing KMS crypto keys and IAM bindings at both the keyring and crypto key level. An existing keyring can be used, or a new one can be created and managed by the module if needed.
When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator.
In this module no lifecycle blocks are set on resources to prevent destroy, in order to allow for experimentation and testing where rapid apply/destroy cycles are needed. If you plan on using this module to manage non-development resources, clone it and uncomment the lifecycle blocks found in main.tf.
module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "test-1"
}
keys = {
key-a = {
iam = {
"roles/cloudkms.admin" = ["group:${var.group_email}"]
}
}
key-b = {
rotation_period = "604800s"
iam_bindings_additive = {
key-b-iam1 = {
key = "key-b"
member = "group:${var.group_email}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
}
}
key-c = {
labels = {
env = "test"
}
}
}
}
# tftest modules=1 resources=6 inventory=basic.yaml e2emodule "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
iam = {
"roles/cloudkms.admin" = ["group:${var.group_email}"]
}
keyring = { location = var.region, name = var.keyring.name }
keyring_create = false
keys = { key-a = {}, key-b = {}, key-c = {} }
}
# tftest skip (uses data sources) e2emodule "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "test-2"
}
keys = {
key-a = {
purpose = "ASYMMETRIC_SIGN"
version_template = {
algorithm = "EC_SIGN_P384_SHA384"
protection_level = "HSM"
}
}
}
}
# tftest modules=1 resources=2 inventory=purpose.yaml e2emodule "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "test-3"
}
import_job = {
id = "my-import-job"
import_method = "RSA_OAEP_3072_SHA1_AES_256"
protection_level = "SOFTWARE"
}
}
# tftest modules=1 resources=2 inventory=import-job.yaml e2eRefer to the Creating and managing tags documentation for details on usage.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
tags = {
environment = {
description = "Environment specification."
values = {
dev = {}
prod = {}
sandbox = {}
}
}
}
}
module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "test-3"
}
tag_bindings = {
env-sandbox = module.org.tag_values["environment/sandbox"].id
}
}
# tftest modules=2 resources=6| name | description | type | required | default |
|---|---|---|---|---|
| keyring | Keyring attributes. | object({…}) |
✓ | |
| project_id | Project id where the keyring will be created. | string |
✓ | |
| iam | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |
{} |
|
| iam_bindings_additive | Keyring individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |
{} |
|
| import_job | Keyring import job attributes. | object({…}) |
null |
|
| keyring_create | Set to false to manage keys and IAM bindings in an existing keyring. | bool |
true |
|
| keys | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) |
{} |
|
| tag_bindings | Tag bindings for this keyring, in key => tag value id format. | map(string) |
{} |
| name | description | sensitive |
|---|---|---|
| id | Fully qualified keyring id. | |
| import_job | Keyring import job resources. | |
| key_ids | Fully qualified key ids. | |
| keyring | Keyring resource. | |
| keys | Key resources. | |
| location | Keyring location. | |
| name | Keyring name. |