Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
The resources/services/activations/deletions that this module will create/trigger are:
- Create a KMS keyring in the provided project
- Create zero or more keys in the keyring
- Create IAM role bindings for owners, encrypters, decrypters
This module is meant for use with Terraform 1.0+.
Basic usage of this module is as follows:
module "kms" {
source = "github.com/p2p-org/terraform-google-kms?ref=v2.0.0"
project_id = "<PROJECT ID>"
location = "europe"
keyring = "sample-keyring"
keys = ["foo", "spam"]
key_opts = [
{
key = "foo"
rotation_period = "100000s"
},
]
owners = ["group:[email protected]","user:[email protected]"]
## additional ACLs
acl = [
{
key = "spam"
decrypters = ["serviceAccount:[email protected]"]
}
]
}Functional examples are included in the examples directory.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| owners | Owners shared for all the managed keys. | list(string) |
[] |
|
| encrypters | Encrypters shared for all the managed keys. | list(string) |
[] |
|
| decrypters | Decrypters shared for all the managed keys. | list(string) |
[] |
|
| acl | Additional ACL for for the managed keys. | list(any) |
[] |
no |
| existing_keyring | Use existing keyring | bool |
false |
no |
| key_opts | Specifies key specific options. | list(any) |
[] |
no |
| keyring | Keyring name. | string |
n/a | yes |
| keys | Key names. | list(string) |
[] |
no |
| location | Location for the keyring. | string |
n/a | yes |
| prevent_destroy | Set the prevent_destroy lifecycle attribute on keys. | bool |
true |
no |
| project_id | Project id where the keyring will be created. | string |
n/a | yes |
| Name | Description |
|---|---|
| existing_keyring | Existing keyring is used, i.e. keyring has been created. |
| keyring_id | Self link of the keyring. |
| keyring_name | Name of the keyring. |
| keyring_project | Project of the keyring. |
| keys | Map of key name => id. |
| kms_keys | Managed kms keys details. |
| location | Location of the keyring. |
These sections describe requirements for using this module.
A service account with one of the following roles must be used to provision the resources of this module:
- Cloud KMS Admin:
roles/cloudkms.adminor - Owner:
roles/owner
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service:
cloudkms.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.