# Google KMS Module
Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
The `protected` flag in the `key_attributes` variable sets the `prevent_destroy` lifecycle argument on a per-key basis, so a plan that would delete a protected key fails instead of removing it.
## Examples
### Minimal example
```hcl
module "kms" {
  source     = "../modules/kms"
  project_id = "my-project"
  keyring    = "test"
  location   = "europe"
  keys       = ["key-a", "key-b"]
}
```
### Granting access to keys via IAM
```hcl
module "kms" {
  source     = "../modules/kms"
  project_id = "my-project"
  keyring    = "test"
  location   = "europe"
  keys       = ["key-a", "key-b"]
  iam_roles = {
    key-a = ["roles/cloudkms.cryptoKeyDecrypter"]
  }
  iam_members = {
    key-a = {
      "roles/cloudkms.cryptoKeyDecrypter" = ["user:me@example.org"]
    }
  }
}
```
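### Protecting keys from destruction

The following is an added example, not part of the module's own documentation, showing the `protected` flag described at the top of this README. It assumes that `key_attributes` accepts a per-key object with a `protected` boolean and that any attributes not given for a key fall back to `key_defaults`; the IAM binding is the same least-privilege pattern as the previous example and is not required for protection to apply.

```hcl
module "kms" {
  source     = "../modules/kms"
  project_id = "my-project"
  keyring    = "test"
  location   = "europe"
  keys       = ["key-a", "key-b"]

  # Assumption: the object accepts a `protected` attribute and other
  # attributes come from key_defaults. key-a gets prevent_destroy = true,
  # key-b keeps the module defaults.
  key_attributes = {
    key-a = { protected = true }
  }

  # Grant only what the consumer needs: decrypt on key-a, nothing on key-b.
  iam_roles = {
    key-a = ["roles/cloudkms.cryptoKeyDecrypter"]
  }
  iam_members = {
    key-a = {
      "roles/cloudkms.cryptoKeyDecrypter" = ["serviceAccount:app@my-project.iam.gserviceaccount.com"]
    }
  }
}
```

With `prevent_destroy` set, `terraform destroy`, or a plan that would replace or remove `key-a` (for example because it was dropped from `keys`), errors at plan time rather than deleting the key. To retire a protected key deliberately, first change `protected` to `false` and apply, then remove it in a separate change so the deletion is an explicit, reviewable step.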
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| keyring | Keyring name. | string | ✓ | |
| location | Location for the keyring. | string | ✓ | |
| project_id | Project id where the keyring will be created. | string | ✓ | |
| *iam_members* | IAM members keyed by key name and role. | map(map(list(string))) | | {} |
| *iam_roles* | IAM roles keyed by key name. | map(list(string)) | | {} |
| *key_attributes* | Optional key attributes per key. | map(object({...})) | | {} |
| *key_defaults* | Key attribute defaults. | object({...}) | | ... |
| *keys* | Key names. | list(string) | | [] |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| key_self_links | Key self links. | |
| keyring | Keyring resource. | |
| keys | Key resources. | |
| location | Keyring self link. | |
| name | Keyring self link. | |
| self_link | Keyring self link. | |
## Requirements
These sections describe requirements for using this module.
### IAM
One of the following roles is required to provision the resources of this module:
- Cloud KMS Admin: `roles/cloudkms.admin` or
- Owner: `roles/owner`
### APIs
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service: `cloudkms.googleapis.com`