Google KMS Module
Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
The `protected` flag in the `key_attributes` variable sets the `prevent_destroy` lifecycle argument on a per-key basis. With it set, Terraform refuses any plan that would destroy the key resource, which is the safeguard to use for keys whose loss would leave encrypted data unrecoverable. Note that in Cloud KMS keyrings and keys can never be deleted outright; only key versions can be scheduled for destruction, so the flag protects the Terraform-managed lifecycle of the key rather than the key material itself.
Examples
Minimal example
```hcl
module "kms" {
  source     = "../modules/kms"
  project_id = "my-project"
  keyring    = "test"
  location   = "europe"
  keys       = ["key-a", "key-b"]
}
```
Granting access to keys via IAM
```hcl
module "kms" {
  source     = "../modules/kms"
  project_id = "my-project"
  keyring    = "test"
  location   = "europe"
  keys       = ["key-a", "key-b"]
  iam_roles = {
    key-a = ["roles/cloudkms.cryptoKeyDecrypter"]
  }
  iam_members = {
    key-a = {
      "roles/cloudkms.cryptoKeyDecrypter" = ["user:me@example.org"]
    }
  }
}
```
Variables
name | description | type | required | default
---|---|---|---|---
keyring | Keyring name. | string | ✓ |
location | Location for the keyring. | string | ✓ |
project_id | Project id where the keyring will be created. | string | ✓ |
iam_members | IAM members keyed by key name and role. | map(map(list(string))) | | {}
iam_roles | IAM roles keyed by key name. | map(list(string)) | | {}
key_attributes | Optional key attributes per key. | map(object({...})) | | {}
key_defaults | Key attribute defaults. | object({...}) | | ...
keys | Key names. | list(string) | | []
Outputs
name | description | sensitive
---|---|---
key_self_links | Key self links. |
keyring | Keyring resource. |
keys | Key resources. |
location | Keyring location. |
name | Keyring name. |
self_link | Keyring self link. |
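The following is an added example that is not part of this module's README: it combines the IAM variables from the examples above with the `key_self_links` output to use one of the module's keys as the default customer-managed encryption key of a Cloud Storage bucket, and shows separate encrypt-only and decrypt-only grants on a second key. It assumes `key_self_links` is a map keyed by key name; the project id, bucket name, service account and group are placeholders.

```hcl
# Added example, not the module's own code. Assumes the key_self_links output
# is a map keyed by key name; project id, bucket name and principals are placeholders.

data "google_project" "project" {
  project_id = "my-project"
}

locals {
  # Cloud Storage encrypts with the key using the project's storage service
  # agent, so that identity (not the user running Terraform) needs the grant.
  gcs_service_agent = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
}

module "kms" {
  source     = "../modules/kms"
  project_id = "my-project"
  keyring    = "test"
  location   = "europe"
  keys       = ["key-a", "key-b"]
  iam_roles = {
    key-a = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
    key-b = ["roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyDecrypter"]
  }
  iam_members = {
    # key-a: CMEK for the bucket needs both encrypt and decrypt on the service agent.
    key-a = {
      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [local.gcs_service_agent]
    }
    # key-b: split roles so the producer can only encrypt and consumers can only decrypt.
    key-b = {
      "roles/cloudkms.cryptoKeyEncrypter" = ["serviceAccount:ingest@my-project.iam.gserviceaccount.com"]
      "roles/cloudkms.cryptoKeyDecrypter" = ["group:data-readers@example.org"]
    }
  }
}

resource "google_storage_bucket" "data" {
  name                        = "my-project-cmek-data"
  project                     = "my-project"
  location                    = "EU"
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = module.kms.key_self_links["key-a"]
  }

  # The bucket API rejects the key unless the service agent already holds the
  # role above; depending on the whole module orders the IAM binding before
  # the bucket, which a reference to the output alone does not guarantee.
  depends_on = [module.kms]
}
```

The `depends_on` matters: a reference to `module.kms.key_self_links` only makes the bucket wait for the key, not for the IAM binding created alongside it, and Cloud Storage validates the grant when the bucket is created.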
Requirements
These sections describe requirements for using this module.
IAM
One of the following roles must be held by the identity provisioning the resources of this module:
- Cloud KMS Admin: roles/cloudkms.admin
- Owner: roles/owner

Prefer roles/cloudkms.admin: it is scoped to Cloud KMS resources and, unlike roles/owner, does not include the encrypt and decrypt permissions, so the identity that manages keys cannot also use them.
APIs
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service:
cloudkms.googleapis.com