2.9 KiB
2.9 KiB
Google KMS Module
Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
The protected flag in the key_attributes variable sets the prevent_destroy lifecycle argument on an a per-key basis.
Examples
Minimal example
module "kms" {
source = "../modules/kms"
project_id = "my-project"
keyring = "test"
location = "europe"
keys = ["key-a", "key-b"]
}
Granting access to keys via IAM
module "kms" {
source = "../modules/kms"
project_id = "my-project"
keyring = "test"
location = "europe"
keys = ["key-a", "key-b"]
iam_roles = {
key-a = ["roles/cloudkms.cryptoKeyDecrypter"]
}
iam_members = {
key-a = {
"roles/cloudkms.cryptoKeyDecrypter" = ["user:me@example.org"]
}
}
}
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| keyring | Keyring name. | string |
✓ | |
| location | Location for the keyring. | string |
✓ | |
| project_id | Project id where the keyring will be created. | string |
✓ | |
| iam_members | IAM members keyed by key name and role. | map(map(list(string))) |
{} |
|
| iam_roles | IAM roles keyed by key name. | map(list(string)) |
{} |
|
| key_attributes | Optional key attributes per key. | map(object({...})) |
{} |
|
| key_defaults | Key attribute defaults. | object({...}) |
... |
|
| keys | Key names. | list(string) |
[] |
Outputs
| name | description | sensitive |
|---|---|---|
| key_self_links | Key self links. | |
| keyring | Keyring resource. | |
| keys | Key resources. | |
| location | Keyring self link. | |
| name | Keyring self link. | |
| self_link | Keyring self link. |
Requirements
These sections describe requirements for using this module.
IAM
The following roles must be used to provision the resources of this module:
- Cloud KMS Admin:
roles/cloudkms.adminor - Owner:
roles/owner
APIs
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service:
cloudkms.googleapis.com