84 lines
2.9 KiB
Markdown
84 lines
2.9 KiB
Markdown
# Google KMS Module
|
|
|
|
Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.
|
|
|
|
The `protected` flag in the `key_attributes` variable sets the `prevent_destroy` lifecycle argument on an a per-key basis.
|
|
|
|
## Examples
|
|
|
|
### Minimal example
|
|
|
|
```hcl
|
|
module "kms" {
|
|
source = "../modules/kms"
|
|
project_id = "my-project"
|
|
keyring = "test"
|
|
location = "europe"
|
|
keys = ["key-a", "key-b"]
|
|
}
|
|
```
|
|
|
|
### Granting access to keys via IAM
|
|
|
|
```hcl
|
|
module "kms" {
|
|
source = "../modules/kms"
|
|
project_id = "my-project"
|
|
keyring = "test"
|
|
location = "europe"
|
|
keys = ["key-a", "key-b"]
|
|
iam_roles = {
|
|
key-a = ["roles/cloudkms.cryptoKeyDecrypter"]
|
|
}
|
|
iam_members = {
|
|
key-a = {
|
|
"roles/cloudkms.cryptoKeyDecrypter" = ["user:me@example.org"]
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
<!-- BEGIN TFDOC -->
|
|
## Variables
|
|
|
|
| name | description | type | required | default |
|
|
|---|---|:---: |:---:|:---:|
|
|
| keyring | Keyring name. | <code title="">string</code> | ✓ | |
|
|
| location | Location for the keyring. | <code title="">string</code> | ✓ | |
|
|
| project_id | Project id where the keyring will be created. | <code title="">string</code> | ✓ | |
|
|
| *iam_members* | IAM members keyed by key name and role. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
|
| *iam_roles* | IAM roles keyed by key name. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
|
| *key_attributes* | Optional key attributes per key. | <code title="map(object({ protected = bool rotation_period = string }))">map(object({...}))</code> | | <code title="">{}</code> |
|
|
| *key_defaults* | Key attribute defaults. | <code title="object({ protected = bool rotation_period = string })">object({...})</code> | | <code title="{ protected = true rotation_period = "100000s" }">...</code> |
|
|
| *keys* | Key names. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
|
|
|
## Outputs
|
|
|
|
| name | description | sensitive |
|
|
|---|---|:---:|
|
|
| key_self_links | Key self links. | |
|
|
| keyring | Keyring resource. | |
|
|
| keys | Key resources. | |
|
|
| location | Keyring self link. | |
|
|
| name | Keyring self link. | |
|
|
| self_link | Keyring self link. | |
|
|
<!-- END TFDOC -->
|
|
|
|
## Requirements
|
|
|
|
These sections describe requirements for using this module.
|
|
|
|
### IAM
|
|
|
|
The following roles must be used to provision the resources of this module:
|
|
|
|
- Cloud KMS Admin: `roles/cloudkms.admin` or
|
|
- Owner: `roles/owner`
|
|
|
|
### APIs
|
|
|
|
A project with the following APIs enabled must be used to host the
|
|
resources of this module:
|
|
|
|
- Google Cloud Key Management Service: `cloudkms.googleapis.com`
|