789328ff5a
* bump provider versions to 5.0.0 * fix cloud run, logging and vpc-sc * Fix secret manager * fix gke nodepool * fix gke multitenant stage and blueprint * Moving alloydb module to experimental. * Add project to bare resources in examples * tfdoc * fix svpc blueprint test * Revert "fix svpc blueprint test" This reverts commit 14f02659098070136e64ead600580dd52c23c339. * Fix GKE peering project * Disable tests in alloydb module * Bring back secret ids in secret manager tests * Remove duplicate key * last push --------- Co-authored-by: Julio Castillo <jccb@google.com> |
||
---|---|---|
.. | ||
README.md | ||
iam.tf | ||
main.tf | ||
outputs.tf | ||
tags.tf | ||
variables.tf | ||
versions.tf |
README.md
Google KMS Module
This module allows creating and managing KMS crypto keys and IAM bindings at both the keyring and crypto key level. An existing keyring can be used, or a new one can be created and managed by the module if needed.
When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator.
Protecting against destroy
In this module no lifecycle blocks are set on resources to prevent destroy, in order to allow for experimentation and testing where rapid apply
/destroy
cycles are needed. If you plan on using this module to manage non-development resources, clone it and uncomment the lifecycle blocks found in main.tf
.
Examples
Using an existing keyring
module "kms" {
source = "./fabric/modules/kms"
project_id = "my-project"
iam = {
"roles/cloudkms.admin" = ["user:user1@example.com"]
}
keyring = { location = "europe-west1", name = "test" }
keyring_create = false
keys = { key-a = {}, key-b = {}, key-c = {} }
}
# tftest skip (uses data sources)
Keyring creation and crypto key rotation and IAM roles
module "kms" {
source = "./fabric/modules/kms"
project_id = "my-project"
keyring = {
location = "europe-west1"
name = "test"
}
keys = {
key-a = {
iam = {
"roles/cloudkms.admin" = ["user:user3@example.com"]
}
}
key-b = {
rotation_period = "604800s"
iam_bindings_additive = {
key-b-iam1 = {
key = "key-b"
member = "user:am1@example.com"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
}
}
key-c = {
labels = {
env = "test"
}
}
}
}
# tftest modules=1 resources=6 inventory=basic.yaml
Crypto key purpose
module "kms" {
source = "./fabric/modules/kms"
project_id = "my-project"
keyring = {
location = "europe-west1"
name = "test"
}
keys = {
key-a = {
purpose = "ASYMMETRIC_SIGN"
version_template = {
algorithm = "EC_SIGN_P384_SHA384"
protection_level = "HSM"
}
}
}
}
# tftest modules=1 resources=2 inventory=purpose.yaml
Variables
name | description | type | required | default |
---|---|---|---|---|
keyring | Keyring attributes. | object({…}) |
✓ | |
project_id | Project id where the keyring will be created. | string |
✓ | |
iam | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |
{} |
|
iam_bindings_additive | Keyring individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |
{} |
|
keyring_create | Set to false to manage keys and IAM bindings in an existing keyring. | bool |
true |
|
keys | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) |
{} |
|
tag_bindings | Tag bindings for this keyring, in key => tag value id format. | map(string) |
{} |
Outputs
name | description | sensitive |
---|---|---|
id | Fully qualified keyring id. | |
key_ids | Fully qualified key ids. | |
keyring | Keyring resource. | |
keys | Key resources. | |
location | Keyring location. | |
name | Keyring name. |