Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/terraform-google-modules/terraform-google-kms

Allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys
https://github.com/terraform-google-modules/terraform-google-kms

cft-terraform security-identity

Last synced: 5 days ago
JSON representation

Allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys

Host: GitHub
URL: https://github.com/terraform-google-modules/terraform-google-kms
Owner: terraform-google-modules
License: apache-2.0
Created: 2019-05-03T22:37:43.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2024-10-23T18:57:06.000Z (20 days ago)
Last Synced: 2024-10-31T05:32:02.541Z (12 days ago)
Topics: cft-terraform, security-identity
Language: HCL
Homepage: https://registry.terraform.io/modules/terraform-google-modules/kms/google
Size: 357 KB
Stars: 45
Watchers: 22
Forks: 94
Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: CODEOWNERS

Awesome Lists containing this project

README

        # Google KMS Terraform Module

Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys.

The resources/services/activations/deletions that this module will create/trigger are:

- Create a KMS keyring in the provided project

- Create zero or more keys in the keyring

- Create IAM role bindings for owners, encrypters, decrypters

## Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.

 If you haven't

[upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform

0.12.x-compatible version of this module, the last released version

intended for Terraform 0.12.x is [v1.2.0](https://registry.terraform.io/modules/terraform-google-modules/-kms/google/v1.2.0).

## Usage

Basic usage of this module is as follows:

```hcl

module "kms" {

  source  = "terraform-google-modules/kms/google"

  version = "~> 3.2"

  project_id         = ""

  location           = "europe"

  keyring            = "sample-keyring"

  keys               = ["foo", "spam"]

  set_owners_for     = ["foo", "spam"]

  owners = [

    "group:[email protected],group:[email protected]",

    "group:[email protected]",

  ]

}

```

Functional examples are included in the

[examples](./examples/) directory.

## Inputs

| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

| crypto\_key\_backend | (Optional) The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format 'projects//locations//ekmConnections/*' and only applies to 'EXTERNAL\_VPC' keys. | `string` | `null` | no |

| decrypters | List of comma-separated owners for each key declared in set\_decrypters\_for. | `list(string)` | `[]` | no |

| encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no |

| import\_only | Whether these keys may contain imported versions only. | `bool` | `false` | no |

| key\_algorithm | The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs. | `string` | `"GOOGLE_SYMMETRIC_ENCRYPTION"` | no |

| key\_destroy\_scheduled\_duration | Set the period of time that versions of keys spend in the DESTROY\_SCHEDULED state before transitioning to DESTROYED. | `string` | `null` | no |

| key\_protection\_level | The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL\_VPC"] | `string` | `"SOFTWARE"` | no |

| key\_rotation\_period | Generate a new key every time this period passes. | `string` | `"7776000s"` | no |

| keyring | Keyring name. | `string` | n/a | yes |

| keys | Key names. | `list(string)` | `[]` | no |

| labels | Labels, provided as a map | `map(string)` | `{}` | no |

| location | Location for the keyring. | `string` | n/a | yes |

| owners | List of comma-separated owners for each key declared in set\_owners\_for. | `list(string)` | `[]` | no |

| prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | `bool` | `true` | no |

| project\_id | Project id where the keyring will be created. | `string` | n/a | yes |

| purpose | The immutable purpose of the CryptoKey. Default value is ENCRYPT\_DECRYPT. See purpose reference (https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) for possible inputs. | `string` | `"ENCRYPT_DECRYPT"` | no |

| set\_decrypters\_for | Name of keys for which decrypters will be set. | `list(string)` | `[]` | no |

| set\_encrypters\_for | Name of keys for which encrypters will be set. | `list(string)` | `[]` | no |

| set\_owners\_for | Name of keys for which owners will be set. | `list(string)` | `[]` | no |

| skip\_initial\_version\_creation | If set to true, the request will create CryptoKeys without any CryptoKeyVersions. | `bool` | `false` | no |

## Outputs

| Name | Description |

|------|-------------|

| keyring | Self link of the keyring. |

| keyring\_name | Name of the keyring. |

| keyring\_resource | Keyring resource. |

| keys | Map of key name => key self link. |

## Requirements

These sections describe requirements for using this module.

### Software

The following dependencies must be available:

- [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0

- [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.0

### Service Account

A service account with one of the following roles must be used to provision

the resources of this module:

- Cloud KMS Admin: `roles/cloudkms.admin` or

- Owner: `roles/owner`

The [Project Factory module][project-factory-module] and the

[IAM module][iam-module] may be used in combination to provision a

service account with the necessary roles applied.

### APIs

A project with the following APIs enabled must be used to host the

resources of this module:

- Google Cloud Key Management Service: `cloudkms.googleapis.com`

The [Project Factory module][project-factory-module] can be used to

provision a project with the necessary APIs enabled.

## Contributing

Refer to the [contribution guidelines](./CONTRIBUTING.md) for

information on contributing to this module.

[iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google

[project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google

[terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html

[terraform]: https://www.terraform.io/downloads.html