https://github.com/terraform-ibm-modules/terraform-ibm-key-protect

Terraform module to create and work with IBM Key Protect
# Key Protect module
[![Graduated (Supported)](https://img.shields.io/badge/Status-Graduated%20(Supported)-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-key-protect?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-key-protect/releases/latest)
[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)

This module supports:

- Creating a [Key Protect instance](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about)
- Enabling a [rotation policy](https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy) for the instance
- Enabling a [dual authorization policy](https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-dual-auth) for the instance
- Enabling a [metrics policy](https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-monitor-metrics) for the instance
- Enabling a [key create and import access policy](https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess) for the instance

## Overview
* [terraform-ibm-key-protect](#terraform-ibm-key-protect)
* [Examples](./examples)
    * [Advanced private example](./examples/advanced)
    * [Basic example](./examples/basic)
* [Contributing](#contributing)

## terraform-ibm-key-protect

### Usage

```hcl
provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX" # Replace with your IBM Cloud API key (prefer an environment variable or a sensitive variable over a literal)
  region           = "us-south"
}

module "key_protect_module" {
  source            = "terraform-ibm-modules/key-protect/ibm"
  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  key_protect_name  = "my-key-protect-instance"
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX" # ID of the resource group that will own the instance
  region            = "us-south"
}
```
### Required IAM access policies

- Account Management
    - **Resource Group** service
        - `Viewer` platform access
- IAM Services
    - **Key Protect** service
        - `Editor` platform access
        - `Manager` platform access (required to enable metrics)

To attach access management tags to resources in this module, you need the following permissions.

- IAM Services
    - **Tagging** service
        - `Administrator` platform access
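The policies listed above can be granted to an access group in Terraform rather than by hand. The following is an added example, not code from this module or its repository: it uses the IBM provider's `ibm_iam_access_group` and `ibm_iam_access_group_policy` resources, assumes the Key Protect IAM service name is `kms`, and assumes a resource group data source named `rg` (the resource group name is a placeholder). The Tagging `Administrator` policy is omitted because it is only needed when `access_tags` is used.

```hcl
# Added example: grant the IAM roles this module needs to a dedicated access group.
# Assumptions: resource group "my-resource-group" exists (placeholder name) and the
# Key Protect service is addressed by its IAM service name "kms".

data "ibm_resource_group" "rg" {
  name = "my-resource-group" # placeholder
}

resource "ibm_iam_access_group" "kp_operators" {
  name        = "key-protect-operators"
  description = "Principals allowed to run this Key Protect module"
}

# Account Management > Resource Group service > Viewer, scoped to one resource group
resource "ibm_iam_access_group_policy" "rg_viewer" {
  access_group_id = ibm_iam_access_group.kp_operators.id
  roles           = ["Viewer"]

  resources {
    resource_type = "resource-group"
    resource      = data.ibm_resource_group.rg.id
  }
}

# IAM Services > Key Protect service > Editor + Manager (Manager is needed for metrics),
# scoped to Key Protect instances inside that resource group only
resource "ibm_iam_access_group_policy" "kp_editor_manager" {
  access_group_id = ibm_iam_access_group.kp_operators.id
  roles           = ["Editor", "Manager"]

  resources {
    service           = "kms"
    resource_group_id = data.ibm_resource_group.rg.id
  }
}
```

Scoping both policies to a single resource group keeps the deploying identity from managing Key Protect instances elsewhere in the account; widen the scope only if the module is used across resource groups.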

### Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.9.0 |
| [ibm](#requirement\_ibm) | >= 1.70.0, < 2.0.0 |

### Modules

| Name | Source | Version |
|------|--------|---------|
| [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |

### Resources

| Name | Type |
|------|------|
| [ibm_kms_instance_policies.key_protect_instance_policies](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/kms_instance_policies) | resource |
| [ibm_resource_instance.key_protect_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [ibm_resource_tag.key_protect_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [access\_tags](#input\_access\_tags) | A list of access tags to apply to the Key Protect instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
| [allowed\_network](#input\_allowed\_network) | Types of the allowed networks to be set for the Key Protect instance. Possible values are 'private-only' or 'public-and-private' | `string` | `"public-and-private"` | no |
| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of context-based restrictions rules to create | <pre>list(object({<br>  description = string<br>  account_id = string<br>  rule_contexts = list(object({<br>    attributes = optional(list(object({<br>      name = string<br>      value = string<br>    })))<br>  }))<br>  enforcement_mode = string<br>  operations = optional(list(object({<br>    api_types = list(object({<br>      api_type_id = string<br>    }))<br>  })))<br>}))</pre> | `[]` | no |
| [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | If set to true, Key Protect enables a dual authorization policy on the instance. Note: Once the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed using Terraform. | `bool` | `false` | no |
| [key\_create\_import\_access\_enabled](#input\_key\_create\_import\_access\_enabled) | If set to true, Key Protect enables a key create import access policy on the instance | `bool` | `true` | no |
| [key\_create\_import\_access\_settings](#input\_key\_create\_import\_access\_settings) | Key create import access policy settings to configure if var.key\_create\_import\_access\_enabled is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess | <pre>object({<br>  create_root_key = optional(bool, true)<br>  create_standard_key = optional(bool, true)<br>  import_root_key = optional(bool, true)<br>  import_standard_key = optional(bool, true)<br>  enforce_token = optional(bool, false)<br>})</pre> | `{}` | no |
| [key\_protect\_name](#input\_key\_protect\_name) | The name to give the Key Protect instance that will be provisioned | `string` | n/a | yes |
| [metrics\_enabled](#input\_metrics\_enabled) | If set to true, Key Protect enables metrics on the Key Protect instance. In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. | `bool` | `true` | no |
| [plan](#input\_plan) | Plan for the Key Protect instance. Valid plans are 'tiered-pricing' and 'cross-region-resiliency', for more information on these plans see [Key Protect pricing plan](https://cloud.ibm.com/docs/key-protect?topic=key-protect-pricing-plan). | `string` | `"tiered-pricing"` | no |
| [region](#input\_region) | Region where the Key Protect instance will be provisioned | `string` | n/a | yes |
| [resource\_group\_id](#input\_resource\_group\_id) | Resource Group ID where the Key Protect instance will be provisioned | `string` | n/a | yes |
| [rotation\_enabled](#input\_rotation\_enabled) | If set to true, Key Protect enables a rotation policy on the Key Protect instance. | `bool` | `true` | no |
| [rotation\_interval\_month](#input\_rotation\_interval\_month) | Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. | `number` | `1` | no |
| [tags](#input\_tags) | List of tags to associate with the Key Protect instance | `list(string)` | `[]` | no |
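The Usage section shows the minimal module call; the inputs above are where the security posture of the instance is actually decided. The following is an added example, not code from this module or its repository, that combines them into a hardened configuration: private-only endpoints, a rotation policy, dual authorization for deletion, root-key-only create/import with import tokens enforced, and a context-based restriction tying access to one VPC. It assumes the IBM provider's `ibm_cbr_zone` resource and a resource group data source; the account ID, VPC CRN and resource group name are placeholders, and the CBR attribute names `endpointType` and `networkZoneId` are an assumption about the values the `cbr_rules` object accepts.

```hcl
# Added example: a hardened Key Protect instance using this module's documented inputs.
# Placeholders: ACCOUNT_ID_PLACEHOLDER, VPC_ID_PLACEHOLDER, "my-resource-group".

variable "ibmcloud_api_key" {
  type      = string
  sensitive = true # supply via TF_VAR_ibmcloud_api_key; never commit the literal
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

data "ibm_resource_group" "rg" {
  name = "my-resource-group" # placeholder
}

# Assumption: a CBR network zone containing only the VPC that may reach Key Protect
resource "ibm_cbr_zone" "vpc_zone" {
  name       = "kp-allowed-vpc"
  account_id = "ACCOUNT_ID_PLACEHOLDER"

  addresses {
    type  = "vpc"
    value = "crn:v1:bluemix:public:is:us-south:a/ACCOUNT_ID_PLACEHOLDER::vpc:VPC_ID_PLACEHOLDER" # placeholder CRN
  }
}

module "key_protect" {
  source  = "terraform-ibm-modules/key-protect/ibm"
  version = "X.X.X" # pin to a release

  key_protect_name  = "prod-key-protect"
  resource_group_id = data.ibm_resource_group.rg.id
  region            = "us-south"

  # Reachable over private endpoints only; kp_public_endpoint output will be unusable
  allowed_network = "private-only"

  # Automatic key rotation every 3 months (allowed range is 1-12)
  rotation_enabled        = true
  rotation_interval_month = 3

  # Irreversible once set: the instance can no longer be destroyed with Terraform
  dual_auth_delete_enabled = true

  # Requires Manager access on Key Protect and a Monitoring instance in the same region
  metrics_enabled = true

  # Allow only root keys to be created or imported, and require an import token
  key_create_import_access_enabled = true
  key_create_import_access_settings = {
    create_root_key     = true
    create_standard_key = false
    import_root_key     = true
    import_standard_key = false
    enforce_token       = true
  }

  # Restrict API access to the approved VPC over private endpoints; start in
  # "report" mode and switch to "enabled" once the logs show no legitimate traffic is blocked
  cbr_rules = [{
    description      = "Key Protect reachable only from the approved VPC over private endpoints"
    account_id       = "ACCOUNT_ID_PLACEHOLDER"
    enforcement_mode = "report"
    rule_contexts = [{
      attributes = [
        { name = "endpointType", value = "private" },   # assumption: CBR attribute name
        { name = "networkZoneId", value = ibm_cbr_zone.vpc_zone.id } # assumption: CBR attribute name
      ]
    }]
  }]

  tags = ["env:prod", "owner:security"]
}

output "key_protect_private_endpoint" {
  value = module.key_protect.kp_private_endpoint
}
```

Two of these settings deserve a plan review before apply: `dual_auth_delete_enabled` cannot be reverted and blocks `terraform destroy` of the instance, and `allowed_network = "private-only"` cuts off any client that still uses the public endpoint. Keeping the CBR rule in `report` mode until the Activity Tracker entries are clean avoids locking out workloads while the rule is being introduced.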

### Outputs

| Name | Description |
|------|-------------|
| [cbr\_rule\_ids](#output\_cbr\_rule\_ids) | CBR rule ids created to restrict Key Protect |
| [key\_protect\_account\_id](#output\_key\_protect\_account\_id) | The account ID of the Key Protect instance. |
| [key\_protect\_crn](#output\_key\_protect\_crn) | CRN of the Key Protect instance |
| [key\_protect\_guid](#output\_key\_protect\_guid) | GUID of the Key Protect instance |
| [key\_protect\_id](#output\_key\_protect\_id) | ID of the Key Protect instance |
| [key\_protect\_instance\_policies](#output\_key\_protect\_instance\_policies) | Instance policies of the Key Protect instance |
| [key\_protect\_name](#output\_key\_protect\_name) | Name of the Key Protect instance |
| [kp\_private\_endpoint](#output\_kp\_private\_endpoint) | Instance private endpoint URL |
| [kp\_public\_endpoint](#output\_kp\_public\_endpoint) | Instance public endpoint URL |

## Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).

To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.