Simple Cloud KMS module that manages a keyring, zero or more keys in that keyring, and IAM role bindings on the individual keys.

The resources/services/activations/deletions that this module will create/trigger are:

- Create a KMS keyring in the provided project
- Create zero or more keys in the keyring
- Create IAM role bindings for owners, encrypters and decrypters on each key
```hcl
# Look up the project's Cloud Storage service account so it can be granted
# encrypt/decrypt on the CMEK.
data "google_storage_project_service_account" "gcs_account" {
  project = var.project_id
}

module "kms" {
  source  = "nephosolutions/kms/google"
  version = "1.0.0"

  project_id      = data.google_storage_project_service_account.gcs_account.project
  keyring         = "kr-example"
  location        = "europe"
  crypto_keys     = ["cmek-example"]
  rotation_period = var.key_rotation_period

  # Per-key IAM bindings: map of key name => list of principals.
  crypto_key_encrypters = {
    cmek-example = [
      "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
    ]
  }
  crypto_key_decrypters = {
    cmek-example = [
      "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
    ]
  }
}
```
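Consuming the key from the usage block above as the default CMEK of a Cloud Storage bucket, as an added example that is not part of the module. It assumes the module block is named `kms` and creates the `cmek-example` key as shown, that `var.project_id` is defined, that the `crypto_key_ids` output holds the key's resource name in the form `default_kms_key_name` accepts, and it uses a placeholder bucket name.

```hcl
# Added example (not module code): protect a GCS bucket with the CMEK
# created by the "kms" module block above.
resource "google_storage_bucket" "cmek_example" {
  name     = "cmek-example-bucket-placeholder" # hypothetical bucket name
  project  = var.project_id
  location = "EU" # must be covered by the keyring location ("europe")

  uniform_bucket_level_access = true

  encryption {
    # crypto_key_ids is the module output "key name => key self link";
    # assumed here to be the resource name expected by default_kms_key_name.
    default_kms_key_name = module.kms.crypto_key_ids["cmek-example"]
  }

  # The GCS service account must already hold cryptoKeyEncrypter and
  # cryptoKeyDecrypter on the key, or the bucket create call is rejected.
  # Referencing the key output alone only waits for the key, not for the
  # module's IAM bindings, so depend on the whole module.
  depends_on = [module.kms]
}
```

If the bindings are created in the same apply without `depends_on`, the first apply can fail with a permission error on the KMS key and succeed only on retry.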
Copyright 2023 NephoSolutions srl, Sebastian Trebitz
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Name | Version |
---|---|
terraform | >= 0.13 |
| >= 3.53, < 6.0 |
No providers.
Name | Source | Version |
---|---|---|
crypto_key | ./modules/crypto_key | n/a |
keyring | ./modules/key_ring | n/a |
No resources.
Name | Description | Type | Default | Required |
---|---|---|---|---|
crypto_key_admins | Map of key name to the list of IAM principals granted roles/cloudkms.admin on that key. | map(list(string)) | {} | no |
crypto_key_algorithm | The algorithm to use when creating a version based on this template. See https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible values. | string | "GOOGLE_SYMMETRIC_ENCRYPTION" | no |
crypto_key_decrypters | Map of key name to the list of IAM principals granted roles/cloudkms.cryptoKeyDecrypter on that key. | map(list(string)) | {} | no |
crypto_key_encrypters | Map of key name to the list of IAM principals granted roles/cloudkms.cryptoKeyEncrypter on that key. | map(list(string)) | {} | no |
crypto_key_protection_level | The protection level to use when creating a version based on this template. Possible values: "SOFTWARE", "HSM". | string | "SOFTWARE" | no |
crypto_key_viewers | Map of key name to the list of IAM principals granted roles/cloudkms.viewer on that key. | map(list(string)) | {} | no |
crypto_keys | Set of key names to create in the keyring. | set(string) | n/a | yes |
keyring | Name for the keyring. | string | n/a | yes |
keyring_admins | List of IAM principals to grant roles/cloudkms.admin on the keyring. | list(string) | [] | no |
keyring_viewers | List of IAM principals to grant roles/cloudkms.viewer on the keyring. | list(string) | [] | no |
labels | Labels, provided as a map. | map(string) | {} | no |
location | Location for the keyring. | string | n/a | yes |
prevent_destroy | Set the prevent_destroy lifecycle attribute on the keys. | bool | true | no |
project_id | Project ID where the keyring will be created. | string | n/a | yes |
purpose | The immutable purpose of the CryptoKeys. See the purpose reference for possible inputs. | string | "ENCRYPT_DECRYPT" | no |
rotation_period | Every time this period passes, a new CryptoKeyVersion is generated and set as the primary. The first rotation takes place after the specified period. The rotation period is a decimal number of seconds with up to 9 fractional digits and must be greater than one day (i.e., 86400 seconds). | number | 2592000 | no |
Name | Description |
---|---|
crypto_key_ids | Map of key name => key self link. |
crypto_key_purposes | Map of key name => key purpose. |
keyring_id | The identifier of the KeyRing. |
keyring_name | The resource name of the KeyRing. |
location | The location of the KeyRing. |
project | The ID of the project the keyring belongs to. |