Skip to content

Deploys KMS Autokey resource to simplify creation and management of customer encryption keys (CMEK) by automating provisioning and assignment.

License

Notifications You must be signed in to change notification settings

GoogleCloudPlatform/terraform-google-autokey

Repository files navigation

Cloud Auto KMS Terraform Module

Autokey simplifies creating and managing customer encryption keys (CMEK) by automating provisioning and assignment. With Autokey, your key rings, keys, and service accounts do not need to be pre-planned and provisioned. Instead, they are generated on demand as part of resource creation. This module makes it easy to set up Auto KMS.

How to set up KMS Autokey:

  • Choose an existing folder or create a new folder. You will be creating or using an existing key projects in this folder. All of the resources created in these projects can use Autokey.
  • Choose the parent for the resource folder, either it can be root of the organization or any existing folder
  • Enable Cloud KMS API in the Autokey project.
  • Create and assign the Autokey service agent.
  • Associate the Autokey folder with the Key project, through an Autokey configuration setting.
  • The Auto key is ready to be used in resource projects.

Usage

# Configure Cloud KMS Autokey
module "autokey" {
  source                              = "GoogleCloudPlatform/terraform-google-autokey"
  #source                         = "../../"
  billing_account                = ""
  organization_id                = ""
  parent_folder_id               = ""                                       # update folder_id
  parent_is_folder               = false                                    ## set to 'false' to use org as parent
  create_new_folder              = true                                     ## set to false to use existing folder
  folder_id                      = ""                                       ## provide folder_id if using existing folder
  autokey_folder_name            = "autokey folder"                         ## applicable only if creating new folder, otherwise declare null
  create_new_autokey_key_project = true                                     ## set to false to use existing project
  autokey_key_project_name       = "autokey-project"                        ## must be 6 to 30 letters, digits, hyphens and start with a letter.; applicable only if creating new folder, otherwise declare null
  autokey_key_project_id         = ""                                       ## update if using existing project
  autokey_folder_admins          = ["user:foo@example.com"] ## List the users who should have the authority to enable and configure Autokey at a folder level;  example user listing ["user:foo@example.com", "user:bar@example.com"]
  autokey_folder_users           = ["user:user:bar@example.com"] ## List the users who should have the authority to protect their resources with Autokey;  example user listing ["user:foo@example.com", "user:bar@example.com"]
  autokey_project_kms_admins     = ["user:user:bar@example.com"] ## List the users who should have the authority to manage crypto operations in the Key Management Project; example user listing ["user:foo@example.com", "user:bar@example.com"]
}

Inputs

Name Description Type Default Required
autokey_folder_admins List the users who should have the authority to enable and configure Autokey at a folder level list(string) n/a yes
autokey_folder_name Resource folders should use KMS Autokey string "autokey folder" no
autokey_folder_users List the users who should have the authority to protect their resources with Autokey list(string) n/a yes
autokey_key_project_id Project name to deploy resources string null no
autokey_key_project_name Project name to deploy resources string "autokey-project" no
autokey_project_kms_admins List the users who should have the authority to manage crypto operations in the Key Management Project set(string) n/a yes
billing_account billing account required string n/a yes
create_new_autokey_key_project If true, the Terraform will create a new project for autokey key. If false, will use an existing project bool true no
create_new_folder If true, the Terraform will create a new folder. If false, will use an existing folder bool true no
folder_id Resource folders should use KMS Autokey string null no
organization_id Organization ID to add tags at Org level string n/a yes
parent_folder_id Folder ID to create child folder for autokey string n/a yes
parent_is_folder Folder ID to create child folder for autokey bool true no
skip_delete If true, the Terraform resource can be deleted without deleting the Project via the Google API. string "false" no

Outputs

Name Description
autokey_config KMS Autokey config
key_project_id key_project_id
random_id random id

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

  • [Terraform][terraform] v1.3
  • [Terraform Provider for GCP][terraform-provider-gcp] plugin v3.53

Service Account and User Permissions

A service account with the following roles must be used to provision the resources of this module:

  • KMS Service Agent : roles/cloudkms.admin
  • Key admins to use Autokey at folder level: roles/cloudkms.autokeyAdmin
  • key admins to use Autokey in this project: roles/cloudkms.admin
  • Users to protect resources with Autokey: roles/cloudkms.autokeyUser

The [Project Factory module][project-factory-module] and the [IAM module][iam-module] may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Cloud KMS API: cloudkms.googleapis.com

The [Project Factory module][project-factory-module] can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.