A Terraform module that creates multi-region KMS keys and the key alias resources on AWS Cloud.
AWS Key Management Service (KMS) allows you to create and manage cryptographic keys that you can use to encrypt and decrypt data. One of the key features of KMS is the ability to create and manage keys across multiple regions.
There are several benefits to using multi-region KMS keys:
- Redundancy: By creating a key in multiple regions, you can ensure that you have a backup key available in case one region becomes unavailable.
- Latency: By creating a key in the region closest to your users, you can reduce the latency of cryptographic operations.
- Compliance: Some compliance requirements mandate that cryptographic keys must be stored in specific regions. By creating keys in multiple regions, you can ensure that you are compliant with these requirements.
Once the key is created, you can use it to encrypt and decrypt data in any of the specified regions.
It's important to note that multi-region KMS keys are regional resources, which means that each region has its own version of the key. This means that the key material, policies, and metadata for the key may be different in each region.
See the example directory.
- This module can replicate the KMS key to only two regions (the `aws.first_replica` and `aws.second_replica` provider configurations) in addition to the primary region.
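As an added illustration (not the module's own code and not taken from its example directory), this is what the primary key, one replica and the matching aliases look like written as plain resources under the provider configurations the module expects, against aws provider >= 3.64.2. Region names and the alias name `alias/app-data` are assumed placeholders; the second replica is noted in a trailing comment rather than spelled out.

```hcl
# Added example, not the module's own code: a primary multi-region KMS key with
# one replica written as plain resources. Regions and the alias name are assumed.
provider "aws" {
  region = "us-east-1" # primary region (assumed)
}

provider "aws" {
  alias  = "first_replica"
  region = "eu-west-1" # assumed
}

provider "aws" {
  alias  = "second_replica"
  region = "ap-southeast-1" # assumed
}

# multi_region is fixed at creation time; it cannot be enabled on an existing key.
resource "aws_kms_key" "primary" {
  description              = "Application data key"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  multi_region             = true
  enable_key_rotation      = true
  deletion_window_in_days  = 30
}

resource "aws_kms_alias" "primary" {
  name          = "alias/app-data"
  target_key_id = aws_kms_key.primary.key_id
}

# A replica references the primary by ARN and is created under an aliased
# provider, so it lands in that region with its own key policy and tags.
resource "aws_kms_replica_key" "first_replica" {
  provider                = aws.first_replica
  description             = "Application data key (replica)"
  primary_key_arn         = aws_kms_key.primary.arn
  deletion_window_in_days = 30
}

# Same alias name in each region, so callers can address the key uniformly.
resource "aws_kms_alias" "first_replica" {
  provider      = aws.first_replica
  name          = "alias/app-data"
  target_key_id = aws_kms_replica_key.first_replica.key_id
}

# The second replica repeats the two resources above with provider = aws.second_replica.
```

Because the key policy, grants and tags of each replica are independent, review them per region when auditing who can use the key.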
Required provider | Version |
---|---|
aws | >= 3.64.2 |

Provider configuration | Version |
---|---|
aws | >= 3.64.2 |
aws.first_replica | >= 3.64.2 |
aws.second_replica | >= 3.64.2 |
No modules.
Resource | Type |
---|---|
aws_kms_alias.first_replica | resource |
aws_kms_alias.primary | resource |
aws_kms_alias.second_replica | resource |
aws_kms_key.primary | resource |
aws_kms_replica_key.first_replica | resource |
aws_kms_replica_key.second_replica | resource |
Input | Description | Type | Default | Required |
---|---|---|---|---|
alias | The display name of the key. | string | n/a | yes |
deletion_window_in_days | (optional) The waiting period, in days, after which AWS KMS deletes the KMS key. If specified, the value must be between 7 and 30, inclusive; if omitted, it defaults to 30. | number | 30 | no |
description | The description of the key as shown in the AWS console. | string | n/a | yes |
is_enabled | Specifies whether the key is enabled. | bool | true | no |
key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair, and the encryption or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. | string | "SYMMETRIC_DEFAULT" | no |
replica | (optional) describe your variable | object({ | n/a | yes |
rotation_enabled | Specifies whether key rotation is enabled. | bool | true | no |
tags | A map of tags to assign to the key. | map(string) | {} | no |
Output | Description |
---|---|
key_arn | The Amazon Resource Name (ARN) of the key. |
The module is maintained by Waleed. Here's a blog link about it.
Apache 2 Licensed. See LICENSE for full details.