Terraform module to provision a KMS key with alias.
It's 100% open source and licensed under the Apache License, Version 2.0.
- Based on terraform-aws-kms-key by "Cloud Posse"
- Includes unaccepted PR code by @alexjurkiewicz
Example:
```hcl
module "kms_key" {
  # Relative path to this module
  source = "../../"

  description             = "Test KMS key"
  deletion_window_in_days = 7
  enable_key_rotation     = false
  alias                   = "testkeyjja"

  tags = {
    ntt_monitoring = "1"
    ntt_owner      = "Juanje"
  }
}
```

Requirements:

Name | Version |
---|---|
terraform | >= 0.12.26 |
aws | >= 3.0 |
local | >= 1.3 |
null | >= 2.0 |

Providers:

Name | Version |
---|---|
aws | >= 3.0 |

Modules:

No modules.

Resources:

Name | Type |
---|---|
aws_kms_alias.default | resource |
aws_kms_key.default | resource |
aws_caller_identity.current | data source |

Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
alias | The display name of the alias. | string | n/a | yes |
customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. | string | "SYMMETRIC_DEFAULT" | no |
deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource | number | 10 | no |
description | The description of the key as viewed in AWS console | string | "Parameter Store KMS master key" | no |
enable_key_rotation | Specifies whether key rotation is enabled | bool | true | no |
key_usage | Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. | string | "ENCRYPT_DECRYPT" | no |
policy | A valid KMS policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. This variable takes precedence over other 'policy_*' variables. | string | "" | no |
policy_extra_statements | A list of additional IAM policy statements to attach to the key policy. These statements should be in JSON (string) format. This variable is ignored if the 'policy' variable is set. | list(string) | [] | no |
policy_key_admins | A list of AWS principals allowed to administer this key. You can specify ARNs of IAM users/roles, and AWS account IDs. If you do not provide any value for this variable, access will be granted to the entire account. If you do not want any principal to have this access, specify []. This variable is ignored if the 'policy' variable is set. | list(string) | null | no |
policy_key_aws_services | A list of AWS services allowed to use this key. This variable is ignored if the 'policy' variable is set. | list(string) | [] | no |
policy_key_grantors | A list of AWS principals allowed to grant use of this key to AWS resources. You can specify ARNs of IAM users/roles, and AWS account IDs. If you do not provide any value for this variable, access will be granted to the entire account. If you do not want any principal to have this access, specify []. This variable is ignored if the 'policy' variable is set. | list(string) | null | no |
policy_key_users | A list of AWS principals allowed to use this key for cryptographic operations. You can specify ARNs of IAM users/roles, and AWS account IDs. If you do not provide any value for this variable, access will be granted to the entire account. If you do not want any principal to have this access, specify []. This variable is ignored if the 'policy' variable is set. | list(string) | null | no |
tags | Tags associated with the resources. | map | {} | no |
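
The policy_key_admins, policy_key_users and policy_key_grantors inputs default to null, which grants the corresponding permission to the entire account. A module call that scopes each permission to named principals and keeps key rotation enabled, as an added example that is not part of the original repository; the role names, alias, description and tag values are hypothetical:

```hcl
# Added example, not code from the module repository.
# Role names, alias and tag values are hypothetical placeholders.
data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id

  # Hypothetical role, assumed here to be the role Terraform runs as.
  # By default KMS rejects a key policy that would prevent the calling
  # principal from changing the policy later, so the admins list should
  # include the principal that applies this configuration.
  key_admin_role_arn = "arn:aws:iam::${local.account_id}:role/kms-key-admin"

  # Hypothetical workload role that only needs cryptographic operations.
  app_role_arn = "arn:aws:iam::${local.account_id}:role/app-runtime"
}

module "kms_key_restricted" {
  source = "../../"

  description             = "Application data key"
  alias                   = "appdata"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  # Each of these, left unset (null), grants the permission account-wide.
  policy_key_admins = [local.key_admin_role_arn]
  policy_key_users  = [local.app_role_arn]

  # An explicit empty list means no principal may create grants.
  policy_key_grantors = []

  tags = {
    owner = "platform-team"
  }
}

output "restricted_key_arn" {
  value = module.kms_key_restricted.key_arn
}
```

Setting the policy input to a complete JSON document overrides all three lists, so the two approaches should not be mixed in one module call.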

Outputs:

Name | Description |
---|---|
alias_arn | Alias ARN |
alias_name | Alias name |
key_arn | Key ARN |
key_id | Key ID |

See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.