
terraform-ibm-modules/terraform-ibm-kms-key


KMS key module


This module creates a standard or root key in an existing key ring of an existing KMS instance. The KMS instance can be a Key Protect instance or a Hyper Protect Crypto Services (HPCS) Standard plan instance. You can specify rotation and deletion policies for the key.

Overview

terraform-ibm-kms-key

Usage

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX"
  # Must be the same region the KMS instance is in
  region           = "us-south"
}

# KMS root key
module "kms_root_key" {
  source          = "terraform-ibm-modules/kms-key/ibm"
  version         = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  kms_instance_id = "XXxxXXxx-xxxx-XXXX-xxxx-XXxxXXxx"
  key_name        = "my-root-key"
}

# KMS standard key
module "kms_standard_key" {
  source          = "terraform-ibm-modules/kms-key/ibm"
  version         = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  kms_instance_id = "XXxxXXxx-xxxx-XXXX-xxxx-XXxxXXxx"
  key_name        = "my-standard-key"
  standard_key    = true
}

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • Resource Group service
      • Viewer platform access
  • IAM Services
    • KMS service
      • Viewer platform access
      • Manager service access

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| ibm | >= 1.69.0, < 2.0.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| ibm_kms_key.key | resource |
| ibm_kms_key_policies.root_key_policy | resource |
| ibm_kms_key_policies.standard_key_policy | resource |
| ibm_kms_kmip_adapter.kmip_adapter | resource |
| ibm_kms_kmip_client_cert.kmip_cert | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| dual_auth_delete_enabled | If set to true, KMS enables a dual authorization policy on the key. Note: once the dual authorization policy is set on the key, it cannot be reverted. A key with the dual authorization policy enabled cannot be destroyed by using Terraform. | bool | false | no |
| endpoint_type | Endpoint to use when creating the key | string | "public" | no |
| force_delete | Set to true to force deletion even if the key is in use | bool | false | no |
| key_name | Name to give the key | string | n/a | yes |
| kmip | Allows the key to use the Key Management Interoperability Protocol (KMIP). For more information, see https://cloud.ibm.com/docs/key-protect?topic=key-protect-kmip | list(object({ name = string, description = optional(string), certificates = optional(list(object({ name = optional(string), certificate = string }))) })) | [] | no |
| kms_instance_id | ID or GUID of the KMS instance | string | n/a | yes |
| kms_key_ring_id | The ID of the key ring where you want to add your KMS key | string | "default" | no |
| rotation_interval_month | The key rotation interval in months. A rotation policy cannot be set on a standard key, so the value is ignored when var.standard_key is true | number | 1 | no |
| standard_key | Set to true for a standard key, false for a root key | bool | false | no |

Outputs

| Name | Description |
|------|-------------|
| adapter_ids | KMIP adapter IDs of the associated root key |
| cert_ids | KMIP client certificate IDs |
| crn | Key CRN |
| dual_auth_delete | Whether dual authorization delete is enabled |
| key_id | Key ID |
| rotation_interval_month | Rotation interval in months |
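The following configuration is an added example that is not part of the module's README or the project's own code. It exercises the inputs and outputs documented above together: a root key with a rotation policy, a KMIP adapter and client certificate, and a standard key in the same key ring, with the module outputs surfaced at the top level. The key ring id "app-keys", the certificate path, the key names and the variable names are assumptions for illustration; "private" as an endpoint_type value is the usual alternative to the documented "public" default and is assumed to be accepted by the underlying provider.

```hcl
# Added example, not the module's own code. Placeholder values are marked.

variable "ibmcloud_api_key" {
  type      = string
  sensitive = true # keep the API key out of state diffs and plan output
}

variable "kms_instance_id" {
  type        = string
  description = "GUID of an existing Key Protect or HPCS Standard plan instance (placeholder)"
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south" # must be the same region the KMS instance is in
}

# Root key: the rotation policy and dual-auth policy only apply to root keys.
module "app_root_key" {
  source          = "terraform-ibm-modules/kms-key/ibm"
  version         = "X.X.X" # replace with a pinned release version
  kms_instance_id = var.kms_instance_id
  key_name        = "app-root-key"
  kms_key_ring_id = "app-keys" # assumed: this key ring already exists in the instance
  endpoint_type   = "private"  # assumed value; keeps key creation off the public endpoint

  rotation_interval_month = 3 # rotate the root key every three months

  # Irreversible once enabled, and such a key can no longer be destroyed with
  # Terraform, so it stays false here; set it only when that guarantee is wanted.
  dual_auth_delete_enabled = false

  # Left at the default so a destroy fails while the key is still in use.
  force_delete = false

  kmip = [{
    name        = "app-kmip-adapter"
    description = "KMIP adapter for external key clients of the app"
    certificates = [{
      name        = "app-kmip-client"
      certificate = file("${path.module}/certs/kmip-client.pem") # placeholder path
    }]
  }]
}

# Standard key: rotation_interval_month is ignored because standard_key is true.
module "app_standard_key" {
  source          = "terraform-ibm-modules/kms-key/ibm"
  version         = "X.X.X"
  kms_instance_id = var.kms_instance_id
  key_name        = "app-standard-key"
  kms_key_ring_id = "app-keys"
  endpoint_type   = "private"
  standard_key    = true
}

output "root_key_crn" {
  value = module.app_root_key.crn
}

output "root_key_rotation_months" {
  value = module.app_root_key.rotation_interval_month
}

output "root_key_dual_auth_delete" {
  value = module.app_root_key.dual_auth_delete
}

output "kmip_adapter_ids" {
  value = module.app_root_key.adapter_ids
}

output "standard_key_id" {
  value = module.app_standard_key.key_id
}
```

Run terraform init and terraform plan with TF_VAR_ibmcloud_api_key and TF_VAR_kms_instance_id set in the environment; the plan should show one ibm_kms_key and one ibm_kms_key_policies resource per module instance, plus the KMIP adapter and client certificate for the root key only. Because the plan lists the dual_auth_delete policy explicitly, review it before apply: that is the last point at which the setting can still be changed.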

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.