This module supports creating a standard or root key in an existing key ring and KMS instance. The KMS can be a Key Protect instance or a Hyper Protect Crypto Services (HPCS) Standard plan instance. You can specify rotation and deletion policies for the keys.

```hcl
provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX"
  # Must be the same region the KMS instance is in
  region = "us-south"
}

# KMS root key
module "kms_root_key" {
  source          = "terraform-ibm-modules/kms-key/ibm"
  version         = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  kms_instance_id = "XXxxXXxx-xxxx-XXXX-xxxx-XXxxXXxx"
  key_name        = "my-root-key"
}

# KMS standard key
module "kms_standard_key" {
  source          = "terraform-ibm-modules/kms-key/ibm"
  version         = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  kms_instance_id = "XXxxXXxx-xxxx-XXXX-xxxx-XXxxXXxx"
  key_name        = "my-standard-key"
  standard_key    = true
}
```
You need the following permissions to run this module.

- Account Management
    - **Resource Group** service
        - `Viewer` platform access
- IAM Services
    - **KMS** service
        - `Viewer` platform access
        - `Manager` service access
| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >= 1.69.0, < 2.0.0 |
No modules.
| Name | Type |
|---|---|
| ibm_kms_key.key | resource |
| ibm_kms_key_policies.root_key_policy | resource |
| ibm_kms_key_policies.standard_key_policy | resource |
| ibm_kms_kmip_adapter.kmip_adapter | resource |
| ibm_kms_kmip_client_cert.kmip_cert | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| dual_auth_delete_enabled | If set to true, KMS enables a dual authorization policy on a single key. Note: once the dual authorization policy is set on the key, it cannot be reverted. A key with the dual authorization policy enabled cannot be destroyed by using Terraform. | `bool` | `false` | no |
| endpoint_type | Endpoint to use when creating the key | `string` | `"public"` | no |
| force_delete | Set to true to force deletion even if the key is in use | `bool` | `false` | no |
| key_name | Name to give the key | `string` | n/a | yes |
| kmip | Allows a key to utilize the key management interoperability protocol (KMIP). For more information, see https://cloud.ibm.com/docs/key-protect?topic=key-protect-kmip | `list(object({` | `[]` | no |
| kms_instance_id | ID or GUID of the KMS instance | `string` | n/a | yes |
| kms_key_ring_id | The ID of the key ring where you want to add your KMS key | `string` | `"default"` | no |
| rotation_interval_month | The key rotation time interval in months. A rotation policy cannot be set for a standard key, so the value is ignored if `var.standard_key` is true | `number` | `1` | no |
| standard_key | Set to true for a standard key, false for a root key | `bool` | `false` | no |
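The following configuration is an added example (not from the module's own documentation) that exercises the rotation and deletion policy inputs listed above: a root key in a dedicated key ring with quarterly rotation and dual-authorization delete, reached over the private endpoint. It assumes a key ring created with the provider's `ibm_kms_key_ring` resource and a placeholder instance ID.

```hcl
locals {
  # Placeholder; replace with the GUID of your Key Protect or HPCS instance
  kms_instance_id = "XXxxXXxx-xxxx-XXXX-xxxx-XXxxXXxx"
}

# Assumed: a dedicated key ring so the key is not placed in the "default" ring
resource "ibm_kms_key_ring" "payments" {
  instance_id = local.kms_instance_id
  key_ring_id = "payments-ring"
}

module "kms_root_key_hardened" {
  source  = "terraform-ibm-modules/kms-key/ibm"
  version = "X.X.X" # Replace with a release version to lock into a specific release

  kms_instance_id = local.kms_instance_id
  kms_key_ring_id = ibm_kms_key_ring.payments.key_ring_id
  key_name        = "payments-root-key"

  # Root key (default); rotation policy is only honoured for root keys
  standard_key            = false
  rotation_interval_month = 3

  # Deletion policy: once set it cannot be reverted, and Terraform
  # can no longer destroy the key on its own, so enable deliberately
  dual_auth_delete_enabled = true

  # Keep control-plane traffic on the private network
  endpoint_type = "private"
}

output "payments_root_key_crn" {
  value = module.kms_root_key_hardened.crn
}

output "payments_root_key_dual_auth" {
  value = module.kms_root_key_hardened.dual_auth_delete
}
```

Because `dual_auth_delete_enabled` blocks `terraform destroy`, pair it with a change-review step that confirms the key should be permanent before applying.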
| Name | Description |
|---|---|
| adapter_ids | KMIP adapter IDs of the associated root key |
| cert_ids | KMIP certificate IDs |
| crn | Key CRN |
| dual_auth_delete | Whether dual-authorization delete is enabled |
| key_id | Key ID |
| rotation_interval_month | Rotation interval in months |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.