Simple Cloud KMS module that allows managing a keyring, zero or more keys in the keyring, and IAM role bindings on individual keys. Coalfire has tested this module with Terraform version 1.5.0 and the HashiCorp Google provider versions 4.70 - 5.0.

FedRAMP Compliance: High
```hcl
module "kms" {
  source              = "github.com/Coalfire-CF/terraform-gcp-kms"
  project_id          = "project-id"
  location            = var.region
  keyring             = "${var.keyring_prefix}-cmeks"
  keys                = local.cmeks
  key_rotation_period = "31536000s"

  depends_on = [
    time_sleep.wait
  ]
}
```
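The snippet above references `time_sleep.wait` and `local.cmeks` without defining them. The following is an added, self-contained example (not part of the module's own documentation) that shows the full calling configuration a practitioner would typically write around it: enabling the Cloud KMS API, waiting for enablement to propagate (the assumed reason for the `time_sleep` dependency), requesting HSM-backed keys with a 90-day rotation, and then using the module's `keys` output to grant a single service account the narrowest useful role on one key. It assumes the values in the `keys` output map are usable as `crypto_key_id` for `google_kms_crypto_key_iam_member`; the project, region and service-account values are placeholders.

```hcl
# Added example; not the module's own code. Assumes module.kms.keys values are
# valid crypto_key_id strings. Project/region/service-account values are
# constructed placeholders.

terraform {
  required_version = ">= 1.5.0"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.70, < 6.0"
    }
    time = {
      source = "hashicorp/time"
    }
  }
}

variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

# Placeholder identity that must be able to use the storage key. Only this
# identity gets encrypt/decrypt on that one key; no admin role is granted.
variable "gcs_service_account" {
  type    = string
  default = "gcs-app@example-project.iam.gserviceaccount.com"
}

provider "google" {
  project = var.project_id
  region  = var.region
}

# Cloud KMS must be enabled before a keyring can be created. The sleep absorbs
# API-enablement propagation, which is why the module call depends on it.
resource "google_project_service" "kms" {
  project            = var.project_id
  service            = "cloudkms.googleapis.com"
  disable_on_destroy = false
}

resource "time_sleep" "wait" {
  depends_on      = [google_project_service.kms]
  create_duration = "30s"
}

locals {
  # One key per data domain so IAM can be scoped per key, not per keyring.
  cmeks = ["gcs-data", "sql-data"]
}

module "kms" {
  source = "github.com/Coalfire-CF/terraform-gcp-kms"

  project_id           = var.project_id
  location             = var.region
  keyring              = "prod-cmeks"
  keys                 = local.cmeks
  key_protection_level = "HSM"      # hardware-backed (FIPS 140-2 Level 3) keys
  key_rotation_period  = "7776000s" # 90 days; Cloud KMS requires >= 86400s
  labels = {
    environment = "prod"
    owner       = "platform-security"
  }

  depends_on = [time_sleep.wait]
}

# Least-privilege binding on a single key, looked up from the module's
# `keys` output (map of key name => key self link).
resource "google_kms_crypto_key_iam_member" "gcs_use" {
  crypto_key_id = module.kms.keys["gcs-data"]
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${var.gcs_service_account}"
}

output "gcs_key" {
  value = module.kms.keys["gcs-data"]
}
```

Using `google_kms_crypto_key_iam_member` rather than the authoritative `_iam_policy` resource keeps the binding additive, so a second module or team can bind a different identity to the same key without either configuration clobbering the other's policy.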
No requirements.
| Name | Version |
|---|---|
| google | n/a |
No modules.
| Name | Type |
|---|---|
| google_kms_crypto_key.key | resource |
| google_kms_key_ring.key_ring | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| key_algorithm | The algorithm to use when creating a version based on this template. See https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs. | `string` | `"GOOGLE_SYMMETRIC_ENCRYPTION"` | no |
| key_protection_level | The protection level to use when creating a version based on this template. Default value: `"SOFTWARE"`. Possible values: `["SOFTWARE", "HSM"]` | `string` | `"SOFTWARE"` | no |
| key_rotation_period | Generate a new key version every time this period passes. | `string` | `"100000s"` | no |
| keyring | Keyring name. | `string` | n/a | yes |
| keys | Key names. | `list(string)` | `[]` | no |
| labels | Labels, provided as a map. | `map(string)` | `{}` | no |
| location | Location for the keyring. | `string` | n/a | yes |
| project_id | Project id where the keyring will be created. | `string` | n/a | yes |
| purpose | The immutable purpose of the CryptoKey. Possible values are `ENCRYPT_DECRYPT`, `ASYMMETRIC_SIGN`, and `ASYMMETRIC_DECRYPT`. | `string` | `"ENCRYPT_DECRYPT"` | no |
| Name | Description |
|---|---|
| keyring | Self link of the keyring. |
| keyring_name | Name of the keyring. |
| keyring_resource | Keyring resource. |
| keys | Map of key name => key self link. |