Module to create CMK with either AWS generated key material or imported key material (BYOK).
For usage instructions see examples/simple.
Name | Version |
---|---|
terraform | >= 0.12.21 |
aws | >= 2.70 |
Name | Version |
---|---|
aws | >= 2.70 |
No modules.
Name | Type |
---|---|
aws_kms_alias.this | resource |
aws_kms_external_key.this | resource |
aws_kms_key.this | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
alias | The display name of the alias. Leave an empty string to avoid creating an alias | string | "" | no |
customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports | string | null | no |
deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource | number | 30 | no |
description | Description of the Key | string | null | no |
enable_key_rotation | Specifies whether key rotation is enabled | bool | null | no |
enabled | Specifies whether the key is enabled | bool | true | no |
key_material_base64 | WARNING: if specified, it will be stored in plaintext in the raw state. Base64 encoded 256-bit symmetric encryption key material to import | string | null | no |
key_usage | Specifies the intended use of the key | string | null | no |
policy | A valid policy JSON document | string | null | no |
tags | A map of tags to add to the key | map(string) | {} | no |
use_aws_key_material | Whether to use AWS generated key material or BYOK (e.g. using CloudHSM or a physical HSM) | bool | true | no |
valid_to | Time at which the imported key material expires. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ) | string | null | no |
Name | Description |
---|---|
alias_arn | n/a |
arn | n/a |
expiration_model | n/a |
key_id | n/a |
key_state | n/a |
key_usage | n/a |
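
The `key_material_base64` warning above can be checked against an existing state file. The following is an added example, not part of this module: a small Python audit that reports `aws_kms_external_key` resources whose key material is recorded in the state, and those with no `valid_to` expiry. It assumes the Terraform state format version 4 JSON layout; the module names, key ID and key material in the sample are constructed placeholders.

```python
import json

# Constructed sample state (format version 4). Every value here is made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"module": "module.byok", "mode": "managed",
         "type": "aws_kms_external_key", "name": "this",
         "instances": [{"attributes": {
             "id": "EXAMPLE-KEY-ID-1",
             "key_material_base64": "PLACEHOLDER_NOT_REAL_KEY_MATERIAL",
             "valid_to": None,
             "expiration_model": "KEY_MATERIAL_DOES_NOT_EXPIRE"}}]},
        {"module": "module.aws_generated", "mode": "managed",
         "type": "aws_kms_key", "name": "this",
         "instances": [{"attributes": {"id": "EXAMPLE-KEY-ID-2"}}]},
    ],
})


def audit_state(state_text):
    """Return (resource address, finding) tuples for BYOK keys in a state file."""
    findings = []
    state = json.loads(state_text)
    for res in state.get("resources", []):
        # Only managed aws_kms_external_key resources carry imported material.
        if res.get("mode") != "managed" or res.get("type") != "aws_kms_external_key":
            continue
        address = ".".join(
            part for part in (res.get("module"), res["type"], res["name"]) if part
        )
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            if attrs.get("key_material_base64"):
                findings.append((address, "key material stored in plaintext in state"))
            if not attrs.get("valid_to"):
                findings.append((address, "imported key material has no expiry (valid_to unset)"))
    return findings


if __name__ == "__main__":
    for address, finding in audit_state(SAMPLE_STATE):
        print(f"{address}: {finding}")
```

To audit a real workspace, pass the output of `terraform state pull` to `audit_state`. A plaintext finding means anyone who can read the state can read the key material, so the state backend needs encryption at rest and tightly scoped read access.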