Terraform module to create AWS KMS resources 🇺🇦
AWS KMS Terraform module
Terraform module which creates AWS KMS resources.
Usage
See examples directory for working examples to reference:
Autoscaling Service Linked Role
Reference usage for EC2 AutoScaling service linked role to launch encrypted EBS volumes:
module "kms" {
source = "terraform-aws-modules/kms/aws"
description = "EC2 AutoScaling key usage" keyusage = "ENCRYPTDECRYPT"
# Policy key_administrators = ["arn:aws:iam::012345678901:role/admin"] keyservicerolesforautoscaling = ["arn:aws:iam::012345678901:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]
# Aliases aliases = ["mycompany/ebs"]
tags = { Terraform = "true" Environment = "dev" } }
External Key
Reference usage for external CMK (externally provided encryption material):
module "kms" {
source = "terraform-aws-modules/kms/aws"
description = "External key example" keymaterialbase64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY=" valid_to = "2085-04-12T23:20:50.52Z"
# Policy key_owners = ["arn:aws:iam::012345678901:role/owner"] key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] keyserviceusers = ["arn:aws:iam::012345678901:role/ec2-role"]
# Aliases aliases = ["mycompany/external"] aliasesusename_prefix = true
# Grants grants = { lambda = { grantee_principal = "arn:aws:iam::012345678901:role/lambda-function" operations = ["Encrypt", "Decrypt", "GenerateDataKey"] constraints = { encryptioncontextequals = { Department = "Finance" } } } }
tags = { Terraform = "true" Environment = "dev" } }
Reference
Reference usage showing available configurations.
module "kms" { source = "terraform-aws-modules/kms/aws"examplesdescription = "Complete key example showing various configurations available" deletionwindowin_days = 7 enablekeyrotation = true is_enabled = true keyusage = "ENCRYPTDECRYPT" multi_region = false
# Policy enabledefaultpolicy = true key_owners = ["arn:aws:iam::012345678901:role/owner"] key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] keyserviceusers = ["arn:aws:iam::012345678901:role/ec2-role"] keysymmetricencryption_users = ["arn:aws:iam::012345678901:role/symmetric-user"] keyhmacusers = ["arn:aws:iam::012345678901:role/hmac-user"] keyasymmetricpublicencryptionusers = ["arn:aws:iam::012345678901:role/asymmetric-public-user"] keyasymmetricsignverifyusers = ["arn:aws:iam::012345678901:role/sign-verify-user"]
# Aliases aliases = ["one", "foo/bar"] # accepts static strings only computed_aliases = { ex = { # Sometimes you want to pass in an upstream attribute as the name and # that conflicts with using
for_each over atoset()since the value is not # known until after applying. Instead, we can usecomputed_aliasesto work # around this limitation # Reference: https://github.com/hashicorp/terraform/issues/30937 name = awsiamrole.lambda.name } } aliasesusename_prefix = true# Grants grants = { lambda = { grantee_principal = "arn:aws:iam::012345678901:role/lambda-function" operations = ["Encrypt", "Decrypt", "GenerateDataKey"] constraints = { encryptioncontextequals = { Department = "Finance" } } } }
tags = { Terraform = "true" Environment = "dev" } }</code></pre>
Examples
are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you! <!-- BEGINTFDOCS -->toset()Requirements
| Name | Version | |------|---------| | <a name="requirementterraform"></a> terraform | >= 1.5.7 | | <a name="requirementaws"></a> aws | >= 6.28 |
Providers
| Name | Version | |------|---------| | <a name="provideraws"></a> aws | >= 6.28 |
Modules
No modules.
Resources
| Name | Type | |------|------| | awskmsalias.this | resource | | awskmsexternalkey.this | resource | | awskmsgrant.this | resource | | awskmskey.this | resource | | awskmsreplicaexternalkey.this | resource | | awskmsreplicakey.this | resource | | awscalleridentity.current | data source | | awsiampolicydocument.this | data source | | awspartition.current | data source |
Inputs
| Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | <a name="inputaliases"></a> aliases | A list of aliases to create. Note - due to the use of
, values must be static strings and not computed values |list(string)|[]| no | | <a name="inputaliasesusenameprefix"></a> aliases\use\name\_prefix | Determines whether the alias name is used as a prefix |bool|false| no | | <a name="inputbypasspolicylockoutsafetycheck"></a> bypass\policy\lockout\safety\check | A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable |bool|null| no | | <a name="inputcomputedaliases"></a> computed\_aliases | A map of aliases to create. Values provided via thenamekey of the map can be computed from upstream resources | <pre>map(object({<br/> name = string<br/> }))</pre> |{}| no | | <a name="inputcreate"></a> create | Determines whether resources will be created (affects all resources) |bool|true| no | | <a name="inputcreateexternal"></a> create\_external | Determines whether an external CMK (externally provided material) will be created or a standard CMK (AWS provided material) |bool|false| no | | <a name="inputcreatereplica"></a> create\_replica | Determines whether a replica standard CMK will be created (AWS provided material) |bool|false| no | | <a name="inputcreatereplicaexternal"></a> create\replica\external | Determines whether a replica external CMK will be created (externally provided material) |bool|false| no | | <a name="inputcustomkeystoreid"></a> custom\key\store\_id | ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM). |string|null| no | | <a name="inputcustomermasterkeyspec"></a> customer\master\key\spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values:SYMMETRICDEFAULT,RSA2048,RSA3072,RSA4096,HMAC256,ECCNISTP256,ECCNISTP384,ECCNISTP521, orECCSECGP256K1. Defaults toSYMMETRIC_DEFAULT|string|null| no | | <a name="inputdeletionwindowindays"></a> deletion\window\in\_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between7and30, inclusive. If you do not specify a value, it defaults to30|number|null| no | | <a name="inputdescription"></a> description | The description of the key as viewed in AWS console |string|null| no | | <a name="inputenabledefaultpolicy"></a> enable\default\policy | Specifies whether to enable the default key policy. Defaults totrue|bool|true| no | | <a name="inputenablekeyrotation"></a> enable\key\rotation | Specifies whether key rotation is enabled. Defaults totrue|bool|true| no | | <a name="inputenableroute53dnssec"></a> enable\route53\dnssec | Determines whether the KMS policy used for Route53 DNSSEC signing is enabled |bool|false| no | | <a name="inputgrants"></a> grants | A map of grant definitions to create | <pre>map(object({<br/> constraints = optional(list(object({<br/> encryptioncontextequals = optional(map(string))<br/> encryptioncontextsubset = optional(map(string))<br/> })))<br/> grantcreationtokens = optional(list(string))<br/> granteeprincipal = string<br/> name = optional(string) # Will fall back to use map key<br/> operations = list(string)<br/> retireondelete = optional(bool)<br/> retiringprincipal = optional(string)<br/> }))</pre> |null| no | | <a name="inputisenabled"></a> is\_enabled | Specifies whether the key is enabled. Defaults totrue|bool|null| no | | <a name="inputkeyadministrators"></a> key\administrators | A list of IAM ARNs for key administrators |list(string)|[]| no | | <a name="inputkeyasymmetricpublicencryptionusers"></a> key\asymmetric\public\encryption\users | A list of IAM ARNs for key asymmetric public encryption users |list(string)|[]| no | | <a name="inputkeyasymmetricsignverifyusers"></a> key\asymmetric\sign\verify\users | A list of IAM ARNs for key asymmetric sign and verify users |list(string)|[]| no | | <a name="inputkeyhmacusers"></a> key\hmac\users | A list of IAM ARNs for key HMAC users |list(string)|[]| no | | <a name="inputkeymaterialbase64"></a> key\material\base64 | Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only |string|null| no | | <a name="inputkeyowners"></a> key\_owners | A list of IAM ARNs for those who will have full key permissions (kms:*) |list(string)|[]| no | | <a name="inputkeyservicerolesforautoscaling"></a> key\service\roles\for\autoscaling | A list of IAM ARNs for AWSServiceRoleForAutoScaling roles |list(string)|[]| no | | <a name="inputkeyserviceusers"></a> key\service\users | A list of IAM ARNs for key service users |list(string)|[]| no | | <a name="inputkeyspec"></a> key\spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\DEFAULT, RSA\2048, RSA\3072, RSA\4096, HMAC\224, HMAC\256, HMAC\384, HMAC\512, ECC\NIST\P256, ECC\NIST\P384, ECC\NIST\P521, ECC\SECG\P256K1, ML\DSA\44, ML\DSA\65, ML\DSA\87, or SM2 (China Regions only). Defaults to SYMMETRIC\DEFAULT |string|null| no | | <a name="inputkeystatements"></a> key\statements | A map of IAM policy statements for custom permission usage | <pre>list(object({<br/> sid = optional(string)<br/> actions = optional(list(string))<br/> notactions = optional(list(string))<br/> effect = optional(string)<br/> resources = optional(list(string))<br/> notresources = optional(list(string))<br/> principals = optional(list(object({<br/> type = string<br/> identifiers = list(string)<br/> })))<br/> not_principals = optional(list(object({<br/> type = string<br/> identifiers = list(string)<br/> })))<br/> condition = optional(list(object({<br/> test = string<br/> values = list(string)<br/> variable = string<br/> })))<br/> }))</pre> |null| no | | <a name="inputkeysymmetricencryptionusers"></a> key\symmetric\encryption\users | A list of IAM ARNs for key symmetric encryption users |list(string)|[]| no | | <a name="inputkeyusage"></a> key\usage | Specifies the intended use of the key. Valid values:ENCRYPTDECRYPTorSIGNVERIFY. Defaults toENCRYPTDECRYPT|string|null| no | | <a name="inputkeyusers"></a> key\users | A list of IAM ARNs for key users |list(string)|[]| no | | <a name="inputmultiregion"></a> multi\_region | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults tofalse|bool|false| no | | <a name="inputoverridepolicydocuments"></a> override\policy\documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blanksids will override statements with the samesid|list(string)|[]| no | | <a name="inputpolicy"></a> policy | A valid policy JSON document. Although this is a key policy, not an IAM policy, anawsiampolicy_document, in the form that designates a principal, can be used |string|null| no | | <a name="inputprimaryexternalkeyarn"></a> primary\external\key\_arn | The primary external key arn of a multi-region replica external key |string|null| no | | <a name="inputprimarykeyarn"></a> primary\key\arn | The primary key arn of a multi-region replica key |string|null| no | | <a name="inputregion"></a> region | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration |string|null| no | | <a name="inputrotationperiodindays"></a> rotation\period\in\_days | Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive) |number|null| no | | <a name="inputroute53dnssecsources"></a> route53\dnssec\sources | A list of maps containingaccountidsand Route53hostedzonearnthat will be allowed to sign DNSSEC records | <pre>list(object({<br/> accountids = optional(list(string))<br/> hostedzonearn = optional(string)<br/> }))</pre> | null| no | | <a name="inputsourcepolicydocuments"></a> source\policy\documents | List of IAM policy documents that are merged together into the exported document. Statements must have uniquesids |list(string)|[]| no | | <a name="inputtags"></a> tags | A map of tags to add to all resources |map(string)|{}| no | | <a name="inputvalidto"></a> valid\_to | Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire |string|null| no |KEYMATERIALEXPIRESOutputs
| Name | Description | |------|-------------| | <a name="outputaliases"></a> aliases | A map of aliases created and their attributes | | <a name="outputexternalkeyexpirationmodel"></a> external\key\expiration\model | Whether the key material expires. Empty when pending key material import, otherwise
orKEYMATERIALDOESNOT_EXPIRE` | | external\key\state | The state of the CMK | | external\key\usage | The cryptographic operations for which you can use the CMK | | grants | A map of grants created and their attributes | | key\_arn | The Amazon Resource Name (ARN) of the key | | key\_id | The globally unique identifier for the key | | key\_policy | The IAM resource policy set on the key | | key\_region | The region for the key |License
Apache-2.0 Licensed. See LICENSE.