Name		Name	Last commit message	Last commit date
parent directory ..
README.md		README.md
access-control.tf		access-control.tf
main.tf		main.tf
migrations.tf		migrations.tf
outputs.tf		outputs.tf
resource-group.tf		resource-group.tf
variables.tf		variables.tf
versions.tf		versions.tf

README.md

kms-key

This module creates following resources.

aws_kms_key
aws_kms_key_policy (optional)
aws_kms_alias (optional)
aws_kms_grant (optional)

Requirements

Name	Version
terraform	>= 1.12
aws	>= 6.12

Providers

Name	Version
aws	6.16.0

Modules

Name	Source	Version
resource_group	tedilabs/misc/aws//modules/resource-group	~> 0.12.0

Resources

Name	Type
aws_kms_alias.this	resource
aws_kms_grant.this	resource
aws_kms_key.this	resource
aws_kms_key_policy.this	resource
aws_iam_policy_document.predefined	data source
aws_iam_policy_document.this	data source

Inputs

Name	Description	Type	Default	Required
name	(Required) Name of the KMS key.	`string`	n/a	yes
aliases	(Optional) A set of display name of the alias. The name must start with the word `alias/`.	`set(string)`	`[]`	no
bypass_policy_lockout_safety_check	(Optional) Whether to bypass the key policy lockout safety check performed when creating or updating the key's policy. Setting this value to true increases the risk that the CMK becomes unmanageable. Defaults to `false`.	`bool`	`false`	no
custom_key_store	(Optional) The ID of the KMS Custom Key Store where the key will be stored instead of KMS. This parameter is valid only for symmetric encryption KMS keys in a single region.	`string`	`null`	no
deletion_window_in_days	(Optional) Duration in days after which the key is deleted after destruction of the resource. Valid value is between `7` and `30` days. Defaults to `30`.	`number`	`30`	no
description	(Optional) The description of the KMS key.	`string`	`"Managed by Terraform."`	no
enabled	(Optional) Indicates whether the key is enabled. Defaults to `true`.	`bool`	`true`	no
grants	(Optional) A list of grants configuration for granting access to the KMS key. Each item of `grants` as defined below. (Required) `name` - A friendly name for the grant. (Required) `grantee_principal` - The principal that is given permission to perform the operations that the grant permits in ARN format. (Required) `operations` - A set of operations that the grant permits. Valid values are `Encrypt`, `Decrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, `GenerateDataKeyPairWithoutPlaintext`, `GetPublicKey`, `Sign`, `Verify`, `GenerateMac`, `VerifyMac`, or `DeriveSharedSecret`. (Optional) `retiring_principal` - The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. (Optional) `retire_on_delete` - Whether to retire the grant upon deletion. Defaults to `false`. Retire: Grantee returns permissions voluntarily (normal termination) Revoke: Admin forcefully cancels permissions (emergency termination) (Optional) `grant_creation_tokens` - A list of grant tokens to be used when creating the grant. Use grant token for immediate access without waiting for grant propagation (up to 5 min). Required for time-sensitive operations. (Optional) `constraints` - A configuration for grant constraints. `constraints` block as defined below. (Optional) `type` - The type of constraints. Valid values are `ENCRYPTION_CONTEXT_EQUALS` or `ENCRYPTION_CONTEXT_SUBSET`. Defaults to `ENCRYPTION_CONTEXT_SUBSET`. (Optional) `value` - A map of key-value pair to be validated against the encryption context during cryptographic operations.	list(object({ name = string grantee_principal = string operations = set(string) retiring_principal = optional(string) retire_on_delete = optional(bool, false) grant_creation_tokens = optional(list(string)) constraints = optional(object({ type = optional(string, "ENCRYPTION_CONTEXT_SUBSET") value = map(string) })) }))	`[]`	no
key_rotation	(Optional) A configuration for key rotation of the KMS key. This configuration is only applicable for symmetric encryption KMS keys. `key_rotation` block as defined below. (Optional) `enabled` - Whether key rotation is enabled. Defaults to `false`. (Optional) `period_in_days` - The custom period of t ime between each key rotation. Valid value is between `90` and `2560` days (inclusive). Defaults to `365`.	object({ enabled = optional(bool, false) period_in_days = optional(number, 365) })	`{}`	no
module_tags_enabled	(Optional) Whether to create AWS Resource Tags for the module informations.	`bool`	`true`	no
multi_region_enabled	(Optional) Indicates whether the key is a multi-Region (true) or regional (false) key. Defaults to `false`.	`bool`	`false`	no
policy	(Optional) A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used.	`string`	`null`	no
predefined_policies	(Optional) A configuration for predefined policies of the KMS key. This configuration will be merged with given `policy` if it is defined. Each item of `predefined_policies` block as defined below. (Required) `role` - The predefined role to be applied to the KMS key. Valid values are `OWNER`, `ADMINISTRATOR`, `USER`, `SERVICE_USER`, `SYMMETRIC_ENCRYPTION`, `ASYMMETRIC_ENCRYPTION`, `ASYMMETRIC_SIGNING`, or `HMAC`. `OWNER` - Full access to the KMS key, including permission to modify the key policy and delete the key. `ADMINISTRATOR` - Administrative access to the KMS key, including permission to modify the key policy, but not permission to delete the key. `USER` - Access to use the KMS key for cryptographic operations, but not administrative permissions. `SERVICE_USER` - Access for AWS services to use the KMS key for cryptographic operations on your behalf. `SYMMETRIC_ENCRYPTION` - Access to use the KMS key for symmetric encryption and decryption operations. `ASYMMETRIC_ENCRYPTION` - Access to use the KMS key for asymmetric encryption and decryption operations. `ASYMMETRIC_SIGNING` - Access to use the KMS key for asymmetric signing and verification operations. `HMAC` - Access to use the KMS key for HMAC generation and verification operations. (Required) `iam_entities` - A set of ARNs of AWS IAM entities who can be permitted to access the KMS key for the predefined role. (Optional) `conditions` - A list of required conditions to be met to allow the predefined role access to the KMS key. Each item of `conditions` block as defined below. (Required) `key` - The key to match a condition for when a policy is in effect. (Required) `condition` - The condition operator to match the condition keys and values in the policy against keys and values in the request context. Examples: `StringEquals`, `StringLike`. (Required) `values` - A list of allowed values of the key to match a condition with condition operator.	list(object({ role = string iam_entities = set(string) conditions = optional(list(object({ key = string condition = string values = list(string) })), []) }))	`[]`	no
region	(Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region.	`string`	`null`	no
resource_group	(Optional) A configurations of Resource Group for this module. `resource_group` as defined below. (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`. (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name. (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`.	object({ enabled = optional(bool, true) name = optional(string, "") description = optional(string, "Managed by Terraform.") })	`{}`	no
spec	(Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_224`, `HMAC_256`, `HMAC_384`, `HMAC_512`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, `ECC_SECG_P256K1`, `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`, or `SM2` (China Regions Only). Defaults to `SYMMETRIC_DEFAULT`.	`string`	`"SYMMETRIC_DEFAULT"`	no
tags	(Optional) A map of tags to add to all resources.	`map(string)`	`{}`	no
usage	(Optional) Specifies the intended use of the key. Valid values are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, `GENERATE_VERIFY_MAC`, `KEY_AGREEMENT`. Defaults to `ENCRYPT_DECRYPT`.	`string`	`"ENCRYPT_DECRYPT"`	no
xks_key	(Optional) The ID of the external key that serves as key material for the KMS key in an external key store.	`string`	`null`	no

Outputs

Name	Description
aliases	A collection of aliases of the key.
arn	The ARN of the KMS key.
custom_key_store	The ID of the KMS Custom Key Store where the key will be stored instead of KMS.
deletion_window_in_days	Duration in days after which the key is deleted after destruction of the resource.
description	The description of the KMS key.
enabled	Whether the key is enabled.
grants	A collection of grants for the key.
id	The ID of the KMS key.
key_rotation	The key rotation configuration of the KMS key.
multi_region_enabled	Whether the key is a multi-region key.
name	The KMS Key name.
policy	The Resource Policy for KMS Key.
predefined_policies	The predefined policies that have access to the KMS key.
region	The AWS region this module resources resides in.
resource_group	The resource group created to manage resources in this module.
spec	The specification of KMS key which is the encryption algorithm or signing algorithm.
usage	The usage of the KMS key.
xks_key	The ID of the external key that serves as key material for the KMS key in an external key store.