Support: Policies in KMS

Author: kavya498

README.md

@@ -49,6 +49,7 @@ module "kms_key" {
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 ## Usage
 
 To run this example you need to execute:

examples/import-key/README.md

@@ -46,6 +46,7 @@ module "kms_key" {
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 ## Usage
 
 To run this example you need to execute:

examples/instance/README.md

@@ -31,6 +31,7 @@ module "kms_instance" {
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 ## Usage
 
 To run this example you need to execute:

examples/instance/main.tf

@@ -2,6 +2,7 @@
 # IBM Cloud Key Management Services Provisioning and Managing Keys
 # Copyright 2021 IBM
 #########################################################################################
+
 data "ibm_resource_group" "resource_group" {
   name = var.resource_group
 }

examples/key/README.md

@@ -45,6 +45,7 @@ module "kms_key" {
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 ## Usage
 
 To run this example you need to execute:

examples/key/versions.tf

@@ -5,7 +5,7 @@
 terraform {
   required_providers {
     ibm = {
-      source  = "IBM-Cloud/ibm"
+      source = "IBM-Cloud/ibm"
     }
   }
 }

modules/instance/README.md

@@ -38,6 +38,7 @@ module "kms_instance" {
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 
+## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 ## Usage
 
 To run this example you need to execute:

modules/key/README.md

@@ -10,6 +10,14 @@ module "kms_key" {
   standard_key_type      = var.standard_key_type
   force_delete           = var.force_delete
   network_access_allowed = var.network_access_allowed
+  policies = {
+    rotation = {
+      interval_month = 1
+    }
+    dual_auth_delete = {
+      enabled = false
+    }
+  }
 }
 
 ```
@@ -28,6 +36,25 @@ module "kms_key" {
 | encrypted_nonce          | Encrypted Nonce. Only for imported root key.                   |`string`| n/a     | no      |
 | iv_value                 | IV Value. Only for imported root key.                          |`string`| n/a     | no      |
 | expiration_date          | Expination Date.                                               |`string`| n/a     | no      |
+| policies                 | Set policies for a key.                                        |`list(map)`| n/a  | no      |
+
+## policies Inputs
+
+| Name                     | Description                                                    | Type   |Default  |Required |
+|--------------------------|-------------------------------------------------------|:-------|:--------|:--------|
+| rotation                 | Specifies the key rotation time interval in months    |`map(string)`| n/a| Atleast one of rotation/dual_auth_delete|
+| dual_auth_delete         | Data associated with the dual authorization delete policy.|`map(string)`| n/a | Atleast one of rotation/dual_auth_delete|
+
+## rotation Inputs
+
+| Name                     | Description                                                    | Type   |Default  |Required |
+|--------------------------|----------------------------------------------------------------|:-------|:--------|:--------|
+| interval_month        | Specifies the key rotation time interval in months                |`int`| n/a     | yes     |
+## dual_auth_delete Inputs
+
+| Name                     | Description                                                    | Type   |Default  |Required |
+|--------------------------|----------------------------------------------------------------|:-------|:--------|:--------|
+| enabled        | If set to true, Key Protect enables a dual authorization policy on a single key.      |`bool`| n/a     | yes     |
 
 Note: 
 * If the following attributes [`standard_key_type`, `force_delete`,`network_access_allowed`] are set to null then default values will be taken..
@@ -39,6 +66,7 @@ Note:
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+## NOTE: If we want to make use of a particular version of module, then set the argument "version" to respective module version.
 ## Usage
 
 To run this example you need to execute:

modules/key/main.tf

@@ -13,4 +13,23 @@ resource "ibm_kms_key" "key" {
   encrypted_nonce = (var.encrypted_nonce != null ? var.encrypted_nonce : null)
   iv_value        = (var.iv_value != null ? var.iv_value : null)
   expiration_date = (var.expiration_date != null ? var.expiration_date : null)
+  dynamic "policies" {
+    for_each = length(keys(var.policies)) == 0 ? [] : [var.policies]
+
+    content {
+      dynamic "rotation" {
+        for_each = length(keys(lookup(policies.value, "rotation", {}))) == 0 ? [] : [lookup(policies.value, "rotation", {})]
+
+        content {
+          interval_month = lookup(rotation.value, "interval_month", null)
+        }
+      }
+      dynamic "dual_auth_delete" {
+        for_each = length(keys(lookup(policies.value, "dual_auth_delete", {}))) == 0 ? [] : [lookup(policies.value, "dual_auth_delete", {})]
+        content {
+          enabled = lookup(dual_auth_delete.value, "enabled", null)
+        }
+      }
+    }
+  }
 }

modules/key/outputs.tf

@@ -3,5 +3,5 @@
 # Copyright 2021 IBM
 #########################################################################################
 output "kms_key_output" {
-  value=ibm_kms_key.key
+  value = ibm_kms_key.key
 }