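################################################################################
# Key selection
#
# Each `create-*` flag is required (no default) so callers state explicitly which
# customer-managed KMS keys this module should provision.
################################################################################

variable "create-allpurpose-key" {
  description = "Create a CMK for general use"
  type        = bool
}

variable "create-storage-key" {
  description = "Create a CMK for use with storage such as EBS, S3, EFS"
  type        = bool
}

variable "create-eksebs-key" {
  # Fixed typo in the original description ("ENS" -> "EBS").
  description = "Create a CMK for use with EBS volumes on EKS nodes"
  type        = bool
}

variable "create-database-key" {
  description = "Create a CMK for use with databases such as RDS, DynamoDB, Redis"
  type        = bool
}

variable "create-backup-key" {
  description = "Create a CMK for use with AWS backup"
  type        = bool
}

variable "create-secret-key" {
  description = "Create a CMK for use with secretsmanager"
  type        = bool
}

variable "create-log-key" {
  description = "Create a CMK for use with logging such as CloudwatchLogs and Cloudtrail"
  type        = bool
}

variable "create-notify-key" {
  description = "Create a CMK for use with notification and events"
  type        = bool
}

################################################################################
# Key properties
################################################################################

variable "name-prefix" {
  description = "Assign a name prefix for key alias"
  type        = string
  default     = null
}

variable "bypass_policy_lockout_safety_check" {
  # Kept `false` by default: the safety check is what prevents applying a key
  # policy that locks every principal (including the caller) out of the key.
  description = "A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable"
  type        = bool
  default     = false
}

variable "customer_master_key_spec" {
  description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`"
  type        = string
  default     = "SYMMETRIC_DEFAULT"

  # Reject unknown specs at plan time instead of at apply time.
  validation {
    condition = contains([
      "SYMMETRIC_DEFAULT",
      "RSA_2048",
      "RSA_3072",
      "RSA_4096",
      "HMAC_256",
      "ECC_NIST_P256",
      "ECC_NIST_P384",
      "ECC_NIST_P521",
      "ECC_SECG_P256K1",
    ], var.customer_master_key_spec)
    error_message = "customer_master_key_spec must be one of SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1."
  }
}

variable "deletion_window_in_days" {
  description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`"
  type        = number
  default     = 30

  # The 7..30 range is stated in the description; enforce it at plan time.
  validation {
    condition     = var.deletion_window_in_days >= 7 && var.deletion_window_in_days <= 30
    error_message = "deletion_window_in_days must be between 7 and 30, inclusive."
  }
}

variable "description" {
  description = "The description of the key as viewed in AWS console"
  type        = string
  default     = null
}

variable "enable_key_rotation" {
  # Automatic rotation only applies to symmetric keys; see rotation_period_in_days
  # for the rotation interval.
  description = "Specifies whether key rotation is enabled. Defaults to `true`"
  type        = bool
  default     = true
}

variable "is_enabled" {
  description = "Specifies whether the key is enabled. Defaults to `true`"
  type        = bool
  default     = true
}

variable "key_usage" {
  # `HMAC_*` key specs require `GENERATE_VERIFY_MAC`; the other two usages
  # pair with symmetric/asymmetric specs respectively.
  description = "Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `GENERATE_VERIFY_MAC`. Defaults to `ENCRYPT_DECRYPT`"
  type        = string
  default     = "ENCRYPT_DECRYPT"

  validation {
    condition     = contains(["ENCRYPT_DECRYPT", "SIGN_VERIFY", "GENERATE_VERIFY_MAC"], var.key_usage)
    error_message = "key_usage must be one of ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC."
  }
}

variable "multi_region" {
  description = "Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`"
  type        = bool
  default     = false
}

################################################################################
# Key policy
################################################################################

variable "policy" {
  # When set, this document is the key policy. A key policy is the only
  # authorization path for a KMS key, so it should grant both administration
  # and usage explicitly.
  description = "A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used"
  type        = string
  default     = null
}

variable "enable_default_policy" {
  description = "Specifies whether to enable the default key policy. Defaults to `true`"
  type        = bool
  default     = true
}

variable "key_administrator_arn" {
  # With `null`, the module grants administration to the account itself
  # (per the description); pass a narrower role ARN to scope key management.
  description = "IAM user/group/role with highest permissions. If none is specified, access will be granted to this account"
  type        = string
  default     = null
}

################################################################################
# Grant
################################################################################

variable "grants" {
  description = "A map of grant definitions to create"
  type        = any
  default     = {}
}

################################################################################
# Rotation
################################################################################

variable "rotation_period_in_days" {
  # Only meaningful when enable_key_rotation is true. AWS KMS accepts a
  # custom rotation period between 90 and 2560 days.
  description = "Custom rotation period in days for automatic key rotation. Defaults to `365`"
  type        = number
  default     = 365

  validation {
    condition     = var.rotation_period_in_days >= 90 && var.rotation_period_in_days <= 2560
    error_message = "rotation_period_in_days must be between 90 and 2560, inclusive."
  }
}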