CustomerManagedKmsKeys
Module to create the following customer managed KMS keys (CMKs), each with its own alias and key policy:
- allpurpose
- storage
- database
- secrets
- backup
- log
- notify
- eks_ebs
Requirements
No requirements.
Providers
| Name | Version |
|---|---|
| aws | n/a |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_iam_service_linked_role.autoscaling | resource |
| aws_kms_alias.allpurpose | resource |
| aws_kms_alias.backup | resource |
| aws_kms_alias.database | resource |
| aws_kms_alias.eks_ebs | resource |
| aws_kms_alias.log | resource |
| aws_kms_alias.notify | resource |
| aws_kms_alias.secret | resource |
| aws_kms_alias.storage | resource |
| aws_kms_key.allpurpose | resource |
| aws_kms_key.backup | resource |
| aws_kms_key.database | resource |
| aws_kms_key.eks_ebs | resource |
| aws_kms_key.log | resource |
| aws_kms_key.notify | resource |
| aws_kms_key.secret | resource |
| aws_kms_key.storage | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.UseOfKeyByAll | data source |
| aws_iam_policy_document.backup | data source |
| aws_iam_policy_document.base | data source |
| aws_iam_policy_document.eksebs | data source |
| aws_iam_policy_document.log | data source |
| aws_iam_policy_document.notify | data source |
| aws_iam_policy_document.rds | data source |
| aws_iam_policy_document.storage | data source |
| aws_iam_roles.autoscaling | data source |
| aws_region.this | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bypass_policy_lockout_safety_check | A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable | bool | false | no |
| create-allpurpose-key | Create a CMK for general use | bool | n/a | yes |
| create-backup-key | Create a CMK for use with AWS Backup | bool | n/a | yes |
| create-database-key | Create a CMK for use with databases such as RDS, DynamoDB, Redis | bool | n/a | yes |
| create-eksebs-key | Create a CMK for use with EBS volumes on EKS nodes | bool | n/a | yes |
| create-log-key | Create a CMK for use with logging such as CloudWatch Logs and CloudTrail | bool | n/a | yes |
| create-notify-key | Create a CMK for use with notifications and events | bool | n/a | yes |
| create-secret-key | Create a CMK for use with Secrets Manager | bool | n/a | yes |
| create-storage-key | Create a CMK for use with storage such as EBS, S3, EFS | bool | n/a | yes |
| create_asg_role | Create the Auto Scaling service-linked role, which the key policy references as a principal and which therefore must exist | bool | true | no |
| customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT | string | "SYMMETRIC_DEFAULT" | no |
| deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30 | number | 30 | no |
| description | The description of the key as shown in the AWS console | string | null | no |
| enable_default_policy | Specifies whether to enable the default key policy. Defaults to true | bool | true | no |
| enable_key_rotation | Specifies whether automatic key rotation is enabled. Defaults to true | bool | true | no |
| grants | A map of grant definitions to create | any | {} | no |
| is_enabled | Specifies whether the key is enabled. Defaults to true | bool | true | no |
| key_administrator_arn | ARN of the IAM user/group/role given the highest permissions on the keys. If none is specified, administrative access is granted to this account | string | null | no |
| key_usage | Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT | string | "ENCRYPT_DECRYPT" | no |
| multi_region | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false | bool | false | no |
| name-prefix | Name prefix for the key aliases | string | null | no |
| policy | A valid key policy JSON document. Although this is a key policy, not an IAM policy, the JSON output of an aws_iam_policy_document data source whose statements designate a principal can be used | string | null | no |
| rotation_period_in_days | Period in days between automatic rotations of the key material; only applies when enable_key_rotation is true. AWS accepts values from 90 to 2560 | number | 365 | no |
Outputs
| Name | Description |
|---|---|
| cmks | Customer managed KMS key arns |
| debug | n/a |
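The following root-module configuration is an added example of calling this module with the inputs above and consuming its output; it is not code from the module or its author. It assumes the module is vendored at `./modules/CustomerManagedKmsKeys`, that the AWS provider is already configured, and that an IAM role named `kms-admin` exists in the account. It also shows the shape a custom key policy passed through `policy` needs in order not to trip the lockout safety check.

```hcl
# Added usage example; not code from the module itself.
# Assumed: the module is vendored at ./modules/CustomerManagedKmsKeys, the AWS
# provider is configured, and an IAM role named "kms-admin" exists in the account.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.name
  admin_arn  = "arn:aws:iam::${local.account_id}:role/kms-admin" # assumed role
}

# Key policy for the "policy" input. A key policy is evaluated on its own, so it
# must itself name an administrator principal: a policy that omits the account
# root and every admin role makes the key unmanageable, and KMS rejects it
# unless bypass_policy_lockout_safety_check is true. Keep that flag false.
data "aws_iam_policy_document" "key_policy" {
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root", local.admin_arn]
    }
  }

  # Let CloudWatch Logs in this region use the key, but only for log groups in
  # this account: the encryption-context condition stops the service from
  # using the key on behalf of another account's log groups.
  statement {
    sid = "AllowCloudWatchLogs"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${local.region}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:*"]
    }
  }
}

module "cmks" {
  source = "./modules/CustomerManagedKmsKeys" # assumed path

  name-prefix           = "prod"
  key_administrator_arn = local.admin_arn
  description           = "Customer managed keys for the prod account"

  # All eight create-* flags are required inputs with no default.
  create-allpurpose-key = true
  create-backup-key     = true
  create-database-key   = true
  create-eksebs-key     = true
  create-log-key        = true
  create-notify-key     = false
  create-secret-key     = true
  create-storage-key    = true

  # Defaults restated because they are the security-relevant ones:
  # annual rotation, the full 30-day deletion window, no lockout bypass.
  enable_key_rotation                = true
  rotation_period_in_days            = 365
  deletion_window_in_days            = 30
  bypass_policy_lockout_safety_check = false

  # Custom key policy built from aws_iam_policy_document. This page does not
  # state which of the keys receive it; check the module source before relying
  # on it for a specific key.
  policy = data.aws_iam_policy_document.key_policy.json
}

# Key ARNs for consumers (for example the kms_key_id of an aws_cloudwatch_log_group).
output "cmk_arns" {
  value = module.cmks.cmks
}
```

Run `terraform validate` and `terraform plan` before applying; the plan should show eight keys only if every `create-*` flag is true (the example above leaves `create-notify-key` false, so seven). After apply, confirm rotation is on with `aws kms get-key-rotation-status --key-id <arn>` for each ARN in the `cmks` output, and confirm no key policy was accepted with the lockout bypass by checking that `bypass_policy_lockout_safety_check` never needed to be flipped to make the plan succeed.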
Authorship
This module was developed by xpk.