terraform.examples/modules/security_identity_compliance/CustomerManagedKmsKeys

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.allpurpose | resource |
| aws_kms_alias.backup | resource |
| aws_kms_alias.database | resource |
| aws_kms_alias.log | resource |
| aws_kms_alias.notify | resource |
| aws_kms_alias.secret | resource |
| aws_kms_alias.storage | resource |
| aws_kms_key.allpurpose | resource |
| aws_kms_key.backup | resource |
| aws_kms_key.database | resource |
| aws_kms_key.eks_ebs | resource |
| aws_kms_key.log | resource |
| aws_kms_key.notify | resource |
| aws_kms_key.secret | resource |
| aws_kms_key.storage | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.UseOfKeyByAll | data source |
| aws_iam_policy_document.base | data source |
| aws_iam_policy_document.eksebs | data source |
| aws_iam_policy_document.log | data source |
| aws_iam_policy_document.notify | data source |
| aws_iam_policy_document.rds | data source |
| aws_iam_policy_document.storage | data source |
| aws_iam_role.asg-service-linked-role | data source |
| aws_region.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| bypass_policy_lockout_safety_check | A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable | bool | false | no |
| create-allpurpose-key | Create a CMK for general use | bool | n/a | yes |
| create-backup-key | Create a CMK for use with AWS Backup | bool | n/a | yes |
| create-database-key | Create a CMK for use with databases such as RDS, DynamoDB, Redis | bool | n/a | yes |
| create-eksebs-key | Create a CMK for use with EBS volumes on EKS nodes | bool | n/a | yes |
| create-log-key | Create a CMK for use with logging such as CloudWatch Logs and CloudTrail | bool | n/a | yes |
| create-notify-key | Create a CMK for use with notification and events | bool | n/a | yes |
| create-secret-key | Create a CMK for use with Secrets Manager | bool | n/a | yes |
| create-storage-key | Create a CMK for use with storage such as EBS, S3, EFS | bool | n/a | yes |
| customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT | string | "SYMMETRIC_DEFAULT" | no |
| deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30 | number | 30 | no |
| description | The description of the key as viewed in the AWS console | string | null | no |
| enable_default_policy | Specifies whether to enable the default key policy. Defaults to true | bool | true | no |
| enable_key_rotation | Specifies whether key rotation is enabled. Defaults to true | bool | true | no |
| grants | A map of grant definitions to create | any | {} | no |
| is_enabled | Specifies whether the key is enabled. Defaults to true | bool | true | no |
| key_administrator_arn | IAM user/group/role with highest permissions. If none is specified, access will be granted to this account | string | null | no |
| key_usage | Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT | string | "ENCRYPT_DECRYPT" | no |
| multi_region | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false | bool | false | no |
| name-prefix | Assign a name prefix for the key alias | string | null | no |
| policy | A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws_iam_policy_document, in the form that designates a principal, can be used | string | null | no |
| rotation_period_in_days | Rotation period in days | number | 365 | no |

Outputs

| Name | Description |
|------|-------------|
| cmks | Customer managed KMS key ARNs |

Authorship

This module was developed by xpk.