umotif-public/terraform-aws-kms

terraform-aws-kms

Terraform module to configure a KMS Customer Master Key (CMK) and its alias.

Terraform versions

For Terraform 0.12 with an AWS provider version < 3.53.0, pin the module version to ~> v1.0. For Terraform 0.12 with an AWS provider version >= 3.53.0, pin the module version to ~> v2.0. Submit pull requests to the main branch.

Usage

module "kms" {
  source = "umotif-public/kms/aws"
  version = "~> 2.0.0"

  enabled = true
  description             = "KMS test description"
  alias_name              = "test-key"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  tags = {
    Environment = "dev"
  }
}

Assumptions

This module is intended for use with Terraform > 0.12.

Examples

Authors

Module managed by uMotif.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.11 |
| aws | >= 3.64.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.64.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.main | resource |
| aws_kms_key.main | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| alias_name | The display name of the alias. | string | n/a | yes |
| bypass_policy_lockout_safety_check | Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. | bool | false | no |
| customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. | string | "SYMMETRIC_DEFAULT" | no |
| deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource. | number | 10 | no |
| description | The description of the key as viewed in the AWS console. | string | "Parameter Store KMS master key" | no |
| enable_key_rotation | Specifies whether key rotation is enabled. | bool | true | no |
| enabled | Specifies whether to create resources within this module. | bool | true | no |
| is_enabled | Specifies whether the key is enabled. | bool | true | no |
| key_usage | Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported. | string | "ENCRYPT_DECRYPT" | no |
| multi_region | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false. | bool | false | no |
| policy | A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform. | string | "" | no |
| tags | Mapping of additional tags. | map(string) | {} | no |
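The inputs that matter most from a security standpoint are `policy`, `bypass_policy_lockout_safety_check`, `enable_key_rotation` and `deletion_window_in_days`. The following is an added example (not code from the umotif-public/terraform-aws-kms repository) that wires a least-privilege key policy into the module through the `policy` input, keeps the lockout safety check enabled, and consumes the module's `key_id` output from another resource. It assumes the module source `umotif-public/kms/aws` and the input names from the table above; the role name `app-role`, the parameter path and the `db_password` variable are constructed for illustration.

```hcl
# Added example; not part of the terraform-aws-kms module itself.
# Assumes the module's published source and the inputs documented above.

data "aws_caller_identity" "current" {}

variable "db_password" {
  description = "Constructed example secret, supplied out of band (e.g. TF_VAR_db_password)."
  type        = string
  sensitive   = true
}

# Key policy: the account root keeps full administration so the key can
# never become unmanageable; one application role gets data-plane
# permissions only (no kms:PutKeyPolicy, no kms:ScheduleKeyDeletion).
data "aws_iam_policy_document" "kms" {
  statement {
    sid       = "EnableRootAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"] # in a key policy, "*" means this key only
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid    = "AllowAppRoleDataOperations"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type = "AWS"
      # Constructed role name for the example.
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-role"]
    }
  }
}

module "kms" {
  source  = "umotif-public/kms/aws"
  version = "~> 2.0.0"

  alias_name              = "app-secrets"
  description             = "CMK for application secrets"
  enable_key_rotation     = true # automatic rotation of the backing key material
  deletion_window_in_days = 30   # longest allowed waiting period before deletion completes
  multi_region            = false

  # Leave the lockout safety check on. With it enabled, KMS rejects a policy
  # that would strip the caller of kms:PutKeyPolicy instead of creating a key
  # that nobody can administer.
  bypass_policy_lockout_safety_check = false

  policy = data.aws_iam_policy_document.kms.json

  tags = {
    Environment = "prod"
  }
}

# Consumers reference the key through the module outputs rather than a
# hard-coded key ID, so the dependency is explicit in the plan.
resource "aws_ssm_parameter" "db_password" {
  name   = "/app/db_password" # constructed path
  type   = "SecureString"
  key_id = module.kms.key_id
  value  = var.db_password
}
```

Applying this with `terraform plan` shows the rendered key policy under `aws_kms_key.main`; reviewing that JSON before `terraform apply` is the point at which an over-broad `principals` block or a missing root statement is cheapest to catch. The 30-day `deletion_window_in_days` gives the longest window to cancel an accidental or malicious `ScheduleKeyDeletion` before ciphertext under this key becomes unrecoverable.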

Outputs

| Name | Description |
|------|-------------|
| alias_arn | KMS Key Alias ARN. |
| alias_name | KMS Key Alias name. |
| key_arn | KMS Key ARN. |
| key_id | KMS Key ID. |

License

See LICENSE for full details.

Pre-commit hooks

Install dependencies

MacOS

brew install pre-commit terraform-docs tflint

brew tap git-chglog/git-chglog
brew install git-chglog