Cloud KMS

Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. You can use these keys and perform these operations by using Cloud KMS directly, by using Cloud HSM or Cloud External Key Manager, or by using Customer-Managed Encryption Keys (CMEK) integrations within other Google Cloud services.

This module creates a key ring with a map of crypto keys and supports the following:

  • Create a KeyRing.

  • Configure the IAM policy for the newly created key ring.

  • Create a map of crypto keys.

  • Configure the IAM policy for the newly created crypto keys.

Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyRing will remove it from state but will not delete the resource from the project. See Documentation.

Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| google | >= 4.75.0 |

Providers

| Name | Version |
|------|---------|
| google | >= 4.75.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_kms_crypto_key.keys | resource |
| google_kms_crypto_key_iam_member.crypto_key_roles | resource |
| google_kms_key_ring.key_ring | resource |
| google_kms_key_ring_iam_member.key_ring_role | resource |
| google_client_config.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| crypto_keys | Map of crypto keys, each representing a logical key that can be used for cryptographic operations. The valid parameters are those of the `google_kms_crypto_key` resource in Terraform. In addition, a `roles` map of type `map(set(string))` can be defined for each crypto key, e.g. `roles = { "roles/cloudkms.cryptoKeyEncrypter" = ["user:jane@example.com", "user:david@example.com"] }`. | `any` | `null` | no |
| key_ring_name | The resource name for the KeyRing. | `string` | n/a | yes |
| key_ring_roles | Roles to bind to the KeyRing, as a map of role to set of members. | `map(set(string))` | `null` | no |
| labels | Labels with user-defined metadata to apply to the crypto keys. | `map(string)` | `null` | no |
| location | The location for the KeyRing. A full list of valid locations can be found by running `gcloud kms locations list`. | `string` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| crypto_key_ids | The map of the created crypto keys. |
| crypto_key_roles | The IAM roles bound to the crypto keys. |
| key_ring_id | The ID of the KeyRing. |
| key_ring_location | The location of the KeyRing. |
| key_ring_name | The resource name of the KeyRing. |
| key_ring_roles | The IAM roles bound to the KeyRing. |

Examples
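The following is an added usage example written for this README, not code shipped with the module. The module `source` path, project ID, key names, rotation period and member identities are assumptions; it assumes the module forwards `rotation_period` and `purpose` to `google_kms_crypto_key` and keys `crypto_key_ids` by the names given in `crypto_keys`.

```terraform
# Added example: module call with a key ring, two symmetric keys and
# least-privilege IAM bindings. Project, members and names are assumptions.
provider "google" {
  project = "example-project" # assumption
}

module "kms" {
  source = "../../" # assumption: path to this module

  key_ring_name = "app-keyring"
  location      = "europe-west1"
  labels        = { env = "prod", owner = "platform" }

  # KeyRing-level bindings: role => set of members. Keep these to
  # read-only roles; grant crypto operations per key instead.
  key_ring_roles = {
    "roles/cloudkms.viewer" = ["group:security-team@example.com"]
  }

  # Each entry takes google_kms_crypto_key arguments plus an optional
  # roles map scoped to that single key.
  crypto_keys = {
    "db-cmek" = {
      purpose         = "ENCRYPT_DECRYPT"
      rotation_period = "7776000s" # 90 days, automatic version rotation
      roles = {
        # Only the workload that encrypts/decrypts data gets this role.
        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
          "serviceAccount:db-app@example-project.iam.gserviceaccount.com", # assumption
        ]
      }
    }
    "bucket-cmek" = {
      purpose         = "ENCRYPT_DECRYPT"
      rotation_period = "2592000s" # 30 days
      # No roles: bindings can be managed elsewhere or added later.
    }
  }
}

# Pass the key ID on to a CMEK-enabled service, e.g. a bucket or instance.
output "db_cmek_id" {
  value = module.kms.crypto_key_ids["db-cmek"]
}
```

A `lifecycle { prevent_destroy = true }` block, as the note above recommends, can only be set on the `google_kms_crypto_key` resource inside the module, not on the module call, so callers should check the module source rather than assume the protection is present.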