A simple Cloud KMS module for managing a keyring, zero or more keys in that keyring, and IAM role bindings on individual keys.
The resources/services/activations/deletions that this module will create/trigger are:
- Create a KMS keyring in the provided project
- Create zero or more keys in the keyring
- Create IAM role bindings for owners, encrypters, decrypters
Basic usage of this module is as follows:

```hcl
module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 0.1"

  project_id     = "<PROJECT ID>"
  location       = "europe"
  name           = "sample-keyring"
  keys           = ["foo", "spam"]
  set_owners_for = ["foo", "spam"]
  owners = [
    "group:one@example.com,group:two@example.com",
    "group:one@example.com",
  ]
}
```
Functional examples are included in the examples directory.
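As an added example (not from the module's own examples directory), the following extends the basic usage to split encrypt and decrypt rights between separate service accounts, so the component that produces ciphertext cannot read it back. It assumes the module exposes `set_encrypters_for`/`encrypters` and `set_decrypters_for`/`decrypters` following the same pattern as `set_owners_for`/`owners` (the Nth comma-separated member string applies to the Nth key name), and the group and service account addresses are placeholders.

```hcl
module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 0.1"

  project_id = "<PROJECT ID>"
  location   = "europe"
  name       = "payments-keyring"

  # Two keys with different audiences: one for card tokens, one for audit logs.
  keys = ["card-tokens", "audit-logs"]

  # Owner bindings are limited to the security team group on both keys.
  set_owners_for = ["card-tokens", "audit-logs"]
  owners = [
    "group:kms-owners@example.com",
    "group:kms-owners@example.com",
  ]

  # The API tier may only encrypt with card-tokens; it never gets decrypt.
  # Variable names below are assumed, mirroring set_owners_for/owners.
  set_encrypters_for = ["card-tokens", "audit-logs"]
  encrypters = [
    "serviceAccount:api@<PROJECT ID>.iam.gserviceaccount.com",
    "serviceAccount:api@<PROJECT ID>.iam.gserviceaccount.com,serviceAccount:worker@<PROJECT ID>.iam.gserviceaccount.com",
  ]

  # Only the settlement worker may decrypt card tokens; the audit key has a
  # single reader. Entries align positionally with set_decrypters_for, so
  # each key receives exactly the members listed at its index.
  set_decrypters_for = ["card-tokens", "audit-logs"]
  decrypters = [
    "serviceAccount:settlement@<PROJECT ID>.iam.gserviceaccount.com",
    "serviceAccount:log-reviewer@<PROJECT ID>.iam.gserviceaccount.com",
  ]
}
```

Because the per-key lists are positional, keep `keys`, `set_*_for` and the matching member lists in the same order; a shifted entry silently grants the wrong principal access to the wrong key.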
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v0.11
- Terraform Provider for GCP plugin v2.0
A service account with one of the following roles must be used to provision the resources of this module:
- Cloud KMS Admin: `roles/cloudkms.admin`
- or Owner: `roles/owner`
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service: `cloudkms.googleapis.com`
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.