Module to create CMK with either AWS generated key material or imported key material (BYOK).
For usage instructions see examples/simple.
No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| alias | The display name of the alias. Leave an empty string to avoid creating an alias | string | "" | no |
| customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports | string | null | no |
| deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource | number | 30 | no |
| description | Description of the Key | string | null | no |
| enable_key_rotation | Specifies whether key rotation is enabled | bool | null | no |
| enabled | Specifies whether the key is enabled | bool | true | no |
| key_material_base64 | WARNING: if specified, it will be stored in plaintext in the raw state. Base64 encoded 256-bit symmetric encryption key material to impor | string | null | no |
| key_usage | Specifies the intended use of the key | string | null | no |
| policy | A valid policy JSON document | string | null | no |
| tags | A map of tags to add to the key | map(string) | {} | no |
| use_aws_key_material | Whether to use AWS generated key material or BYOK (eg. using CloudHSM or a physical HSM) | bool | true | no |
| valid_to | Time at which the imported key material expires. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ) | string | null | no |
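
The two modes described by the inputs above, shown side by side as an added example (not the module's own `examples/simple`). The module `source` address, the variable name `kms_key_material_base64`, and all values are placeholders or constructed for illustration.

```hcl
# Added example. Replace the placeholder source with the real address of this module.

# Hypothetical input variable for the BYOK material. `sensitive = true` only
# redacts the value from plan/apply output; as the key_material_base64 warning
# says, the value is still written in plaintext to the raw state, so the state
# backend needs its own encryption and access control.
variable "kms_key_material_base64" {
  description = "Base64 encoded 256-bit symmetric key material to import"
  type        = string
  sensitive   = true
}

# Mode 1: AWS generated key material (use_aws_key_material defaults to true).
module "kms_aws_material" {
  source = "<address-of-this-module>" # placeholder

  description             = "CMK with AWS generated key material"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  tags = {
    Environment = "example" # constructed value
  }
}

# Mode 2: BYOK, key material generated outside AWS (e.g. CloudHSM or a physical HSM).
module "kms_byok" {
  source = "<address-of-this-module>" # placeholder

  description          = "CMK with imported key material"
  use_aws_key_material = false
  key_material_base64  = var.kms_key_material_base64

  # Optional expiry of the imported material, RFC3339 (constructed date).
  # If omitted, the key material does not expire.
  valid_to = "2030-01-01T00:00:00Z"

  deletion_window_in_days = 30
}
```

Supplying the variable through the environment (`TF_VAR_kms_key_material_base64`) keeps the material out of version-controlled `.tfvars` files, but not out of the state.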