
terraform-aws-arc-kms¶
Module:
sourcefuse/arc-kms/awsRegistry: https://registry.terraform.io/modules/sourcefuse/arc-kms/aws
Category: Security / Encryption
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Overview¶
Creates and manages AWS KMS customer-managed keys (CMKs) with aliases, key policies, and automatic key rotation.
What It Does¶
- KMS CMK with configurable deletion window
- Automatic key rotation
- Key alias management
- Custom key policy support
- Enable/disable key without deletion
Quickstart¶
Required Inputs¶
| Name | Type | Description |
|---|---|---|
alias |
string |
KMS key alias (must start with alias/) |
| ## Key Outputs |
| Name | Description |
|---|---|
key_id |
KMS key ID |
key_arn |
KMS key ARN |
alias_arn |
KMS alias ARN |
| ## Full Variable & Output Reference |
The complete inputs/outputs reference is auto-generated below.
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.4, < 2.0.0 |
| aws | >= 5.0, < 7.0 |
Providers¶
| Name | Version |
|---|---|
| aws | >= 5.0, < 7.0 |
Modules¶
No modules.
Resources¶
| Name | Type |
|---|---|
| aws_kms_alias.default | resource |
| aws_kms_key.default | resource |
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alias | The display name of the alias. The name must start with the word alias followed by a forward slash. If not specified, the alias name will be auto-generated. |
string |
n/a | yes |
| customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. |
string |
"SYMMETRIC_DEFAULT" |
no |
| deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource | number |
10 |
no |
| description | The description of the key as viewed in AWS console | string |
"KMS master key" |
no |
| enable_key_rotation | Specifies whether key rotation is enabled | bool |
true |
no |
| key_usage | Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. |
string |
"ENCRYPT_DECRYPT" |
no |
| multi_region | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | bool |
false |
no |
| policy | A valid KMS policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | string |
n/a | yes |
| tags | tags to add to your resources | map(string) |
{} |
no |
Outputs¶
| Name | Description |
|---|---|
| alias_arn | Alias ARN |
| alias_name | Alias name |
| key_arn | Key ARN |
| key_id | Key ID |
AI Assistant Integration (ARC IaC MCP)¶
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
Setup (one minute)¶
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
Example prompts to try¶
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
Contributing¶
See CONTRIBUTING.md for commit conventions and development setup.
Authors¶
This project is authored by: - SourceFuse ARC Team