terraform-aws-arc-kms

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing KMS.

Usage

To see a full example, check out the main.tf file in the example folder.

module "kms" {
  source                  = "sourcefuse/arc-kms/aws"
  version                 = "1.0.0"
  enabled                 = var.enabled
  deletion_window_in_days = var.deletion_window_in_days
  enable_key_rotation     = var.enable_key_rotation
  alias                   = var.alias
  tags                    = module.tags.tags
  policy                  = var.policy
}

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.4 |
| aws | ~> 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | 4.67.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.default | resource |
| aws_kms_key.default | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| alias | The display name of the alias. The name must start with the word `alias` followed by a forward slash. If not specified, the alias name will be auto-generated. | string | n/a | yes |
| customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair, and the encryption or signing algorithms the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. | string | "SYMMETRIC_DEFAULT" | no |
| deletion_window_in_days | Waiting period, in days, after the resource is destroyed before the key is deleted. | number | 10 | no |
| description | The description of the key as shown in the AWS console. | string | "KMS master key" | no |
| enable_key_rotation | Specifies whether automatic key rotation is enabled. | bool | true | no |
| enabled | Set to `false` to prevent the module from creating any resources. | bool | true | no |
| key_usage | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. | string | "ENCRYPT_DECRYPT" | no |
| multi_region | Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. | bool | false | no |
| policy | A valid KMS key policy JSON document. If the policy document is valid but not specific enough, Terraform may see the policy as constantly changing in `terraform plan`; in that case, use the verbose/specific form of the policy. | string | n/a | yes |
| tags | Tags to add to your resources. | map(string) | {} | no |
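The following is an added example, not the module's own `example/main.tf`, that puts the Usage snippet and the `policy` input note above together: a complete call of `sourcefuse/arc-kms/aws` whose key policy is rendered from an `aws_iam_policy_document` data source. Rendering the policy that way produces the explicit `Sid`/`Effect`/`Principal`/`Resource` form that AWS stores, so the plan does not show a perpetual diff, and it keeps the account root as a principal so the key cannot become unmanageable. The region, the two role names (`kms-key-admins`, `app-runtime`) and the tag values are assumptions for illustration only.

```hcl
# Added example (not part of the terraform-aws-arc-kms module or its examples).
# Assumed values: region us-east-1, IAM roles kms-key-admins and app-runtime.

terraform {
  required_version = "~> 1.4"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

data "aws_caller_identity" "current" {}

locals {
  account_id         = data.aws_caller_identity.current.account_id
  # Hypothetical role names; replace with your own administrators and consumers.
  key_admin_role_arn = "arn:aws:iam::${local.account_id}:role/kms-key-admins"
  key_user_role_arn  = "arn:aws:iam::${local.account_id}:role/app-runtime"
}

data "aws_iam_policy_document" "kms" {
  # Keep the account root so the key can always be administered from the
  # account and IAM policies can take effect on it.
  statement {
    sid       = "EnableRootAccountAccess"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # Key administrators manage the key but get no data-plane (Encrypt/Decrypt) rights.
  statement {
    sid    = "AllowKeyAdministration"
    effect = "Allow"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.key_admin_role_arn]
    }
  }

  # Key users get only the cryptographic operations they need, nothing administrative.
  statement {
    sid    = "AllowKeyUse"
    effect = "Allow"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.key_user_role_arn]
    }
  }
}

module "kms" {
  source  = "sourcefuse/arc-kms/aws"
  version = "1.0.0"

  enabled                 = true
  alias                   = "alias/arc-example" # must start with "alias/"
  description             = "ARC example key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
  multi_region            = false
  policy                  = data.aws_iam_policy_document.kms.json

  tags = {
    Environment = "dev"       # assumed tag values
    ManagedBy   = "terraform"
  }
}

output "kms_key_arn" {
  value = module.kms.key_arn
}
```

Splitting administration from use in separate statements is what lets you later audit who can schedule deletion or change the policy separately from who can decrypt data; if a future `terraform plan` still shows the policy changing on every run, compare the rendered JSON with what `aws kms get-key-policy` returns and adjust the statement to the stored form rather than widening it.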

Outputs

| Name | Description |
|------|-------------|
| alias_arn | Alias ARN |
| alias_name | Alias name |
| key_arn | Key ARN |
| key_id | Key ID |

Versioning

This project keeps a .version file at the root of the repo; the pipeline reads it and creates a matching git tag.

When you intend to commit to main, increment this version. Once the change is merged, the pipeline runs and tags the latest git commit.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks:
    pre-commit install

Tests

  • Tests are available in the test directory
  • Configure the dependencies:
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
    go get github.com/gruntwork-io/terratest/modules/terraform
  • Now execute the test:
    go test -timeout 30m

Authors

This project is authored by:

  • SourceFuse ARC Team