A KMS Key that can be used with multiple services

dod-iac/terraform-aws-shared-kms-key

Usage

Creates a KMS Key shared by multiple services to encrypt data at-rest.

```hcl
module "shared_kms_key" {
  source = "dod-iac/shared-kms-key/aws"

  name        = format("alias/app-%s-shared-%s", var.application, var.environment)
  description = format("A shared key used to encrypt data at rest for %s:%s.", var.application, var.environment)
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
  allow_lambda = true
  allow_s3     = true
}
```

Terraform Version

Terraform 0.13. Pin the module version to `~> 1.0.0`. Submit pull requests to the `main` branch.

Terraform 0.11 and 0.12 are not supported.

License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 3.0, < 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.0, < 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.main | resource |
| aws_kms_key.main | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.main | data source |
| aws_iam_role.imagebuilder | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allow_cloudwatch | Allow the KMS key to be used to encrypt CloudWatch logs. | bool | false | no |
| allow_ebs | Allow the KMS key to be used to encrypt EBS volumes. | bool | false | no |
| allow_eventbridge | Allow the KMS key to be used to encrypt EventBridge events. | bool | false | no |
| allow_image_builder | Allow EC2 Image Builder to send messages to SNS topics encrypted with the KMS key. The allow_sns variable must be set, too. | bool | false | no |
| allow_lambda | Allow the KMS key to be used to encrypt Lambda environment variables. | bool | false | no |
| allow_s3 | Allow the KMS key to be used to encrypt S3 buckets. | bool | false | no |
| allow_snow_family | Allow the KMS key to be used to encrypt the unlock code for your Snow Family job. | bool | false | no |
| allow_sns | Allow the KMS key to be used to encrypt SNS topics. | bool | false | no |
| allow_sqs | Allow the KMS key to be used to encrypt SQS queues. | bool | false | no |
| description | n/a | string | "A KMS key shared by multiple services to encrypt data at-rest." | no |
| key_deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource; must be between 7 and 30 days. | string | 30 | no |
| name | The display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/). | string | n/a | yes |
| tags | Tags applied to the KMS key. | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| aws_kms_alias_arn | The Amazon Resource Name (ARN) of the key alias. |
| aws_kms_alias_name | The display name of the alias. |
| aws_kms_key_arn | The Amazon Resource Name (ARN) of the key. |
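The following is an added example, not code from the module's README or from the dod-iac project. It shows the inputs and outputs above working together: one shared key enabled only for the services that will use it (including the allow_image_builder / allow_sns pairing the Inputs table requires), then consumed by a CloudWatch log group, a Lambda function, an S3 bucket and an SNS topic through the module's output ARN. The variables var.application and var.environment, the aws_iam_role.lambda reference, the lambda.zip artifact and every resource name are assumptions; the aws_s3_bucket_server_side_encryption_configuration resource needs AWS provider 4.x, which falls inside the module's supported range.

```hcl
# Added example: wiring the shared key into several consumers.
# Assumed to exist elsewhere in the root module: var.application,
# var.environment, aws_iam_role.lambda, and a zipped handler at lambda.zip.

module "shared_kms_key" {
  source  = "dod-iac/shared-kms-key/aws"
  version = "~> 1.0.0"

  name        = format("alias/app-%s-shared-%s", var.application, var.environment)
  description = format("Shared data-at-rest key for %s:%s.", var.application, var.environment)

  # Grant only the services that will actually use the key; every other
  # allow_* input keeps its default of false.
  allow_cloudwatch    = true
  allow_lambda        = true
  allow_s3            = true
  allow_sns           = true
  allow_image_builder = true # only valid together with allow_sns = true

  # The module accepts 7 to 30 days; 30 (the default) gives the longest
  # window to recover a key scheduled for deletion by mistake.
  key_deletion_window_in_days = 30

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

# CloudWatch log group encrypted with the shared key (the resource takes the
# key ARN in kms_key_id).
resource "aws_cloudwatch_log_group" "app" {
  name              = format("/aws/lambda/%s-%s", var.application, var.environment)
  retention_in_days = 90
  kms_key_id        = module.shared_kms_key.aws_kms_key_arn
}

# Lambda environment variables encrypted with the shared key.
resource "aws_lambda_function" "app" {
  function_name = format("%s-%s", var.application, var.environment)
  role          = aws_iam_role.lambda.arn # assumed to be defined elsewhere
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "lambda.zip"
  kms_key_arn   = module.shared_kms_key.aws_kms_key_arn

  environment {
    variables = {
      ENVIRONMENT = var.environment
    }
  }

  # Create the encrypted log group first so Lambda does not create an
  # unencrypted one with the same name.
  depends_on = [aws_cloudwatch_log_group.app]
}

# S3 bucket with SSE-KMS default encryption using the shared key.
resource "aws_s3_bucket" "data" {
  bucket = format("%s-%s-data", var.application, var.environment)
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = module.shared_kms_key.aws_kms_key_arn
      sse_algorithm     = "aws:kms"
    }
    bucket_key_enabled = true
  }
}

# SNS topic encrypted with the shared key; EC2 Image Builder can publish to
# it because allow_image_builder and allow_sns were both set above.
resource "aws_sns_topic" "image_builder" {
  name              = format("%s-%s-image-builder", var.application, var.environment)
  kms_master_key_id = module.shared_kms_key.aws_kms_key_arn
}

output "shared_kms_key_alias" {
  value = module.shared_kms_key.aws_kms_alias_name
}
```

Consumers reference aws_kms_key_arn rather than the alias so that a later re-pointing of the alias does not silently change which key protects existing data; the alias name is exported only for operators and tooling that look keys up by name.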
