See variables.tf for all the variables you can set on this module.
What is Cloud KMS?
Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic
keys for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048,
RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.
Cloud KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and
monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data that you need to store in
Google Cloud Platform.
Managing Key IAM bindings
The predefined roles allow for a separation of duties, where it is needed.
This module declares three levels of access to the keys. For encryption keys (both symmetric and asymmetric), you can
declare the following access levels:
Key Admin: is meant for users who manage the keys but not use them.
Key Encrypter: is meant for users who can use a key to encrypt data, but not decrypt or manage keys.
Key Decrypter: is meant for users who can use a key to decrypt data, but not encrypt or manage keys.
For signing keys, the access levels are:
Key Admin: is meant for users who manage the keys but not use them.
Key Signers: is meant for users who can use a key to sign data, but not verify or manage keys.
Key Verifiers: is meant for users who can use a key to sign and verify data, but not manage keys.
See the following example to learn how to set the IAM bindings.
Key ring and key resources CANNOT be deleted. Key versions also cannot be deleted, but key version material can be
destroyed so that the resources can no longer be used. The inability to delete key rings, keys, and key versions ensures
a key version resource identifier always points to only its original key material.
Key rings and keys do not have billable costs or quota limitations, so their continued existence does not impact costs or production limits.
Questions? Ask away.
We're here to talk about our services, answer any questions, give advice, or just to chat.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"ad6dccabb00d88484e182b046e3ba8c277d74377"}]},{"name":".editorconfig","path":".editorconfig","sha":"cfe72e78040977e5b15e145e5cb1fe08fa214e2c"},{"name":".gitignore","path":".gitignore","sha":"5bfe11614975f1ce3009cfa38dfae9aa72a775bc"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"a231a87f4d53a3db368ba9a52c2ce4c72665be6c"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"e47d027ad15beb415e4f619397c8a3ef1ccd2497"},{"name":"CONTRIBUTING.md","path":"CONTRIBUTING.md","sha":"785ed629a5b32c775adad13c8d9fbdbf5789410a"},{"name":"GRUNTWORK_PHILOSOPHY.md","path":"GRUNTWORK_PHILOSOPHY.md","sha":"02d9873a74c99fe6d9b6b26bd9f8eb4a7a699c32"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"d645695673349e3947e8e5ae42332d0ac3164cd7"},{"name":"NOTICE","path":"NOTICE","sha":"98ad9351850a669809f0da1c6c537ed0a92fc6f6"},{"name":"README.md","path":"README.md","sha":"eb43f2fb5691840f423c20e97a52aea02c36a5f0"},{"name":"examples","children":[{"name":"cloud-kms","children":[{"name":"README.md","path":"examples/cloud-kms/README.md","sha":"35493afb75a93dc527c7eb36764a7a4ecca58eac"}]}]},{"name":"main.tf","path":"main.tf","sha":"f18bc0180cb5cfd00ec6042ef255424a375d89c8"},{"name":"modules","children":[{"name":"cloud-kms","children":[{"name":"README.md","path":"modules/cloud-kms/README.md","sha":"4a08c0945435ce7c06edecf703f67629492f4fb4","toggled":true},{"name":"locals.tf","path":"modules/cloud-kms/locals.tf","sha":"2f707bf36d66fa72ea3a78b5002d19f40a0ad477"},{"name":"main.tf","path":"modules/cloud-kms/main.tf","sha":"8987a60b61dcfd095840ac651a101da1c14ac731"},{"name":"outputs.tf","path":"modules/cloud-kms/outputs.tf","sha":"574c5d8cbbd128a40edee85dc037651ae2405953"},{"name":"variables.tf","path":"modules/cloud-kms/variables.tf","sha":"3197d8e2eb71a69b995dbbf14b9e9d59c270bd42"}],"toggled":true}],"toggled":true},{"name":"outputs.tf","path":"outputs.tf","sha":"e3df8371df36fcad228e20c9fb784e7d1495e08d"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"5907068578b96b170821121cdeea8d7aad7ea2e5"},{"name":"cloud_kms_test.go","path":"test/cloud_kms_test.go","sha":"452b1251a5b68dcd259b001f5b721669c6bf8ff5"},{"name":"go.mod","path":"test/go.mod","sha":"5a2947e0bffd9eb6f886bf8566abd8db98acb37d"},{"name":"go.sum","path":"test/go.sum","sha":"daa4aa8e6c9ad6141987ce90e6c380686c505087"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"a755f16ada2039875cd0f7f0d5cc93c79d93747e"},{"name":"validation","children":[{"name":"validate_all_modules_and_examples_test.go","path":"test/validation/validate_all_modules_and_examples_test.go","sha":"e4bf1bd9d870bfb5436a7a0840d96a0e9a36a233"}]}]},{"name":"variables.tf","path":"variables.tf","sha":"89ce3576507de674ef97c2f358b7e6c19538a226"}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"cloud-kms-module\">Cloud KMS Module</h1><div class=\"preview__body--border\"></div><p>This Terraform Module creates a new Cloud KMS keyring, KMS keys and IAM role bindings to control access to the keys.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<ul>\n<li>See the <a href=\"/repos/v0.2.0/terraform-google-security/README.md\" class=\"preview__body--description--blue\">root README</a> for instructions on using Terraform modules.</li>\n<li>See the <a href=\"/repos/v0.2.0/terraform-google-security/examples/cloud-kms\" class=\"preview__body--description--blue\">cloud-kms example</a> for an example.</li>\n<li>See <a href=\"/repos/v0.2.0/terraform-google-security/modules/cloud-kms/variables.tf\" class=\"preview__body--description--blue\">variables.tf</a> for all the variables you can set on this module.</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"what-is-cloud-kms\">What is Cloud KMS?</h2>\n<p><a href=\"https://cloud.google.com/kms/\" class=\"preview__body--description--blue\" target=\"_blank\">Cloud KMS</a> is a cloud-hosted key management service that lets you manage cryptographic\nkeys for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048,\nRSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.</p>\n<p>Cloud KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and\nmonitor how these are used. Use Cloud KMS to protect secrets and other sensitive data that you need to store in\nGoogle Cloud Platform.</p>\n<h2 class=\"preview__body--subtitle\" id=\"managing-key-iam-bindings\">Managing Key IAM bindings</h2>\n<p>The predefined roles allow for a separation of duties, where it is needed.</p>\n<p>This module declares three levels of access to the keys. For encryption keys (both symmetric and asymmetric), you can\ndeclare the following access levels:</p>\n<ol>\n<li>\n<p><strong>Key Admin:</strong> is meant for users who manage the keys but not use them.</p>\n</li>\n<li>\n<p><strong>Key Encrypter:</strong> is meant for users who can use a key to encrypt data, but not decrypt or manage keys.</p>\n</li>\n<li>\n<p><strong>Key Decrypter:</strong> is meant for users who can use a key to decrypt data, but not encrypt or manage keys.</p>\n</li>\n</ol>\n<p>For signing keys, the access levels are:</p>\n<ol>\n<li>\n<p><strong>Key Admin:</strong> is meant for users who manage the keys but not use them.</p>\n</li>\n<li>\n<p><strong>Key Signers:</strong> is meant for users who can use a key to sign data, but not verify or manage keys.</p>\n</li>\n<li>\n<p><strong>Key Verifiers:</strong> is meant for users who can use a key to sign and verify data, but not manage keys.</p>\n</li>\n</ol>\n<p>See the following example to learn how to set the IAM bindings.</p>\n<h2 class=\"preview__body--subtitle\" id=\"key-configuration-example\">Key configuration example</h2>\n<pre> ...\n\n <span class=\"hljs-attr\">symmetric_keys</span> = {\n <span class=\"hljs-attr\">my-symmetric-key</span> = {\n <span class=\"hljs-attr\">protection_level</span> = <span class=\"hljs-string\">\"SOFTWARE\"</span>\n // Automatic key rotation only supported for symmetric keys\n <span class=\"hljs-attr\">rotation_period</span> = <span class=\"hljs-string\">\"90000s\"</span>\n <span class=\"hljs-attr\">admins</span> = [<span class=\"hljs-string\">\"user:adminuser@acme.org\"</span>]\n <span class=\"hljs-attr\">encrypters</span> = [<span class=\"hljs-string\">\"group:encrypters@acme.org\"</span>]\n <span class=\"hljs-attr\">decrypters</span> = [<span class=\"hljs-string\">\"serviceAccount:sa@acme.org\"</span>]\n <span class=\"hljs-attr\">labels</span> = {\n <span class=\"hljs-attr\">org-unit</span> = <span class=\"hljs-string\">\"Acme\"</span>\n }\n },\n }\n\n <span class=\"hljs-attr\">asymmetric_keys</span> = {\n <span class=\"hljs-attr\">my-asymmetric-key</span> = {\n <span class=\"hljs-attr\">protection_level</span> = <span class=\"hljs-string\">\"SOFTWARE\"</span>\n <span class=\"hljs-attr\">algorithm</span> = <span class=\"hljs-string\">\"RSA_DECRYPT_OAEP_3072_SHA256\"</span>\n <span class=\"hljs-attr\">admins</span> = [<span class=\"hljs-string\">\"user:adminuser@acme.org\"</span>]\n <span class=\"hljs-attr\">encrypters</span> = [<span class=\"hljs-string\">\"group:encrypters@acme.org\"</span>]\n <span class=\"hljs-attr\">decrypters</span> = [<span class=\"hljs-string\">\"serviceAccount:sa@acme.org\"</span>]\n <span class=\"hljs-attr\">labels</span> = {}\n },\n }\n\n <span class=\"hljs-attr\">signing_keys</span> = {\n <span class=\"hljs-attr\">my-signin-key</span> = {\n <span class=\"hljs-attr\">algorithm</span> = <span class=\"hljs-string\">\"RSA_SIGN_PSS_3072_SHA256\"</span>\n <span class=\"hljs-attr\">protection_level</span> = <span class=\"hljs-string\">\"HSM\"</span>\n <span class=\"hljs-attr\">admins</span> = [<span class=\"hljs-string\">\"user:adminuser@acme.com\"</span>]\n <span class=\"hljs-attr\">signers</span> = [<span class=\"hljs-string\">\"group:signers@acme.com\"</span>]\n <span class=\"hljs-attr\">verifiers</span> = [<span class=\"hljs-string\">\"group:verifiers@acme.com\"</span>]\n <span class=\"hljs-attr\">labels</span> = {}\n },\n }\n\n ...\n\n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"lifetime-of-objects\">Lifetime of objects</h2>\n<p>Key ring and key resources CANNOT be deleted. Key versions also cannot be deleted, but key version material can be\ndestroyed so that the resources can no longer be used. The inability to delete key rings, keys, and key versions ensures\na key version resource identifier always points to only its original key material.</p>\n<p>Key rings and keys do not have billable costs or quota limitations, so their continued existence does not impact costs or production limits.</p>\n","repoName":"terraform-google-security","repoRef":"v0.3.0","serviceDescriptor":{"serviceName":"KMS","serviceRepoName":"terraform-google-security","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/cloud-kms","cloudProviders":["gcp"],"description":"Encrypt and decrypt secrets using Google's Key Management Service (KMS).","imageUrl":"grunt.png","licenseType":"open-source","technologies":["Terraform","Bash"],"compliance":[],"tags":[""]},"serviceCategoryName":"Secrets management","fileName":"README.md","filePath":"/modules/cloud-kms","title":"Repo Browser: KMS","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}