Complete AWS KMS Example

Configuration in this directory creates:

  • Complete KMS key example with key policy, aliases, and grants
  • External KMS key example
  • Default KMS key example with default policy
  • Disabled KMS key example

Usage

To run this example you need to execute:

$ terraform init
$ terraform plan
$ terraform apply

Note that this example may create resources which will incur monetary charges on your AWS bill. Run terraform destroy when you no longer need these resources.

Requirements

Name Version
terraform >= 1.3
aws >= 5.49

Providers

Name Version
aws >= 5.49

Modules

Name Source Version
kms_complete ../.. n/a
kms_default ../.. n/a
kms_disabled ../.. n/a
kms_dnssec_signing ../.. n/a
kms_external ../.. n/a
kms_primary ../.. n/a
kms_primary_external ../.. n/a
kms_replica ../.. n/a
kms_replica_external ../.. n/a

Resources

Name Type
aws_iam_role.lambda resource
aws_caller_identity.current data source
aws_region.current data source

Inputs

No inputs.

Outputs

Name Description
complete_aliases A map of aliases created and their attributes
complete_external_key_expiration_model Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE
complete_external_key_state The state of the CMK
complete_external_key_usage The cryptographic operations for which you can use the CMK
complete_grants A map of grants created and their attributes
complete_key_arn The Amazon Resource Name (ARN) of the key
complete_key_id The globally unique identifier for the key
complete_key_policy The IAM resource policy set on the key
default_aliases A map of aliases created and their attributes
default_external_key_expiration_model Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE
default_external_key_state The state of the CMK
default_external_key_usage The cryptographic operations for which you can use the CMK
default_grants A map of grants created and their attributes
default_key_arn The Amazon Resource Name (ARN) of the key
default_key_id The globally unique identifier for the key
default_key_policy The IAM resource policy set on the key
external_aliases A map of aliases created and their attributes
external_external_key_expiration_model Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE
external_external_key_state The state of the CMK
external_external_key_usage The cryptographic operations for which you can use the CMK
external_grants A map of grants created and their attributes
external_key_arn The Amazon Resource Name (ARN) of the key
external_key_id The globally unique identifier for the key
external_key_policy The IAM resource policy set on the key
replica_aliases A map of aliases created and their attributes
replica_external_aliases A map of aliases created and their attributes
replica_external_arn The Amazon Resource Name (ARN) of the key
replica_external_grants A map of grants created and their attributes
replica_external_key_expiration_model Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE
replica_external_key_id The globally unique identifier for the key
replica_external_key_policy The IAM resource policy set on the key
replica_external_key_state The state of the CMK
replica_external_key_usage The cryptographic operations for which you can use the CMK
replica_grants A map of grants created and their attributes
replica_key_arn The Amazon Resource Name (ARN) of the key
replica_key_expiration_model Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE
replica_key_id The globally unique identifier for the key
replica_key_policy The IAM resource policy set on the key
replica_key_state The state of the CMK
replica_key_usage The cryptographic operations for which you can use the CMK

Apache-2.0 Licensed. See LICENSE.