AWS KMS Encryption Key
Creates a multi-region KMS key used for encryption. Provides the ability to assign users and administrators of the key.
Providers
The following providers are needed by this module:
- aws (5.39.1)
Required Inputs
The following input variables are required:
description
Description: The description of the KMS key.
Type: string
name
Description: The name of the KMS key.
Type: string
Optional Inputs
The following input variables are optional (have default values):
admin_iam_arns
Description: List of IAM arns for key admins.
Type: list(string)
Default: []
log_delivery_enabled
Description: Whether to allow the delivery.logs.amazonaws.com service to use the key
Type: bool
Default: false
reader_iam_arns
Description: List of IAM arns for users who can use the key for encryption and decryption.
Type: list(string)
Default: []
replication_enabled
Description: Whether to replicate the key to another region
Type: bool
Default: true
restricted_reader_iam_arns
Description: List of IAM arns for users who can only view the key.
Type: list(string)
Default: []
superuser_iam_arns
Description: List of IAM arns for key superusers.
Type: list(string)
Default: []
Outputs
The following outputs are exported:
alias_arn
Description: n/a
arn
Description: The ARN of the KMS key
arn2
Description: The ARN of the backup key
id
Description: n/a
Usage
- The keys provisioned by this module must be manually deleted as deletion prevention in terraform is enabled.
- This is a multi-region module so it requires the secondary aws provider to be enabled. This is to keep everything in sync.