AWS KMS Encryption Key

Creates a multi-region KMS key used for encryption. Provides the ability to assign users and administrators of the key.

Providers

The following providers are needed by this module:

aws (5.39.1)

Required Inputs

The following input variables are required:

description

Description: The description of the KMS key.

Type: string

name

Description: The name of the KMS key.

Type: string

Optional Inputs

The following input variables are optional (have default values):

admin_iam_arns

Description: List of IAM arns for key admins.

Type: list(string)

Default: []

log_delivery_enabled

Description: Whether to allow the delivery.logs.amazonaws.com service to use the key

Type: bool

Default: false

reader_iam_arns

Description: List of IAM arns for users who can use the key for encryption and decryption.

Type: list(string)

Default: []

replication_enabled

Description: Whether to replicate the key to another region

Type: bool

Default: true

restricted_reader_iam_arns

Description: List of IAM arns for users who can only view the key.

Type: list(string)

Default: []

superuser_iam_arns

Description: List of IAM arns for key superusers.

Type: list(string)

Default: []

Outputs

The following outputs are exported:

alias_arn

Description: n/a

arn

Description: The ARN of the KMS key

arn2

Description: The ARN of the backup key

id

Description: n/a

Usage

The keys provisioned by this module must be manually deleted as deletion prevention in terraform is enabled.
This is a multi-region module so it requires the secondary aws provider to be enabled. This is to keep everything in sync.