Skip to content

Terraform module to create and work with IBM Key Protect

License

Notifications You must be signed in to change notification settings

terraform-ibm-modules/terraform-ibm-key-protect

Repository files navigation

Key Protect module

Graduated (Supported) semantic-release pre-commit latest release Renovate enabled

This module supports:

Overview

terraform-ibm-key-protect

Usage

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX"
  region           = "us-south"
}

module "key_protect_module" {
  source            = "terraform-ibm-modules/key-protect/ibm"
  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  key_protect_name  = "my-key-protect-instance"
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region            = "us-south"
}

Required IAM access policies

  • Account Management
    • Resource Group service
      • Viewer platform access
  • IAM Services
    • Key Protect service
      • Editor platform access
      • Manager platform access (required to enable metrics)

To attach access management tags to resources in this module, you need the following permissions.

  • IAM Services
    • Tagging service
      • Administrator platform access

Requirements

Name Version
terraform >= 1.0.0
ibm >= 1.70.0, < 2.0.0

Modules

Name Source Version
cbr_rule terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module 1.28.1

Resources

Name Type
ibm_kms_instance_policies.key_protect_instance_policies resource
ibm_resource_instance.key_protect_instance resource
ibm_resource_tag.key_protect_tag resource

Inputs

Name Description Type Default Required
access_tags A list of access tags to apply to the Key Protect instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. list(string) [] no
allowed_network Types of the allowed networks to be set for the Key Protect instance. Possible values are 'private-only' or 'public-and-private' string "public-and-private" no
cbr_rules (Optional, list) List of context-based restrictions rules to create
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
}))
[] no
dual_auth_delete_enabled If set to true, Key Protect enables a dual authorization policy on the instance. Note: Once the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed using Terraform. bool false no
key_create_import_access_enabled If set to true, Key Protect enables a key create import access policy on the instance bool true no
key_create_import_access_settings Key create import access policy settings to configure if var.enable_key_create_import_access_policy is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess
object({
create_root_key = optional(bool, true)
create_standard_key = optional(bool, true)
import_root_key = optional(bool, true)
import_standard_key = optional(bool, true)
enforce_token = optional(bool, false)
})
{} no
key_protect_name The name to give the Key Protect instance that will be provisioned string n/a yes
metrics_enabled If set to true, Key Protect enables metrics on the Key Protect instance. In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. bool true no
plan Plan for the Key Protect instance. Currently only 'tiered-pricing' is supported string "tiered-pricing" no
region Region where the Key Protect instance will be provisioned string n/a yes
resource_group_id Resource Group ID where the Key Protect instance will be provisioned string n/a yes
rotation_enabled If set to true, Key Protect enables a rotation policy on the Key Protect instance. bool true no
rotation_interval_month Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. number 1 no
tags List of tags to associate with the Key Protect instance list(string) [] no

Outputs

Name Description
cbr_rule_ids CBR rule ids created to restrict Key Protect
key_protect_crn CRN of the Key Protect instance
key_protect_guid GUID of the Key Protect instance
key_protect_id ID of the Key Protect instance
key_protect_instance_policies Instance Polices of the Key Protect instance
key_protect_name Name of the Key Protect instance
kp_private_endpoint Instance private endpoint URL
kp_public_endpoint Instance public endpoint URL

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.