This module supports:
- Creating a Key Protect instance
- Enabling a rotation policy for the instance
- Enabling a dual authorization policy for the instance
- Enabling a metrics policy for the instance
- Enabling a key create and import access policy for the instance
```hcl
provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX"
  region           = "us-south"
}

module "key_protect_module" {
  source  = "terraform-ibm-modules/key-protect/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  key_protect_name  = "my-key-protect-instance"
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region            = "us-south"
}
```
- Account Management
  - Resource Group service
    - Viewer platform access
- IAM Services
  - Key Protect service
    - Editor platform access
    - Manager platform access (required to enable metrics)
To attach access management tags to resources in this module, you need the following permissions.
- IAM Services
  - Tagging service
    - Administrator platform access
Name | Version |
---|---|
terraform | >= 1.0.0 |
ibm | >= 1.70.0, < 2.0.0 |
Name | Source | Version |
---|---|---|
cbr_rule | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.1 |
Name | Type |
---|---|
ibm_kms_instance_policies.key_protect_instance_policies | resource |
ibm_resource_instance.key_protect_instance | resource |
ibm_resource_tag.key_protect_tag | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_tags | A list of access tags to apply to the Key Protect instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | list(string) | [] | no |
allowed_network | Types of the allowed networks to be set for the Key Protect instance. Possible values are 'private-only' or 'public-and-private'. | string | "public-and-private" | no |
cbr_rules | (Optional, list) List of context-based restrictions rules to create. | list(object({ | [] | no |
dual_auth_delete_enabled | If set to true, Key Protect enables a dual authorization policy on the instance. Note: once the dual authorization policy is set on the instance, it cannot be reverted. An instance with the dual authorization policy enabled cannot be destroyed using Terraform. | bool | false | no |
key_create_import_access_enabled | If set to true, Key Protect enables a key create import access policy on the instance. | bool | true | no |
key_create_import_access_settings | Key create import access policy settings to configure if var.enable_key_create_import_access_policy is true. For more information, see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess | object({ | {} | no |
key_protect_name | The name to give the Key Protect instance that will be provisioned. | string | n/a | yes |
metrics_enabled | If set to true, Key Protect enables metrics on the Key Protect instance. To view the metrics, you need a Monitoring (Sysdig) instance located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you need to enable platform metrics. | bool | true | no |
plan | Plan for the Key Protect instance. Currently only 'tiered-pricing' is supported. | string | "tiered-pricing" | no |
region | Region where the Key Protect instance will be provisioned. | string | n/a | yes |
resource_group_id | Resource Group ID where the Key Protect instance will be provisioned. | string | n/a | yes |
rotation_enabled | If set to true, Key Protect enables a rotation policy on the Key Protect instance. | bool | true | no |
rotation_interval_month | Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. | number | 1 | no |
tags | List of tags to associate with the Key Protect instance. | list(string) | [] | no |
Name | Description |
---|---|
cbr_rule_ids | CBR rule ids created to restrict Key Protect |
key_protect_crn | CRN of the Key Protect instance |
key_protect_guid | GUID of the Key Protect instance |
key_protect_id | ID of the Key Protect instance |
key_protect_instance_policies | Instance policies of the Key Protect instance |
key_protect_name | Name of the Key Protect instance |
kp_private_endpoint | Instance private endpoint URL |
kp_public_endpoint | Instance public endpoint URL |
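The same module with the inputs above set to their more restrictive values, as an added example that is not part of the module's README; the instance name, resource group ID, tags and the release version are placeholders, and the API key is assumed to be passed in through a sensitive variable rather than written into the file.

```hcl
# Added example (not from the module's README). Placeholder values are marked.
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true   # assumed: supplied via TF_VAR_ibmcloud_api_key, never committed
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

module "key_protect_hardened" {
  source  = "terraform-ibm-modules/key-protect/ibm"
  version = "X.X.X" # placeholder: pin to a release version

  key_protect_name  = "prod-key-protect"              # placeholder
  resource_group_id = "<resource-group-id>"            # placeholder
  region            = "us-south"

  # Reachable over the private network only; the module default is "public-and-private".
  allowed_network = "private-only"

  # Automatic key rotation every 3 months (allowed range is 1 to 12).
  rotation_enabled        = true
  rotation_interval_month = 3

  # A second approver is required to delete keys. This cannot be reverted,
  # and the instance can no longer be destroyed with Terraform afterwards.
  dual_auth_delete_enabled = true

  # Sends instance metrics to a Monitoring (Sysdig) instance in the same region;
  # needs the Manager role on the Key Protect service.
  metrics_enabled = true

  tags        = ["env:prod"]          # placeholder
  access_tags = ["team:security"]     # placeholder; needs Tagging service Administrator
}

# Hand the private endpoint to key consumers instead of the public one.
output "key_protect_private_endpoint" {
  value = module.key_protect_hardened.kp_private_endpoint
}
```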
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.