Skip to content

Latest commit

 

History

History
124 lines (101 loc) · 10 KB

README.md

File metadata and controls

124 lines (101 loc) · 10 KB

Key Protect module

Graduated (Supported) semantic-release pre-commit latest release Renovate enabled

This module supports:

Overview

terraform-ibm-key-protect

Usage

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX"
  region           = "us-south"
}

module "key_protect_module" {
  source            = "terraform-ibm-modules/key-protect/ibm"
  version           = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  key_protect_name  = "my-key-protect-instance"
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region            = "us-south"
}

Required IAM access policies

  • Account Management
    • Resource Group service
      • Viewer platform access
  • IAM Services
    • Key Protect service
      • Editor platform access
      • Manager platform access (required to enable metrics)

To attach access management tags to resources in this module, you need the following permissions.

  • IAM Services
    • Tagging service
      • Administrator platform access

Requirements

Name Version
terraform >= 1.9.0
ibm >= 1.70.0, < 2.0.0

Modules

Name Source Version
cbr_rule terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module 1.29.0

Resources

Name Type
ibm_kms_instance_policies.key_protect_instance_policies resource
ibm_resource_instance.key_protect_instance resource
ibm_resource_tag.key_protect_tag resource

Inputs

Name Description Type Default Required
access_tags A list of access tags to apply to the Key Protect instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. list(string) [] no
allowed_network Types of the allowed networks to be set for the Key Protect instance. Possible values are 'private-only' or 'public-and-private' string "public-and-private" no
cbr_rules (Optional, list) List of context-based restrictions rules to create 
list(object({
    description = string
    account_id  = string
    rule_contexts = list(object({
      attributes = optional(list(object({
        name  = string
        value = string
    }))) }))
    enforcement_mode = string
    operations = optional(list(object({
      api_types = list(object({
        api_type_id = string
      }))
    })))
  }))
 [] no
dual_auth_delete_enabled If set to true, Key Protect enables a dual authorization policy on the instance. Note: Once the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed using Terraform. bool false no
key_create_import_access_enabled If set to true, Key Protect enables a key create import access policy on the instance bool true no
key_create_import_access_settings Key create import access policy settings to configure if var.enable_key_create_import_access_policy is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess 
object({
    create_root_key     = optional(bool, true)
    create_standard_key = optional(bool, true)
    import_root_key     = optional(bool, true)
    import_standard_key = optional(bool, true)
    enforce_token       = optional(bool, false)
  })
 {} no
key_protect_name The name to give the Key Protect instance that will be provisioned string n/a yes
metrics_enabled If set to true, Key Protect enables metrics on the Key Protect instance. In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. bool true no
plan Plan for the Key Protect instance. Valid plans are 'tiered-pricing' and 'cross-region-resiliency', for more information on these plans see Key Protect pricing plan. string "tiered-pricing" no
region Region where the Key Protect instance will be provisioned string n/a yes
resource_group_id Resource Group ID where the Key Protect instance will be provisioned string n/a yes
rotation_enabled If set to true, Key Protect enables a rotation policy on the Key Protect instance. bool true no
rotation_interval_month Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. number 1 no
tags List of tags to associate with the Key Protect instance list(string) [] no

Outputs

Name Description
cbr_rule_ids CBR rule ids created to restrict Key Protect
key_protect_account_id The account ID of the Key Protect instance.
key_protect_crn CRN of the Key Protect instance
key_protect_guid GUID of the Key Protect instance
key_protect_id ID of the Key Protect instance
key_protect_instance_policies Instance Polices of the Key Protect instance
key_protect_name Name of the Key Protect instance
kp_private_endpoint Instance private endpoint URL
kp_public_endpoint Instance public endpoint URL

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.