### Terraform: Complete KMS Key Configuration Example Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/examples/complete/README.md This example demonstrates a comprehensive AWS KMS key setup using the Terraform AWS KMS module. It includes configurations for key policy, aliases, and grants, providing a fully featured KMS key. ```terraform module "kms_complete" { source = "../.." } ``` -------------------------------- ### Terraform: Initialize, Plan, and Apply Example Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/examples/complete/README.md This snippet shows the basic Terraform commands required to initialize the project, plan the infrastructure changes, and apply them. It assumes you have Terraform installed and configured for AWS access. Note that applying these changes may incur AWS charges. ```bash terraform init terraform plan terraform apply ``` -------------------------------- ### Terraform KMS Module: Before v3.x Configuration Example Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/docs/UPGRADE-4.0.md This HCL code snippet demonstrates the configuration of the Terraform AWS KMS module using version ~> 3.0. It includes examples of key statements with conditions and grants with constraints. ```hcl module "kms" { source = "terraform-aws-modules/kms/aws" version = "~> 3.0" # Only the affected attributes are shown key_statements = [ { sid = "CloudWatchLogs" actions = [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ] resources = ["*"] principals = [ { type = "Service" identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] } ] conditions = [ { test = "ArnLike" variable = "kms:EncryptionContext:aws:logs:arn" values = [ "arn:aws:logs:${local.region}:${data.aws_caller_identity.current.account_id}:log-group:*", ] } ] } ] # Grants grants = { lambda = { grantee_principal = aws_iam_role.lambda.arn operations = ["Encrypt", "Decrypt", "GenerateDataKey"] constraints = { encryption_context_equals = { Department = "Finance" } } } } tags = local.tags } ``` -------------------------------- ### Terraform: Default KMS Key Configuration Example Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/examples/complete/README.md This example demonstrates the creation of a default AWS KMS key with its default policy using the Terraform AWS KMS module. This is a simpler configuration for basic KMS key needs. ```terraform module "kms_default" { source = "../.." } ``` -------------------------------- ### Terraform: External KMS Key Configuration Example Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/examples/complete/README.md This example shows how to configure an external AWS KMS key using the Terraform AWS KMS module. This is useful for managing keys that are not directly created or managed by AWS KMS. ```terraform module "kms_external" { source = "../.." } ``` -------------------------------- ### Configure Comprehensive KMS Key with Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md This example showcases a comprehensive AWS KMS key configuration using Terraform, covering various settings such as deletion window, key rotation, enablement status, key usage, multi-region settings, default policy, detailed policy assignments for different user types, aliases, computed aliases, grants, and tags. ```hcl module "kms" { source = "terraform-aws-modules/kms/aws" description = "Complete key example showing various configurations available" deletion_window_in_days = 7 enable_key_rotation = true is_enabled = true key_usage = "ENCRYPT_DECRYPT" multi_region = false # Policy enable_default_policy = true key_owners = ["arn:aws:iam::012345678901:role/owner"] key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] key_service_users = ["arn:aws:iam::012345678901:role/ec2-role"] key_symmetric_encryption_users = ["arn:aws:iam::012345678901:role/symmetric-user"] key_hmac_users = ["arn:aws:iam::012345678901:role/hmac-user"] key_asymmetric_public_encryption_users = ["arn:aws:iam::012345678901:role/asymmetric-public-user"] key_asymmetric_sign_verify_users = ["arn:aws:iam::012345678901:role/sign-verify-user"] # Aliases aliases = ["one", "foo/bar"] # accepts static strings only computed_aliases = { ex = { # Sometimes you want to pass in an upstream attribute as the name and # that conflicts with using `for_each over a `toset()` since the value is not # known until after applying. Instead, we can use `computed_aliases` to work # around this limitation # Reference: https://github.com/hashicorp/terraform/issues/30937 name = aws_iam_role.lambda.name } } aliases_use_name_prefix = true # Grants grants = { lambda = { grantee_principal = "arn:aws:iam::012345678901:role/lambda-function" operations = ["Encrypt", "Decrypt", "GenerateDataKey"] constraints = { encryption_context_equals = { Department = "Finance" } } } } tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Customize KMS Key Policy with Statements and Conditions using Terraform Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This example demonstrates advanced KMS key policy customization using `key_statements`. It adds custom IAM policy statements with conditions, granting CloudWatch Logs service access with encryption context restrictions. The module requires specifying the region and account ID. ```hcl locals { region = "us-east-1" account_id = "012345678901" } module "kms" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" description = "Key with custom policy statements" deletion_window_in_days = 7 enable_key_rotation = true enable_default_policy = true key_owners = ["arn:aws:iam::${local.account_id}:role/owner"] key_administrators = ["arn:aws:iam::${local.account_id}:role/admin"] # Custom policy statements key_statements = [ { sid = "CloudWatchLogs" actions = [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ] resources = ["*"] principals = [ { type = "Service" identifiers = ["logs.${local.region}.amazonaws.com"] } ] condition = [ { test = "ArnLike" variable = "kms:EncryptionContext:aws:logs:arn" values = [ "arn:aws:logs:${local.region}:${local.account_id}:log-group:*" ] } ] }, { sid = "AllowLambdaService" actions = ["kms:Decrypt", "kms:GenerateDataKey"] resources = ["*"] principals = [ { type = "Service" identifiers = ["lambda.amazonaws.com"] } ] } ] aliases = ["mycompany/cloudwatch"] tags = { Terraform = "true" } } ``` -------------------------------- ### Generate KMS Key Aliases Dynamically Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This example shows how to create KMS key aliases whose names are determined at apply time by referencing other Terraform resources. It uses the `computed_aliases` argument to define aliases based on dynamically generated values, overcoming limitations with `toset()`. ```hcl resource "aws_iam_role" "application" { name_prefix = "app-role-" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Effect = "Allow" Action = "sts:AssumeRole" Principal = { Service = "ec2.amazonaws.com" } }] }) } module "kms" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" description = "Key with computed aliases" # Static aliases - values must be known at plan time aliases = ["mycompany/static", "mycompany/backup"] # Computed aliases - values can come from other resources computed_aliases = { app_role = { # Name derived from IAM role (not known until apply) name = aws_iam_role.application.name } unique = { name = "key-${formatdate("YYYY-MM-DD", timestamp())}" } } # Use prefix to avoid alias conflicts aliases_use_name_prefix = true tags = { Terraform = "true" } } output "aliases" { value = module.kms.aliases # Returns map of all created aliases with their attributes } ``` -------------------------------- ### Terraform: Disabled KMS Key Configuration Example Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/examples/complete/README.md This example illustrates how to configure a disabled AWS KMS key using the Terraform AWS KMS module. This configuration is useful for temporarily disabling a key without deleting it. ```terraform module "kms_disabled" { source = "../.." } ``` -------------------------------- ### Manage Multiple S3 Buckets with Terragrunt Layer Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/wrappers/README.md An example HCL configuration for Terragrunt managing multiple S3 buckets using the KMS module wrapper. It specifies default bucket policies and individual bucket configurations, showcasing how to apply different settings to distinct resources. ```hcl terraform { source = "tfr:///terraform-aws-modules/kms/aws//wrappers" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-kms.git//wrappers?ref=master" } inputs = { defaults = { force_destroy = true attach_elb_log_delivery_policy = true attach_lb_log_delivery_policy = true attach_deny_insecure_transport_policy = true attach_require_latest_tls_policy = true } items = { bucket1 = { bucket = "my-random-bucket-1" } bucket2 = { bucket = "my-random-bucket-2" tags = { Secure = "probably" } } } } ``` -------------------------------- ### Terraform KMS Module: After v4.x Configuration Example Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/docs/UPGRADE-4.0.md This HCL code snippet shows the updated configuration for the Terraform AWS KMS module using version ~> 4.0. It reflects changes in variable names (e.g., `key_statements.conditions` to `key_statements.condition`) and grant constraints structure. ```hcl module "kms" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" key_statements = [ { sid = "CloudWatchLogs" actions = [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*" ] resources = ["*"] principals = [ { type = "Service" identifiers = ["logs.${local.region}.amazonaws.com"] } ] condition = [ { test = "ArnLike" variable = "kms:EncryptionContext:aws:logs:arn" values = [ "arn:aws:logs:${local.region}:${local.account_id}:log-group:*", ] } ] } ] # Grants grants = { lambda = { grantee_principal = aws_iam_role.lambda.arn operations = ["Encrypt", "Decrypt", "GenerateDataKey"] constraints = [{ encryption_context_equals = { Department = "Finance" } }] } } } ``` -------------------------------- ### Configure KMS Grants for Fine-Grained Access Control with Terraform Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This example demonstrates creating KMS grants to delegate key usage permissions to specific IAM principals. Grants offer temporary, revocable access without altering the main key policy and can include optional encryption context constraints. It requires defining an IAM role for the principal. ```hcl resource "aws_iam_role" "lambda" { name = "lambda-kms-access" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Effect = "Allow" Action = "sts:AssumeRole" Principal = { Service = "lambda.amazonaws.com" } }] }) } module "kms" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" description = "Key with grants" enable_key_rotation = true key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] # Define grants for specific principals grants = { lambda = { grantee_principal = aws_iam_role.lambda.arn operations = ["Encrypt", "Decrypt", "GenerateDataKey"] # Restrict to specific encryption context constraints = [{ encryption_context_equals = { Department = "Finance" } }] } analytics = { grantee_principal = "arn:aws:iam::012345678901:role/analytics-service" operations = ["Decrypt", "DescribeKey"] retire_on_delete = true } } aliases = ["mycompany/with-grants"] tags = { Terraform = "true" } } # Access grant information output "grants" { value = module.kms.grants sensitive = true } ``` -------------------------------- ### Configure KMS for Encrypted EBS Volumes with EC2 AutoScaling Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This Terraform configuration sets up a KMS key with necessary permissions for EC2 AutoScaling to launch instances with encrypted EBS volumes. It grants the AutoScaling service role administrative access to the key and defines an alias for the key. The example also shows how to use this KMS key in an AWS launch template for encrypted volumes. ```hcl data "aws_caller_identity" "current" {} module "kms" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" description = "EC2 AutoScaling key for encrypted EBS volumes" key_usage = "ENCRYPT_DECRYPT" # Grant AutoScaling service role access key_administrators = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/admin"] key_service_roles_for_autoscaling = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" ] aliases = ["mycompany/ebs"] tags = { Terraform = "true" Environment = "production" Purpose = "EBS encryption" } } # Use in launch template resource "aws_launch_template" "example" { name_prefix = "encrypted-" image_id = "ami-12345678" instance_type = "t3.micro" block_device_mappings { device_name = "/dev/xvda" ebs { volume_size = 20 encrypted = true kms_key_id = module.kms.key_arn } } } ``` -------------------------------- ### Create Primary and Replica Multi-Region KMS Keys Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This snippet demonstrates how to create a primary multi-region KMS key and a replica key in a secondary region using the terraform-aws-modules/kms/aws module. It configures key properties, aliases, and grants for both primary and replica keys. ```hcl module "kms_primary" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" deletion_window_in_days = 7 description = "Primary multi-region key" enable_key_rotation = false is_enabled = true key_usage = "ENCRYPT_DECRYPT" multi_region = true # Enable multi-region aliases = ["mycompany/primary"] tags = { Terraform = "true" KeyType = "primary" } } # Replica key in secondary region module "kms_replica" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" # Deploy to different region region = local.secondary_region deletion_window_in_days = 7 description = "Replica of primary multi-region key" create_replica = true primary_key_arn = module.kms_primary.key_arn enable_default_policy = true key_owners = ["arn:aws:iam::012345678901:role/owner"] key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] aliases = ["mycompany/replica"] # Grants can be set independently on replica grants = { lambda = { grantee_principal = "arn:aws:iam::012345678901:role/lambda-function" operations = ["Encrypt", "Decrypt", "GenerateDataKey"] constraints = [{ encryption_context_equals = { Department = "Finance" } }] } } tags = { Terraform = "true" KeyType = "replica" } } output "primary_key_arn" { value = module.kms_primary.key_arn } output "replica_key_arn" { value = module.kms_replica.key_arn } output "replica_key_region" { value = module.kms_replica.key_region # => "eu-west-1" } ``` -------------------------------- ### Create Multi-Region Primary and Replica KMS Keys with Terraform Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This configuration demonstrates setting up multi-region KMS keys, including a primary key in one region and its replica in another. Multi-region keys facilitate encryption and decryption operations across different AWS regions without the need to re-encrypt data. It requires defining both primary and secondary regions. ```hcl locals { primary_region = "us-east-1" secondary_region = "eu-west-1" } # The module definition for multi-region keys would follow here, # specifying primary and replica key configurations. ``` -------------------------------- ### Manage Multiple KMS Keys with Wrapper Submodule Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This snippet illustrates how to use the wrapper submodule of the terraform-aws-modules/kms/aws module to define and manage multiple KMS keys efficiently. It applies shared default configurations to all keys while allowing individual overrides for specific settings. ```hcl module "kms_keys" { source = "terraform-aws-modules/kms/aws//wrappers" # Shared defaults for all keys defaults = { deletion_window_in_days = 7 enable_key_rotation = true enable_default_policy = true key_administrators = ["arn:aws:iam::012345678901:role/admin"] tags = { Terraform = "true" ManagedBy = "wrapper" } } # Define multiple keys items = { production = { description = "Production encryption key" aliases = ["mycompany/production"] key_users = ["arn:aws:iam::012345678901:role/prod-app"] tags = { Environment = "production" } } staging = { description = "Staging encryption key" aliases = ["mycompany/staging"] key_users = ["arn:aws:iam::012345678901:role/staging-app"] tags = { Environment = "staging" } } development = { description = "Development encryption key" aliases = ["mycompany/development"] key_users = ["arn:aws:iam::012345678901:role/dev-app"] # Override default deletion window deletion_window_in_days = 30 tags = { Environment = "development" } } } } # Access individual key outputs output "production_key_arn" { value = module.kms_keys.wrapper["production"].key_arn } output "all_key_arns" { value = { for k, v in module.kms_keys.wrapper : k => v.key_arn } } ``` -------------------------------- ### Configure Multiple KMS Keys with Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/wrappers/README.md This HCL snippet demonstrates how to utilize the KMS module wrapper within a Terraform configuration. It outlines the structure for defining default settings and individual configurations for multiple KMS keys, enabling centralized management. ```hcl module "wrapper" { source = "terraform-aws-modules/kms/aws//wrappers" defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Create Standard KMS Key with Terraform Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This snippet demonstrates how to create a standard AWS-managed KMS key with automatic rotation enabled using the Terraform AWS KMS module. It configures key usage, enables rotation and the key, and assigns roles for ownership and administration. Outputs include the key ARN and ID. ```hcl module "kms" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" description = "My application encryption key" deletion_window_in_days = 7 enable_key_rotation = true is_enabled = true key_usage = "ENCRYPT_DECRYPT" multi_region = false # Policy - assign roles enable_default_policy = true key_owners = ["arn:aws:iam::012345678901:role/owner"] key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] # Aliases aliases = ["mycompany/application"] tags = { Terraform = "true" Environment = "production" } } # Outputs output "key_arn" { value = module.kms.key_arn # => "arn:aws:kms:us-east-1:012345678901:key/12345678-1234-1234-1234-123456789012" } output "key_id" { value = module.kms.key_id # => "12345678-1234-1234-1234-123456789012" } ``` -------------------------------- ### Configure Multiple KMS Keys with Terragrunt Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/wrappers/README.md This HCL snippet shows how to use the KMS module wrapper with Terragrunt. It defines default values and specific configurations for multiple KMS keys, allowing for efficient management of several resources from a single Terragrunt file. ```hcl terraform { source = "tfr:///terraform-aws-modules/kms/aws//wrappers" # Alternative source: # source = "git::git@github.com:terraform-aws-modules/terraform-aws-kms.git//wrappers?ref=master" } inputs = { defaults = { # Default values create = true tags = { Terraform = "true" Environment = "dev" } } items = { my-item = { # omitted... can be any argument supported by the module } my-second-item = { # omitted... can be any argument supported by the module } # omitted... } } ``` -------------------------------- ### Create External KMS Key with Customer-Provided Material Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This Terraform snippet illustrates the creation of an external KMS key where the key material is provided by the customer. It includes base64-encoded key material and an optional expiration date. The configuration also assigns roles for key management and specifies aliases. Outputs include the external key state and expiration model. ```hcl module "kms_external" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" description = "External key with imported key material" deletion_window_in_days = 7 create_external = true is_enabled = true # Base64-encoded 256-bit key material (generate with: openssl rand -base64 32) key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY=" # Key material expiration (optional) valid_to = "2025-12-31T23:59:59Z" # Policy key_owners = ["arn:aws:iam::012345678901:role/owner"] key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] key_service_users = ["arn:aws:iam::012345678901:role/ec2-role"] aliases = ["mycompany/external"] aliases_use_name_prefix = true tags = { Terraform = "true" Environment = "production" KeyType = "external" } } # Outputs for external key output "external_key_state" { value = module.kms_external.external_key_state # => "Enabled" } output "expiration_model" { value = module.kms_external.external_key_expiration_model # => "KEY_MATERIAL_EXPIRES" } ``` -------------------------------- ### Create Route53 DNSSEC Signing KMS Key with Terraform Source: https://context7.com/terraform-aws-modules/terraform-aws-kms/llms.txt This module creates an asymmetric KMS key specifically configured for Route53 DNSSEC signing. It requires ECC_NIST_P256 key specifications and SIGN_VERIFY usage. Key rotation is disabled as per DNSSEC requirements, and Route53 DNSSEC policy statements are enabled. ```hcl data "aws_caller_identity" "current" {} module "kms_dnssec" { source = "terraform-aws-modules/kms/aws" version = "~> 4.0" description = "CMK for Route53 DNSSEC signing" key_usage = "SIGN_VERIFY" customer_master_key_spec = "ECC_NIST_P256" # DNSSEC keys cannot be rotated enable_key_rotation = false # Enable Route53 DNSSEC policy statements enable_route53_dnssec = true route53_dnssec_sources = [ { account_ids = [data.aws_caller_identity.current.account_id] hosted_zone_arn = "arn:aws:route53:::hostedzone/*" } ] aliases = ["route53/dnssec"] tags = { Terraform = "true" Purpose = "DNSSEC signing" } } # Use with Route53 DNSSEC resource "aws_route53_key_signing_key" "example" { hosted_zone_id = aws_route53_zone.example.id key_management_service_arn = module.kms_dnssec.key_arn name = "example" } ``` -------------------------------- ### Import Key Material into KMS in Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md Allows importing pre-generated key material into a KMS Customer Master Key (CMK). The provided `key_material_base64` must be a base64-encoded 256-bit symmetric encryption key. This is used for external key management scenarios. ```terraform key_material_base64 = "YOUR_BASE64_ENCODED_KEY_MATERIAL" ``` -------------------------------- ### Create External KMS Key with Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md This Terraform configuration shows how to create an external Customer Master Key (CMK) using externally provided encryption material. It includes settings for key material, validity period, owners, administrators, users, service users, aliases, and grants. ```hcl module "kms" { source = "terraform-aws-modules/kms/aws" description = "External key example" key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY=" valid_to = "2085-04-12T23:20:50.52Z" # Policy key_owners = ["arn:aws:iam::012345678901:role/owner"] key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_users = ["arn:aws:iam::012345678901:role/user"] key_service_users = ["arn:aws:iam::012345678901:role/ec2-role"] # Aliases aliases = ["mycompany/external"] aliases_use_name_prefix = true # Grants grants = { lambda = { grantee_principal = "arn:aws:iam::012345678901:role/lambda-function" operations = ["Encrypt", "Decrypt", "GenerateDataKey"] constraints = { encryption_context_equals = { Department = "Finance" } } } } tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Configure Multi-Region KMS Key in Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md Specifies whether a KMS key should be a multi-Region key or a regional key. Setting `multi_region` to `true` enables the key to be replicated across multiple AWS regions, providing higher availability and disaster recovery capabilities. ```terraform multi_region = true ``` -------------------------------- ### Create KMS Key for EC2 AutoScaling with Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md This configuration demonstrates how to create an AWS KMS key specifically for use with EC2 AutoScaling, enabling encrypted EBS volumes. It defines key usage, administrators, service roles for autoscaling, and aliases. ```hcl module "kms" { source = "terraform-aws-modules/kms/aws" description = "EC2 AutoScaling key usage" key_usage = "ENCRYPT_DECRYPT" # Policy key_administrators = ["arn:aws:iam::012345678901:role/admin"] key_service_roles_for_autoscaling = ["arn:aws:iam::012345678901:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"] # Aliases aliases = ["mycompany/ebs"] tags = { Terraform = "true" Environment = "dev" } } ``` -------------------------------- ### Configure KMS Key Usage and Specification in Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md Configures the primary use and cryptographic specification of an AWS KMS key. Supports encryption/decryption or signing/verification, and various key types like symmetric, RSA, ECC, and HMAC. Essential for setting up keys for specific cryptographic operations. ```terraform key_usage = "ENCRYPT_DECRYPT" key_spec = "SYMMETRIC_DEFAULT" ``` -------------------------------- ### Manage KMS Key Access with IAM ARNs in Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md Defines lists of IAM ARNs to grant specific access permissions to an AWS KMS key. Supports defining users for asymmetric encryption, signing, HMAC operations, general key usage, and service roles like Auto Scaling. Crucial for managing key access control. ```terraform key_users = [ "arn:aws:iam::111122223333:user/developer", "arn:aws:iam::111122223333:root" ] key_owners = [ "arn:aws:iam::111122223333:user/admin" ] key_service_roles_for_autoscaling = [ "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" ] ``` -------------------------------- ### Override KMS Policy Documents in Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md Provides a mechanism to merge custom IAM policy documents with the generated KMS key policy. Statements with non-blank `sid`s in the `override_policy_documents` will override existing statements with the same `sid` in the base policy. ```terraform override_policy_documents = [ "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"Enable IAM User Permissions\", \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"}, \"Action\": \"kms:*\", \"Resource\": \"*\" } ] }" ] ``` -------------------------------- ### Define KMS Key Policy Statements in Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/README.md Allows defining custom IAM policy statements for KMS key usage. Supports specifying actions, resources, principals, and conditions for fine-grained access control. This is useful for integrating KMS with specific AWS services or user groups. ```terraform key_statements = [ { sid = "AllowS3ServiceToUseKey" effect = "Allow" actions = [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ] resources = ["*"] principals = [ { type = "Service" identifiers = ["s3.amazonaws.com"] } ] } ] ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.