The following is an example of creating an AWS KMS key with Terraform.
Example environment
- AWS CLI 2.2.44
- Terraform v1.0.10
Prerequisites
Configure access keys for the AWS CLI (the configuration below uses the default profile).
Create the configuration
Create a Terraform configuration file named main.tf in any directory.
Its content is shown below. The file declares the terraform settings, the aws provider, the KMS key resource and an alias that points at the key.
main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
  # Must be satisfied by the installed Terraform (v1.0.10 in this example);
  # a constraint of ">= 1.1.0" would make terraform init fail on 1.0.x.
  required_version = ">= 1.0.0"
}

provider "aws" {
  profile = "default"
  region  = "ap-northeast-1" # Tokyo
}

# KMS key configuration
resource "aws_kms_key" "demo_key" {
  description              = "terraform demo key"
  key_usage                = "ENCRYPT_DECRYPT"
  # Renamed to key_spec in provider 4.x; still valid under ~> 3.27.
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  deletion_window_in_days  = 7
}

# Human-readable alias that resolves to the key above
resource "aws_kms_alias" "demo_key_alias" {
  name          = "alias/TerraformDemoKey"
  target_key_id = aws_kms_key.demo_key.key_id
}
Check the configuration
Run terraform init
Initializes the directory as a Terraform working directory and downloads the aws provider declared in the configuration.
Run terraform fmt
Formats the configuration file automatically.
Run terraform validate
Checks that the configuration file is syntactically valid.
Apply the configuration
Run terraform apply
Generates the execution plan and, after confirmation, applies it.
~/../terraform-demo$ terraform apply
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_kms_alias.demo_key_alias will be created
+ resource "aws_kms_alias" "demo_key_alias" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "alias/TerraformDemoKey"
+ name_prefix = (known after apply)
+ target_key_arn = (known after apply)
+ target_key_id = (known after apply)
}
# aws_kms_key.demo_key will be created
+ resource "aws_kms_key" "demo_key" {
+ arn = (known after apply)
+ bypass_policy_lockout_safety_check = false
+ customer_master_key_spec = "SYMMETRIC_DEFAULT"
+ deletion_window_in_days = 7
+ description = "terraform demo key"
+ enable_key_rotation = false
+ id = (known after apply)
+ is_enabled = true
+ key_id = (known after apply)
+ key_usage = "ENCRYPT_DECRYPT"
+ multi_region = (known after apply)
+ policy = (known after apply)
+ tags_all = (known after apply)
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_kms_key.demo_key: Creating...
aws_kms_key.demo_key: Creation complete after 1s [id=55e1b6e0-3576-450a-873d-608aa73b8283]
aws_kms_alias.demo_key_alias: Creating...
aws_kms_alias.demo_key_alias: Creation complete after 0s [id=alias/TerraformDemoKey]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
Confirm that the KMS key was created
In the AWS console, under KMS > Customer managed keys, confirm that the key exists; the key created by Terraform appears as TerraformDemoKey.
Because the configuration does not set a policy, AWS attached the default key policy: it grants the account's root principal kms:* on the key, which in turn allows IAM policies in that account to grant access to the key. Note also that the plan above shows enable_key_rotation = false, the provider default; for anything beyond a demo, set an explicit key policy and enable rotation.
TerraformDemoKey key policy
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::400361196721:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
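The same key again, but with the two gaps noted above closed: rotation enabled and an explicit key policy that separates key administration from key use instead of relying on the default root-only policy. This is an added example, not code from the original post; the role names KmsAdminRole and AppRole are assumed placeholders, and the account ID is read from the caller identity rather than hard-coded.

```hcl
# Added example (not from the original post): hardened version of demo_key.
# Assumptions: IAM roles "KmsAdminRole" and "AppRole" exist in the account.
data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
}

data "aws_iam_policy_document" "demo_key_policy" {
  # Keep the account root as a principal so the key can never be locked out
  # of the account; this is also what lets IAM policies grant access to it.
  statement {
    sid       = "EnableRootPermissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # Key administrators: manage the key, but cannot use it for crypto operations.
  statement {
    sid    = "AllowKeyAdministration"
    effect = "Allow"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:role/KmsAdminRole"]
    }
  }

  # Key users: encrypt/decrypt and data-key generation only, no admin actions.
  statement {
    sid    = "AllowKeyUse"
    effect = "Allow"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:role/AppRole"]
    }
  }
}

resource "aws_kms_key" "demo_key" {
  description              = "terraform demo key"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  deletion_window_in_days  = 7
  enable_key_rotation      = true
  policy                   = data.aws_iam_policy_document.demo_key_policy.json
}

resource "aws_kms_alias" "demo_key_alias" {
  name          = "alias/TerraformDemoKey"
  target_key_id = aws_kms_key.demo_key.key_id
}
```

Keeping the root principal in the first statement matters: KMS refuses to create a key whose policy would lock out the caller (the bypass_policy_lockout_safety_check attribute in the plan above controls that check), and removing root from a key policy is the usual way to lose a key permanently. Run terraform validate and terraform plan after the change; the plan should show the policy attribute as known in advance rather than "(known after apply)".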