Key Protect all inclusive module
This module combines the following Key Protect modules to create a full end-to-end key infrastructure:
The module takes a map, called key_map
, that supports hierarchical "key rings" for a single Key Protect instance. Because access to key rings is managed in Key Protect, you can comply with controls around least privilege (for example, NIST AC-6) and can reduce the number of access groups you need to assign. For more information about key rings, see Grouping keys together using key rings.
The following example shows a typical topology for a Key Protect instance:
├── cos-key-ring
│ ├── root-key-cos-bucket-1
│ ├── root-key-cos-bucket-2
│ ├── root-key-cos-bucket-...
├── ocp-key-ring
│ ├── root-key-ocp-cluster-1
│ ├── root-key-ocp-cluster-2
│ ├── root-key-ocp-cluster-...
Multiple Key Protect instances, and potential future directions for this module
The strings cos-bucket
and ocp-cluster
are the cluster IDs for Cloud Object Storage and for the OpenShift Container Platform.
The module supports only a single Key Protect instance and creates the key topology in that instance. It doesn't create multiple Key Protect instances. However, in a typical production environment, services might need multiple Key Protect instances for compliance reasons.
For example, you might need isolation between regulatory boundaries (for example, between FedRamp and everything else). Or you might be required to isolate keys that are used by a service's control plane from the data plane (for example, with IBM Cloud Databases (ICD) services).
To achieve compliance, you can write logic to call the module multiple times to create multiple Key Protect instances.
One emerging pattern is to create one Key Protect instance per VPC. All workloads in the VPC access the Key Protect instance through a VPE binding. This simple approach ensures network segmentation. A drawback is that this approach creates more Key Protect instances than necessary, in some case.
Overview
terraform-ibm-key-protect-all-inclusive
Usage
provider "ibm" {
ibmcloud_api_key = "XXXXXXXXXX"
region = "us-south"
}
module "key_protect_all_inclusive" {
# Replace "main" with a GIT release version to lock into a specific release
source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=main"
key_protect_instance_name = "my-key-protect-instance"
resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
region = "us-south"
key_map = {
"example-key-ring-1" = ["example-key-1", "example-key-2"]
"example-key-ring-2" = ["example-key-3", "example-key-4"]
}
}
Required IAM access policies
You need the following permissions to run this module.
- Account Management
- Resource Group service
Viewer
platform access
- Resource Group service
- IAM Services
- Key Protect service
Editor
platform accessManager
service access
- Key Protect service
Requirements
Name | Version |
---|---|
terraform | >= 1.0.0, <1.6.0 |
ibm | >= 1.58.0 |
Modules
Resources
No resources.
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_tags | A list of access tags to apply to the Key Protect instance created by the module. | list(string) |
[] |
no |
create_key_protect_instance | A flag to control whether a Key Protect instance is created, defaults to true. | bool |
true |
no |
dual_auth_delete_enabled | If set to true, Key Protect enables a dual authorization policy on the instance. Note: Once the dual authorization policy is set on the instance, it cannot be reverted. An instance with dual authorization policy enabled cannot be destroyed using Terraform. | bool |
false |
no |
enable_metrics | Set to true to enable metrics on the Key Protect instance (ignored is value for 'existing_key_protect_instance_guid' is passed). In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. | bool |
true |
no |
existing_key_map | Use this variable if you wish to create new keys inside already existing Key Ring(s). The map should contain the existing Key Ring name as the keys of the map, and a list of desired Key Protect Key names to create as the values for each existing Key Ring. | map(list(string)) |
{} |
no |
existing_key_protect_instance_guid | The GUID of an existing Key Protect instance, required if 'var.create_key_protect_instance' is false. | string |
null |
no |
force_delete | Allow keys to be force deleted, even if key is in use | bool |
true |
no |
force_delete_key_ring | Set to true to force delete key ring or false if not |
bool |
true |
no |
key_create_import_access_enabled | If set to true, Key Protect enables a key create import access policy on the instance | bool |
true |
no |
key_create_import_access_settings | Key create import access policy settings to configure if var.enable_key_create_import_access_policy is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess | object({ |
{} |
no |
key_endpoint_type | The type of endpoint to be used for creating keys. Accepts 'public' or 'private' | string |
"public" |
no |
key_map | Use this variable if you wish to create both a new key ring and new key. The map should contain the desired Key Ring name as the keys of the map, and a list of desired Key Protect Key names to create as the values for each Key Ring. | map(list(string)) |
{} |
no |
key_protect_endpoint_type | The type of the service endpoints to be set for the Key Protect instance. Possible values are 'public', 'private', or 'public-and-private'. Ignored is value for 'existing_key_protect_instance_guid' is passed. | string |
"public-and-private" |
no |
key_protect_instance_name | The name to give the Key Protect instance that will be provisioned by this module. Only used if 'create_key_protect_instance' is true | string |
null |
no |
key_protect_plan | Plan for the Key Protect instance. Currently only 'tiered-pricing' is supported. Only used if 'create_key_protect_instance' is true | string |
"tiered-pricing" |
no |
key_ring_endpoint_type | The type of endpoint to be used for creating key rings. Accepts 'public' or 'private' | string |
"public" |
no |
region | The IBM Cloud region where all resources will be provisioned. | string |
n/a | yes |
resource_group_id | The name of the Resource Group to provision all resources in. | string |
n/a | yes |
resource_tags | Optional list of tags to be added to the Key Protect instance. Only used if 'create_key_protect_instance' is true. | list(string) |
[] |
no |
rotation_enabled | If set to true, Key Protect enables a rotation policy on the Key Protect instance. | bool |
true |
no |
rotation_interval_month | Specifies the key rotation time interval in months. Must be between 1 and 12 inclusive. | number |
1 |
no |
Outputs
Name | Description |
---|---|
existing_key_ring_keys | IDs of Keys created by the module in existing Key Rings |
key_protect_guid | Key Protect GUID |
key_protect_id | Key Protect service instance ID when an instance is created, otherwise null |
key_protect_instance_policies | Instance Polices of the Key Protect instance |
key_protect_name | Key Protect Name |
key_rings | IDs of new Key Rings created by the module |
keys | IDs of new Keys created by the module |
Contributing
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.