kms-key

Category Security
Latest Version 0.1.0current

Terraform module for kms-key on aws

Add to your Terraform configuration
module "kms_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "0.1.0"

  # Required inputs
  alias = "..."
}

Overview

The kms-key module creates AWS KMS customer managed keys with production-ready defaults including:

  • Configurable key policies with fine-grained access control
  • Automatic annual key rotation for enhanced security
  • Multi-region replication support for disaster recovery
  • Alias management for friendly key naming
  • CloudTrail integration for audit logging

Category: Security Provider: AWS Latest Version: 1.0.0

Quick Start

module "encryption_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias       = "alias/app-encryption"
  description = "Encryption key for application data"
}

Key Features

Automatic Key Rotation

Keys are automatically rotated annually by default, meeting compliance requirements without manual intervention:

module "compliant_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias              = "alias/compliant-encryption"
  description        = "Encryption key with annual rotation"
  enable_key_rotation = true  # Default
}

S3 Bucket Encryption

Encrypt S3 bucket data using customer managed keys:

module "s3_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias       = "alias/s3-encryption"
  description = "Encryption key for S3 bucket data"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = module.s3_key.key_arn
      sse_algorithm     = "aws:kms"
    }
  }
}

Configurable Deletion Window

Control the waiting period before key deletion for safety:

module "short_deletion_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias                   = "alias/dev-encryption"
  description             = "Development encryption key"
  deletion_window_in_days = 7  # Minimum 7, maximum 30
}

Documentation

Registry

View specification on Registry

Inputs

description
string

Description of the KMS key. Include purpose and which services or applications use it.

alias Required
string

Alias for the KMS key. Must start with 'alias/' (e.g., alias/my-app-encryption).

enable_key_rotation
bool Default: true

Whether to enable automatic key rotation. AWS rotates the key material annually when enabled.

deletion_window_in_days
number Default: 30

Duration in days before the key is deleted. Minimum 7, maximum 30.

tags
map(string)

Tags to apply to all resources

publish_ssm_parameters
bool Default: true

Publish KMS key metadata to SSM Parameter Store for discovery by other modules

Outputs

key_id

ID of the KMS key.

key_arn

ARN of the KMS key.

alias_arn

ARN of the KMS key alias.

alias_name

Name of the KMS key alias.

ssm_parameter_paths

SSM parameter paths where KMS key metadata is published

Related Resources
Inputs Reference Outputs Reference Examples Changelog