The goals of this code pattern are to:
- Given a service, IBM Cloud Object Storage (COS), that stores data at rest, integrate it with IBM Key Protect and assign a customer-managed root key for encryption
- Demonstrate an architecture that uses IBM Key Protect to manage your own key (BYOK, bring your own key) when encrypting data at rest
- Demonstrate the IBM Cloud Terraform provider-based scripts used to deploy and configure the architecture
This code pattern provides the scripts needed to provision a Cloud Object Storage service instance and a bucket that stores data at rest, together with a Key Protect instance and the IAM authorization policy that allows the COS instance to read from Key Protect. A root key is then created in Key Protect and assigned to the COS bucket. The root key never leaves Key Protect: COS uses it to wrap the data encryption keys that protect the objects in the bucket (envelope encryption), so you control the key's lifecycle without handling object data yourself.
The Terraform scripts:
- Get an IAM auth token (iam_auth_token.tf), used by the scripts that call the Key Protect API directly
- Create a Key Protect resource instance
- Create a root key in the Key Protect instance (key_protect_certificate.tf)
- Create a Cloud Object Storage resource instance
- Create an IAM authorization policy that lets the COS instance read from the Key Protect instance
- Create a COS bucket encrypted with the KMS root key
- Delete the root key (key_protect_certificate.tf) when the Key Protect resource is destroyed
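The following is an added example of the same architecture written as a single Terraform configuration with the IBM Cloud provider; it is not the pattern's own scripts, and the resource names, region and bucket name are assumptions chosen for illustration. It shows the two security-relevant details that are easy to get wrong: the authorization is scoped to one COS instance and one Key Protect instance with the Reader role only, and the bucket is created only after that authorization exists.

```hcl
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

variable "ibmcloud_api_key" {
  type      = string
  sensitive = true
}

variable "region" {
  type    = string
  default = "us-south" # assumed region
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
}

# Key Protect (KMS) instance that will hold the customer-managed root key.
resource "ibm_resource_instance" "kms" {
  name     = "cos-byok-kms" # assumed name
  service  = "kms"
  plan     = "tiered-pricing"
  location = var.region
}

# Root key: a wrapping key that never leaves Key Protect. COS uses it to wrap
# the per-object data encryption keys; it does not encrypt object data directly.
resource "ibm_kms_key" "root" {
  instance_id  = ibm_resource_instance.kms.guid
  key_name     = "cos-bucket-root-key" # assumed name
  standard_key = false                 # false = root key, true = standard key
}

# Cloud Object Storage service instance.
resource "ibm_resource_instance" "cos" {
  name     = "cos-byok-instance" # assumed name
  service  = "cloud-object-storage"
  plan     = "standard"
  location = "global"
}

# Service-to-service authorization: this COS instance (and only it) gets the
# Reader role on this Key Protect instance (and only it). Reader is the minimum
# COS needs to wrap and unwrap with the root key; do not widen it to the whole
# service or to Manager.
resource "ibm_iam_authorization_policy" "cos_to_kms" {
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = ibm_resource_instance.cos.guid
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.kms.guid
  roles                       = ["Reader"]
}

# Bucket encrypted with the root key. depends_on forces the authorization to
# exist first; without it, bucket creation can race the policy and fail because
# COS cannot yet reach the key.
resource "ibm_cos_bucket" "encrypted" {
  bucket_name          = "cos-byok-bucket-example" # assumed; must be globally unique
  resource_instance_id = ibm_resource_instance.cos.id
  region_location      = var.region
  storage_class        = "standard"
  kms_key_crn          = ibm_kms_key.root.crn

  depends_on = [ibm_iam_authorization_policy.cos_to_kms]
}

# Exposed so you can confirm after apply that the bucket is bound to your key.
output "bucket_kms_key_crn" {
  value = ibm_cos_bucket.encrypted.kms_key_crn
}
```

After `terraform apply`, check that the `bucket_kms_key_crn` output matches the CRN of the root key you created in Key Protect; if it is empty, the bucket was created without BYOK and is using provider-managed keys. Keep in mind that Key Protect root keys are the trust anchor for the bucket: deleting the root key makes data encrypted under it unreadable, which is why the pattern ties the key's deletion to destroying the Key Protect instance rather than leaving it as an independent step.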