feat: Add variables to configure key_algorithm and key_protection_lev…

…el (#27)
terraform-google-modules · May 26, 2020 · 3f01a09 · 3f01a09
1 parent 94c9445
commit 3f01a09
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -45,6 +45,8 @@ Functional examples are included in the
 |------|-------------|:----:|:-----:|:-----:|
 | decrypters | List of comma-separated owners for each key declared in set_decrypters_for. | list(string) | `<list>` | no |
 | encrypters | List of comma-separated owners for each key declared in set_encrypters_for. | list(string) | `<list>` | no |
+| key\_algorithm | The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs. | string | `"GOOGLE_SYMMETRIC_ENCRYPTION"` | no |
+| key\_protection\_level | The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM"] | string | `"SOFTWARE"` | no |
 | key\_rotation\_period |  | string | `"100000s"` | no |
 | keyring | Keyring name. | string | n/a | yes |
 | keys | Key names. | list(string) | `<list>` | no |

diff --git a/main.tf b/main.tf
@@ -33,6 +33,11 @@ resource "google_kms_crypto_key" "key" {
   lifecycle {
     prevent_destroy = true
   }
+
+  version_template {
+    algorithm        = var.key_algorithm
+    protection_level = var.key_protection_level
+  }
 }
 
 resource "google_kms_crypto_key" "key_ephemeral" {
@@ -44,6 +49,11 @@ resource "google_kms_crypto_key" "key_ephemeral" {
   lifecycle {
     prevent_destroy = false
   }
+
+  version_template {
+    algorithm        = var.key_algorithm
+    protection_level = var.key_protection_level
+  }
 }
 
 resource "google_kms_crypto_key_iam_binding" "owners" {

diff --git a/variables.tf b/variables.tf
@@ -82,3 +82,14 @@ variable "key_rotation_period" {
   default = "100000s"
 }
 
+variable "key_algorithm" {
+  type        = string
+  description = "The algorithm to use when creating a version based on this template. See the https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm for possible inputs."
+  default     = "GOOGLE_SYMMETRIC_ENCRYPTION"
+}
+
+variable "key_protection_level" {
+  type        = string
+  description = "The protection level to use when creating a version based on this template. Default value: \"SOFTWARE\" Possible values: [\"SOFTWARE\", \"HSM\"]"
+  default     = "SOFTWARE"
+}