Deploy KMS Key

Application Scenario

Key Management Service (KMS) is the key management function of the Data Encryption Workshop (DEW) service. It is used to create and manage encryption keys that protect cloud data and applications. With KMS keys you can generate and manage keys for data encryption, choose among multiple encryption algorithms and key types, and encrypt data in storage and in transit to keep it secure. Automating KMS key creation through Terraform keeps key configuration standardized and consistent and improves operational efficiency. This best practice shows how to use Terraform to create KMS keys automatically.

This best practice involves the following main resources:

Resources

Operation Steps

1. Script Preparation

Prepare a TF file (e.g., main.tf) in the target workspace to hold the script for this best practice, and make sure that it (or another TF file in the same directory) contains the provider version declaration and the Huawei Cloud authentication information required to deploy resources. For configuration details, refer to the "Preparation Before Deploying Huawei Cloud Resources" document.

2. Create KMS Key Resource

Add the following script to the TF file (e.g., main.tf) to instruct Terraform to create a KMS key resource:

variable "key_name" {
  description = "The alias name of the KMS key"
  type        = string
}

variable "key_algorithm" {
  description = "The generation algorithm of the KMS key"
  type        = string
  default     = "AES_256"
}

variable "key_usage" {
  description = "The usage of the KMS key"
  type        = string
  default     = "ENCRYPT_DECRYPT"
}

variable "key_source" {
  description = "The source of the KMS key"
  type        = string
  default     = "kms"
}

variable "key_description" {
  description = "The description of the KMS key"
  type        = string
  default     = ""
}

variable "enterprise_project_id" {
  description = "The ID of the enterprise project to which the KMS key belongs"
  type        = string
  default     = null
}

variable "key_tags" {
  description = "The key/value pairs to associate with the KMS key"
  type        = map(string)
  default     = {}
}

variable "key_schedule_time" {
  description = "The number of days after which the KMS key is scheduled to be deleted"
  type        = string
  default     = "7"
}

# Create KMS key resource in the specified region (defaults to the region specified in the provider block when region parameter is omitted)
resource "huaweicloud_kms_key" "test" {
  key_alias             = var.key_name
  key_algorithm         = var.key_algorithm
  key_usage             = var.key_usage
  origin                = var.key_source
  key_description       = var.key_description
  enterprise_project_id = var.enterprise_project_id
  tags                  = var.key_tags
  pending_days          = var.key_schedule_time
}

Parameter Description:

  • key_alias: The key alias, assigned by referencing the input variable key_name

  • key_algorithm: The key generation algorithm, assigned by referencing the input variable key_algorithm, default value is "AES_256" (AES-256 algorithm)

  • key_usage: The key usage, assigned by referencing the input variable key_usage, default value is "ENCRYPT_DECRYPT" (encrypt and decrypt)

  • origin: The key source, assigned by referencing the input variable key_source, default value is "kms" (generated by KMS)

  • key_description: The key description, assigned by referencing the input variable key_description, optional parameter, default value is empty string

  • enterprise_project_id: The enterprise project ID to which the key belongs, assigned by referencing the input variable enterprise_project_id, optional parameter, default value is null

  • tags: The key tags, assigned by referencing the input variable key_tags, optional parameter, default value is empty map

  • pending_days: The number of days after which the key is scheduled to be deleted, assigned by referencing the input variable key_schedule_time, default value is "7" (delete after 7 days)

3. Preset Input Parameters Required for Resource Deployment (Optional)

In this practice, some resources take their configuration from input variables. Without presets, these values must be entered manually at each deployment. Terraform also lets you preset them in tfvars files, which avoids re-entering them on every run.

Create a terraform.tfvars file in the working directory with the following example content:

Usage:

  1. Save the above content as a terraform.tfvars file in the working directory (Terraform automatically loads a file with this name when running terraform commands. A file with any other name is loaded automatically only if .auto is added before tfvars, such as variables.auto.tfvars)

  2. Modify parameter values according to actual needs

  3. When executing terraform plan or terraform apply, Terraform will automatically read the variable values in this file

In addition to using the terraform.tfvars file, you can also set variable values in the following ways:

  1. Command line parameters: terraform apply -var="key_name=my_kms_key" -var="key_algorithm=AES_256"

  2. Environment variables: export TF_VAR_key_name=my_kms_key and export TF_VAR_key_algorithm=AES_256

  3. Custom named variable file: terraform apply -var-file="custom.tfvars"

Note: If the same variable is set through multiple methods, Terraform will use variable values according to the following priority: command line parameters > variable file > environment variables > default values.

4. Initialize and Apply Terraform Configuration

After completing the above script configuration, execute the following steps to create a KMS key:

  1. Run terraform init to initialize the environment

  2. Run terraform plan to view the resource creation plan

  3. After confirming that the resource plan is correct, run terraform apply to start creating the KMS key

  4. Run terraform show to view the details of the created KMS key

Note: After the KMS key is created, it can be used to encrypt and decrypt data. Keys support multiple encryption algorithms, such as AES_256 and SM4. Keys also support scheduled deletion, which deletes a key automatically after a specified number of days. Key tags help you categorize and manage keys. Keep key information safe, and do not commit sensitive information to version control systems.
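The plan confirmation in step 4 can be done mechanically. The script below is an added example, not code from the original page or the Huawei Cloud provider: it reads the JSON produced by terraform plan -out=tfplan followed by terraform show -json tfplan and flags huaweicloud_kms_key changes that delete or replace a key, use an algorithm outside an allow-list, or set a deletion window that is too short. The allow-list, the 7-day minimum, the function name review_kms_plan and the sample plan are assumptions constructed for illustration.

```python
import json

# Assumed local policy, not a Huawei Cloud or Terraform default.
ALLOWED_ALGORITHMS = {"AES_256", "SM4"}   # the two algorithms the page names
MIN_PENDING_DAYS = 7                      # the page's default deletion window

# Constructed sample in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "huaweicloud_kms_key.test", "type": "huaweicloud_kms_key",
         "change": {"actions": ["create"],
                    "after": {"key_alias": "my_kms_key", "key_algorithm": "AES_256",
                              "key_usage": "ENCRYPT_DECRYPT", "pending_days": "7"}}},
        {"address": "huaweicloud_kms_key.legacy", "type": "huaweicloud_kms_key",
         "change": {"actions": ["delete", "create"],
                    "after": {"key_alias": "legacy", "key_algorithm": "RSA_2048",
                              "key_usage": "ENCRYPT_DECRYPT", "pending_days": "3"}}},
    ]
})


def review_kms_plan(plan_json):
    """Return a list of (address, finding) tuples for KMS keys in a plan."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "huaweicloud_kms_key":
            continue
        addr = rc["address"]
        change = rc.get("change", {})
        # A delete (alone or as part of a replace) schedules the key for deletion;
        # data encrypted under it is unrecoverable once the window ends.
        if "delete" in change.get("actions", []):
            findings.append((addr, "plan deletes or replaces an existing key"))
        after = change.get("after") or {}   # "after" is null for a pure delete
        if not after:
            continue
        alg = after.get("key_algorithm")
        if alg not in ALLOWED_ALGORITHMS:
            findings.append((addr, f"algorithm {alg!r} is not on the allow-list"))
        days = str(after.get("pending_days") or "")
        if not days.isdigit() or int(days) < MIN_PENDING_DAYS:
            findings.append(
                (addr, f"pending_days {days!r} is missing or below {MIN_PENDING_DAYS}"))
    return findings


if __name__ == "__main__":
    for address, finding in review_kms_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

An empty result means the plan passed these checks; run terraform apply tfplan afterwards so that the reviewed plan is exactly what gets applied.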

Reference Information
