Managing KMS keys with Hashicorp Terraform
The Terraform provider for Yandex.Cloud supports the use of KMS keys.
Adding keys
You can add a KMS key using the yandex_kms_symmetric_key resource block:
resource "yandex_kms_symmetric_key" "kms-key" {
  lifecycle {
    prevent_destroy = true // Terraform refuses any plan that would delete this key
  }
  name              = "example-symmetric-key"
  description       = "description for key"
  default_algorithm = "AES_256"
  rotation_period   = "8760h" // equal to 1 year
}
Warning
Deleting a KMS key makes all data encrypted with that key unrecoverable: once the key is gone, its ciphertexts can no longer be decrypted. The lifecycle block with prevent_destroy = true makes Terraform refuse any plan that would delete or replace the key (the terraform destroy command, for example) until that setting is removed from the configuration. Note what it does not cover: if the whole resource block is removed from the configuration, the setting disappears with it and Terraform will delete the key, and it has no effect on deletion through the console, CLI or API, which is controlled by the IAM roles granted on the folder.
Managing key access
To manage access to keys in Terraform, assign the necessary roles on the folder that contains the key. A folder-scoped role applies to every key in that folder, so keep keys that need different access policies in separate folders.
For example, grant a service account the kms.keys.encrypterDecrypter role, which allows it to encrypt and decrypt data with any key in the folder:
data "yandex_iam_policy" "encrypter_decrypter_iam_policy" {
  binding {
    role = "kms.keys.encrypterDecrypter"
    members = [
      "serviceAccount:<service account ID>",
    ]
  }
}
resource "yandex_resourcemanager_folder_iam_policy" "folder_iam_policy" {
  folder_id   = "<folder ID>"
  policy_data = data.yandex_iam_policy.encrypter_decrypter_iam_policy.policy_data
}
The quotes-and-${...} interpolation form used by Terraform 0.11 still works but is deprecated; the plain reference above is the current syntax. Note that yandex_resourcemanager_folder_iam_policy is authoritative: policy_data replaces the folder's entire set of access bindings, so any role assignment not listed in the yandex_iam_policy data source is removed on apply. List every binding the folder needs, or use the non-authoritative yandex_resourcemanager_folder_iam_member resource when you only want to add a single binding.