How to Create KMS Keys in GCP with Terraform?

Reading Time: 4 minutes

In this blog, we will be learning about KMS keys for encryption in google cloud and how we can provision them with terraform.

What is KMS?

KMS is a key management service in google cloud where we can create key rings and keys for encryption By default every resource in GCP is encrypted with google managed encryption keys but with the help of this KMS, we can create customer-managed encryption keys.

Pre-requisite:

Make sure the Cloud Key Management Service (KMS) API is enabled
make sure your service account has proper permission for KMS resources
terraform installed
Gcloud cli

Add Provider in terraform

provider "google" {

credentials = file("~/gcp/access-keys.json")

project = var.project_id

region = var.region

}

Creating a Keyring Resource

First of all, let’s understand what is a key ring, A Keyring is a top-level logical grouping of CryptoKeys it organizes keys in a Specific google cloud location and allows us to manage access control on groups of keys.

To Create a Keyring we will use the resource “google_kms_key_ring“

resource "google_kms_key_ring" "default" {

  name = var.ring_name

  location = var.region

}

Here in this resource, we have defined a key ring resource and under that we have specified two fields i.e name of the key ring and its location.

Creating a Key Resource

Now in order to use the keyring, we have to create a key inside this key ring. So to create a crypto key we will use this resource google_kms_crypto_key

resource "google_kms_crypto_key" "key" {

  name = var.key_name

  key_ring = google_kms_key_ring.keyring.id

  rotation_period = var.rotation_period


  version_template {

    algorithm = var.algorithm

  }


  lifecycle {

    prevent_destroy = false

  }

}

Here as you can see we have defined the following arguments:

name – The name of the crypto key that will be created inside the key ring. Also remember it is a required field.
key_ring – It is also required and denotes the keyring that this key will belong to, In our case, we have attached it to the key ring we created earlier.
rotation_period – (optional) Every time this period passes, a new key is generated with a new crypto key version and it is set as the primary.
version_template – (optional) a template describing settings for new crypto key versions. in the version template we get a parameter algorithm that is required and this is used to define the algorithm to use when creating a version based on this.

Next after creating this key ring and key, we have to give permissions to a google identity who can use this key or encryption and decryption i.e it will be a service account and you can also choose to give it anyone permission either encrypt or decrypt or maybe both.

Giving permission to Service account to use key

resource "google_kms_crypto_key_iam_binding" "crypto_key" {

  crypto_key_id = google_kms_crypto_key.key.id

  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

  members       = [
     "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",

  ]

}

Every resource in GCP has service agent which is usually of this type

service-[PROJECT-NUMBER]@[Service-name].gserviceaccount.com

Firstly with this resource we are binding the key we created with this service account and it will have a role to encrypt and decrypt it. Here we are using a resource google_kms_crypto_key_iam_binding and under that, we have given the crypto id.

Also in the above resource, you might have noticed “${data.google_project.project.number}”, this is being used for getting the project number, so in order to get this make sure you add this data in your main.tf

data “google_project” “project” {}

It will help to read the project number and you can pass the service account.

Creating a Var.tf file

Now create the var.tf and add the variables

variable "key_name" {

  description = "Name of the KMS key"

  type = string

}

variable "keyring_name" {

  description = "Name of the KMS Keyring"

  type = string

}

variable "algorithm" {

  description = "Algorithm for the KMS key"


  type = string

}

variable "region" {

  description = "Region for the KMS key"

  type = string

}

variable "rotation_period" {

  description = "Time in seconds to rotate key"

  type = string


}

variable "project_id" {

  type = string

}

Creating a Terraform.tfvars file

Now Create a terraform.tfvars file and pass all the variables

project_id = "neon-semiotics-351410"

keyring_name  = "knoldus_keyring_east1"

key_name = "crypto-knoldus"

rotation_period = "2592000s" //30 days [its the default]

region = "us-east1"

algorithm = "GOOGLE_SYMMETRIC_ENCRYPTION"

Let’s Run and create this resources

terraform init

Obviously that the terraform init is successful, now let’s run plan

terraform plan

Indeed the terraform plan is also successful, so you can run apply to create the resources

terraform apply

after running apply you will be prompted to ask if you want to perform the actions, enter yes

Finally you can see it has created the resource and to verify that , you can visit the console

Here you can see it has created a key ring named knoldus_keyring_east1 and inside that key ring it has created a key named crypto-knoldus. Additionally, it has a software protection level and it has also a rotation period. If you want to change any parameter. Moreover, You can directly change it in the terraform code and run the plan and apply it, it will be updated.

Conclusion:

This was all about how you can create and manage KMS in google cloud. You use it for encrypting and decrypting purposes. If you liked this blog please do like and share and comment. Lastly, If you want to explore more about the resources, You can visit this resource1 resource2

Happy Learning!!