# Customer-managed KMS vault. Created only when var.create_vault is true,
# so every downstream reference has to go through the [0] index.
resource "oci_kms_vault" "vault" {
  count = var.create_vault ? 1 : 0

  compartment_id = oci_identity_compartment.compartment.id
  display_name   = "${var.prefix}vault"
  vault_type     = "DEFAULT"
  freeform_tags  = local.freeform_tags
}
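# One HSM-protected AES-256 key per service that has KMS enabled in var.use_kms.
# The instance key (e.g. "volume", "object", "database") is what
# oci_identity_policy.kms_service_policy uses to look up the key id.
resource "oci_kms_key" "key" {
  # Only create a key for entries whose value is true. Iterating the whole map
  # also provisioned (billable) HSM keys for services explicitly disabled with
  # `false`, even though no policy statement ever granted access to them.
  # Nothing is created without a vault.
  # Assumes var.use_kms is a map/object of bool, as the policy's
  # `!var.use_kms.<svc>` checks imply — TODO confirm in variables.
  for_each = var.create_vault ? { for svc, enabled in var.use_kms : svc => enabled if enabled } : {}

  compartment_id = oci_identity_compartment.compartment.id
  # The vault uses count, hence the [0]. for_each is {} when there is no
  # vault, so this attribute is never evaluated without a vault instance.
  management_endpoint = oci_kms_vault.vault[0].management_endpoint
  display_name        = join("", [var.prefix, each.key, "-key"])
  desired_state       = "ENABLED"
  # HSM protection keeps key material inside the hardware module; it is not
  # exportable, unlike SOFTWARE-protected keys.
  protection_mode = "HSM"

  key_shape {
    algorithm = "AES"
    length    = 32 # key length in bytes, i.e. AES-256
  }

  freeform_tags = local.freeform_tags
}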
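# IAM policy that lets OCI services use the customer-managed keys. Each
# statement is scoped to the compartment AND pinned to one key id via
# `where target.key.id=...`, so a service can only use the key made for it.
resource "oci_identity_policy" "kms_service_policy" {
  compartment_id = oci_identity_compartment.compartment.id
  name           = "kms-service-policy"
  description    = "kms service policy"

  # Each conditional yields "" for a disabled service; compact() drops those so
  # the API never receives empty statement strings (which it is unlikely to
  # accept). The key lookup sits in the branch taken only when the service is
  # enabled, which is exactly when oci_kms_key.key[<svc>] exists.
  # If every service is disabled the list is empty; the resource is deliberately
  # not count-guarded so its address (and any references to it) stay stable.
  statements = compact([
    !var.use_kms.volume ? "" :
    "allow service blockstorage to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["volume"].id}'",
    !var.use_kms.object ? "" :
    "allow service objectstorage-${var.oci_region} to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["object"].id}'",
    !var.use_kms.database ? "" :
    "allow service dbcs to use keys in compartment '${oci_identity_compartment.compartment.name}' where target.key.id='${oci_kms_key.key["database"].id}'",
  ])

  freeform_tags = local.freeform_tags
}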