Skip to content

Provision IBM Cloud Object Storage with IBM Key Protect integration.

License

Notifications You must be signed in to change notification settings

Cloud-Schematics/kms-encrypted-cos-bucket

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

IBM Cloud Object Storage bucket with encryption

This module shows how to create a COS bucket encrypted with a KMS key.

KMS Encrypted Bucket


Table of Contents

  1. Setup
  2. Resources

Setup

This module requires an existing Cloud Object Storage and Key Protect instance.


Resources

This module creates three resources, an IAM Authorization Policy, a Key Protect Encryption Key, and a COS Bucket

Authorization Policy

This creates an authorization policy to allow the COS instance to read keys from the Key Protect instance so that the bucket can be encrypted.

Key Protect Key

This creates a key to encrypt the COS bucket. You can bring your own key or have one created for you.

COS Bucket

This creates a COS Bucket with the created key


Module Variables

Variable Type Description Default
ibmcloud_api_key string The IBM Cloud platform API key needed to deploy IAM enabled resources
ibm_region string IBM Cloud region where all resources will be deployed
resource_group string Name for IBM Cloud Resource Group where KMS and COS are deployed
account_id string Account ID where the COS and KMS instances are provisioned. This is required to ensure the authorization policy is created
kms_name string Name of KMS instance where the key will be uploaded
cos_name string COS instance where the bucket will be created
endpoint_type string Endpoint type for Key and COS Bucket. Can be public or private "public"
key_name string Name of the key to be created "test-key"
key_payload string Payload of the key to be created. If you do not want to bring your own key, leave this field blank ""
standard_key bool Set flag true for standard key, and false for root key. Default value is false. false
force_delete bool If set to true, Key Protect forces the deletion of a root or standard key, even if this key is still in use, such as to protect an IBM Cloud Object Storage bucket. Note that the key cannot be deleted if the protected cloud resource is set up with a retention policy. Successful deletion includes the removal of any registrations that are associated with the key. Default value is false. true
bucket_name string Name for the bucket to be created "byok-encrypted-cos-bucket-example"
cross_region_location string Location where the bucket will be provisioned. Currently this is only available in the US geo "us"
bucket_storage_class string The storage class that you want to use for the bucket. Supported values are standard, vault, cold, flex, and smart. "standard"