AWS KMS Key

OpenTofu module for provisioning AWS KMS keys with alias, anti-lockout policy, custom key policies, rotation, and multi-region support

Overview

This module creates an AWS KMS key with alias and configurable key policy. It includes an anti-lockout policy granting root account access and management permissions for an InfrastructureDeployer role.

Key Features

  • KMS key creation with automatic alias
  • Built-in anti-lockout policy (root account access)
  • InfrastructureDeployer role management permissions
  • Custom key policy merging for service/application access
  • Configurable key rotation, deletion window, and key spec
  • Multi-region key support

Usage

module "kms_key" {
  source = "git::https://github.com/Im5tu/opentofu-aws-kms-key.git?ref=main"

  # Used for the key alias.
  name   = "my-application-key"
  # Caller-supplied statements (service/application access); the module merges
  # these with its built-in anti-lockout and InfrastructureDeployer statements.
  policy = data.aws_iam_policy_document.kms_usage.json
}
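As an added example (not from the module's repository), this is what the `data.aws_iam_policy_document.kms_usage` document referenced above might contain for an application role: data-plane use only, with the root anti-lockout and InfrastructureDeployer statements left to the module. The `aws_iam_role.app` resource and its names are assumptions.

```hcl
# Assumed names: aws_iam_role.app and the "kms_usage" document are illustrative
# and are not part of the module. The module adds the root anti-lockout
# statement and the InfrastructureDeployer permissions itself, so this policy
# only needs to grant the application's usage rights.
resource "aws_iam_role" "app" {
  name = "my-application"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

data "aws_iam_policy_document" "kms_usage" {
  # Data-plane actions only: no kms:PutKeyPolicy or kms:ScheduleKeyDeletion,
  # so the application can use the key but cannot alter or destroy it.
  statement {
    sid    = "AllowApplicationUse"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.app.arn]
    }
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    # In a key policy, "*" refers to the key the policy is attached to.
    resources = ["*"]
  }
}

module "kms_key" {
  source = "git::https://github.com/Im5tu/opentofu-aws-kms-key.git?ref=main"

  name   = "my-application-key"
  policy = data.aws_iam_policy_document.kms_usage.json
}
```

After `tofu apply`, `aws kms get-key-policy --key-id <alias or id> --policy-name default` should show the application statement alongside the module's root and InfrastructureDeployer statements.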