README.md
+124 -1
@@ -129,7 +129,7 @@ Before you begin using this Terraform module, ensure you meet the following prer
129
129
| ebs\_volume\_size | The size of the EBS volumes, used by the GraphDB nodes. |`number`|`500`| no |
130
130
| ebs\_volume\_throughput | Throughput for the EBS volumes, used by the GraphDB nodes. |`number`|`250`| no |
131
131
| ebs\_volume\_iops | IOPS for the EBS volumes, used by the GraphDB nodes. |`number`|`8000`| no |
132
-
| ebs\_kms\_key\_arn| KMS key used for ebs volume encryption. |`string`|`"alias/aws/ebs"`| no |
132
+
| ebs\_default\_kms\_key | KMS key used for ebs volume encryption. |`string`|`"alias/aws/ebs"`| no |
133
133
| prevent\_resource\_deletion | Defines if applicable resources should be protected from deletion or not |`bool`|`true`| no |
134
134
| graphdb\_license\_path | Local path to a file, containing a GraphDB Enterprise license. |`string`|`null`| no |
135
135
| graphdb\_admin\_password | Password for the 'admin' user in GraphDB. |`string`|`null`| no |
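Review bot: Renaming `ebs_kms_key_arn` to `ebs_default_kms_key` is a breaking change for every existing caller that sets the old name, and nothing in this hunk (or the README text) flags it as such; a deprecation note or a `moved`/validation hint in the variable description would make the migration visible. The description is also unchanged ("KMS key used for ebs volume encryption."), so it no longer explains what the new name implies, namely that this is the fallback key used only when no customer managed key is created. Note too that the same patch later introduces `graphdb_default_ebs_cmk_alias` with the identical default `"alias/aws/ebs"`, so after this change two variables carry the default EBS key; consider keeping one of them and documenting which takes precedence.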
@@ -163,6 +163,57 @@ Before you begin using this Terraform module, ensure you meet the following prer
163
163
| asg\_enable\_instance\_refresh | Enables instance refresh for the GraphDB Auto scaling group. A refresh is started when any of the following Auto Scaling Group properties change: launch\_configuration, launch\_template, mixed\_instances\_policy |`bool`|`false`| no |
164
164
| asg\_instance\_refresh\_checkpoint\_delay | Number of seconds to wait after a checkpoint. |`number`|`3600`| no |
165
165
| graphdb\_enable\_userdata\_scripts\_on\_reboot | (Experimental) Modifies cloud-config to always run user data scripts on EC2 boot |`bool`|`false`| no |
166
+
| create\_s3\_kms\_key | Enable creation of KMS key for S3 bucket encryption |`bool`|`false`| no |
167
+
| s3\_kms\_key\_admin\_arn | ARN of the role or user granted administrative access to the S3 KMS key. |`string`|`""`| no |
168
+
| s3\_key\_rotation\_enabled | Specifies whether key rotation is enabled. |`bool`|`true`| no |
| s3\_cmk\_alias | The alias for the CMK key. |`string`|`"alias/graphdb-s3-cmk-key"`| no |
171
+
| s3\_kms\_key\_enabled | Specifies whether the key is enabled. |`bool`|`true`| no |
172
+
| s3\_key\_specification | Specification of the Key. |`string`|`"SYMMETRIC_DEFAULT"`| no |
173
+
| s3\_key\_deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). |`number`|`30`| no |
174
+
| s3\_cmk\_description | Description for the KMS Key |`string`|`"KMS key for S3 bucket encryption."`| no |
175
+
| s3\_external\_kms\_key\_arn | Externally provided KMS CMK |`string`|`""`| no |
176
+
| create\_parameter\_store\_kms\_key | Enable creation of KMS key for Parameter Store encryption |`bool`|`false`| no |
177
+
| parameter\_store\_key\_admin\_arn | ARN of the key administrator role for Parameter Store |`string`|`""`| no |
178
+
| parameter\_store\_key\_tags | A map of tags to assign to the resources. |`map(string)`|`{}`| no |
179
+
| parameter\_store\_key\_rotation\_enabled | Specifies whether key rotation is enabled. |`bool`|`true`| no |
180
+
| parameter\_store\_cmk\_alias | The alias for the CMK key. |`string`|`"alias/graphdb-param-cmk-key"`| no |
181
+
| parameter\_store\_key\_enabled | Specifies whether the key is enabled. |`bool`|`true`| no |
182
+
| parameter\_store\_key\_spec | Specification of the Key. |`string`|`"SYMMETRIC_DEFAULT"`| no |
183
+
| parameter\_store\_key\_deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). |`number`|`30`| no |
184
+
| parameter\_store\_cmk\_description | Description for the KMS Key |`string`|`"KMS key for Parameter Store bucket encryption."`| no |
185
+
| graphdb\_parameter\_store\_key\_admin\_arn | ARN of the key administrator role for Parameter Store |`string`|`""`| no |
186
+
| graphdb\_parameter\_store\_key\_tags | A map of tags to assign to the resources. |`map(string)`|`{}`| no |
187
+
| graphdb\_parameter\_store\_key\_rotation\_enabled | Specifies whether key rotation is enabled. |`bool`|`true`| no |
188
+
| graphdb\_parameter\_store\_default\_key | Define default key for parameter store if no KMS key is used |`string`|`"alias/aws/ssm"`| no |
189
+
| graphdb\_parameter\_store\_key\_enabled | Specifies whether the key is enabled. |`bool`|`true`| no |
190
+
| graphdb\_parameter\_store\_key\_spec | Specification of the Key. |`string`|`"SYMMETRIC_DEFAULT"`| no |
191
+
| graphdb\_parameter\_store\_key\_deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). |`number`|`30`| no |
192
+
| graphdb\_parameter\_store\_cmk\_description | Description for the KMS Key |`string`|`"KMS key for Parameter Store bucket encryption."`| no |
193
+
| create\_graphdb\_parameter\_store\_kms\_key | Enable creation of KMS key for Parameter Store encryption |`bool`|`false`| no |
194
+
| parameter\_store\_external\_kms\_key | Externally provided KMS CMK |`string`|`""`| no |
195
+
| graphdb\_ebs\_key\_admin\_arn | ARN of the key administrator role for Parameter Store |`string`|`""`| no |
196
+
| graphdb\_ebs\_key\_tags | A map of tags to assign to the resources. |`map(string)`|`{}`| no |
197
+
| graphdb\_ebs\_key\_rotation\_enabled | Specifies whether key rotation is enabled. |`bool`|`true`| no |
198
+
| graphdb\_default\_ebs\_cmk\_alias | The alias for the default Managed key. |`string`|`"alias/aws/ebs"`| no |
199
+
| graphdb\_ebs\_cmk\_alias | Define custom alias for the CMK Key |`string`|`"alias/graphdb-cmk-ebs-key"`| no |
200
+
| graphdb\_ebs\_key\_enabled | Specifies whether the key is enabled. |`bool`|`true`| no |
201
+
| graphdb\_ebs\_key\_spec | Specification of the Key. |`string`|`"SYMMETRIC_DEFAULT"`| no |
202
+
| graphdb\_ebs\_key\_deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). |`number`|`30`| no |
203
+
| graphdb\_ebs\_cmk\_description | Description for the KMS Key |`string`|`"KMS key for S3 bucket encryption."`| no |
204
+
| graphdb\_ebs\_external\_kms\_key | Externally provided KMS CMK |`string`|`""`| no |
205
+
| ebs\_cmk\_enabled | Enable or disable toggle for ebs volume encryption. |`bool`|`true`| no |
206
+
| create\_graphdb\_ebs\_kms\_key | Creates KMS key for the EBS volumes |`bool`|`false`| no |
207
+
| create\_sns\_kms\_key | Enable Customer managed keys for encryption. If set to false it will use AWS managed key. |`bool`|`false`| no |
208
+
| sns\_cmk\_description | Description for the KMS key for the encryption of SNS |`string`|`"KMS CMK Key to encrypt SNS topics"`| no |
209
+
| sns\_key\_admin\_arn | ARN of the role or user granted administrative access to the SNS KMS key. |`string`|`""`| no |
210
+
| deletion\_window\_in\_days | The waiting period, specified in number of days for AWS to delete the KMS key(Between 7 and 30). |`number`|`30`| no |
211
+
| sns\_external\_kms\_key | ARN of the external KMS key that will be used for encryption of SNS topics |`string`|`""`| no |
212
+
| sns\_cmk\_key\_alias | The alias for the SNS CMK key. |`string`| n/a | yes |
213
+
| sns\_default\_kms\_key | ARN of the default KMS key that will be used for encryption of SNS topics |`string`|`"alias/aws/sns"`| no |
214
+
| key\_spec | Specification of the Key. |`string`|`"SYMMETRIC_DEFAULT"`| no |
215
+
| key\_enabled | Specifies whether the key is enabled. |`bool`|`true`| no |
216
+
| rotation\_enabled | Specifies whether key rotation is enabled. |`bool`|`true`| no |
166
217
<!-- END_TF_DOCS -->
167
218
168
219
## Usage
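Review bot: Several of the new rows are near-duplicates or have copy-pasted descriptions that no longer match the variable, which will mislead anyone choosing a key for encryption at rest. Specifically: `create_parameter_store_kms_key` and `create_graphdb_parameter_store_kms_key` are both described as "Enable creation of KMS key for Parameter Store encryption", and `parameter_store_key_admin_arn` / `graphdb_parameter_store_key_admin_arn` (plus the `_key_tags`, `_key_rotation_enabled`, `_key_enabled`, `_key_spec`, `_key_deletion_window_in_days`, `_cmk_description` pairs) appear to describe the same key twice; `graphdb_ebs_key_admin_arn` is described as "ARN of the key administrator role for Parameter Store"; `graphdb_ebs_cmk_description` defaults to `"KMS key for S3 bucket encryption."` and `parameter_store_cmk_description` to `"KMS key for Parameter Store bucket encryption."`, which would land as the visible description on the wrong key in the KMS console; and the unprefixed `key_spec`, `key_enabled`, `rotation_enabled` and `deletion_window_in_days` give no indication which of the four keys (S3, Parameter Store, EBS, SNS) they govern. One further point: `sns_cmk_key_alias` is the only alias with no default (`n/a | yes`), so the module now fails to plan for every existing user until they supply it; the other three aliases ship defaults, and this one should too for consistency. Finally, the admin-ARN variables all default to `""`, which per the Usage text means the key policy falls back to the current AWS account; it is worth stating in the description that this grants the account principal full administrative rights on the key, so operators deliberately choose a narrower role.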
@@ -310,6 +361,78 @@ deploy_logging_module = true
310
361
vpc_enable_flow_logs = true
311
362
vpc_flow_logs_lifecycle_rule_status = "Enabled"
312
363
```
364
+
#### KMS Encryption using Customer Master Keys
365
+
366
+
**Parameter Store encryption**
367
+
368
+
You can encrypt parameters stored in AWS Systems Manager Parameter Store using KMS CMKs. This ensures that sensitive data, such as configuration secrets, are securely encrypted at rest.
369
+
370
+
##### Keys:
371
+
372
+
To utilize CMK, ensure that **enable_graphdb_parameter_store_kms_key = true** is set. This will generate a new KMS Key.
373
+
374
+
If **enable_graphdb_parameter_store_kms_key = false**, encryption will be disabled.
375
+
376
+
You can also supply your own key using the parameter_store_external_kms_key parameter: **parameter_store_external_kms_key**
You can designate a Key admin by setting the **graphdb_parameter_store_key_admin_arn** parameter, or you can use the current AWS account by leaving this parameter empty.
You can secure EBS volumes using KMS CMKs to encrypt data at rest. This adds an extra layer of protection for data stored on EBS volumes attached to EC2 instances.
393
+
394
+
##### Keys:
395
+
396
+
To use CMK, set **create_graphdb_ebs_kms_key = true**. This will create a new KMS Key.
397
+
398
+
If **create_graphdb_ebs_kms_key = false** the default AWS key encryption will be used.
399
+
400
+
You can provide your own key by using the parameter **ebs_external_kms_key**.
You can specify a Key admin by setting the **graphdb_ebs_key_admin_arn** parameter, or you can use the current AWS account by leaving this parameter empty.
You can encrypt S3 bucket objects using KMS CMKs to ensure that data at rest is secure. This protects the integrity and confidentiality of data stored in S3 buckets.
417
+
418
+
##### Keys
419
+
To use CMK, set **create_s3_kms_key = true**. This will create a new KMS Key.
420
+
421
+
If **create_s3_kms_key = false**, the default AWS key (**alias/aws/s3**) will be used.
422
+
423
+
You can also provide your own key by setting the **s3_external_kms_key_arn** parameter.
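Review bot: The Parameter Store and EBS prose references variables that do not exist in the table added in this same patch: `enable_graphdb_parameter_store_kms_key` (the table defines `create_graphdb_parameter_store_kms_key` and `create_parameter_store_kms_key`) and `ebs_external_kms_key` (the table defines `graphdb_ebs_external_kms_key`); the S3 section already uses the `create_s3_kms_key` / `s3_external_kms_key_arn` names correctly, so the other two sections should be aligned with their table rows. The statement "If enable_graphdb_parameter_store_kms_key = false, encryption will be disabled" also contradicts the table, where `graphdb_parameter_store_default_key` defaults to `"alias/aws/ssm"`; the EBS and S3 sections say the AWS managed key is used in that case, and the Parameter Store section should say the same rather than claim encryption is switched off. Smaller points: the "##### Keys:" headings carry a trailing colon in two sections and not in the third, the sentence "using the parameter_store_external_kms_key parameter: **parameter_store_external_kms_key**" names the variable twice, and since this sits under "## Usage" a short `.tfvars` snippet showing `create_*_kms_key`, `*_external_kms_key` and `*_key_admin_arn` together (and which wins when both a created key and an external key are set) would answer the question most readers will have.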