Key Management Service: Overview

Last Updated: Nov 07, 2023

Terraform is an open source tool that allows you to preview, configure, and manage cloud infrastructures and resources in a secure and efficient manner. This topic provides an overview of Terraform and explores its use cases in Key Management Service.

Introduction to Terraform

Terraform is a tool that supports the automated orchestration of IT infrastructure. Terraform allows you to use code to manage and maintain IT resources. For more information, see What is Terraform?

  • Terraform provides an easy-to-use CLI that allows you to deploy configuration files on the workloads of Alibaba Cloud services or third-party cloud services and manage the versions of the configuration files. Terraform allows you to define the infrastructure resources that are required to build cloud topologies in configuration files. The resources include virtual machines (VMs), storage accounts, and network interfaces.

  • Terraform can be integrated with the Alibaba Cloud provider to support new infrastructures. You can use a template to configure the Alibaba Cloud provider to define, preview, and deploy cloud infrastructure on Alibaba Cloud.

  • Terraform allows you to create, modify, and delete the resources of multiple Alibaba Cloud services, such as Elastic Compute Service (ECS), Virtual Private Cloud (VPC), ApsaraDB RDS, and Server Load Balancer (SLB).

Use Terraform to manage KMS resources

KMS allows you to manage the following resources by using Terraform. The provider version that supports each operation is listed with it.

  • Create and manage aliases. Provider version: 1.77.0 and later.

  • Create and manage application access points (AAPs). For more information, see Create an AAP. Provider version: 1.210.0 and later.

  • Create and manage client keys. For more information, see Create an AAP. Provider version: 1.210.0 and later.

  • Purchase and enable instances of the software key management type. For more information, see Purchase and enable a KMS instance of the software key management type. Provider version: 1.210.0 and later.

    You can use Terraform to purchase and enable only instances of the software key management type. You cannot use Terraform to purchase and enable instances of the hardware key management type.

  • Create and manage keys. For more information, see Create a key. Provider version: 1.85.0 and later.

  • Create and manage key versions. Provider version: 1.85.0 and later.

  • Create and manage network access rules. For more information, see Create an AAP. Provider version: 1.210.0 and later.

  • Create and manage permission policies. For more information, see Create an AAP. Provider version: 1.210.0 and later.

  • Create and manage secrets. For more information, see Create a secret. Provider version: 1.76.0 and later.

Use Terraform

  1. Install Terraform 0.14.0 or later.

    Note

    After Terraform is installed, you can run the terraform --version command to check the version of Terraform. If the version is earlier than 0.14.0, install a supported version to replace it.

  2. Configure the information about your Alibaba Cloud account.

    To improve the flexibility and security of permission management, we recommend that you create a Resource Access Management (RAM) user named Terraform, create an AccessKey pair for the RAM user, and then grant the AliyunKMSFullAccess permission to the RAM user. For more information, see Create a RAM user and Grant permissions to a RAM user.

    You can select an Alibaba Cloud authentication method to provide the authentication information required by Terraform.

    • (Recommended) Method 1: Configure environment variables to store authentication information.

      export ALICLOUD_ACCESS_KEY="******"
      export ALICLOUD_SECRET_KEY="******"
      export ALICLOUD_REGION="******"

    • Method 2: Specify authentication information in the provider code block of the configuration file. Credentials in this file are stored in plaintext, so keep the file out of version control.

      provider "alicloud" {
        access_key = "******"
        secret_key = "******"
        region     = "******"
      }

  3. Check whether the provider version needs to be upgraded.

    • Query the provider version.

      terraform -version

    • Upgrade the provider version.

      terraform init -upgrade
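
The setup steps above can be checked before the first terraform run. The following preflight script is an added example, not Alibaba Cloud tooling: the function names are hypothetical, and it assumes a POSIX shell with find, grep, sed, and cut. It verifies the Terraform version from step 1, confirms that the Method 1 variables are set, and flags Method 2 style literal credentials in configuration files.

```shell
# Added example (hypothetical function names). Minimum version is from step 1.
MIN_TERRAFORM="0.14.0"

# version_ge A B: succeed if dotted version A >= B, compared field by field.
version_ge() {
  va=${1%%-*}; vb=${2%%-*}            # drop suffixes such as -beta1
  for n in 1 2 3; do
    x=${va%%.*}; y=${vb%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 0
}

# Read `terraform --version` output on stdin, print the core version number.
terraform_version_from() {
  sed -n 's/^Terraform v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Method 1: print the names (never the values) of unset or empty variables.
missing_auth_env() {
  miss=""
  for v in ALICLOUD_ACCESS_KEY ALICLOUD_SECRET_KEY ALICLOUD_REGION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || miss="$miss $v"
  done
  echo "${miss# }"
}

# Method 2: print file:line for each literal access_key/secret_key assignment
# in *.tf files under DIR. Succeeds only when there are none.
hardcoded_credentials() {
  hits=$(find "$1" -type f -name '*.tf' -exec grep -nE \
    '^[[:space:]]*(access_key|secret_key)[[:space:]]*=[[:space:]]*"[^"$]' \
    /dev/null {} + | cut -d: -f1,2)
  [ -z "$hits" ] && return 0
  echo "$hits"; return 1
}

# preflight DIR: run all three checks against the local terraform binary.
preflight() {
  tfv=$(terraform --version 2>/dev/null | terraform_version_from)
  version_ge "${tfv:-0}" "$MIN_TERRAFORM" || { echo "Terraform ${tfv:-not found}: need >= $MIN_TERRAFORM"; return 1; }
  miss=$(missing_auth_env); [ -z "$miss" ] || { echo "unset: $miss"; return 1; }
  hardcoded_credentials "$1" || { echo "move these credentials to environment variables"; return 1; }
  echo "preflight ok"
}
```

Source the file and run preflight with the configuration directory as its argument; it stops at the first failed check.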