All Products
Search
Document Center

Key Management Service:Overview

Last Updated:Jun 19, 2024

Terraform is an open source tool that allows you to preview, configure, and manage cloud infrastructures and resources in a secure and efficient manner. This topic provides an overview of Terraform and explores its use cases in Key Management Service (KMS).

Introduction to Terraform

Terraform is a tool that supports the automated orchestration of IT infrastructure. Terraform allows you to use code to manage and maintain IT resources. For more information, see What is Terraform?

  • Terraform provides an easy-to-use CLI that allows you to deploy configuration files on the workloads of Alibaba Cloud services or third-party cloud services and manage the versions of the configuration files. Terraform allows you to define the infrastructure resources that are required to build cloud topologies in configuration files. The resources include virtual machines (VMs), storage accounts, and network interfaces.

  • Terraform can be integrated with the Alibaba Cloud provider to support new infrastructures. You can use a template to configure the Alibaba Cloud provider to define, preview, and deploy cloud infrastructure on Alibaba Cloud.

  • Terraform allows you to create, modify, and delete the resources of multiple Alibaba Cloud services, such as Elastic Compute Services (ECS), Virtual Private Cloud (VPC), ApsaraDB RDS, and Server Load Balancer (SLB).

Use Terraform to manage KMS resources

KMS allows you to manage the following resources by using Terraform.

Resource

Description

Provider version

alicloud_kms_alias

Create and manage aliases.

1.77.0 and later

alicloud_kms_application_access_point

Create and manage application access points (AAPs). For more information, see Create an AAP.

1.210.0 and later

alicloud_kms_client_key

Create and manage client keys. For more information, see Create an AAP.

1.210.0 and later

alicloud_kms_instance

Purchase and enable instances of the software key management type. For more information, see Purchase and enable a KMS instance of the software key management type.

Important

You can use Terraform to purchase and enable only instances of the software key management type. You cannot use Terraform to purchase and enable instance of the hardware key management type.

1.210.0 and later

alicloud_kms_key

Create and manage keys. For more information, see Create a key.

1.85.0 and later

alicloud_kms_key_version

Create and manage key versions.

1.85.0 and later

alicloud_kms_network_rule

Create and manage network access rules. For more information, see Create an AAP.

1.210.0 and later

alicloud_kms_policy

Create and manage permission policies. For more information, see Create an AAP.

1.210.0 and later

alicloud_kms_secret

Create and manage secrets. For more information, see Create a secret.

1.76.0 and later

Use Terraform

  1. Install Terraform 0.14.0 or later.

  2. Note

    After Terraform is installed, you can run the terraform --version command to check the version of Terraform. If the version of Terraform is earlier than 0.14.0, install a required version to overwrite Terraform.

  3. Configure the information about your Alibaba Cloud account.

    Note

    To improve the flexibility and security of permission management, we recommend that you create a Resource Access Management (RAM) user named Terraform, create an AccessKey pair for the RAM user, and then grant the AliyunKMSFullAccess permission to the RAM user. For more information, see Create a RAM user and Grant permissions to a RAM user.

    You can select an Alibaba Cloud authentication method to provide the authentication information required by Terraform.

    • (Recommended) Method 1: Configure environment variables to store authentication information.

      The method that is used to configure environment variables varies based on the operating system. For more information, see Configure environment variables in Linux, macOS, and Windows.

      export ALICLOUD_ACCESS_KEY="******"
      export ALICLOUD_SECRET_KEY="******"
      export ALICLOUD_REGION="******"
    • Method 2: Specify authentication information in the provider code block of the configuration file.

      provider "alicloud" {
        access_key = "******"
        secret_key = "******"
        region     = "******"
      }
  4. Check whether the provider version needs to be upgraded.

    • Query the provider version.

      terraform -version 
    • Upgrade the provider version.

      terraform init -upgrade