
Key Management Service:Purchase and enable an instance of the software key management type

Last Updated:Nov 07, 2023

This topic describes how to use Terraform to purchase and enable an instance of the software key management type.

Overview

When you purchase and enable a Key Management Service (KMS) instance of the software key management type, you must associate a virtual private cloud (VPC) and vSwitches with the KMS instance. You can also associate multiple VPCs with the KMS instance. After you configure settings for the KMS instance, a certificate authority (CA) certificate is generated. We recommend that you properly store the CA certificate, which is required when your application accesses the KMS instance.

For more information about how to configure an instance of the software key management type, see alicloud_kms_instance.

Limits

  • The Terraform version must be 0.14.0 or later. We recommend that you use the latest version. You can go to the Terraform official website to download the latest version.

  • You can use Terraform to purchase and enable only instances of the software key management type. You cannot use Terraform to purchase and enable instances of the hardware key management type.

Prerequisites

A Resource Access Management (RAM) user is created, and the AliyunKMSFullAccess, AliyunVPCFullAccess, and AliyunBSSFullAccess policies are attached to the RAM user. This prerequisite applies when you use a RAM user to log on to Terraform. The AliyunKMSFullAccess policy grants permissions to manage KMS resources, the AliyunVPCFullAccess policy grants permissions to manage VPC resources, and the AliyunBSSFullAccess policy grants permissions to manage Billing Management resources. For more information, see Grant permissions to RAM users.

Procedure

  1. Create a working directory and a file named main.tf in the directory.

    main.tf: This file is the main file of Terraform and defines the resources that you want to deploy.

    // Create a VPC.
    resource "alicloud_vpc" "example" {
      vpc_name   = "terraform-example"
      cidr_block = "172.16.XX.XX/16"
    }

    // Create a vSwitch.
    resource "alicloud_vswitch" "example1" {
      vpc_id       = alicloud_vpc.example.id
      cidr_block   = "172.16.XX.XX/24"
      zone_id      = "cn-chengdu-a"
      vswitch_name = "terraform-example-1"
    }

    // Create another vSwitch.
    resource "alicloud_vswitch" "example2" {
      vpc_id       = alicloud_vpc.example.id
      cidr_block   = "172.16.XX.XX/24"
      zone_id      = "cn-chengdu-b"
      vswitch_name = "terraform-example-2"
    }

    // Create an instance of the software key management type and configure network parameters to enable the instance.
    resource "alicloud_kms_instance" "software_instance_example" {
      // The instance of the software key management type.
      product_version = "3"
      // The computing performance, number of keys, number of secrets, and access management quota.
      spec       = "1000"
      key_num    = "1000"
      secret_num = "2000"
      vpc_num    = "3"
      // The auto-renewal status and auto-renewal period. Unit: months.
      renew_status = "AutoRenewal"
      renew_period = "3"
      // Configure network parameters for the instance.
      vpc_id      = alicloud_vpc.example.id
      zone_ids    = [alicloud_vswitch.example1.zone_id, alicloud_vswitch.example2.zone_id]
      vswitch_ids = [alicloud_vswitch.example1.id, alicloud_vswitch.example2.id]
      // Associate a different VPC with the instance.
      // If the two VPCs belong to different Alibaba Cloud accounts, you must first share the vSwitch in the second VPC to the first VPC.
      bind_vpcs {
        vpc_id       = "vpc-j6cy0l32yz9ttxfy6****"
        vswitch_id   = "vsw-j6cv7rd1nz8x13ram****"
        region_id    = "cn-hangzhou"
        vpc_owner_id = "119285303511****"
      }
      bind_vpcs {
        vpc_id       = "vpc-j6cy0l32yz9ttd7g3****"
        vswitch_id   = "vsw-3h4yrd1nz8x13ram****"
        region_id    = "cn-hangzhou"
        vpc_owner_id = "119285303511****"
      }
    }

    // Save the CA certificate of the instance to a local file.
    // The reference must use the resource name defined above (software_instance_example).
    resource "local_file" "ca_certificate_chain_pem" {
      content  = alicloud_kms_instance.software_instance_example.ca_certificate_chain_pem
      filename = "ca.pem"
    }
    
    
  2. Run the terraform init command to initialize the runtime environment for Terraform.

  3. Run the terraform plan command to create an execution plan.

  4. Run the terraform apply command.
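The following is an added example (not part of this topic's main.tf) that hardens two points of the procedure above: it pins the provider sources and versions so that terraform init resolves the same builds on every run, and it writes the CA certificate with owner-only permissions so that other local users cannot replace the file your application trusts. The version constraints are assumptions; check the provider changelogs for the minimum version that supports alicloud_kms_instance. This local_file resource replaces the one in main.tf, so keep only one of them.

```hcl
terraform {
  required_version = ">= 0.14.0"
  required_providers {
    # Pinning both providers (assumed constraints) and committing the generated
    # .terraform.lock.hcl file keeps the provider supply chain reproducible.
    alicloud = {
      source  = "aliyun/alicloud"
      version = ">= 1.210.0"
    }
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
  }
}

# Save the CA certificate of the instance with restricted permissions.
# The certificate is a trust anchor for the application, so protect it
# against tampering rather than disclosure: mode 0600 on the file and
# 0700 on its directory.
resource "local_file" "ca_certificate_chain_pem" {
  content              = alicloud_kms_instance.software_instance_example.ca_certificate_chain_pem
  filename             = "${path.module}/ca.pem"
  file_permission      = "0600"
  directory_permission = "0700"
}
```

After terraform apply, verify the file mode with ls -l ca.pem and distribute the certificate to the application host over an integrity-protected channel.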