Terraform is an open source infrastructure-as-code tool for provisioning and managing cloud resources in a repeatable, version-controlled way. This page covers the KMS resources supported by the Alibaba Cloud Terraform provider and walks you through the initial setup.
Introduction to Terraform
Terraform supports automated orchestration of IT infrastructure and allows you to use code to manage and maintain IT resources. For more information, see What is Terraform?
Terraform provides an easy-to-use CLI that lets you deploy configuration files on Alibaba Cloud and third-party cloud workloads, and manage their versions. You can define infrastructure resources — such as virtual machines (VMs), storage accounts, and network interfaces — directly in configuration files.
Terraform integrates with the Alibaba Cloud provider to support new infrastructures, enabling you to define, preview, and deploy cloud infrastructure on Alibaba Cloud.
Terraform supports creating, modifying, and deleting resources for multiple Alibaba Cloud services, including Elastic Compute Service (ECS), Virtual Private Cloud (VPC), ApsaraDB RDS, and Server Load Balancer (SLB).
Supported resources
KMS supports the following Terraform resources. Check the minimum provider version before you start — some resources require version 1.210.0 or later.
| Resource | Description | Minimum provider version |
|---|---|---|
| alicloud_kms_alias | Manage key aliases | 1.77.0 |
| alicloud_kms_secret | Manage secrets. See Create a secret. | 1.76.0 |
| alicloud_kms_key | Manage keys. See Create a key. | 1.85.0 |
| alicloud_kms_key_version | Manage key versions | 1.85.0 |
| alicloud_kms_instance | Purchase and enable KMS instances (software key management type only). See Purchase and enable a KMS instance. | 1.210.0 |
| alicloud_kms_application_access_point | Manage application access points (AAPs). See Create an AAP. | 1.210.0 |
| alicloud_kms_client_key | Manage client keys. See Create an AAP. | 1.210.0 |
| alicloud_kms_network_rule | Manage network access rules. See Create an AAP. | 1.210.0 |
| alicloud_kms_policy | Manage permission policies. See Create an AAP. | 1.210.0 |
Terraform can only provision software key management instances. Hardware key management instances cannot be purchased or enabled using Terraform.
Prerequisites
Before you begin, ensure that you have:
Terraform 0.14.0 or later. Run terraform --version to check.
An Alibaba Cloud account with permissions to manage KMS resources.
A RAM user named Terraform with the AliyunKMSFullAccess policy attached, and an AccessKey pair for that user. See Create a RAM user and Grant permissions to a RAM user.
Set up Terraform for KMS
Step 1: Install Terraform
Choose one of the following installation methods:
Cloud Shell (no local setup required): Use Terraform in Cloud Shell
Local machine: Install and configure Terraform on your computer
After installation, run the following command to confirm the version:
terraform --version
If the version is earlier than 0.14.0, reinstall Terraform with a supported version.
Step 2: Configure authentication
Store your credentials as environment variables to keep them out of your configuration files:
export ALICLOUD_ACCESS_KEY="<your-access-key-id>"
export ALICLOUD_SECRET_KEY="<your-access-key-secret>"
export ALICLOUD_REGION="<region-id>"
Alternatively, specify credentials directly in the provider block. Avoid this in production — credentials in configuration files can be accidentally committed to version control.
provider "alicloud" {
  access_key = "<your-access-key-id>"
  secret_key = "<your-access-key-secret>"
  region     = "<region-id>"
}
For instructions on setting environment variables on Linux, macOS, and Windows, see Configure environment variables.
Step 3: Check and upgrade the provider version
Query the current provider version:
terraform -version
If the version is earlier than the minimum required for the resources you're using, upgrade it:
terraform init -upgrade
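The following pre-commit check is an added example, not part of the original page or the Alibaba Cloud provider. It covers two points from Steps 2 and 3: it flags access_key/secret_key literals left in configuration files, and it reports the minimum provider version implied by the KMS resources a directory declares, using the values from the "Supported resources" table. The function names and the file name in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): pre-commit checks for a
# Terraform directory that uses the alicloud provider.
# Usage (hypothetical file name): . ./tf_kms_precheck.sh
#   scan_alicloud_creds . && required_kms_provider_version .

# List access_key/secret_key attributes assigned a quoted literal in *.tf or
# *.tfvars files, with the value redacted. References such as var.secret_key
# and commented-out lines are not flagged.
# Returns 0 when clean, 1 when a hardcoded credential is found.
scan_alicloud_creds() {
    _pat='^[[:space:]]*(access_key|secret_key)[[:space:]]*=[[:space:]]*"[^"]+"'
    # /dev/null forces grep to print file names even for a single file.
    _hits=$(find "$1" -type f \( -name '*.tf' -o -name '*.tfvars' \) \
        -exec grep -nE "$_pat" /dev/null {} + 2>/dev/null) || true
    [ -n "$_hits" ] || return 0
    printf '%s\n' "$_hits" | sed -E 's/(=[[:space:]]*)"[^"]*"/\1"<redacted>"/'
    return 1
}

# Print the lowest provider version that satisfies every alicloud_kms_*
# resource declared under the directory, using the minimums from the
# "Supported resources" table. Prints nothing if no listed resource is found.
required_kms_provider_version() {
    find "$1" -type f -name '*.tf' -exec cat {} + |
    sed -nE 's/^[[:space:]]*resource[[:space:]]+"(alicloud_kms_[a-z_]+)".*/\1/p' |
    while read -r _res; do
        case $_res in
            alicloud_kms_secret) echo 1.76.0 ;;
            alicloud_kms_alias) echo 1.77.0 ;;
            alicloud_kms_key|alicloud_kms_key_version) echo 1.85.0 ;;
            alicloud_kms_instance|alicloud_kms_application_access_point|\
            alicloud_kms_client_key|alicloud_kms_network_rule|alicloud_kms_policy)
                echo 1.210.0 ;;
        esac
    done | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}
```

Compare the printed version with the provider version reported by terraform -version, and run terraform init -upgrade if the installed provider is older.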