You can use Terraform to create and manage application access points (AAPs). This topic describes how to create an AAP.
Overview
Before your self-managed applications can perform cryptographic operations or retrieve secrets, they must use the client key of the required AAP to access your Key Management Service (KMS) instance. For more information about how to configure Terraform to manage AAPs, see alicloud_kms_application_access_point.
If you use keys in a KMS instance for server-side encryption in Alibaba Cloud services, or call the KMS SDK to use secrets, you do not need to create an AAP. If you want to call the KMS Instance SDK to use a key or a secret in a KMS instance, you must create an AAP.
Limits
The Terraform version must be 0.14.0 or later. We recommend that you use the latest version. You can go to the Terraform official website to download the latest version.
Prerequisites
A Resource Access Management (RAM) user is created, and the AliyunKMSFullAccess policy is attached to the RAM user. This prerequisite applies when you run Terraform as a RAM user. The AliyunKMSFullAccess policy grants permissions to manage KMS resources. For more information, see Grant permissions to RAM users.
Procedure
Create a working directory and a file named main.tf in the directory. The main.tf file is the main Terraform configuration file and defines the resources that you want to deploy.
/*
  1. Create network access rules.
  2. Create permission policies.
  3. Create an AAP.
  4. Create a client key.
*/
resource "alicloud_kms_network_rule" "network_rule_example" {
  network_rule_name = "sample_network_rule"
  description       = "description_test_module"
  source_private_ip = ["10.10.XX.XX/16", "192.168.XX.XX/8"]
}

resource "alicloud_kms_policy" "policy_example" {
  policy_name     = "sample_policy"
  description     = "description_test_module"
  permissions     = ["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
  resources       = ["key/*", "secret/*"]
  kms_instance_id = "kst-hzz634e67d126u9p9****"
  // Interpolate the network rule name so that the actual rule name, not the
  // literal text of the reference, is written into the JSON document.
  access_control_rules = <<EOF
{
  "NetworkRules": [
    "${alicloud_kms_network_rule.network_rule_example.network_rule_name}"
  ]
}
EOF
}

resource "alicloud_kms_application_access_point" "application_access_point_example" {
  application_access_point_name = "sample_aap"
  policies                      = [alicloud_kms_policy.policy_example.policy_name]
  description                   = "aap_description"
}

resource "alicloud_kms_client_key" "client_key" {
  aap_name   = alicloud_kms_application_access_point.application_access_point_example.application_access_point_name
  password   = "Kwcn0B****"
  not_before = "2023-09-01T14:11:22Z"
  not_after  = "2032-09-01T14:11:22Z"
  // Specify the path of the local file that stores the client key.
  private_key_data_file = "./client_key.json"
}
Important: After the AAP is created, you must obtain the client key from the local file path and store the client key in a secure location.
You can pass the password parameter as a sensitive Terraform input variable instead of writing it as a literal in main.tf.
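The following is an added example, not part of the original topic, of how the password parameter can be supplied as a sensitive input variable. The variable name client_key_password, the file name variables.tf, the minimum length in the validation block and the TF_VAR_ value are assumptions; the network rule, policy and AAP resources stay as defined in main.tf above.

```hcl
# variables.tf (assumed file name): declare the client key password as a sensitive input.
# Terraform redacts a sensitive value in plan and apply output, but still records it in
# plaintext in the state file, so the state backend must be protected as well.
variable "client_key_password" {
  description = "Password that protects the client key of the AAP"
  type        = string
  sensitive   = true

  validation {
    # Assumed minimum; adjust to the password requirements of the KMS instance.
    condition     = length(var.client_key_password) >= 8
    error_message = "The client key password must be at least 8 characters long."
  }
}

# main.tf: the client key resource reads the password from the variable instead of
# a literal, so the secret never has to be committed together with the configuration.
resource "alicloud_kms_client_key" "client_key" {
  aap_name   = alicloud_kms_application_access_point.application_access_point_example.application_access_point_name
  password   = var.client_key_password
  not_before = "2023-09-01T14:11:22Z"
  not_after  = "2032-09-01T14:11:22Z"
  // Specify the path of the local file that stores the client key.
  private_key_data_file = "./client_key.json"
}

# Supply the value out of band when running Terraform, for example (assumed value):
#   export TF_VAR_client_key_password='<strong password>'
#   terraform plan
# The plan output shows password = (sensitive value) instead of the literal.
```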
Run the terraform init command to initialize the runtime environment for Terraform.
Run the terraform plan command to create an execution plan.
Run the terraform apply command.