Security Modules 0.74.0
Last updated in version 0.74.0

AWS KMS Grants


This repo contains a module for creating and managing KMS grants. A grant delegates permission to use a customer managed key (CMK) to a specific principal, limited to an explicit set of key operations, without editing the key policy or IAM.


  • Create KMS grants for keys in several regions from one module



This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.


Non-production deployment (quick start for learning)

If you just want to try this out for experimenting and learning, check out the following resources:

  • examples folder: The examples folder contains sample code optimized for learning, experimenting, and testing (but not production usage).


Sample Usage

# ------------------------------------------------------------------------------------------------------
# Sample usage of the kms-grant-multi-region module
# ------------------------------------------------------------------------------------------------------

module "kms_grant_multi_region" {

  source = ""

  # ----------------------------------------------------------------------------------------------------
  # Required variables
  # ----------------------------------------------------------------------------------------------------

  # The AWS Account ID the template should be operated on. This avoids
  # misconfiguration errors caused by environment variables.
  aws_account_id = <string>

  # A map from KMS grant name to the region in which the grant's key resides.
  # There must be a one-to-one mapping between the entries of this map and the
  # entries of the kms_grants map. This is used to work around a Terraform
  # limitation: the value given to for_each cannot depend on resources, so the
  # region map must be known at plan time even when the key ARNs are not.
  kms_grant_regions = <map(string)>

  # Create the specified KMS grants to allow entities to use the KMS key
  # without modifying the key policy or IAM. This is necessary to allow AWS
  # services (e.g. ASG) to use CMKs to encrypt and decrypt resources. The
  # input is a map of grant name to grant properties. The name must be unique
  # per account.
  kms_grants = <map(object(
    kms_cmk_arn        = string
    grantee_principal  = string
    granted_operations = list(string)
  ))>

  # ----------------------------------------------------------------------------------------------------
  # Optional variables (default values shown)
  # ----------------------------------------------------------------------------------------------------

  # Create a dependency between the resources in this module and the
  # interpolated values in this list (and thus the source resources). In other
  # words, the resources in this module will depend on the resources backing
  # the values in this list: those resources must be created before the
  # resources in this module, and the resources in this module must be
  # destroyed before the resources in the list.
  dependencies = []
}
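The following is an added example of a complete configuration built around the inputs described above; it is not the module's own code and does not come from this page. It assumes Terraform 1.5 or later (for the check block), a placeholder account ID of 123456789012, two provider aliases named east and west, and a grantee of the Auto Scaling service-linked role; the module source path is left empty exactly as it is in the sample above. It shows why kms_grant_regions is a separate static map (its keys are the for_each key set), how dependencies ties the grants to keys created in the same apply, and a plan-time check that the two maps agree.

```hcl
# Added example, not the module's own code. Assumptions: Terraform >= 1.5,
# placeholder account 123456789012, provider aliases "east" and "west",
# module source path omitted as in the sample usage above.

provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

# Keys created in the same apply. Their ARNs are unknown at plan time, which
# is why the module takes a separate, static kms_grant_regions map.
resource "aws_kms_key" "ebs_east" {
  provider    = aws.east
  description = "EBS volume encryption (us-east-1)"
}

resource "aws_kms_key" "ebs_west" {
  provider    = aws.west
  description = "EBS volume encryption (us-west-2)"
}

locals {
  aws_account_id = "123456789012" # placeholder account ID

  # Service-linked role that Auto Scaling uses to launch instances. Path and
  # role name are the standard ones; the account ID is the placeholder above.
  asg_role_arn = "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"

  # Only the operations Auto Scaling needs to launch from an encrypted
  # AMI/snapshot. CreateGrant is included because EC2 creates further grants on
  # the volume key on the role's behalf; leave it (and anything else) out for
  # grantees that do not need it, since the grant is the permission boundary.
  asg_ebs_operations = [
    "Encrypt",
    "Decrypt",
    "ReEncryptFrom",
    "ReEncryptTo",
    "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext",
    "DescribeKey",
    "CreateGrant",
  ]

  # Static: every value is a literal, so it can be used as the for_each key set.
  kms_grant_regions = {
    "asg-ebs-us-east-1" = "us-east-1"
    "asg-ebs-us-west-2" = "us-west-2"
  }

  # Same keys as kms_grant_regions; values may reference resources.
  kms_grants = {
    "asg-ebs-us-east-1" = {
      kms_cmk_arn        = aws_kms_key.ebs_east.arn
      grantee_principal  = local.asg_role_arn
      granted_operations = local.asg_ebs_operations
    }
    "asg-ebs-us-west-2" = {
      kms_cmk_arn        = aws_kms_key.ebs_west.arn
      grantee_principal  = local.asg_role_arn
      granted_operations = local.asg_ebs_operations
    }
  }
}

# Catch a mismatch between the two maps at plan time instead of at apply time.
check "grant_maps_agree" {
  assert {
    condition     = sort(keys(local.kms_grant_regions)) == sort(keys(local.kms_grants))
    error_message = "kms_grant_regions and kms_grants must have exactly the same keys."
  }
}

module "kms_grant_multi_region" {
  source = "" # module source path omitted, as in the sample usage above

  aws_account_id    = local.aws_account_id
  kms_grant_regions = local.kms_grant_regions
  kms_grants        = local.kms_grants

  # Grants are created after the keys and destroyed before them.
  dependencies = [aws_kms_key.ebs_east.arn, aws_kms_key.ebs_west.arn]
}
```

Two things to keep in mind when reviewing a configuration like this. Grants do not appear in the key policy, so a policy review alone will not show who can use the key; list the grants on each key (for example with `aws kms list-grants --key-id <key-id>` in the key's region) when auditing. And because the module keys grants by name and the name must be unique per account, renaming an entry in both maps destroys the old grant and creates a new one, which briefly removes the grantee's access.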