1.0 Introduction
The Fortanix Data Security Manager (DSM) Terraform Provider transforms the functionality of the Fortanix DSM RESTful API into easy-to-consume, human-readable configuration files. Using the Fortanix DSM Terraform Provider, you can eliminate the need to understand how to consume the raw Fortanix Data Security Manager APIs directly.
2.0 Download
The Fortanix DSM Terraform Provider is available here.
3.0 Features
The Fortanix DSM Terraform Provider SDK supports the operations listed below.
In this list, "Manage" means Create, Update, and Delete operations.
3.1 Authentication
Supports the following authentication methods for users:
Username and Password
Admin API Key
LDAP
3.2 Accounts
Create Quorum Policy for Accounts - This operation allows you to create a Quorum approval policy for DSM accounts. The policy approval will be done outside the Terraform Provider.
Delete the Quorum approval policy.
3.3 Users
Create an assignment of a DSM group role to a user. This assignment is linked to a specific group.
3.4 Groups
Manage group - This operation allows you to create, update, and delete a Fortanix DSM group.
Manage AWS group - This operation allows you to create, update, and delete an AWS KMS group in Fortanix DSM.
Manage Azure group - This operation allows you to create, update, and delete an Azure KMS group in Fortanix DSM.
AWS Key links - When a source key is copied from a regular Fortanix DSM group to an AWS group, the source key will appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
Create Quorum Policy for Groups - This operation allows you to create a Quorum approval policy for DSM groups. The policy approval will be done outside the Terraform Provider.
Add users to a group - This operation allows adding users to a group after group creation.
Create and update cryptographic policy - This operation allows creating and updating the cryptographic policy for DSM accounts and groups.
Add plugin to a group - This operation allows creating and associating a plugin to a DSM group.
Assign multiple groups to an app whose authentication method is "Google Service Account".
Copy the key from the Fortanix DSM group to the GCP (CDC) group.
Add, update, and delete the Key Undo policy for a DSM group.
3.5 Applications (Apps)
Manage app - This operation allows you to create, update, and delete a Fortanix DSM app. It also allows you to assign apps to groups.
Manage Google Cloud Platform EKM - This operation allows you to create, update, and delete a Google EKM App in Fortanix DSM.
Create an administrator (admin) application (app).
Assign a new or existing group to an existing app.
3.6 Security Objects
Manage security object - This operation allows you to create, update, and delete a Fortanix DSM security object. It also allows you to assign security objects to groups, and specify key links, key ops, and key states.
Rotate security object - This operation allows you to rotate a Fortanix DSM key using the Fortanix DSM Key Rotation feature. A key can be rotated when you want to retire an encryption key and replace that key by generating a new cryptographic key. For more details, refer to the User's Guide: Key Lifecycle Management.
Key Rotation Policy - This operation allows you to set a key rotation policy so that a Fortanix DSM key is rotated automatically at a scheduled future time. For more details, refer to the User's Guide: Key Lifecycle Management.
Secret rotation - This operation allows you to rotate a security object of type "Secret".
Return public keys in PEM format - This operation allows returning public keys in PEM format.
Import keys, upload a signed certificate and private key, and delete the expired certificate.
Key Access Justification Policy - This operation allows you to create and update the key access justification reasons for a security object used with Google Cloud External Key Manager.
Create a security object of type "Tokenization".
Delete the Key Access Justification (KAJ) policy for a security object.
Generate keys of type BLS and LMS.
Import keys of type AES, DES, DES3, HMAC, RSA, EC, DSA, Opaque, Certificate, BIP32, ARIA, KCDSA, EC-KCDSA, BLS, and SEED.
Key move and key copy support.
3.6.1 AWS Security Objects
Manage AWS security object - This operation allows you to create, update, and delete a Fortanix DSM security object in the AWS KMS group. It also allows you to specify group, key links, key ops, and key states.
Rotate AWS security object - This operation allows:
Rotating an AWS native key with another native key.
Rotating a Fortanix DSM source key that has linked keys belonging to an AWS group.
Rotating an AWS native key to a Fortanix DSM-owned key.
For more details, refer to the User's Guide: AWS External KMS.
AWS Tags - This operation allows you to create, update, and delete AWS key tags.
AWS Aliases - This operation allows you to create, update, and delete AWS key aliases.
AWS Key Policy - This operation allows you to create, update, and delete the AWS key policy. The AWS key policy is the primary way to control access to AWS KMS keys.
AWS Schedule Key Deletion - This operation allows you to schedule a key for deletion in the configured AWS KMS.
Delete AWS-backed keys.
3.6.2 Azure Security Objects
Manage Azure security object - This operation allows you to create, update, and delete a Fortanix DSM security object in the Azure KMS group. It also allows you to specify group, key links, key ops, and key states.
Rotate Azure-backed keys.
Delete Azure-backed keys.
3.6.3 GCP Security Objects
Manage GCP security object - This operation allows you to create and update a Fortanix DSM security object in the GCP BYOK group.
3.7 Certificate Signing Request (CSR) Generation
CSR Generation - This operation allows you to generate a CSR signed by a DSM security object.
4.0 References
For a more detailed guide, refer to the Fortanix Terraform Provider documentation.