terraform-aws-arc-kms

Module: sourcefuse/arc-kms/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-kms/aws

Category: Security / Encryption

Source: https://github.com/sourcefuse/terraform-aws-arc-kms

Tip

🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓

Overview

Creates and manages AWS KMS customer-managed keys (CMKs) with aliases, key policies, and automatic key rotation.

What It Does

• KMS CMK with configurable deletion window
• Automatic key rotation
• Key alias management
• Custom key policy support
• Enable/disable key without deletion

Quickstart

module "kms" {
  source                  = "sourcefuse/arc-kms/aws"
  version                 = "1.0.0"
  enabled                 = var.enabled
  deletion_window_in_days = var.deletion_window_in_days
  enable_key_rotation     = var.enable_key_rotation
  alias                   = var.alias
  tags                    = module.tags.tags
  policy                  = var.policy
}

Required Inputs

Name	Type	Description
alias	string	KMS key alias (must start with alias/)

Key Outputs

Name	Description
key_id	KMS key ID
key_arn	KMS key ARN
alias_arn	KMS alias ARN

Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

Requirements

Name	Version
terraform	>= 1.4, < 2.0.0
aws	>= 5.0, < 7.0

Providers

Name	Version
aws	>= 5.0, < 7.0

Modules

No modules.

Resources

Name	Type
aws_kms_alias.default	resource
aws_kms_key.default	resource

Inputs

Name	Description	Type	Default	Required
alias	The display name of the alias. The name must start with the word alias followed by a forward slash. If not specified, the alias name will be auto-generated.	string	n/a	yes
customer_master_key_spec	Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1.	string	"SYMMETRIC_DEFAULT"	no
deletion_window_in_days	Duration in days after which the key is deleted after destruction of the resource	number	10	no
description	The description of the key as viewed in AWS console	string	"KMS master key"	no
enable_key_rotation	Specifies whether key rotation is enabled	bool	true	no
key_usage	Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY.	string	"ENCRYPT_DECRYPT"	no
multi_region	Indicates whether the KMS key is a multi-Region (true) or regional (false) key.	bool	false	no
policy	A valid KMS policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy.	string	n/a	yes
tags	tags to add to your resources	map(string)	{}	no

Outputs

Name	Description
alias_arn	Alias ARN
alias_name	Alias name
key_arn	Key ARN
key_id	Key ID

AI Assistant Integration (ARC IaC MCP)

The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.

What you can do with it:

• Discover — search and filter modules by keyword or AWS resource type.
• Understand — get inputs, outputs, and resources for any module without leaving your editor.
• Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
• Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
• Compare — diff modules side-by-side to make informed architectural decisions.

Setup (one minute)

The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:

Claude Code CLI:

claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcp

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "arc-iac": {
      "url": "https://arc-iac-mcp.sourcef.us/mcp"
    }
  }
}

Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).

Example prompts to try

• "List all ARC modules sorted by downloads"
• "What inputs does arc-ecs require?"
• "Scaffold a production-ready arc-db Aurora setup with Secrets Manager"
• "Compare arc-eks and arc-ecs for running 10 microservices"
• "Scan this Terraform before I raise a PR: <paste HCL>"

See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by:

• SourceFuse ARC Team