IBM Cloud Docs
Setting up Terraform for Key Protect

Terraform on IBM Cloud® enables predictable and consistent creation of IBM Cloud services so that you can rapidly build complex, multi-tier cloud environments following Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the creation, update, and deletion of your Key Protect instances by using HashiCorp Configuration Language (HCL).

Looking for a managed Terraform on IBM Cloud® solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with, but you don't have to worry about setting up and maintaining the Terraform command line and the IBM Cloud® Provider plug-in. Schematics also provides pre-defined Terraform templates that you can easily install from the IBM Cloud® catalog.

Installing Terraform and configuring resources for Key Protect

Provisioning a new Key Protect Dedicated instance is available through the IBM Cloud® console UI and the IBM Cloud CLI. Creating new Key Protect Dedicated instances with Terraform is not supported. You can, however, use Terraform to provision resources such as keys within an existing Dedicated instance. To do this, the environment variable IBMCLOUD_KP_API_ENDPOINT must be set to the public or private API endpoint of the specific Key Protect Dedicated instance before you run Terraform.

Before you can create an authorization by using Terraform, make sure that you have completed the following:

  • Make sure that you have the required access to create and work with Key Protect resources.
  • Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
  • Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

  1. Create a Key Protect instance by using the ibm_resource_instance resource in your main.tf file.

    The Key Protect instance in the following example is named my_kp and is created with the tiered pricing plan in the us-south region. The user user@ibm.com is assigned the Manager role in the IAM access policy for that instance. For other supported regions, see Regions and endpoints.

    # Key Protect service instance (service name "kms")
    resource "ibm_resource_instance" "kms_instance" {
      name     = "my_kp"
      service  = "kms"
      plan     = "tiered-pricing"
      location = "us-south"
    }
    
    # IAM policy scoped to this single instance, not to all Key Protect instances
    resource "ibm_iam_user_policy" "policy" {
      ibm_id = "user@ibm.com"
      roles  = ["Manager"]
    
      resources {
        service              = "kms"
        # The instance CRN is colon-separated; position 7 is the instance GUID
        resource_instance_id = element(split(":", ibm_resource_instance.kms_instance.id), 7)
      }
    }
    
  2. After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.

    terraform init
    
  3. Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.

    1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.

      terraform plan
      
    2. Run terraform apply to create the resources that are defined in the plan.

      terraform apply
      
  4. From the IBM Cloud resource list, select the Key Protect instance that you created and note the instance ID.

  5. Verify that the access policy is successfully assigned. For more information, see Reviewing assigned access in the console.
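The following is an added example, not code from the IBM Cloud documentation, that extends the procedure above by creating a root key inside the instance from step 1 and by restricting a second user to read-only access. It covers the Dedicated case from the introduction as well: there, the instance is not created by Terraform, so the instance_id argument is replaced with the Dedicated instance ID and IBMCLOUD_KP_API_ENDPOINT is exported before terraform plan. The ibm_kms_key resource and its instance_id, key_name, standard_key, endpoint_type and force_delete arguments are assumed from the IBM Cloud Provider plug-in; my-root-key, auditor@ibm.com and the Reader role are constructed values.

```hcl
# Added example (not from the IBM Cloud docs): a root key in the instance
# created in step 1, plus a least-privilege policy for a second user.

resource "ibm_kms_key" "root_key" {
  # Position 7 of the instance CRN is the GUID, the same split used in step 1.
  # For Key Protect Dedicated, replace this with the Dedicated instance ID and
  # export IBMCLOUD_KP_API_ENDPOINT to that instance's endpoint before planning.
  instance_id = element(split(":", ibm_resource_instance.kms_instance.id), 7)

  key_name = "my-root-key"

  # false = root key (used to wrap/unwrap other keys and never leaves the
  # service); true = standard key whose material can be retrieved.
  standard_key = false

  # Assumed argument: "private" keeps key operations off the public network.
  endpoint_type = "public"

  # Keep the default so terraform destroy cannot remove a key that still
  # protects data; set to true only when the key is known to be unused.
  force_delete = false
}

# Reader can list keys and view metadata but cannot wrap, unwrap or delete.
# Prefer this over Manager for anyone who only reviews the instance.
resource "ibm_iam_user_policy" "auditor_policy" {
  ibm_id = "auditor@ibm.com"
  roles  = ["Reader"]

  resources {
    service              = "kms"
    resource_instance_id = element(split(":", ibm_resource_instance.kms_instance.id), 7)
  }
}

# Exposes the key's CRN so other modules can reference it without a lookup.
output "root_key_crn" {
  value = ibm_kms_key.root_key.crn
}
```

Run terraform plan against this configuration and confirm that the plan shows exactly one ibm_kms_key with standard_key = false and one policy with the Reader role before you apply; a plan that proposes a Manager role or force_delete = true for the key indicates a configuration drift worth catching before apply.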

What's next?

Now that you successfully created your first Key Protect service instance with Terraform on IBM Cloud, you can choose between the following tasks: