# Managing Yandex Key Management Service keys with Hashicorp Terraform

The [Terraform provider](../../terraform/index.md) for Yandex Cloud supports the use of Yandex Key Management Service keys.

## Adding keys {#add}

To create a key:

1. Describe the parameters of the `yandex_kms_symmetric_key` resource in the configuration file:

   ```hcl
   resource "yandex_kms_symmetric_key" "key-a" {
     name                = "<key_name>"
     description         = "<key_description>"
     default_algorithm   = "AES_128"
     rotation_period     = "8760h"
     deletion_protection = true
     lifecycle {
       prevent_destroy = true
     }
   }
   ```

   Where:

   * `name`: Key name. The name format is as follows:

      * Length: between 3 and 63 characters.
      * It can only contain lowercase Latin letters, numbers, and hyphens.
      * It must start with a letter and cannot end with a hyphen.

   * `description`: Key description.
   * `default_algorithm`: Encryption algorithm. The possible values are `AES_128`, `AES_192`, or `AES_256` (underscore form, as in the `default_algorithm` value of the resource above).
   * `rotation_period`: [Rotation](../../kms/concepts/version.md#rotate-key) period (how often to change key versions). To create a key without automatic rotation, do not specify the `rotation_period` parameter.
   * `deletion_protection`: Key deletion protection. To create a key without deletion protection, do not specify the `deletion_protection` parameter.
   * `lifecycle.prevent_destroy`: Key deletion protection when running Terraform commands. To create a key without such protection, do not specify the `lifecycle` section.

   {% note warning %}

   Deleting a KMS key destroys all data encrypted with that key: the data becomes unrecoverable after the key is deleted. The `deletion_protection` parameter and the `lifecycle` section are required to prevent the deletion of the key (e.g., with the `terraform destroy` command).

   {% endnote %}

   For more information about resource parameters in Terraform, see the [provider documentation](../../terraform/resources/kms_symmetric_key.md).

1. Check the configuration using this command:

   ```bash
   terraform validate
   ```

   If the configuration is correct, you will get this message:

   ```text
   Success! The configuration is valid.
   ```

1. Run this command:

   ```bash
   terraform plan
   ```

   The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

1. Apply the configuration changes:

   ```bash
   terraform apply
   ```

1. Confirm the changes: type `yes` into the terminal and press **Enter**.

   This will create all the resources you need in the specified folder. You can check the new resources and their configuration using the [management console](https://console.yandex.cloud) or these [CLI](../../cli/quickstart.md) commands:

   ```bash
   yc kms symmetric-key list
   ```
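The configuration below is an added example, not part of the original page: it enforces the key name rules listed above at `terraform plan` time through an input variable with a `validation` block, creates the key with both deletion safeguards, and exports the key ID for consumers. The variable names, the `folder_id` variable and the resource name `app_data` are assumptions of this example.

```hcl
# Added example (not from the Yandex Cloud docs): the key name rules above
# enforced at `terraform plan` time through an input variable with a
# validation block, plus the key itself with both deletion safeguards.
variable "kms_key_name" {
  type        = string
  description = "KMS key name: 3-63 chars, lowercase letters, digits and hyphens, starts with a letter, does not end with a hyphen"

  validation {
    # One regex expresses all three rules: a letter, then 1-61 characters
    # from [a-z0-9-], then a final character that is not a hyphen.
    condition     = can(regex("^[a-z][a-z0-9-]{1,61}[a-z0-9]$", var.kms_key_name))
    error_message = "The key name must be 3-63 characters of lowercase letters, digits and hyphens, start with a letter and not end with a hyphen."
  }
}

variable "folder_id" {
  type        = string
  description = "Folder where the key is created (assumed to be supplied by the caller)"
}

resource "yandex_kms_symmetric_key" "app_data" {
  name                = var.kms_key_name
  description         = "Key for application data (example)"
  folder_id           = var.folder_id
  default_algorithm   = "AES_256" # strongest of the three supported algorithms
  rotation_period     = "8760h"   # automatic version rotation once a year

  # Two independent safeguards: one enforced by KMS, one by Terraform itself.
  deletion_protection = true
  lifecycle {
    prevent_destroy = true
  }
}

output "kms_key_id" {
  description = "ID of the created key, for use by consumers (e.g. the yc CLI)"
  value       = yandex_kms_symmetric_key.app_data.id
}
```

With this in place, `terraform plan -var kms_key_name=Bad-Name-` fails with the validation message before anything is created, while a valid name such as `app-data-key` passes. After `terraform apply`, `terraform destroy` is refused by `prevent_destroy`, and a deletion attempted outside Terraform is refused by KMS because of `deletion_protection`.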

## Managing key access {#security}

To manage access to keys in Terraform, assign the necessary roles for the folder that contains the key.

For example, [assign](../../iam/operations/sa/assign-role-for-sa.md) the `kms.keys.encrypterDecrypter` role to a service account, permitting it to encrypt and decrypt data with keys from a specific folder:

```hcl
resource "yandex_resourcemanager_folder_iam_member" "admin" {
  folder_id = "<folder_ID>"
  role      = "kms.keys.encrypterDecrypter"
  member    = "serviceAccount:<service_account_ID>"
}
```
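The following is an added example, not part of the original page, showing how the same folder-level role assignment can be split so that no single account both encrypts and decrypts: one service account receives only `kms.keys.encrypter`, another only `kms.keys.decrypter` (both are existing Yandex Cloud KMS roles). The `folder_id` variable and the service account names are placeholders assumed by this example.

```hcl
# Added example (not from the Yandex Cloud docs): split encrypt and decrypt
# rights between two service accounts instead of granting encrypterDecrypter
# to one account. Role names are real KMS roles; the folder ID and
# service account names are placeholders.
variable "folder_id" {
  type        = string
  description = "Folder containing the KMS keys (assumed to be supplied by the caller)"
}

# Producer side: may only encrypt (e.g. a backup job writing ciphertext).
resource "yandex_iam_service_account" "encrypter" {
  name      = "backup-writer"
  folder_id = var.folder_id
}

# Consumer side: may only decrypt (e.g. a restore job reading ciphertext).
resource "yandex_iam_service_account" "decrypter" {
  name      = "backup-restorer"
  folder_id = var.folder_id
}

# Folder-scoped role: applies to every key in the folder.
resource "yandex_resourcemanager_folder_iam_member" "encrypt_only" {
  folder_id = var.folder_id
  role      = "kms.keys.encrypter"
  member    = "serviceAccount:${yandex_iam_service_account.encrypter.id}"
}

resource "yandex_resourcemanager_folder_iam_member" "decrypt_only" {
  folder_id = var.folder_id
  role      = "kms.keys.decrypter"
  member    = "serviceAccount:${yandex_iam_service_account.decrypter.id}"
}
```

Because the roles are granted at folder level, they cover every key in that folder; keep keys with different trust requirements in separate folders so that a role assignment does not widen access unintentionally.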

## See also {#see-also}

* [Getting started with Terraform](../infrastructure-management/terraform-quickstart.md).
* [Access management in Key Management Service](../../kms/security/index.md).
* [Yandex Cloud provider documentation](../../terraform/index.md).
* [Encrypting data using the Yandex Cloud CLI and API](../../kms/operations/key.md).