Resource: awsCloudhsmV2Cluster

Creates an Amazon CloudHSM v2 cluster.

For information about CloudHSM v2, see the AWS CloudHSM User Guide and the Amazon CloudHSM API Reference.

~> NOTE: A CloudHSM cluster can take several minutes to set up. Practically none of its attributes can be updated in place, except for tags. If you need to delete a cluster, you have to remove its HSM modules first. To initialize the cluster, you have to add an HSM instance to it, then sign the CSR it produces and upload the signed certificate.

Example Usage

The following example creates a CloudHSM cluster.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.provider.AwsProvider(this, "aws", {
  region: "${var.aws_region}",
});
const awsVpcCloudhsmV2Vpc = new aws.vpc.Vpc(this, "cloudhsm_v2_vpc", {
  cidrBlock: "10.0.0.0/16",
  tags: {
    Name: "example-aws_cloudhsm_v2_cluster",
  },
});
const dataAwsAvailabilityZonesAvailable =
  new aws.dataAwsAvailabilityZones.DataAwsAvailabilityZones(
    this,
    "available",
    {}
  );
const awsSubnetCloudhsmV2Subnets = new aws.subnet.Subnet(
  this,
  "cloudhsm_v2_subnets",
  {
    availabilityZone: `\${element(${dataAwsAvailabilityZonesAvailable.names}, count.index)}`,
    cidrBlock: "${element(var.subnets, count.index)}",
    mapPublicIpOnLaunch: false,
    tags: {
      Name: "example-aws_cloudhsm_v2_cluster",
    },
    vpcId: awsVpcCloudhsmV2Vpc.id,
  }
);
/*In most cases loops should be handled in the programming language context and 
not inside of the Terraform context. If you are looping over something external, e.g. a variable or a file input
you should consider using a for loop. If you are looping over something only known to Terraform, e.g. a result of a data source
you need to keep this like it is.*/
awsSubnetCloudhsmV2Subnets.addOverride("count", 2);
new aws.cloudhsmV2Cluster.CloudhsmV2Cluster(this, "cloudhsm_v2_cluster", {
  hsmType: "hsm1.medium",
  subnetIds: `\${${awsSubnetCloudhsmV2Subnets.fqn}[*].id}`,
  tags: {
    Name: "example-aws_cloudhsm_v2_cluster",
  },
});

Argument Reference

The following arguments are supported:

  • sourceBackupIdentifier - (Optional) The ID of the CloudHSM v2 cluster backup to restore.
  • hsmType - (Required) The type of HSM module in the cluster. Currently, only hsm1.medium is supported.
  • subnetIds - (Required) The IDs of the subnets in which the cluster will operate.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • clusterId - The ID of the CloudHSM cluster.
  • clusterState - The state of the CloudHSM cluster.
  • vpcId - The ID of the VPC that the CloudHSM cluster resides in.
  • securityGroupId - The ID of the security group associated with the CloudHSM cluster.
  • clusterCertificates - The list of cluster certificates.
  • clusterCertificates0ClusterCertificate - The cluster certificate issued (signed) by the issuing certificate authority (CA) of the cluster's owner.
  • clusterCertificates0ClusterCsr - The certificate signing request (CSR). Available only in uninitialized state after an HSM instance is added to the cluster.
  • clusterCertificates0AwsHardwareCertificate - The HSM hardware certificate issued (signed) by AWS CloudHSM.
  • clusterCertificates0HsmCertificate - The HSM certificate issued (signed) by the HSM hardware.
  • clusterCertificates0ManufacturerHardwareCertificate - The HSM hardware certificate issued (signed) by the hardware manufacturer.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
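The NOTE above says initialization means signing the CSR the HSM produces. Before signing it, a practitioner should confirm that the CSR really came from a genuine HSM, using the certificates the clusterCertificates attributes expose (the HSM certificate and the AWS and manufacturer hardware certificates) together with the root certificates AWS and the manufacturer publish: the HSM certificate must chain to the root through the hardware certificate, and the public key in the cluster CSR must equal the one in the HSM certificate. The script below is an added example, not part of this page or of the provider; file names are placeholders, and make_fixture builds a constructed stand-in chain so the check can be exercised offline.

```shell
#!/bin/sh
# Verify a CloudHSM HSM's identity before signing the cluster CSR:
#  1. the HSM certificate must chain to a trusted root via the hardware certificate
#  2. the cluster CSR must carry the same public key as the HSM certificate
# File names are placeholders; real inputs are the clusterCertificates attributes
# and the root certificates published by AWS and the HSM manufacturer.

# verify_hsm_identity ROOT_CRT HARDWARE_CRT HSM_CRT CLUSTER_CSR  (exit 0 = genuine)
verify_hsm_identity() {
  root=$1 hw=$2 hsm=$3 csr=$4
  openssl verify -CAfile "$root" -untrusted "$hw" "$hsm" >/dev/null 2>&1 || {
    echo "HSM certificate does not chain to $root" >&2; return 1; }
  hsm_pub=$(openssl x509 -in "$hsm" -pubkey -noout 2>/dev/null)
  csr_pub=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null)
  [ -n "$hsm_pub" ] && [ "$hsm_pub" = "$csr_pub" ] || {
    echo "cluster CSR public key does not match the HSM certificate" >&2; return 1; }
}

# make_fixture DIR: constructed stand-in chain (root -> hardware -> HSM) plus a
# cluster CSR from the HSM key (good) and one from an unrelated key (rogue).
make_fixture() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
  for n in root hw hsm other; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
  done
  openssl req -new -key root.key -subj /CN=ExampleRoot -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 1 -set_serial 1 \
    -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -key hw.key -subj /CN=ExampleHardware -out hw.csr 2>/dev/null
  openssl x509 -req -in hw.csr -CA root.crt -CAkey root.key -days 1 -set_serial 2 \
    -extfile ca.ext -out hw.crt 2>/dev/null
  openssl req -new -key hsm.key -subj /CN=ExampleHsm -out hsm.csr 2>/dev/null
  openssl x509 -req -in hsm.csr -CA hw.crt -CAkey hw.key -days 1 -set_serial 3 \
    -out hsm.crt 2>/dev/null
  openssl req -new -key hsm.key -subj /CN=ExampleCluster -out cluster.csr 2>/dev/null
  openssl req -new -key other.key -subj /CN=ExampleCluster -out rogue.csr 2>/dev/null
)

# Usage: d=$(mktemp -d); make_fixture "$d"
#        verify_hsm_identity "$d/root.crt" "$d/hw.crt" "$d/hsm.crt" "$d/cluster.csr"
```

With real artefacts, run the chain check once against the AWS root (with the AWS hardware certificate as the untrusted intermediate) and once against the manufacturer root (with the manufacturer hardware certificate), then compare the public keys.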

Import

CloudHSM v2 Clusters can be imported using the clusterId, e.g.,

$ terraform import aws_cloudhsm_v2_cluster.test_cluster cluster-aeb282a201