I would like to use the IBM Terraform provider to provision a KeyProtect instance containing a standard key.
Getting a KeyProtect instance is easy: Use a service instance of type kms.
Does Terraform offer a way of inserting a specified key in the KeyProtect instance?
Not tested, but should work... ;-)
The IBM Terraform provider is only for the cloud resources, not for "application data". However, there is a REST API Provider which allows you to execute calls to REST APIs.
IBM Cloud Key Protect provides such an interface and allows you to either create or import a key. This toolchain deploy script shows an automated way of provisioning Key Protect and creating a new root key (read the security tutorial here). You basically need to code something similar to obtain the necessary token and other metadata:
curl -s -X POST "$KP_MANAGEMENT_URL" \
--header "Authorization: Bearer $KP_ACCESS_TOKEN" \
--header "Bluemix-Instance: $KP_GUID" \
--header "Content-Type: application/vnd.ibm.kms.key+json" \
-d @scripts/root-enckey.json
The Terraform provider has ibm_kms_key and some other resources now. It allows you to import existing keys into either Key Protect or Hyper Protect Crypto Services.
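A Terraform sketch of the ibm_kms_key approach mentioned above, added here as an illustration and not taken from the original posts or the provider's own examples. The resource names, plan, region and the imported_key_b64 variable are assumptions to adapt.

```hcl
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

# Hypothetical variable: base64-encoded key material to import.
# Leave it unset (null) to have Key Protect generate the key instead.
variable "imported_key_b64" {
  type      = string
  sensitive = true
  default   = null
}

# Key Protect instance: a resource instance of service type "kms".
# Name, plan and location are assumed values.
resource "ibm_resource_instance" "kp" {
  name     = "example-key-protect"
  service  = "kms"
  plan     = "tiered-pricing"
  location = "us-south"
}

# standard_key = true creates a standard key; false (the default)
# would create a root key.
resource "ibm_kms_key" "standard" {
  instance_id  = ibm_resource_instance.kp.guid
  key_name     = "example-standard-key"
  standard_key = true

  # When a payload is supplied, the key material is also written to the
  # Terraform state. Use an encrypted, access-controlled state backend
  # and keep the value out of version control.
  payload = var.imported_key_b64
}
```

Marking the variable as sensitive only hides it from plan and apply output; the value is still readable by anyone who can read the state file.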