Difference between revisions of "Terraform resource: aws kms key"

From wikieduonline
Jump to navigation Jump to search
 
(One intermediate revision by the same user not shown)
Line 90: Line 90:
 
* [[Terraform EKS module]]
 
* [[Terraform EKS module]]
 
* [[execute_command_configuration]]
 
* [[execute_command_configuration]]
 +
* <code>[[kms:]]</code>
 +
* <code>[[aws_kms_replica_key]]</code>
  
 
== See also ==
 
== See also ==

Latest revision as of 14:17, 1 August 2024

aws_kms_key https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key


Official example[edit]

resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}


Multi region official example[edit]

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "example" {
  description             = "An example multi-Region primary key"
  multi_region            = true
  enable_key_rotation     = true
  deletion_window_in_days = 10
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow administration of the key"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice"
        },
        Action = [
          "kms:ReplicateKey",
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*"
      },
      {
        Sid    = "Allow use of the key"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob"
        },
        Action = [
          "kms:DescribeKey",
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey",
          "kms:GenerateDataKeyWithoutPlaintext"
        ],
        Resource = "*"
      }
    ]
  })
}


Errors[edit]

Related[edit]

See also[edit]

Advertising: