Difference between revisions of "Terraform resource: aws kms key"

From wikieduonline
Jump to navigation Jump to search
 
(23 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
<code>[[aws_kms_key]]</code> https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
 +
 +
 +
* <code>[[deletion_window_in_days]]</code>: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days safety measure to delay key deletion, this waiting can be defined between 7 and 30 days
 +
 +
== Official example ==
 +
resource "aws_kms_key" "a" {
 +
  description            = "KMS key 1"
 +
  [[deletion_window_in_days]] = 10
 +
}
 +
 +
 +
== Multi region official example ==
 +
<pre>
 +
data "aws_caller_identity" "current" {}
 +
 +
resource "aws_kms_key" "example" {
 +
  description            = "An example multi-Region primary key"
 +
  multi_region            = true
 +
  enable_key_rotation    = true
 +
  deletion_window_in_days = 10
 +
  policy = jsonencode({
 +
    Version = "2012-10-17"
 +
    Id      = "key-default-1"
 +
    Statement = [
 +
      {
 +
        Sid    = "Enable IAM User Permissions"
 +
        Effect = "Allow"
 +
        Principal = {
 +
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 +
        },
 +
        Action  = "kms:*"
 +
        Resource = "*"
 +
      },
 +
      {
 +
        Sid    = "Allow administration of the key"
 +
        Effect = "Allow"
 +
        Principal = {
 +
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice"
 +
        },
 +
        Action = [
 +
          "kms:ReplicateKey",
 +
          "kms:Create*",
 +
          "kms:Describe*",
 +
          "kms:Enable*",
 +
          "kms:List*",
 +
          "kms:Put*",
 +
          "kms:Update*",
 +
          "kms:Revoke*",
 +
          "kms:Disable*",
 +
          "kms:Get*",
 +
          "kms:Delete*",
 +
          "kms:ScheduleKeyDeletion",
 +
          "kms:CancelKeyDeletion"
 +
        ],
 +
        Resource = "*"
 +
      },
 +
      {
 +
        Sid    = "Allow use of the key"
 +
        Effect = "Allow"
 +
        Principal = {
 +
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob"
 +
        },
 +
        Action = [
 +
          "kms:DescribeKey",
 +
          "kms:Encrypt",
 +
          "kms:Decrypt",
 +
          "kms:ReEncrypt*",
 +
          "kms:GenerateDataKey",
 +
          "kms:GenerateDataKeyWithoutPlaintext"
 +
        ],
 +
        Resource = "*"
 +
      }
 +
    ]
 +
  })
 +
}
 +
</pre>
  
* https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
 
  
 
* <code>[[key_id]]</code>
 
* <code>[[key_id]]</code>
 +
* <code>[[policy]]</code> (optional) https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#policy
 +
 +
== Errors ==
 +
* <code>[[Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.]]</code>
 +
* <code>[[Error: "kms_key_id" (arn:::aws) is an invalid ARN: arn: not enough sections]]</code>
 +
* <code>[[Error: updating KMS Key]]</code>
 +
 +
== Related ==
 +
* <code>[[aws_kms_alias]]</code>
 +
* [[Terraform EKS module]]
 +
* [[execute_command_configuration]]
 +
* <code>[[kms:]]</code>
 +
* <code>[[aws_kms_replica_key]]</code>
  
 
== See also ==
 
== See also ==
* {{KMS}}
+
* {{aws_kms_key}}
* {{terraform aws resources}}
+
* {{terraform KMS}}
 +
* {{AWS KMS}}
  
 
[[Category:Terraform]]
 
[[Category:Terraform]]
 +
[[Category:AWS]]

Latest revision as of 14:17, 1 August 2024

aws_kms_key https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key


Official example[edit]

resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}


Multi region official example[edit]

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "example" {
  description             = "An example multi-Region primary key"
  multi_region            = true
  enable_key_rotation     = true
  deletion_window_in_days = 10
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow administration of the key"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice"
        },
        Action = [
          "kms:ReplicateKey",
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*"
      },
      {
        Sid    = "Allow use of the key"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob"
        },
        Action = [
          "kms:DescribeKey",
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey",
          "kms:GenerateDataKeyWithoutPlaintext"
        ],
        Resource = "*"
      }
    ]
  })
}


Errors[edit]

Related[edit]

See also[edit]

Advertising: