Difference between revisions of "Terraform resource: aws kms key"
Latest revision as of 14:17, 1 August 2024
aws_kms_key
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
deletion_window_in_days (optional)
: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days Safety measure: the waiting period between scheduling a key for deletion and the key actually being destroyed, during which the deletion can still be cancelled. It can be set to between 7 and 30 days; if omitted the provider uses 30 days. Note that it only applies once a deletion has been scheduled; it does not stop terraform destroy from scheduling one.
Official example
  resource "aws_kms_key" "a" {
    description             = "KMS key 1"
    deletion_window_in_days = 10
  }
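The official example above creates a key with no rotation and a 10-day deletion window. The following is an added example, not code from the registry page or the provider, showing the settings a practitioner would normally add before using such a key for real data: the longest allowed deletion window, automatic rotation, a lifecycle guard so that a plan which would delete the key fails instead of scheduling deletion, and an alias so callers do not embed the key id. The description and alias name are assumptions.

```hcl
# Added example (not from the Terraform registry page): a hardened single-region key.
resource "aws_kms_key" "app" {
  description             = "Application data key" # hypothetical description
  deletion_window_in_days = 30                     # longest allowed waiting period (7-30)
  enable_key_rotation     = true                   # automatic rotation of the key material

  lifecycle {
    # A plan that would destroy or replace this key fails at plan time instead of
    # calling ScheduleKeyDeletion; the deletion window above is only the second line of defence.
    prevent_destroy = true
  }
}

# Callers reference the alias; recreating the key behind it does not change the name.
resource "aws_kms_alias" "app" {
  name          = "alias/app-data" # hypothetical alias name
  target_key_id = aws_kms_key.app.key_id
}
```

With prevent_destroy set, the key can still be deliberately removed by first dropping the lifecycle block (or by removing the resource from state), which makes deletion a two-step, reviewable change rather than a side effect of a refactor.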
Multi region official example
  data "aws_caller_identity" "current" {}

  resource "aws_kms_key" "example" {
    description             = "An example multi-Region primary key"
    multi_region            = true
    enable_key_rotation     = true
    deletion_window_in_days = 10
    policy = jsonencode({
      Version = "2012-10-17"
      Id      = "key-default-1"
      Statement = [
        {
          Sid    = "Enable IAM User Permissions"
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
          },
          Action   = "kms:*"
          Resource = "*"
        },
        {
          Sid    = "Allow administration of the key"
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice"
          },
          Action = [
            "kms:ReplicateKey",
            "kms:Create*",
            "kms:Describe*",
            "kms:Enable*",
            "kms:List*",
            "kms:Put*",
            "kms:Update*",
            "kms:Revoke*",
            "kms:Disable*",
            "kms:Get*",
            "kms:Delete*",
            "kms:ScheduleKeyDeletion",
            "kms:CancelKeyDeletion"
          ],
          Resource = "*"
        },
        {
          Sid    = "Allow use of the key"
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob"
          },
          Action = [
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlaintext"
          ],
          Resource = "*"
        }
      ]
    })
  }

Three things to keep in mind with this policy. The first statement (account root with kms:*) is what lets IAM policies in the account reach the key; if it is removed and no other principal in the policy can administer the key, the key becomes unmanageable. The users Alice and Bob must already exist in the account, otherwise key creation fails with the MalformedPolicyDocumentException listed under Errors. multi_region cannot be changed after the key exists; toggling it forces a new key.
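A multi-Region primary key is only useful once it has a replica in another region. The following is an added example (not from the registry page) that replicates the primary key defined above using aws_kms_replica_key under a second provider alias; the alias name, the replica region and the alias name are assumptions.

```hcl
# Added example: replica of the multi-Region primary key "example" above.
provider "aws" {
  alias  = "replica"
  region = "us-west-2" # assumed replica region; must differ from the primary's region
}

resource "aws_kms_replica_key" "example" {
  provider                = aws.replica
  description             = "Replica of the multi-Region primary key"
  deletion_window_in_days = 10
  # Same key ID and key material as the primary; the ARN differs by region.
  primary_key_arn = aws_kms_key.example.arn
}

# Aliases, key policies, grants and tags are per-region and are not replicated,
# so the replica needs its own alias for callers in that region.
resource "aws_kms_alias" "example_replica" {
  provider      = aws.replica
  name          = "alias/example-mr" # hypothetical alias name
  target_key_id = aws_kms_replica_key.example.key_id
}
```

The identity running terraform apply needs kms:ReplicateKey on the primary key (the official policy grants it to Alice) as well as kms:CreateKey in the replica region. Because the replica's key policy is not copied from the primary, set the policy argument on aws_kms_replica_key if the default key policy (account root only) is not what you want in the second region.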
key_id
: Exported attribute: the globally unique identifier of the key. For a multi-Region key the key_id is the same in every region; the arn attribute is region-specific.
policy
: (optional) https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#policy JSON key policy. If omitted, AWS applies the default key policy, which grants the account root kms:* and therefore delegates access control to IAM policies.
Errors
Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
: KMS validates every principal in the key policy when the key is created or its policy updated. An IAM user or role ARN that does not exist in the account (for example user/Alice from the multi-Region example, if no such user exists) produces this error; a principal created moments earlier can also fail until IAM has propagated it.
Error: "kms_key_id" (arn:::aws) is an invalid ARN: arn: not enough sections
: The string passed as kms_key_id is not a well-formed ARN (arn:partition:service:region:account:resource has six colon-separated sections; arn:::aws has four), usually because the expression that was meant to supply the ARN was built or interpolated incorrectly.
Error: updating KMS Key
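The invalid-principals error is easiest to avoid by never hand-typing principal ARNs into the key policy. The following is an added example, not code from the registry page, that builds the same three-statement policy as the multi-Region example with aws_iam_policy_document and takes its administrator and user principals from IAM roles managed in the same configuration, so Terraform creates the roles first and the ARNs are guaranteed to exist. The role names and description are assumptions.

```hcl
# Added example (not from the Terraform registry page): key policy whose principals are
# resources in this configuration, referenced by attribute rather than typed as ARNs.
data "aws_caller_identity" "current" {}

# Trust policy shared by both roles: assumable from within this account only.
data "aws_iam_policy_document" "assume_in_account" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

resource "aws_iam_role" "key_admin" {
  name               = "kms-key-admin" # hypothetical role name
  assume_role_policy = data.aws_iam_policy_document.assume_in_account.json
}

resource "aws_iam_role" "key_user" {
  name               = "kms-key-user" # hypothetical role name
  assume_role_policy = data.aws_iam_policy_document.assume_in_account.json
}

data "aws_iam_policy_document" "key" {
  # Keeps the account root (and so IAM policies) able to reach the key; without it
  # the key can only be managed by principals named explicitly below.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Administration without use: the admin role cannot Encrypt or Decrypt.
  statement {
    sid = "AllowAdministrationOfTheKey"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.key_admin.arn] # exists before the key is created
    }
  }

  # Use without administration: the user role cannot change the policy or delete the key.
  statement {
    sid = "AllowUseOfTheKey"
    actions = [
      "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.key_user.arn]
    }
  }
}

resource "aws_kms_key" "app" {
  description             = "Key with principals managed in the same configuration" # hypothetical
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.key.json
}
```

Because the policy document depends on the role ARNs, Terraform orders the IAM role creation before the key. If the roles are created by another configuration, import their ARNs through a data "aws_iam_role" lookup instead of a literal string, which fails at plan time rather than with a KMS error at apply time when the role is missing.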
Related
* Terraform EKS module
* execute_command_configuration
* kms:
* aws_kms_replica_key
See also