Difference between revisions of "Terraform resource: aws kms key"
(24 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
+ | <code>[[aws_kms_key]]</code> https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key | ||
+ | |||
+ | |||
+ | * <code>[[deletion_window_in_days]]</code>: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days safety measure to delay key deletion, this waiting can be defined between 7 and 30 days | ||
+ | |||
+ | == Official example == | ||
+ | resource "aws_kms_key" "a" { | ||
+ | description = "KMS key 1" | ||
+ | [[deletion_window_in_days]] = 10 | ||
+ | } | ||
+ | |||
+ | |||
+ | == Multi region official example == | ||
+ | <pre> | ||
+ | data "aws_caller_identity" "current" {} | ||
+ | |||
+ | resource "aws_kms_key" "example" { | ||
+ | description = "An example multi-Region primary key" | ||
+ | multi_region = true | ||
+ | enable_key_rotation = true | ||
+ | deletion_window_in_days = 10 | ||
+ | policy = jsonencode({ | ||
+ | Version = "2012-10-17" | ||
+ | Id = "key-default-1" | ||
+ | Statement = [ | ||
+ | { | ||
+ | Sid = "Enable IAM User Permissions" | ||
+ | Effect = "Allow" | ||
+ | Principal = { | ||
+ | AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" | ||
+ | }, | ||
+ | Action = "kms:*" | ||
+ | Resource = "*" | ||
+ | }, | ||
+ | { | ||
+ | Sid = "Allow administration of the key" | ||
+ | Effect = "Allow" | ||
+ | Principal = { | ||
+ | AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice" | ||
+ | }, | ||
+ | Action = [ | ||
+ | "kms:ReplicateKey", | ||
+ | "kms:Create*", | ||
+ | "kms:Describe*", | ||
+ | "kms:Enable*", | ||
+ | "kms:List*", | ||
+ | "kms:Put*", | ||
+ | "kms:Update*", | ||
+ | "kms:Revoke*", | ||
+ | "kms:Disable*", | ||
+ | "kms:Get*", | ||
+ | "kms:Delete*", | ||
+ | "kms:ScheduleKeyDeletion", | ||
+ | "kms:CancelKeyDeletion" | ||
+ | ], | ||
+ | Resource = "*" | ||
+ | }, | ||
+ | { | ||
+ | Sid = "Allow use of the key" | ||
+ | Effect = "Allow" | ||
+ | Principal = { | ||
+ | AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob" | ||
+ | }, | ||
+ | Action = [ | ||
+ | "kms:DescribeKey", | ||
+ | "kms:Encrypt", | ||
+ | "kms:Decrypt", | ||
+ | "kms:ReEncrypt*", | ||
+ | "kms:GenerateDataKey", | ||
+ | "kms:GenerateDataKeyWithoutPlaintext" | ||
+ | ], | ||
+ | Resource = "*" | ||
+ | } | ||
+ | ] | ||
+ | }) | ||
+ | } | ||
+ | </pre> | ||
− | |||
* <code>[[key_id]]</code> | * <code>[[key_id]]</code> | ||
+ | * <code>[[policy]]</code> (optional) https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#policy | ||
+ | |||
+ | == Errors == | ||
+ | * <code>[[Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.]]</code> | ||
+ | * <code>[[Error: "kms_key_id" (arn:::aws) is an invalid ARN: arn: not enough sections]]</code> | ||
+ | * <code>[[Error: updating KMS Key]]</code> | ||
+ | |||
+ | == Related == | ||
+ | * <code>[[aws_kms_alias]]</code> | ||
+ | * [[Terraform EKS module]] | ||
+ | * [[execute_command_configuration]] | ||
+ | * <code>[[kms:]]</code> | ||
+ | * <code>[[aws_kms_replica_key]]</code> | ||
== See also == | == See also == | ||
− | * {{KMS}} | + | * {{aws_kms_key}} |
− | * {{ | + | * {{terraform KMS}} |
+ | * {{AWS KMS}} | ||
+ | |||
+ | [[Category:Terraform]] | ||
+ | [[Category:AWS]] |
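Review bot: The "Allow administration of the key" statement added at L41–L62 grants `"kms:Put*"` and `"kms:Create*"`, which match `kms:PutKeyPolicy` and `kms:CreateGrant`, so the admin principal can rewrite the key policy or issue grants and extend Decrypt to itself or others — the split from the "Allow use of the key" principal is an organisational convention, not something the policy enforces. This is how the AWS sample is written, but the page should say so next to the example, e.g. `Note: the admin principal can change the key policy (kms:PutKeyPolicy) and issue grants (kms:CreateGrant); the root statement delegates access control to IAM policies in the account, so any IAM principal whose IAM policy allows kms:* also has full access to this key.` The `user/Alice` and `user/Bob` principals are placeholders that must exist before apply; KMS typically rejects a policy naming a missing principal with the `MalformedPolicyDocumentException ... invalid principals` error the page lists at L88, which is worth cross-referencing. The `deletion_window_in_days` description at L9 could also state that during the window the key is unusable and recoverable via `kms:CancelKeyDeletion`, and that after it elapses ciphertexts under the key are lost.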
Latest revision as of 14:17, 1 August 2024
aws_kms_key
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
deletion_window_in_days
: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days — a safety measure that delays key deletion: the waiting period can be set between 7 and 30 days. While deletion is pending the key cannot be used and the deletion can still be cancelled (`kms:CancelKeyDeletion`); once the window has elapsed, the key material and every ciphertext encrypted under it are unrecoverable.
Official example
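# Minimal KMS key (provider documentation example).
# Only the deletion window is customised here: key rotation is not enabled
# (consider enable_key_rotation = true for a production key), and no `policy`
# is given, so the key presumably receives AWS's default key policy, which gives
# the account root principal kms:* and therefore lets IAM policies in the account
# govern access — confirm against the provider docs.
resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  # Waiting period (7-30 days) before a scheduled deletion becomes final; the key
  # is unusable but recoverable during this window.
  deletion_window_in_days = 10
}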
Multi region official example
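# Account ID of the caller; used below to scope every key-policy principal to
# this account.
data "aws_caller_identity" "current" {}

# Multi-Region primary KMS key with an explicit key policy (AWS sample policy).
# Replicas in other regions are created with aws_kms_replica_key and share this
# key's material; their policies are set when the replica is created.
resource "aws_kms_key" "example" {
  description             = "An example multi-Region primary key"
  multi_region            = true
  # Automatic rotation of the key material.
  enable_key_rotation     = true
  # Pending-deletion window (7-30 days): the key is unusable but recoverable via
  # kms:CancelKeyDeletion during the window; afterwards ciphertexts are lost.
  deletion_window_in_days = 10
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      {
        # Delegates access control to IAM policies in this account. A statement
        # like this keeps the key manageable, but it also means any IAM
        # principal in the account whose IAM policy allows kms:* has full
        # access to the key — the key policy is not a boundary against them.
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        Action   = "kms:*"
        Resource = "*"
      },
      {
        # Placeholder admin principal; replace with the real user/role, which
        # must exist before apply (KMS rejects unknown principals).
        # NOTE: kms:Put* covers kms:PutKeyPolicy and kms:Create* covers
        # kms:CreateGrant, so this principal can rewrite the policy or issue
        # grants and thereby extend usage rights; the admin/use split below is a
        # convention, not enforced by this policy.
        Sid    = "Allow administration of the key"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice"
        },
        Action = [
          "kms:ReplicateKey",
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ],
        Resource = "*"
      },
      {
        # Placeholder "use" principal limited to cryptographic operations; it
        # is not granted policy, grant, or key-state changes.
        Sid    = "Allow use of the key"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob"
        },
        Action = [
          "kms:DescribeKey",
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey",
          "kms:GenerateDataKeyWithoutPlaintext"
        ],
        Resource = "*"
      }
    ]
  })
}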
key_id
policy
(optional) https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#policy — when omitted, the key gets AWS's default key policy, which grants the account root principal `kms:*` and so leaves access to be governed by IAM policies in the account.
Errors
Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals. — KMS validates every principal in the key policy at apply time; this is typically raised when an IAM user or role named in a Principal (e.g. `user/Alice` in the example above) does not exist yet, was created moments ago and has not propagated, or its ARN is malformed.
Error: "kms_key_id" (arn:::aws) is an invalid ARN: arn: not enough sections
Error: updating KMS Key
Related
See also