Difference between revisions of "Terraform resource: aws kms key"

Line 9: Line 9:
 
   [[deletion_window_in_days]] = 10
 
   [[deletion_window_in_days]] = 10
 
  }
 
  }
 +
 +
 +
== Multi region official example ==
 +
<pre>
 +
data "aws_caller_identity" "current" {}
 +
 +
resource "aws_kms_key" "example" {
 +
  description            = "An example multi-Region primary key"
 +
  multi_region            = true
 +
  enable_key_rotation    = true
 +
  deletion_window_in_days = 10
 +
  policy = jsonencode({
 +
    Version = "2012-10-17"
 +
    Id      = "key-default-1"
 +
    Statement = [
 +
      {
 +
        Sid    = "Enable IAM User Permissions"
 +
        Effect = "Allow"
 +
        Principal = {
 +
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 +
        },
 +
        Action  = "kms:*"
 +
        Resource = "*"
 +
      },
 +
      {
 +
        Sid    = "Allow administration of the key"
 +
        Effect = "Allow"
 +
        Principal = {
 +
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice"
 +
        },
 +
        Action = [
 +
          "kms:ReplicateKey",
 +
          "kms:Create*",
 +
          "kms:Describe*",
 +
          "kms:Enable*",
 +
          "kms:List*",
 +
          "kms:Put*",
 +
          "kms:Update*",
 +
          "kms:Revoke*",
 +
          "kms:Disable*",
 +
          "kms:Get*",
 +
          "kms:Delete*",
 +
          "kms:ScheduleKeyDeletion",
 +
          "kms:CancelKeyDeletion"
 +
        ],
 +
        Resource = "*"
 +
      },
 +
      {
 +
        Sid    = "Allow use of the key"
 +
        Effect = "Allow"
 +
        Principal = {
 +
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob"
 +
        },
 +
        Action = [
 +
          "kms:DescribeKey",
 +
          "kms:Encrypt",
 +
          "kms:Decrypt",
 +
          "kms:ReEncrypt*",
 +
          "kms:GenerateDataKey",
 +
          "kms:GenerateDataKeyWithoutPlaintext"
 +
        ],
 +
        Resource = "*"
 +
      }
 +
    ]
 +
  })
 +
}
 +
</pre>
  
  
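Review bot: The added "Multi region official example" declares only the primary key; with `multi_region = true` nothing is replicated until an `aws_kms_replica_key` referencing this key through `primary_key_arn` is declared under a provider alias for each replica region, so a one-line lead-in above the `<pre>` such as `Primary key only: add an aws_kms_replica_key (primary_key_arn = aws_kms_key.example.arn) per replica region.` would stop readers assuming the snippet alone yields a usable multi-Region key. The first policy statement grants `kms:*` to the account root, which is the usual safeguard that keeps the key administrable through IAM, and the administrator statement's `kms:Put*` covers `kms:PutKeyPolicy`, so `user/Alice` can rewrite this policy; `user/Alice` and `user/Bob` are registry placeholders, and a comment saying they should be replaced with least-privilege roles would help. `enable_key_rotation = true` is the right default to show and is worth calling out, since the earlier minimal example on the page omits it.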

Revision as of 08:16, 8 July 2024

aws_kms_key https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key


Official example

# Minimal customer-managed KMS key: a description plus the waiting period
# (in days) that applies once the key is scheduled for deletion.
resource "aws_kms_key" "a" {
  deletion_window_in_days = 10
  description             = "KMS key 1"
}


Multi region official example

# Identity of the caller; its account id is used below to build every
# principal ARN in the key policy.
data "aws_caller_identity" "current" {}

locals {
  # Account id shared by the root and user ARNs in the policy statements.
  account_id = data.aws_caller_identity.current.account_id
}

# Primary key of a multi-Region key, with automatic rotation enabled and a
# 10-day deletion window. The key policy carries three statements: all KMS
# actions for the account root, management actions for user Alice, and
# cryptographic operations for user Bob.
resource "aws_kms_key" "example" {
  description             = "An example multi-Region primary key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
  multi_region            = true

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      # Every kms:* action, granted to the account root principal.
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      # Key-management actions for Alice (replicate, create/describe/enable/
      # list/put/update/revoke/disable/get/delete, schedule and cancel
      # deletion); no Encrypt/Decrypt in this statement.
      {
        Sid       = "Allow administration of the key"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.account_id}:user/Alice" }
        Action = [
          "kms:ReplicateKey",
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion",
        ]
        Resource = "*"
      },
      # Cryptographic operations for Bob; no management actions here.
      {
        Sid       = "Allow use of the key"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.account_id}:user/Bob" }
        Action = [
          "kms:DescribeKey",
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey",
          "kms:GenerateDataKeyWithoutPlaintext",
        ]
        Resource = "*"
      },
    ]
  })
}


Errors

Related

See also
