Terraform resource: aws kms key
Jump to navigation
Jump to search
aws_kms_key https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
deletion_window_in_days: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days safety measure to delay key deletion, this waiting can be defined between 7 and 30 days
Official example
resource "aws_kms_key" "a" {
description = "KMS key 1"
deletion_window_in_days = 10
}
Multi region official example
data "aws_caller_identity" "current" {}
resource "aws_kms_key" "example" {
description = "An example multi-Region primary key"
multi_region = true
enable_key_rotation = true
deletion_window_in_days = 10
policy = jsonencode({
Version = "2012-10-17"
Id = "key-default-1"
Statement = [
{
Sid = "Enable IAM User Permissions"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
Action = "kms:*"
Resource = "*"
},
{
Sid = "Allow administration of the key"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Alice"
},
Action = [
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
Resource = "*"
},
{
Sid = "Allow use of the key"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Bob"
},
Action = [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
Resource = "*"
}
]
})
}
key_idpolicy(optional) https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#policy
Errors
Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.Error: "kms_key_id" (arn:::aws) is an invalid ARN: arn: not enough sectionsError: updating KMS Key
Related
See also
Advertising:
