aws.kms-key resource

Description

Key manages a KMS key: the protected key material plus the policy that governs who may use it. The key spec, key usage, custom key store, external key, and multi-Region flag are fixed at create time, so a change to any of them replaces the key; the policy, description, and tags change in place. Whether the key is enabled and whether it rotates are distinct KMS operations with no create-time setting, so they are optional fields applied after the key exists: an unset enable-key or enable-key-rotation leaves the AWS default (created enabled, rotation off), and a set value is reconciled by enabling or disabling the key or its rotation.

Source: internal/service/kms/key_rsrc.go:37

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.kms-key {
    # Set input fields here.
  }
}

Inputs

policy

optional(string)

bypass-policy-lockout-safety-check

optional(boolean)

description

optional(string)

key-spec

optional(string)

key-usage

optional(string)

custom-key-store-id

optional(string)

xks-key-id

optional(string)

multi-region

optional(boolean)

enable-key

optional(boolean)

enable-key-rotation

optional(boolean)

rotation-period-in-days

optional(integer)

tags

map(string)

Input Constraints

Field combinations

Required together: xks-key-id and custom-key-store-id.

Required together: rotation-period-in-days and enable-key-rotation.

Key spec rules

key-spec must be a valid KMS key spec.

Rule logic
When
input.key-spec != null
Require
input.key-spec == 'SYMMETRIC_DEFAULT'
|| input.key-spec == 'RSA_2048'
|| input.key-spec == 'RSA_3072'
|| input.key-spec == 'RSA_4096'
|| input.key-spec == 'ECC_NIST_P256'
|| input.key-spec == 'ECC_NIST_P384'
|| input.key-spec == 'ECC_NIST_P521'
|| input.key-spec == 'ECC_SECG_P256K1'
|| input.key-spec == 'ECC_NIST_EDWARDS25519'
|| input.key-spec == 'HMAC_224'
|| input.key-spec == 'HMAC_256'
|| input.key-spec == 'HMAC_384'
|| input.key-spec == 'HMAC_512'
|| input.key-spec == 'ML_DSA_44'
|| input.key-spec == 'ML_DSA_65'
|| input.key-spec == 'ML_DSA_87'
|| input.key-spec == 'SM2'

Key usage rules

key-usage must be a valid KMS key usage.

Rule logic
When
input.key-usage != null
Require
input.key-usage == 'ENCRYPT_DECRYPT'
|| input.key-usage == 'SIGN_VERIFY'
|| input.key-usage == 'GENERATE_VERIFY_MAC'
|| input.key-usage == 'KEY_AGREEMENT'

Rotation period in days rules

rotation-period-in-days must be between 90 and 2560.

Rule logic
When
input.rotation-period-in-days != null
Require
(input.rotation-period-in-days == null || input.rotation-period-in-days >= 90)
&& (input.rotation-period-in-days == null || input.rotation-period-in-days <= 2560)
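The post-create reconcile described in the Description, together with the required-together rule for enable-key-rotation and rotation-period-in-days, as an added Go example (not code from the unobin library): KeyOps, Observed, Desired and Reconcile are names assumed here, and the KMS client sits behind the KeyOps interface so the logic can be exercised against a fake instead of AWS.

```go
package main

import "fmt"

// KeyOps is the KMS subset the post-create step needs (an interface assumed here, not unobin's API).
type KeyOps interface {
	EnableKey(id string) error
	DisableKey(id string) error
	EnableKeyRotation(id string, days int32) error
	DisableKeyRotation(id string) error
}

// Observed is the key as read back after creation (AWS default: enabled, rotation off).
type Observed struct {
	Enabled, RotationEnabled bool
	RotationDays             int32
}

// Desired mirrors the optional post-create inputs: nil means unset (the AWS default stands),
// true or false means the key is reconciled to that value.
type Desired struct {
	EnableKey, EnableKeyRotation *bool
	RotationPeriodInDays         *int32
}

// Reconcile checks the required-together rule, then issues only the KMS operations
// needed to move the observed key state to the desired one.
func Reconcile(ops KeyOps, id string, want Desired, obs Observed) error {
	if (want.EnableKeyRotation == nil) != (want.RotationPeriodInDays == nil) {
		return fmt.Errorf("enable-key-rotation and rotation-period-in-days are required together")
	}
	if want.EnableKey != nil && *want.EnableKey != obs.Enabled {
		op := ops.DisableKey
		if *want.EnableKey {
			op = ops.EnableKey
		}
		if err := op(id); err != nil {
			return err
		}
	}
	if want.EnableKeyRotation == nil {
		return nil // unset: the AWS default (rotation off) is left untouched
	}
	days := *want.RotationPeriodInDays
	switch {
	case *want.EnableKeyRotation && (!obs.RotationEnabled || obs.RotationDays != days):
		return ops.EnableKeyRotation(id, days)
	case !*want.EnableKeyRotation && obs.RotationEnabled:
		return ops.DisableKeyRotation(id)
	}
	return nil
}
```

A key that already matches the desired state produces no calls, so re-running the reconcile is idempotent.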

Outputs

arn

string

key-id

string