Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for KMS Multi-Region Keys #19896

Closed
CarterSheehan opened this issue Jun 19, 2021 · 12 comments · Fixed by #20533
Closed

Support for KMS Multi-Region Keys #19896

CarterSheehan opened this issue Jun 19, 2021 · 12 comments · Fixed by #20533
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/kms Issues and PRs that pertain to the kms service.
Milestone

Comments

@CarterSheehan
Copy link

CarterSheehan commented Jun 19, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

KMS now supports multi-region keys, please add support for this in the provider

New or Affected Resource(s)

Affected Resource: aws_kms_key (For enabling multi-region support)
New resource: aws_kms_key_replica (Create a replica key)

References

https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/replicate-key.html

@CarterSheehan CarterSheehan added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 19, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 19, 2021
@triwats
Copy link

triwats commented Jun 21, 2021

Keen for this to compliment event-based architectures where our third parties in a different region use a KMS key to publish into our queues via a KMS key.

@ewbankkit ewbankkit added service/kms Issues and PRs that pertain to the kms service. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 25, 2021
@ewbankkit
Copy link
Contributor

AWS Developer Guide.

@cageyv
Copy link
Contributor

cageyv commented Aug 16, 2021

If anyone ever needed a temporary and potentially dangerous solution:

  • aws kms create-key --multi-region
  • terraform import aws_kms_key.example __KEY_ID__
resource "aws_kms_key" "example" {
  lifecycle {
    prevent_destroy = true
  }
}

@ewbankkit
Copy link
Contributor

Addressing this is on the roadmap for this quarter.

@bshelton
Copy link
Contributor

bshelton commented Sep 5, 2021

Do we think this should require a new resource?

@lorengordon
Copy link
Contributor

Do we think this should require a new resource?

@bshelton That's a good question... Seems a little tricky to model, since a replica key can become a primary key using UpdatePrimaryRegion. But also, each key, replica or primary, gets its own distinct policy and tags and so needs its own set of inputs.

@giovannifl
Copy link

Any update ?

@ewbankkit
Copy link
Contributor

AWS::KMS::ReplicaKey CloudFormation resource.

@cageyv
Copy link
Contributor

cageyv commented Oct 19, 2021

At the moment, this problem can be solved through the awscc provider:

resource "awscc_kms_key" "example_demo" {
  description            = "Key for Demo"
  key_usage              = "ENCRYPT_DECRYPT"
  key_spec               = "SYMMETRIC_DEFAULT"
  key_policy             = data.aws_iam_policy_document.example_demo.json
  pending_window_in_days = 7
  enabled                = true
  enable_key_rotation    = true
  multi_region           = true
  tags                   = module.tags.result_awscc
}

resource "aws_kms_alias" "example_demo" {
  target_key_id = awscc_kms_key.example_demo.key_id
  name          = "alias/example_demo"
}

P.S. The only thing it uses is a slightly different tag format, but the tag-generator module already supports this format.

Please also read Security in AWS Cloud Control API for understand the limitations
https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/security.html

@ewbankkit
Copy link
Contributor

Our intention is two add two new resources, aws_kms_replica_key (very similar to the AWS::KMS::ReplicaKey CloudFormation resource) and aws_kms_replica_external_key (to handle importing key material for a replica key).
This means that it will not be possible to change the primary key of a multi-Region key.
Such functionality would require the addition of something like an aws_kms_multi_region_key resource which represents both primary and replica keys.

@github-actions github-actions bot added this to the v3.64.0 milestone Oct 25, 2021
@github-actions
Copy link

github-actions bot commented Nov 4, 2021

This functionality has been released in v3.64.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/kms Issues and PRs that pertain to the kms service.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants