Support for KMS Multi-Region Keys #19896
Comments
Keen for this to complement event-based architectures where our third parties in a different region use a KMS key to publish into our queues via a KMS key.
If anyone ever needed a temporary and potentially dangerous solution:

```hcl
resource "aws_kms_key" "example" {
  lifecycle {
    prevent_destroy = true
  }
}
```
Addressing this is on the roadmap for this quarter.

Do we think this should require a new resource?

@bshelton That's a good question... Seems a little tricky to model, since a replica key can become a primary key using

Any update?
At the moment, this problem can be solved through the awscc provider:

```hcl
resource "awscc_kms_key" "example_demo" {
  description           = "Key for Demo"
  key_usage             = "ENCRYPT_DECRYPT"
  key_spec              = "SYMMETRIC_DEFAULT"
  key_policy            = data.aws_iam_policy_document.example_demo.json
  pending_window_in_days = 7
  enabled               = true
  enable_key_rotation   = true
  multi_region          = true
  tags                  = module.tags.result_awscc
}

resource "aws_kms_alias" "example_demo" {
  target_key_id = awscc_kms_key.example_demo.key_id
  name          = "alias/example_demo"
}
```

P.S. The only thing is that it uses a slightly different tag format, but the tag-generator module already supports this format. Please also read Security in AWS Cloud Control API to understand the limitations.
Our intention is to add two new resources,

This functionality has been released in v3.64.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
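For reference, here is an added example (not code from this thread or from the provider's own docs) of the native configuration once the feature above is available: a primary key created with `multi_region = true` and a replica in a second region created with the `aws_kms_replica_key` resource via a provider alias. The region names and key descriptions are assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.64.0" # first release with multi-Region key support
    }
  }
}

# Primary region (assumed: us-east-1)
provider "aws" {
  region = "us-east-1"
}

# Replica region (assumed: eu-west-1), reached through a provider alias
provider "aws" {
  alias  = "replica"
  region = "eu-west-1"
}

# Primary multi-Region key. multi_region is fixed at creation time, so
# changing it later forces replacement of the key.
resource "aws_kms_key" "primary" {
  description             = "Example multi-Region primary key"
  multi_region            = true
  enable_key_rotation     = true
  deletion_window_in_days = 7

  # Guard against accidental destruction of the key and its replicas
  lifecycle {
    prevent_destroy = true
  }
}

# Replica in the second region, linked to the primary by ARN. It shares
# key material with the primary but keeps its own key policy.
resource "aws_kms_replica_key" "replica" {
  provider = aws.replica

  description             = "Replica of the primary multi-Region key"
  primary_key_arn         = aws_kms_key.primary.arn
  deletion_window_in_days = 7
}

resource "aws_kms_alias" "replica" {
  provider      = aws.replica
  name          = "alias/example_demo"
  target_key_id = aws_kms_replica_key.replica.key_id
}
```

The replica's key policy is managed independently of the primary's, so set `policy` on the replica explicitly if the cross-region publishers described in this thread must be granted the same permissions in both regions.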
Description
KMS now supports multi-region keys, please add support for this in the provider
New or Affected Resource(s)
Affected Resource: aws_kms_key (For enabling multi-region support)
New resource: aws_kms_key_replica (Create a replica key)
References
https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/replicate-key.html