Add support for kms decrypt with asymmetric keys #21054

Closed
wants to merge 1 commit into from
16 changes: 16 additions & 0 deletions internal/service/kms/secrets_data_source.go
Expand Up @@ -8,6 +8,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/kms"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/hashicorp/terraform-provider-aws/internal/conns"
)

Expand All @@ -29,11 +30,20 @@ func DataSourceSecrets() *schema.Resource {
Type: schema.TypeString,
Required: true,
},
"algorithm": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice(kms.EncryptionAlgorithmSpec_Values(), false),
},
"context": {
Type: schema.TypeMap,
Optional: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"key_id": {
Type: schema.TypeString,
Optional: true,
},
"grant_tokens": {
Type: schema.TypeList,
Optional: true,
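Review bot: the `"key_id"` entry is placed between `"context"` and `"grant_tokens"`, which breaks the alphabetical ordering the rest of this schema follows (`algorithm`, `context`, `grant_tokens`, ...); move it after `"grant_tokens"`. Both new attributes live inside the per-secret block, so nothing at the schema level ties them together, yet an asymmetric decrypt needs both set, because KMS cannot recover the key from the ciphertext the way it does for a symmetric key. Either document that pairing for this block or check for it when the Decrypt parameters are built, so a user who sets `algorithm = "RSAES_OAEP_SHA_256"` without `key_id` gets a clear error instead of a KMS failure at apply time.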
Expand Down Expand Up @@ -71,12 +81,18 @@ func dataSourceSecretsRead(d *schema.ResourceData, meta interface{}) error {
params := &kms.DecryptInput{
CiphertextBlob: payload,
}
if algorithm, ok := d.GetOk("algorithm"); ok {
params.EncryptionAlgorithm = aws.String(algorithm.(string))
}
if context, exists := secret["context"]; exists {
params.EncryptionContext = make(map[string]*string)
for k, v := range context.(map[string]interface{}) {
params.EncryptionContext[k] = aws.String(v.(string))
}
}
if keyID, ok := d.GetOk("key_id"); ok {
params.KeyId = aws.String(keyID.(string))
}
if grant_tokens, exists := secret["grant_tokens"]; exists {
params.GrantTokens = make([]*string, 0)
for _, v := range grant_tokens.([]interface{}) {
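Review bot: `d.GetOk("algorithm")` and `d.GetOk("key_id")` read the top-level resource data, but the schema hunk declares both attributes inside the per-secret block, next to `context` and `grant_tokens`, which this function reads from the `secret` map. As written the two new parameters are never populated, every secret is still decrypted without a pinned key or algorithm, and the asymmetric case this PR is for does not work. Read them the way the sibling fields are read, and skip the empty string an unset optional field carries in a set-element map, since the SDK rejects an empty `KeyId`: `if keyID, exists := secret["key_id"]; exists && keyID.(string) != "" { params.KeyId = aws.String(keyID.(string)) }`, and likewise for `algorithm` into `params.EncryptionAlgorithm`. An acceptance test with two secrets carrying different `key_id` values would have caught this.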
2 changes: 2 additions & 0 deletions website/docs/d/kms_secrets.html.markdown
Expand Up @@ -64,7 +64,9 @@ Each `secret` supports the following arguments:

* `name` - (Required) The name to export this secret under in the attributes.
* `payload` - (Required) Base64 encoded payload, as returned from a KMS encrypt operation.
* `algorithm` - (Optional) Algorithm used for decrypting the secret.
* `context` - (Optional) An optional mapping that makes up the Encryption Context for the secret.
* `key_id` - (Optional) The KMS key id or arn for decrypting the secret.
* `grant_tokens` (Optional) An optional list of Grant Tokens for the secret.

For more information on `context` and `grant_tokens` see the [KMS
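Review bot: the `algorithm` line gives no accepted values, although the schema restricts it to the KMS `EncryptionAlgorithmSpec` values (such as `SYMMETRIC_DEFAULT`, `RSAES_OAEP_SHA_1` and `RSAES_OAEP_SHA_256`), and the `key_id` line does not say when it is needed: for a symmetric key KMS locates the key from the ciphertext, for an asymmetric key both `key_id` and `algorithm` must be given, and pinning `key_id` even for symmetric keys is what stops a ciphertext produced under a different key from being accepted. State both, and extend the "For more information on `context` and `grant_tokens`" sentence to cover the two new arguments, since it points at the same Decrypt API reference.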