datasource/aws_kms_alias: Add target_key_arn attribute

[bflad]

This is an alternate implementation to #2224. Closes #2009.

KMS keys and aliases are bound to the same AWS partition, account, and region so it is safe to assemble the target key ARN from the alias ARN and target key ID. Reference: http://docs.aws.amazon.com/sdk-for-go/api/service/kms/#KMS.CreateAlias

The alias and the CMK it is mapped to must be in the same AWS account and the same region. You cannot perform this operation on an alias in a different AWS account.

make testacc TEST=./aws TESTARGS='-run=TestAccDataSourceAwsKmsAlias'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccDataSourceAwsKmsAlias -timeout 120m
=== RUN   TestAccDataSourceAwsKmsAlias
--- PASS: TestAccDataSourceAwsKmsAlias (41.76s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	41.791s

[handlerbot]

@bflad Thank you so so much for this! I was meaning to add it myself after the second time I had to hand-assemble the target key ARN in my configs. :-D

[radeksimko]

This looks overall good - just one nitpick about readability/cleanliness of the check.

Also do you mind resolving conflicts in the docs?

Thanks.

[radeksimko]

How do you feel about regexp matching with $ here? It seems that would be a little bit cleaner approach compared to modification of the original attribute.

[starlton-eb]

This would be awesome to have right now. I racked by brain all day wondering why my aws_efs_file_system instances were being recreated and discovered that it was due to a recent update to our stack that includes looking up a kms key:

resource "aws_efs_file_system" "efs" {
  creation_token = "${local.dbcluster}-efs-${var.env}"
  encrypted      = true
  kms_key_id     = "${data.aws_kms_alias.efs.arn}"

  tags {
    Name        = "${local.dbcluster}-efs-${var.env}"
    Environment = "${var.env}"
    Terraform   = "true"
  }
}

Learning more about this, what we really need is the target key's arn and not the alias

[bflad]

I'll update and merge this PR after we release v1.7.1 (hopefully tomorrow). 🚀

[bflad]

Rebased and updated if you'd like to give another look

make testacc TEST=./aws TESTARGS='-run=TestAccDataSourceAwsKmsAlias'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccDataSourceAwsKmsAlias -timeout 120m
=== RUN   TestAccDataSourceAwsKmsAlias
--- PASS: TestAccDataSourceAwsKmsAlias (40.72s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	40.769s

[ColinHebert]

Helps/fixes #3019

[bflad]

This has been released in terraform-provider-aws version 1.8.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!