Skip to content

Resource: awsKmsCiphertext

The KMS ciphertext resource allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this resource is stable across every apply. For a changing ciphertext value each apply, see the awsKmsCiphertext data source.

\~> Note: All arguments including the plaintext be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsKmsKeyOauthConfig = new aws.kmsKey.KmsKey(this, "oauth_config", {
  description: "oauth config",
  isEnabled: true,
});
new aws.kmsCiphertext.KmsCiphertext(this, "oauth", {
  keyId: awsKmsKeyOauthConfig.keyId,
  plaintext:
    '{\n  "client_id": "e587dbae22222f55da22",\n  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"\n}\n',
});

Argument Reference

The following arguments are supported:

  • plaintext - (Required) Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
  • keyId - (Required) Globally unique key ID for the customer master key.
  • context - (Optional) An optional mapping that makes up the encryption context.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • ciphertextBlob - Base64 encoded ciphertext