Resource: awsKmsExternalKey

Manages a single-Region or multi-Region primary KMS key that uses external key material. To instead manage a single-Region or multi-Region primary KMS key where AWS automatically generates and potentially rotates key material, see the awsKmsKey resource.

~> Note: All arguments including the key material will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.kmsExternalKey.KmsExternalKey(this, "example", {
  description: "KMS EXTERNAL for AMI encryption",
});

Argument Reference

The following arguments are supported:

  • bypassPolicyLockoutSafetyCheck - (Optional) Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
  • deletionWindowInDays - (Optional) Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
  • description - (Optional) Description of the key.
  • enabled - (Optional) Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
  • keyMaterialBase64 - (Optional) Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
  • multiRegion - (Optional) Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
  • policy - (Optional) A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
  • tags - (Optional) A key-value map of tags to assign to the key. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • validTo - (Optional) Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ).

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The Amazon Resource Name (ARN) of the key.
  • expirationModel - Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
  • id - The unique identifier for the key.
  • keyState - The state of the CMK.
  • keyUsage - The cryptographic operations for which you can use the CMK.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
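The argument constraints above (32-byte key material, the 7 to 30 day deletion window, RFC3339 validTo, enabled only after import) and the expirationModel attribute can be checked before `cdktf synth` writes the key material into plain-text state. The following is an added example, not code from the provider or CDKTF: the KmsExternalKeyConfig interface mirrors this page's argument names, while validateExternalKey, base64DecodedLength and the placeholder material are assumptions of the example.

```typescript
// Added example: pre-flight checks on an awsKmsExternalKey configuration.
// Argument names follow the provider docs; the validator itself is an
// assumption of this example, not part of the provider.
interface KmsExternalKeyConfig {
  description?: string; keyMaterialBase64?: string; validTo?: string;
  deletionWindowInDays?: number; enabled?: boolean; multiRegion?: boolean;
  bypassPolicyLockoutSafetyCheck?: boolean; policy?: string;
}
type ExpirationModel = "" | "KEY_MATERIAL_EXPIRES" | "KEY_MATERIAL_DOES_NOT_EXPIRE";
interface Report { errors: string[]; warnings: string[]; expirationModel: ExpirationModel; }

// Decoded byte length of a base64 string, computed from its shape so the key
// material is never decoded here; -1 if the string is not well-formed base64.
function base64DecodedLength(s: string): number {
  if (s.length === 0 || s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return -1;
  const pad = s.endsWith("==") ? 2 : s.endsWith("=") ? 1 : 0;
  return (s.length / 4) * 3 - pad;
}

const RFC3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

function validateExternalKey(cfg: KmsExternalKeyConfig, now: Date): Report {
  const errors: string[] = [], warnings: string[] = [];
  const pendingImport = cfg.keyMaterialBase64 === undefined;
  if (!pendingImport) {
    const n = base64DecodedLength(cfg.keyMaterialBase64 as string);
    // Imported material must be exactly 256 bits of symmetric key.
    if (n !== 32) errors.push(`keyMaterialBase64 must decode to 32 bytes, got ${n}`);
    warnings.push("keyMaterialBase64 is written to raw state as plain text");
  } else if (cfg.enabled === true) {
    errors.push("a key pending import cannot be enabled");
  }
  if (cfg.validTo !== undefined) {
    if (!RFC3339.test(cfg.validTo)) errors.push("validTo must be an RFC3339 time string");
    else if (new Date(cfg.validTo).getTime() <= now.getTime()) errors.push("validTo is in the past");
  }
  const w = cfg.deletionWindowInDays ?? 30;
  if (!Number.isInteger(w) || w < 7 || w > 30) errors.push(`deletionWindowInDays must be 7..30, got ${w}`);
  if (cfg.bypassPolicyLockoutSafetyCheck) warnings.push("policy lockout safety check disabled; key may become unmanageable");
  if (cfg.policy !== undefined) { try { JSON.parse(cfg.policy); } catch { errors.push("policy is not valid JSON"); } }
  // Mirrors the exported expirationModel attribute for this configuration.
  const expirationModel: ExpirationModel =
    pendingImport ? "" : cfg.validTo ? "KEY_MATERIAL_EXPIRES" : "KEY_MATERIAL_DOES_NOT_EXPIRE";
  return { errors, warnings, expirationModel };
}

// Constructed placeholder: 43 'A's plus one '=' decodes to exactly 32 bytes.
// It is a shape-check fixture only, not usable key material.
const PLACEHOLDER_MATERIAL = "A".repeat(43) + "=";
```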

Import

KMS External Keys can be imported using the id, e.g.,

$ terraform import aws_kms_external_key.a arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab