Resource: awsKmsReplicaKey
Manages a KMS multi-Region replica key.
Example Usage
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

class KmsReplicaKeyStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Aliased provider for the Region that holds the multi-Region primary key.
    const awsPrimary = new aws.provider.AwsProvider(this, "aws", {
      alias: "primary",
      region: "us-east-1",
    });

    // Default (un-aliased) provider: the replica key is created in this Region.
    new aws.provider.AwsProvider(this, "aws_1", {
      region: "us-west-2",
    });

    // Primary key must be created with multiRegion set to true before it can be replicated.
    const awsKmsKeyPrimary = new aws.kmsKey.KmsKey(this, "primary", {
      deletionWindowInDays: 30,
      description: "Multi-Region primary key",
      multiRegion: true,
      provider: awsPrimary,
    });

    // Replica in us-west-2, linked to the primary by its ARN.
    new aws.kmsReplicaKey.KmsReplicaKey(this, "replica", {
      deletionWindowInDays: 7,
      description: "Multi-Region replica key",
      primaryKeyArn: awsKmsKeyPrimary.arn,
    });
  }
}
Argument Reference
The following arguments are supported:
- bypassPolicyLockoutSafetyCheck - (Optional) A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
- deletionWindowInDays - (Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30.
- description - (Optional) A description of the KMS key.
- enabled - (Optional) Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. The default value is true.
- policy - (Optional) The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key. For more information about building policy documents with Terraform, see the AWS IAM Policy Document Guide.
- primaryKeyArn - (Required) The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- tags - (Optional) A map of tags to assign to the replica key. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider level.
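The constraints listed above (a deletion window of 7 to 30 days, a primary key in a different Region of the same partition, and the lockout risk behind bypassPolicyLockoutSafetyCheck and a custom policy) can be checked before cdktf synth. The following is an added example and not code from this page or from the AWS provider; it is plain TypeScript with no dependency on the generated provider bindings, and ReplicaKeyConfig, parseKmsKeyArn, partitionForRegion, checkKeyPolicy, checkReplicaKeyConfig and the sample ARN are all constructed for illustration.

```typescript
// Added example (not part of the provider docs): pre-synth validation of the
// arguments a KmsReplicaKey takes. Every type and function here is hypothetical.

export interface ReplicaKeyConfig {
  region: string;                          // Region of the provider that creates the replica
  primaryKeyArn: string;                   // primaryKeyArn argument
  deletionWindowInDays?: number;           // 7..30, defaults to 30
  bypassPolicyLockoutSafetyCheck?: boolean;
  policy?: string;                         // JSON key policy, if one is supplied
}

export interface ParsedKmsArn {
  partition: string;
  region: string;
  account: string;
  keyId: string;
}

// KMS key ARNs have the form arn:<partition>:kms:<region>:<account>:key/<key-id>.
export function parseKmsKeyArn(arn: string): ParsedKmsArn | null {
  const m = /^arn:([^:]+):kms:([^:]+):(\d{12}):key\/([^:/]+)$/.exec(arn);
  return m ? { partition: m[1], region: m[2], account: m[3], keyId: m[4] } : null;
}

// Partition implied by a Region name (commercial, China, GovCloud).
export function partitionForRegion(region: string): string {
  if (region.startsWith("cn-")) return "aws-cn";
  if (region.startsWith("us-gov-")) return "aws-us-gov";
  return "aws";
}

// A key policy should keep an Allow statement for the account root principal;
// without it administrators can lose control of the key, which is the lockout
// that the bypassPolicyLockoutSafetyCheck flag exists to guard against.
export function checkKeyPolicy(policy: string, partition: string, account: string): string[] {
  let doc: any;
  try {
    doc = JSON.parse(policy);
  } catch {
    return ["policy is not valid JSON"];
  }
  const statements: any[] = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  const rootArn = `arn:${partition}:iam::${account}:root`;
  const keepsRoot = statements.some((s: any) => {
    if (!s || s.Effect !== "Allow") return false;
    const aws = s.Principal ? s.Principal.AWS : undefined;
    const principals: string[] = Array.isArray(aws) ? aws : aws ? [aws] : [];
    return principals.indexOf(rootArn) !== -1;
  });
  return keepsRoot ? [] : [`policy has no Allow statement for ${rootArn}; the key could become unmanageable`];
}

// Returns the list of findings; an empty list means every check passed.
export function checkReplicaKeyConfig(cfg: ReplicaKeyConfig): string[] {
  const findings: string[] = [];
  const primary = parseKmsKeyArn(cfg.primaryKeyArn);

  if (!primary) {
    findings.push(`primaryKeyArn is not a KMS key ARN: ${cfg.primaryKeyArn}`);
  } else {
    // The replica must be created in a different Region of the same partition.
    if (primary.region === cfg.region) {
      findings.push(`replica Region ${cfg.region} must differ from the primary key's Region`);
    }
    const replicaPartition = partitionForRegion(cfg.region);
    if (primary.partition !== replicaPartition) {
      findings.push(`primary key is in partition ${primary.partition}, but ${cfg.region} belongs to ${replicaPartition}`);
    }
    if (cfg.policy !== undefined) {
      findings.push(...checkKeyPolicy(cfg.policy, primary.partition, primary.account));
    }
  }

  const window = cfg.deletionWindowInDays === undefined ? 30 : cfg.deletionWindowInDays;
  if (!Number.isInteger(window) || window < 7 || window > 30) {
    findings.push(`deletionWindowInDays must be an integer between 7 and 30, got ${window}`);
  }

  if (cfg.bypassPolicyLockoutSafetyCheck === true) {
    findings.push("bypassPolicyLockoutSafetyCheck is true; set it only after verifying the policy does not lock out administrators");
  }
  return findings;
}

// Constructed sample values: a primary key in us-east-1 (fake account and key id).
export const SAMPLE_PRIMARY_ARN =
  "arn:aws:kms:us-east-1:123456789012:key/mrk-00000000000000000000000000000000";
export const SAMPLE_ROOT_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Sid: "EnableRootAccess", Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::123456789012:root" }, Action: "kms:*", Resource: "*" }],
});
```

Run checkReplicaKeyConfig over each replica's configuration in a pre-synth step or a cdktf aspect and fail the build when it returns any finding; the policy check is deliberately minimal and only confirms the account root principal is retained, which is the condition the lockout safety check is about.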
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- arn - The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- keyId - The key ID of the replica key. Related multi-Region keys have the same key ID.
- keyRotationEnabled - A Boolean value that specifies whether key rotation is enabled. This is a shared property of multi-Region keys.
- keySpec - The type of key material in the KMS key. This is a shared property of multi-Region keys.
- keyUsage - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
Import
KMS multi-Region replica keys can be imported using the id, e.g.,