Resource: awsRoute53KeySigningKey

Manages a Route 53 Key Signing Key. To manage Domain Name System Security Extensions (DNSSEC) for a Hosted Zone, see the awsRoute53HostedZoneDnssec resource. For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.
The code below runs inside the constructor of a cdktf TerraformStack (hence `this`).*/
import * as aws from "./.gen/providers/aws";
// Route 53 DNSSEC only accepts KMS keys that live in us-east-1.
new aws.provider.AwsProvider(this, "aws", {
  region: "us-east-1",
});
// Declared first so its accountId token can be used in the key policy below.
const current = new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
// KMS key that backs the KSK: asymmetric ECC_NIST_P256 with SIGN_VERIFY usage.
const awsKmsKeyExample = new aws.kmsKey.KmsKey(this, "example", {
  customerMasterKeySpec: "ECC_NIST_P256",
  deletionWindowInDays: 7,
  keyUsage: "SIGN_VERIFY",
  // Tokens such as current.accountId are resolved by cdktf at synth time.
  policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "Allow Route 53 DNSSEC Service",
        Effect: "Allow",
        Principal: { Service: "dnssec-route53.amazonaws.com" },
        Action: ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"],
        Resource: "*",
        // Confused-deputy guard: only hosted zones in this account may use the key.
        Condition: {
          StringEquals: { "aws:SourceAccount": current.accountId },
          ArnLike: { "aws:SourceArn": "arn:aws:route53:::hostedzone/*" },
        },
      },
      {
        Sid: "Allow Route 53 DNSSEC Service to CreateGrant",
        Effect: "Allow",
        Principal: { Service: "dnssec-route53.amazonaws.com" },
        Action: "kms:CreateGrant",
        Resource: "*",
        Condition: { Bool: { "kms:GrantIsForAWSResource": "true" } },
      },
      {
        Sid: "Enable IAM User Permissions",
        Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${current.accountId}:root` },
        Action: "kms:*",
        Resource: "*",
      },
    ],
  }),
});
const awsRoute53ZoneExample = new aws.route53Zone.Route53Zone(
  this,
  "example_3",
  {
    name: "example.com",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53ZoneExample.overrideLogicalId("example");
const awsRoute53KeySigningKeyExample =
  new aws.route53KeySigningKey.Route53KeySigningKey(this, "example_2", {
    hostedZoneId: awsRoute53ZoneExample.id,
    keyManagementServiceArn: awsKmsKeyExample.arn,
    name: "example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53KeySigningKeyExample.overrideLogicalId("example");
// Signing must not be enabled before the KSK exists; dependsOn (not depends_on) expresses that in cdktf.
const awsRoute53HostedZoneDnssecExample =
  new aws.route53HostedZoneDnssec.Route53HostedZoneDnssec(this, "example_5", {
    dependsOn: [awsRoute53KeySigningKeyExample],
    hostedZoneId: awsRoute53KeySigningKeyExample.hostedZoneId,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53HostedZoneDnssecExample.overrideLogicalId("example");

Argument Reference

The following arguments are required:

  • hostedZoneId - (Required) Identifier of the Route 53 Hosted Zone.
  • keyManagementServiceArn - (Required) Amazon Resource Name (ARN) of the Key Management Service (KMS) key. Each key-signing key (KSK) in a hosted zone must use a different KMS key. The key must be in the us-east-1 Region and meet the requirements described in the Route 53 Developer Guide and Route 53 API Reference: an asymmetric customer managed key with key spec ECC_NIST_P256 and key usage SIGN_VERIFY, whose key policy lets the dnssec-route53.amazonaws.com service principal call kms:DescribeKey, kms:GetPublicKey, kms:Sign and kms:CreateGrant, as in the Example Usage above.
  • name - (Required) Name of the key-signing key (KSK). Must be unique for each key-signing key in the same hosted zone.
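
The key policy is the part of this setup that is easy to get subtly wrong: dnssec-route53.amazonaws.com is a service principal shared by every AWS customer, so the aws:SourceAccount and aws:SourceArn conditions in the Example Usage are the confused-deputy guard that limits which account's hosted zones the service may sign for with this key. The preflight check below is added here as an example; it is not part of the provider or its documentation. The function names are this example's own, and the sample policy is constructed to mirror the Example Usage (no real account data).

```typescript
// Minimal typing for the parts of an IAM policy document the check looks at.
interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: string | { Service?: string | string[]; AWS?: string | string[] };
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, unknown>>;
}
interface PolicyDocument {
  Version: string;
  Statement: Statement | Statement[];
}

const DNSSEC_SERVICE = "dnssec-route53.amazonaws.com";
const SIGNING_ACTIONS = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"];
const HOSTED_ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/";

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Allow statements whose Principal is the Route 53 DNSSEC service principal.
function allowsDnssecService(s: Statement): boolean {
  if (s.Effect !== "Allow" || typeof s.Principal !== "object") return false;
  return asArray(s.Principal.Service).includes(DNSSEC_SERVICE);
}

// Whether a statement's Action covers one action, exactly or via a wildcard.
function grants(s: Statement, action: string): boolean {
  return asArray(s.Action).some((a) => a === action || a === "kms:*" || a === "*");
}

// Returns findings; an empty list means the policy grants the Route 53 DNSSEC service
// what a KSK needs and scopes that access to this account's hosted zones.
function checkDnssecKeyPolicy(policyJson: string, accountId: string): string[] {
  const findings: string[] = [];
  const doc = JSON.parse(policyJson) as PolicyDocument;
  const svc = asArray(doc.Statement).filter(allowsDnssecService);
  if (svc.length === 0) return [`no Allow statement for ${DNSSEC_SERVICE}`];

  for (const action of SIGNING_ACTIONS) {
    const s = svc.find((st) => grants(st, action));
    if (!s) {
      findings.push(`${action} is not granted to ${DNSSEC_SERVICE}`);
      continue;
    }
    // Confused-deputy guard: the service principal is shared across accounts, so the
    // statement must be tied to this account and to Route 53 hosted zone ARNs.
    if (s.Condition?.StringEquals?.["aws:SourceAccount"] !== accountId) {
      findings.push(`${action}: aws:SourceAccount condition missing or not ${accountId}`);
    }
    const sourceArn = s.Condition?.ArnLike?.["aws:SourceArn"];
    if (typeof sourceArn !== "string" || !sourceArn.startsWith(HOSTED_ZONE_ARN_PREFIX)) {
      findings.push(`${action}: aws:SourceArn condition missing or not scoped to hosted zones`);
    }
  }

  const grant = svc.find((st) => grants(st, "kms:CreateGrant"));
  if (!grant) {
    findings.push(`kms:CreateGrant is not granted to ${DNSSEC_SERVICE}`);
  } else if (String(grant.Condition?.Bool?.["kms:GrantIsForAWSResource"]) !== "true") {
    findings.push("kms:CreateGrant is not restricted with kms:GrantIsForAWSResource");
  }
  return findings;
}

// Constructed sample policy (no real account data) in the shape of the Example Usage;
// with guarded=false the confused-deputy and grant conditions are left out.
function sampleKeyPolicy(accountId: string, guarded: boolean): string {
  const service = { Service: DNSSEC_SERVICE };
  const signStmt: Statement = {
    Sid: "Allow Route 53 DNSSEC Service", Effect: "Allow", Principal: service,
    Action: SIGNING_ACTIONS, Resource: "*",
  };
  const grantStmt: Statement = {
    Sid: "Allow Route 53 DNSSEC Service to CreateGrant", Effect: "Allow", Principal: service,
    Action: "kms:CreateGrant", Resource: "*",
  };
  if (guarded) {
    signStmt.Condition = {
      StringEquals: { "aws:SourceAccount": accountId },
      ArnLike: { "aws:SourceArn": `${HOSTED_ZONE_ARN_PREFIX}*` },
    };
    grantStmt.Condition = { Bool: { "kms:GrantIsForAWSResource": "true" } };
  }
  const rootStmt: Statement = {
    Sid: "Enable IAM User Permissions", Effect: "Allow",
    Principal: { AWS: `arn:aws:iam::${accountId}:root` }, Action: "kms:*", Resource: "*",
  };
  const doc: PolicyDocument = { Version: "2012-10-17", Statement: [signStmt, grantStmt, rootStmt] };
  return JSON.stringify(doc);
}

console.log(checkDnssecKeyPolicy(sampleKeyPolicy("123456789012", false), "123456789012"));
```

Run it against the policy you are about to attach (for example the output of `aws kms get-key-policy`) with your own account id; a non-empty result means the key should not yet be referenced from keyManagementServiceArn. The check deliberately ignores the root-account statement, which is what keeps the key administrable but is not what Route 53 uses.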

The following arguments are optional:

  • status - (Optional) Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • digestAlgorithmMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
  • digestAlgorithmType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
  • digestValue - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
  • dnskeyRecord - A string that represents a DNSKEY record.
  • dsRecord - A string that represents a delegation signer (DS) record. Publish it in the parent zone (usually through the registrar) only after signing is enabled on the hosted zone: a DS with no matching signed DNSKEY makes validating resolvers treat the zone as bogus.
  • flag - An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
  • id - Route 53 Hosted Zone identifier and key-signing key name, separated by a comma (,).
  • keyTag - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
  • publicKey - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
  • signingAlgorithmMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
  • signingAlgorithmType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
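
Before the dsRecord above is handed to the parent zone it is worth recomputing it from dnskeyRecord rather than trusting the string blindly; both the key tag and the digest are cheap to derive. The code below is added here as an example and is not part of the provider or its documentation: it implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) and compares an exported DS with one recomputed from the DNSKEY. The function names are this example's own, and the sample DNSKEY is constructed with a 4-byte key so the key tag can be checked by hand; it is not a real P-256 key.

```typescript
import { createHash } from "node:crypto";

// DS digest types (RFC 4034 section 5.1.3 and the IANA registry): 2 = SHA-256, 4 = SHA-384.
const DS_DIGEST_ALGOS: Record<number, string> = { 2: "sha256", 4: "sha384" };

interface Dnskey {
  flags: number;
  protocol: number;
  algorithm: number;
  publicKey: Buffer;
}

// Parse "<flags> <protocol> <algorithm> <base64 public key>", the shape of the
// dnskeyRecord attribute (owner name and TTL are not part of it).
function parseDnskey(record: string): Dnskey {
  const [flags, protocol, algorithm, ...key] = record.trim().split(/\s+/);
  if (key.length === 0) throw new Error("not a DNSKEY record: " + record);
  return {
    flags: Number(flags),
    protocol: Number(protocol),
    algorithm: Number(algorithm),
    publicKey: Buffer.from(key.join(""), "base64"),
  };
}

// DNSKEY RDATA in wire form: flags (2 bytes), protocol (1), algorithm (1), public key.
function dnskeyRdata(k: Dnskey): Buffer {
  const header = Buffer.alloc(4);
  header.writeUInt16BE(k.flags, 0);
  header.writeUInt8(k.protocol, 2);
  header.writeUInt8(k.algorithm, 3);
  return Buffer.concat([header, k.publicKey]);
}

// Key tag per RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, then fold the carry.
function keyTag(k: Dnskey): number {
  const rdata = dnskeyRdata(k);
  let ac = 0;
  for (let i = 0; i < rdata.length; i++) {
    ac += i % 2 === 0 ? rdata[i] << 8 : rdata[i];
  }
  ac += (ac >> 16) & 0xffff;
  return ac & 0xffff;
}

// Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
// length-prefixed labels, terminated by the zero-length root label.
function ownerWire(name: string): Buffer {
  const labels = name.toLowerCase().split(".").filter((l) => l.length > 0);
  const parts = labels.map((l) => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, "ascii")]));
  return Buffer.concat([...parts, Buffer.from([0])]);
}

// DS digest (RFC 4034 section 5.1.4): hash(owner name wire form | DNSKEY RDATA), upper-case hex.
function dsDigest(owner: string, k: Dnskey, digestType = 2): string {
  const algo = DS_DIGEST_ALGOS[digestType];
  if (!algo) throw new Error("unsupported DS digest type " + digestType);
  return createHash(algo).update(ownerWire(owner)).update(dnskeyRdata(k)).digest("hex").toUpperCase();
}

// DS presentation form "<key tag> <algorithm> <digest type> <digest>", the shape of the dsRecord attribute.
function dsRecord(owner: string, k: Dnskey, digestType = 2): string {
  return `${keyTag(k)} ${k.algorithm} ${digestType} ${dsDigest(owner, k, digestType)}`;
}

// Recompute a DS from the DNSKEY and compare all four fields with the record under test.
function verifyDs(owner: string, dnskey: string, ds: string): boolean {
  const k = parseDnskey(dnskey);
  const [tag, alg, type, ...digest] = ds.trim().split(/\s+/);
  const digestType = Number(type);
  if (!(digestType in DS_DIGEST_ALGOS)) return false;
  return (
    Number(tag) === keyTag(k) &&
    Number(alg) === k.algorithm &&
    digest.join("").toUpperCase() === dsDigest(owner, k, digestType)
  );
}

// Constructed input (not a real key): a 4-byte "public key" keeps the numbers checkable by hand.
// A real Route 53 KSK is algorithm 13 (ECDSAP256SHA256) with a 64-byte key, and its DS uses digest type 2.
const SAMPLE_DNSKEY = "257 3 13 AQIDBA==";
const SAMPLE_DS = dsRecord("example.com.", parseDnskey(SAMPLE_DNSKEY)); // key tag 2068
console.log(SAMPLE_DS, verifyDs("example.com.", SAMPLE_DNSKEY, SAMPLE_DS));
```

In practice, pass the hosted zone name together with the dnskeyRecord and dsRecord attribute values (for example from `terraform output`) to verifyDs; if it returns false, something between the KMS public key and the exported record does not line up, and the DS should not be published until that is understood.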

Import

awsRoute53KeySigningKey resources can be imported by using the Route 53 Hosted Zone identifier and the key-signing key name, separated by a comma (,), e.g.,

$ terraform import aws_route53_key_signing_key.example Z1D633PJN98FT9,example