# Schema for KMS

| Property | Type | Required | Description |
|---|---|---|---|
| flavor | string | Yes | Implementation selector for the resource, e.g. for a resource type `ingress`: `default`, `aws_alb`, `gcp_alb`, etc. |
| kind | string | Yes | Describes the type of resource, e.g. `ingress`, `application`, `mysql`, etc. If not specified, the fallback is the folder name under `/instances`. |
| metadata | object | Yes | Metadata related to the resource |
| version | string | Yes | Pins the resource to a particular version |
| advanced | object | No | Additional fields, if any, for a particular implementation of a resource |
| conditional_on_intent | string | No | Enables the resource only when the named intent is available, e.g. `mysql` if a MySQL dashboard is to be deployed. Note: the instance must already be running for this to take effect. |
| depends_on | | No | Dependencies on other resources, e.g. application `x` may depend on `mysql` |
| disabled | boolean | No | Flag to disable the resource |
| lifecycle | string | No | The phase in which the resource is invoked. Possible values are: `ENVIRONMENT_BOOTSTRAP`, `ENVIRONMENT`. |
| out | object | No | Output given by the resource for others to refer to |
| provided | boolean | No | Flag indicating that the resource is provided externally and should not be provisioned by Facets |
| spec | object | No | Specification as per the resource type's schema |
## Additional fields, if any, for a particular implementation of a resource

| Property | Type | Required | Description |
|---|---|---|---|
## Metadata related to the resource

| Property | Type | Required | Description |
|---|---|---|---|
| name | string | No | Name of the resource. If not specified, the fallback is the filename. |
## Output given by the resource for others to refer to

| Property | Type | Required | Description |
|---|---|---|---|
| attributes | object | No | Attributes of the created KMS key (see below) |

### attributes

| Property | Type | Required | Description |
|---|---|---|---|
| kms_aliases | string | No | Aliases of the KMS key |
| kms_external_key_expiration_model | string | No | Expiration model of the KMS key |
| kms_external_key_state | string | No | State of the KMS key |
| kms_external_key_usage | string | No | Usage of the KMS key |
| kms_grants | string | No | Grants of the KMS key |
| kms_key_arn | string | No | ARN of the KMS key |
| kms_key_id | string | No | ID of the KMS key |
| kms_key_policy | string | No | Policy of the KMS key |
## Specification as per the resource type's schema

| Property | Type | Required | Description |
|---|---|---|---|
| aliases_use_name_prefix | boolean | No | Determines whether the alias name is used as a prefix |
| aliases | string[] | No | A list of aliases to create. Note: because of the use of `toset()`, values must be static strings and not computed values. |
| bypass_policy_lockout_safety_check | boolean or null | No | A flag indicating whether to bypass the key policy lockout safety check. Setting this value to `true` increases the risk that the KMS key becomes unmanageable. |
| computed_aliases | object | No | A map of aliases to create. Values provided via the `name` key of the map can be computed from upstream resources. |
| create_external | boolean | No | Determines whether an external CMK (externally provided material) is created instead of a standard CMK (AWS-provided material) |
| create_replica_external | boolean | No | Whether to create an external replica KMS key |
| create_replica | boolean | No | Determines whether a replica standard CMK is created (AWS-provided material) |
| custom_key_store_id | string or null | No | ID of the KMS custom key store where the key is stored instead of KMS (e.g. CloudHSM) |
| customer_master_key_spec | string or null | No | Specifies whether the key contains a symmetric key or an asymmetric key pair, and the encryption or signing algorithms that the key supports. Defaults to `SYMMETRIC_DEFAULT`. Possible values are: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, `ECC_SECG_P256K1`. |
| deletion_window_in_days | integer | No | The waiting period, in days, after which AWS KMS deletes the KMS key. If specified, it must be between 7 and 30, inclusive. If not specified, it defaults to 30. |
| description | string | No | The description of the key as shown in the AWS console |
| enable_default_policy | boolean | No | Specifies whether to enable the default key policy. Defaults to `true`. |
| enable_key_rotation | boolean | No | Specifies whether key rotation is enabled. Defaults to `true`. |
| enable_route53_dnssec | boolean | No | Specifies whether Route53 DNSSEC signing is enabled |
| grants | object | No | A map of grant definitions to create |
| is_enabled | boolean | No | Specifies whether the key is enabled. Defaults to `true`. |
| key_administrators | string[] | No | A list of IAM ARNs for key administrators |
| key_asymmetric_public_encryption_users | string[] | No | A list of IAM ARNs for principals with key usage permissions for asymmetric public encryption |
| key_asymmetric_sign_verify_users | string[] | No | A list of IAM ARNs for key asymmetric sign and verify users |
| key_hmac_users | string[] | No | A list of IAM ARNs for key HMAC users |
| key_material_base64 | string or null | No | Base64-encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External keys only. |
| key_owners | string[] | No | A list of IAM ARNs for principals with full key permissions (`kms:*`) |
| key_service_roles_for_autoscaling | string[] | No | A list of IAM ARNs for `AWSServiceRoleForAutoScaling` roles |
| key_service_users | string[] | No | A list of IAM ARNs for key service users |
| key_statements | object | No | A map of IAM policy statements for custom permission usage |
| key_symmetric_encryption_users | string[] | No | A list of IAM ARNs for key symmetric encryption users |
| key_usage | string or null | No | Specifies the intended use of the key. Defaults to `ENCRYPT_DECRYPT`. Possible values are: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`. |
| key_users | string[] | No | A list of IAM ARNs for key users |
| multi_region | boolean | No | Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`. |
| override_policy_documents | string[] | No | List of IAM policy documents that are merged into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid`. |
| policy | string or null | No | A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document` in the form that designates a principal can be used. |
| primary_external_key_arn | string or null | No | Determines whether a replica external CMK will be created (externally provided material) |
| primary_key_arn | string or null | No | The primary key ARN of a multi-Region replica key |
| rotation_period_in_days | integer | No | Custom period between rotation dates. Must be a number between 90 and 2560, inclusive. |
| route53_dnssec_sources | string[] | No | Determines whether the KMS policy used for Route53 DNSSEC signing is enabled |
| source_policy_documents | string[] | No | List of IAM policy documents that are merged into the exported document. Statements must have unique `sid`s. |
| valid_to | string or null | No | Time at which the imported key material expires. When the key material expires, AWS KMS deletes it and the CMK becomes unusable. If not specified, the key material does not expire. |
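The spec table above states several constraints (the 7 to 30 day deletion window, the 90 to 2560 day rotation period, the two enumerations, the 256-bit imported key material) and flags settings that weaken a key's security posture (`bypass_policy_lockout_safety_check`, disabling rotation, `kms:*` owners). The following validator, added here as an example and not part of the original page or of any Facets tooling, checks a `spec` object against exactly those documented rules before it is committed. The `validate_kms_spec` function name, the severity labels and the two sample specs are assumptions constructed for the example; the account id and role names in them are placeholders.

```python
"""Validate a KMS resource `spec` object against the constraints documented
in the schema table. Added example; not part of the original page or of any
Facets tooling. The sample specs at the bottom are constructed values."""
import base64
import binascii

# Enumerations copied from the schema table.
KEY_SPECS = {"SYMMETRIC_DEFAULT", "RSA_2048", "RSA_3072", "RSA_4096", "HMAC_256",
             "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"}
KEY_USAGES = {"ENCRYPT_DECRYPT", "SIGN_VERIFY"}


def validate_kms_spec(spec):
    """Return a list of (severity, field, message) findings.

    "error" marks values the schema rejects outright; "warn" marks values the
    schema accepts but that reduce the key's safety or recoverability.
    """
    findings = []
    error = lambda field, msg: findings.append(("error", field, msg))
    warn = lambda field, msg: findings.append(("warn", field, msg))

    # Range constraints stated in the schema.
    dw = spec.get("deletion_window_in_days")
    if dw is not None and not (isinstance(dw, int) and 7 <= dw <= 30):
        error("deletion_window_in_days", "must be an integer between 7 and 30 inclusive")
    elif dw is not None and dw < 30:
        warn("deletion_window_in_days",
             f"{dw} days shortens the recovery window after an accidental deletion (default 30)")

    rp = spec.get("rotation_period_in_days")
    if rp is not None and not (isinstance(rp, int) and 90 <= rp <= 2560):
        error("rotation_period_in_days", "must be an integer between 90 and 2560 inclusive")

    # Enumerations stated in the schema.
    ks = spec.get("customer_master_key_spec")
    if ks is not None and ks not in KEY_SPECS:
        error("customer_master_key_spec", f"unknown key spec {ks!r}")
    ku = spec.get("key_usage")
    if ku is not None and ku not in KEY_USAGES:
        error("key_usage", f"unknown key usage {ku!r}")

    # Settings the schema itself describes as risky or privilege-expanding.
    if spec.get("bypass_policy_lockout_safety_check") is True:
        warn("bypass_policy_lockout_safety_check",
             "bypassing the lockout safety check risks making the key unmanageable")
    if spec.get("enable_key_rotation") is False:
        warn("enable_key_rotation", "automatic rotation disabled (schema default is true)")
    if spec.get("enable_default_policy") is False and not spec.get("policy"):
        warn("enable_default_policy", "default key policy disabled and no explicit policy given")
    owners = spec.get("key_owners") or []
    if owners:
        warn("key_owners", f"{len(owners)} principal(s) receive full kms:* permissions")

    # Imported material must be valid base64 of a 256-bit (32-byte) key,
    # and only makes sense for an external key.
    km = spec.get("key_material_base64")
    if km is not None:
        try:
            raw = base64.b64decode(km, validate=True)
        except (binascii.Error, ValueError):
            error("key_material_base64", "not valid base64")
        else:
            if len(raw) != 32:
                error("key_material_base64", f"decoded material is {len(raw) * 8} bits, expected 256")
            if not spec.get("create_external"):
                warn("key_material_base64", "key material supplied but create_external is not true")

    # aliases feed toset(), so they must be a list of static strings.
    aliases = spec.get("aliases")
    if aliases is not None and not (isinstance(aliases, list)
                                    and all(isinstance(a, str) for a in aliases)):
        error("aliases", "must be a list of strings")

    return findings


# Constructed sample specs (placeholder account id and role names).
WEAK_SPEC = {
    "description": "constructed sample with weak settings",
    "deletion_window_in_days": 3,
    "enable_key_rotation": False,
    "bypass_policy_lockout_safety_check": True,
    "key_owners": ["arn:aws:iam::123456789012:role/PLACEHOLDER-admin"],
    "customer_master_key_spec": "RSA_1024",
}

HARDENED_SPEC = {
    "description": "constructed sample with hardened settings",
    "deletion_window_in_days": 30,
    "enable_key_rotation": True,
    "rotation_period_in_days": 365,
    "customer_master_key_spec": "SYMMETRIC_DEFAULT",
    "key_usage": "ENCRYPT_DECRYPT",
    "key_administrators": ["arn:aws:iam::123456789012:role/PLACEHOLDER-kms-admin"],
    "key_users": ["arn:aws:iam::123456789012:role/PLACEHOLDER-app"],
    "aliases": ["alias/PLACEHOLDER-app"],
}

if __name__ == "__main__":
    for name, s in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        for severity, field, msg in validate_kms_spec(s) or [("ok", "-", "no findings")]:
            print(f"{name:9} {severity:5} {field}: {msg}")
```

Running the block prints two errors and three warnings for the weak spec and no findings for the hardened one. The split between "error" and "warn" mirrors the table: ranges and enumerations are hard constraints, while the lockout bypass, disabled rotation and `kms:*` owners are accepted values that deserve a second look at review time.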
## A map of aliases to create (`computed_aliases`)

Values provided via the `name` key of the map can be computed from upstream resources.

| Property | Type | Required | Description |
|---|---|---|---|

## A map of grant definitions to create (`grants`)

| Property | Type | Required | Description |
|---|---|---|---|

## A map of IAM policy statements for custom permission usage (`key_statements`)

| Property | Type | Required | Description |
|---|---|---|---|