Bootstrap FreeKB - Amazon Web Services (AWS) - Create Update or Delete a Key Management Service (KMS) Keys using Terraform


Let's say you have the following files on your Terraform server.

├── required_providers.tf
├── key_management_services (directory)
│   ├── data.tf
│   ├── outputs.tf
│   ├── provider.tf
│   ├── resources.tf

 

required_providers.tf will almost always have this.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
    }
  }
}

 

Let's say provider.tf has the following. In this example, the "default" profile in /home/username/.aws/config and /home/username/.aws/credentials is being used. This assumes you have set up Terraform as described in Amazon Web Services (AWS) - Getting Started with Terraform.

provider "aws" {
  alias   = "default"
  profile = "default"
  region  = "us-east-1"   # must be a real AWS region name; "default" is not one (us-east-1 is assumed here as an example)
}

 

And resources.tf could have something like this.

resource "aws_kms_key" "my-kms-key" {
  description = "default KMS key"
}
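The resource above accepts every AWS default, which the plan output later on this page makes visible (enable_key_rotation = false, the AWS-generated key policy). The following is an added example, not the article's own code, of the same resources.tf written the way a security engineer would want it: rotation enabled, an explicit key policy that separates key administration from key use, an alias so callers never hard-code the key id, and the provider meta-argument so the resource actually uses the aliased provider from provider.tf. The data source would live in data.tf from the directory listing. The variable key_user_role_arn, its placeholder account id, and the alias name are assumptions for illustration.

```hcl
# Added example (not from the original article). Assumed names: var.key_user_role_arn
# and its placeholder default, and the alias "alias/default-kms-key".

# Account id of the credentials Terraform runs with; used to build the root principal ARN.
data "aws_caller_identity" "current" {
  provider = aws.default
}

variable "key_user_role_arn" {
  description = "ARN of the IAM role allowed to use (but not administer) the key. Placeholder value, assumed for this example."
  type        = string
  default     = "arn:aws:iam::123456789012:role/example-app-role"
}

resource "aws_kms_key" "my-kms-key" {
  provider    = aws.default        # provider.tf only declares an aliased provider, so select it explicitly
  description = "default KMS key"

  # Settings the plan output would otherwise silently leave at their defaults.
  enable_key_rotation      = true  # AWS rotates the backing key material automatically
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"

  # Explicit key policy instead of the AWS-generated default. The root statement keeps
  # the account (and therefore its IAM policies) able to administer the key, so the
  # identity running terraform cannot lock itself out; bypass_policy_lockout_safety_check
  # stays false. The second statement grants only data-plane actions to one role.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableRootAccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowUseOfTheKey"
        Effect    = "Allow"
        Principal = { AWS = var.key_user_role_arn }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
      }
    ]
  })

  tags = {
    Name = "default-kms-key"
  }
}

# A stable, human-readable name for callers. The key_id changes if the key is ever replaced;
# the alias can be re-pointed without touching every consumer.
resource "aws_kms_alias" "my-kms-key" {
  provider      = aws.default
  name          = "alias/default-kms-key"
  target_key_id = aws_kms_key.my-kms-key.key_id
}

# Would live in outputs.tf from the directory listing.
output "kms_key_arn" {
  value = aws_kms_key.my-kms-key.arn
}
```

With this in place the plan shows enable_key_rotation = true and the policy as a known value rather than "(known after apply)", so a reviewer can diff the key policy in the plan before anything is applied.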

 

You may need to reissue the terraform init command.

~]# terraform init
Initializing the backend...
Initializing modules...
Initializing provider plugins...
Terraform has been successfully initialized!

 

The terraform plan command can be used to see what Terraform will try to do.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.key_management_services.aws_kms_key.my-kms-key will be created
  + resource "aws_kms_key" "my-kms-key" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + description                        = "default KMS key"
      + enable_key_rotation                = false
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + tags_all                           = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

 

By default, the terraform.tfstate file is stored in your root module directory (/usr/local/terraform/aws in this example).

  • If the KMS key does not exist and the terraform.tfstate file does not contain the KMS key, Terraform will create the KMS key.
  • If the KMS key exists and the terraform.tfstate file contains the KMS key and a difference is found between the resources.tf file and the terraform.tfstate file, Terraform will update the KMS key.
  • If the KMS key exists and the terraform.tfstate file contains the KMS key and the KMS key is removed from the resources.tf file, Terraform will destroy (delete) the KMS key.
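The third case deserves a guard: once a KMS key's deletion waiting period ends, everything encrypted under it is unrecoverable. The following is an added example, not the article's own code, showing the same resource with a lifecycle guard so that dropping it from resources.tf (or a refactor that would replace it) makes terraform plan fail instead of scheduling the key for deletion, plus the longest waiting period KMS allows for the case where deletion is genuinely intended. Apart from these two additions the resource matches the article's.

```hcl
# Added example (not from the original article).
resource "aws_kms_key" "my-kms-key" {
  provider    = aws.default        # select the aliased provider declared in provider.tf
  description = "default KMS key"

  # When a deletion is finally applied, KMS holds the key in PendingDeletion for this many
  # days (7 to 30). During that window the key is unusable but the deletion can be cancelled
  # with kms:CancelKeyDeletion, which is the last chance to recover the ciphertexts.
  deletion_window_in_days = 30

  lifecycle {
    # Any plan that would destroy or replace this resource is rejected with an error.
    # Retiring the key deliberately means changing this to false in one reviewed apply
    # and removing the resource in the next.
    prevent_destroy = true
  }
}
```

If the key should merely stop being managed by Terraform without being deleted, terraform state rm module.key_management_services.aws_kms_key.my-kms-key removes it from terraform.tfstate while leaving the key in AWS; the guard does not interfere with that because no destroy is planned.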

The terraform apply command can be used to create, update or delete the KMS.

~]# terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.key_management_services.aws_kms_key.my-kms-key will be created
  + resource "aws_kms_key" "my-kms-key" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + description                        = "default KMS key"
      + enable_key_rotation                = false
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + tags_all                           = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.key_management_services.aws_kms_key.my-kms-key: Creating...
module.key_management_services.aws_kms_key.my-kms-key: Creation complete after 1s [id=18747cf6-f02e-4ab5-8406-c5be1dd4aec0]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

 
