aws_kms

README

AWS KMS Key Provider

[!WARNING] This file is not an end-user documentation, it is intended for developers. Please follow the user documentation on the OpenTofu website unless you want to work on the encryption code.

This folder contains the code for the AWS KMS Key Provider. The user will be able to provide a reference to an AWS KMS key which can be used to encrypt and decrypt the data.

Configuration

You can configure this key provider by specifying the following options:

terraform {
    encryption {
        key_provider "aws_kms" "myprovider" {
           kms_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    }
}

Key Provider Options - kms_key_id

The kms_key_id can refer to one of the following:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
• Alias name: alias/ExampleAlias
• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

For more information see https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/kms#GenerateDataKeyInput

State Snapshotting and Key Usage

Overview

OpenTofu generates a new encryption key for every time we store encrypted data, ensuring high security by minimizing key reuse. This has some minor cost implications that should be communicated to the end users, There may be more keys generated than expected as OpenTofu uses a new key for each state snapshot. It is important to generate a new key for each state snapshot to ensure that the state snapshot is encrypted with a unique key instead of reusing the same key for all state snapshots and thus reducing the security of the system.

Documentation

Index

• func New() keyprovider.Descriptor
• type AssumeRole
• type AssumeRoleWithWebIdentity
• type Config
  • func (c Config) Build() (keyprovider.KeyProvider, keyprovider.KeyMeta, error)
• type ConfigEndpoints

Functions

func New

func New() keyprovider.Descriptor

Types

type AssumeRole

type AssumeRole struct {
	RoleARN           string            `hcl:"role_arn"`
	Duration          string            `hcl:"duration,optional"`
	ExternalID        string            `hcl:"external_id,optional"`
	Policy            string            `hcl:"policy,optional"`
	PolicyARNs        []string          `hcl:"policy_arns,optional"`
	SessionName       string            `hcl:"session_name,optional"`
	Tags              map[string]string `hcl:"tags,optional"`
	TransitiveTagKeys []string          `hcl:"transitive_tag_keys,optional"`
}

type AssumeRoleWithWebIdentity

type AssumeRoleWithWebIdentity struct {
	RoleARN              string   `hcl:"role_arn,optional"`
	Duration             string   `hcl:"duration,optional"`
	Policy               string   `hcl:"policy,optional"`
	PolicyARNs           []string `hcl:"policy_arns,optional"`
	SessionName          string   `hcl:"session_name,optional"`
	WebIdentityToken     string   `hcl:"web_identity_token,optional"`
	WebIdentityTokenFile string   `hcl:"web_identity_token_file,optional"`
}

type Config

type Config struct {
	// KeyProvider Config
	KMSKeyID string `hcl:"kms_key_id"`
	KeySpec  string `hcl:"key_spec"`

	// Mirrored S3 Backend Config, mirror any changes
	AccessKey                      string                     `hcl:"access_key,optional"`
	Endpoints                      []ConfigEndpoints          `hcl:"endpoints,block"`
	MaxRetries                     int                        `hcl:"max_retries,optional"`
	Profile                        string                     `hcl:"profile,optional"`
	Region                         string                     `hcl:"region,optional"`
	SecretKey                      string                     `hcl:"secret_key,optional"`
	SkipCredsValidation            bool                       `hcl:"skip_credentials_validation,optional"`
	SkipRequestingAccountId        bool                       `hcl:"skip_requesting_account_id,optional"`
	STSRegion                      string                     `hcl:"sts_region,optional"`
	Token                          string                     `hcl:"token,optional"`
	HTTPProxy                      *string                    `hcl:"http_proxy,optional"`
	HTTPSProxy                     *string                    `hcl:"https_proxy,optional"`
	NoProxy                        string                     `hcl:"no_proxy,optional"`
	Insecure                       bool                       `hcl:"insecure,optional"`
	UseDualStackEndpoint           bool                       `hcl:"use_dualstack_endpoint,optional"`
	UseFIPSEndpoint                bool                       `hcl:"use_fips_endpoint,optional"`
	CustomCABundle                 string                     `hcl:"custom_ca_bundle,optional"`
	EC2MetadataServiceEndpoint     string                     `hcl:"ec2_metadata_service_endpoint,optional"`
	EC2MetadataServiceEndpointMode string                     `hcl:"ec2_metadata_service_endpoint_mode,optional"`
	SkipMetadataAPICheck           *bool                      `hcl:"skip_metadata_api_check,optional"`
	SharedCredentialsFiles         []string                   `hcl:"shared_credentials_files,optional"`
	SharedConfigFiles              []string                   `hcl:"shared_config_files,optional"`
	AssumeRole                     *AssumeRole                `hcl:"assume_role,optional"`
	AssumeRoleWithWebIdentity      *AssumeRoleWithWebIdentity `hcl:"assume_role_with_web_identity,optional"`
	AllowedAccountIds              []string                   `hcl:"allowed_account_ids,optional"`
	ForbiddenAccountIds            []string                   `hcl:"forbidden_account_ids,optional"`
	RetryMode                      string                     `hcl:"retry_mode,optional"`
}

func (Config) Build

func (c Config) Build() (keyprovider.KeyProvider, keyprovider.KeyMeta, error)

type ConfigEndpoints

type ConfigEndpoints struct {
	IAM string `hcl:"iam,optional"`
	STS string `hcl:"sts,optional"`
}