kms

package
v6.53.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 26, 2024 License: Apache-2.0 Imports: 7 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Alias

type Alias struct {
	pulumi.CustomResourceState

	// The Amazon Resource Name (ARN) of the key alias.
	Arn pulumi.StringOutput `pulumi:"arn"`
	// The display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/)
	Name pulumi.StringOutput `pulumi:"name"`
	// Creates an unique alias beginning with the specified prefix.
	// The name must start with the word "alias" followed by a forward slash (alias/).  Conflicts with `name`.
	NamePrefix pulumi.StringOutput `pulumi:"namePrefix"`
	// The Amazon Resource Name (ARN) of the target key identifier.
	TargetKeyArn pulumi.StringOutput `pulumi:"targetKeyArn"`
	// Identifier for the key for which the alias is for, can be either an ARN or key_id.
	TargetKeyId pulumi.StringOutput `pulumi:"targetKeyId"`
}

Provides an alias for a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys, but API (hence this provider too) allows you to create as many aliases as the [account limits](http://docs.aws.amazon.com/kms/latest/developerguide/limits.html) allow you.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		a, err := kms.NewKey(ctx, "a", nil)
		if err != nil {
			return err
		}
		_, err = kms.NewAlias(ctx, "a", &kms.AliasArgs{
			Name:        pulumi.String("alias/my-key-alias"),
			TargetKeyId: a.KeyId,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Using `pulumi import`, import KMS aliases using the `name`. For example:

```sh $ pulumi import aws:kms/alias:Alias a alias/my-key-alias ```

func GetAlias

func GetAlias(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AliasState, opts ...pulumi.ResourceOption) (*Alias, error)

GetAlias gets an existing Alias resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAlias

func NewAlias(ctx *pulumi.Context,
	name string, args *AliasArgs, opts ...pulumi.ResourceOption) (*Alias, error)

NewAlias registers a new resource with the given unique name, arguments, and options.

func (*Alias) ElementType

func (*Alias) ElementType() reflect.Type

func (*Alias) ToAliasOutput

func (i *Alias) ToAliasOutput() AliasOutput

func (*Alias) ToAliasOutputWithContext

func (i *Alias) ToAliasOutputWithContext(ctx context.Context) AliasOutput

type AliasArgs

type AliasArgs struct {
	// The display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/)
	Name pulumi.StringPtrInput
	// Creates an unique alias beginning with the specified prefix.
	// The name must start with the word "alias" followed by a forward slash (alias/).  Conflicts with `name`.
	NamePrefix pulumi.StringPtrInput
	// Identifier for the key for which the alias is for, can be either an ARN or key_id.
	TargetKeyId pulumi.StringInput
}

The set of arguments for constructing a Alias resource.

func (AliasArgs) ElementType

func (AliasArgs) ElementType() reflect.Type

type AliasArray

type AliasArray []AliasInput

func (AliasArray) ElementType

func (AliasArray) ElementType() reflect.Type

func (AliasArray) ToAliasArrayOutput

func (i AliasArray) ToAliasArrayOutput() AliasArrayOutput

func (AliasArray) ToAliasArrayOutputWithContext

func (i AliasArray) ToAliasArrayOutputWithContext(ctx context.Context) AliasArrayOutput

type AliasArrayInput

type AliasArrayInput interface {
	pulumi.Input

	ToAliasArrayOutput() AliasArrayOutput
	ToAliasArrayOutputWithContext(context.Context) AliasArrayOutput
}

AliasArrayInput is an input type that accepts AliasArray and AliasArrayOutput values. You can construct a concrete instance of `AliasArrayInput` via:

AliasArray{ AliasArgs{...} }

type AliasArrayOutput

type AliasArrayOutput struct{ *pulumi.OutputState }

func (AliasArrayOutput) ElementType

func (AliasArrayOutput) ElementType() reflect.Type

func (AliasArrayOutput) Index

func (AliasArrayOutput) ToAliasArrayOutput

func (o AliasArrayOutput) ToAliasArrayOutput() AliasArrayOutput

func (AliasArrayOutput) ToAliasArrayOutputWithContext

func (o AliasArrayOutput) ToAliasArrayOutputWithContext(ctx context.Context) AliasArrayOutput

type AliasInput

type AliasInput interface {
	pulumi.Input

	ToAliasOutput() AliasOutput
	ToAliasOutputWithContext(ctx context.Context) AliasOutput
}

type AliasMap

type AliasMap map[string]AliasInput

func (AliasMap) ElementType

func (AliasMap) ElementType() reflect.Type

func (AliasMap) ToAliasMapOutput

func (i AliasMap) ToAliasMapOutput() AliasMapOutput

func (AliasMap) ToAliasMapOutputWithContext

func (i AliasMap) ToAliasMapOutputWithContext(ctx context.Context) AliasMapOutput

type AliasMapInput

type AliasMapInput interface {
	pulumi.Input

	ToAliasMapOutput() AliasMapOutput
	ToAliasMapOutputWithContext(context.Context) AliasMapOutput
}

AliasMapInput is an input type that accepts AliasMap and AliasMapOutput values. You can construct a concrete instance of `AliasMapInput` via:

AliasMap{ "key": AliasArgs{...} }

type AliasMapOutput

type AliasMapOutput struct{ *pulumi.OutputState }

func (AliasMapOutput) ElementType

func (AliasMapOutput) ElementType() reflect.Type

func (AliasMapOutput) MapIndex

func (AliasMapOutput) ToAliasMapOutput

func (o AliasMapOutput) ToAliasMapOutput() AliasMapOutput

func (AliasMapOutput) ToAliasMapOutputWithContext

func (o AliasMapOutput) ToAliasMapOutputWithContext(ctx context.Context) AliasMapOutput

type AliasOutput

type AliasOutput struct{ *pulumi.OutputState }

func (AliasOutput) Arn

The Amazon Resource Name (ARN) of the key alias.

func (AliasOutput) ElementType

func (AliasOutput) ElementType() reflect.Type

func (AliasOutput) Name

func (o AliasOutput) Name() pulumi.StringOutput

The display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/)

func (AliasOutput) NamePrefix

func (o AliasOutput) NamePrefix() pulumi.StringOutput

Creates an unique alias beginning with the specified prefix. The name must start with the word "alias" followed by a forward slash (alias/). Conflicts with `name`.

func (AliasOutput) TargetKeyArn

func (o AliasOutput) TargetKeyArn() pulumi.StringOutput

The Amazon Resource Name (ARN) of the target key identifier.

func (AliasOutput) TargetKeyId

func (o AliasOutput) TargetKeyId() pulumi.StringOutput

Identifier for the key for which the alias is for, can be either an ARN or key_id.

func (AliasOutput) ToAliasOutput

func (o AliasOutput) ToAliasOutput() AliasOutput

func (AliasOutput) ToAliasOutputWithContext

func (o AliasOutput) ToAliasOutputWithContext(ctx context.Context) AliasOutput

type AliasState

type AliasState struct {
	// The Amazon Resource Name (ARN) of the key alias.
	Arn pulumi.StringPtrInput
	// The display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/)
	Name pulumi.StringPtrInput
	// Creates an unique alias beginning with the specified prefix.
	// The name must start with the word "alias" followed by a forward slash (alias/).  Conflicts with `name`.
	NamePrefix pulumi.StringPtrInput
	// The Amazon Resource Name (ARN) of the target key identifier.
	TargetKeyArn pulumi.StringPtrInput
	// Identifier for the key for which the alias is for, can be either an ARN or key_id.
	TargetKeyId pulumi.StringPtrInput
}

func (AliasState) ElementType

func (AliasState) ElementType() reflect.Type

type Ciphertext

type Ciphertext struct {
	pulumi.CustomResourceState

	// Base64 encoded ciphertext
	CiphertextBlob pulumi.StringOutput `pulumi:"ciphertextBlob"`
	// An optional mapping that makes up the encryption context.
	Context pulumi.StringMapOutput `pulumi:"context"`
	// Globally unique key ID for the customer master key.
	KeyId pulumi.StringOutput `pulumi:"keyId"`
	// Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
	Plaintext pulumi.StringOutput `pulumi:"plaintext"`
}

The KMS ciphertext resource allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this resource is stable across every apply. For a changing ciphertext value each apply, see the `kms.Ciphertext` data source.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		oauthConfig, err := kms.NewKey(ctx, "oauth_config", &kms.KeyArgs{
			Description: pulumi.String("oauth config"),
			IsEnabled:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCiphertext(ctx, "oauth", &kms.CiphertextArgs{
			KeyId:     oauthConfig.KeyId,
			Plaintext: pulumi.String("{\n  \"client_id\": \"e587dbae22222f55da22\",\n  \"client_secret\": \"8289575d00000ace55e1815ec13673955721b8a5\"\n}\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

func GetCiphertext

func GetCiphertext(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *CiphertextState, opts ...pulumi.ResourceOption) (*Ciphertext, error)

GetCiphertext gets an existing Ciphertext resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewCiphertext

func NewCiphertext(ctx *pulumi.Context,
	name string, args *CiphertextArgs, opts ...pulumi.ResourceOption) (*Ciphertext, error)

NewCiphertext registers a new resource with the given unique name, arguments, and options.

func (*Ciphertext) ElementType

func (*Ciphertext) ElementType() reflect.Type

func (*Ciphertext) ToCiphertextOutput

func (i *Ciphertext) ToCiphertextOutput() CiphertextOutput

func (*Ciphertext) ToCiphertextOutputWithContext

func (i *Ciphertext) ToCiphertextOutputWithContext(ctx context.Context) CiphertextOutput

type CiphertextArgs

type CiphertextArgs struct {
	// An optional mapping that makes up the encryption context.
	Context pulumi.StringMapInput
	// Globally unique key ID for the customer master key.
	KeyId pulumi.StringInput
	// Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
	Plaintext pulumi.StringInput
}

The set of arguments for constructing a Ciphertext resource.

func (CiphertextArgs) ElementType

func (CiphertextArgs) ElementType() reflect.Type

type CiphertextArray

type CiphertextArray []CiphertextInput

func (CiphertextArray) ElementType

func (CiphertextArray) ElementType() reflect.Type

func (CiphertextArray) ToCiphertextArrayOutput

func (i CiphertextArray) ToCiphertextArrayOutput() CiphertextArrayOutput

func (CiphertextArray) ToCiphertextArrayOutputWithContext

func (i CiphertextArray) ToCiphertextArrayOutputWithContext(ctx context.Context) CiphertextArrayOutput

type CiphertextArrayInput

type CiphertextArrayInput interface {
	pulumi.Input

	ToCiphertextArrayOutput() CiphertextArrayOutput
	ToCiphertextArrayOutputWithContext(context.Context) CiphertextArrayOutput
}

CiphertextArrayInput is an input type that accepts CiphertextArray and CiphertextArrayOutput values. You can construct a concrete instance of `CiphertextArrayInput` via:

CiphertextArray{ CiphertextArgs{...} }

type CiphertextArrayOutput

type CiphertextArrayOutput struct{ *pulumi.OutputState }

func (CiphertextArrayOutput) ElementType

func (CiphertextArrayOutput) ElementType() reflect.Type

func (CiphertextArrayOutput) Index

func (CiphertextArrayOutput) ToCiphertextArrayOutput

func (o CiphertextArrayOutput) ToCiphertextArrayOutput() CiphertextArrayOutput

func (CiphertextArrayOutput) ToCiphertextArrayOutputWithContext

func (o CiphertextArrayOutput) ToCiphertextArrayOutputWithContext(ctx context.Context) CiphertextArrayOutput

type CiphertextInput

type CiphertextInput interface {
	pulumi.Input

	ToCiphertextOutput() CiphertextOutput
	ToCiphertextOutputWithContext(ctx context.Context) CiphertextOutput
}

type CiphertextMap

type CiphertextMap map[string]CiphertextInput

func (CiphertextMap) ElementType

func (CiphertextMap) ElementType() reflect.Type

func (CiphertextMap) ToCiphertextMapOutput

func (i CiphertextMap) ToCiphertextMapOutput() CiphertextMapOutput

func (CiphertextMap) ToCiphertextMapOutputWithContext

func (i CiphertextMap) ToCiphertextMapOutputWithContext(ctx context.Context) CiphertextMapOutput

type CiphertextMapInput

type CiphertextMapInput interface {
	pulumi.Input

	ToCiphertextMapOutput() CiphertextMapOutput
	ToCiphertextMapOutputWithContext(context.Context) CiphertextMapOutput
}

CiphertextMapInput is an input type that accepts CiphertextMap and CiphertextMapOutput values. You can construct a concrete instance of `CiphertextMapInput` via:

CiphertextMap{ "key": CiphertextArgs{...} }

type CiphertextMapOutput

type CiphertextMapOutput struct{ *pulumi.OutputState }

func (CiphertextMapOutput) ElementType

func (CiphertextMapOutput) ElementType() reflect.Type

func (CiphertextMapOutput) MapIndex

func (CiphertextMapOutput) ToCiphertextMapOutput

func (o CiphertextMapOutput) ToCiphertextMapOutput() CiphertextMapOutput

func (CiphertextMapOutput) ToCiphertextMapOutputWithContext

func (o CiphertextMapOutput) ToCiphertextMapOutputWithContext(ctx context.Context) CiphertextMapOutput

type CiphertextOutput

type CiphertextOutput struct{ *pulumi.OutputState }

func (CiphertextOutput) CiphertextBlob

func (o CiphertextOutput) CiphertextBlob() pulumi.StringOutput

Base64 encoded ciphertext

func (CiphertextOutput) Context

An optional mapping that makes up the encryption context.

func (CiphertextOutput) ElementType

func (CiphertextOutput) ElementType() reflect.Type

func (CiphertextOutput) KeyId

Globally unique key ID for the customer master key.

func (CiphertextOutput) Plaintext

func (o CiphertextOutput) Plaintext() pulumi.StringOutput

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

func (CiphertextOutput) ToCiphertextOutput

func (o CiphertextOutput) ToCiphertextOutput() CiphertextOutput

func (CiphertextOutput) ToCiphertextOutputWithContext

func (o CiphertextOutput) ToCiphertextOutputWithContext(ctx context.Context) CiphertextOutput

type CiphertextState

type CiphertextState struct {
	// Base64 encoded ciphertext
	CiphertextBlob pulumi.StringPtrInput
	// An optional mapping that makes up the encryption context.
	Context pulumi.StringMapInput
	// Globally unique key ID for the customer master key.
	KeyId pulumi.StringPtrInput
	// Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
	Plaintext pulumi.StringPtrInput
}

func (CiphertextState) ElementType

func (CiphertextState) ElementType() reflect.Type

type CustomKeyStore

type CustomKeyStore struct {
	pulumi.CustomResourceState

	// Cluster ID of CloudHSM.
	CloudHsmClusterId pulumi.StringOutput `pulumi:"cloudHsmClusterId"`
	// Unique name for Custom Key Store.
	CustomKeyStoreName pulumi.StringOutput `pulumi:"customKeyStoreName"`
	// Password for `kmsuser` on CloudHSM.
	KeyStorePassword pulumi.StringOutput `pulumi:"keyStorePassword"`
	// Customer certificate used for signing on CloudHSM.
	TrustAnchorCertificate pulumi.StringOutput `pulumi:"trustAnchorCertificate"`
}

Resource for managing an AWS KMS (Key Management) Custom Key Store.

## Example Usage

### Basic Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "anchor-certificate.crt",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.NewCustomKeyStore(ctx, "test", &kms.CustomKeyStoreArgs{
			CloudHsmClusterId:      pulumi.Any(cloudHsmClusterId),
			CustomKeyStoreName:     pulumi.String("kms-custom-key-store-test"),
			KeyStorePassword:       pulumi.String("noplaintextpasswords1"),
			TrustAnchorCertificate: pulumi.String(invokeFile.Result),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Using `pulumi import`, import KMS (Key Management) Custom Key Store using the `id`. For example:

```sh $ pulumi import aws:kms/customKeyStore:CustomKeyStore example cks-5ebd4ef395a96288e ```

func GetCustomKeyStore

func GetCustomKeyStore(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *CustomKeyStoreState, opts ...pulumi.ResourceOption) (*CustomKeyStore, error)

GetCustomKeyStore gets an existing CustomKeyStore resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewCustomKeyStore

func NewCustomKeyStore(ctx *pulumi.Context,
	name string, args *CustomKeyStoreArgs, opts ...pulumi.ResourceOption) (*CustomKeyStore, error)

NewCustomKeyStore registers a new resource with the given unique name, arguments, and options.

func (*CustomKeyStore) ElementType

func (*CustomKeyStore) ElementType() reflect.Type

func (*CustomKeyStore) ToCustomKeyStoreOutput

func (i *CustomKeyStore) ToCustomKeyStoreOutput() CustomKeyStoreOutput

func (*CustomKeyStore) ToCustomKeyStoreOutputWithContext

func (i *CustomKeyStore) ToCustomKeyStoreOutputWithContext(ctx context.Context) CustomKeyStoreOutput

type CustomKeyStoreArgs

type CustomKeyStoreArgs struct {
	// Cluster ID of CloudHSM.
	CloudHsmClusterId pulumi.StringInput
	// Unique name for Custom Key Store.
	CustomKeyStoreName pulumi.StringInput
	// Password for `kmsuser` on CloudHSM.
	KeyStorePassword pulumi.StringInput
	// Customer certificate used for signing on CloudHSM.
	TrustAnchorCertificate pulumi.StringInput
}

The set of arguments for constructing a CustomKeyStore resource.

func (CustomKeyStoreArgs) ElementType

func (CustomKeyStoreArgs) ElementType() reflect.Type

type CustomKeyStoreArray

type CustomKeyStoreArray []CustomKeyStoreInput

func (CustomKeyStoreArray) ElementType

func (CustomKeyStoreArray) ElementType() reflect.Type

func (CustomKeyStoreArray) ToCustomKeyStoreArrayOutput

func (i CustomKeyStoreArray) ToCustomKeyStoreArrayOutput() CustomKeyStoreArrayOutput

func (CustomKeyStoreArray) ToCustomKeyStoreArrayOutputWithContext

func (i CustomKeyStoreArray) ToCustomKeyStoreArrayOutputWithContext(ctx context.Context) CustomKeyStoreArrayOutput

type CustomKeyStoreArrayInput

type CustomKeyStoreArrayInput interface {
	pulumi.Input

	ToCustomKeyStoreArrayOutput() CustomKeyStoreArrayOutput
	ToCustomKeyStoreArrayOutputWithContext(context.Context) CustomKeyStoreArrayOutput
}

CustomKeyStoreArrayInput is an input type that accepts CustomKeyStoreArray and CustomKeyStoreArrayOutput values. You can construct a concrete instance of `CustomKeyStoreArrayInput` via:

CustomKeyStoreArray{ CustomKeyStoreArgs{...} }

type CustomKeyStoreArrayOutput

type CustomKeyStoreArrayOutput struct{ *pulumi.OutputState }

func (CustomKeyStoreArrayOutput) ElementType

func (CustomKeyStoreArrayOutput) ElementType() reflect.Type

func (CustomKeyStoreArrayOutput) Index

func (CustomKeyStoreArrayOutput) ToCustomKeyStoreArrayOutput

func (o CustomKeyStoreArrayOutput) ToCustomKeyStoreArrayOutput() CustomKeyStoreArrayOutput

func (CustomKeyStoreArrayOutput) ToCustomKeyStoreArrayOutputWithContext

func (o CustomKeyStoreArrayOutput) ToCustomKeyStoreArrayOutputWithContext(ctx context.Context) CustomKeyStoreArrayOutput

type CustomKeyStoreInput

type CustomKeyStoreInput interface {
	pulumi.Input

	ToCustomKeyStoreOutput() CustomKeyStoreOutput
	ToCustomKeyStoreOutputWithContext(ctx context.Context) CustomKeyStoreOutput
}

type CustomKeyStoreMap

type CustomKeyStoreMap map[string]CustomKeyStoreInput

func (CustomKeyStoreMap) ElementType

func (CustomKeyStoreMap) ElementType() reflect.Type

func (CustomKeyStoreMap) ToCustomKeyStoreMapOutput

func (i CustomKeyStoreMap) ToCustomKeyStoreMapOutput() CustomKeyStoreMapOutput

func (CustomKeyStoreMap) ToCustomKeyStoreMapOutputWithContext

func (i CustomKeyStoreMap) ToCustomKeyStoreMapOutputWithContext(ctx context.Context) CustomKeyStoreMapOutput

type CustomKeyStoreMapInput

type CustomKeyStoreMapInput interface {
	pulumi.Input

	ToCustomKeyStoreMapOutput() CustomKeyStoreMapOutput
	ToCustomKeyStoreMapOutputWithContext(context.Context) CustomKeyStoreMapOutput
}

CustomKeyStoreMapInput is an input type that accepts CustomKeyStoreMap and CustomKeyStoreMapOutput values. You can construct a concrete instance of `CustomKeyStoreMapInput` via:

CustomKeyStoreMap{ "key": CustomKeyStoreArgs{...} }

type CustomKeyStoreMapOutput

type CustomKeyStoreMapOutput struct{ *pulumi.OutputState }

func (CustomKeyStoreMapOutput) ElementType

func (CustomKeyStoreMapOutput) ElementType() reflect.Type

func (CustomKeyStoreMapOutput) MapIndex

func (CustomKeyStoreMapOutput) ToCustomKeyStoreMapOutput

func (o CustomKeyStoreMapOutput) ToCustomKeyStoreMapOutput() CustomKeyStoreMapOutput

func (CustomKeyStoreMapOutput) ToCustomKeyStoreMapOutputWithContext

func (o CustomKeyStoreMapOutput) ToCustomKeyStoreMapOutputWithContext(ctx context.Context) CustomKeyStoreMapOutput

type CustomKeyStoreOutput

type CustomKeyStoreOutput struct{ *pulumi.OutputState }

func (CustomKeyStoreOutput) CloudHsmClusterId

func (o CustomKeyStoreOutput) CloudHsmClusterId() pulumi.StringOutput

Cluster ID of CloudHSM.

func (CustomKeyStoreOutput) CustomKeyStoreName

func (o CustomKeyStoreOutput) CustomKeyStoreName() pulumi.StringOutput

Unique name for Custom Key Store.

func (CustomKeyStoreOutput) ElementType

func (CustomKeyStoreOutput) ElementType() reflect.Type

func (CustomKeyStoreOutput) KeyStorePassword

func (o CustomKeyStoreOutput) KeyStorePassword() pulumi.StringOutput

Password for `kmsuser` on CloudHSM.

func (CustomKeyStoreOutput) ToCustomKeyStoreOutput

func (o CustomKeyStoreOutput) ToCustomKeyStoreOutput() CustomKeyStoreOutput

func (CustomKeyStoreOutput) ToCustomKeyStoreOutputWithContext

func (o CustomKeyStoreOutput) ToCustomKeyStoreOutputWithContext(ctx context.Context) CustomKeyStoreOutput

func (CustomKeyStoreOutput) TrustAnchorCertificate

func (o CustomKeyStoreOutput) TrustAnchorCertificate() pulumi.StringOutput

Customer certificate used for signing on CloudHSM.

type CustomKeyStoreState

type CustomKeyStoreState struct {
	// Cluster ID of CloudHSM.
	CloudHsmClusterId pulumi.StringPtrInput
	// Unique name for Custom Key Store.
	CustomKeyStoreName pulumi.StringPtrInput
	// Password for `kmsuser` on CloudHSM.
	KeyStorePassword pulumi.StringPtrInput
	// Customer certificate used for signing on CloudHSM.
	TrustAnchorCertificate pulumi.StringPtrInput
}

func (CustomKeyStoreState) ElementType

func (CustomKeyStoreState) ElementType() reflect.Type

type ExternalKey

type ExternalKey struct {
	pulumi.CustomResourceState

	// The Amazon Resource Name (ARN) of the key.
	Arn pulumi.StringOutput `pulumi:"arn"`
	// Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to `true` increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the AWS Key Management Service Developer Guide. Defaults to `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrOutput `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// Duration in days after which the key is deleted after destruction of the resource. Must be between `7` and `30` days. Defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrOutput `pulumi:"deletionWindowInDays"`
	// Description of the key.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// Specifies whether the key is enabled. Keys pending import can only be `false`. Imported keys default to `true` unless expired.
	Enabled pulumi.BoolOutput `pulumi:"enabled"`
	// Whether the key material expires. Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.
	ExpirationModel pulumi.StringOutput `pulumi:"expirationModel"`
	// Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
	KeyMaterialBase64 pulumi.StringPtrOutput `pulumi:"keyMaterialBase64"`
	// The state of the CMK.
	KeyState pulumi.StringOutput `pulumi:"keyState"`
	// The cryptographic operations for which you can use the CMK.
	KeyUsage pulumi.StringOutput `pulumi:"keyUsage"`
	// Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
	MultiRegion pulumi.BoolOutput `pulumi:"multiRegion"`
	// A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
	Policy pulumi.StringOutput `pulumi:"policy"`
	// A key-value map of tags to assign to the key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapOutput `pulumi:"tags"`
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapOutput `pulumi:"tagsAll"`
	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)
	ValidTo pulumi.StringPtrOutput `pulumi:"validTo"`
}

Manages a single-Region or multi-Region primary KMS key that uses external key material. To instead manage a single-Region or multi-Region primary KMS key where AWS automatically generates and potentially rotates key material, see the `kms.Key` resource.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewExternalKey(ctx, "example", &kms.ExternalKeyArgs{
			Description: pulumi.String("KMS EXTERNAL for AMI encryption"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Using `pulumi import`, import KMS External Keys using the `id`. For example:

```sh $ pulumi import aws:kms/externalKey:ExternalKey a arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab ```

func GetExternalKey

func GetExternalKey(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ExternalKeyState, opts ...pulumi.ResourceOption) (*ExternalKey, error)

GetExternalKey gets an existing ExternalKey resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewExternalKey

func NewExternalKey(ctx *pulumi.Context,
	name string, args *ExternalKeyArgs, opts ...pulumi.ResourceOption) (*ExternalKey, error)

NewExternalKey registers a new resource with the given unique name, arguments, and options.

func (*ExternalKey) ElementType

func (*ExternalKey) ElementType() reflect.Type

func (*ExternalKey) ToExternalKeyOutput

func (i *ExternalKey) ToExternalKeyOutput() ExternalKeyOutput

func (*ExternalKey) ToExternalKeyOutputWithContext

func (i *ExternalKey) ToExternalKeyOutputWithContext(ctx context.Context) ExternalKeyOutput

type ExternalKeyArgs

type ExternalKeyArgs struct {
	// Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to `true` increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the AWS Key Management Service Developer Guide. Defaults to `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// Duration in days after which the key is deleted after destruction of the resource. Must be between `7` and `30` days. Defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrInput
	// Description of the key.
	Description pulumi.StringPtrInput
	// Specifies whether the key is enabled. Keys pending import can only be `false`. Imported keys default to `true` unless expired.
	Enabled pulumi.BoolPtrInput
	// Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
	KeyMaterialBase64 pulumi.StringPtrInput
	// Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
	MultiRegion pulumi.BoolPtrInput
	// A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
	Policy pulumi.StringPtrInput
	// A key-value map of tags to assign to the key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)
	ValidTo pulumi.StringPtrInput
}

The set of arguments for constructing a ExternalKey resource.

func (ExternalKeyArgs) ElementType

func (ExternalKeyArgs) ElementType() reflect.Type

type ExternalKeyArray

type ExternalKeyArray []ExternalKeyInput

func (ExternalKeyArray) ElementType

func (ExternalKeyArray) ElementType() reflect.Type

func (ExternalKeyArray) ToExternalKeyArrayOutput

func (i ExternalKeyArray) ToExternalKeyArrayOutput() ExternalKeyArrayOutput

func (ExternalKeyArray) ToExternalKeyArrayOutputWithContext

func (i ExternalKeyArray) ToExternalKeyArrayOutputWithContext(ctx context.Context) ExternalKeyArrayOutput

type ExternalKeyArrayInput

type ExternalKeyArrayInput interface {
	pulumi.Input

	ToExternalKeyArrayOutput() ExternalKeyArrayOutput
	ToExternalKeyArrayOutputWithContext(context.Context) ExternalKeyArrayOutput
}

ExternalKeyArrayInput is an input type that accepts ExternalKeyArray and ExternalKeyArrayOutput values. You can construct a concrete instance of `ExternalKeyArrayInput` via:

ExternalKeyArray{ ExternalKeyArgs{...} }

type ExternalKeyArrayOutput

type ExternalKeyArrayOutput struct{ *pulumi.OutputState }

func (ExternalKeyArrayOutput) ElementType

func (ExternalKeyArrayOutput) ElementType() reflect.Type

func (ExternalKeyArrayOutput) Index

func (ExternalKeyArrayOutput) ToExternalKeyArrayOutput

func (o ExternalKeyArrayOutput) ToExternalKeyArrayOutput() ExternalKeyArrayOutput

func (ExternalKeyArrayOutput) ToExternalKeyArrayOutputWithContext

func (o ExternalKeyArrayOutput) ToExternalKeyArrayOutputWithContext(ctx context.Context) ExternalKeyArrayOutput

type ExternalKeyInput

type ExternalKeyInput interface {
	pulumi.Input

	ToExternalKeyOutput() ExternalKeyOutput
	ToExternalKeyOutputWithContext(ctx context.Context) ExternalKeyOutput
}

type ExternalKeyMap

type ExternalKeyMap map[string]ExternalKeyInput

func (ExternalKeyMap) ElementType

func (ExternalKeyMap) ElementType() reflect.Type

func (ExternalKeyMap) ToExternalKeyMapOutput

func (i ExternalKeyMap) ToExternalKeyMapOutput() ExternalKeyMapOutput

func (ExternalKeyMap) ToExternalKeyMapOutputWithContext

func (i ExternalKeyMap) ToExternalKeyMapOutputWithContext(ctx context.Context) ExternalKeyMapOutput

type ExternalKeyMapInput

type ExternalKeyMapInput interface {
	pulumi.Input

	ToExternalKeyMapOutput() ExternalKeyMapOutput
	ToExternalKeyMapOutputWithContext(context.Context) ExternalKeyMapOutput
}

ExternalKeyMapInput is an input type that accepts ExternalKeyMap and ExternalKeyMapOutput values. You can construct a concrete instance of `ExternalKeyMapInput` via:

ExternalKeyMap{ "key": ExternalKeyArgs{...} }

type ExternalKeyMapOutput

type ExternalKeyMapOutput struct{ *pulumi.OutputState }

func (ExternalKeyMapOutput) ElementType

func (ExternalKeyMapOutput) ElementType() reflect.Type

func (ExternalKeyMapOutput) MapIndex

func (ExternalKeyMapOutput) ToExternalKeyMapOutput

func (o ExternalKeyMapOutput) ToExternalKeyMapOutput() ExternalKeyMapOutput

func (ExternalKeyMapOutput) ToExternalKeyMapOutputWithContext

func (o ExternalKeyMapOutput) ToExternalKeyMapOutputWithContext(ctx context.Context) ExternalKeyMapOutput

type ExternalKeyOutput

type ExternalKeyOutput struct{ *pulumi.OutputState }

func (ExternalKeyOutput) Arn

The Amazon Resource Name (ARN) of the key.

func (ExternalKeyOutput) BypassPolicyLockoutSafetyCheck

func (o ExternalKeyOutput) BypassPolicyLockoutSafetyCheck() pulumi.BoolPtrOutput

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to `true` increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the AWS Key Management Service Developer Guide. Defaults to `false`.

func (ExternalKeyOutput) DeletionWindowInDays

func (o ExternalKeyOutput) DeletionWindowInDays() pulumi.IntPtrOutput

Duration in days after which the key is deleted after destruction of the resource. Must be between `7` and `30` days. Defaults to `30`.

func (ExternalKeyOutput) Description

func (o ExternalKeyOutput) Description() pulumi.StringPtrOutput

Description of the key.

func (ExternalKeyOutput) ElementType

func (ExternalKeyOutput) ElementType() reflect.Type

func (ExternalKeyOutput) Enabled

func (o ExternalKeyOutput) Enabled() pulumi.BoolOutput

Specifies whether the key is enabled. Keys pending import can only be `false`. Imported keys default to `true` unless expired.

func (ExternalKeyOutput) ExpirationModel

func (o ExternalKeyOutput) ExpirationModel() pulumi.StringOutput

Whether the key material expires. Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.

func (ExternalKeyOutput) KeyMaterialBase64

func (o ExternalKeyOutput) KeyMaterialBase64() pulumi.StringPtrOutput

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

func (ExternalKeyOutput) KeyState

func (o ExternalKeyOutput) KeyState() pulumi.StringOutput

The state of the CMK.

func (ExternalKeyOutput) KeyUsage

func (o ExternalKeyOutput) KeyUsage() pulumi.StringOutput

The cryptographic operations for which you can use the CMK.

func (ExternalKeyOutput) MultiRegion

func (o ExternalKeyOutput) MultiRegion() pulumi.BoolOutput

Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.

func (ExternalKeyOutput) Policy

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

func (ExternalKeyOutput) Tags

A key-value map of tags to assign to the key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

func (ExternalKeyOutput) TagsAll deprecated

A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.

Deprecated: Please use `tags` instead.

func (ExternalKeyOutput) ToExternalKeyOutput

func (o ExternalKeyOutput) ToExternalKeyOutput() ExternalKeyOutput

func (ExternalKeyOutput) ToExternalKeyOutputWithContext

func (o ExternalKeyOutput) ToExternalKeyOutputWithContext(ctx context.Context) ExternalKeyOutput

func (ExternalKeyOutput) ValidTo

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)

type ExternalKeyState

type ExternalKeyState struct {
	// The Amazon Resource Name (ARN) of the key.
	Arn pulumi.StringPtrInput
	// Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to `true` increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the AWS Key Management Service Developer Guide. Defaults to `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// Duration in days after which the key is deleted after destruction of the resource. Must be between `7` and `30` days. Defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrInput
	// Description of the key.
	Description pulumi.StringPtrInput
	// Specifies whether the key is enabled. Keys pending import can only be `false`. Imported keys default to `true` unless expired.
	Enabled pulumi.BoolPtrInput
	// Whether the key material expires. Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.
	ExpirationModel pulumi.StringPtrInput
	// Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
	KeyMaterialBase64 pulumi.StringPtrInput
	// The state of the CMK.
	KeyState pulumi.StringPtrInput
	// The cryptographic operations for which you can use the CMK.
	KeyUsage pulumi.StringPtrInput
	// Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
	MultiRegion pulumi.BoolPtrInput
	// A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
	Policy pulumi.StringPtrInput
	// A key-value map of tags to assign to the key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapInput
	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)
	ValidTo pulumi.StringPtrInput
}

func (ExternalKeyState) ElementType

func (ExternalKeyState) ElementType() reflect.Type

type GetCipherTextArgs

type GetCipherTextArgs struct {
	// An optional mapping that makes up the encryption context.
	Context map[string]string `pulumi:"context"`
	// Globally unique key ID for the customer master key.
	KeyId string `pulumi:"keyId"`
	// Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
	Plaintext string `pulumi:"plaintext"`
}

A collection of arguments for invoking getCipherText.

type GetCipherTextOutputArgs

type GetCipherTextOutputArgs struct {
	// An optional mapping that makes up the encryption context.
	Context pulumi.StringMapInput `pulumi:"context"`
	// Globally unique key ID for the customer master key.
	KeyId pulumi.StringInput `pulumi:"keyId"`
	// Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
	Plaintext pulumi.StringInput `pulumi:"plaintext"`
}

A collection of arguments for invoking getCipherText.

func (GetCipherTextOutputArgs) ElementType

func (GetCipherTextOutputArgs) ElementType() reflect.Type

type GetCipherTextResult

type GetCipherTextResult struct {
	// Base64 encoded ciphertext
	CiphertextBlob string            `pulumi:"ciphertextBlob"`
	Context        map[string]string `pulumi:"context"`
	// The provider-assigned unique ID for this managed resource.
	Id        string `pulumi:"id"`
	KeyId     string `pulumi:"keyId"`
	Plaintext string `pulumi:"plaintext"`
}

A collection of values returned by getCipherText.

func GetCipherText

func GetCipherText(ctx *pulumi.Context, args *GetCipherTextArgs, opts ...pulumi.InvokeOption) (*GetCipherTextResult, error)

The KMS ciphertext data source allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this data source changes every apply. For a stable ciphertext value, see the `kms.Ciphertext` resource.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		oauthConfig, err := kms.NewKey(ctx, "oauth_config", &kms.KeyArgs{
			Description: pulumi.String("oauth config"),
			IsEnabled:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_ = kms.GetCipherTextOutput(ctx, kms.GetCipherTextOutputArgs{
			KeyId:     oauthConfig.KeyId,
			Plaintext: pulumi.String("{\n  \"client_id\": \"e587dbae22222f55da22\",\n  \"client_secret\": \"8289575d00000ace55e1815ec13673955721b8a5\"\n}\n"),
		}, nil)
		return nil
	})
}

```

type GetCipherTextResultOutput

type GetCipherTextResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getCipherText.

func (GetCipherTextResultOutput) CiphertextBlob

func (o GetCipherTextResultOutput) CiphertextBlob() pulumi.StringOutput

Base64 encoded ciphertext

func (GetCipherTextResultOutput) Context

func (GetCipherTextResultOutput) ElementType

func (GetCipherTextResultOutput) ElementType() reflect.Type

func (GetCipherTextResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (GetCipherTextResultOutput) KeyId

func (GetCipherTextResultOutput) Plaintext

func (GetCipherTextResultOutput) ToGetCipherTextResultOutput

func (o GetCipherTextResultOutput) ToGetCipherTextResultOutput() GetCipherTextResultOutput

func (GetCipherTextResultOutput) ToGetCipherTextResultOutputWithContext

func (o GetCipherTextResultOutput) ToGetCipherTextResultOutputWithContext(ctx context.Context) GetCipherTextResultOutput

type GetKeyMultiRegionConfiguration

type GetKeyMultiRegionConfiguration struct {
	// Indicates whether the KMS key is a `PRIMARY` or `REPLICA` key.
	MultiRegionKeyType string `pulumi:"multiRegionKeyType"`
	// The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
	PrimaryKeys []GetKeyMultiRegionConfigurationPrimaryKey `pulumi:"primaryKeys"`
	// The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
	ReplicaKeys []GetKeyMultiRegionConfigurationReplicaKey `pulumi:"replicaKeys"`
}

type GetKeyMultiRegionConfigurationArgs

type GetKeyMultiRegionConfigurationArgs struct {
	// Indicates whether the KMS key is a `PRIMARY` or `REPLICA` key.
	MultiRegionKeyType pulumi.StringInput `pulumi:"multiRegionKeyType"`
	// The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
	PrimaryKeys GetKeyMultiRegionConfigurationPrimaryKeyArrayInput `pulumi:"primaryKeys"`
	// The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
	ReplicaKeys GetKeyMultiRegionConfigurationReplicaKeyArrayInput `pulumi:"replicaKeys"`
}

func (GetKeyMultiRegionConfigurationArgs) ElementType

func (GetKeyMultiRegionConfigurationArgs) ToGetKeyMultiRegionConfigurationOutput

func (i GetKeyMultiRegionConfigurationArgs) ToGetKeyMultiRegionConfigurationOutput() GetKeyMultiRegionConfigurationOutput

func (GetKeyMultiRegionConfigurationArgs) ToGetKeyMultiRegionConfigurationOutputWithContext

func (i GetKeyMultiRegionConfigurationArgs) ToGetKeyMultiRegionConfigurationOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationOutput

type GetKeyMultiRegionConfigurationArray

type GetKeyMultiRegionConfigurationArray []GetKeyMultiRegionConfigurationInput

func (GetKeyMultiRegionConfigurationArray) ElementType

func (GetKeyMultiRegionConfigurationArray) ToGetKeyMultiRegionConfigurationArrayOutput

func (i GetKeyMultiRegionConfigurationArray) ToGetKeyMultiRegionConfigurationArrayOutput() GetKeyMultiRegionConfigurationArrayOutput

func (GetKeyMultiRegionConfigurationArray) ToGetKeyMultiRegionConfigurationArrayOutputWithContext

func (i GetKeyMultiRegionConfigurationArray) ToGetKeyMultiRegionConfigurationArrayOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationArrayOutput

type GetKeyMultiRegionConfigurationArrayInput

type GetKeyMultiRegionConfigurationArrayInput interface {
	pulumi.Input

	ToGetKeyMultiRegionConfigurationArrayOutput() GetKeyMultiRegionConfigurationArrayOutput
	ToGetKeyMultiRegionConfigurationArrayOutputWithContext(context.Context) GetKeyMultiRegionConfigurationArrayOutput
}

GetKeyMultiRegionConfigurationArrayInput is an input type that accepts GetKeyMultiRegionConfigurationArray and GetKeyMultiRegionConfigurationArrayOutput values. You can construct a concrete instance of `GetKeyMultiRegionConfigurationArrayInput` via:

GetKeyMultiRegionConfigurationArray{ GetKeyMultiRegionConfigurationArgs{...} }

type GetKeyMultiRegionConfigurationArrayOutput

type GetKeyMultiRegionConfigurationArrayOutput struct{ *pulumi.OutputState }

func (GetKeyMultiRegionConfigurationArrayOutput) ElementType

func (GetKeyMultiRegionConfigurationArrayOutput) Index

func (GetKeyMultiRegionConfigurationArrayOutput) ToGetKeyMultiRegionConfigurationArrayOutput

func (o GetKeyMultiRegionConfigurationArrayOutput) ToGetKeyMultiRegionConfigurationArrayOutput() GetKeyMultiRegionConfigurationArrayOutput

func (GetKeyMultiRegionConfigurationArrayOutput) ToGetKeyMultiRegionConfigurationArrayOutputWithContext

func (o GetKeyMultiRegionConfigurationArrayOutput) ToGetKeyMultiRegionConfigurationArrayOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationArrayOutput

type GetKeyMultiRegionConfigurationInput

type GetKeyMultiRegionConfigurationInput interface {
	pulumi.Input

	ToGetKeyMultiRegionConfigurationOutput() GetKeyMultiRegionConfigurationOutput
	ToGetKeyMultiRegionConfigurationOutputWithContext(context.Context) GetKeyMultiRegionConfigurationOutput
}

GetKeyMultiRegionConfigurationInput is an input type that accepts GetKeyMultiRegionConfigurationArgs and GetKeyMultiRegionConfigurationOutput values. You can construct a concrete instance of `GetKeyMultiRegionConfigurationInput` via:

GetKeyMultiRegionConfigurationArgs{...}

type GetKeyMultiRegionConfigurationOutput

type GetKeyMultiRegionConfigurationOutput struct{ *pulumi.OutputState }

func (GetKeyMultiRegionConfigurationOutput) ElementType

func (GetKeyMultiRegionConfigurationOutput) MultiRegionKeyType

Indicates whether the KMS key is a `PRIMARY` or `REPLICA` key.

func (GetKeyMultiRegionConfigurationOutput) PrimaryKeys

The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.

func (GetKeyMultiRegionConfigurationOutput) ReplicaKeys

The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.

func (GetKeyMultiRegionConfigurationOutput) ToGetKeyMultiRegionConfigurationOutput

func (o GetKeyMultiRegionConfigurationOutput) ToGetKeyMultiRegionConfigurationOutput() GetKeyMultiRegionConfigurationOutput

func (GetKeyMultiRegionConfigurationOutput) ToGetKeyMultiRegionConfigurationOutputWithContext

func (o GetKeyMultiRegionConfigurationOutput) ToGetKeyMultiRegionConfigurationOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationOutput

type GetKeyMultiRegionConfigurationPrimaryKey

type GetKeyMultiRegionConfigurationPrimaryKey struct {
	// The key ARN of a primary or replica key of a multi-Region key.
	Arn string `pulumi:"arn"`
	// The AWS Region of a primary or replica key in a multi-Region key.
	Region string `pulumi:"region"`
}

type GetKeyMultiRegionConfigurationPrimaryKeyArgs

type GetKeyMultiRegionConfigurationPrimaryKeyArgs struct {
	// The key ARN of a primary or replica key of a multi-Region key.
	Arn pulumi.StringInput `pulumi:"arn"`
	// The AWS Region of a primary or replica key in a multi-Region key.
	Region pulumi.StringInput `pulumi:"region"`
}

func (GetKeyMultiRegionConfigurationPrimaryKeyArgs) ElementType

func (GetKeyMultiRegionConfigurationPrimaryKeyArgs) ToGetKeyMultiRegionConfigurationPrimaryKeyOutput

func (i GetKeyMultiRegionConfigurationPrimaryKeyArgs) ToGetKeyMultiRegionConfigurationPrimaryKeyOutput() GetKeyMultiRegionConfigurationPrimaryKeyOutput

func (GetKeyMultiRegionConfigurationPrimaryKeyArgs) ToGetKeyMultiRegionConfigurationPrimaryKeyOutputWithContext

func (i GetKeyMultiRegionConfigurationPrimaryKeyArgs) ToGetKeyMultiRegionConfigurationPrimaryKeyOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationPrimaryKeyOutput

type GetKeyMultiRegionConfigurationPrimaryKeyArray

type GetKeyMultiRegionConfigurationPrimaryKeyArray []GetKeyMultiRegionConfigurationPrimaryKeyInput

func (GetKeyMultiRegionConfigurationPrimaryKeyArray) ElementType

func (GetKeyMultiRegionConfigurationPrimaryKeyArray) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutput

func (i GetKeyMultiRegionConfigurationPrimaryKeyArray) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutput() GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput

func (GetKeyMultiRegionConfigurationPrimaryKeyArray) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutputWithContext

func (i GetKeyMultiRegionConfigurationPrimaryKeyArray) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput

type GetKeyMultiRegionConfigurationPrimaryKeyArrayInput

type GetKeyMultiRegionConfigurationPrimaryKeyArrayInput interface {
	pulumi.Input

	ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutput() GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput
	ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutputWithContext(context.Context) GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput
}

GetKeyMultiRegionConfigurationPrimaryKeyArrayInput is an input type that accepts GetKeyMultiRegionConfigurationPrimaryKeyArray and GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput values. You can construct a concrete instance of `GetKeyMultiRegionConfigurationPrimaryKeyArrayInput` via:

GetKeyMultiRegionConfigurationPrimaryKeyArray{ GetKeyMultiRegionConfigurationPrimaryKeyArgs{...} }

type GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput

type GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput struct{ *pulumi.OutputState }

func (GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput) ElementType

func (GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput) Index

func (GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutput

func (o GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutput() GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput

func (GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutputWithContext

func (o GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyArrayOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationPrimaryKeyArrayOutput

type GetKeyMultiRegionConfigurationPrimaryKeyInput

type GetKeyMultiRegionConfigurationPrimaryKeyInput interface {
	pulumi.Input

	ToGetKeyMultiRegionConfigurationPrimaryKeyOutput() GetKeyMultiRegionConfigurationPrimaryKeyOutput
	ToGetKeyMultiRegionConfigurationPrimaryKeyOutputWithContext(context.Context) GetKeyMultiRegionConfigurationPrimaryKeyOutput
}

GetKeyMultiRegionConfigurationPrimaryKeyInput is an input type that accepts GetKeyMultiRegionConfigurationPrimaryKeyArgs and GetKeyMultiRegionConfigurationPrimaryKeyOutput values. You can construct a concrete instance of `GetKeyMultiRegionConfigurationPrimaryKeyInput` via:

GetKeyMultiRegionConfigurationPrimaryKeyArgs{...}

type GetKeyMultiRegionConfigurationPrimaryKeyOutput

type GetKeyMultiRegionConfigurationPrimaryKeyOutput struct{ *pulumi.OutputState }

func (GetKeyMultiRegionConfigurationPrimaryKeyOutput) Arn

The key ARN of a primary or replica key of a multi-Region key.

func (GetKeyMultiRegionConfigurationPrimaryKeyOutput) ElementType

func (GetKeyMultiRegionConfigurationPrimaryKeyOutput) Region

The AWS Region of a primary or replica key in a multi-Region key.

func (GetKeyMultiRegionConfigurationPrimaryKeyOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyOutput

func (o GetKeyMultiRegionConfigurationPrimaryKeyOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyOutput() GetKeyMultiRegionConfigurationPrimaryKeyOutput

func (GetKeyMultiRegionConfigurationPrimaryKeyOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyOutputWithContext

func (o GetKeyMultiRegionConfigurationPrimaryKeyOutput) ToGetKeyMultiRegionConfigurationPrimaryKeyOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationPrimaryKeyOutput

type GetKeyMultiRegionConfigurationReplicaKey

type GetKeyMultiRegionConfigurationReplicaKey struct {
	// The key ARN of a primary or replica key of a multi-Region key.
	Arn string `pulumi:"arn"`
	// The AWS Region of a primary or replica key in a multi-Region key.
	Region string `pulumi:"region"`
}

type GetKeyMultiRegionConfigurationReplicaKeyArgs

type GetKeyMultiRegionConfigurationReplicaKeyArgs struct {
	// The key ARN of a primary or replica key of a multi-Region key.
	Arn pulumi.StringInput `pulumi:"arn"`
	// The AWS Region of a primary or replica key in a multi-Region key.
	Region pulumi.StringInput `pulumi:"region"`
}

func (GetKeyMultiRegionConfigurationReplicaKeyArgs) ElementType

func (GetKeyMultiRegionConfigurationReplicaKeyArgs) ToGetKeyMultiRegionConfigurationReplicaKeyOutput

func (i GetKeyMultiRegionConfigurationReplicaKeyArgs) ToGetKeyMultiRegionConfigurationReplicaKeyOutput() GetKeyMultiRegionConfigurationReplicaKeyOutput

func (GetKeyMultiRegionConfigurationReplicaKeyArgs) ToGetKeyMultiRegionConfigurationReplicaKeyOutputWithContext

func (i GetKeyMultiRegionConfigurationReplicaKeyArgs) ToGetKeyMultiRegionConfigurationReplicaKeyOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationReplicaKeyOutput

type GetKeyMultiRegionConfigurationReplicaKeyArray

type GetKeyMultiRegionConfigurationReplicaKeyArray []GetKeyMultiRegionConfigurationReplicaKeyInput

func (GetKeyMultiRegionConfigurationReplicaKeyArray) ElementType

func (GetKeyMultiRegionConfigurationReplicaKeyArray) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutput

func (i GetKeyMultiRegionConfigurationReplicaKeyArray) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutput() GetKeyMultiRegionConfigurationReplicaKeyArrayOutput

func (GetKeyMultiRegionConfigurationReplicaKeyArray) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutputWithContext

func (i GetKeyMultiRegionConfigurationReplicaKeyArray) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationReplicaKeyArrayOutput

type GetKeyMultiRegionConfigurationReplicaKeyArrayInput

type GetKeyMultiRegionConfigurationReplicaKeyArrayInput interface {
	pulumi.Input

	ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutput() GetKeyMultiRegionConfigurationReplicaKeyArrayOutput
	ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutputWithContext(context.Context) GetKeyMultiRegionConfigurationReplicaKeyArrayOutput
}

GetKeyMultiRegionConfigurationReplicaKeyArrayInput is an input type that accepts GetKeyMultiRegionConfigurationReplicaKeyArray and GetKeyMultiRegionConfigurationReplicaKeyArrayOutput values. You can construct a concrete instance of `GetKeyMultiRegionConfigurationReplicaKeyArrayInput` via:

GetKeyMultiRegionConfigurationReplicaKeyArray{ GetKeyMultiRegionConfigurationReplicaKeyArgs{...} }

type GetKeyMultiRegionConfigurationReplicaKeyArrayOutput

type GetKeyMultiRegionConfigurationReplicaKeyArrayOutput struct{ *pulumi.OutputState }

func (GetKeyMultiRegionConfigurationReplicaKeyArrayOutput) ElementType

func (GetKeyMultiRegionConfigurationReplicaKeyArrayOutput) Index

func (GetKeyMultiRegionConfigurationReplicaKeyArrayOutput) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutput

func (o GetKeyMultiRegionConfigurationReplicaKeyArrayOutput) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutput() GetKeyMultiRegionConfigurationReplicaKeyArrayOutput

func (GetKeyMultiRegionConfigurationReplicaKeyArrayOutput) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutputWithContext

func (o GetKeyMultiRegionConfigurationReplicaKeyArrayOutput) ToGetKeyMultiRegionConfigurationReplicaKeyArrayOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationReplicaKeyArrayOutput

type GetKeyMultiRegionConfigurationReplicaKeyInput

type GetKeyMultiRegionConfigurationReplicaKeyInput interface {
	pulumi.Input

	ToGetKeyMultiRegionConfigurationReplicaKeyOutput() GetKeyMultiRegionConfigurationReplicaKeyOutput
	ToGetKeyMultiRegionConfigurationReplicaKeyOutputWithContext(context.Context) GetKeyMultiRegionConfigurationReplicaKeyOutput
}

GetKeyMultiRegionConfigurationReplicaKeyInput is an input type that accepts GetKeyMultiRegionConfigurationReplicaKeyArgs and GetKeyMultiRegionConfigurationReplicaKeyOutput values. You can construct a concrete instance of `GetKeyMultiRegionConfigurationReplicaKeyInput` via:

GetKeyMultiRegionConfigurationReplicaKeyArgs{...}

type GetKeyMultiRegionConfigurationReplicaKeyOutput

type GetKeyMultiRegionConfigurationReplicaKeyOutput struct{ *pulumi.OutputState }

func (GetKeyMultiRegionConfigurationReplicaKeyOutput) Arn

The key ARN of a primary or replica key of a multi-Region key.

func (GetKeyMultiRegionConfigurationReplicaKeyOutput) ElementType

func (GetKeyMultiRegionConfigurationReplicaKeyOutput) Region

The AWS Region of a primary or replica key in a multi-Region key.

func (GetKeyMultiRegionConfigurationReplicaKeyOutput) ToGetKeyMultiRegionConfigurationReplicaKeyOutput

func (o GetKeyMultiRegionConfigurationReplicaKeyOutput) ToGetKeyMultiRegionConfigurationReplicaKeyOutput() GetKeyMultiRegionConfigurationReplicaKeyOutput

func (GetKeyMultiRegionConfigurationReplicaKeyOutput) ToGetKeyMultiRegionConfigurationReplicaKeyOutputWithContext

func (o GetKeyMultiRegionConfigurationReplicaKeyOutput) ToGetKeyMultiRegionConfigurationReplicaKeyOutputWithContext(ctx context.Context) GetKeyMultiRegionConfigurationReplicaKeyOutput

type GetKeyXksKeyConfiguration

type GetKeyXksKeyConfiguration struct {
	// The globally unique identifier for the key
	Id string `pulumi:"id"`
}

type GetKeyXksKeyConfigurationArgs

type GetKeyXksKeyConfigurationArgs struct {
	// The globally unique identifier for the key
	Id pulumi.StringInput `pulumi:"id"`
}

func (GetKeyXksKeyConfigurationArgs) ElementType

func (GetKeyXksKeyConfigurationArgs) ToGetKeyXksKeyConfigurationOutput

func (i GetKeyXksKeyConfigurationArgs) ToGetKeyXksKeyConfigurationOutput() GetKeyXksKeyConfigurationOutput

func (GetKeyXksKeyConfigurationArgs) ToGetKeyXksKeyConfigurationOutputWithContext

func (i GetKeyXksKeyConfigurationArgs) ToGetKeyXksKeyConfigurationOutputWithContext(ctx context.Context) GetKeyXksKeyConfigurationOutput

type GetKeyXksKeyConfigurationArray

type GetKeyXksKeyConfigurationArray []GetKeyXksKeyConfigurationInput

func (GetKeyXksKeyConfigurationArray) ElementType

func (GetKeyXksKeyConfigurationArray) ToGetKeyXksKeyConfigurationArrayOutput

func (i GetKeyXksKeyConfigurationArray) ToGetKeyXksKeyConfigurationArrayOutput() GetKeyXksKeyConfigurationArrayOutput

func (GetKeyXksKeyConfigurationArray) ToGetKeyXksKeyConfigurationArrayOutputWithContext

func (i GetKeyXksKeyConfigurationArray) ToGetKeyXksKeyConfigurationArrayOutputWithContext(ctx context.Context) GetKeyXksKeyConfigurationArrayOutput

type GetKeyXksKeyConfigurationArrayInput

type GetKeyXksKeyConfigurationArrayInput interface {
	pulumi.Input

	ToGetKeyXksKeyConfigurationArrayOutput() GetKeyXksKeyConfigurationArrayOutput
	ToGetKeyXksKeyConfigurationArrayOutputWithContext(context.Context) GetKeyXksKeyConfigurationArrayOutput
}

GetKeyXksKeyConfigurationArrayInput is an input type that accepts GetKeyXksKeyConfigurationArray and GetKeyXksKeyConfigurationArrayOutput values. You can construct a concrete instance of `GetKeyXksKeyConfigurationArrayInput` via:

GetKeyXksKeyConfigurationArray{ GetKeyXksKeyConfigurationArgs{...} }

type GetKeyXksKeyConfigurationArrayOutput

type GetKeyXksKeyConfigurationArrayOutput struct{ *pulumi.OutputState }

func (GetKeyXksKeyConfigurationArrayOutput) ElementType

func (GetKeyXksKeyConfigurationArrayOutput) Index

func (GetKeyXksKeyConfigurationArrayOutput) ToGetKeyXksKeyConfigurationArrayOutput

func (o GetKeyXksKeyConfigurationArrayOutput) ToGetKeyXksKeyConfigurationArrayOutput() GetKeyXksKeyConfigurationArrayOutput

func (GetKeyXksKeyConfigurationArrayOutput) ToGetKeyXksKeyConfigurationArrayOutputWithContext

func (o GetKeyXksKeyConfigurationArrayOutput) ToGetKeyXksKeyConfigurationArrayOutputWithContext(ctx context.Context) GetKeyXksKeyConfigurationArrayOutput

type GetKeyXksKeyConfigurationInput

type GetKeyXksKeyConfigurationInput interface {
	pulumi.Input

	ToGetKeyXksKeyConfigurationOutput() GetKeyXksKeyConfigurationOutput
	ToGetKeyXksKeyConfigurationOutputWithContext(context.Context) GetKeyXksKeyConfigurationOutput
}

GetKeyXksKeyConfigurationInput is an input type that accepts GetKeyXksKeyConfigurationArgs and GetKeyXksKeyConfigurationOutput values. You can construct a concrete instance of `GetKeyXksKeyConfigurationInput` via:

GetKeyXksKeyConfigurationArgs{...}

type GetKeyXksKeyConfigurationOutput

type GetKeyXksKeyConfigurationOutput struct{ *pulumi.OutputState }

func (GetKeyXksKeyConfigurationOutput) ElementType

func (GetKeyXksKeyConfigurationOutput) Id

The globally unique identifier for the key

func (GetKeyXksKeyConfigurationOutput) ToGetKeyXksKeyConfigurationOutput

func (o GetKeyXksKeyConfigurationOutput) ToGetKeyXksKeyConfigurationOutput() GetKeyXksKeyConfigurationOutput

func (GetKeyXksKeyConfigurationOutput) ToGetKeyXksKeyConfigurationOutputWithContext

func (o GetKeyXksKeyConfigurationOutput) ToGetKeyXksKeyConfigurationOutputWithContext(ctx context.Context) GetKeyXksKeyConfigurationOutput

type GetPublicKeyArgs

type GetPublicKeyArgs struct {
	// List of grant tokens
	GrantTokens []string `pulumi:"grantTokens"`
	// Key identifier which can be one of the following format:
	// * Key ID. E.g - `1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Key ARN. E.g. - `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Alias name. E.g. - `alias/my-key`
	// * Alias ARN - E.g. - `arn:aws:kms:us-east-1:111122223333:alias/my-key`
	KeyId string `pulumi:"keyId"`
}

A collection of arguments for invoking getPublicKey.

type GetPublicKeyOutputArgs

type GetPublicKeyOutputArgs struct {
	// List of grant tokens
	GrantTokens pulumi.StringArrayInput `pulumi:"grantTokens"`
	// Key identifier which can be one of the following format:
	// * Key ID. E.g - `1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Key ARN. E.g. - `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Alias name. E.g. - `alias/my-key`
	// * Alias ARN - E.g. - `arn:aws:kms:us-east-1:111122223333:alias/my-key`
	KeyId pulumi.StringInput `pulumi:"keyId"`
}

A collection of arguments for invoking getPublicKey.

func (GetPublicKeyOutputArgs) ElementType

func (GetPublicKeyOutputArgs) ElementType() reflect.Type

type GetPublicKeyResult

type GetPublicKeyResult struct {
	// Key ARN of the asymmetric CMK from which the public key was downloaded.
	Arn string `pulumi:"arn"`
	// Type of the public key that was downloaded.
	CustomerMasterKeySpec string `pulumi:"customerMasterKeySpec"`
	// Encryption algorithms that AWS KMS supports for this key. Only set when the `keyUsage` of the public key is `ENCRYPT_DECRYPT`.
	EncryptionAlgorithms []string `pulumi:"encryptionAlgorithms"`
	GrantTokens          []string `pulumi:"grantTokens"`
	// The provider-assigned unique ID for this managed resource.
	Id    string `pulumi:"id"`
	KeyId string `pulumi:"keyId"`
	// Permitted use of the public key. Valid values are `ENCRYPT_DECRYPT` or `SIGN_VERIFY`
	KeyUsage string `pulumi:"keyUsage"`
	// Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in [RFC 5280](https://tools.ietf.org/html/rfc5280). The value is Base64-encoded.
	PublicKey string `pulumi:"publicKey"`
	// Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
	PublicKeyPem string `pulumi:"publicKeyPem"`
	// Signing algorithms that AWS KMS supports for this key. Only set when the `keyUsage` of the public key is `SIGN_VERIFY`.
	SigningAlgorithms []string `pulumi:"signingAlgorithms"`
}

A collection of values returned by getPublicKey.

func GetPublicKey

func GetPublicKey(ctx *pulumi.Context, args *GetPublicKeyArgs, opts ...pulumi.InvokeOption) (*GetPublicKeyResult, error)

Use this data source to get the public key about the specified KMS Key with flexible key id input. This can be useful to reference key alias without having to hard code the ARN as input.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.GetPublicKey(ctx, &kms.GetPublicKeyArgs{
			KeyId: "alias/my-key",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.GetPublicKey(ctx, &kms.GetPublicKeyArgs{
			KeyId: "1234abcd-12ab-34cd-56ef-1234567890ab",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.GetPublicKey(ctx, &kms.GetPublicKeyArgs{
			KeyId: "arn:aws:kms:us-east-1:111122223333:alias/my-key",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.GetPublicKey(ctx, &kms.GetPublicKeyArgs{
			KeyId: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type GetPublicKeyResultOutput

type GetPublicKeyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getPublicKey.

func (GetPublicKeyResultOutput) Arn

Key ARN of the asymmetric CMK from which the public key was downloaded.

func (GetPublicKeyResultOutput) CustomerMasterKeySpec

func (o GetPublicKeyResultOutput) CustomerMasterKeySpec() pulumi.StringOutput

Type of the public key that was downloaded.

func (GetPublicKeyResultOutput) ElementType

func (GetPublicKeyResultOutput) ElementType() reflect.Type

func (GetPublicKeyResultOutput) EncryptionAlgorithms

func (o GetPublicKeyResultOutput) EncryptionAlgorithms() pulumi.StringArrayOutput

Encryption algorithms that AWS KMS supports for this key. Only set when the `keyUsage` of the public key is `ENCRYPT_DECRYPT`.

func (GetPublicKeyResultOutput) GrantTokens

func (GetPublicKeyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (GetPublicKeyResultOutput) KeyId

func (GetPublicKeyResultOutput) KeyUsage

Permitted use of the public key. Valid values are `ENCRYPT_DECRYPT` or `SIGN_VERIFY`

func (GetPublicKeyResultOutput) PublicKey

Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in [RFC 5280](https://tools.ietf.org/html/rfc5280). The value is Base64-encoded.

func (GetPublicKeyResultOutput) PublicKeyPem

func (o GetPublicKeyResultOutput) PublicKeyPem() pulumi.StringOutput

Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.

func (GetPublicKeyResultOutput) SigningAlgorithms

func (o GetPublicKeyResultOutput) SigningAlgorithms() pulumi.StringArrayOutput

Signing algorithms that AWS KMS supports for this key. Only set when the `keyUsage` of the public key is `SIGN_VERIFY`.

func (GetPublicKeyResultOutput) ToGetPublicKeyResultOutput

func (o GetPublicKeyResultOutput) ToGetPublicKeyResultOutput() GetPublicKeyResultOutput

func (GetPublicKeyResultOutput) ToGetPublicKeyResultOutputWithContext

func (o GetPublicKeyResultOutput) ToGetPublicKeyResultOutputWithContext(ctx context.Context) GetPublicKeyResultOutput

type GetSecretArgs

type GetSecretArgs struct {
	Secrets []GetSecretSecret `pulumi:"secrets"`
}

A collection of arguments for invoking getSecret.

type GetSecretOutputArgs

type GetSecretOutputArgs struct {
	Secrets GetSecretSecretArrayInput `pulumi:"secrets"`
}

A collection of arguments for invoking getSecret.

func (GetSecretOutputArgs) ElementType

func (GetSecretOutputArgs) ElementType() reflect.Type

type GetSecretResult

type GetSecretResult struct {
	// The provider-assigned unique ID for this managed resource.
	Id      string            `pulumi:"id"`
	Secrets []GetSecretSecret `pulumi:"secrets"`
}

A collection of values returned by getSecret.

func GetSecret

func GetSecret(ctx *pulumi.Context, args *GetSecretArgs, opts ...pulumi.InvokeOption) (*GetSecretResult, error)

type GetSecretResultOutput

type GetSecretResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getSecret.

func (GetSecretResultOutput) ElementType

func (GetSecretResultOutput) ElementType() reflect.Type

func (GetSecretResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (GetSecretResultOutput) Secrets

func (GetSecretResultOutput) ToGetSecretResultOutput

func (o GetSecretResultOutput) ToGetSecretResultOutput() GetSecretResultOutput

func (GetSecretResultOutput) ToGetSecretResultOutputWithContext

func (o GetSecretResultOutput) ToGetSecretResultOutputWithContext(ctx context.Context) GetSecretResultOutput

type GetSecretSecret

type GetSecretSecret struct {
	Context     map[string]string `pulumi:"context"`
	GrantTokens []string          `pulumi:"grantTokens"`
	Name        string            `pulumi:"name"`
	Payload     string            `pulumi:"payload"`
}

type GetSecretSecretArgs

type GetSecretSecretArgs struct {
	Context     pulumi.StringMapInput   `pulumi:"context"`
	GrantTokens pulumi.StringArrayInput `pulumi:"grantTokens"`
	Name        pulumi.StringInput      `pulumi:"name"`
	Payload     pulumi.StringInput      `pulumi:"payload"`
}

func (GetSecretSecretArgs) ElementType

func (GetSecretSecretArgs) ElementType() reflect.Type

func (GetSecretSecretArgs) ToGetSecretSecretOutput

func (i GetSecretSecretArgs) ToGetSecretSecretOutput() GetSecretSecretOutput

func (GetSecretSecretArgs) ToGetSecretSecretOutputWithContext

func (i GetSecretSecretArgs) ToGetSecretSecretOutputWithContext(ctx context.Context) GetSecretSecretOutput

type GetSecretSecretArray

type GetSecretSecretArray []GetSecretSecretInput

func (GetSecretSecretArray) ElementType

func (GetSecretSecretArray) ElementType() reflect.Type

func (GetSecretSecretArray) ToGetSecretSecretArrayOutput

func (i GetSecretSecretArray) ToGetSecretSecretArrayOutput() GetSecretSecretArrayOutput

func (GetSecretSecretArray) ToGetSecretSecretArrayOutputWithContext

func (i GetSecretSecretArray) ToGetSecretSecretArrayOutputWithContext(ctx context.Context) GetSecretSecretArrayOutput

type GetSecretSecretArrayInput

type GetSecretSecretArrayInput interface {
	pulumi.Input

	ToGetSecretSecretArrayOutput() GetSecretSecretArrayOutput
	ToGetSecretSecretArrayOutputWithContext(context.Context) GetSecretSecretArrayOutput
}

GetSecretSecretArrayInput is an input type that accepts GetSecretSecretArray and GetSecretSecretArrayOutput values. You can construct a concrete instance of `GetSecretSecretArrayInput` via:

GetSecretSecretArray{ GetSecretSecretArgs{...} }

type GetSecretSecretArrayOutput

type GetSecretSecretArrayOutput struct{ *pulumi.OutputState }

func (GetSecretSecretArrayOutput) ElementType

func (GetSecretSecretArrayOutput) ElementType() reflect.Type

func (GetSecretSecretArrayOutput) Index

func (GetSecretSecretArrayOutput) ToGetSecretSecretArrayOutput

func (o GetSecretSecretArrayOutput) ToGetSecretSecretArrayOutput() GetSecretSecretArrayOutput

func (GetSecretSecretArrayOutput) ToGetSecretSecretArrayOutputWithContext

func (o GetSecretSecretArrayOutput) ToGetSecretSecretArrayOutputWithContext(ctx context.Context) GetSecretSecretArrayOutput

type GetSecretSecretInput

type GetSecretSecretInput interface {
	pulumi.Input

	ToGetSecretSecretOutput() GetSecretSecretOutput
	ToGetSecretSecretOutputWithContext(context.Context) GetSecretSecretOutput
}

GetSecretSecretInput is an input type that accepts GetSecretSecretArgs and GetSecretSecretOutput values. You can construct a concrete instance of `GetSecretSecretInput` via:

GetSecretSecretArgs{...}

type GetSecretSecretOutput

type GetSecretSecretOutput struct{ *pulumi.OutputState }

func (GetSecretSecretOutput) Context

func (GetSecretSecretOutput) ElementType

func (GetSecretSecretOutput) ElementType() reflect.Type

func (GetSecretSecretOutput) GrantTokens

func (GetSecretSecretOutput) Name

func (GetSecretSecretOutput) Payload

func (GetSecretSecretOutput) ToGetSecretSecretOutput

func (o GetSecretSecretOutput) ToGetSecretSecretOutput() GetSecretSecretOutput

func (GetSecretSecretOutput) ToGetSecretSecretOutputWithContext

func (o GetSecretSecretOutput) ToGetSecretSecretOutputWithContext(ctx context.Context) GetSecretSecretOutput

type GetSecretsArgs

type GetSecretsArgs struct {
	// One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.
	Secrets []GetSecretsSecret `pulumi:"secrets"`
}

A collection of arguments for invoking getSecrets.

type GetSecretsOutputArgs

type GetSecretsOutputArgs struct {
	// One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.
	Secrets GetSecretsSecretArrayInput `pulumi:"secrets"`
}

A collection of arguments for invoking getSecrets.

func (GetSecretsOutputArgs) ElementType

func (GetSecretsOutputArgs) ElementType() reflect.Type

type GetSecretsResult

type GetSecretsResult struct {
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Map containing each `secret` `name` as the key with its decrypted plaintext value
	Plaintext map[string]string  `pulumi:"plaintext"`
	Secrets   []GetSecretsSecret `pulumi:"secrets"`
}

A collection of values returned by getSecrets.

func GetSecrets

func GetSecrets(ctx *pulumi.Context, args *GetSecretsArgs, opts ...pulumi.InvokeOption) (*GetSecretsResult, error)

Decrypt multiple secrets from data encrypted with the AWS KMS service.

## Example Usage

If you do not already have a `CiphertextBlob` from encrypting a KMS secret, you can use the below commands to obtain one using the [AWS CLI kms encrypt](https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html) command. This requires you to have your AWS CLI setup correctly and replace the `--key-id` with your own. Alternatively you can use `--plaintext 'master-password'` (CLIv1) or `--plaintext fileb://<(echo -n 'master-password')` (CLIv2) instead of reading from a file.

> If you have a newline character at the end of your file, it will be decrypted with this newline character intact. For most use cases this is undesirable and leads to incorrect passwords or invalid values, as well as possible changes in the plan. Be sure to use `echo -n` if necessary. If you are using asymmetric keys ensure you are using the right encryption algorithm when you encrypt and decrypt else you will get IncorrectKeyException during the decrypt phase.

That encrypted output can now be inserted into provider configurations without exposing the plaintext secret directly.

type GetSecretsResultOutput

type GetSecretsResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getSecrets.

func (GetSecretsResultOutput) ElementType

func (GetSecretsResultOutput) ElementType() reflect.Type

func (GetSecretsResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (GetSecretsResultOutput) Plaintext

Map containing each `secret` `name` as the key with its decrypted plaintext value

func (GetSecretsResultOutput) Secrets

func (GetSecretsResultOutput) ToGetSecretsResultOutput

func (o GetSecretsResultOutput) ToGetSecretsResultOutput() GetSecretsResultOutput

func (GetSecretsResultOutput) ToGetSecretsResultOutputWithContext

func (o GetSecretsResultOutput) ToGetSecretsResultOutputWithContext(ctx context.Context) GetSecretsResultOutput

type GetSecretsSecret

type GetSecretsSecret struct {
	// An optional mapping that makes up the Encryption Context for the secret.
	Context map[string]string `pulumi:"context"`
	// The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
	EncryptionAlgorithm *string `pulumi:"encryptionAlgorithm"`
	// An optional list of Grant Tokens for the secret.
	GrantTokens []string `pulumi:"grantTokens"`
	// Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.
	//
	// For more information on `context` and `grantTokens` see the [KMS
	// Concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
	KeyId *string `pulumi:"keyId"`
	// Name to export this secret under in the attributes.
	Name string `pulumi:"name"`
	// Base64 encoded payload, as returned from a KMS encrypt operation.
	Payload string `pulumi:"payload"`
}

type GetSecretsSecretArgs

type GetSecretsSecretArgs struct {
	// An optional mapping that makes up the Encryption Context for the secret.
	Context pulumi.StringMapInput `pulumi:"context"`
	// The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
	EncryptionAlgorithm pulumi.StringPtrInput `pulumi:"encryptionAlgorithm"`
	// An optional list of Grant Tokens for the secret.
	GrantTokens pulumi.StringArrayInput `pulumi:"grantTokens"`
	// Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.
	//
	// For more information on `context` and `grantTokens` see the [KMS
	// Concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
	KeyId pulumi.StringPtrInput `pulumi:"keyId"`
	// Name to export this secret under in the attributes.
	Name pulumi.StringInput `pulumi:"name"`
	// Base64 encoded payload, as returned from a KMS encrypt operation.
	Payload pulumi.StringInput `pulumi:"payload"`
}

func (GetSecretsSecretArgs) ElementType

func (GetSecretsSecretArgs) ElementType() reflect.Type

func (GetSecretsSecretArgs) ToGetSecretsSecretOutput

func (i GetSecretsSecretArgs) ToGetSecretsSecretOutput() GetSecretsSecretOutput

func (GetSecretsSecretArgs) ToGetSecretsSecretOutputWithContext

func (i GetSecretsSecretArgs) ToGetSecretsSecretOutputWithContext(ctx context.Context) GetSecretsSecretOutput

type GetSecretsSecretArray

type GetSecretsSecretArray []GetSecretsSecretInput

func (GetSecretsSecretArray) ElementType

func (GetSecretsSecretArray) ElementType() reflect.Type

func (GetSecretsSecretArray) ToGetSecretsSecretArrayOutput

func (i GetSecretsSecretArray) ToGetSecretsSecretArrayOutput() GetSecretsSecretArrayOutput

func (GetSecretsSecretArray) ToGetSecretsSecretArrayOutputWithContext

func (i GetSecretsSecretArray) ToGetSecretsSecretArrayOutputWithContext(ctx context.Context) GetSecretsSecretArrayOutput

type GetSecretsSecretArrayInput

type GetSecretsSecretArrayInput interface {
	pulumi.Input

	ToGetSecretsSecretArrayOutput() GetSecretsSecretArrayOutput
	ToGetSecretsSecretArrayOutputWithContext(context.Context) GetSecretsSecretArrayOutput
}

GetSecretsSecretArrayInput is an input type that accepts GetSecretsSecretArray and GetSecretsSecretArrayOutput values. You can construct a concrete instance of `GetSecretsSecretArrayInput` via:

GetSecretsSecretArray{ GetSecretsSecretArgs{...} }

type GetSecretsSecretArrayOutput

type GetSecretsSecretArrayOutput struct{ *pulumi.OutputState }

func (GetSecretsSecretArrayOutput) ElementType

func (GetSecretsSecretArrayOutput) Index

func (GetSecretsSecretArrayOutput) ToGetSecretsSecretArrayOutput

func (o GetSecretsSecretArrayOutput) ToGetSecretsSecretArrayOutput() GetSecretsSecretArrayOutput

func (GetSecretsSecretArrayOutput) ToGetSecretsSecretArrayOutputWithContext

func (o GetSecretsSecretArrayOutput) ToGetSecretsSecretArrayOutputWithContext(ctx context.Context) GetSecretsSecretArrayOutput

type GetSecretsSecretInput

type GetSecretsSecretInput interface {
	pulumi.Input

	ToGetSecretsSecretOutput() GetSecretsSecretOutput
	ToGetSecretsSecretOutputWithContext(context.Context) GetSecretsSecretOutput
}

GetSecretsSecretInput is an input type that accepts GetSecretsSecretArgs and GetSecretsSecretOutput values. You can construct a concrete instance of `GetSecretsSecretInput` via:

GetSecretsSecretArgs{...}

type GetSecretsSecretOutput

type GetSecretsSecretOutput struct{ *pulumi.OutputState }

func (GetSecretsSecretOutput) Context

An optional mapping that makes up the Encryption Context for the secret.

func (GetSecretsSecretOutput) ElementType

func (GetSecretsSecretOutput) ElementType() reflect.Type

func (GetSecretsSecretOutput) EncryptionAlgorithm

func (o GetSecretsSecretOutput) EncryptionAlgorithm() pulumi.StringPtrOutput

The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE

func (GetSecretsSecretOutput) GrantTokens

An optional list of Grant Tokens for the secret.

func (GetSecretsSecretOutput) KeyId

Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

For more information on `context` and `grantTokens` see the [KMS Concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)

func (GetSecretsSecretOutput) Name

Name to export this secret under in the attributes.

func (GetSecretsSecretOutput) Payload

Base64 encoded payload, as returned from a KMS encrypt operation.

func (GetSecretsSecretOutput) ToGetSecretsSecretOutput

func (o GetSecretsSecretOutput) ToGetSecretsSecretOutput() GetSecretsSecretOutput

func (GetSecretsSecretOutput) ToGetSecretsSecretOutputWithContext

func (o GetSecretsSecretOutput) ToGetSecretsSecretOutputWithContext(ctx context.Context) GetSecretsSecretOutput

type Grant

type Grant struct {
	pulumi.CustomResourceState

	// A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see [Encryption Context](http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
	Constraints GrantConstraintArrayOutput `pulumi:"constraints"`
	// A list of grant tokens to be used when creating the grant. See [Grant Tokens](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) for more information about grant tokens.
	GrantCreationTokens pulumi.StringArrayOutput `pulumi:"grantCreationTokens"`
	// The unique identifier for the grant.
	GrantId pulumi.StringOutput `pulumi:"grantId"`
	// The grant token for the created grant. For more information, see [Grant Tokens](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
	GrantToken pulumi.StringOutput `pulumi:"grantToken"`
	// The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.
	GranteePrincipal pulumi.StringOutput `pulumi:"granteePrincipal"`
	// The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.
	KeyId pulumi.StringOutput `pulumi:"keyId"`
	// A friendly name for identifying the grant.
	Name pulumi.StringOutput `pulumi:"name"`
	// A list of operations that the grant permits. The permitted values are: `Decrypt`, `Encrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `Sign`, `Verify`, `GetPublicKey`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, or `GenerateDataKeyPairWithoutPlaintext`.
	Operations pulumi.StringArrayOutput `pulumi:"operations"`
	// If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants.
	// See [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) for more information.
	RetireOnDelete pulumi.BoolPtrOutput `pulumi:"retireOnDelete"`
	// The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.
	RetiringPrincipal pulumi.StringPtrOutput `pulumi:"retiringPrincipal"`
}

Provides a resource-based access control mechanism for a KMS customer master key.

> **Note:** All arguments including the grant token will be stored in the raw state as plain-text. ## Import

Using `pulumi import`, import KMS Grants using the Key ID and Grant ID separated by a colon (`:`). For example:

```sh $ pulumi import aws:kms/grant:Grant test 1234abcd-12ab-34cd-56ef-1234567890ab:abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514 ```

func GetGrant

func GetGrant(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *GrantState, opts ...pulumi.ResourceOption) (*Grant, error)

GetGrant gets an existing Grant resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewGrant

func NewGrant(ctx *pulumi.Context,
	name string, args *GrantArgs, opts ...pulumi.ResourceOption) (*Grant, error)

NewGrant registers a new resource with the given unique name, arguments, and options.

func (*Grant) ElementType

func (*Grant) ElementType() reflect.Type

func (*Grant) ToGrantOutput

func (i *Grant) ToGrantOutput() GrantOutput

func (*Grant) ToGrantOutputWithContext

func (i *Grant) ToGrantOutputWithContext(ctx context.Context) GrantOutput

type GrantArgs

type GrantArgs struct {
	// A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see [Encryption Context](http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
	Constraints GrantConstraintArrayInput
	// A list of grant tokens to be used when creating the grant. See [Grant Tokens](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) for more information about grant tokens.
	GrantCreationTokens pulumi.StringArrayInput
	// The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.
	GranteePrincipal pulumi.StringInput
	// The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.
	KeyId pulumi.StringInput
	// A friendly name for identifying the grant.
	Name pulumi.StringPtrInput
	// A list of operations that the grant permits. The permitted values are: `Decrypt`, `Encrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `Sign`, `Verify`, `GetPublicKey`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, or `GenerateDataKeyPairWithoutPlaintext`.
	Operations pulumi.StringArrayInput
	// If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants.
	// See [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) for more information.
	RetireOnDelete pulumi.BoolPtrInput
	// The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.
	RetiringPrincipal pulumi.StringPtrInput
}

The set of arguments for constructing a Grant resource.

func (GrantArgs) ElementType

func (GrantArgs) ElementType() reflect.Type

type GrantArray

type GrantArray []GrantInput

func (GrantArray) ElementType

func (GrantArray) ElementType() reflect.Type

func (GrantArray) ToGrantArrayOutput

func (i GrantArray) ToGrantArrayOutput() GrantArrayOutput

func (GrantArray) ToGrantArrayOutputWithContext

func (i GrantArray) ToGrantArrayOutputWithContext(ctx context.Context) GrantArrayOutput

type GrantArrayInput

type GrantArrayInput interface {
	pulumi.Input

	ToGrantArrayOutput() GrantArrayOutput
	ToGrantArrayOutputWithContext(context.Context) GrantArrayOutput
}

GrantArrayInput is an input type that accepts GrantArray and GrantArrayOutput values. You can construct a concrete instance of `GrantArrayInput` via:

GrantArray{ GrantArgs{...} }

type GrantArrayOutput

type GrantArrayOutput struct{ *pulumi.OutputState }

func (GrantArrayOutput) ElementType

func (GrantArrayOutput) ElementType() reflect.Type

func (GrantArrayOutput) Index

func (GrantArrayOutput) ToGrantArrayOutput

func (o GrantArrayOutput) ToGrantArrayOutput() GrantArrayOutput

func (GrantArrayOutput) ToGrantArrayOutputWithContext

func (o GrantArrayOutput) ToGrantArrayOutputWithContext(ctx context.Context) GrantArrayOutput

type GrantConstraint

type GrantConstraint struct {
	// A list of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with `encryptionContextSubset`.
	EncryptionContextEquals map[string]string `pulumi:"encryptionContextEquals"`
	// A list of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with `encryptionContextEquals`.
	EncryptionContextSubset map[string]string `pulumi:"encryptionContextSubset"`
}

type GrantConstraintArgs

type GrantConstraintArgs struct {
	// A list of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with `encryptionContextSubset`.
	EncryptionContextEquals pulumi.StringMapInput `pulumi:"encryptionContextEquals"`
	// A list of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with `encryptionContextEquals`.
	EncryptionContextSubset pulumi.StringMapInput `pulumi:"encryptionContextSubset"`
}

func (GrantConstraintArgs) ElementType

func (GrantConstraintArgs) ElementType() reflect.Type

func (GrantConstraintArgs) ToGrantConstraintOutput

func (i GrantConstraintArgs) ToGrantConstraintOutput() GrantConstraintOutput

func (GrantConstraintArgs) ToGrantConstraintOutputWithContext

func (i GrantConstraintArgs) ToGrantConstraintOutputWithContext(ctx context.Context) GrantConstraintOutput

type GrantConstraintArray

type GrantConstraintArray []GrantConstraintInput

func (GrantConstraintArray) ElementType

func (GrantConstraintArray) ElementType() reflect.Type

func (GrantConstraintArray) ToGrantConstraintArrayOutput

func (i GrantConstraintArray) ToGrantConstraintArrayOutput() GrantConstraintArrayOutput

func (GrantConstraintArray) ToGrantConstraintArrayOutputWithContext

func (i GrantConstraintArray) ToGrantConstraintArrayOutputWithContext(ctx context.Context) GrantConstraintArrayOutput

type GrantConstraintArrayInput

type GrantConstraintArrayInput interface {
	pulumi.Input

	ToGrantConstraintArrayOutput() GrantConstraintArrayOutput
	ToGrantConstraintArrayOutputWithContext(context.Context) GrantConstraintArrayOutput
}

GrantConstraintArrayInput is an input type that accepts GrantConstraintArray and GrantConstraintArrayOutput values. You can construct a concrete instance of `GrantConstraintArrayInput` via:

GrantConstraintArray{ GrantConstraintArgs{...} }

type GrantConstraintArrayOutput

type GrantConstraintArrayOutput struct{ *pulumi.OutputState }

func (GrantConstraintArrayOutput) ElementType

func (GrantConstraintArrayOutput) ElementType() reflect.Type

func (GrantConstraintArrayOutput) Index

func (GrantConstraintArrayOutput) ToGrantConstraintArrayOutput

func (o GrantConstraintArrayOutput) ToGrantConstraintArrayOutput() GrantConstraintArrayOutput

func (GrantConstraintArrayOutput) ToGrantConstraintArrayOutputWithContext

func (o GrantConstraintArrayOutput) ToGrantConstraintArrayOutputWithContext(ctx context.Context) GrantConstraintArrayOutput

type GrantConstraintInput

type GrantConstraintInput interface {
	pulumi.Input

	ToGrantConstraintOutput() GrantConstraintOutput
	ToGrantConstraintOutputWithContext(context.Context) GrantConstraintOutput
}

GrantConstraintInput is an input type that accepts GrantConstraintArgs and GrantConstraintOutput values. You can construct a concrete instance of `GrantConstraintInput` via:

GrantConstraintArgs{...}

type GrantConstraintOutput

type GrantConstraintOutput struct{ *pulumi.OutputState }

func (GrantConstraintOutput) ElementType

func (GrantConstraintOutput) ElementType() reflect.Type

func (GrantConstraintOutput) EncryptionContextEquals

func (o GrantConstraintOutput) EncryptionContextEquals() pulumi.StringMapOutput

A list of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with `encryptionContextSubset`.

func (GrantConstraintOutput) EncryptionContextSubset

func (o GrantConstraintOutput) EncryptionContextSubset() pulumi.StringMapOutput

A list of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with `encryptionContextEquals`.

func (GrantConstraintOutput) ToGrantConstraintOutput

func (o GrantConstraintOutput) ToGrantConstraintOutput() GrantConstraintOutput

func (GrantConstraintOutput) ToGrantConstraintOutputWithContext

func (o GrantConstraintOutput) ToGrantConstraintOutputWithContext(ctx context.Context) GrantConstraintOutput

type GrantInput

type GrantInput interface {
	pulumi.Input

	ToGrantOutput() GrantOutput
	ToGrantOutputWithContext(ctx context.Context) GrantOutput
}

type GrantMap

type GrantMap map[string]GrantInput

func (GrantMap) ElementType

func (GrantMap) ElementType() reflect.Type

func (GrantMap) ToGrantMapOutput

func (i GrantMap) ToGrantMapOutput() GrantMapOutput

func (GrantMap) ToGrantMapOutputWithContext

func (i GrantMap) ToGrantMapOutputWithContext(ctx context.Context) GrantMapOutput

type GrantMapInput

type GrantMapInput interface {
	pulumi.Input

	ToGrantMapOutput() GrantMapOutput
	ToGrantMapOutputWithContext(context.Context) GrantMapOutput
}

GrantMapInput is an input type that accepts GrantMap and GrantMapOutput values. You can construct a concrete instance of `GrantMapInput` via:

GrantMap{ "key": GrantArgs{...} }

type GrantMapOutput

type GrantMapOutput struct{ *pulumi.OutputState }

func (GrantMapOutput) ElementType

func (GrantMapOutput) ElementType() reflect.Type

func (GrantMapOutput) MapIndex

func (GrantMapOutput) ToGrantMapOutput

func (o GrantMapOutput) ToGrantMapOutput() GrantMapOutput

func (GrantMapOutput) ToGrantMapOutputWithContext

func (o GrantMapOutput) ToGrantMapOutputWithContext(ctx context.Context) GrantMapOutput

type GrantOutput

type GrantOutput struct{ *pulumi.OutputState }

func (GrantOutput) Constraints

func (o GrantOutput) Constraints() GrantConstraintArrayOutput

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see [Encryption Context](http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).

func (GrantOutput) ElementType

func (GrantOutput) ElementType() reflect.Type

func (GrantOutput) GrantCreationTokens

func (o GrantOutput) GrantCreationTokens() pulumi.StringArrayOutput

A list of grant tokens to be used when creating the grant. See [Grant Tokens](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) for more information about grant tokens.

func (GrantOutput) GrantId

func (o GrantOutput) GrantId() pulumi.StringOutput

The unique identifier for the grant.

func (GrantOutput) GrantToken

func (o GrantOutput) GrantToken() pulumi.StringOutput

The grant token for the created grant. For more information, see [Grant Tokens](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).

func (GrantOutput) GranteePrincipal

func (o GrantOutput) GranteePrincipal() pulumi.StringOutput

The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.

func (GrantOutput) KeyId

func (o GrantOutput) KeyId() pulumi.StringOutput

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

func (GrantOutput) Name

func (o GrantOutput) Name() pulumi.StringOutput

A friendly name for identifying the grant.

func (GrantOutput) Operations

func (o GrantOutput) Operations() pulumi.StringArrayOutput

A list of operations that the grant permits. The permitted values are: `Decrypt`, `Encrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `Sign`, `Verify`, `GetPublicKey`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, or `GenerateDataKeyPairWithoutPlaintext`.

func (GrantOutput) RetireOnDelete

func (o GrantOutput) RetireOnDelete() pulumi.BoolPtrOutput

If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants. See [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) for more information.

func (GrantOutput) RetiringPrincipal

func (o GrantOutput) RetiringPrincipal() pulumi.StringPtrOutput

The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.

func (GrantOutput) ToGrantOutput

func (o GrantOutput) ToGrantOutput() GrantOutput

func (GrantOutput) ToGrantOutputWithContext

func (o GrantOutput) ToGrantOutputWithContext(ctx context.Context) GrantOutput

type GrantState

type GrantState struct {
	// A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see [Encryption Context](http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
	Constraints GrantConstraintArrayInput
	// A list of grant tokens to be used when creating the grant. See [Grant Tokens](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) for more information about grant tokens.
	GrantCreationTokens pulumi.StringArrayInput
	// The unique identifier for the grant.
	GrantId pulumi.StringPtrInput
	// The grant token for the created grant. For more information, see [Grant Tokens](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
	GrantToken pulumi.StringPtrInput
	// The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.
	GranteePrincipal pulumi.StringPtrInput
	// The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.
	KeyId pulumi.StringPtrInput
	// A friendly name for identifying the grant.
	Name pulumi.StringPtrInput
	// A list of operations that the grant permits. The permitted values are: `Decrypt`, `Encrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext`, `ReEncryptFrom`, `ReEncryptTo`, `Sign`, `Verify`, `GetPublicKey`, `CreateGrant`, `RetireGrant`, `DescribeKey`, `GenerateDataKeyPair`, or `GenerateDataKeyPairWithoutPlaintext`.
	Operations pulumi.StringArrayInput
	// If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants.
	// See [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) for more information.
	RetireOnDelete pulumi.BoolPtrInput
	// The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.
	RetiringPrincipal pulumi.StringPtrInput
}

func (GrantState) ElementType

func (GrantState) ElementType() reflect.Type

type Key

type Key struct {
	pulumi.CustomResourceState

	// The Amazon Resource Name (ARN) of the key.
	Arn pulumi.StringOutput `pulumi:"arn"`
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrOutput `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// ID of the KMS [Custom Key Store](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) where the key will be stored instead of KMS (eg CloudHSM).
	CustomKeyStoreId pulumi.StringPtrOutput `pulumi:"customKeyStoreId"`
	// Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
	// Valid values: `SYMMETRIC_DEFAULT`,  `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. For help with choosing a key spec, see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html).
	CustomerMasterKeySpec pulumi.StringPtrOutput `pulumi:"customerMasterKeySpec"`
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	// If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
	DeletionWindowInDays pulumi.IntPtrOutput `pulumi:"deletionWindowInDays"`
	// The description of the key as viewed in AWS console.
	Description pulumi.StringOutput `pulumi:"description"`
	// Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) is enabled. Defaults to `false`.
	EnableKeyRotation pulumi.BoolPtrOutput `pulumi:"enableKeyRotation"`
	// Specifies whether the key is enabled. Defaults to `true`.
	IsEnabled pulumi.BoolPtrOutput `pulumi:"isEnabled"`
	// The globally unique identifier for the key.
	KeyId pulumi.StringOutput `pulumi:"keyId"`
	// Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `GENERATE_VERIFY_MAC`.
	// Defaults to `ENCRYPT_DECRYPT`.
	KeyUsage pulumi.StringPtrOutput `pulumi:"keyUsage"`
	// Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
	MultiRegion pulumi.BoolOutput `pulumi:"multiRegion"`
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringOutput `pulumi:"policy"`
	// Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
	RotationPeriodInDays pulumi.IntOutput `pulumi:"rotationPeriodInDays"`
	// A map of tags to assign to the object. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapOutput `pulumi:"tags"`
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapOutput `pulumi:"tagsAll"`
	// Identifies the external key that serves as key material for the KMS key in an external key store.
	XksKeyId pulumi.StringPtrOutput `pulumi:"xksKeyId"`
}

Manages a single-Region or multi-Region primary KMS key.

> **NOTE on KMS Key Policy:** KMS Key Policy can be configured in either the standalone resource `kms.KeyPolicy` or with the parameter `policy` in this resource. Configuring with both will cause inconsistencies and may overwrite configuration.

## Example Usage

### Symmetric Encryption KMS Key

```go package main

import (

"encoding/json"
"fmt"

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Id":      "key-default-1",
			"Statement": []interface{}{
				map[string]interface{}{
					"Sid":    "Enable IAM User Permissions",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
					},
					"Action":   "kms:*",
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow administration of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Alice", current.AccountId),
					},
					"Action": []string{
						"kms:ReplicateKey",
						"kms:Create*",
						"kms:Describe*",
						"kms:Enable*",
						"kms:List*",
						"kms:Put*",
						"kms:Update*",
						"kms:Revoke*",
						"kms:Disable*",
						"kms:Get*",
						"kms:Delete*",
						"kms:ScheduleKeyDeletion",
						"kms:CancelKeyDeletion",
					},
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow use of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Bob", current.AccountId),
					},
					"Action": []string{
						"kms:DescribeKey",
						"kms:Encrypt",
						"kms:Decrypt",
						"kms:ReEncrypt*",
						"kms:GenerateDataKey",
						"kms:GenerateDataKeyWithoutPlaintext",
					},
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:          pulumi.String("An example symmetric encryption KMS key"),
			EnableKeyRotation:    pulumi.Bool(true),
			DeletionWindowInDays: pulumi.Int(20),
			Policy:               pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Symmetric Encryption KMS Key With Standalone Policy Resource

```go package main

import (

"encoding/json"
"fmt"

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:          pulumi.String("An example symmetric encryption KMS key"),
			EnableKeyRotation:    pulumi.Bool(true),
			DeletionWindowInDays: pulumi.Int(20),
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Id":      "key-default-1",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Sid":    "Enable IAM User Permissions",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
					},
					"Action":   "kms:*",
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = kms.NewKeyPolicy(ctx, "example", &kms.KeyPolicyArgs{
			KeyId:  example.ID(),
			Policy: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Asymmetric KMS Key

```go package main

import (

"encoding/json"
"fmt"

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Id":      "key-default-1",
			"Statement": []interface{}{
				map[string]interface{}{
					"Sid":    "Enable IAM User Permissions",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
					},
					"Action":   "kms:*",
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow administration of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Admin", current.AccountId),
					},
					"Action": []string{
						"kms:Create*",
						"kms:Describe*",
						"kms:Enable*",
						"kms:List*",
						"kms:Put*",
						"kms:Update*",
						"kms:Revoke*",
						"kms:Disable*",
						"kms:Get*",
						"kms:Delete*",
						"kms:ScheduleKeyDeletion",
						"kms:CancelKeyDeletion",
					},
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow use of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Developer", current.AccountId),
					},
					"Action": []string{
						"kms:Sign",
						"kms:Verify",
						"kms:DescribeKey",
					},
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:           pulumi.String("RSA-3072 asymmetric KMS key for signing and verification"),
			CustomerMasterKeySpec: pulumi.String("RSA_3072"),
			KeyUsage:              pulumi.String("SIGN_VERIFY"),
			EnableKeyRotation:     pulumi.Bool(false),
			Policy:                pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### HMAC KMS key

```go package main

import (

"encoding/json"
"fmt"

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Id":      "key-default-1",
			"Statement": []interface{}{
				map[string]interface{}{
					"Sid":    "Enable IAM User Permissions",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
					},
					"Action":   "kms:*",
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow administration of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Admin", current.AccountId),
					},
					"Action": []string{
						"kms:Create*",
						"kms:Describe*",
						"kms:Enable*",
						"kms:List*",
						"kms:Put*",
						"kms:Update*",
						"kms:Revoke*",
						"kms:Disable*",
						"kms:Get*",
						"kms:Delete*",
						"kms:ScheduleKeyDeletion",
						"kms:CancelKeyDeletion",
					},
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow use of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Developer", current.AccountId),
					},
					"Action": []string{
						"kms:GenerateMac",
						"kms:VerifyMac",
						"kms:DescribeKey",
					},
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:           pulumi.String("HMAC_384 key for tokens"),
			CustomerMasterKeySpec: pulumi.String("HMAC_384"),
			KeyUsage:              pulumi.String("GENERATE_VERIFY_MAC"),
			EnableKeyRotation:     pulumi.Bool(false),
			Policy:                pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Multi-Region Primary Key

```go package main

import (

"encoding/json"
"fmt"

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Id":      "key-default-1",
			"Statement": []interface{}{
				map[string]interface{}{
					"Sid":    "Enable IAM User Permissions",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
					},
					"Action":   "kms:*",
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow administration of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Alice", current.AccountId),
					},
					"Action": []string{
						"kms:ReplicateKey",
						"kms:Create*",
						"kms:Describe*",
						"kms:Enable*",
						"kms:List*",
						"kms:Put*",
						"kms:Update*",
						"kms:Revoke*",
						"kms:Disable*",
						"kms:Get*",
						"kms:Delete*",
						"kms:ScheduleKeyDeletion",
						"kms:CancelKeyDeletion",
					},
					"Resource": "*",
				},
				map[string]interface{}{
					"Sid":    "Allow use of the key",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Bob", current.AccountId),
					},
					"Action": []string{
						"kms:DescribeKey",
						"kms:Encrypt",
						"kms:Decrypt",
						"kms:ReEncrypt*",
						"kms:GenerateDataKey",
						"kms:GenerateDataKeyWithoutPlaintext",
					},
					"Resource": "*",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:          pulumi.String("An example multi-Region primary key"),
			MultiRegion:          pulumi.Bool(true),
			EnableKeyRotation:    pulumi.Bool(true),
			DeletionWindowInDays: pulumi.Int(10),
			Policy:               pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Using `pulumi import`, import KMS Keys using the `id`. For example:

```sh $ pulumi import aws:kms/key:Key a 1234abcd-12ab-34cd-56ef-1234567890ab ```

func GetKey

func GetKey(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *KeyState, opts ...pulumi.ResourceOption) (*Key, error)

GetKey gets an existing Key resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewKey

func NewKey(ctx *pulumi.Context,
	name string, args *KeyArgs, opts ...pulumi.ResourceOption) (*Key, error)

NewKey registers a new resource with the given unique name, arguments, and options.

func (*Key) ElementType

func (*Key) ElementType() reflect.Type

func (*Key) ToKeyOutput

func (i *Key) ToKeyOutput() KeyOutput

func (*Key) ToKeyOutputWithContext

func (i *Key) ToKeyOutputWithContext(ctx context.Context) KeyOutput

type KeyArgs

type KeyArgs struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// ID of the KMS [Custom Key Store](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) where the key will be stored instead of KMS (eg CloudHSM).
	CustomKeyStoreId pulumi.StringPtrInput
	// Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
	// Valid values: `SYMMETRIC_DEFAULT`,  `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. For help with choosing a key spec, see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html).
	CustomerMasterKeySpec pulumi.StringPtrInput
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	// If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
	DeletionWindowInDays pulumi.IntPtrInput
	// The description of the key as viewed in AWS console.
	Description pulumi.StringPtrInput
	// Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) is enabled. Defaults to `false`.
	EnableKeyRotation pulumi.BoolPtrInput
	// Specifies whether the key is enabled. Defaults to `true`.
	IsEnabled pulumi.BoolPtrInput
	// Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `GENERATE_VERIFY_MAC`.
	// Defaults to `ENCRYPT_DECRYPT`.
	KeyUsage pulumi.StringPtrInput
	// Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
	MultiRegion pulumi.BoolPtrInput
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringPtrInput
	// Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
	RotationPeriodInDays pulumi.IntPtrInput
	// A map of tags to assign to the object. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// Identifies the external key that serves as key material for the KMS key in an external key store.
	XksKeyId pulumi.StringPtrInput
}

The set of arguments for constructing a Key resource.

func (KeyArgs) ElementType

func (KeyArgs) ElementType() reflect.Type

type KeyArray

type KeyArray []KeyInput

func (KeyArray) ElementType

func (KeyArray) ElementType() reflect.Type

func (KeyArray) ToKeyArrayOutput

func (i KeyArray) ToKeyArrayOutput() KeyArrayOutput

func (KeyArray) ToKeyArrayOutputWithContext

func (i KeyArray) ToKeyArrayOutputWithContext(ctx context.Context) KeyArrayOutput

type KeyArrayInput

type KeyArrayInput interface {
	pulumi.Input

	ToKeyArrayOutput() KeyArrayOutput
	ToKeyArrayOutputWithContext(context.Context) KeyArrayOutput
}

KeyArrayInput is an input type that accepts KeyArray and KeyArrayOutput values. You can construct a concrete instance of `KeyArrayInput` via:

KeyArray{ KeyArgs{...} }

type KeyArrayOutput

type KeyArrayOutput struct{ *pulumi.OutputState }

func (KeyArrayOutput) ElementType

func (KeyArrayOutput) ElementType() reflect.Type

func (KeyArrayOutput) Index

func (KeyArrayOutput) ToKeyArrayOutput

func (o KeyArrayOutput) ToKeyArrayOutput() KeyArrayOutput

func (KeyArrayOutput) ToKeyArrayOutputWithContext

func (o KeyArrayOutput) ToKeyArrayOutputWithContext(ctx context.Context) KeyArrayOutput

type KeyInput

type KeyInput interface {
	pulumi.Input

	ToKeyOutput() KeyOutput
	ToKeyOutputWithContext(ctx context.Context) KeyOutput
}

type KeyMap

type KeyMap map[string]KeyInput

func (KeyMap) ElementType

func (KeyMap) ElementType() reflect.Type

func (KeyMap) ToKeyMapOutput

func (i KeyMap) ToKeyMapOutput() KeyMapOutput

func (KeyMap) ToKeyMapOutputWithContext

func (i KeyMap) ToKeyMapOutputWithContext(ctx context.Context) KeyMapOutput

type KeyMapInput

type KeyMapInput interface {
	pulumi.Input

	ToKeyMapOutput() KeyMapOutput
	ToKeyMapOutputWithContext(context.Context) KeyMapOutput
}

KeyMapInput is an input type that accepts KeyMap and KeyMapOutput values. You can construct a concrete instance of `KeyMapInput` via:

KeyMap{ "key": KeyArgs{...} }

type KeyMapOutput

type KeyMapOutput struct{ *pulumi.OutputState }

func (KeyMapOutput) ElementType

func (KeyMapOutput) ElementType() reflect.Type

func (KeyMapOutput) MapIndex

func (o KeyMapOutput) MapIndex(k pulumi.StringInput) KeyOutput

func (KeyMapOutput) ToKeyMapOutput

func (o KeyMapOutput) ToKeyMapOutput() KeyMapOutput

func (KeyMapOutput) ToKeyMapOutputWithContext

func (o KeyMapOutput) ToKeyMapOutputWithContext(ctx context.Context) KeyMapOutput

type KeyOutput

type KeyOutput struct{ *pulumi.OutputState }

func (KeyOutput) Arn

func (o KeyOutput) Arn() pulumi.StringOutput

The Amazon Resource Name (ARN) of the key.

func (KeyOutput) BypassPolicyLockoutSafetyCheck

func (o KeyOutput) BypassPolicyLockoutSafetyCheck() pulumi.BoolPtrOutput

A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_. The default value is `false`.

func (KeyOutput) CustomKeyStoreId

func (o KeyOutput) CustomKeyStoreId() pulumi.StringPtrOutput

ID of the KMS [Custom Key Store](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) where the key will be stored instead of KMS (eg CloudHSM).

func (KeyOutput) CustomerMasterKeySpec

func (o KeyOutput) CustomerMasterKeySpec() pulumi.StringPtrOutput

Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. For help with choosing a key spec, see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html).

func (KeyOutput) DeletionWindowInDays

func (o KeyOutput) DeletionWindowInDays() pulumi.IntPtrOutput

The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.

func (KeyOutput) Description

func (o KeyOutput) Description() pulumi.StringOutput

The description of the key as viewed in AWS console.

func (KeyOutput) ElementType

func (KeyOutput) ElementType() reflect.Type

func (KeyOutput) EnableKeyRotation

func (o KeyOutput) EnableKeyRotation() pulumi.BoolPtrOutput

Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) is enabled. Defaults to `false`.

func (KeyOutput) IsEnabled

func (o KeyOutput) IsEnabled() pulumi.BoolPtrOutput

Specifies whether the key is enabled. Defaults to `true`.

func (KeyOutput) KeyId

func (o KeyOutput) KeyId() pulumi.StringOutput

The globally unique identifier for the key.

func (KeyOutput) KeyUsage

func (o KeyOutput) KeyUsage() pulumi.StringPtrOutput

Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `GENERATE_VERIFY_MAC`. Defaults to `ENCRYPT_DECRYPT`.

func (KeyOutput) MultiRegion

func (o KeyOutput) MultiRegion() pulumi.BoolOutput

Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.

func (KeyOutput) Policy

func (o KeyOutput) Policy() pulumi.StringOutput

A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used.

> **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

func (KeyOutput) RotationPeriodInDays added in v6.36.0

func (o KeyOutput) RotationPeriodInDays() pulumi.IntOutput

Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).

func (KeyOutput) Tags

func (o KeyOutput) Tags() pulumi.StringMapOutput

A map of tags to assign to the object. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

func (KeyOutput) TagsAll deprecated

func (o KeyOutput) TagsAll() pulumi.StringMapOutput

A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.

Deprecated: Please use `tags` instead.

func (KeyOutput) ToKeyOutput

func (o KeyOutput) ToKeyOutput() KeyOutput

func (KeyOutput) ToKeyOutputWithContext

func (o KeyOutput) ToKeyOutputWithContext(ctx context.Context) KeyOutput

func (KeyOutput) XksKeyId added in v6.18.2

func (o KeyOutput) XksKeyId() pulumi.StringPtrOutput

Identifies the external key that serves as key material for the KMS key in an external key store.

type KeyPolicy

type KeyPolicy struct {
	pulumi.CustomResourceState

	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrOutput `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// The ID of the KMS Key to attach the policy.
	KeyId pulumi.StringOutput `pulumi:"keyId"`
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringOutput `pulumi:"policy"`
}

Attaches a policy to a KMS Key.

## Example Usage

```go package main

import (

"encoding/json"

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Id": "example",
			"Statement": []map[string]interface{}{
				map[string]interface{}{
					"Action": "kms:*",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": "*",
					},
					"Resource": "*",
					"Sid":      "Enable IAM User Permissions",
				},
			},
			"Version": "2012-10-17",
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = kms.NewKeyPolicy(ctx, "example", &kms.KeyPolicyArgs{
			KeyId:  example.ID(),
			Policy: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Using `pulumi import`, import KMS Key Policies using the `key_id`. For example:

```sh $ pulumi import aws:kms/keyPolicy:KeyPolicy a 1234abcd-12ab-34cd-56ef-1234567890ab ```

func GetKeyPolicy

func GetKeyPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *KeyPolicyState, opts ...pulumi.ResourceOption) (*KeyPolicy, error)

GetKeyPolicy gets an existing KeyPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewKeyPolicy

func NewKeyPolicy(ctx *pulumi.Context,
	name string, args *KeyPolicyArgs, opts ...pulumi.ResourceOption) (*KeyPolicy, error)

NewKeyPolicy registers a new resource with the given unique name, arguments, and options.

func (*KeyPolicy) ElementType

func (*KeyPolicy) ElementType() reflect.Type

func (*KeyPolicy) ToKeyPolicyOutput

func (i *KeyPolicy) ToKeyPolicyOutput() KeyPolicyOutput

func (*KeyPolicy) ToKeyPolicyOutputWithContext

func (i *KeyPolicy) ToKeyPolicyOutputWithContext(ctx context.Context) KeyPolicyOutput

type KeyPolicyArgs

type KeyPolicyArgs struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The ID of the KMS Key to attach the policy.
	KeyId pulumi.StringInput
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringInput
}

The set of arguments for constructing a KeyPolicy resource.

func (KeyPolicyArgs) ElementType

func (KeyPolicyArgs) ElementType() reflect.Type

type KeyPolicyArray

type KeyPolicyArray []KeyPolicyInput

func (KeyPolicyArray) ElementType

func (KeyPolicyArray) ElementType() reflect.Type

func (KeyPolicyArray) ToKeyPolicyArrayOutput

func (i KeyPolicyArray) ToKeyPolicyArrayOutput() KeyPolicyArrayOutput

func (KeyPolicyArray) ToKeyPolicyArrayOutputWithContext

func (i KeyPolicyArray) ToKeyPolicyArrayOutputWithContext(ctx context.Context) KeyPolicyArrayOutput

type KeyPolicyArrayInput

type KeyPolicyArrayInput interface {
	pulumi.Input

	ToKeyPolicyArrayOutput() KeyPolicyArrayOutput
	ToKeyPolicyArrayOutputWithContext(context.Context) KeyPolicyArrayOutput
}

KeyPolicyArrayInput is an input type that accepts KeyPolicyArray and KeyPolicyArrayOutput values. You can construct a concrete instance of `KeyPolicyArrayInput` via:

KeyPolicyArray{ KeyPolicyArgs{...} }

type KeyPolicyArrayOutput

type KeyPolicyArrayOutput struct{ *pulumi.OutputState }

func (KeyPolicyArrayOutput) ElementType

func (KeyPolicyArrayOutput) ElementType() reflect.Type

func (KeyPolicyArrayOutput) Index

func (KeyPolicyArrayOutput) ToKeyPolicyArrayOutput

func (o KeyPolicyArrayOutput) ToKeyPolicyArrayOutput() KeyPolicyArrayOutput

func (KeyPolicyArrayOutput) ToKeyPolicyArrayOutputWithContext

func (o KeyPolicyArrayOutput) ToKeyPolicyArrayOutputWithContext(ctx context.Context) KeyPolicyArrayOutput

type KeyPolicyInput

type KeyPolicyInput interface {
	pulumi.Input

	ToKeyPolicyOutput() KeyPolicyOutput
	ToKeyPolicyOutputWithContext(ctx context.Context) KeyPolicyOutput
}

type KeyPolicyMap

type KeyPolicyMap map[string]KeyPolicyInput

func (KeyPolicyMap) ElementType

func (KeyPolicyMap) ElementType() reflect.Type

func (KeyPolicyMap) ToKeyPolicyMapOutput

func (i KeyPolicyMap) ToKeyPolicyMapOutput() KeyPolicyMapOutput

func (KeyPolicyMap) ToKeyPolicyMapOutputWithContext

func (i KeyPolicyMap) ToKeyPolicyMapOutputWithContext(ctx context.Context) KeyPolicyMapOutput

type KeyPolicyMapInput

type KeyPolicyMapInput interface {
	pulumi.Input

	ToKeyPolicyMapOutput() KeyPolicyMapOutput
	ToKeyPolicyMapOutputWithContext(context.Context) KeyPolicyMapOutput
}

KeyPolicyMapInput is an input type that accepts KeyPolicyMap and KeyPolicyMapOutput values. You can construct a concrete instance of `KeyPolicyMapInput` via:

KeyPolicyMap{ "key": KeyPolicyArgs{...} }

type KeyPolicyMapOutput

type KeyPolicyMapOutput struct{ *pulumi.OutputState }

func (KeyPolicyMapOutput) ElementType

func (KeyPolicyMapOutput) ElementType() reflect.Type

func (KeyPolicyMapOutput) MapIndex

func (KeyPolicyMapOutput) ToKeyPolicyMapOutput

func (o KeyPolicyMapOutput) ToKeyPolicyMapOutput() KeyPolicyMapOutput

func (KeyPolicyMapOutput) ToKeyPolicyMapOutputWithContext

func (o KeyPolicyMapOutput) ToKeyPolicyMapOutputWithContext(ctx context.Context) KeyPolicyMapOutput

type KeyPolicyOutput

type KeyPolicyOutput struct{ *pulumi.OutputState }

func (KeyPolicyOutput) BypassPolicyLockoutSafetyCheck

func (o KeyPolicyOutput) BypassPolicyLockoutSafetyCheck() pulumi.BoolPtrOutput

A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.

func (KeyPolicyOutput) ElementType

func (KeyPolicyOutput) ElementType() reflect.Type

func (KeyPolicyOutput) KeyId

The ID of the KMS Key to attach the policy.

func (KeyPolicyOutput) Policy

func (o KeyPolicyOutput) Policy() pulumi.StringOutput

A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.

> **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

func (KeyPolicyOutput) ToKeyPolicyOutput

func (o KeyPolicyOutput) ToKeyPolicyOutput() KeyPolicyOutput

func (KeyPolicyOutput) ToKeyPolicyOutputWithContext

func (o KeyPolicyOutput) ToKeyPolicyOutputWithContext(ctx context.Context) KeyPolicyOutput

type KeyPolicyState

type KeyPolicyState struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The ID of the KMS Key to attach the policy.
	KeyId pulumi.StringPtrInput
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringPtrInput
}

func (KeyPolicyState) ElementType

func (KeyPolicyState) ElementType() reflect.Type

type KeyState

type KeyState struct {
	// The Amazon Resource Name (ARN) of the key.
	Arn pulumi.StringPtrInput
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// ID of the KMS [Custom Key Store](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) where the key will be stored instead of KMS (eg CloudHSM).
	CustomKeyStoreId pulumi.StringPtrInput
	// Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
	// Valid values: `SYMMETRIC_DEFAULT`,  `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. For help with choosing a key spec, see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html).
	CustomerMasterKeySpec pulumi.StringPtrInput
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	// If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
	DeletionWindowInDays pulumi.IntPtrInput
	// The description of the key as viewed in AWS console.
	Description pulumi.StringPtrInput
	// Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) is enabled. Defaults to `false`.
	EnableKeyRotation pulumi.BoolPtrInput
	// Specifies whether the key is enabled. Defaults to `true`.
	IsEnabled pulumi.BoolPtrInput
	// The globally unique identifier for the key.
	KeyId pulumi.StringPtrInput
	// Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `GENERATE_VERIFY_MAC`.
	// Defaults to `ENCRYPT_DECRYPT`.
	KeyUsage pulumi.StringPtrInput
	// Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
	MultiRegion pulumi.BoolPtrInput
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringPtrInput
	// Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
	RotationPeriodInDays pulumi.IntPtrInput
	// A map of tags to assign to the object. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapInput
	// Identifies the external key that serves as key material for the KMS key in an external key store.
	XksKeyId pulumi.StringPtrInput
}

func (KeyState) ElementType

func (KeyState) ElementType() reflect.Type

type LookupAliasArgs

type LookupAliasArgs struct {
	// Display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/)
	Name string `pulumi:"name"`
}

A collection of arguments for invoking getAlias.

type LookupAliasOutputArgs

type LookupAliasOutputArgs struct {
	// Display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/)
	Name pulumi.StringInput `pulumi:"name"`
}

A collection of arguments for invoking getAlias.

func (LookupAliasOutputArgs) ElementType

func (LookupAliasOutputArgs) ElementType() reflect.Type

type LookupAliasResult

type LookupAliasResult struct {
	// Amazon Resource Name(ARN) of the key alias.
	Arn string `pulumi:"arn"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Name of the alias
	Name string `pulumi:"name"`
	// ARN pointed to by the alias.
	TargetKeyArn string `pulumi:"targetKeyArn"`
	// Key identifier pointed to by the alias.
	TargetKeyId string `pulumi:"targetKeyId"`
}

A collection of values returned by getAlias.

func LookupAlias

func LookupAlias(ctx *pulumi.Context, args *LookupAliasArgs, opts ...pulumi.InvokeOption) (*LookupAliasResult, error)

Use this data source to get the ARN of a KMS key alias. By using this data source, you can reference key alias without having to hard code the ARN as input.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.LookupAlias(ctx, &kms.LookupAliasArgs{
			Name: "alias/aws/s3",
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAliasResultOutput

type LookupAliasResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAlias.

func (LookupAliasResultOutput) Arn

Amazon Resource Name(ARN) of the key alias.

func (LookupAliasResultOutput) ElementType

func (LookupAliasResultOutput) ElementType() reflect.Type

func (LookupAliasResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupAliasResultOutput) Name

Name of the alias

func (LookupAliasResultOutput) TargetKeyArn

func (o LookupAliasResultOutput) TargetKeyArn() pulumi.StringOutput

ARN pointed to by the alias.

func (LookupAliasResultOutput) TargetKeyId

Key identifier pointed to by the alias.

func (LookupAliasResultOutput) ToLookupAliasResultOutput

func (o LookupAliasResultOutput) ToLookupAliasResultOutput() LookupAliasResultOutput

func (LookupAliasResultOutput) ToLookupAliasResultOutputWithContext

func (o LookupAliasResultOutput) ToLookupAliasResultOutputWithContext(ctx context.Context) LookupAliasResultOutput

type LookupCustomKeyStoreArgs

type LookupCustomKeyStoreArgs struct {
	// The ID for the custom key store.
	CustomKeyStoreId *string `pulumi:"customKeyStoreId"`
	// The user-specified friendly name for the custom key store.
	CustomKeyStoreName *string `pulumi:"customKeyStoreName"`
}

A collection of arguments for invoking getCustomKeyStore.

type LookupCustomKeyStoreOutputArgs

type LookupCustomKeyStoreOutputArgs struct {
	// The ID for the custom key store.
	CustomKeyStoreId pulumi.StringPtrInput `pulumi:"customKeyStoreId"`
	// The user-specified friendly name for the custom key store.
	CustomKeyStoreName pulumi.StringPtrInput `pulumi:"customKeyStoreName"`
}

A collection of arguments for invoking getCustomKeyStore.

func (LookupCustomKeyStoreOutputArgs) ElementType

type LookupCustomKeyStoreResult

type LookupCustomKeyStoreResult struct {
	CloudHsmClusterId string `pulumi:"cloudHsmClusterId"`
	// Indicates whether the custom key store is connected to its CloudHSM cluster.
	ConnectionState string `pulumi:"connectionState"`
	// The date and time when the custom key store was created.
	CreationDate       string `pulumi:"creationDate"`
	CustomKeyStoreId   string `pulumi:"customKeyStoreId"`
	CustomKeyStoreName string `pulumi:"customKeyStoreName"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// The trust anchor certificate of the associated CloudHSM cluster.
	TrustAnchorCertificate string `pulumi:"trustAnchorCertificate"`
}

A collection of values returned by getCustomKeyStore.

func LookupCustomKeyStore

func LookupCustomKeyStore(ctx *pulumi.Context, args *LookupCustomKeyStoreArgs, opts ...pulumi.InvokeOption) (*LookupCustomKeyStoreResult, error)

Use this data source to get the metadata KMS custom key store. By using this data source, you can reference KMS custom key store without having to hard code the ID as input.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.LookupCustomKeyStore(ctx, &kms.LookupCustomKeyStoreArgs{
			CustomKeyStoreName: pulumi.StringRef("my_cloudhsm"),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupCustomKeyStoreResultOutput

type LookupCustomKeyStoreResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getCustomKeyStore.

func (LookupCustomKeyStoreResultOutput) CloudHsmClusterId

func (LookupCustomKeyStoreResultOutput) ConnectionState

Indicates whether the custom key store is connected to its CloudHSM cluster.

func (LookupCustomKeyStoreResultOutput) CreationDate

The date and time when the custom key store was created.

func (LookupCustomKeyStoreResultOutput) CustomKeyStoreId

func (LookupCustomKeyStoreResultOutput) CustomKeyStoreName

func (o LookupCustomKeyStoreResultOutput) CustomKeyStoreName() pulumi.StringOutput

func (LookupCustomKeyStoreResultOutput) ElementType

func (LookupCustomKeyStoreResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupCustomKeyStoreResultOutput) ToLookupCustomKeyStoreResultOutput

func (o LookupCustomKeyStoreResultOutput) ToLookupCustomKeyStoreResultOutput() LookupCustomKeyStoreResultOutput

func (LookupCustomKeyStoreResultOutput) ToLookupCustomKeyStoreResultOutputWithContext

func (o LookupCustomKeyStoreResultOutput) ToLookupCustomKeyStoreResultOutputWithContext(ctx context.Context) LookupCustomKeyStoreResultOutput

func (LookupCustomKeyStoreResultOutput) TrustAnchorCertificate

func (o LookupCustomKeyStoreResultOutput) TrustAnchorCertificate() pulumi.StringOutput

The trust anchor certificate of the associated CloudHSM cluster.

type LookupKeyArgs

type LookupKeyArgs struct {
	// List of grant tokens
	GrantTokens []string `pulumi:"grantTokens"`
	// Key identifier which can be one of the following format:
	// * Key ID. E.g: `1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Key ARN. E.g.: `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Alias name. E.g.: `alias/my-key`
	// * Alias ARN: E.g.: `arn:aws:kms:us-east-1:111122223333:alias/my-key`
	KeyId string `pulumi:"keyId"`
}

A collection of arguments for invoking getKey.

type LookupKeyOutputArgs

type LookupKeyOutputArgs struct {
	// List of grant tokens
	GrantTokens pulumi.StringArrayInput `pulumi:"grantTokens"`
	// Key identifier which can be one of the following format:
	// * Key ID. E.g: `1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Key ARN. E.g.: `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
	// * Alias name. E.g.: `alias/my-key`
	// * Alias ARN: E.g.: `arn:aws:kms:us-east-1:111122223333:alias/my-key`
	KeyId pulumi.StringInput `pulumi:"keyId"`
}

A collection of arguments for invoking getKey.

func (LookupKeyOutputArgs) ElementType

func (LookupKeyOutputArgs) ElementType() reflect.Type

type LookupKeyResult

type LookupKeyResult struct {
	// The key ARN of a primary or replica key of a multi-Region key.
	Arn string `pulumi:"arn"`
	// The twelve-digit account ID of the AWS account that owns the key
	AwsAccountId string `pulumi:"awsAccountId"`
	// The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
	CloudHsmClusterId string `pulumi:"cloudHsmClusterId"`
	// The date and time when the key was created
	CreationDate string `pulumi:"creationDate"`
	// A unique identifier for the custom key store that contains the KMS key.
	CustomKeyStoreId string `pulumi:"customKeyStoreId"`
	// Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
	CustomerMasterKeySpec string `pulumi:"customerMasterKeySpec"`
	// The date and time after which AWS KMS deletes the key. This value is present only when `keyState` is `PendingDeletion`, otherwise this value is 0
	DeletionDate string `pulumi:"deletionDate"`
	// The description of the key.
	Description string `pulumi:"description"`
	// Specifies whether the key is enabled. When `keyState` is `Enabled` this value is true, otherwise it is false
	Enabled bool `pulumi:"enabled"`
	// Specifies whether the Key's key material expires. This value is present only when `origin` is `EXTERNAL`, otherwise this value is empty
	ExpirationModel string   `pulumi:"expirationModel"`
	GrantTokens     []string `pulumi:"grantTokens"`
	// The provider-assigned unique ID for this managed resource.
	Id    string `pulumi:"id"`
	KeyId string `pulumi:"keyId"`
	// The key's manager
	KeyManager string `pulumi:"keyManager"`
	// Describes the type of key material in the KMS key.
	KeySpec string `pulumi:"keySpec"`
	// The state of the key
	KeyState string `pulumi:"keyState"`
	// Specifies the intended use of the key
	KeyUsage string `pulumi:"keyUsage"`
	// Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key.
	MultiRegion bool `pulumi:"multiRegion"`
	// Lists the primary and replica keys in same multi-Region key. Present only when the value of `multiRegion` is `true`.
	MultiRegionConfigurations []GetKeyMultiRegionConfiguration `pulumi:"multiRegionConfigurations"`
	// When this value is `AWS_KMS`, AWS KMS created the key material. When this value is `EXTERNAL`, the key material was imported from your existing key management infrastructure or the CMK lacks key material
	Origin string `pulumi:"origin"`
	// The waiting period before the primary key in a multi-Region key is deleted.
	PendingDeletionWindowInDays int `pulumi:"pendingDeletionWindowInDays"`
	// The time at which the imported key material expires. This value is present only when `origin` is `EXTERNAL` and whose `expirationModel` is `KEY_MATERIAL_EXPIRES`, otherwise this value is 0
	ValidTo string `pulumi:"validTo"`
	// Information about the external key that is associated with a KMS key in an external key store.
	XksKeyConfigurations []GetKeyXksKeyConfiguration `pulumi:"xksKeyConfigurations"`
}

A collection of values returned by getKey.

func LookupKey

func LookupKey(ctx *pulumi.Context, args *LookupKeyArgs, opts ...pulumi.InvokeOption) (*LookupKeyResult, error)

Use this data source to get detailed information about the specified KMS Key with flexible key id input. This can be useful to reference key alias without having to hard code the ARN as input.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.LookupKey(ctx, &kms.LookupKeyArgs{
			KeyId: "alias/my-key",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.LookupKey(ctx, &kms.LookupKeyArgs{
			KeyId: "1234abcd-12ab-34cd-56ef-1234567890ab",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.LookupKey(ctx, &kms.LookupKeyArgs{
			KeyId: "arn:aws:kms:us-east-1:111122223333:alias/my-key",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.LookupKey(ctx, &kms.LookupKeyArgs{
			KeyId: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupKeyResultOutput

type LookupKeyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getKey.

func (LookupKeyResultOutput) Arn

The key ARN of a primary or replica key of a multi-Region key.

func (LookupKeyResultOutput) AwsAccountId

func (o LookupKeyResultOutput) AwsAccountId() pulumi.StringOutput

The twelve-digit account ID of the AWS account that owns the key

func (LookupKeyResultOutput) CloudHsmClusterId

func (o LookupKeyResultOutput) CloudHsmClusterId() pulumi.StringOutput

The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.

func (LookupKeyResultOutput) CreationDate

func (o LookupKeyResultOutput) CreationDate() pulumi.StringOutput

The date and time when the key was created

func (LookupKeyResultOutput) CustomKeyStoreId

func (o LookupKeyResultOutput) CustomKeyStoreId() pulumi.StringOutput

A unique identifier for the custom key store that contains the KMS key.

func (LookupKeyResultOutput) CustomerMasterKeySpec

func (o LookupKeyResultOutput) CustomerMasterKeySpec() pulumi.StringOutput

Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports

func (LookupKeyResultOutput) DeletionDate

func (o LookupKeyResultOutput) DeletionDate() pulumi.StringOutput

The date and time after which AWS KMS deletes the key. This value is present only when `keyState` is `PendingDeletion`, otherwise this value is 0

func (LookupKeyResultOutput) Description

func (o LookupKeyResultOutput) Description() pulumi.StringOutput

The description of the key.

func (LookupKeyResultOutput) ElementType

func (LookupKeyResultOutput) ElementType() reflect.Type

func (LookupKeyResultOutput) Enabled

Specifies whether the key is enabled. When `keyState` is `Enabled` this value is true, otherwise it is false

func (LookupKeyResultOutput) ExpirationModel

func (o LookupKeyResultOutput) ExpirationModel() pulumi.StringOutput

Specifies whether the Key's key material expires. This value is present only when `origin` is `EXTERNAL`, otherwise this value is empty

func (LookupKeyResultOutput) GrantTokens

func (LookupKeyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupKeyResultOutput) KeyId

func (LookupKeyResultOutput) KeyManager

func (o LookupKeyResultOutput) KeyManager() pulumi.StringOutput

The key's manager

func (LookupKeyResultOutput) KeySpec

Describes the type of key material in the KMS key.

func (LookupKeyResultOutput) KeyState

The state of the key

func (LookupKeyResultOutput) KeyUsage

Specifies the intended use of the key

func (LookupKeyResultOutput) MultiRegion

func (o LookupKeyResultOutput) MultiRegion() pulumi.BoolOutput

Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key.

func (LookupKeyResultOutput) MultiRegionConfigurations

Lists the primary and replica keys in same multi-Region key. Present only when the value of `multiRegion` is `true`.

func (LookupKeyResultOutput) Origin

When this value is `AWS_KMS`, AWS KMS created the key material. When this value is `EXTERNAL`, the key material was imported from your existing key management infrastructure or the CMK lacks key material

func (LookupKeyResultOutput) PendingDeletionWindowInDays

func (o LookupKeyResultOutput) PendingDeletionWindowInDays() pulumi.IntOutput

The waiting period before the primary key in a multi-Region key is deleted.

func (LookupKeyResultOutput) ToLookupKeyResultOutput

func (o LookupKeyResultOutput) ToLookupKeyResultOutput() LookupKeyResultOutput

func (LookupKeyResultOutput) ToLookupKeyResultOutputWithContext

func (o LookupKeyResultOutput) ToLookupKeyResultOutputWithContext(ctx context.Context) LookupKeyResultOutput

func (LookupKeyResultOutput) ValidTo

The time at which the imported key material expires. This value is present only when `origin` is `EXTERNAL` and whose `expirationModel` is `KEY_MATERIAL_EXPIRES`, otherwise this value is 0

func (LookupKeyResultOutput) XksKeyConfigurations

Information about the external key that is associated with a KMS key in an external key store.

type ReplicaExternalKey

type ReplicaExternalKey struct {
	pulumi.CustomResourceState

	// The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
	Arn pulumi.StringOutput `pulumi:"arn"`
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrOutput `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrOutput `pulumi:"deletionWindowInDays"`
	// A description of the KMS key.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be `false`. Imported keys default to `true` unless expired.
	Enabled pulumi.BoolOutput `pulumi:"enabled"`
	// Whether the key material expires. Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.
	ExpirationModel pulumi.StringOutput `pulumi:"expirationModel"`
	// The key ID of the replica key. Related multi-Region keys have the same key ID.
	KeyId pulumi.StringOutput `pulumi:"keyId"`
	// Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be [reimported](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material), but you cannot import different key material.
	KeyMaterialBase64 pulumi.StringPtrOutput `pulumi:"keyMaterialBase64"`
	// The state of the replica key.
	KeyState pulumi.StringOutput `pulumi:"keyState"`
	// The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. This is a shared property of multi-Region keys.
	KeyUsage pulumi.StringOutput `pulumi:"keyUsage"`
	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.
	Policy pulumi.StringOutput `pulumi:"policy"`
	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
	PrimaryKeyArn pulumi.StringOutput `pulumi:"primaryKeyArn"`
	// A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapOutput `pulumi:"tags"`
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapOutput `pulumi:"tagsAll"`
	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)
	ValidTo pulumi.StringPtrOutput `pulumi:"validTo"`
}

Manages a KMS multi-Region replica key that uses external key material. See the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html) for more information on importing key material into multi-Region keys.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewExternalKey(ctx, "primary", &kms.ExternalKeyArgs{
			Description:          pulumi.String("Multi-Region primary key"),
			DeletionWindowInDays: pulumi.Int(30),
			MultiRegion:          pulumi.Bool(true),
			Enabled:              pulumi.Bool(true),
			KeyMaterialBase64:    pulumi.String("..."),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewReplicaExternalKey(ctx, "replica", &kms.ReplicaExternalKeyArgs{
			Description:          pulumi.String("Multi-Region replica key"),
			DeletionWindowInDays: pulumi.Int(7),
			PrimaryKeyArn:        pulumi.Any(primaryAwsKmsExternal.Arn),
			KeyMaterialBase64:    pulumi.String("..."),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Using `pulumi import`, import KMS multi-Region replica keys using the `id`. For example:

```sh $ pulumi import aws:kms/replicaExternalKey:ReplicaExternalKey example 1234abcd-12ab-34cd-56ef-1234567890ab ```

func GetReplicaExternalKey

func GetReplicaExternalKey(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ReplicaExternalKeyState, opts ...pulumi.ResourceOption) (*ReplicaExternalKey, error)

GetReplicaExternalKey gets an existing ReplicaExternalKey resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewReplicaExternalKey

func NewReplicaExternalKey(ctx *pulumi.Context,
	name string, args *ReplicaExternalKeyArgs, opts ...pulumi.ResourceOption) (*ReplicaExternalKey, error)

NewReplicaExternalKey registers a new resource with the given unique name, arguments, and options.

func (*ReplicaExternalKey) ElementType

func (*ReplicaExternalKey) ElementType() reflect.Type

func (*ReplicaExternalKey) ToReplicaExternalKeyOutput

func (i *ReplicaExternalKey) ToReplicaExternalKeyOutput() ReplicaExternalKeyOutput

func (*ReplicaExternalKey) ToReplicaExternalKeyOutputWithContext

func (i *ReplicaExternalKey) ToReplicaExternalKeyOutputWithContext(ctx context.Context) ReplicaExternalKeyOutput

type ReplicaExternalKeyArgs

type ReplicaExternalKeyArgs struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrInput
	// A description of the KMS key.
	Description pulumi.StringPtrInput
	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be `false`. Imported keys default to `true` unless expired.
	Enabled pulumi.BoolPtrInput
	// Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be [reimported](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material), but you cannot import different key material.
	KeyMaterialBase64 pulumi.StringPtrInput
	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.
	Policy pulumi.StringPtrInput
	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
	PrimaryKeyArn pulumi.StringInput
	// A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)
	ValidTo pulumi.StringPtrInput
}

The set of arguments for constructing a ReplicaExternalKey resource.

func (ReplicaExternalKeyArgs) ElementType

func (ReplicaExternalKeyArgs) ElementType() reflect.Type

type ReplicaExternalKeyArray

type ReplicaExternalKeyArray []ReplicaExternalKeyInput

func (ReplicaExternalKeyArray) ElementType

func (ReplicaExternalKeyArray) ElementType() reflect.Type

func (ReplicaExternalKeyArray) ToReplicaExternalKeyArrayOutput

func (i ReplicaExternalKeyArray) ToReplicaExternalKeyArrayOutput() ReplicaExternalKeyArrayOutput

func (ReplicaExternalKeyArray) ToReplicaExternalKeyArrayOutputWithContext

func (i ReplicaExternalKeyArray) ToReplicaExternalKeyArrayOutputWithContext(ctx context.Context) ReplicaExternalKeyArrayOutput

type ReplicaExternalKeyArrayInput

type ReplicaExternalKeyArrayInput interface {
	pulumi.Input

	ToReplicaExternalKeyArrayOutput() ReplicaExternalKeyArrayOutput
	ToReplicaExternalKeyArrayOutputWithContext(context.Context) ReplicaExternalKeyArrayOutput
}

ReplicaExternalKeyArrayInput is an input type that accepts ReplicaExternalKeyArray and ReplicaExternalKeyArrayOutput values. You can construct a concrete instance of `ReplicaExternalKeyArrayInput` via:

ReplicaExternalKeyArray{ ReplicaExternalKeyArgs{...} }

type ReplicaExternalKeyArrayOutput

type ReplicaExternalKeyArrayOutput struct{ *pulumi.OutputState }

func (ReplicaExternalKeyArrayOutput) ElementType

func (ReplicaExternalKeyArrayOutput) Index

func (ReplicaExternalKeyArrayOutput) ToReplicaExternalKeyArrayOutput

func (o ReplicaExternalKeyArrayOutput) ToReplicaExternalKeyArrayOutput() ReplicaExternalKeyArrayOutput

func (ReplicaExternalKeyArrayOutput) ToReplicaExternalKeyArrayOutputWithContext

func (o ReplicaExternalKeyArrayOutput) ToReplicaExternalKeyArrayOutputWithContext(ctx context.Context) ReplicaExternalKeyArrayOutput

type ReplicaExternalKeyInput

type ReplicaExternalKeyInput interface {
	pulumi.Input

	ToReplicaExternalKeyOutput() ReplicaExternalKeyOutput
	ToReplicaExternalKeyOutputWithContext(ctx context.Context) ReplicaExternalKeyOutput
}

type ReplicaExternalKeyMap

type ReplicaExternalKeyMap map[string]ReplicaExternalKeyInput

func (ReplicaExternalKeyMap) ElementType

func (ReplicaExternalKeyMap) ElementType() reflect.Type

func (ReplicaExternalKeyMap) ToReplicaExternalKeyMapOutput

func (i ReplicaExternalKeyMap) ToReplicaExternalKeyMapOutput() ReplicaExternalKeyMapOutput

func (ReplicaExternalKeyMap) ToReplicaExternalKeyMapOutputWithContext

func (i ReplicaExternalKeyMap) ToReplicaExternalKeyMapOutputWithContext(ctx context.Context) ReplicaExternalKeyMapOutput

type ReplicaExternalKeyMapInput

type ReplicaExternalKeyMapInput interface {
	pulumi.Input

	ToReplicaExternalKeyMapOutput() ReplicaExternalKeyMapOutput
	ToReplicaExternalKeyMapOutputWithContext(context.Context) ReplicaExternalKeyMapOutput
}

ReplicaExternalKeyMapInput is an input type that accepts ReplicaExternalKeyMap and ReplicaExternalKeyMapOutput values. You can construct a concrete instance of `ReplicaExternalKeyMapInput` via:

ReplicaExternalKeyMap{ "key": ReplicaExternalKeyArgs{...} }

type ReplicaExternalKeyMapOutput

type ReplicaExternalKeyMapOutput struct{ *pulumi.OutputState }

func (ReplicaExternalKeyMapOutput) ElementType

func (ReplicaExternalKeyMapOutput) MapIndex

func (ReplicaExternalKeyMapOutput) ToReplicaExternalKeyMapOutput

func (o ReplicaExternalKeyMapOutput) ToReplicaExternalKeyMapOutput() ReplicaExternalKeyMapOutput

func (ReplicaExternalKeyMapOutput) ToReplicaExternalKeyMapOutputWithContext

func (o ReplicaExternalKeyMapOutput) ToReplicaExternalKeyMapOutputWithContext(ctx context.Context) ReplicaExternalKeyMapOutput

type ReplicaExternalKeyOutput

type ReplicaExternalKeyOutput struct{ *pulumi.OutputState }

func (ReplicaExternalKeyOutput) Arn

The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.

func (ReplicaExternalKeyOutput) BypassPolicyLockoutSafetyCheck

func (o ReplicaExternalKeyOutput) BypassPolicyLockoutSafetyCheck() pulumi.BoolPtrOutput

A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_. The default value is `false`.

func (ReplicaExternalKeyOutput) DeletionWindowInDays

func (o ReplicaExternalKeyOutput) DeletionWindowInDays() pulumi.IntPtrOutput

The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.

func (ReplicaExternalKeyOutput) Description

A description of the KMS key.

func (ReplicaExternalKeyOutput) ElementType

func (ReplicaExternalKeyOutput) ElementType() reflect.Type

func (ReplicaExternalKeyOutput) Enabled

Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be `false`. Imported keys default to `true` unless expired.

func (ReplicaExternalKeyOutput) ExpirationModel

func (o ReplicaExternalKeyOutput) ExpirationModel() pulumi.StringOutput

Whether the key material expires. Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.

func (ReplicaExternalKeyOutput) KeyId

The key ID of the replica key. Related multi-Region keys have the same key ID.

func (ReplicaExternalKeyOutput) KeyMaterialBase64

func (o ReplicaExternalKeyOutput) KeyMaterialBase64() pulumi.StringPtrOutput

Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be [reimported](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material), but you cannot import different key material.

func (ReplicaExternalKeyOutput) KeyState

The state of the replica key.

func (ReplicaExternalKeyOutput) KeyUsage

The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. This is a shared property of multi-Region keys.

func (ReplicaExternalKeyOutput) Policy

The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.

func (ReplicaExternalKeyOutput) PrimaryKeyArn

func (o ReplicaExternalKeyOutput) PrimaryKeyArn() pulumi.StringOutput

The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.

func (ReplicaExternalKeyOutput) Tags

A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

func (ReplicaExternalKeyOutput) TagsAll deprecated

A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.

Deprecated: Please use `tags` instead.

func (ReplicaExternalKeyOutput) ToReplicaExternalKeyOutput

func (o ReplicaExternalKeyOutput) ToReplicaExternalKeyOutput() ReplicaExternalKeyOutput

func (ReplicaExternalKeyOutput) ToReplicaExternalKeyOutputWithContext

func (o ReplicaExternalKeyOutput) ToReplicaExternalKeyOutputWithContext(ctx context.Context) ReplicaExternalKeyOutput

func (ReplicaExternalKeyOutput) ValidTo

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)

type ReplicaExternalKeyState

type ReplicaExternalKeyState struct {
	// The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
	Arn pulumi.StringPtrInput
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrInput
	// A description of the KMS key.
	Description pulumi.StringPtrInput
	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be `false`. Imported keys default to `true` unless expired.
	Enabled pulumi.BoolPtrInput
	// Whether the key material expires. Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.
	ExpirationModel pulumi.StringPtrInput
	// The key ID of the replica key. Related multi-Region keys have the same key ID.
	KeyId pulumi.StringPtrInput
	// Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be [reimported](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material), but you cannot import different key material.
	KeyMaterialBase64 pulumi.StringPtrInput
	// The state of the replica key.
	KeyState pulumi.StringPtrInput
	// The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. This is a shared property of multi-Region keys.
	KeyUsage pulumi.StringPtrInput
	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.
	Policy pulumi.StringPtrInput
	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
	PrimaryKeyArn pulumi.StringPtrInput
	// A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapInput
	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8) (`YYYY-MM-DDTHH:MM:SSZ`)
	ValidTo pulumi.StringPtrInput
}

func (ReplicaExternalKeyState) ElementType

func (ReplicaExternalKeyState) ElementType() reflect.Type

type ReplicaKey

type ReplicaKey struct {
	pulumi.CustomResourceState

	// The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
	Arn pulumi.StringOutput `pulumi:"arn"`
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrOutput `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrOutput `pulumi:"deletionWindowInDays"`
	// A description of the KMS key.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. The default value is `true`.
	Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
	// The key ID of the replica key. Related multi-Region keys have the same key ID.
	KeyId pulumi.StringOutput `pulumi:"keyId"`
	// A Boolean value that specifies whether key rotation is enabled. This is a shared property of multi-Region keys.
	KeyRotationEnabled pulumi.BoolOutput `pulumi:"keyRotationEnabled"`
	// The type of key material in the KMS key. This is a shared property of multi-Region keys.
	KeySpec pulumi.StringOutput `pulumi:"keySpec"`
	// The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. This is a shared property of multi-Region keys.
	KeyUsage pulumi.StringOutput `pulumi:"keyUsage"`
	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.
	Policy pulumi.StringOutput `pulumi:"policy"`
	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
	PrimaryKeyArn pulumi.StringOutput `pulumi:"primaryKeyArn"`
	// A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapOutput `pulumi:"tags"`
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapOutput `pulumi:"tagsAll"`
}

Manages a KMS multi-Region replica key.

## Example Usage

```go package main

import (

"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		primary, err := kms.NewKey(ctx, "primary", &kms.KeyArgs{
			Description:          pulumi.String("Multi-Region primary key"),
			DeletionWindowInDays: pulumi.Int(30),
			MultiRegion:          pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewReplicaKey(ctx, "replica", &kms.ReplicaKeyArgs{
			Description:          pulumi.String("Multi-Region replica key"),
			DeletionWindowInDays: pulumi.Int(7),
			PrimaryKeyArn:        primary.Arn,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Using `pulumi import`, import KMS multi-Region replica keys using the `id`. For example:

```sh $ pulumi import aws:kms/replicaKey:ReplicaKey example 1234abcd-12ab-34cd-56ef-1234567890ab ```

func GetReplicaKey

func GetReplicaKey(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ReplicaKeyState, opts ...pulumi.ResourceOption) (*ReplicaKey, error)

GetReplicaKey gets an existing ReplicaKey resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewReplicaKey

func NewReplicaKey(ctx *pulumi.Context,
	name string, args *ReplicaKeyArgs, opts ...pulumi.ResourceOption) (*ReplicaKey, error)

NewReplicaKey registers a new resource with the given unique name, arguments, and options.

func (*ReplicaKey) ElementType

func (*ReplicaKey) ElementType() reflect.Type

func (*ReplicaKey) ToReplicaKeyOutput

func (i *ReplicaKey) ToReplicaKeyOutput() ReplicaKeyOutput

func (*ReplicaKey) ToReplicaKeyOutputWithContext

func (i *ReplicaKey) ToReplicaKeyOutputWithContext(ctx context.Context) ReplicaKeyOutput

type ReplicaKeyArgs

type ReplicaKeyArgs struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrInput
	// A description of the KMS key.
	Description pulumi.StringPtrInput
	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. The default value is `true`.
	Enabled pulumi.BoolPtrInput
	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.
	Policy pulumi.StringPtrInput
	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
	PrimaryKeyArn pulumi.StringInput
	// A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
}

The set of arguments for constructing a ReplicaKey resource.

func (ReplicaKeyArgs) ElementType

func (ReplicaKeyArgs) ElementType() reflect.Type

type ReplicaKeyArray

type ReplicaKeyArray []ReplicaKeyInput

func (ReplicaKeyArray) ElementType

func (ReplicaKeyArray) ElementType() reflect.Type

func (ReplicaKeyArray) ToReplicaKeyArrayOutput

func (i ReplicaKeyArray) ToReplicaKeyArrayOutput() ReplicaKeyArrayOutput

func (ReplicaKeyArray) ToReplicaKeyArrayOutputWithContext

func (i ReplicaKeyArray) ToReplicaKeyArrayOutputWithContext(ctx context.Context) ReplicaKeyArrayOutput

type ReplicaKeyArrayInput

type ReplicaKeyArrayInput interface {
	pulumi.Input

	ToReplicaKeyArrayOutput() ReplicaKeyArrayOutput
	ToReplicaKeyArrayOutputWithContext(context.Context) ReplicaKeyArrayOutput
}

ReplicaKeyArrayInput is an input type that accepts ReplicaKeyArray and ReplicaKeyArrayOutput values. You can construct a concrete instance of `ReplicaKeyArrayInput` via:

ReplicaKeyArray{ ReplicaKeyArgs{...} }

type ReplicaKeyArrayOutput

type ReplicaKeyArrayOutput struct{ *pulumi.OutputState }

func (ReplicaKeyArrayOutput) ElementType

func (ReplicaKeyArrayOutput) ElementType() reflect.Type

func (ReplicaKeyArrayOutput) Index

func (ReplicaKeyArrayOutput) ToReplicaKeyArrayOutput

func (o ReplicaKeyArrayOutput) ToReplicaKeyArrayOutput() ReplicaKeyArrayOutput

func (ReplicaKeyArrayOutput) ToReplicaKeyArrayOutputWithContext

func (o ReplicaKeyArrayOutput) ToReplicaKeyArrayOutputWithContext(ctx context.Context) ReplicaKeyArrayOutput

type ReplicaKeyInput

type ReplicaKeyInput interface {
	pulumi.Input

	ToReplicaKeyOutput() ReplicaKeyOutput
	ToReplicaKeyOutputWithContext(ctx context.Context) ReplicaKeyOutput
}

type ReplicaKeyMap

type ReplicaKeyMap map[string]ReplicaKeyInput

func (ReplicaKeyMap) ElementType

func (ReplicaKeyMap) ElementType() reflect.Type

func (ReplicaKeyMap) ToReplicaKeyMapOutput

func (i ReplicaKeyMap) ToReplicaKeyMapOutput() ReplicaKeyMapOutput

func (ReplicaKeyMap) ToReplicaKeyMapOutputWithContext

func (i ReplicaKeyMap) ToReplicaKeyMapOutputWithContext(ctx context.Context) ReplicaKeyMapOutput

type ReplicaKeyMapInput

type ReplicaKeyMapInput interface {
	pulumi.Input

	ToReplicaKeyMapOutput() ReplicaKeyMapOutput
	ToReplicaKeyMapOutputWithContext(context.Context) ReplicaKeyMapOutput
}

ReplicaKeyMapInput is an input type that accepts ReplicaKeyMap and ReplicaKeyMapOutput values. You can construct a concrete instance of `ReplicaKeyMapInput` via:

ReplicaKeyMap{ "key": ReplicaKeyArgs{...} }

type ReplicaKeyMapOutput

type ReplicaKeyMapOutput struct{ *pulumi.OutputState }

func (ReplicaKeyMapOutput) ElementType

func (ReplicaKeyMapOutput) ElementType() reflect.Type

func (ReplicaKeyMapOutput) MapIndex

func (ReplicaKeyMapOutput) ToReplicaKeyMapOutput

func (o ReplicaKeyMapOutput) ToReplicaKeyMapOutput() ReplicaKeyMapOutput

func (ReplicaKeyMapOutput) ToReplicaKeyMapOutputWithContext

func (o ReplicaKeyMapOutput) ToReplicaKeyMapOutputWithContext(ctx context.Context) ReplicaKeyMapOutput

type ReplicaKeyOutput

type ReplicaKeyOutput struct{ *pulumi.OutputState }

func (ReplicaKeyOutput) Arn

The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.

func (ReplicaKeyOutput) BypassPolicyLockoutSafetyCheck

func (o ReplicaKeyOutput) BypassPolicyLockoutSafetyCheck() pulumi.BoolPtrOutput

A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_. The default value is `false`.

func (ReplicaKeyOutput) DeletionWindowInDays

func (o ReplicaKeyOutput) DeletionWindowInDays() pulumi.IntPtrOutput

The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.

func (ReplicaKeyOutput) Description

func (o ReplicaKeyOutput) Description() pulumi.StringPtrOutput

A description of the KMS key.

func (ReplicaKeyOutput) ElementType

func (ReplicaKeyOutput) ElementType() reflect.Type

func (ReplicaKeyOutput) Enabled

Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. The default value is `true`.

func (ReplicaKeyOutput) KeyId

The key ID of the replica key. Related multi-Region keys have the same key ID.

func (ReplicaKeyOutput) KeyRotationEnabled

func (o ReplicaKeyOutput) KeyRotationEnabled() pulumi.BoolOutput

A Boolean value that specifies whether key rotation is enabled. This is a shared property of multi-Region keys.

func (ReplicaKeyOutput) KeySpec

func (o ReplicaKeyOutput) KeySpec() pulumi.StringOutput

The type of key material in the KMS key. This is a shared property of multi-Region keys.

func (ReplicaKeyOutput) KeyUsage

func (o ReplicaKeyOutput) KeyUsage() pulumi.StringOutput

The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. This is a shared property of multi-Region keys.

func (ReplicaKeyOutput) Policy

The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.

func (ReplicaKeyOutput) PrimaryKeyArn

func (o ReplicaKeyOutput) PrimaryKeyArn() pulumi.StringOutput

The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.

func (ReplicaKeyOutput) Tags

A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

func (ReplicaKeyOutput) TagsAll deprecated

A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.

Deprecated: Please use `tags` instead.

func (ReplicaKeyOutput) ToReplicaKeyOutput

func (o ReplicaKeyOutput) ToReplicaKeyOutput() ReplicaKeyOutput

func (ReplicaKeyOutput) ToReplicaKeyOutputWithContext

func (o ReplicaKeyOutput) ToReplicaKeyOutputWithContext(ctx context.Context) ReplicaKeyOutput

type ReplicaKeyState

type ReplicaKeyState struct {
	// The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
	Arn pulumi.StringPtrInput
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	// The default value is `false`.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
	// If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`.
	DeletionWindowInDays pulumi.IntPtrInput
	// A description of the KMS key.
	Description pulumi.StringPtrInput
	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. The default value is `true`.
	Enabled pulumi.BoolPtrInput
	// The key ID of the replica key. Related multi-Region keys have the same key ID.
	KeyId pulumi.StringPtrInput
	// A Boolean value that specifies whether key rotation is enabled. This is a shared property of multi-Region keys.
	KeyRotationEnabled pulumi.BoolPtrInput
	// The type of key material in the KMS key. This is a shared property of multi-Region keys.
	KeySpec pulumi.StringPtrInput
	// The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. This is a shared property of multi-Region keys.
	KeyUsage pulumi.StringPtrInput
	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) to the KMS key.
	Policy pulumi.StringPtrInput
	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
	PrimaryKeyArn pulumi.StringPtrInput
	// A map of tags to assign to the replica key. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapInput
}

func (ReplicaKeyState) ElementType

func (ReplicaKeyState) ElementType() reflect.Type

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL