Merge pull request #31216 from albgus/aws_kms_key-xks_key_id

r/aws_kms_key: Add xks_key_id argument
hashicorp · Dec 27, 2023 · d890de3 · d890de3
2 parents ad50991 + eb7c806
commit d890de3
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/.changelog/31216.txt b/.changelog/31216.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_kms_key: Add `xks_key_id` attribute
+```
diff --git a/internal/service/kms/key.go b/internal/service/kms/key.go
@@ -121,6 +121,13 @@ func ResourceKey() *schema.Resource {
 			},
 			names.AttrTags:    tftags.TagsSchema(),
 			names.AttrTagsAll: tftags.TagsSchemaComputed(),
+			"xks_key_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				RequiredWith: []string{"custom_key_store_id"},
+				ValidateFunc: validation.StringLenBetween(1, 128),
+			},
 		},
 	}
 }
@@ -158,6 +165,11 @@ func resourceKeyCreate(ctx context.Context, d *schema.ResourceData, meta interfa
 		input.CustomKeyStoreId = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("xks_key_id"); ok {
+		input.Origin = aws.String(kms.OriginTypeExternalKeyStore)
+		input.XksKeyId = aws.String(v.(string))
+	}
+
 	// AWS requires any principal in the policy to exist before the key is created.
 	// The KMS service's awareness of principals is limited by "eventual consistency".
 	// They acknowledge this here:
@@ -234,6 +246,12 @@ func resourceKeyRead(ctx context.Context, d *schema.ResourceData, meta interface
 	d.Set("key_usage", key.metadata.KeyUsage)
 	d.Set("multi_region", key.metadata.MultiRegion)
 
+	if key.metadata.XksKeyConfiguration != nil {
+		d.Set("xks_key_id", key.metadata.XksKeyConfiguration.Id)
+	} else {
+		d.Set("xks_key_id", nil)
+	}
+
 	policyToSet, err := verify.PolicyToSet(d.Get("policy").(string), key.policy)
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "while setting policy (%s), encountered: %s", key.policy, err)

diff --git a/website/docs/r/kms_key.html.markdown b/website/docs/r/kms_key.html.markdown
@@ -48,6 +48,7 @@ If the KMS key is a multi-Region primary key with replicas, the waiting period b
 * `enable_key_rotation` - (Optional) Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) is enabled. Defaults to `false`.
 * `multi_region` - (Optional) Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
 * `tags` - (Optional) A map of tags to assign to the object. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
+* `xks_key_id` - (Optional) Identifies the external key that serves as key material for the KMS key in an external key store.
 
 ## Attribute Reference