From 0a13a11f3257ef3f0cc6b26df6fb55123c5f313a Mon Sep 17 00:00:00 2001 From: Albert Silva Date: Sat, 11 Mar 2023 09:23:19 -0500 Subject: [PATCH] deprecate aws_kms_key attribute 'policy' in favor of aws_kms_key_policy_attachment resource --- internal/service/kms/key.go | 1 + website/docs/r/kms_key.html.markdown | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/internal/service/kms/key.go b/internal/service/kms/key.go index c02261289b36..975d4a2fb8f8 100644 --- a/internal/service/kms/key.go +++ b/internal/service/kms/key.go @@ -99,6 +99,7 @@ func ResourceKey() *schema.Resource { Type: schema.TypeString, Optional: true, Computed: true, + Deprecated: "Use the aws_kms_key_policy_attachment resource instead", DiffSuppressFunc: verify.SuppressEquivalentPolicyDiffs, DiffSuppressOnRefresh: true, ValidateFunc: validation.StringIsJSON, diff --git a/website/docs/r/kms_key.html.markdown b/website/docs/r/kms_key.html.markdown index 574fe74e9cc4..0aac447be097 100644 --- a/website/docs/r/kms_key.html.markdown +++ b/website/docs/r/kms_key.html.markdown @@ -6,6 +6,10 @@ description: |- Manages a single-Region or multi-Region primary KMS key. --- +~> **NOTE on KMS Key Policy:** KMS Key Policy can be configured in either the standalone resource [`aws_kms_key_policy_attachment`](kms_key_policy_attachment.html) +or with the deprecated parameter `policy` in the resource `aws_kms_key`. +Configuring with both will cause inconsistencies and may overwrite configuration. + # Resource: aws_kms_key Manages a single-Region or multi-Region primary KMS key. 
@@ -29,7 +33,7 @@ Defaults to `ENCRYPT_DECRYPT`. * `custom_key_store_id` - (Optional) ID of the KMS [Custom Key Store](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) where the key will be stored instead of KMS (eg CloudHSM). * `customer_master_key_spec` - (Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. For help with choosing a key spec, see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html). -* `policy` - (Optional) A valid policy JSON document. Although this is a key policy, not an IAM policy, an [`aws_iam_policy_document`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document), in the form that designates a principal, can be used. For more information about building policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy). +* `policy` - (Optional, **Deprecated** use `aws_kms_key_policy_attachment` instead) A valid policy JSON document. Although this is a key policy, not an IAM policy, an [`aws_iam_policy_document`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document), in the form that designates a principal, can be used. For more information about building policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy). ~> **NOTE:** Note: All KMS keys must have a key policy. 
If a key policy is not specified, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
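Review bot: In the key.go hunk, the `Deprecated` message on `policy` points users at `aws_kms_key_policy_attachment`, but nothing in this patch adds that resource; the diffstat shows only `internal/service/kms/key.go` and `website/docs/r/kms_key.html.markdown` changing. Either this PR depends on a separate change that introduces the resource and should say so, or the message will tell users to migrate to something that does not exist. Also worth spelling out in the message (or the docs) that `policy` is `Optional` + `Computed`, so dropping it from an `aws_kms_key` block does not reset the key policy in AWS; the existing policy stays in state and the new resource can take it over without a window of default access.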
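Review bot: In the first kms_key.html.markdown hunk, the note "Configuring with both will cause inconsistencies and may overwrite configuration" is too vague for a control that decides who can use the key. Say concretely what happens: both the `policy` argument and `aws_kms_key_policy_attachment` manage the same key policy, so whichever resource applies last overwrites the other and subsequent plans will keep showing a diff. The link target `kms_key_policy_attachment.html` is also not part of this change, so please confirm the page exists before this merges. Finally, since the same file's existing note says a key created without a policy gets the default key policy giving the account full access, a short migration paragraph (create the key, then attach the policy, and what the key's policy is in between) would be a useful addition here.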
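Review bot: In the second kms_key.html.markdown hunk, the parenthetical "(Optional, **Deprecated** use `aws_kms_key_policy_attachment` instead)" is missing punctuation after `Deprecated` and does not link the replacement resource, unlike the note added at the top of the page. Suggest "(Optional, **Deprecated**: use [`aws_kms_key_policy_attachment`](kms_key_policy_attachment.html) instead)" so the argument entry and the page-level note agree.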