Module kms


class Alias

extends CustomResource

Provides an alias for a KMS customer master key. The AWS Console enforces a 1-to-1 mapping between aliases and keys, but the API (and hence Terraform too) allows you to create as many aliases as the account limits permit.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const key = new aws.kms.Key("a", {});
const alias = new aws.kms.Alias("a", {
    targetKeyId: key.keyId,
});

constructor

new Alias(name: string, args: AliasArgs, opts?: pulumi.CustomResourceOptions)

Create an Alias resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AliasState, opts?: pulumi.CustomResourceOptions): Alias

Get an existing Alias resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the key alias.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates a unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

property targetKeyArn

public targetKeyArn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the target key identifier.

property targetKeyId

public targetKeyId: pulumi.Output<string>;

Identifier of the key that the alias refers to; can be either an ARN or a key_id.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Ciphertext

extends CustomResource

The KMS ciphertext resource allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this resource is stable across every apply. For a changing ciphertext value each apply, see the aws_kms_ciphertext data source.

Note: All arguments, including the plaintext, will be stored in the raw state as plain text. Read more about sensitive data in state.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const oauthConfig = new aws.kms.Key("oauth_config", {
    description: "oauth config",
    isEnabled: true,
});
const oauth = new aws.kms.Ciphertext("oauth", {
    keyId: oauthConfig.keyId,
    plaintext: `{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
`,
});

constructor

new Ciphertext(name: string, args: CiphertextArgs, opts?: pulumi.CustomResourceOptions)

Create a Ciphertext resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CiphertextState, opts?: pulumi.CustomResourceOptions): Ciphertext

Get an existing Ciphertext resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property ciphertextBlob

public ciphertextBlob: pulumi.Output<string>;

Base64 encoded ciphertext

property context

public context: pulumi.Output<{[key: string]: string} | undefined>;

An optional mapping that makes up the encryption context.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyId

public keyId: pulumi.Output<string>;

Globally unique key ID for the customer master key.

property plaintext

public plaintext: pulumi.Output<string>;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class ExternalKey

extends CustomResource

Manages a KMS Customer Master Key that uses external key material. To instead manage a KMS Customer Master Key where AWS automatically generates and potentially rotates key material, see the aws_kms_key resource.

Note: All arguments including the key material will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.kms.ExternalKey("example", {
    description: "KMS EXTERNAL for AMI encryption",
});

constructor

new ExternalKey(name: string, args?: ExternalKeyArgs, opts?: pulumi.CustomResourceOptions)

Create an ExternalKey resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ExternalKeyState, opts?: pulumi.CustomResourceOptions): ExternalKey

Get an existing ExternalKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the key.

property deletionWindowInDays

public deletionWindowInDays: pulumi.Output<number | undefined>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

property description

public description: pulumi.Output<string | undefined>;

Description of the key.

property enabled

public enabled: pulumi.Output<boolean>;

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

property expirationModel

public expirationModel: pulumi.Output<string>;

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyMaterialBase64

public keyMaterialBase64: pulumi.Output<string | undefined>;

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

property keyState

public keyState: pulumi.Output<string>;

The state of the CMK.

property keyUsage

public keyUsage: pulumi.Output<string>;

The cryptographic operations for which you can use the CMK.

property policy

public policy: pulumi.Output<string>;

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

A key-value map of tags to assign to the key.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validTo

public validTo: pulumi.Output<string | undefined>;

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
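The keyMaterialBase64, enabled, validTo and deletionWindowInDays constraints described above, checked before deployment. This is an added example, not code from @pulumi/aws; the sample input is constructed and the base64 length check is a hypothetical helper written so the code runs without Node's Buffer.

```typescript
// Added example (not @pulumi/aws code): pre-deploy validation of an ExternalKey
// import configuration against the constraints documented for the resource.

export interface ExternalKeyInput {
    keyMaterialBase64?: string;   // 256-bit symmetric key material, base64
    validTo?: string;             // RFC3339 UTC, YYYY-MM-DDTHH:MM:SSZ
    deletionWindowInDays?: number;
    enabled?: boolean;
}

// Decoded length in bytes of a standard base64 string, or -1 if malformed.
// Computed from padding so no Buffer/atob is needed (hypothetical helper).
function base64DecodedLength(s: string): number {
    if (s.length === 0 || s.length % 4 !== 0 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(s)) {
        return -1;
    }
    const padding = s.endsWith("==") ? 2 : s.endsWith("=") ? 1 : 0;
    return (s.length / 4) * 3 - padding;
}

const RFC3339_UTC_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/;

// Returns a list of problems; an empty list means the input satisfies every
// constraint stated on this page. `now` is injectable so the expiry check is testable.
export function validateExternalKey(input: ExternalKeyInput, now: Date = new Date()): string[] {
    const errors: string[] = [];

    if (input.keyMaterialBase64 !== undefined) {
        const bytes = base64DecodedLength(input.keyMaterialBase64);
        if (bytes < 0) {
            errors.push("keyMaterialBase64 is not valid base64");
        } else if (bytes !== 32) {
            // The CMK only accepts 256-bit symmetric key material.
            errors.push(`keyMaterialBase64 decodes to ${bytes * 8} bits, expected 256`);
        }
    } else if (input.enabled === true) {
        // Keys pending import can only be disabled.
        errors.push("enabled cannot be true while key material is pending import");
    }

    if (input.validTo !== undefined) {
        if (!RFC3339_UTC_RE.test(input.validTo) || isNaN(Date.parse(input.validTo))) {
            errors.push("validTo must be an RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)");
        } else if (Date.parse(input.validTo) <= now.getTime()) {
            // Expired material is deleted by KMS and the CMK becomes unusable.
            errors.push("validTo is in the past: the imported key material would expire immediately");
        }
    }

    if (input.deletionWindowInDays !== undefined
        && (input.deletionWindowInDays < 7 || input.deletionWindowInDays > 30)) {
        errors.push("deletionWindowInDays must be between 7 and 30");
    }
    return errors;
}

// The expirationModel the resource would report for this input:
// empty while key material is pending import, otherwise one of the two constants.
export function expirationModel(input: ExternalKeyInput): string {
    if (input.keyMaterialBase64 === undefined) {
        return "";
    }
    return input.validTo === undefined ? "KEY_MATERIAL_DOES_NOT_EXPIRE" : "KEY_MATERIAL_EXPIRES";
}

// Constructed sample: 32 zero bytes of key material (base64 "AAAA..." with one pad),
// expiring on a fixed future date. Not a real key.
export const SAMPLE_IMPORT: ExternalKeyInput = {
    keyMaterialBase64: "A".repeat(43) + "=",
    validTo: "2030-01-01T00:00:00Z",
    deletionWindowInDays: 7,
    enabled: true,
};
```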

class Grant

extends CustomResource

Provides a resource-based access control mechanism for a KMS customer master key.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const role = new aws.iam.Role("a", {
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
});
const key = new aws.kms.Key("a", {});
const grant = new aws.kms.Grant("a", {
    constraints: [{
        encryptionContextEquals: {
            Department: "Finance",
        },
    }],
    granteePrincipal: role.arn,
    keyId: key.keyId,
    operations: [
        "Encrypt",
        "Decrypt",
        "GenerateDataKey",
    ],
});

constructor

new Grant(name: string, args: GrantArgs, opts?: pulumi.CustomResourceOptions)

Create a Grant resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GrantState, opts?: pulumi.CustomResourceOptions): Grant

Get an existing Grant resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property constraints

public constraints: pulumi.Output<{
    encryptionContextEquals: undefined | {[key: string]: string};
    encryptionContextSubset: undefined | {[key: string]: string};
}[] | undefined>;

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

property grantCreationTokens

public grantCreationTokens: pulumi.Output<string[] | undefined>;

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

retire_on_delete (retireOnDelete; defaults to false, forces new resource): If set to false (the default) the grant will be revoked upon deletion; if set to true the provider will try to retire the grant upon deletion. Note that retiring grants requires special permissions, which is why the default is to revoke grants. See RetireGrant for more information.

property grantId

public grantId: pulumi.Output<string>;

The unique identifier for the grant.

property grantToken

public grantToken: pulumi.Output<string>;

The grant token for the created grant. For more information, see Grant Tokens.

property granteePrincipal

public granteePrincipal: pulumi.Output<string>;

The principal, in ARN format, that is given permission to perform the operations that the grant permits. Note that due to eventual consistency around IAM principals, Terraform’s state may not always be refreshed to reflect what is true in AWS.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyId

public keyId: pulumi.Output<string>;

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

property name

public name: pulumi.Output<string>;

A friendly name for identifying the grant.

property operations

public operations: pulumi.Output<string[]>;

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
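How the operations list and the constraints property above combine when KMS evaluates a request under a grant, as an added example (not @pulumi/aws or AWS code). The constructed sample grant mirrors the Grant example usage on this page; the encryptionContextEquals/encryptionContextSubset semantics and the set of operations that carry an encryption context follow the AWS KMS grant documentation.

```typescript
// Added example (not @pulumi/aws code): a model of how KMS evaluates a Grant's
// `operations` and `constraints` against a request and its encryption context.

type EncryptionContext = { [key: string]: string };

interface GrantConstraint {
    encryptionContextEquals?: EncryptionContext;
    encryptionContextSubset?: EncryptionContext;
}

export interface GrantSpec {
    operations: string[];
    constraints?: GrantConstraint[];
}

// Permitted values for `operations`, as listed on this page.
const PERMITTED_OPERATIONS = new Set([
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey",
]);

// Operations that carry an encryption context; grant constraints apply only to
// these. CreateGrant, RetireGrant and DescribeKey take no encryption context and
// are never blocked by a constraint.
const CONTEXT_OPERATIONS = new Set([
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom", "ReEncryptTo",
]);

// Names in `operations` that CreateGrant would reject.
export function invalidOperations(operations: string[]): string[] {
    return operations.filter((op) => !PERMITTED_OPERATIONS.has(op));
}

// EncryptionContextSubset: every pair in the constraint must be present in the
// request's context; additional pairs in the request are allowed.
function matchesSubset(required: EncryptionContext, actual: EncryptionContext): boolean {
    return Object.keys(required).every((k) => actual[k] === required[k]);
}

// EncryptionContextEquals: the request's context must be exactly the constraint's
// pairs, no more and no fewer.
function matchesEquals(required: EncryptionContext, actual: EncryptionContext): boolean {
    return Object.keys(actual).length === Object.keys(required).length
        && matchesSubset(required, actual);
}

// True when the grant allows `operation` with the given encryption context.
export function grantPermits(grant: GrantSpec, operation: string,
                             context: EncryptionContext = {}): boolean {
    if (grant.operations.indexOf(operation) < 0) {
        return false;                       // operation not in the grant at all
    }
    if (!CONTEXT_OPERATIONS.has(operation)) {
        return true;                        // no encryption context to constrain
    }
    return (grant.constraints || []).every((c) =>
        (!c.encryptionContextEquals || matchesEquals(c.encryptionContextEquals, context))
        && (!c.encryptionContextSubset || matchesSubset(c.encryptionContextSubset, context)));
}

// Constructed sample: the grant from the example usage on this page.
export const FINANCE_GRANT: GrantSpec = {
    operations: ["Encrypt", "Decrypt", "GenerateDataKey"],
    constraints: [{ encryptionContextEquals: { Department: "Finance" } }],
};
```

With an Equals constraint the grantee cannot use the key without supplying exactly that context, which is what makes the constraint a useful scoping control rather than a hint.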

property retireOnDelete

public retireOnDelete: pulumi.Output<boolean | undefined>;

property retiringPrincipal

public retiringPrincipal: pulumi.Output<string | undefined>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Key

extends CustomResource

Provides a KMS customer master key.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const key = new aws.kms.Key("a", {
    deletionWindowInDays: 10,
    description: "KMS key 1",
});

constructor

new Key(name: string, args?: KeyArgs, opts?: pulumi.CustomResourceOptions)

Create a Key resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the key.

property deletionWindowInDays

public deletionWindowInDays: pulumi.Output<number | undefined>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30 days.

property description

public description: pulumi.Output<string>;

The description of the key as viewed in AWS console.

property enableKeyRotation

public enableKeyRotation: pulumi.Output<boolean | undefined>;

Specifies whether key rotation is enabled. Defaults to false.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property isEnabled

public isEnabled: pulumi.Output<boolean | undefined>;

Specifies whether the key is enabled. Defaults to true.

property keyId

public keyId: pulumi.Output<string>;

The globally unique identifier for the key.

property keyUsage

public keyUsage: pulumi.Output<string>;

Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported.

property policy

public policy: pulumi.Output<string>;

A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

A mapping of tags to assign to the object.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

function getAlias

getAlias(args: GetAliasArgs, opts?: pulumi.InvokeOptions): Promise<GetAliasResult>

Use this data source to get the ARN of a KMS key alias. By using this data source, you can reference a key alias without having to hard-code the ARN as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const s3 = pulumi.output(aws.kms.getAlias({
    name: "alias/aws/s3",
}));

function getCipherText

getCipherText(args: GetCipherTextArgs, opts?: pulumi.InvokeOptions): Promise<GetCipherTextResult>

The KMS ciphertext data source allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this data source changes every apply. For a stable ciphertext value, see the aws_kms_ciphertext resource.

Note: All arguments, including the plaintext, will be stored in the raw state as plain text. Read more about sensitive data in state.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const oauthConfig = new aws.kms.Key("oauth_config", {
    description: "oauth config",
    isEnabled: true,
});
const oauth = oauthConfig.keyId.apply(keyId => aws.kms.getCipherText({
    keyId: keyId,
    plaintext: `{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
`,
}));

function getKey

getKey(args: GetKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetKeyResult>

Use this data source to get detailed information about the specified KMS key, with flexible key ID input. This can be useful to reference a key alias without having to hard-code the ARN as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const foo = pulumi.output(aws.kms.getKey({
    keyId: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}));

function getSecret

getSecret(args: GetSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretResult>

WARNING: This data source was removed in version 2.0.0 of the Terraform AWS Provider. You can migrate existing configurations to the aws_kms_secrets data source following instructions available in the Version 2 Upgrade Guide.

function getSecrets

getSecrets(args: GetSecretsArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretsResult>

Decrypt multiple secrets from data encrypted with the AWS KMS service.

NOTE: Using this data provider will allow you to conceal secret data within your resource definitions but does not take care of protecting that data in all Terraform logging and state output. Please take care to secure your secret data beyond just the Terraform configuration.

interface AliasArgs

The set of arguments for constructing an Alias resource.

property name

name?: pulumi.Input<string>;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

property targetKeyId

targetKeyId: pulumi.Input<string>;

Identifier of the key that the alias refers to; can be either an ARN or a key_id.

interface AliasState

Input properties used for looking up and filtering Alias resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the key alias.

property name

name?: pulumi.Input<string>;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

property targetKeyArn

targetKeyArn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the target key identifier.

property targetKeyId

targetKeyId?: pulumi.Input<string>;

Identifier of the key that the alias refers to; can be either an ARN or a key_id.

interface CiphertextArgs

The set of arguments for constructing a Ciphertext resource.

property context

context?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

An optional mapping that makes up the encryption context.

property keyId

keyId: pulumi.Input<string>;

Globally unique key ID for the customer master key.

property plaintext

plaintext: pulumi.Input<string>;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

interface CiphertextState

Input properties used for looking up and filtering Ciphertext resources.

property ciphertextBlob

ciphertextBlob?: pulumi.Input<string>;

Base64 encoded ciphertext

property context

context?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

An optional mapping that makes up the encryption context.

property keyId

keyId?: pulumi.Input<string>;

Globally unique key ID for the customer master key.

property plaintext

plaintext?: pulumi.Input<string>;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

interface ExternalKeyArgs

The set of arguments for constructing an ExternalKey resource.

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

property description

description?: pulumi.Input<string>;

Description of the key.

property enabled

enabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

property keyMaterialBase64

keyMaterialBase64?: pulumi.Input<string>;

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

property policy

policy?: pulumi.Input<string>;

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A key-value map of tags to assign to the key.

property validTo

validTo?: pulumi.Input<string>;

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

interface ExternalKeyState

Input properties used for looking up and filtering ExternalKey resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the key.

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

property description

description?: pulumi.Input<string>;

Description of the key.

property enabled

enabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

property expirationModel

expirationModel?: pulumi.Input<string>;

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

property keyMaterialBase64

keyMaterialBase64?: pulumi.Input<string>;

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

property keyState

keyState?: pulumi.Input<string>;

The state of the CMK.

property keyUsage

keyUsage?: pulumi.Input<string>;

The cryptographic operations for which you can use the CMK.

property policy

policy?: pulumi.Input<string>;

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A key-value map of tags to assign to the key.

property validTo

validTo?: pulumi.Input<string>;

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

interface GetAliasArgs

A collection of arguments for invoking getAlias.

property name

name: string;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

interface GetAliasResult

A collection of values returned by getAlias.

property arn

arn: string;

The Amazon Resource Name (ARN) of the key alias.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property name

name: string;

property targetKeyArn

targetKeyArn: string;

ARN pointed to by the alias.

property targetKeyId

targetKeyId: string;

Key identifier pointed to by the alias.

interface GetCipherTextArgs

A collection of arguments for invoking getCipherText.

property context

context?: undefined | {[key: string]: string};

An optional mapping that makes up the encryption context.

property keyId

keyId: string;

Globally unique key ID for the customer master key.

property plaintext

plaintext: string;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

interface GetCipherTextResult

A collection of values returned by getCipherText.

property ciphertextBlob

ciphertextBlob: string;

Base64 encoded ciphertext

property context

context?: undefined | {[key: string]: string};

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property keyId

keyId: string;

property plaintext

plaintext: string;

interface GetKeyArgs

A collection of arguments for invoking getKey.

property grantTokens

grantTokens?: string[];

List of grant tokens

property keyId

keyId: string;

Key identifier, which can be in one of the following formats:

  • Key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab
  • Key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  • Alias name, e.g. alias/my-key
  • Alias ARN, e.g. arn:aws:kms:us-east-1:111122223333:alias/my-key
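A parser for the four key identifier formats listed above, which also applies the Alias naming rule (the name must start with alias/) and the Grant keyId rule that a key in another account can only be referenced by its key ARN. This is an added example, not @pulumi/aws code; the partition list and the reservation of the alias/aws/ prefix for AWS managed keys come from AWS conventions rather than from this page, and the sample identifiers are the ones shown on this page.

```typescript
// Added example (not @pulumi/aws code): classify and validate KMS key identifiers
// in the formats accepted by getKey, Alias and Grant on this page.

export type KeyIdKind = "key-id" | "key-arn" | "alias-name" | "alias-arn" | "invalid";

export interface ParsedKeyId {
    kind: KeyIdKind;
    keyId?: string;       // UUID for key-id and key-arn
    aliasName?: string;   // "alias/..." for alias-name and alias-arn
    region?: string;      // only present for ARN forms
    accountId?: string;   // only present for ARN forms
}

const KEY_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Partitions aws, aws-cn and aws-us-gov; 12-digit account id; key or alias resource.
const ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):kms:([a-z0-9-]+):(\d{12}):(key|alias)\/(.+)$/;
const ALIAS_NAME_RE = /^alias\/[A-Za-z0-9\/_-]+$/;

// Alias.name / namePrefix rule: must start with "alias/". The "alias/aws/" prefix is
// reserved for AWS managed keys and cannot be used for a customer alias.
export function isCustomerAliasName(name: string): boolean {
    return ALIAS_NAME_RE.test(name) && !name.startsWith("alias/aws/");
}

export function parseKeyId(input: string): ParsedKeyId {
    if (KEY_ID_RE.test(input)) {
        return { kind: "key-id", keyId: input.toLowerCase() };
    }
    if (ALIAS_NAME_RE.test(input)) {
        return { kind: "alias-name", aliasName: input };
    }
    const m = ARN_RE.exec(input);
    if (m) {
        const region = m[2], accountId = m[3], resourceType = m[4], resourceId = m[5];
        if (resourceType === "key" && KEY_ID_RE.test(resourceId)) {
            return { kind: "key-arn", keyId: resourceId.toLowerCase(), region, accountId };
        }
        if (resourceType === "alias" && ALIAS_NAME_RE.test("alias/" + resourceId)) {
            return { kind: "alias-arn", aliasName: "alias/" + resourceId, region, accountId };
        }
    }
    return { kind: "invalid" };
}

// Grant.keyId accepts a key ID or key ARN (no aliases), and a CMK in another
// account must be given as its key ARN. `callerAccountId` is the deploying account.
export function acceptedForGrant(input: string, callerAccountId: string): boolean {
    const parsed = parseKeyId(input);
    if (parsed.kind === "key-id") {
        return true;                              // bare key id: same account only
    }
    if (parsed.kind === "key-arn") {
        return true;                              // ARN works in any account
    }
    return false;                                 // aliases and junk are rejected
}

// True when the identifier resolves to a key in a different account than the caller,
// which is only expressible with a key ARN.
export function isCrossAccount(input: string, callerAccountId: string): boolean {
    const parsed = parseKeyId(input);
    return parsed.kind === "key-arn" && parsed.accountId !== callerAccountId;
}
```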

interface GetKeyResult

A collection of values returned by getKey.

property arn

arn: string;

property awsAccountId

awsAccountId: string;

property creationDate

creationDate: string;

property deletionDate

deletionDate: string;

property description

description: string;

property enabled

enabled: boolean;

property expirationModel

expirationModel: string;

property grantTokens

grantTokens?: string[];

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property keyId

keyId: string;

property keyManager

keyManager: string;

property keyState

keyState: string;

property keyUsage

keyUsage: string;

property origin

origin: string;

property validTo

validTo: string;

interface GetSecretArgs

A collection of arguments for invoking getSecret.

property secrets

secrets: {
    context: undefined | {[key: string]: string};
    grantTokens: string[];
    name: string;
    payload: string;
}[];

interface GetSecretResult

A collection of values returned by getSecret.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property secrets

secrets: {
    context: undefined | {[key: string]: string};
    grantTokens: string[];
    name: string;
    payload: string;
}[];

interface GetSecretsArgs

A collection of arguments for invoking getSecrets.

property secrets

secrets: {
    context: undefined | {[key: string]: string};
    grantTokens: string[];
    name: string;
    payload: string;
}[];

One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.

interface GetSecretsResult

A collection of values returned by getSecrets.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property plaintext

plaintext: {[key: string]: string};

Map containing each secret name as the key with its decrypted plaintext value

property secrets

secrets: {
    context: undefined | {[key: string]: string};
    grantTokens: string[];
    name: string;
    payload: string;
}[];

interface GrantArgs

The set of arguments for constructing a Grant resource.

property constraints

constraints?: pulumi.Input<pulumi.Input<{
    encryptionContextEquals: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
    encryptionContextSubset: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}>[]>;

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

property grantCreationTokens

grantCreationTokens?: pulumi.Input<pulumi.Input<string>[]>;

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

retire_on_delete (retireOnDelete; defaults to false, forces new resource): If set to false (the default) the grant will be revoked upon deletion; if set to true the provider will try to retire the grant upon deletion. Note that retiring grants requires special permissions, which is why the default is to revoke grants. See RetireGrant for more information.

property granteePrincipal

granteePrincipal: pulumi.Input<string>;

The principal, in ARN format, that is given permission to perform the operations that the grant permits. Note that due to eventual consistency around IAM principals, Terraform’s state may not always be refreshed to reflect what is true in AWS.

property keyId

keyId: pulumi.Input<string>;

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

property name

name?: pulumi.Input<string>;

A friendly name for identifying the grant.

property operations

operations: pulumi.Input<pulumi.Input<string>[]>;

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

property retireOnDelete

retireOnDelete?: pulumi.Input<boolean>;

property retiringPrincipal

retiringPrincipal?: pulumi.Input<string>;

interface GrantState

Input properties used for looking up and filtering Grant resources.

property constraints

constraints?: pulumi.Input<pulumi.Input<{
    encryptionContextEquals: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
    encryptionContextSubset: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}>[]>;

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

property grantCreationTokens

grantCreationTokens?: pulumi.Input<pulumi.Input<string>[]>;

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

retire_on_delete (retireOnDelete; defaults to false, forces new resource): If set to false (the default) the grant will be revoked upon deletion; if set to true the provider will try to retire the grant upon deletion. Note that retiring grants requires special permissions, which is why the default is to revoke grants. See RetireGrant for more information.

property grantId

grantId?: pulumi.Input<string>;

The unique identifier for the grant.

property grantToken

grantToken?: pulumi.Input<string>;

The grant token for the created grant. For more information, see Grant Tokens.

property granteePrincipal

granteePrincipal?: pulumi.Input<string>;

The principal, in ARN format, that is given permission to perform the operations that the grant permits. Note that due to eventual consistency around IAM principals, Terraform’s state may not always be refreshed to reflect what is true in AWS.

property keyId

keyId?: pulumi.Input<string>;

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

property name

name?: pulumi.Input<string>;

A friendly name for identifying the grant.

property operations

operations?: pulumi.Input<pulumi.Input<string>[]>;

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

property retireOnDelete

retireOnDelete?: pulumi.Input<boolean>;

property retiringPrincipal

retiringPrincipal?: pulumi.Input<string>;

interface KeyArgs

The set of arguments for constructing a Key resource.

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30 days.

property description

description?: pulumi.Input<string>;

The description of the key as viewed in AWS console.

property enableKeyRotation

enableKeyRotation?: pulumi.Input<boolean>;

Specifies whether key rotation is enabled. Defaults to false.

property isEnabled

isEnabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Defaults to true.

property keyUsage

keyUsage?: pulumi.Input<string>;

Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported.

property policy

policy?: pulumi.Input<string>;

A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A mapping of tags to assign to the object.

interface KeyState

Input properties used for looking up and filtering Key resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the key.

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30 days.

property description

description?: pulumi.Input<string>;

The description of the key as viewed in AWS console.

property enableKeyRotation

enableKeyRotation?: pulumi.Input<boolean>;

Specifies whether key rotation is enabled. Defaults to false.

property isEnabled

isEnabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Defaults to true.

property keyId

keyId?: pulumi.Input<string>;

The globally unique identifier for the key.

property keyUsage

keyUsage?: pulumi.Input<string>;

Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported.

property policy

policy?: pulumi.Input<string>;

A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A mapping of tags to assign to the object.