pulumi-aws-kotlin/com.pulumi.aws.kms.kotlin/ExternalKey

ExternalKey

class ExternalKey : KotlinCustomResource

Manages a single-Region or multi-Region primary KMS key that uses external key material. To instead manage a single-Region or multi-Region primary KMS key where AWS automatically generates and potentially rotates key material, see the aws.kms.Key resource.

Example Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.ExternalKey;
import com.pulumi.aws.kms.ExternalKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new ExternalKey("example", ExternalKeyArgs.builder()
            .description("KMS EXTERNAL for AMI encryption")
            .build());
    }
}
Content copied to clipboard

Import

KMS External Keys can be imported using the id, e.g.,

$ pulumi import aws:kms/externalKey:ExternalKey a arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Content copied to clipboard

Properties

Link copied to clipboard
val arn: Output<String>

The Amazon Resource Name (ARN) of the key.

Link copied to clipboard
val bypassPolicyLockoutSafetyCheck: Output<Boolean>?

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

Link copied to clipboard
val deletionWindowInDays: Output<Int>?

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

Link copied to clipboard
val description: Output<String>?

Description of the key.

Link copied to clipboard
val enabled: Output<Boolean>

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

Link copied to clipboard
val expirationModel: Output<String>

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val keyMaterialBase64: Output<String>?

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

Link copied to clipboard
val keyState: Output<String>

The state of the CMK.

Link copied to clipboard
val keyUsage: Output<String>

The cryptographic operations for which you can use the CMK.

Link copied to clipboard
val multiRegion: Output<Boolean>

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

Link copied to clipboard
val policy: Output<String>

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val tags: Output<Map<String, String>>?

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Link copied to clipboard
val tagsAll: Output<Map<String, String>>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Link copied to clipboard
val urn: Output<String>
Link copied to clipboard
val validTo: Output<String>?

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)