pulumi-aws-kotlin/com.pulumi.aws.route53.kotlin/KeySigningKey

KeySigningKey

class KeySigningKey : KotlinCustomResource

Manages a Route 53 Key Signing Key. To manage Domain Name System Security Extensions (DNSSEC) for a Hosted Zone, see the aws.route53.HostedZoneDnsSec resource. For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.

Example Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.route53.Zone;
import com.pulumi.aws.route53.KeySigningKey;
import com.pulumi.aws.route53.KeySigningKeyArgs;
import com.pulumi.aws.route53.HostedZoneDnsSec;
import com.pulumi.aws.route53.HostedZoneDnsSecArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        final var current = AwsFunctions.getCallerIdentity();
        var exampleKey = new Key("exampleKey", KeyArgs.builder()
            .customerMasterKeySpec("ECC_NIST_P256")
            .deletionWindowInDays(7)
            .keyUsage("SIGN_VERIFY")
            .policy(serializeJson(
                jsonObject(
                    jsonProperty("Statement", jsonArray(
                        jsonObject(
                            jsonProperty("Action", jsonArray(
                                "kms:DescribeKey",
                                "kms:GetPublicKey",
                                "kms:Sign"
                            )),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("Service", "dnssec-route53.amazonaws.com")
                            )),
                            jsonProperty("Sid", "Allow Route 53 DNSSEC Service"),
                            jsonProperty("Resource", "*"),
                            jsonProperty("Condition", jsonObject(
                                jsonProperty("StringEquals", jsonObject(
                                    jsonProperty("aws:SourceAccount", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
                                )),
                                jsonProperty("ArnLike", jsonObject(
                                    jsonProperty("aws:SourceArn", "arn:aws:route53:::hostedzone/*")
                                ))
                            ))
                        ),
                        jsonObject(
                            jsonProperty("Action", "kms:CreateGrant"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("Service", "dnssec-route53.amazonaws.com")
                            )),
                            jsonProperty("Sid", "Allow Route 53 DNSSEC Service to CreateGrant"),
                            jsonProperty("Resource", "*"),
                            jsonProperty("Condition", jsonObject(
                                jsonProperty("Bool", jsonObject(
                                    jsonProperty("kms:GrantIsForAWSResource", "true")
                                ))
                            ))
                        ),
                        jsonObject(
                            jsonProperty("Action", "kms:*"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
                            )),
                            jsonProperty("Resource", "*"),
                            jsonProperty("Sid", "Enable IAM User Permissions")
                        )
                    )),
                    jsonProperty("Version", "2012-10-17")
                )))
            .build());
        var exampleZone = new Zone("exampleZone");
        var exampleKeySigningKey = new KeySigningKey("exampleKeySigningKey", KeySigningKeyArgs.builder()
            .hostedZoneId(aws_route53_zone.test().id())
            .keyManagementServiceArn(aws_kms_key.test().arn())
            .build());
        var exampleHostedZoneDnsSec = new HostedZoneDnsSec("exampleHostedZoneDnsSec", HostedZoneDnsSecArgs.builder()
            .hostedZoneId(exampleKeySigningKey.hostedZoneId())
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleKeySigningKey)
                .build());
    }
}

Import

Using pulumi import, import aws_route53_key_signing_key resources using the Route 53 Hosted Zone identifier and KMS Key identifier, separated by a comma (,). For example:

$ pulumi import aws:route53/keySigningKey:KeySigningKey example Z1D633PJN98FT9,example

Properties

digestAlgorithmMnemonic

val digestAlgorithmMnemonic: Output<String>

A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.

digestAlgorithmType

val digestAlgorithmType: Output<Int>

An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.

digestValue

val digestValue: Output<String>

A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.

dnskeyRecord

val dnskeyRecord: Output<String>

A string that represents a DNSKEY record.

dsRecord

val dsRecord: Output<String>

A string that represents a delegation signer (DS) record.

flag

val flag: Output<Int>

An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.

hostedZoneId

val hostedZoneId: Output<String>

Identifier of the Route 53 Hosted Zone.

val id: Output<String>

keyManagementServiceArn

val keyManagementServiceArn: Output<String>

Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.

keyTag

val keyTag: Output<Int>

An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.

name

val name: Output<String>

Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone. The following arguments are optional:

publicKey

val publicKey: Output<String>

The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

signingAlgorithmMnemonic

val signingAlgorithmMnemonic: Output<String>

A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.

signingAlgorithmType

val signingAlgorithmType: Output<Int>

An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.

status

val status: Output<String>?

Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.

urn

val urn: Output<String>