key#
State module for managing Amazon KMS Keys.
- async idem_aws.states.aws.kms.key.present(hub, ctx, name: str, resource_id: str = None, description: str = '', key_usage: str = 'ENCRYPT_DECRYPT', key_spec: str = 'SYMMETRIC_DEFAULT', key_state: str = 'Enabled', origin: str = 'AWS_KMS', multi_region: bool = False, policy: str = None, bypass_policy_lockout_safety_check: bool = False, enable_key_rotation: bool = False, tags: List[Dict[str, Any]] = None, timeout: Dict = None) → Dict[str, Any] [source]#
  Creates an AWS KMS key.
  - Update limitations:
    - `policy` can be updated, but cannot be cleared once set.
    - `multi_region`, `key_usage`, and `key_spec` cannot be updated.
    - `enable_key_rotation` cannot be enabled on asymmetric KMS keys.
  - Parameters:
    - name (str) – An Idem name of the resource.
    - resource_id (str, Optional) – The ID or ARN of the key in Amazon Web Services.
    - description (str, Optional) – A description of the KMS key.
    - key_usage (str, Optional) – Determines the cryptographic operations for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT`. Valid values are `ENCRYPT_DECRYPT`, `GENERATE_VERIFY_MAC`, `SIGN_VERIFY`.
    - key_spec (str, Optional) – Specifies the type of KMS key to create. The default value is `SYMMETRIC_DEFAULT`. Valid values are `SYMMETRIC_DEFAULT`, `HMAC_224`, `HMAC_256`, `HMAC_384`, `HMAC_512`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, `ECC_SECG_P256K1`, `SM2`.
    - key_state (str, Optional) – Whether the key is enabled or not. The default value is `Enabled`. Valid values are `Enabled`, `Disabled`.
    - origin (str, Optional) – The source of the key material for the KMS key. The default value is `AWS_KMS`. Valid values are `AWS_KMS`, `EXTERNAL`, `AWS_CLOUDHSM`.
    - multi_region (bool, Optional) – Creates a multi-Region primary key that you can replicate into other Amazon Web Services Regions. Default value is `False`.
    - policy (str, Optional) – The key policy to attach to the KMS key. If you do not specify a key policy, KMS attaches a default key policy to the KMS key.
    - bypass_policy_lockout_safety_check (bool, Optional) – A flag to indicate whether to bypass the key policy lockout safety check. Default value is `False`.
      Warning: Setting this value to `True` increases the risk that the KMS key becomes unmanageable. Do not set this value to `True` indiscriminately.
    - enable_key_rotation (bool, Optional) – Whether to enable or disable automatic rotation of the key material of the specified symmetric encryption KMS key. Default value is `False`.
    - tags (dict or list, Optional) – Dict in the format of `{tag-key: tag-value}` or list of tags in the format of `[{"TagKey": tag-key, "TagValue": tag-value}]` to associate with the key. To use this parameter, you must have `kms:TagResource` permission in an IAM policy.
      - TagKey (str): The key of the tag.
      - TagValue (str): The value of the tag.
    - timeout (dict, Optional) – Timeout configuration for update of AWS KMS key.
      - update (dict, Optional): Timeout configuration when updating a KMS key.
        - delay (int, Optional): The amount of time in seconds to wait between attempts. Default value is `2`.
        - max_attempts (int, Optional): Max attempts of waiting for change. Default value is `120`.
  - Request Syntax:

```yaml
[idem_test_aws_kms_key]:
  aws.kms.key.present:
    - name: 'string'
    - resource_id: 'string'
    - description: 'string'
    - key_usage: 'ENCRYPT_DECRYPT|GENERATE_VERIFY_MAC|SIGN_VERIFY'
    - key_spec: 'SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SM2'
    - key_state: 'Enabled|Disabled'
    - origin: 'AWS_KMS|EXTERNAL|AWS_CLOUDHSM'
    - multi_region: True|False
    - policy: 'string'
    - bypass_policy_lockout_safety_check: True|False
    - enable_key_rotation: True|False
    - tags:
        - TagKey: 'string'
          TagValue: 'string'
    - timeout:
        update:
          delay: int
          max_attempts: int
```

  - Returns:
    Dict[str, Any]

  Examples

```yaml
idem_test_aws_kms_key:
  aws.kms.key.present:
    - name: idem_test_kms_key
    - description: 'AWS KMS KEY'
    - key_usage: 'ENCRYPT_DECRYPT'
    - key_spec: 'SYMMETRIC_DEFAULT'
    - key_state: 'Enabled'
    - origin: 'AWS_KMS'
    - multi_region: False
    - policy:
        Version: '2012-10-17'
        Statement:
          - Sid: 'EnableIAMUserPermissions'
            Effect: 'Allow'
            Principal:
              AWS: 'arn:aws:iam::111122223333:root'
            Action: ['kms:*']
            Resource: '*'
    - bypass_policy_lockout_safety_check: False
    - enable_key_rotation: False
    - tags:
        - TagKey: provider
          TagValue: idem
```
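The update limitations and the lockout warning above are the kind of thing worth checking before a state run rather than discovering as a failed API call or an unmanageable key. The following is an added example, not code from idem-aws: a pre-flight validator for the arguments of `aws.kms.key.present`. It encodes the documented rules (immutable `key_usage`, `key_spec` and `multi_region`; `policy` cannot be cleared; rotation only for symmetric encryption keys) and adds two things the page does not state and which are assumptions here: the `key_spec`/`key_usage` compatibility table is taken from the KMS API, and `policy_keeps_account_in_control` is a deliberately simplified stand-in for the real KMS lockout safety check. The sample policy reuses the placeholder account id from the example above.

```python
"""Pre-flight validation of an aws.kms.key.present declaration.

Added example, not part of idem-aws. Checks a desired state against the
documented limitations before the state runs.
"""
from typing import Any, Dict, List, Optional

IMMUTABLE_FIELDS = ("key_usage", "key_spec", "multi_region")

# Which key_usage values each key_spec supports (KMS API rule, not stated on
# this page). Automatic rotation is only offered for SYMMETRIC_DEFAULT.
ALLOWED_USAGE: Dict[str, set] = {"SYMMETRIC_DEFAULT": {"ENCRYPT_DECRYPT"}, "SM2": {"ENCRYPT_DECRYPT", "SIGN_VERIFY"}}
ALLOWED_USAGE.update({f"HMAC_{n}": {"GENERATE_VERIFY_MAC"} for n in (224, 256, 384, 512)})
ALLOWED_USAGE.update({f"RSA_{n}": {"ENCRYPT_DECRYPT", "SIGN_VERIFY"} for n in (2048, 3072, 4096)})
ALLOWED_USAGE.update({s: {"SIGN_VERIFY"} for s in ("ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1")})
ROTATABLE_SPECS = {"SYMMETRIC_DEFAULT"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields such as Action and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_keeps_account_in_control(policy: Dict[str, Any], account_id: str) -> bool:
    """Simplified stand-in for the KMS lockout safety check (assumption: the real
    check is broader). True when some Allow statement grants kms:* or
    kms:PutKeyPolicy to the account root or to every principal."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action"))) & {"kms:*", "kms:PutKeyPolicy", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and {"*", root_arn} & set(_as_list(principal.get("AWS"))):
            return True
    return False


def validate_present(desired: Dict[str, Any], existing: Optional[Dict[str, Any]], account_id: str) -> List[str]:
    """Return the problems found in `desired` (the present() arguments).
    `existing` holds the current key's attributes, or None when creating."""
    problems: List[str] = []
    spec = desired.get("key_spec", "SYMMETRIC_DEFAULT")
    usage = desired.get("key_usage", "ENCRYPT_DECRYPT")
    if spec not in ALLOWED_USAGE:
        problems.append(f"unknown key_spec {spec!r}")
    elif usage not in ALLOWED_USAGE[spec]:
        problems.append(f"key_usage {usage!r} is not valid for key_spec {spec!r}")
    if desired.get("enable_key_rotation") and spec not in ROTATABLE_SPECS:
        problems.append(f"enable_key_rotation is not supported for key_spec {spec!r}")
    policy = desired.get("policy")
    if desired.get("bypass_policy_lockout_safety_check"):
        problems.append("bypass_policy_lockout_safety_check is True: the key may become unmanageable")
    elif policy is not None and not policy_keeps_account_in_control(policy, account_id):
        problems.append("policy grants neither kms:* nor kms:PutKeyPolicy to the account root; the key would be locked out")
    if existing is not None:
        # The documented update limitations: these fields never change in place.
        for field in IMMUTABLE_FIELDS:
            if field in desired and desired[field] != existing.get(field):
                problems.append(f"{field} cannot be updated ({existing.get(field)!r} -> {desired[field]!r})")
        if existing.get("policy") is not None and policy is None:
            problems.append("policy cannot be cleared once set; the existing policy stays in place")
    return problems


# Constructed sample: the key policy from the documentation example, with the
# same placeholder account id.
ACCOUNT_ID = "111122223333"
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableIAMUserPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": ["kms:*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(validate_present({"key_spec": "SYMMETRIC_DEFAULT", "policy": PAGE_POLICY}, None, ACCOUNT_ID))
    changed = {"key_spec": "RSA_2048", "enable_key_rotation": True, "multi_region": True}
    current = {"key_spec": "SYMMETRIC_DEFAULT", "multi_region": False, "policy": PAGE_POLICY}
    for problem in validate_present(changed, current, ACCOUNT_ID):
        print("-", problem)
```

Running the module prints an empty list for the documented example and four findings for the second declaration: rotation requested on an RSA key, two immutable fields changed, and the policy left in place rather than cleared. A real state run would surface the same mistakes, but only after the API round trips, and a locked-out policy is not reversible from the SLS file.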
- async idem_aws.states.aws.kms.key.absent(hub, ctx, name: str, resource_id: str = None, pending_window_in_days: int = 7) → Dict[str, Any] [source]#
  Deletes an AWS KMS key.
  A key cannot be deleted immediately, but it can be scheduled for deletion. Once the key is scheduled for deletion in `pending_window_in_days`, a deletion date is set on the key and cannot be modified, so deleting again with a different `pending_window_in_days` is ignored. A key can also be disabled using the "present" function with `key_state: 'Disabled'`.
  - Parameters:
    - name (str) – An Idem name of the resource.
    - resource_id (str, Optional) – The ID or ARN of the key in Amazon Web Services.
      Warning: Idem automatically considers this resource absent if this field is not specified.
    - pending_window_in_days (int, Optional) – The waiting period, specified in number of days. After the waiting period ends, KMS deletes the KMS key. Default value is `7`.
  - Returns:
    Dict[str, Any]
  - Request Syntax:

```yaml
[idem_test_aws_kms_key]:
  aws.kms.key.absent:
    - name: 'string'
    - resource_id: 'string'
    - pending_window_in_days: int
```

  Examples

```yaml
idem_test_aws_kms_key:
  aws.kms.key.absent:
    - name: idem_test_kms_key
    - resource_id: 1234abcd-12ab-34cd-56ef-1234567890ab
    - pending_window_in_days: 2
```