AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
This makes deployments complicated. For example, in order to deploy DynamoDB global table we need three different CFN stacks: one for a multi region key, the second for the replica key, and the third for the table itself. All three need to be deployed sequentially.
It seems this is a misbehaviour of the provider, because the original ReplicateKey API operation is supposed to have arbitrary ReplicaRegion property
Hi there,
Currently create replica request uses local region
https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-kms/blob/ab09ebd093d22d184e45f04738ab0d28cbe85ce6/replicakey/src/main/java/software/amazon/kms/replicakey/CreateHandler.java#L59
This makes deployments complicated. For example, in order to deploy DynamoDB global table we need three different CFN stacks: one for a multi region key, the second for the replica key, and the third for the table itself. All three need to be deployed sequentially.
It seems this is a misbehaviour of the provider, because the original ReplicateKey API operation is supposed to have arbitrary
ReplicaRegionpropertyhttps://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html
Wondering if that is possible to fix that behaviour and make the replica region a variable.