hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Support for generating KMS data keys #21912

Open mpalmer opened 3 years ago

mpalmer commented 3 years ago

Community Note

Description

KMS has the ability to generate what it calls "data keys", which are symmetric keys guaranteed to be generated suitably randomly, and encrypted with the specified KMS key.

We've identified a situation in which it would be extremely useful to generate a data key from within Terraform (to hand to an external system that is already using some Terraform state). However, that doesn't appear to be possible at present with the AWS Terraform provider.

New or Affected Resource(s)

For our purposes, we'd need:

However for completeness, you'd probably also want to implement:

I expect these would all work similarly to how the random_password resource works: generate a new data key if one doesn't already exist, or if the value of some keeper-type parameter changes; otherwise, remember the previously-generated data key and keep giving it back on each run.

Potential Terraform Configuration

resource "aws_kms_key" "demo" {
  description = "Demo key"
}

resource "aws_data_key" "demo" {
  key_id = aws_kms_key.demo.id
  key_spec = "AES_128"
}

output "data_key_ciphertext" {
  value = aws_data_key.demo.ciphertext_blob
}

output "data_key_plaintext" {
  value = aws_data_key.demo.plaintext
}

References

mpalmer commented 3 years ago

Because we needed this feature in a hurry, I've put together a fairly minimal provider that does a generateDataKeyWithoutPlaintext and stores it in the manner I described previously. So, until this feature gets implemented in this provider, interested parties can use https://registry.terraform.io/providers/cipherstash/kms.
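As an added illustration (not code from this issue or from the terraform-provider-aws project), the random_password-style lifecycle described in the issue body, combined with the GenerateDataKeyWithoutPlaintext approach from the comment above so that only the wrapped key is ever persisted in state. The DataKeyGenerator interface and the fakeKMS stand-in are assumptions for offline use, not the AWS SDK.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"reflect"
)

// DataKeyState is what a resource like the proposed aws_data_key would keep in
// Terraform state: the ciphertext blob only, never the plaintext data key.
type DataKeyState struct {
	KeyID          string
	KeySpec        string
	Keepers        map[string]string
	CiphertextBlob []byte
}

// DataKeyGenerator abstracts the KMS call (hypothetical interface, not the AWS SDK).
type DataKeyGenerator interface {
	GenerateDataKeyWithoutPlaintext(keyID, keySpec string) ([]byte, error)
}

// Reconcile applies the random_password rule: call KMS only when there is no
// prior key or a keeper/argument changed; otherwise hand back the stored blob.
// Returns the new state and whether a fresh data key was generated.
func Reconcile(prev *DataKeyState, keyID, keySpec string, keepers map[string]string, gen DataKeyGenerator) (*DataKeyState, bool, error) {
	if prev != nil && prev.KeyID == keyID && prev.KeySpec == keySpec && reflect.DeepEqual(prev.Keepers, keepers) {
		return prev, false, nil
	}
	blob, err := gen.GenerateDataKeyWithoutPlaintext(keyID, keySpec)
	if err != nil {
		return nil, false, err
	}
	return &DataKeyState{KeyID: keyID, KeySpec: keySpec, Keepers: keepers, CiphertextBlob: blob}, true, nil
}

// fakeKMS stands in for KMS offline: random bytes play the role of the ciphertext.
type fakeKMS struct{ calls int }

func (f *fakeKMS) GenerateDataKeyWithoutPlaintext(keyID, keySpec string) ([]byte, error) {
	f.calls++
	if keySpec != "AES_128" && keySpec != "AES_256" { // the two symmetric data key specs
		return nil, fmt.Errorf("unsupported key spec %q", keySpec)
	}
	blob := make([]byte, 32)
	_, err := rand.Read(blob)
	return blob, err
}

func main() {
	kms := &fakeKMS{}
	s1, c1, _ := Reconcile(nil, "demo-key-id", "AES_128", map[string]string{"v": "1"}, kms)
	s2, c2, _ := Reconcile(s1, "demo-key-id", "AES_128", map[string]string{"v": "1"}, kms)
	_, c3, _ := Reconcile(s2, "demo-key-id", "AES_128", map[string]string{"v": "2"}, kms)
	fmt.Println(c1, c2, c3, kms.calls) // true false true 2
}
```

Because the plaintext is never requested, consumers must call KMS Decrypt on the blob themselves, which keeps the unwrapped key out of state files and plan output.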

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

mpalmer commented 1 year ago

This issue is still relevant, as far as I am aware.