[New Resource]: KMS resource for signing

[KyleKotowick]

Description

The AWS provider currently offers a resource (and data source) for using a KMS key to encrypt plaintext into ciphertext (aws_kms_ciphertext), i.e. a resource that uses the https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html operation.

What would be equally useful is a resource and data source that uses a KMS key to sign a message, i.e. a resource / data source that uses the https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html operation.

Specifically, this would allow us to build a KMS-based certificate authority without needing to store any secrets (private keys) in the Terraform state.

This operation is supported in the AWS Go SDK v2.

Requested Resource(s) and/or Data Source(s)

Resource:

• aws_kms_signature

Data source:

• aws_kms_signature

Potential Terraform Configuration

resource "aws_kms_key" "mykey" {
  description = "test key"
  is_enabled  = true
}

resource "aws_kms_signature" "signature" {
  key_id = aws_kms_key.mykey.key_id
  signing_algorithm = "RSASSA_PSS_SHA_256"
  message_type = "RAW"
  message = <<EOF
{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
EOF
}

data "aws_kms_signature" "signature" {
  key_id = aws_kms_key.mykey.key_id
  signing_algorithm = "RSASSA_PSS_SHA_256"
  message_type = "RAW"
  message = <<EOF
{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
EOF
}

### References

_No response_

### Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[maxdec]

I think you meant https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html

[KyleKotowick]

I think you meant https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html

Fixed, thank you.