AWS KMS External Key Store

[ewbankkit]

Today, AWS Key Management Service (AWS KMS) introduces the External Key Store (XKS), a new feature for customers who want to protect their data with encryption keys stored in an external key management system under their control.

Announcement. Blog post.

Requires AWS SDK for Go v1.44.148: https://github.com/hashicorp/terraform-provider-aws/pull/28085.

Affected Resource(s)

• aws_kms_custom_key_store

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[bschaatsbergen]

I'll happily pick this up in a few days.

[bschaatsbergen]

Starting on this now 👍

[albgus]

I believe this affects the aws_kms_key resource as well. The docs for CreateKey states:

To create a KMS key in an external key store, use the Origin parameter with a value of EXTERNAL_KEY_STORE and an XksKeyId parameter that identifies an existing external key.

So to actually be able to create keys using the external store these parameters would need to be added on the aws_kms_key resource.

[bschaatsbergen]

Thanks for flagging this @albgus. I'll update the PR accordingly.

[mmianl]

Any chance this gets picked up again?