Try AWS Native preview for resources not in the classic version.
aws.kms.ReplicaExternalKey
Explore with Pulumi AI
Try AWS Native preview for resources not in the classic version.
Manages a KMS multi-Region replica key that uses external key material. See the AWS KMS Developer Guide for more information on importing key material into multi-Region keys.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const primary = new aws.kms.ExternalKey("primary", {
description: "Multi-Region primary key",
deletionWindowInDays: 30,
multiRegion: true,
enabled: true,
keyMaterialBase64: "...",
});
const replica = new aws.kms.ReplicaExternalKey("replica", {
description: "Multi-Region replica key",
deletionWindowInDays: 7,
primaryKeyArn: primaryAwsKmsExternal.arn,
keyMaterialBase64: "...",
});
import pulumi
import pulumi_aws as aws
primary = aws.kms.ExternalKey("primary",
description="Multi-Region primary key",
deletion_window_in_days=30,
multi_region=True,
enabled=True,
key_material_base64="...")
replica = aws.kms.ReplicaExternalKey("replica",
description="Multi-Region replica key",
deletion_window_in_days=7,
primary_key_arn=primary_aws_kms_external["arn"],
key_material_base64="...")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := kms.NewExternalKey(ctx, "primary", &kms.ExternalKeyArgs{
Description: pulumi.String("Multi-Region primary key"),
DeletionWindowInDays: pulumi.Int(30),
MultiRegion: pulumi.Bool(true),
Enabled: pulumi.Bool(true),
KeyMaterialBase64: pulumi.String("..."),
})
if err != nil {
return err
}
_, err = kms.NewReplicaExternalKey(ctx, "replica", &kms.ReplicaExternalKeyArgs{
Description: pulumi.String("Multi-Region replica key"),
DeletionWindowInDays: pulumi.Int(7),
PrimaryKeyArn: pulumi.Any(primaryAwsKmsExternal.Arn),
KeyMaterialBase64: pulumi.String("..."),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var primary = new Aws.Kms.ExternalKey("primary", new()
{
Description = "Multi-Region primary key",
DeletionWindowInDays = 30,
MultiRegion = true,
Enabled = true,
KeyMaterialBase64 = "...",
});
var replica = new Aws.Kms.ReplicaExternalKey("replica", new()
{
Description = "Multi-Region replica key",
DeletionWindowInDays = 7,
PrimaryKeyArn = primaryAwsKmsExternal.Arn,
KeyMaterialBase64 = "...",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.ExternalKey;
import com.pulumi.aws.kms.ExternalKeyArgs;
import com.pulumi.aws.kms.ReplicaExternalKey;
import com.pulumi.aws.kms.ReplicaExternalKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var primary = new ExternalKey("primary", ExternalKeyArgs.builder()
.description("Multi-Region primary key")
.deletionWindowInDays(30)
.multiRegion(true)
.enabled(true)
.keyMaterialBase64("...")
.build());
var replica = new ReplicaExternalKey("replica", ReplicaExternalKeyArgs.builder()
.description("Multi-Region replica key")
.deletionWindowInDays(7)
.primaryKeyArn(primaryAwsKmsExternal.arn())
.keyMaterialBase64("...")
.build());
}
}
resources:
primary:
type: aws:kms:ExternalKey
properties:
description: Multi-Region primary key
deletionWindowInDays: 30
multiRegion: true
enabled: true
keyMaterialBase64: '...'
replica:
type: aws:kms:ReplicaExternalKey
properties:
description: Multi-Region replica key
deletionWindowInDays: 7
primaryKeyArn: ${primaryAwsKmsExternal.arn}
keyMaterialBase64: '...'
Create ReplicaExternalKey Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ReplicaExternalKey(name: string, args: ReplicaExternalKeyArgs, opts?: CustomResourceOptions);
@overload
def ReplicaExternalKey(resource_name: str,
args: ReplicaExternalKeyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ReplicaExternalKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
primary_key_arn: Optional[str] = None,
bypass_policy_lockout_safety_check: Optional[bool] = None,
deletion_window_in_days: Optional[int] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
key_material_base64: Optional[str] = None,
policy: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
valid_to: Optional[str] = None)
func NewReplicaExternalKey(ctx *Context, name string, args ReplicaExternalKeyArgs, opts ...ResourceOption) (*ReplicaExternalKey, error)
public ReplicaExternalKey(string name, ReplicaExternalKeyArgs args, CustomResourceOptions? opts = null)
public ReplicaExternalKey(String name, ReplicaExternalKeyArgs args)
public ReplicaExternalKey(String name, ReplicaExternalKeyArgs args, CustomResourceOptions options)
type: aws:kms:ReplicaExternalKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ReplicaExternalKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ReplicaExternalKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ReplicaExternalKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ReplicaExternalKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ReplicaExternalKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var replicaExternalKeyResource = new Aws.Kms.ReplicaExternalKey("replicaExternalKeyResource", new()
{
PrimaryKeyArn = "string",
BypassPolicyLockoutSafetyCheck = false,
DeletionWindowInDays = 0,
Description = "string",
Enabled = false,
KeyMaterialBase64 = "string",
Policy = "string",
Tags =
{
{ "string", "string" },
},
ValidTo = "string",
});
example, err := kms.NewReplicaExternalKey(ctx, "replicaExternalKeyResource", &kms.ReplicaExternalKeyArgs{
PrimaryKeyArn: pulumi.String("string"),
BypassPolicyLockoutSafetyCheck: pulumi.Bool(false),
DeletionWindowInDays: pulumi.Int(0),
Description: pulumi.String("string"),
Enabled: pulumi.Bool(false),
KeyMaterialBase64: pulumi.String("string"),
Policy: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
ValidTo: pulumi.String("string"),
})
var replicaExternalKeyResource = new ReplicaExternalKey("replicaExternalKeyResource", ReplicaExternalKeyArgs.builder()
.primaryKeyArn("string")
.bypassPolicyLockoutSafetyCheck(false)
.deletionWindowInDays(0)
.description("string")
.enabled(false)
.keyMaterialBase64("string")
.policy("string")
.tags(Map.of("string", "string"))
.validTo("string")
.build());
replica_external_key_resource = aws.kms.ReplicaExternalKey("replicaExternalKeyResource",
primary_key_arn="string",
bypass_policy_lockout_safety_check=False,
deletion_window_in_days=0,
description="string",
enabled=False,
key_material_base64="string",
policy="string",
tags={
"string": "string",
},
valid_to="string")
const replicaExternalKeyResource = new aws.kms.ReplicaExternalKey("replicaExternalKeyResource", {
primaryKeyArn: "string",
bypassPolicyLockoutSafetyCheck: false,
deletionWindowInDays: 0,
description: "string",
enabled: false,
keyMaterialBase64: "string",
policy: "string",
tags: {
string: "string",
},
validTo: "string",
});
type: aws:kms:ReplicaExternalKey
properties:
bypassPolicyLockoutSafetyCheck: false
deletionWindowInDays: 0
description: string
enabled: false
keyMaterialBase64: string
policy: string
primaryKeyArn: string
tags:
string: string
validTo: string
ReplicaExternalKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ReplicaExternalKey resource accepts the following input properties:
- Primary
Key stringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- Bypass
Policy boolLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - Deletion
Window intIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - Description string
- A description of the KMS key.
- Enabled bool
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - Key
Material stringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- Policy string
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- Dictionary<string, string>
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Valid
To string - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- Primary
Key stringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- Bypass
Policy boolLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - Deletion
Window intIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - Description string
- A description of the KMS key.
- Enabled bool
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - Key
Material stringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- Policy string
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- map[string]string
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Valid
To string - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- primary
Key StringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- bypass
Policy BooleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion
Window IntegerIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description String
- A description of the KMS key.
- enabled Boolean
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - key
Material StringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- policy String
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- Map<String,String>
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - valid
To String - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- primary
Key stringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- bypass
Policy booleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion
Window numberIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description string
- A description of the KMS key.
- enabled boolean
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - key
Material stringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- policy string
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- {[key: string]: string}
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - valid
To string - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- primary_
key_ strarn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- bypass_
policy_ boollockout_ safety_ check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion_
window_ intin_ days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description str
- A description of the KMS key.
- enabled bool
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - key_
material_ strbase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- policy str
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- Mapping[str, str]
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - valid_
to str - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- primary
Key StringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- bypass
Policy BooleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion
Window NumberIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description String
- A description of the KMS key.
- enabled Boolean
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - key
Material StringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- policy String
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- Map<String>
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - valid
To String - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
Outputs
All input properties are implicitly available as output properties. Additionally, the ReplicaExternalKey resource produces the following output properties:
- Arn string
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- Expiration
Model string - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - Id string
- The provider-assigned unique ID for this managed resource.
- Key
Id string - The key ID of the replica key. Related multi-Region keys have the same key ID.
- Key
State string - The state of the replica key.
- Key
Usage string - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- Arn string
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- Expiration
Model string - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - Id string
- The provider-assigned unique ID for this managed resource.
- Key
Id string - The key ID of the replica key. Related multi-Region keys have the same key ID.
- Key
State string - The state of the replica key.
- Key
Usage string - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- expiration
Model String - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - id String
- The provider-assigned unique ID for this managed resource.
- key
Id String - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key
State String - The state of the replica key.
- key
Usage String - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn string
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- expiration
Model string - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - id string
- The provider-assigned unique ID for this managed resource.
- key
Id string - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key
State string - The state of the replica key.
- key
Usage string - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn str
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- expiration_
model str - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - id str
- The provider-assigned unique ID for this managed resource.
- key_
id str - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key_
state str - The state of the replica key.
- key_
usage str - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- expiration
Model String - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - id String
- The provider-assigned unique ID for this managed resource.
- key
Id String - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key
State String - The state of the replica key.
- key
Usage String - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
Look up Existing ReplicaExternalKey Resource
Get an existing ReplicaExternalKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ReplicaExternalKeyState, opts?: CustomResourceOptions): ReplicaExternalKey
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
bypass_policy_lockout_safety_check: Optional[bool] = None,
deletion_window_in_days: Optional[int] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
expiration_model: Optional[str] = None,
key_id: Optional[str] = None,
key_material_base64: Optional[str] = None,
key_state: Optional[str] = None,
key_usage: Optional[str] = None,
policy: Optional[str] = None,
primary_key_arn: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
valid_to: Optional[str] = None) -> ReplicaExternalKey
func GetReplicaExternalKey(ctx *Context, name string, id IDInput, state *ReplicaExternalKeyState, opts ...ResourceOption) (*ReplicaExternalKey, error)
public static ReplicaExternalKey Get(string name, Input<string> id, ReplicaExternalKeyState? state, CustomResourceOptions? opts = null)
public static ReplicaExternalKey get(String name, Output<String> id, ReplicaExternalKeyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- Bypass
Policy boolLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - Deletion
Window intIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - Description string
- A description of the KMS key.
- Enabled bool
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - Expiration
Model string - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - Key
Id string - The key ID of the replica key. Related multi-Region keys have the same key ID.
- Key
Material stringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- Key
State string - The state of the replica key.
- Key
Usage string - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- Policy string
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- Primary
Key stringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- Dictionary<string, string>
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - Valid
To string - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- Arn string
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- Bypass
Policy boolLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - Deletion
Window intIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - Description string
- A description of the KMS key.
- Enabled bool
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - Expiration
Model string - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - Key
Id string - The key ID of the replica key. Related multi-Region keys have the same key ID.
- Key
Material stringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- Key
State string - The state of the replica key.
- Key
Usage string - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- Policy string
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- Primary
Key stringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- map[string]string
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - Valid
To string - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- arn String
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- bypass
Policy BooleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion
Window IntegerIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description String
- A description of the KMS key.
- enabled Boolean
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - expiration
Model String - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - key
Id String - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key
Material StringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- key
State String - The state of the replica key.
- key
Usage String - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- policy String
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- primary
Key StringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- Map<String,String>
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - valid
To String - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- arn string
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- bypass
Policy booleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion
Window numberIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description string
- A description of the KMS key.
- enabled boolean
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - expiration
Model string - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - key
Id string - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key
Material stringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- key
State string - The state of the replica key.
- key
Usage string - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- policy string
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- primary
Key stringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- {[key: string]: string}
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - valid
To string - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- arn str
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- bypass_
policy_ boollockout_ safety_ check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion_
window_ intin_ days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description str
- A description of the KMS key.
- enabled bool
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - expiration_
model str - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - key_
id str - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key_
material_ strbase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- key_
state str - The state of the replica key.
- key_
usage str - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- policy str
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- primary_
key_ strarn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- Mapping[str, str]
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - valid_
to str - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
- arn String
- The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
- bypass
Policy BooleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - deletion
Window NumberIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. - description String
- A description of the KMS key.
- enabled Boolean
- Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be
false
. Imported keys default totrue
unless expired. - expiration
Model String - Whether the key material expires. Empty when pending key material import, otherwise
KEY_MATERIAL_EXPIRES
orKEY_MATERIAL_DOES_NOT_EXPIRE
. - key
Id String - The key ID of the replica key. Related multi-Region keys have the same key ID.
- key
Material StringBase64 - Base64 encoded 256-bit symmetric encryption key material to import. The KMS key is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
- key
State String - The state of the replica key.
- key
Usage String - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
- policy String
- The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
- primary
Key StringArn - The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
- Map<String>
- A map of tags to assign to the replica key. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block. - valid
To String - Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (
YYYY-MM-DDTHH:MM:SSZ
)
Import
Using pulumi import
, import KMS multi-Region replica keys using the id
. For example:
$ pulumi import aws:kms/replicaExternalKey:ReplicaExternalKey example 1234abcd-12ab-34cd-56ef-1234567890ab
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aws
Terraform Provider.
Try AWS Native preview for resources not in the classic version.