Key is the Schema for the Keys API. Manages a single-Region or multi-Region primary KMS key.
Type: CRD
Group: kms.aws.upbound.io
Version: v1beta1
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
KeySpec defines the desired state of Key
No description provided.
THIS IS A BETA FIELD. It will be honored unless the Management Policies feature flag is disabled. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation but that we do not want to update afterwards, for example because an external controller, like an autoscaler, is managing them.
THIS IS A BETA FIELD. It is on by default but can be opted out through a Crossplane feature flag. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
KeyStatus defines the observed state of Key.
No description provided.
Conditions of the resource.
sample-key-${Rand.RFC1123Subdomain}
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: rds/v1beta1/instance
  labels:
    testing.upbound.io/example-name: sample-key
  name: sample-key-${Rand.RFC1123Subdomain}
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-west-1
example-endpoint
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: dms/v1beta1/endpoint
  labels:
    testing.upbound.io/example-name: example-endpoint
  name: example-endpoint
spec:
  forProvider:
    deletionWindowInDays: 7
    description: KMS Key
    region: us-west-1
sample-key
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  labels:
    testing.upbound.io/example-name: sample-key
  name: sample-key
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-east-1
kmskey
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  labels:
    testing.upbound.io/example-name: vault
  name: kmskey
spec:
  forProvider:
    deletionWindowInDays: 10
    description: KMS key 1
    region: us-west-1
sample-key-${Rand.RFC1123Subdomain}
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: rds/v1beta1/dbsnapshotcopy
  labels:
    testing.upbound.io/example-name: sample-key-ssc
  name: sample-key-${Rand.RFC1123Subdomain}
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-west-1
example
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: kafka/v1beta1/scramsecretassociation
  labels:
    testing.upbound.io/example-name: scram-secret-association
  name: example
spec:
  forProvider:
    description: Example Key for MSK Cluster Scram Secret Association
    region: us-east-2
example
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: ec2/v1beta1/ebsdefaultkmskey
  labels:
    testing.upbound.io/example-name: example
  name: example
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-west-1
test
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  labels:
    testing.upbound.io/example-name: test
  name: test
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Athena KMS Key
    region: us-west-1
dms-example-key
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: dms/v1beta1/endpoint
  labels:
    testing.upbound.io/example-name: dms-example-key
  name: dms-example-key
spec:
  forProvider:
    deletionWindowInDays: 7
    description: dms-example-key
    region: us-west-1
kms
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  labels:
    testing.upbound.io/example-name: kms
  name: kms
spec:
  forProvider:
    description: example
    region: us-east-2
sample-key-${Rand.RFC1123Subdomain}
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: rds/v1beta1/snapshot
  labels:
    testing.upbound.io/example-name: sample-key-snapshot
  name: sample-key-${Rand.RFC1123Subdomain}
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-west-1
sample-replicakey
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  name: sample-replicakey
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    multiRegion: true
    region: us-east-1
launchtemplate-key
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  labels:
    testing.upbound.io/example-name: launchtemplate-key
  name: launchtemplate-key
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-east-1
example
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    upjet.upbound.io/manual-intervention: The dependent resource HostedZoneDNSSEC is not stable and is thus skipped.
  labels:
    testing.upbound.io/example-name: example
  name: example
spec:
  forProvider:
    customerMasterKeySpec: ECC_NIST_P256
    deletionWindowInDays: 7
    keyUsage: SIGN_VERIFY
    policy: >-
      ${jsonencode({
        Statement = [
          {
            Action = [
              "kms:DescribeKey",
              "kms:GetPublicKey",
              "kms:Sign",
            ],
            Effect = "Allow"
            Principal = {
              Service = "dnssec-route53.amazonaws.com"
            }
            Sid = "Allow Route 53 DNSSEC Service",
            Resource = "*"
            Condition = {
              StringEquals = {
                "aws:SourceAccount" = "${data.aws_caller_identity.current.account_id}"
              }
              ArnLike = {
                "aws:SourceArn" = "arn:aws:route53:::hostedzone/*"
              }
            }
          },
          {
            Action = "kms:CreateGrant",
            Effect = "Allow"
            Principal = {
              Service = "dnssec-route53.amazonaws.com"
            }
            Sid = "Allow Route 53 DNSSEC Service to CreateGrant",
            Resource = "*"
            Condition = {
              Bool = {
                "kms:GrantIsForAWSResource" = "true"
              }
            }
          },
          {
            Action = "kms:*"
            Effect = "Allow"
            Principal = {
              AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
            }
            Resource = "*"
            Sid = "Enable IAM User Permissions"
          },
        ]
        Version = "2012-10-17"
      })}
    region: us-west-1
example
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: dms/v1beta1/replicationtask
  labels:
    testing.upbound.io/example-name: example
  name: example
spec:
  forProvider:
    deletionWindowInDays: 7
    description: KMS Key
    region: us-west-1
glue-example-key
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  labels:
    testing.upbound.io/example-name: glue-example-key
  name: glue-example-key
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-west-1
lambda-example
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: cognitoidp/v1beta1/userpool
  labels:
    testing.upbound.io/example-name: lambda-example
  name: lambda-example
spec:
  forProvider:
    deletionWindowInDays: 7
    region: eu-west-1
default-cas
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: rds/v1beta1/clusteractivitystream
  labels:
    testing.upbound.io/example-name: default-cas
  name: default-cas
spec:
  forProvider:
    description: AWS KMS Key to encrypt Database Activity Stream
    region: us-west-1
mykey-${Rand.RFC1123Subdomain}
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: s3/v1beta1/bucketserversideencryptionconfiguration
  labels:
    testing.upbound.io/example-name: mykey
  name: mykey-${Rand.RFC1123Subdomain}
spec:
  forProvider:
    deletionWindowInDays: 10
    description: This key is used to encrypt bucket objects
    region: us-west-1
sample-key
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  name: sample-key
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-east-1
example
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: dms/v1beta1/eventsubscription
  labels:
    testing.upbound.io/example-name: example
  name: example
spec:
  forProvider:
    deletionWindowInDays: 7
    description: KMS Key
    region: us-west-1
example-key
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: efs/v1beta1/filesystem
  labels:
    testing.upbound.io/example-name: example-key
  name: example-key
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-west-1
sample-key
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: redshift/v1beta1/snapshotcopygrant
  labels:
    testing.upbound.io/example-name: test
  name: sample-key
spec:
  forProvider:
    deletionWindowInDays: 7
    description: KMS Key
    region: us-west-1
sample-key-${Rand.RFC1123Subdomain}
apiVersion: kms.aws.upbound.io/v1beta1
kind: Key
metadata:
  annotations:
    meta.upbound.io/example-id: rds/v1beta1/instanceroleassociation
  labels:
    testing.upbound.io/example-name: sample-key-ira
  name: sample-key-${Rand.RFC1123Subdomain}
spec:
  forProvider:
    deletionWindowInDays: 7
    description: Created with Crossplane
    region: us-west-1
© 2022 Upbound, Inc.