Scenario 2: Create multi-region AWS KMS key(s) in the primary region and multi-region replica key in another region(s)
Create one or more multi-region AWS KMS keys in the primary region, each with its own key policy and alias, together with a multi-region replica key for each of them in one or more other regions. Each replica is registered under the same alias in its region, so the target AWS service in a secondary region can use the replica key through the alias it already knows.
Account owner (the account root principal) has full access to the key(s) and replica key(s).
Key Admin role(s) have administrative (key management) access to the key(s) and replica key(s).
Key Usage role(s) have cryptographic usage access to the key(s) and replica key(s).
Target AWS service usage role(s) have usage access to the key or replica key only through the target AWS service in the respective region.
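The following Terraform is an added example of the access model above, not the repository's own module code. It assumes a default "aws" provider configured for the primary region and an "aws.replica" provider configured for the replica region; the role names, alias prefix and key name are placeholders to replace with your own.

```hcl
# Added example, not the repository's own code. Assumes a default "aws" provider in the
# primary region and an "aws.replica" provider in the replica region; role names and the
# alias prefix are placeholders.
data "aws_caller_identity" "current" {}

locals {
  account_id      = data.aws_caller_identity.current.account_id
  alias_prefix    = "alias/myorg" # assumed prefix; KMS aliases must start with "alias/"
  key_name        = "app-data"
  admin_role_arns = ["arn:aws:iam::${local.account_id}:role/KmsKeyAdmin"] # hypothetical
  usage_role_arns = ["arn:aws:iam::${local.account_id}:role/AppKeyUser"]  # hypothetical
}

# Key policy: account root keeps full access (so IAM policies in the account still apply),
# admin roles manage the key but get no cryptographic operations, usage roles get only the
# data-path operations.
data "aws_iam_policy_document" "key" {
  statement {
    sid       = "EnableRootAccess"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }
  statement {
    sid = "AllowKeyAdministration"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
      "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource",
      "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
      "kms:ReplicateKey", "kms:UpdatePrimaryRegion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.admin_role_arns
    }
  }
  statement {
    sid       = "AllowKeyUsage"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.usage_role_arns
    }
  }
  # Usage roles may create grants only on behalf of AWS services that integrate with KMS
  # (the "target AWS service" above), never for arbitrary principals.
  statement {
    sid       = "AllowGrantsForAwsResources"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.usage_role_arns
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "primary" {
  description             = "Multi-region primary key for ${local.key_name}"
  multi_region            = true
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.key.json
}

resource "aws_kms_alias" "primary" {
  name          = "${local.alias_prefix}/${local.key_name}"
  target_key_id = aws_kms_key.primary.key_id
}

# The replica shares key ID and material with the primary but has its own key policy,
# so the same policy document is applied to it explicitly.
resource "aws_kms_replica_key" "replica" {
  provider                = aws.replica
  description             = "Multi-region replica key for ${local.key_name}"
  primary_key_arn         = aws_kms_key.primary.arn
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.key.json
}

# Same alias name in the replica region, so a service there resolves it to the replica
# without any region-specific configuration.
resource "aws_kms_alias" "replica" {
  provider      = aws.replica
  name          = "${local.alias_prefix}/${local.key_name}"
  target_key_id = aws_kms_replica_key.replica.key_id
}
```

Two points worth checking after apply. The replica does not inherit the primary's key policy (only key material and key ID are shared), so leaving the policy off the replica gives it the AWS default key policy, which is why the example sets it explicitly. To confirm the alias resolves to a replica in the second region, run `aws kms describe-key --key-id alias/myorg/app-data --region <replica-region>` and check that `KeyMetadata.MultiRegion` is `true` and `KeyMetadata.MultiRegionConfiguration.MultiRegionKeyType` is `REPLICA`.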
Prerequisites
One or more IAM roles for administration of the keys are identified.
Zero or more IAM roles for usage of the keys are identified.
A unique alias prefix is identified; it is used to name the key aliases uniformly in every region.
One or more regions are identified for the multi-region replica key(s).
The Terraform backend provider and state-locking provider are identified and bootstrapped.
An example bootstrap module is provided that provisions an Amazon S3 bucket for Terraform state storage and an Amazon DynamoDB table for Terraform state locking.
Modify its terraform.tfvars to match your requirements.
Execution
cd to the examples/kms/scenario2 folder.
Modify the backend "s3" section in provider.tf with the correct values for region, bucket, dynamodb_table, and key.
Use the provided values as guidance.
Modify terraform.tfvars to your requirements.
Use the provided values as guidance.
Make sure you are using the correct AWS profile, one that has permission to provision the target resources in both the primary and the replica region(s), and confirm the account and principal it resolves to:
aws sts get-caller-identity
Execute terraform init to initialize Terraform.
Execute terraform plan and verify the changes, in particular the key policy statements and the region of each replica key.
Execute terraform apply and approve the changes to provision the resources.
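As an added example of what the provider.tf edited in the steps above needs to contain (this is not the repository's own file), the following shows the S3 backend with DynamoDB locking plus the two provider configurations the scenario requires: one for the primary region and an aliased one for the replica region. The bucket name, lock table name, state key path and region values are placeholders to replace with the values from your bootstrap.

```hcl
# Added example of a provider.tf for this scenario, not the repository's own file.
# Bucket, table, state key and regions are placeholders.
terraform {
  required_version = ">= 1.3"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }

  # Backend settings cannot reference variables, so these are literals.
  backend "s3" {
    bucket         = "my-terraform-state-bucket"        # assumed bucket from the bootstrap
    key            = "kms/scenario2/terraform.tfstate"  # state object path inside the bucket
    region         = "us-east-1"                        # region of the state bucket
    dynamodb_table = "terraform-state-lock"             # assumed lock table from the bootstrap
    encrypt        = true                               # server-side encrypt the state object
  }
}

variable "primary_region" {
  description = "Region where the multi-region primary key is created"
  default     = "us-east-1"
}

variable "replica_region" {
  description = "Region where the multi-region replica key is created"
  default     = "us-west-2"
}

# Primary region: aws_kms_key and its alias are created through this provider.
provider "aws" {
  region = var.primary_region
}

# Replica region: aws_kms_replica_key and its alias are created through this
# aliased provider (referenced as provider = aws.replica in the resources).
provider "aws" {
  alias  = "replica"
  region = var.replica_region
}
```

The AWS profile is deliberately not hard-coded in the provider blocks; select it with the AWS_PROFILE environment variable before running the terraform commands, which is also the profile `aws sts get-caller-identity` reports on. The state bucket region is independent of both key regions, so it is acceptable for the backend region to differ from var.primary_region.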