added custom_key_store_id to aws_kms_key

hashicorp · May 16, 2022 · 3ea2d0b · 3ea2d0b
1 parent 6e8fe78
commit 3ea2d0b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/internal/service/kms/key.go b/internal/service/kms/key.go
@@ -40,6 +40,12 @@ func ResourceKey() *schema.Resource {
 				Optional: true,
 				Default:  false,
 			},
+			"custom_key_store_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.StringLenBetween(1, 22),
+			},
 			"customer_master_key_spec": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -121,6 +127,11 @@ func resourceKeyCreate(d *schema.ResourceData, meta interface{}) error {
 		input.Policy = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("custom_key_store_id"); ok {
+		input.Origin = aws.String(kms.OriginTypeAwsCloudhsm)
+		input.CustomKeyStoreId = aws.String(v.(string))
+	}
+
 	if len(tags) > 0 {
 		input.Tags = Tags(tags.IgnoreAWS())
 	}
@@ -192,6 +203,7 @@ func resourceKeyRead(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	d.Set("arn", key.metadata.Arn)
+	d.Set("custom_key_store_id", key.metadata.CustomKeyStoreId)
 	d.Set("customer_master_key_spec", key.metadata.CustomerMasterKeySpec)
 	d.Set("description", key.metadata.Description)
 	d.Set("enable_key_rotation", key.rotation)

diff --git a/website/docs/r/kms_key.html.markdown b/website/docs/r/kms_key.html.markdown
@@ -42,6 +42,7 @@ If the KMS key is a multi-Region primary key with replicas, the waiting period b
 * `is_enabled` - (Optional) Specifies whether the key is enabled. Defaults to `true`.
 * `enable_key_rotation` - (Optional) Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) is enabled. Defaults to false.
 * `multi_region` - (Optional) Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
+* `custom_key_store_id` - (Optional) ID of the KMS [Custom Key Store](https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) where the key will be stored instead of KMS (eg CloudHSM).
 * `tags` - (Optional) A map of tags to assign to the object. If configured with a provider [`default_tags` configuration block](https://www.terraform.io/docs/providers/aws/index.html#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 
 ## Attributes Reference