// API by default limits results to 50 aliases
// This is how we make sure we won't miss any alias
// See http://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html
func findKmsAliasByName(conn *kms.KMS, name string, marker *string) (*kms.AliasListEntry, error) {
req := kms.ListAliasesInput{
Limit: aws.Int64(int64(100)),
}
if marker != nil {
req.Marker = marker
}
log.Printf("[DEBUG] Listing KMS aliases: %s", req)
resp, err := conn.ListAliases(&req)
if err != nil {
return nil, err
}
for _, entry := range resp.Aliases {
if *entry.AliasName == name {
return entry, nil
}
}
if *resp.Truncated {
log.Printf("[DEBUG] KMS alias list is truncated, listing more via %s", *resp.NextMarker)
return findKmsAliasByName(conn, name, resp.NextMarker)
}
return nil, nil
}
func decrypt(c *kms.KMS, b *[]byte) ([]byte, error) {
resp, err := c.Decrypt(&kms.DecryptInput{
CiphertextBlob: *b,
})
if err != nil {
return nil, err
}
return resp.Plaintext, nil
}
func resourceAwsKmsKeyDescriptionUpdate(conn *kms.KMS, d *schema.ResourceData) error {
description := d.Get("description").(string)
keyId := d.Get("key_id").(string)
log.Printf("[DEBUG] KMS key: %s, update description: %s", keyId, description)
req := &kms.UpdateKeyDescriptionInput{
Description: aws.String(description),
KeyId: aws.String(keyId),
}
_, err := conn.UpdateKeyDescription(req)
return err
}
func resourceAwsKmsAliasTargetUpdate(conn *kms.KMS, d *schema.ResourceData) error {
name := d.Get("name").(string)
targetKeyId := d.Get("target_key_id").(string)
log.Printf("[DEBUG] KMS alias: %s, update target: %s", name, targetKeyId)
req := &kms.UpdateAliasInput{
AliasName: aws.String(name),
TargetKeyId: aws.String(targetKeyId),
}
_, err := conn.UpdateAlias(req)
return err
}
func resourceAwsKmsKeyPolicyUpdate(conn *kms.KMS, d *schema.ResourceData) error {
policy := d.Get("policy").(string)
keyId := d.Get("key_id").(string)
log.Printf("[DEBUG] KMS key: %s, update policy: %s", keyId, policy)
req := &kms.PutKeyPolicyInput{
KeyId: aws.String(keyId),
Policy: aws.String(normalizeJson(policy)),
PolicyName: aws.String("default"),
}
_, err := conn.PutKeyPolicy(req)
return err
}
func resourceAwsKmsKeyPolicyUpdate(conn *kms.KMS, d *schema.ResourceData) error {
policy, err := normalizeJsonString(d.Get("policy").(string))
if err != nil {
return errwrap.Wrapf("policy contains an invalid JSON: {{err}}", err)
}
keyId := d.Get("key_id").(string)
log.Printf("[DEBUG] KMS key: %s, update policy: %s", keyId, policy)
req := &kms.PutKeyPolicyInput{
KeyId: aws.String(keyId),
Policy: aws.String(policy),
PolicyName: aws.String("default"),
}
_, err = conn.PutKeyPolicy(req)
return err
}
// decrypt returns a KMS decrypted byte array
// See http://docs.aws.amazon.com/sdk-for-go/api/service/kms/KMS.html#Decrypt-instance_method
func decrypt(payload []byte, svc *kms.KMS) ([]byte, error) {
params := &kms.DecryptInput{
CiphertextBlob: payload,
EncryptionContext: aws.StringMap(map[string]string{
"Key": "EncryptionContextValue",
}),
GrantTokens: aws.StringSlice([]string{
"GrantTokenType",
}),
}
resp, err := svc.Decrypt(params)
if err != nil {
return nil, err
}
return resp.Plaintext, nil
}
// encrypt returns a KMS encrypted byte array
// See http://docs.aws.amazon.com/sdk-for-go/api/service/kms/KMS.html#Encrypt-instance_method
func encrypt(payload []byte, svc *kms.KMS, keyID string) ([]byte, error) {
params := &kms.EncryptInput{
KeyId: aws.String(keyID),
Plaintext: payload,
EncryptionContext: aws.StringMap(map[string]string{
"Key": "EncryptionContextValue",
}),
GrantTokens: aws.StringSlice([]string{
"GrantTokenType",
}),
}
resp, err := svc.Encrypt(params)
if err != nil {
return nil, err
}
return resp.CiphertextBlob, nil
}
func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error {
var err error
shouldEnableRotation := d.Get("enable_key_rotation").(bool)
if shouldEnableRotation {
log.Printf("[DEBUG] Enabling key rotation for KMS key %q", d.Id())
_, err = conn.EnableKeyRotation(&kms.EnableKeyRotationInput{
KeyId: aws.String(d.Id()),
})
} else {
log.Printf("[DEBUG] Disabling key rotation for KMS key %q", d.Id())
_, err = conn.DisableKeyRotation(&kms.DisableKeyRotationInput{
KeyId: aws.String(d.Id()),
})
}
if err != nil {
return fmt.Errorf("Failed to set key rotation for %q to %t: %q",
d.Id(), shouldEnableRotation, err.Error())
}
// Wait for propagation since KMS is eventually consistent
wait := resource.StateChangeConf{
Pending: []string{fmt.Sprintf("%t", !shouldEnableRotation)},
Target: []string{fmt.Sprintf("%t", shouldEnableRotation)},
Timeout: 5 * time.Minute,
MinTimeout: 1 * time.Second,
ContinuousTargetOccurence: 5,
Refresh: func() (interface{}, string, error) {
log.Printf("[DEBUG] Checking if KMS key %s rotation status is %t",
d.Id(), shouldEnableRotation)
resp, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
KeyId: aws.String(d.Id()),
})
if err != nil {
return resp, "FAILED", err
}
status := fmt.Sprintf("%t", *resp.KeyRotationEnabled)
log.Printf("[DEBUG] KMS key %s rotation status received: %s, retrying", d.Id(), status)
return resp, status, nil
},
}
_, err = wait.WaitForState()
if err != nil {
return fmt.Errorf("Failed setting KMS key rotation status to %t: %s", shouldEnableRotation, err)
}
return nil
}
func updateKmsKeyStatus(conn *kms.KMS, id string, shouldBeEnabled bool) error {
var err error
if shouldBeEnabled {
log.Printf("[DEBUG] Enabling KMS key %q", id)
_, err = conn.EnableKey(&kms.EnableKeyInput{
KeyId: aws.String(id),
})
} else {
log.Printf("[DEBUG] Disabling KMS key %q", id)
_, err = conn.DisableKey(&kms.DisableKeyInput{
KeyId: aws.String(id),
})
}
if err != nil {
return fmt.Errorf("Failed to set KMS key %q status to %t: %q",
id, shouldBeEnabled, err.Error())
}
// Wait for propagation since KMS is eventually consistent
wait := resource.StateChangeConf{
Pending: []string{fmt.Sprintf("%t", !shouldBeEnabled)},
Target: []string{fmt.Sprintf("%t", shouldBeEnabled)},
Timeout: 20 * time.Minute,
MinTimeout: 2 * time.Second,
ContinuousTargetOccurence: 10,
Refresh: func() (interface{}, string, error) {
log.Printf("[DEBUG] Checking if KMS key %s enabled status is %t",
id, shouldBeEnabled)
resp, err := conn.DescribeKey(&kms.DescribeKeyInput{
KeyId: aws.String(id),
})
if err != nil {
return resp, "FAILED", err
}
status := fmt.Sprintf("%t", *resp.KeyMetadata.Enabled)
log.Printf("[DEBUG] KMS key %s status received: %s, retrying", id, status)
return resp, status, nil
},
}
_, err = wait.WaitForState()
if err != nil {
return fmt.Errorf("Failed setting KMS key status to %t: %s", shouldBeEnabled, err)
}
return nil
}