Adding AWS KMS documentation (#1399)

Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com>
2025-02-25 18:45:20 -06:00 · 2024-03-14 16:18:04 +01:00 · 2024-03-14 16:18:04 +01:00 · 1a34c658a3
commit 1a34c658a3
parent 8c99c75229
2 changed files with 23 additions and 0 deletions
--- a/website/docs/language/state/encryption.mdx
+++ b/website/docs/language/state/encryption.mdx
@ -12,6 +12,7 @@ import ConfigurationPS1 from '!!raw-loader!./examples/encryption/configuration.p
 import Enforce from '!!raw-loader!./examples/encryption/enforce.tf'
 import AESGCM from '!!raw-loader!./examples/encryption/aes_gcm.tf'
 import PBKDF2 from '!!raw-loader!./examples/encryption/pbkdf2.tf'
+import AWSKMS from '!!raw-loader!./examples/encryption/aws_kms.tf'
 import Fallback from '!!raw-loader!./examples/encryption/fallback.tf'
 import FallbackFromUnencrypted from '!!raw-loader!./examples/encryption/fallback_from_unencrypted.tf'
 import FallbackToUnencrypted from '!!raw-loader!./examples/encryption/fallback_to_unencrypted.tf'
@ -98,6 +99,19 @@ The PBKDF2 key provider allows you to use a long passphrase as to generate a key
 | salt_length             | Length of the salt for the key derivation.                                                                                                              | 1         | 32      |
 | hash_function           | Specify either `sha256` or `sha512` to use as a hash function. `sha1` is not supported.                                                                 | N/A       | sha512  |

+### AWS KMS
+
+This key provider uses the [Amazon Web Servers Key Management Service](https://aws.amazon.com/kms/) to generate keys. The authentication options are identical to the [S3 backend](/docs/language/settings/backends/s3/) excluding any deprecated options. In addition, please provide the following options:
+
+| Option     | Description                                                                                                                                        | Min. | Default |
+|------------|----------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|
+| kms_key_id | [Key ID on AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id).                                                   | 1    | -       |
+| key_spec   | [Key spec for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec). Adapt this to your encryption method (e.g. . | 1    | -       |
+
+The following example illustrates a minimal example:
+
+<CodeBlock language="hcl">{AWSKMS}</CodeBlock>
+
 ## Methods

 ### AES-GCM
--- a/website/docs/language/state/examples/encryption/aws_kms.tf
+++ b/website/docs/language/state/examples/encryption/aws_kms.tf
@ -0,0 +1,9 @@
+terraform {
+  encryption {
+    key_provider "aws_kms" "basic" {
+      kms_key_id = "a4f791e1-0d46-4c8e-b489-917e0bec05ef"
+      region = "us-east-1"
+      key_spec = "AES_256"
+    }
+  }
+}