From 1a34c658a3601d89cf126fc2d3dde0a203277e44 Mon Sep 17 00:00:00 2001
From: Janos <86970079+janosdebugs@users.noreply.github.com>
Date: Thu, 14 Mar 2024 16:18:04 +0100
Subject: [PATCH] Adding AWS KMS documentation (#1399)

Signed-off-by: Janos <86970079+janosdebugs@users.noreply.github.com>
---
 website/docs/language/state/encryption.mdx | 14 ++++++++++++++
 .../language/state/examples/encryption/aws_kms.tf | 9 +++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 website/docs/language/state/examples/encryption/aws_kms.tf

diff --git a/website/docs/language/state/encryption.mdx b/website/docs/language/state/encryption.mdx
index bc0b96ecc2..cfbb327e40 100644
--- a/website/docs/language/state/encryption.mdx
+++ b/website/docs/language/state/encryption.mdx
@@ -12,6 +12,7 @@ import ConfigurationPS1 from '!!raw-loader!./examples/encryption/configuration.p
 import Enforce from '!!raw-loader!./examples/encryption/enforce.tf'
 import AESGCM from '!!raw-loader!./examples/encryption/aes_gcm.tf'
 import PBKDF2 from '!!raw-loader!./examples/encryption/pbkdf2.tf'
+import AWSKMS from '!!raw-loader!./examples/encryption/aws_kms.tf'
 import Fallback from '!!raw-loader!./examples/encryption/fallback.tf'
 import FallbackFromUnencrypted from '!!raw-loader!./examples/encryption/fallback_from_unencrypted.tf'
 import FallbackToUnencrypted from '!!raw-loader!./examples/encryption/fallback_to_unencrypted.tf'
@@ -98,6 +99,19 @@ The PBKDF2 key provider allows you to use a long passphrase as to generate a key
 | salt_length | Length of the salt for the key derivation. | 1 | 32 |
 | hash_function | Specify either `sha256` or `sha512` to use as a hash function. `sha1` is not supported. | N/A | sha512 |
 
+### AWS KMS
+
+This key provider uses the [Amazon Web Servers Key Management Service](https://aws.amazon.com/kms/) to generate keys. The authentication options are identical to the [S3 backend](/docs/language/settings/backends/s3/) excluding any deprecated options. In addition, please provide the following options:
+
+| Option | Description | Min. | Default |
+|------------|----------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|
+| kms_key_id | [Key ID on AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id). | 1 | - |
+| key_spec | [Key spec for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec). Adapt this to your encryption method (e.g. . | 1 | - |
+
+The following example illustrates a minimal example:
+
+{AWSKMS}
+
 ## Methods
 
 ### AES-GCM
diff --git a/website/docs/language/state/examples/encryption/aws_kms.tf b/website/docs/language/state/examples/encryption/aws_kms.tf
new file mode 100644
index 0000000000..f8b9f4ee02
--- /dev/null
+++ b/website/docs/language/state/examples/encryption/aws_kms.tf
@@ -0,0 +1,9 @@
+terraform {
+ encryption {
+ key_provider "aws_kms" "basic" {
+ kms_key_id = "a4f791e1-0d46-4c8e-b489-917e0bec05ef"
+ region = "us-east-1"
+ key_spec = "AES_256"
+ }
+ }
+}
\ No newline at end of file
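Review bot: The example sets `key_spec = "AES_256"` without saying which encryption method that value is meant to pair with, and the sentence in the encryption.mdx hunk that was supposed to explain it is cut off at `(e.g. .`, so a reader cannot tell from either file how to "adapt this to your encryption method". A short comment in the example would close that gap, e.g. `key_spec = "AES_256" # choose the spec that matches the key size your encryption method expects`, and the truncated table row should be completed with the intended example. The same mdx hunk reads `Amazon Web Servers`, presumably `Amazon Web Services`, and `The following example illustrates a minimal example` could simply be `The following is a minimal example`. The new .tf file also lacks a trailing newline.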