Merge pull request #3928 from TimeIncOSS/aws-kms

provider/aws: Add support for KMS

Godeps/Godeps.json

@@ -411,6 +411,11 @@
 			"Comment": "v1.1.2",
 			"Rev": "8041be5461786460d86b4358305fbdf32d37cfb2"
 		},
+		{
+			"ImportPath": "github.com/aws/aws-sdk-go/service/kms",
+			"Comment": "v1.1.0",
+			"Rev": "be2ec39e520e3c4088c0c6288055bdc8184a89ee"
+		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/lambda",
 			"Comment": "v1.1.2",

builtin/providers/aws/config.go

@@ -42,6 +42,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/glacier"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/kinesis"
+	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/aws/aws-sdk-go/service/lambda"
 	"github.com/aws/aws-sdk-go/service/opsworks"
 	"github.com/aws/aws-sdk-go/service/rds"
@@ -97,6 +98,7 @@ type AWSClient struct {
 	rdsconn              *rds.RDS
 	iamconn              *iam.IAM
 	kinesisconn          *kinesis.Kinesis
+	kmsconn              *kms.KMS
 	firehoseconn         *firehose.Firehose
 	elasticacheconn      *elasticache.ElastiCache
 	elasticbeanstalkconn *elasticbeanstalk.ElasticBeanstalk
@@ -294,6 +296,8 @@ func (c *Config) Client() (interface{}, error) {
 		log.Println("[INFO] Initializing Redshift SDK connection")
 		client.redshiftconn = redshift.New(sess)
 
+		log.Println("[INFO] Initializing KMS connection")
+		client.kmsconn = kms.New(sess)
 	}
 
 	if len(errs) > 0 {

builtin/providers/aws/provider.go

@@ -184,6 +184,8 @@ func Provider() terraform.ResourceProvider {
 			"aws_key_pair":                                 resourceAwsKeyPair(),
 			"aws_kinesis_firehose_delivery_stream":         resourceAwsKinesisFirehoseDeliveryStream(),
 			"aws_kinesis_stream":                           resourceAwsKinesisStream(),
+			"aws_kms_alias":                                resourceAwsKmsAlias(),
+			"aws_kms_key":                                  resourceAwsKmsKey(),
 			"aws_lambda_function":                          resourceAwsLambdaFunction(),
 			"aws_lambda_event_source_mapping":              resourceAwsLambdaEventSourceMapping(),
 			"aws_lambda_alias":                             resourceAwsLambdaAlias(),

builtin/providers/aws/resource_aws_kms_alias.go

@@ -0,0 +1,160 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	"github.com/hashicorp/terraform/helper/schema"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/kms"
+)
+
+func resourceAwsKmsAlias() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsKmsAliasCreate,
+		Read:   resourceAwsKmsAliasRead,
+		Update: resourceAwsKmsAliasUpdate,
+		Delete: resourceAwsKmsAliasDelete,
+
+		Schema: map[string]*schema.Schema{
+			"arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+				ValidateFunc: func(v interface{}, k string) (ws []string, es []error) {
+					value := v.(string)
+					if !regexp.MustCompile(`^(alias\/)[a-zA-Z0-9:/_-]+$`).MatchString(value) {
+						es = append(es, fmt.Errorf(
+							"%q must begin with 'alias/' and be comprised of only [a-zA-Z0-9:/_-]", k))
+					}
+					return
+				},
+			},
+			"target_key_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+		},
+	}
+}
+
+func resourceAwsKmsAliasCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).kmsconn
+	name := d.Get("name").(string)
+	targetKeyId := d.Get("target_key_id").(string)
+
+	log.Printf("[DEBUG] KMS alias create name: %s, target_key: %s", name, targetKeyId)
+
+	req := &kms.CreateAliasInput{
+		AliasName:   aws.String(name),
+		TargetKeyId: aws.String(targetKeyId),
+	}
+	_, err := conn.CreateAlias(req)
+	if err != nil {
+		return err
+	}
+	d.SetId(name)
+	return resourceAwsKmsAliasRead(d, meta)
+}
+
+func resourceAwsKmsAliasRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).kmsconn
+	name := d.Get("name").(string)
+
+	alias, err := findKmsAliasByName(conn, name, nil)
+	if err != nil {
+		return err
+	}
+	if alias == nil {
+		log.Printf("[DEBUG] Removing KMS Alias %q as it's already gone", name)
+		d.SetId("")
+		return nil
+	}
+
+	log.Printf("[DEBUG] Found KMS Alias: %s", alias)
+
+	d.Set("arn", alias.AliasArn)
+	d.Set("target_key_id", alias.TargetKeyId)
+
+	return nil
+}
+
+func resourceAwsKmsAliasUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).kmsconn
+
+	if d.HasChange("target_key_id") {
+		err := resourceAwsKmsAliasTargetUpdate(conn, d)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func resourceAwsKmsAliasTargetUpdate(conn *kms.KMS, d *schema.ResourceData) error {
+	name := d.Get("name").(string)
+	targetKeyId := d.Get("target_key_id").(string)
+
+	log.Printf("[DEBUG] KMS alias: %s, update target: %s", name, targetKeyId)
+
+	req := &kms.UpdateAliasInput{
+		AliasName:   aws.String(name),
+		TargetKeyId: aws.String(targetKeyId),
+	}
+	_, err := conn.UpdateAlias(req)
+
+	return err
+}
+
+func resourceAwsKmsAliasDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).kmsconn
+	name := d.Get("name").(string)
+
+	req := &kms.DeleteAliasInput{
+		AliasName: aws.String(name),
+	}
+	_, err := conn.DeleteAlias(req)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("[DEBUG] KMS Alias: %s deleted.", name)
+	d.SetId("")
+	return nil
+}
+
+// API by default limits results to 50 aliases
+// This is how we make sure we won't miss any alias
+// See http://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html
+func findKmsAliasByName(conn *kms.KMS, name string, marker *string) (*kms.AliasListEntry, error) {
+	req := kms.ListAliasesInput{
+		Limit: aws.Int64(int64(100)),
+	}
+	if marker != nil {
+		req.Marker = marker
+	}
+
+	log.Printf("[DEBUG] Listing KMS aliases: %s", req)
+	resp, err := conn.ListAliases(&req)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, entry := range resp.Aliases {
+		if *entry.AliasName == name {
+			return entry, nil
+		}
+	}
+	if *resp.Truncated {
+		log.Printf("[DEBUG] KMS alias list is truncated, listing more via %s", *resp.NextMarker)
+		return findKmsAliasByName(conn, name, resp.NextMarker)
+	}
+
+	return nil, nil
+}

builtin/providers/aws/resource_aws_kms_alias_test.go

@@ -0,0 +1,128 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSKmsAlias_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSKmsAliasDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSKmsSingleAlias,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsAliasExists("aws_kms_alias.single"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSKmsSingleAlias_modified,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsAliasExists("aws_kms_alias.single"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSKmsAlias_multiple(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSKmsAliasDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSKmsMultipleAliases,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsAliasExists("aws_kms_alias.one"),
+					testAccCheckAWSKmsAliasExists("aws_kms_alias.two"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSKmsAliasDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).kmsconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_kms_alias" {
+			continue
+		}
+
+		entry, err := findKmsAliasByName(conn, rs.Primary.ID, nil)
+		if err != nil {
+			return err
+		}
+		if entry != nil {
+			return fmt.Errorf("KMS alias still exists:\n%#v", entry)
+		}
+
+		return nil
+	}
+
+	return nil
+}
+
+func testAccCheckAWSKmsAliasExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		_, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		return nil
+	}
+}
+
+var kmsAliasTimestamp = time.Now().Format(time.RFC1123)
+var testAccAWSKmsSingleAlias = fmt.Sprintf(`
+resource "aws_kms_key" "one" {
+    description = "Terraform acc test One %s"
+    deletion_window_in_days = 7
+}
+resource "aws_kms_key" "two" {
+    description = "Terraform acc test Two %s"
+    deletion_window_in_days = 7
+}
+
+resource "aws_kms_alias" "single" {
+    name = "alias/tf-acc-key-alias"
+    target_key_id = "${aws_kms_key.one.key_id}"
+}`, kmsAliasTimestamp, kmsAliasTimestamp)
+
+var testAccAWSKmsSingleAlias_modified = fmt.Sprintf(`
+resource "aws_kms_key" "one" {
+    description = "Terraform acc test One %s"
+    deletion_window_in_days = 7
+}
+resource "aws_kms_key" "two" {
+    description = "Terraform acc test Two %s"
+    deletion_window_in_days = 7
+}
+
+resource "aws_kms_alias" "single" {
+    name = "alias/tf-acc-key-alias"
+    target_key_id = "${aws_kms_key.two.key_id}"
+}`, kmsAliasTimestamp, kmsAliasTimestamp)
+
+var testAccAWSKmsMultipleAliases = fmt.Sprintf(`
+resource "aws_kms_key" "single" {
+    description = "Terraform acc test One %s"
+    deletion_window_in_days = 7
+}
+
+resource "aws_kms_alias" "one" {
+    name = "alias/tf-acc-key-alias-one"
+    target_key_id = "${aws_kms_key.single.key_id}"
+}
+resource "aws_kms_alias" "two" {
+    name = "alias/tf-acc-key-alias-two"
+    target_key_id = "${aws_kms_key.single.key_id}"
+}`, kmsAliasTimestamp)

builtin/providers/aws/resource_aws_kms_key.go

@@ -0,0 +1,377 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/kms"
+)
+
+func resourceAwsKmsKey() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsKmsKeyCreate,
+		Read:   resourceAwsKmsKeyRead,
+		Update: resourceAwsKmsKeyUpdate,
+		Delete: resourceAwsKmsKeyDelete,
+
+		Schema: map[string]*schema.Schema{
+			"arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"key_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"description": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+			"key_usage": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ForceNew: true,
+				ValidateFunc: func(v interface{}, k string) (ws []string, es []error) {
+					value := v.(string)
+					if !(value == "ENCRYPT_DECRYPT" || value == "") {
+						es = append(es, fmt.Errorf(
+							"%q must be ENCRYPT_DECRYPT or not specified", k))
+					}
+					return
+				},
+			},
+			"policy": &schema.Schema{
+				Type:      schema.TypeString,
+				Optional:  true,
+				Computed:  true,
+				StateFunc: normalizeJson,
+			},
+			"is_enabled": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
+			"enable_key_rotation": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+			"deletion_window_in_days": &schema.Schema{
+				Type:     schema.TypeInt,
+				Optional: true,
+				ValidateFunc: func(v interface{}, k string) (ws []string, es []error) {
+					value := v.(int)
+					if value > 30 || value < 7 {
+						es = append(es, fmt.Errorf(
+							"%q must be between 7 and 30 days inclusive", k))
+					}
+					return
+				},
+			},
+		},
+	}
+}
+
+func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).kmsconn
+
+	// Allow aws to chose default values if we don't pass them
+	var req kms.CreateKeyInput
+	if v, exists := d.GetOk("description"); exists {
+		req.Description = aws.String(v.(string))
+	}
+	if v, exists := d.GetOk("key_usage"); exists {
+		req.KeyUsage = aws.String(v.(string))
+	}
+	if v, exists := d.GetOk("policy"); exists {
+		req.Policy = aws.String(v.(string))
+	}
+
+	resp, err := conn.CreateKey(&req)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(*resp.KeyMetadata.KeyId)
+	d.Set("key_id", resp.KeyMetadata.KeyId)
+
+	return _resourceAwsKmsKeyUpdate(d, meta, true)
+}
+
+func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).kmsconn
+
+	req := &kms.DescribeKeyInput{
+		KeyId: aws.String(d.Id()),
+	}
+	resp, err := conn.DescribeKey(req)
+	if err != nil {
+		return err
+	}
+	metadata := resp.KeyMetadata
+
+	if *metadata.KeyState == "PendingDeletion" {
+		log.Printf("[WARN] Removing KMS key %s because it's already gone", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	d.SetId(*metadata.KeyId)
+
+	d.Set("arn", metadata.Arn)
+	d.Set("key_id", metadata.KeyId)
+	d.Set("description", metadata.Description)
+	d.Set("key_usage", metadata.KeyUsage)
+	d.Set("is_enabled", metadata.Enabled)
+
+	p, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{
+		KeyId:      metadata.KeyId,
+		PolicyName: aws.String("default"),
+	})
+	if err != nil {
+		return err
+	}
+
+	d.Set("policy", normalizeJson(*p.Policy))
+
+	krs, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
+		KeyId: metadata.KeyId,
+	})
+	if err != nil {
+		return err
+	}
+	d.Set("enable_key_rotation", krs.KeyRotationEnabled)
+
+	return nil
+}
+
+func resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}) error {
+	return _resourceAwsKmsKeyUpdate(d, meta, false)
+}
+
+// We expect new keys to be enabled already
+// but there is no easy way to differentiate between Update()
+// called from Create() and regular update, so we have this wrapper
+func _resourceAwsKmsKeyUpdate(d *schema.ResourceData, meta interface{}, isFresh bool) error {
+	conn := meta.(*AWSClient).kmsconn
+
+	if d.HasChange("is_enabled") && d.Get("is_enabled").(bool) && !isFresh {
+		// Enable before any attributes will be modified
+		if err := updateKmsKeyStatus(conn, d.Id(), d.Get("is_enabled").(bool)); err != nil {
+			return err
+		}
+	}
+
+	if d.HasChange("enable_key_rotation") {
+		if err := updateKmsKeyRotationStatus(conn, d); err != nil {
+			return err
+		}
+	}
+
+	if d.HasChange("description") {
+		if err := resourceAwsKmsKeyDescriptionUpdate(conn, d); err != nil {
+			return err
+		}
+	}
+	if d.HasChange("policy") {
+		if err := resourceAwsKmsKeyPolicyUpdate(conn, d); err != nil {
+			return err
+		}
+	}
+
+	if d.HasChange("is_enabled") && !d.Get("is_enabled").(bool) {
+		// Only disable when all attributes are modified
+		// because we cannot modify disabled keys
+		if err := updateKmsKeyStatus(conn, d.Id(), d.Get("is_enabled").(bool)); err != nil {
+			return err
+		}
+	}
+
+	return resourceAwsKmsKeyRead(d, meta)
+}
+
+func resourceAwsKmsKeyDescriptionUpdate(conn *kms.KMS, d *schema.ResourceData) error {
+	description := d.Get("description").(string)
+	keyId := d.Get("key_id").(string)
+
+	log.Printf("[DEBUG] KMS key: %s, update description: %s", keyId, description)
+
+	req := &kms.UpdateKeyDescriptionInput{
+		Description: aws.String(description),
+		KeyId:       aws.String(keyId),
+	}
+	_, err := conn.UpdateKeyDescription(req)
+	return err
+}
+
+func resourceAwsKmsKeyPolicyUpdate(conn *kms.KMS, d *schema.ResourceData) error {
+	policy := d.Get("policy").(string)
+	keyId := d.Get("key_id").(string)
+
+	log.Printf("[DEBUG] KMS key: %s, update policy: %s", keyId, policy)
+
+	req := &kms.PutKeyPolicyInput{
+		KeyId:      aws.String(keyId),
+		Policy:     aws.String(normalizeJson(policy)),
+		PolicyName: aws.String("default"),
+	}
+	_, err := conn.PutKeyPolicy(req)
+	return err
+}
+
+func updateKmsKeyStatus(conn *kms.KMS, id string, shouldBeEnabled bool) error {
+	var err error
+
+	if shouldBeEnabled {
+		log.Printf("[DEBUG] Enabling KMS key %q", id)
+		_, err = conn.EnableKey(&kms.EnableKeyInput{
+			KeyId: aws.String(id),
+		})
+	} else {
+		log.Printf("[DEBUG] Disabling KMS key %q", id)
+		_, err = conn.DisableKey(&kms.DisableKeyInput{
+			KeyId: aws.String(id),
+		})
+	}
+
+	if err != nil {
+		return fmt.Errorf("Failed to set KMS key %q status to %t: %q",
+			id, shouldBeEnabled, err.Error())
+	}
+
+	// Wait for propagation since KMS is eventually consistent
+	wait := resource.StateChangeConf{
+		Pending:                   []string{fmt.Sprintf("%t", !shouldBeEnabled)},
+		Target:                    []string{fmt.Sprintf("%t", shouldBeEnabled)},
+		Timeout:                   20 * time.Minute,
+		MinTimeout:                2 * time.Second,
+		ContinuousTargetOccurence: 10,
+		Refresh: func() (interface{}, string, error) {
+			log.Printf("[DEBUG] Checking if KMS key %s enabled status is %t",
+				id, shouldBeEnabled)
+			resp, err := conn.DescribeKey(&kms.DescribeKeyInput{
+				KeyId: aws.String(id),
+			})
+			if err != nil {
+				return resp, "FAILED", err
+			}
+			status := fmt.Sprintf("%t", *resp.KeyMetadata.Enabled)
+			log.Printf("[DEBUG] KMS key %s status received: %s, retrying", id, status)
+
+			return resp, status, nil
+		},
+	}
+
+	_, err = wait.WaitForState()
+	if err != nil {
+		return fmt.Errorf("Failed setting KMS key status to %t: %s", shouldBeEnabled, err)
+	}
+
+	return nil
+}
+
+func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error {
+	var err error
+	shouldEnableRotation := d.Get("enable_key_rotation").(bool)
+	if shouldEnableRotation {
+		log.Printf("[DEBUG] Enabling key rotation for KMS key %q", d.Id())
+		_, err = conn.EnableKeyRotation(&kms.EnableKeyRotationInput{
+			KeyId: aws.String(d.Id()),
+		})
+	} else {
+		log.Printf("[DEBUG] Disabling key rotation for KMS key %q", d.Id())
+		_, err = conn.DisableKeyRotation(&kms.DisableKeyRotationInput{
+			KeyId: aws.String(d.Id()),
+		})
+	}
+
+	if err != nil {
+		return fmt.Errorf("Failed to set key rotation for %q to %t: %q",
+			d.Id(), shouldEnableRotation, err.Error())
+	}
+
+	// Wait for propagation since KMS is eventually consistent
+	wait := resource.StateChangeConf{
+		Pending:                   []string{fmt.Sprintf("%t", !shouldEnableRotation)},
+		Target:                    []string{fmt.Sprintf("%t", shouldEnableRotation)},
+		Timeout:                   5 * time.Minute,
+		MinTimeout:                1 * time.Second,
+		ContinuousTargetOccurence: 5,
+		Refresh: func() (interface{}, string, error) {
+			log.Printf("[DEBUG] Checking if KMS key %s rotation status is %t",
+				d.Id(), shouldEnableRotation)
+			resp, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
+				KeyId: aws.String(d.Id()),
+			})
+			if err != nil {
+				return resp, "FAILED", err
+			}
+			status := fmt.Sprintf("%t", *resp.KeyRotationEnabled)
+			log.Printf("[DEBUG] KMS key %s rotation status received: %s, retrying", d.Id(), status)
+
+			return resp, status, nil
+		},
+	}
+
+	_, err = wait.WaitForState()
+	if err != nil {
+		return fmt.Errorf("Failed setting KMS key rotation status to %t: %s", shouldEnableRotation, err)
+	}
+
+	return nil
+}
+
+func resourceAwsKmsKeyDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).kmsconn
+	keyId := d.Get("key_id").(string)
+
+	req := &kms.ScheduleKeyDeletionInput{
+		KeyId: aws.String(keyId),
+	}
+	if v, exists := d.GetOk("deletion_window_in_days"); exists {
+		req.PendingWindowInDays = aws.Int64(int64(v.(int)))
+	}
+	_, err := conn.ScheduleKeyDeletion(req)
+	if err != nil {
+		return err
+	}
+
+	// Wait for propagation since KMS is eventually consistent
+	wait := resource.StateChangeConf{
+		Pending:                   []string{"Enabled", "Disabled"},
+		Target:                    []string{"PendingDeletion"},
+		Timeout:                   20 * time.Minute,
+		MinTimeout:                2 * time.Second,
+		ContinuousTargetOccurence: 10,
+		Refresh: func() (interface{}, string, error) {
+			log.Printf("[DEBUG] Checking if KMS key %s state is PendingDeletion", keyId)
+			resp, err := conn.DescribeKey(&kms.DescribeKeyInput{
+				KeyId: aws.String(keyId),
+			})
+			if err != nil {
+				return resp, "Failed", err
+			}
+
+			metadata := *resp.KeyMetadata
+			log.Printf("[DEBUG] KMS key %s state is %s, retrying", keyId, *metadata.KeyState)
+
+			return resp, *metadata.KeyState, nil
+		},
+	}
+
+	_, err = wait.WaitForState()
+	if err != nil {
+		return fmt.Errorf("Failed deactivating KMS key %s: %s", keyId, err)
+	}
+
+	log.Printf("[DEBUG] KMS Key %s deactivated.", keyId)
+	d.SetId("")
+	return nil
+}

builtin/providers/aws/resource_aws_kms_key_test.go

@@ -0,0 +1,189 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSKmsKey_basic(t *testing.T) {
+	var keyBefore, keyAfter kms.KeyMetadata
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSKmsKey,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyBefore),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSKmsKey_removedPolicy,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsKeyExists("aws_kms_key.foo", &keyAfter),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSKmsKey_isEnabled(t *testing.T) {
+	var key1, key2, key3 kms.KeyMetadata
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSKmsKeyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSKmsKey_enabledRotation,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key1),
+					resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
+					testAccCheckAWSKmsKeyIsEnabled(&key1, true),
+					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSKmsKey_disabled,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key2),
+					resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "false"),
+					testAccCheckAWSKmsKeyIsEnabled(&key2, false),
+					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "false"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSKmsKey_enabled,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSKmsKeyExists("aws_kms_key.bar", &key3),
+					resource.TestCheckResourceAttr("aws_kms_key.bar", "is_enabled", "true"),
+					testAccCheckAWSKmsKeyIsEnabled(&key3, true),
+					resource.TestCheckResourceAttr("aws_kms_key.bar", "enable_key_rotation", "true"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckAWSKmsKeyDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).kmsconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_kms_key" {
+			continue
+		}
+
+		out, err := conn.DescribeKey(&kms.DescribeKeyInput{
+			KeyId: aws.String(rs.Primary.ID),
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if *out.KeyMetadata.KeyState == "PendingDeletion" {
+			return nil
+		}
+
+		return fmt.Errorf("KMS key still exists:\n%#v", out.KeyMetadata)
+	}
+
+	return nil
+}
+
+func testAccCheckAWSKmsKeyExists(name string, key *kms.KeyMetadata) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No KMS Key ID is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).kmsconn
+
+		out, err := conn.DescribeKey(&kms.DescribeKeyInput{
+			KeyId: aws.String(rs.Primary.ID),
+		})
+		if err != nil {
+			return err
+		}
+
+		*key = *out.KeyMetadata
+
+		return nil
+	}
+}
+
+func testAccCheckAWSKmsKeyIsEnabled(key *kms.KeyMetadata, isEnabled bool) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if *key.Enabled != isEnabled {
+			return fmt.Errorf("Expected key %q to have is_enabled=%t, given %t",
+				*key.Arn, isEnabled, *key.Enabled)
+		}
+
+		return nil
+	}
+}
+
+var kmsTimestamp = time.Now().Format(time.RFC1123)
+var testAccAWSKmsKey = fmt.Sprintf(`
+resource "aws_kms_key" "foo" {
+    description = "Terraform acc test %s"
+    deletion_window_in_days = 7
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "kms:*",
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}`, kmsTimestamp)
+
+var testAccAWSKmsKey_removedPolicy = fmt.Sprintf(`
+resource "aws_kms_key" "foo" {
+    description = "Terraform acc test %s"
+    deletion_window_in_days = 7
+}`, kmsTimestamp)
+
+var testAccAWSKmsKey_enabledRotation = fmt.Sprintf(`
+resource "aws_kms_key" "bar" {
+    description = "Terraform acc test is_enabled %s"
+    deletion_window_in_days = 7
+    enable_key_rotation = true
+}`, kmsTimestamp)
+var testAccAWSKmsKey_disabled = fmt.Sprintf(`
+resource "aws_kms_key" "bar" {
+    description = "Terraform acc test is_enabled %s"
+    deletion_window_in_days = 7
+    enable_key_rotation = false
+    is_enabled = false
+}`, kmsTimestamp)
+var testAccAWSKmsKey_enabled = fmt.Sprintf(`
+resource "aws_kms_key" "bar" {
+    description = "Terraform acc test is_enabled %s"
+    deletion_window_in_days = 7
+    enable_key_rotation = true
+    is_enabled = true
+}`, kmsTimestamp)

vendor/github.com/aws/aws-sdk-go/service/kms/kmsiface/interface.go

@@ -0,0 +1,138 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+// Package kmsiface provides an interface for the AWS Key Management Service.
+package kmsiface
+
+import (
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/service/kms"
+)
+
+// KMSAPI is the interface type for kms.KMS.
+type KMSAPI interface {
+	CancelKeyDeletionRequest(*kms.CancelKeyDeletionInput) (*request.Request, *kms.CancelKeyDeletionOutput)
+
+	CancelKeyDeletion(*kms.CancelKeyDeletionInput) (*kms.CancelKeyDeletionOutput, error)
+
+	CreateAliasRequest(*kms.CreateAliasInput) (*request.Request, *kms.CreateAliasOutput)
+
+	CreateAlias(*kms.CreateAliasInput) (*kms.CreateAliasOutput, error)
+
+	CreateGrantRequest(*kms.CreateGrantInput) (*request.Request, *kms.CreateGrantOutput)
+
+	CreateGrant(*kms.CreateGrantInput) (*kms.CreateGrantOutput, error)
+
+	CreateKeyRequest(*kms.CreateKeyInput) (*request.Request, *kms.CreateKeyOutput)
+
+	CreateKey(*kms.CreateKeyInput) (*kms.CreateKeyOutput, error)
+
+	DecryptRequest(*kms.DecryptInput) (*request.Request, *kms.DecryptOutput)
+
+	Decrypt(*kms.DecryptInput) (*kms.DecryptOutput, error)
+
+	DeleteAliasRequest(*kms.DeleteAliasInput) (*request.Request, *kms.DeleteAliasOutput)
+
+	DeleteAlias(*kms.DeleteAliasInput) (*kms.DeleteAliasOutput, error)
+
+	DescribeKeyRequest(*kms.DescribeKeyInput) (*request.Request, *kms.DescribeKeyOutput)
+
+	DescribeKey(*kms.DescribeKeyInput) (*kms.DescribeKeyOutput, error)
+
+	DisableKeyRequest(*kms.DisableKeyInput) (*request.Request, *kms.DisableKeyOutput)
+
+	DisableKey(*kms.DisableKeyInput) (*kms.DisableKeyOutput, error)
+
+	DisableKeyRotationRequest(*kms.DisableKeyRotationInput) (*request.Request, *kms.DisableKeyRotationOutput)
+
+	DisableKeyRotation(*kms.DisableKeyRotationInput) (*kms.DisableKeyRotationOutput, error)
+
+	EnableKeyRequest(*kms.EnableKeyInput) (*request.Request, *kms.EnableKeyOutput)
+
+	EnableKey(*kms.EnableKeyInput) (*kms.EnableKeyOutput, error)
+
+	EnableKeyRotationRequest(*kms.EnableKeyRotationInput) (*request.Request, *kms.EnableKeyRotationOutput)
+
+	EnableKeyRotation(*kms.EnableKeyRotationInput) (*kms.EnableKeyRotationOutput, error)
+
+	EncryptRequest(*kms.EncryptInput) (*request.Request, *kms.EncryptOutput)
+
+	Encrypt(*kms.EncryptInput) (*kms.EncryptOutput, error)
+
+	GenerateDataKeyRequest(*kms.GenerateDataKeyInput) (*request.Request, *kms.GenerateDataKeyOutput)
+
+	GenerateDataKey(*kms.GenerateDataKeyInput) (*kms.GenerateDataKeyOutput, error)
+
+	GenerateDataKeyWithoutPlaintextRequest(*kms.GenerateDataKeyWithoutPlaintextInput) (*request.Request, *kms.GenerateDataKeyWithoutPlaintextOutput)
+
+	GenerateDataKeyWithoutPlaintext(*kms.GenerateDataKeyWithoutPlaintextInput) (*kms.GenerateDataKeyWithoutPlaintextOutput, error)
+
+	GenerateRandomRequest(*kms.GenerateRandomInput) (*request.Request, *kms.GenerateRandomOutput)
+
+	GenerateRandom(*kms.GenerateRandomInput) (*kms.GenerateRandomOutput, error)
+
+	GetKeyPolicyRequest(*kms.GetKeyPolicyInput) (*request.Request, *kms.GetKeyPolicyOutput)
+
+	GetKeyPolicy(*kms.GetKeyPolicyInput) (*kms.GetKeyPolicyOutput, error)
+
+	GetKeyRotationStatusRequest(*kms.GetKeyRotationStatusInput) (*request.Request, *kms.GetKeyRotationStatusOutput)
+
+	GetKeyRotationStatus(*kms.GetKeyRotationStatusInput) (*kms.GetKeyRotationStatusOutput, error)
+
+	ListAliasesRequest(*kms.ListAliasesInput) (*request.Request, *kms.ListAliasesOutput)
+
+	ListAliases(*kms.ListAliasesInput) (*kms.ListAliasesOutput, error)
+
+	ListAliasesPages(*kms.ListAliasesInput, func(*kms.ListAliasesOutput, bool) bool) error
+
+	ListGrantsRequest(*kms.ListGrantsInput) (*request.Request, *kms.ListGrantsResponse)
+
+	ListGrants(*kms.ListGrantsInput) (*kms.ListGrantsResponse, error)
+
+	ListGrantsPages(*kms.ListGrantsInput, func(*kms.ListGrantsResponse, bool) bool) error
+
+	ListKeyPoliciesRequest(*kms.ListKeyPoliciesInput) (*request.Request, *kms.ListKeyPoliciesOutput)
+
+	ListKeyPolicies(*kms.ListKeyPoliciesInput) (*kms.ListKeyPoliciesOutput, error)
+
+	ListKeyPoliciesPages(*kms.ListKeyPoliciesInput, func(*kms.ListKeyPoliciesOutput, bool) bool) error
+
+	ListKeysRequest(*kms.ListKeysInput) (*request.Request, *kms.ListKeysOutput)
+
+	ListKeys(*kms.ListKeysInput) (*kms.ListKeysOutput, error)
+
+	ListKeysPages(*kms.ListKeysInput, func(*kms.ListKeysOutput, bool) bool) error
+
+	ListRetirableGrantsRequest(*kms.ListRetirableGrantsInput) (*request.Request, *kms.ListGrantsResponse)
+
+	ListRetirableGrants(*kms.ListRetirableGrantsInput) (*kms.ListGrantsResponse, error)
+
+	PutKeyPolicyRequest(*kms.PutKeyPolicyInput) (*request.Request, *kms.PutKeyPolicyOutput)
+
+	PutKeyPolicy(*kms.PutKeyPolicyInput) (*kms.PutKeyPolicyOutput, error)
+
+	ReEncryptRequest(*kms.ReEncryptInput) (*request.Request, *kms.ReEncryptOutput)
+
+	ReEncrypt(*kms.ReEncryptInput) (*kms.ReEncryptOutput, error)
+
+	RetireGrantRequest(*kms.RetireGrantInput) (*request.Request, *kms.RetireGrantOutput)
+
+	RetireGrant(*kms.RetireGrantInput) (*kms.RetireGrantOutput, error)
+
+	RevokeGrantRequest(*kms.RevokeGrantInput) (*request.Request, *kms.RevokeGrantOutput)
+
+	RevokeGrant(*kms.RevokeGrantInput) (*kms.RevokeGrantOutput, error)
+
+	ScheduleKeyDeletionRequest(*kms.ScheduleKeyDeletionInput) (*request.Request, *kms.ScheduleKeyDeletionOutput)
+
+	ScheduleKeyDeletion(*kms.ScheduleKeyDeletionInput) (*kms.ScheduleKeyDeletionOutput, error)
+
+	UpdateAliasRequest(*kms.UpdateAliasInput) (*request.Request, *kms.UpdateAliasOutput)
+
+	UpdateAlias(*kms.UpdateAliasInput) (*kms.UpdateAliasOutput, error)
+
+	UpdateKeyDescriptionRequest(*kms.UpdateKeyDescriptionInput) (*request.Request, *kms.UpdateKeyDescriptionOutput)
+
+	UpdateKeyDescription(*kms.UpdateKeyDescriptionInput) (*kms.UpdateKeyDescriptionOutput, error)
+}
+
+var _ KMSAPI = (*kms.KMS)(nil)

vendor/github.com/aws/aws-sdk-go/service/kms/service.go

@@ -0,0 +1,146 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+package kms
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
+	"github.com/aws/aws-sdk-go/private/signer/v4"
+)
+
+// AWS Key Management Service (AWS KMS) is an encryption and key management
+// web service. This guide describes the AWS KMS operations that you can call
+// programmatically. For general information about AWS KMS, see the AWS Key
+// Management Service Developer Guide (http://docs.aws.amazon.com/kms/latest/developerguide/).
+//
+//  AWS provides SDKs that consist of libraries and sample code for various
+// programming languages and platforms (Java, Ruby, .Net, iOS, Android, etc.).
+// The SDKs provide a convenient way to create programmatic access to AWS KMS
+// and other AWS services. For example, the SDKs take care of tasks such as
+// signing requests (see below), managing errors, and retrying requests automatically.
+// For more information about the AWS SDKs, including how to download and install
+// them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/).
+//
+//  We recommend that you use the AWS SDKs to make programmatic API calls to
+// AWS KMS.
+//
+// Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS
+// 1.2. Clients must also support cipher suites with Perfect Forward Secrecy
+// (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral
+// Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support
+// these modes.
+//
+// Signing Requests
+//
+// Requests must be signed by using an access key ID and a secret access key.
+// We strongly recommend that you do not use your AWS account access key ID
+// and secret key for everyday work with AWS KMS. Instead, use the access key
+// ID and secret access key for an IAM user, or you can use the AWS Security
+// Token Service to generate temporary security credentials that you can use
+// to sign requests.
+//
+// All AWS KMS operations require Signature Version 4 (http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).
+//
+// Logging API Requests
+//
+// AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related
+// events for your AWS account and delivers them to an Amazon S3 bucket that
+// you specify. By using the information collected by CloudTrail, you can determine
+// what requests were made to AWS KMS, who made the request, when it was made,
+// and so on. To learn more about CloudTrail, including how to turn it on and
+// find your log files, see the AWS CloudTrail User Guide (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+//
+// Additional Resources
+//
+// For more information about credentials and request signing, see the following:
+//
+//   AWS Security Credentials (http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html)
+// - This topic provides general information about the types of credentials
+// used for accessing AWS.   AWS Security Token Service (http://docs.aws.amazon.com/STS/latest/UsingSTS/)
+// - This guide describes how to create and use temporary security credentials.
+//   Signing AWS API Requests (http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
+// - This set of topics walks you through the process of signing a request using
+// an access key ID and a secret access key.   Commonly Used APIs
+//
+//  Of the APIs discussed in this guide, the following will prove the most
+// useful for most applications. You will likely perform actions other than
+// these, such as creating keys and assigning policies, by using the console.
+//
+//  Encrypt Decrypt GenerateDataKey GenerateDataKeyWithoutPlaintext
+//The service client's operations are safe to be used concurrently.
+// It is not safe to mutate any of the client's properties though.
+type KMS struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// A ServiceName is the name of the service the client will make API calls to.
+const ServiceName = "kms"
+
+// New creates a new instance of the KMS client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//     // Create a KMS client from just a session.
+//     svc := kms.New(mySession)
+//
+//     // Create a KMS client with additional configuration
+//     svc := kms.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *KMS {
+	c := p.ClientConfig(ServiceName, cfgs...)
+	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion string) *KMS {
+	svc := &KMS{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:   ServiceName,
+				SigningRegion: signingRegion,
+				Endpoint:      endpoint,
+				APIVersion:    "2014-11-01",
+				JSONVersion:   "1.1",
+				TargetPrefix:  "TrentService",
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBack(v4.Sign)
+	svc.Handlers.Build.PushBack(jsonrpc.Build)
+	svc.Handlers.Unmarshal.PushBack(jsonrpc.Unmarshal)
+	svc.Handlers.UnmarshalMeta.PushBack(jsonrpc.UnmarshalMeta)
+	svc.Handlers.UnmarshalError.PushBack(jsonrpc.UnmarshalError)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a KMS operation and runs any
+// custom request initialization.
+func (c *KMS) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}

website/source/docs/providers/aws/r/kms_alias.html.markdown

@@ -0,0 +1,38 @@
+---
+layout: "aws"
+page_title: "AWS: aws_kms_alias"
+sidebar_current: "docs-aws-resource-kms-alias"
+description: |-
+  Provides a display name for a customer master key.
+---
+
+# aws\_kms\_alias
+
+Provides an alias for a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys,
+but API (hence Terraform too) allows you to create as many aliases as
+the [account limits](http://docs.aws.amazon.com/kms/latest/developerguide/limits.html) allow you.
+
+## Example Usage
+
+```
+resource "aws_kms_key" "a" {
+}
+
+resource "aws_kms_alias" "a" {
+    name = "alias/my-key-alias"
+    target_key_id = "${aws_kms_key.a.key_id}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The display name of the alias. The name must start with the word "alias" followed by a forward slash (alias/)
+* `target_key_id` - (Required) Identifier for the key for which the alias is for, can be either an ARN or key_id.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `arn` - The Amazon Resource Name (ARN) of the key alias.

website/source/docs/providers/aws/r/kms_key.html.markdown

@@ -0,0 +1,41 @@
+---
+layout: "aws"
+page_title: "AWS: aws_kms_key"
+sidebar_current: "docs-aws-resource-kms-key"
+description: |-
+  Provides a KMS customer master key.
+---
+
+# aws\_kms\_key
+
+Provides a KMS customer master key.
+
+## Example Usage
+
+```
+resource "aws_kms_key" "a" {
+    description = "KMS key 1"
+    deletion_window_in_days = 10
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `description` - (Optional) The description of the key as viewed in AWS console.
+* `key_usage` - (Optional) Specifies the intended use of the key.
+	Defaults to ENCRYPT/DECRYPT, and only symmetric encryption and decryption are supported.
+* `policy` - (Optional) A valid policy JSON document.
+* `deletion_window_in_days` - (Optional) Duration in days after which the key is deleted
+	after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
+* `is_enabled` - (Optional) Specifies whether the key is enabled. Defaults to true.
+* `enable_key_rotation` - (Optional) Specifies whether [key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
+	is enabled. Defaults to false.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `arn` - The Amazon Resource Name (ARN) of the key.
+* `key_id` - The globally unique identifier for the key.

website/source/layouts/aws.erb

@@ -410,6 +410,20 @@
                 </ul>
               </li>
 
+              <li<%= sidebar_current(/^docs-aws-resource-kms/) %>>
+                <a href="#">KMS Resources</a>
+                <ul class="nav nav-visible">
+
+                  <li<%= sidebar_current("docs-aws-resource-kms-key") %>>
+                    <a href="/docs/providers/aws/r/kms_key.html">aws_kms_key</a>
+                  </li>
+                  <li<%= sidebar_current("docs-aws-resource-kms-alias") %>>
+                    <a href="/docs/providers/aws/r/kms_alias.html">aws_kms_alias</a>
+                  </li>
+
+                </ul>
+              </li>
+
               <li<%= sidebar_current(/^docs-aws-resource-lambda/) %>>
                   <a href="#">Lambda Resources</a>
                   <ul class="nav nav-visible">