Merged
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.96.1
rev: v1.99.4
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
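Review bot: `rev: v1.99.4` pins the pre-commit-terraform hooks to a mutable git tag; for supply-chain hygiene consider pinning `rev` to the full commit SHA of that tag (pre-commit accepts a SHA there), since a retargeted tag would silently change the hooks that run on every commit. Be aware that `pre-commit autoupdate` rewrites `rev` back to a tag, so a SHA pin needs a manual bump process.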
16 changes: 9 additions & 7 deletions README.md
Expand Up @@ -146,14 +146,14 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.49 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.49 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |

## Modules
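Review bot: raising the `aws` requirement from `>= 5.49` to `>= 6.0` is a breaking change for every consumer still on the 5.x provider, so this should ship as a major release of the module with an upgrade note; the Terraform floor moving from `>= 1.3` to `>= 1.5.7` in the same hunk is a second breaking floor and deserves the same call-out in the changelog.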

Expand All @@ -180,7 +180,7 @@ No modules.
| <a name="input_aliases"></a> [aliases](#input\_aliases) | A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values | `list(string)` | `[]` | no |
| <a name="input_aliases_use_name_prefix"></a> [aliases\_use\_name\_prefix](#input\_aliases\_use\_name\_prefix) | Determines whether the alias name is used as a prefix | `bool` | `false` | no |
| <a name="input_bypass_policy_lockout_safety_check"></a> [bypass\_policy\_lockout\_safety\_check](#input\_bypass\_policy\_lockout\_safety\_check) | A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable | `bool` | `null` | no |
| <a name="input_computed_aliases"></a> [computed\_aliases](#input\_computed\_aliases) | A map of aliases to create. Values provided via the `name` key of the map can be computed from upstream resources | `any` | `{}` | no |
| <a name="input_computed_aliases"></a> [computed\_aliases](#input\_computed\_aliases) | A map of aliases to create. Values provided via the `name` key of the map can be computed from upstream resources | <pre>map(object({<br/> name = string<br/> }))</pre> | `{}` | no |
| <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
| <a name="input_create_external"></a> [create\_external](#input\_create\_external) | Determines whether an external CMK (externally provided material) will be created or a standard CMK (AWS provided material) | `bool` | `false` | no |
| <a name="input_create_replica"></a> [create\_replica](#input\_create\_replica) | Determines whether a replica standard CMK will be created (AWS provided material) | `bool` | `false` | no |
Expand All @@ -192,7 +192,7 @@ No modules.
| <a name="input_enable_default_policy"></a> [enable\_default\_policy](#input\_enable\_default\_policy) | Specifies whether to enable the default key policy. Defaults to `true` | `bool` | `true` | no |
| <a name="input_enable_key_rotation"></a> [enable\_key\_rotation](#input\_enable\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to `true` | `bool` | `true` | no |
| <a name="input_enable_route53_dnssec"></a> [enable\_route53\_dnssec](#input\_enable\_route53\_dnssec) | Determines whether the KMS policy used for Route53 DNSSEC signing is enabled | `bool` | `false` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A map of grant definitions to create | `any` | `{}` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A map of grant definitions to create | <pre>map(object({<br/> constraints = optional(list(object({<br/> encryption_context_equals = optional(map(string))<br/> encryption_context_subset = optional(map(string))<br/> })))<br/> grant_creation_tokens = optional(list(string))<br/> grantee_principal = string<br/> name = optional(string) # Will fall back to use map key<br/> operations = list(string)<br/> retire_on_delete = optional(bool)<br/> retiring_principal = optional(string)<br/> }))</pre> | `null` | no |
| <a name="input_is_enabled"></a> [is\_enabled](#input\_is\_enabled) | Specifies whether the key is enabled. Defaults to `true` | `bool` | `null` | no |
| <a name="input_key_administrators"></a> [key\_administrators](#input\_key\_administrators) | A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators) | `list(string)` | `[]` | no |
| <a name="input_key_asymmetric_public_encryption_users"></a> [key\_asymmetric\_public\_encryption\_users](#input\_key\_asymmetric\_public\_encryption\_users) | A list of IAM ARNs for [key asymmetric public encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
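Review bot: the default for `grants` moves from `{}` to `null` while the type becomes `map(object({...}))`; any `for_each = var.grants` in the module now needs a guard such as `for_each = { for k, v in coalesce(var.grants, {}) : k => v }`, since `for_each` over `null` fails at plan time. The stricter type is welcome: a misspelled key such as `grantee_principal` or `encryption_context_equals` is now rejected at validation instead of being silently ignored under `any`.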
Expand All @@ -202,7 +202,7 @@ No modules.
| <a name="input_key_owners"></a> [key\_owners](#input\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
| <a name="input_key_service_roles_for_autoscaling"></a> [key\_service\_roles\_for\_autoscaling](#input\_key\_service\_roles\_for\_autoscaling) | A list of IAM ARNs for [AWSServiceRoleForAutoScaling roles](https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access) | `list(string)` | `[]` | no |
| <a name="input_key_service_users"></a> [key\_service\_users](#input\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
| <a name="input_key_statements"></a> [key\_statements](#input\_key\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
| <a name="input_key_statements"></a> [key\_statements](#input\_key\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>list(object({<br/> sid = optional(string)<br/> actions = optional(list(string))<br/> not_actions = optional(list(string))<br/> effect = optional(string)<br/> resources = optional(list(string))<br/> not_resources = optional(list(string))<br/> principals = optional(list(object({<br/> type = string<br/> identifiers = list(string)<br/> })))<br/> not_principals = optional(list(object({<br/> type = string<br/> identifiers = list(string)<br/> })))<br/> condition = optional(list(object({<br/> test = string<br/> values = list(string)<br/> variable = string<br/> })))<br/> }))</pre> | `null` | no |
| <a name="input_key_symmetric_encryption_users"></a> [key\_symmetric\_encryption\_users](#input\_key\_symmetric\_encryption\_users) | A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
| <a name="input_key_usage"></a> [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. Defaults to `ENCRYPT_DECRYPT` | `string` | `null` | no |
| <a name="input_key_users"></a> [key\_users](#input\_key\_users) | A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users) | `list(string)` | `[]` | no |
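Review bot: the description still reads "A map of IAM policy statements" while the type is now `list(object({...}))` with default `null`; update the variable description (this README is terraform-docs output, so the fix belongs in `variables.tf`) so consumers do not pass a map. The same `null` guard noted for `grants` applies to whatever iterates `var.key_statements` when building the policy document.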
Expand All @@ -211,8 +211,9 @@ No modules.
| <a name="input_policy"></a> [policy](#input\_policy) | A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used | `string` | `null` | no |
| <a name="input_primary_external_key_arn"></a> [primary\_external\_key\_arn](#input\_primary\_external\_key\_arn) | The primary external key arn of a multi-region replica external key | `string` | `null` | no |
| <a name="input_primary_key_arn"></a> [primary\_key\_arn](#input\_primary\_key\_arn) | The primary key arn of a multi-region replica key | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
| <a name="input_rotation_period_in_days"></a> [rotation\_period\_in\_days](#input\_rotation\_period\_in\_days) | Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive) | `number` | `null` | no |
| <a name="input_route53_dnssec_sources"></a> [route53\_dnssec\_sources](#input\_route53\_dnssec\_sources) | A list of maps containing `account_ids` and Route53 `hosted_zone_arn` that will be allowed to sign DNSSEC records | `list(any)` | `[]` | no |
| <a name="input_route53_dnssec_sources"></a> [route53\_dnssec\_sources](#input\_route53\_dnssec\_sources) | A list of maps containing `account_ids` and Route53 `hosted_zone_arn` that will be allowed to sign DNSSEC records | <pre>list(object({<br/> account_ids = optional(list(string))<br/> hosted_zone_arn = optional(string)<br/> }))</pre> | `null` | no |
| <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| <a name="input_valid_to"></a> [valid\_to](#input\_valid\_to) | Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire | `string` | `null` | no |
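Review bot: the new `region` input only takes effect with the resource-level `region` argument introduced in the AWS provider 6.0 line, which is exactly what the `aws >= 6.0` bump above provides; stating that dependency in the description would help consumers on older providers understand why the input is ignored or rejected. Also, `route53_dnssec_sources` moving from `list(any)` to a typed object means unknown or misspelled attributes are now errors rather than silently dropped, so examples passing such keys must be updated in the same change.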
Expand All @@ -229,6 +230,7 @@ No modules.
| <a name="output_key_arn"></a> [key\_arn](#output\_key\_arn) | The Amazon Resource Name (ARN) of the key |
| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | The globally unique identifier for the key |
| <a name="output_key_policy"></a> [key\_policy](#output\_key\_policy) | The IAM resource policy set on the key |
| <a name="output_key_region"></a> [key\_region](#output\_key\_region) | The region for the key |
<!-- END_TF_DOCS -->

## License
7 changes: 3 additions & 4 deletions examples/complete/README.md
Expand Up @@ -24,14 +24,14 @@ Note that this example may create resources which will incur monetary charges on

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.49 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.49 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |

## Modules

Expand All @@ -53,7 +53,6 @@ Note that this example may create resources which will incur monetary charges on
|------|------|
| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

60 changes: 28 additions & 32 deletions examples/complete/main.tf
Expand Up @@ -2,21 +2,26 @@ provider "aws" {
region = local.region
}

data "aws_caller_identity" "current" {}

locals {
region = "us-east-1"
name = "kms-ex-${replace(basename(path.cwd), "_", "-")}"
region_secondary = "eu-west-1"
name = "kms-ex-${basename(path.cwd)}"

account_id = data.aws_caller_identity.current.account_id
current_identity = data.aws_caller_identity.current.arn

# Removes noise from hh:mm:ss in the timestamp
valid_to = replace(timeadd(plantimestamp(), "4380h"), "/T.*/", "T00:00:00Z") # 6 months

tags = {
Name = local.name
Example = "complete"
Repository = "https://github.com/terraform-aws-modules/terraform-aws-kms"
}
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

################################################################################
# KMS Module
################################################################################
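Review bot: `valid_to = replace(timeadd(plantimestamp(), "4380h"), ...)` is re-evaluated on every plan, so the external keys' `valid_to` advances by a day each calendar day and every subsequent apply will update the key material expiry; since `lifecycle { ignore_changes }` cannot be set on a module call, either use a fixed date here or say in the comment that the daily drift is accepted for an example. The comment says "6 months" while `4380h` is 182.5 days, fine as an approximation but worth stating. Dropping `replace(..., "_", "-")` from `name` also changes behaviour for directory names containing underscores.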
Expand All @@ -37,7 +42,7 @@ module "kms_complete" {
key_administrators = [local.current_identity]
key_users = [local.current_identity]
key_service_users = [local.current_identity]
key_service_roles_for_autoscaling = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]
key_service_roles_for_autoscaling = ["arn:aws:iam::${local.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]
key_symmetric_encryption_users = [local.current_identity]
key_hmac_users = [local.current_identity]
key_asymmetric_public_encryption_users = [local.current_identity]
Expand All @@ -57,16 +62,16 @@ module "kms_complete" {
principals = [
{
type = "Service"
identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
identifiers = ["logs.${local.region}.amazonaws.com"]
}
]

conditions = [
condition = [
{
test = "ArnLike"
variable = "kms:EncryptionContext:aws:logs:arn"
values = [
"arn:aws:logs:${local.region}:${data.aws_caller_identity.current.account_id}:log-group:*",
"arn:aws:logs:${local.region}:${local.account_id}:log-group:*",
]
}
]
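Review bot: the `conditions` -> `condition` rename is required by the new `key_statements` object type (its attribute is `condition`), so the old key would now fail validation rather than being quietly dropped as it was under `any`; good. The encryption-context condition still allows `log-group:*` across the whole account, so the `logs.<region>.amazonaws.com` principal can use this key for any log group; for a real deployment scope the ARN pattern to the specific log groups that need it.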
Expand All @@ -92,11 +97,11 @@ module "kms_complete" {
lambda = {
grantee_principal = aws_iam_role.lambda.arn
operations = ["Encrypt", "Decrypt", "GenerateDataKey"]
constraints = {
constraints = [{
encryption_context_equals = {
Department = "Finance"
}
}
}]
}
}

Expand All @@ -112,7 +117,7 @@ module "kms_external" {
is_enabled = true
key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
multi_region = false
valid_to = "2023-11-21T23:20:50Z"
valid_to = local.valid_to

tags = local.tags
}
Expand All @@ -129,8 +134,8 @@ module "kms_dnssec_signing" {
enable_key_rotation = false
route53_dnssec_sources = [
{
accounts_ids = [data.aws_caller_identity.current.account_id] # can ommit if using current account ID which is default
hosted_zone_arn = "arn:aws:route53:::hostedzone/*" # can ommit, this is default value
accounts_ids = [local.account_id] # can ommit if using current account ID which is default
hosted_zone_arn = "arn:aws:route53:::hostedzone/*" # can ommit, this is default value
}
]
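Review bot: `accounts_ids` on both changed lines does not match the `account_ids` attribute of the new `route53_dnssec_sources` object type documented in README, so with the strict type this example now fails with an unexpected-attribute error, whereas the old `list(any)` silently ignored the misspelled key and fell back to the current account. Rename it to `account_ids`, and fix "ommit" -> "omit" in both comments while here.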

Expand Down Expand Up @@ -170,14 +175,11 @@ module "kms_primary" {
tags = local.tags
}

provider "aws" {
region = "eu-west-1"
alias = "replica"
}

module "kms_replica" {
source = "../.."

region = local.region_secondary

deletion_window_in_days = 7
description = "Replica key example showing various configurations available"
create_replica = true
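Review bot: replacing the `aws.replica` aliased provider with `region = local.region_secondary` depends on every resource inside the module forwarding `var.region` (the provider 6.0 per-resource `region` argument); confirm the replica key, alias and grant resources all do, otherwise the "replica" lands in the primary region with no error. Consumers who followed the old `providers = { aws = aws.replica }` pattern will also need a short migration note.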
Expand Down Expand Up @@ -206,19 +208,15 @@ module "kms_replica" {
lambda = {
grantee_principal = aws_iam_role.lambda.arn
operations = ["Encrypt", "Decrypt", "GenerateDataKey"]
constraints = {
constraints = [{
encryption_context_equals = {
Department = "Finance"
}
}
}]
}
}

tags = local.tags

providers = {
aws = aws.replica
}
}

################################################################################
Expand All @@ -234,7 +232,7 @@ module "kms_primary_external" {
create_external = true
key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
multi_region = true
valid_to = "2023-11-21T23:20:50Z"
valid_to = local.valid_to

aliases = ["primary-external"]

Expand All @@ -244,14 +242,16 @@ module "kms_primary_external" {
module "kms_replica_external" {
source = "../.."

region = local.region_secondary

deletion_window_in_days = 7
description = "Replica external key example showing various configurations available"
create_replica_external = true
is_enabled = true
# key material must be the same as the primary's
key_material_base64 = "Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY="
primary_external_key_arn = module.kms_primary_external.key_arn
valid_to = "2023-11-21T23:20:50Z"
valid_to = local.valid_to

aliases = ["replica-external"]

Expand All @@ -260,19 +260,15 @@ module "kms_replica_external" {
lambda = {
grantee_principal = aws_iam_role.lambda.arn
operations = ["Encrypt", "Decrypt", "GenerateDataKey"]
constraints = {
constraints = [{
encryption_context_equals = {
Department = "Finance"
}
}
}]
}
}

tags = local.tags

providers = {
aws = aws.replica
}
}

################################################################################
7 changes: 5 additions & 2 deletions examples/complete/outputs.tf
Expand Up @@ -40,6 +40,7 @@ output "complete_aliases" {
output "complete_grants" {
description = "A map of grants created and their attributes"
value = module.kms_complete.grants
sensitive = true
}
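Review bot: `sensitive = true` on the grants outputs keeps grant tokens out of plan/apply console output and of `terraform output` without `-json`, which is appropriate; it does not protect them in state, so the state backend still needs access control and encryption at rest. The flag is applied consistently to all five `*_grants` outputs below.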

################################################################################
Expand Down Expand Up @@ -84,6 +85,7 @@ output "external_aliases" {
output "external_grants" {
description = "A map of grants created and their attributes"
value = module.kms_external.grants
sensitive = true
}

################################################################################
Expand Down Expand Up @@ -128,9 +130,9 @@ output "default_aliases" {
output "default_grants" {
description = "A map of grants created and their attributes"
value = module.kms_default.grants
sensitive = true
}


################################################################################
# Replica
################################################################################
Expand Down Expand Up @@ -173,9 +175,9 @@ output "replica_aliases" {
output "replica_grants" {
description = "A map of grants created and their attributes"
value = module.kms_replica.grants
sensitive = true
}


################################################################################
# Replica External
################################################################################
Expand Down Expand Up @@ -218,4 +220,5 @@ output "replica_external_aliases" {
output "replica_external_grants" {
description = "A map of grants created and their attributes"
value = module.kms_replica_external.grants
sensitive = true
}
4 changes: 2 additions & 2 deletions examples/complete/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.3"
required_version = ">= 1.5.7"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.49"
version = ">= 6.0"
}
}
}
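Review bot: the `>= 1.5.7` floor is consistent with the example's new use of `plantimestamp()` in `main.tf`, a function added in Terraform 1.5; the root module's README carries the same bump, so if the module itself uses no 1.5-only features that floor should be justified separately in the changelog rather than inherited from the example.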