diff --git a/README.md b/README.md
index e2f734e..c3f3e1d 100644
--- a/README.md
+++ b/README.md
@@ -147,13 +147,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.5.7 |
-| [aws](#requirement\_aws) | >= 6.0 |
+| [aws](#requirement\_aws) | >= 6.11 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 6.0 |
+| [aws](#provider\_aws) | >= 6.11 |
 ## Modules
@@ -202,6 +202,7 @@ No modules.
 | [key\_owners](#input\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
 | [key\_service\_roles\_for\_autoscaling](#input\_key\_service\_roles\_for\_autoscaling) | A list of IAM ARNs for [AWSServiceRoleForAutoScaling roles](https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access) | `list(string)` | `[]` | no |
 | [key\_service\_users](#input\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
+| [key\_spec](#input\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_224, HMAC\_256, HMAC\_384, HMAC\_512, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, ECC\_SECG\_P256K1, ML\_DSA\_44, ML\_DSA\_65, ML\_DSA\_87, or SM2 (China Regions only). Defaults to SYMMETRIC\_DEFAULT | `string` | `null` | no |
 | [key\_statements](#input\_key\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage |
list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
})) | `null` | no |
| [key\_symmetric\_encryption\_users](#input\_key\_symmetric\_encryption\_users) | A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. Defaults to `ENCRYPT_DECRYPT` | `string` | `null` | no |
diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md
new file mode 100644
index 0000000..2e818e3
--- /dev/null
+++ b/UPGRADE-4.0.md
@@ -0,0 +1,162 @@
+# Upgrade from v3.x to v4.x
+
+If you have any questions regarding this upgrade process, please consult the [`examples/`](https://github.com/terraform-aws-modules/terraform-aws-kms/tree/master/examples) projects:
+
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Support for Terraform `<1.5.7` has been dropped; `1.5.7` is now the minimum supported version
+- Terraform AWS provider minimum version is now `v6.0.0` in order to support the `region` argument in resources
+- Variable `key_statements.conditions` is now `key_statements.condition`
+- Variable `grants.constraints` has changed to type list
+
+## Additional changes
+
+### Added
+
+- `region` to support creating resources in a different region than the provider region
+
+### Modified
+
+- `key_statements.conditions` changed to `key_statements.condition`
+- `grants.constrants` changed to type list
+
+### Variable and output changes
+
+1. Removed variables:
+
+ - None
+
+2. Renamed variables:
+
+ - `key_statements.conditions` -> `key_statements.condition`
+
+3. Added variables:
+
+ - `region`
+
+4. Removed outputs:
+
+ - None
+
+5. Renamed outputs:
+
+ - None
+
+6. Added outputs:
+
+ - `key_region` added to support output for setting the `region` variable
+
+## Upgrade Migrations
+
+The following examples demonstrate some of the changes that users can elect to make to avoid any potential disruptions when upgrading.
+
+### Before 3.x Example
+
+```hcl
+module "kms" {
+ source = "terraform-aws-modules/kms/aws"
+ version = "~> 3.0"
+
+ # Only the affected attributes are shown
+ key_statements = [
+ {
+ sid = "CloudWatchLogs"
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ resources = ["*"]
+
+ principals = [
+ {
+ type = "Service"
+ identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+ }
+ ]
+
+ conditions = [
+ {
+ test = "ArnLike"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = [
+ "arn:aws:logs:${local.region}:${data.aws_caller_identity.current.account_id}:log-group:*",
+ ]
+ }
+ ]
+ }
+ ]
+
+ # Grants
+ grants = {
+ lambda = {
+ grantee_principal = aws_iam_role.lambda.arn
+ operations = ["Encrypt", "Decrypt", "GenerateDataKey"]
+ constraints = {
+ encryption_context_equals = {
+ Department = "Finance"
+ }
+ }
+ }
+ }
+
+ tags = local.tags
+}
+```
+
+### After 4.x Example
+
+```hcl
+module "kms" {
+ source = "terraform-aws-modules/kms/aws"
+ version = "~> 4.0"
+
+ key_statements = [
+ {
+ sid = "CloudWatchLogs"
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ resources = ["*"]
+
+ principals = [
+ {
+ type = "Service"
+ identifiers = ["logs.${local.region}.amazonaws.com"]
+ }
+ ]
+
+ condition = [
+ {
+ test = "ArnLike"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = [
+ "arn:aws:logs:${local.region}:${local.account_id}:log-group:*",
+ ]
+ }
+ ]
+ }
+ ]
+
+ # Grants
+ grants = {
+ lambda = {
+ grantee_principal = aws_iam_role.lambda.arn
+ operations = ["Encrypt", "Decrypt", "GenerateDataKey"]
+ constraints = [{
+ encryption_context_equals = {
+ Department = "Finance"
+ }
+ }]
+ }
+ }
+}
+```
diff --git a/examples/complete/README.md b/examples/complete/README.md
index e612714..56ae0c0 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -25,13 +25,13 @@ Note that this example may create resources which will incur monetary charges on
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.5.7 |
-| [aws](#requirement\_aws) | >= 6.0 |
+| [aws](#requirement\_aws) | >= 6.11 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 6.0 |
+| [aws](#provider\_aws) | >= 6.11 |
## Modules
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index db13b0a..1dd135f 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 6.0"
+ version = ">= 6.11"
}
}
}
diff --git a/main.tf b/main.tf
index e724cb8..3410c53 100644
--- a/main.tf
+++ b/main.tf
@@ -49,6 +49,8 @@ resource "aws_kms_external_key" "this" {
description = var.description
enabled = var.is_enabled
key_material_base64 = var.key_material_base64
+ key_spec = var.key_spec
+ key_usage = var.key_usage
multi_region = var.multi_region
policy = coalesce(var.policy, data.aws_iam_policy_document.this[0].json)
valid_to = var.valid_to
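Review bot: `key_spec` and `key_usage` now decide what the external key can do, but the `policy` two lines below is still `coalesce(var.policy, data.aws_iam_policy_document.this[0].json)`, and the default document's user grants appear (from the README hunk) to be driven by symmetric-encryption inputs such as `key_symmetric_encryption_users`. If that document has no statements for `kms:Sign`/`kms:Verify` or `kms:GenerateMac`/`kms:VerifyMac`, an external key created with `SIGN_VERIFY` or an HMAC spec ends up with a key policy under which only `key_owners` (`kms:*`) can use it — worth confirming against the data source, which is outside this hunk. The imported material must also fit the chosen spec, so a comment above the two new lines, `# key_spec/key_usage must match the imported key_material_base64; a mismatch is rejected when the material is imported`, would save the next reader an apply-time failure. The provider bump to `>= 6.11` in the `versions.tf` hunks looks like it exists for these two arguments, yet the new `UPGRADE-4.0.md` in this same commit still states the minimum provider as `v6.0.0`. The `aws_kms_external_key` resource block starts and ends outside the hunk.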
diff --git a/variables.tf b/variables.tf
index 60e7983..6d676a2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -184,6 +184,12 @@ variable "key_statements" {
default = null
}
+variable "key_spec" {
+ description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_224, HMAC_256, HMAC_384, HMAC_512, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, ML_DSA_44, ML_DSA_65, ML_DSA_87, or SM2 (China Regions only). Defaults to SYMMETRIC_DEFAULT"
+ type = string
+ default = null
+}
+
variable "source_policy_documents" {
description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s"
type = list(string)
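Review bot: The `key_spec` description enumerates sixteen specs but says nothing about what changing the value does after creation; if the provider treats `key_spec` on `aws_kms_external_key` as replacement-forcing, as `customer_master_key_spec` is on `aws_kms_key`, editing it later replaces the CMK, and ciphertexts or signatures bound to the old key become unusable once the old key's deletion window passes. Appending `Changing this value after creation replaces the key` to the description (after confirming the provider behaviour) would make that cost visible where users set it. In this commit the variable only feeds `aws_kms_external_key`, i.e. imported key material, and not every spec in the general list is necessarily accepted for import, so the enumerated values should be checked against what KMS allows for imported material rather than copied from the key-spec list for native keys. No `validation` block is declared, so a mistyped spec is reported by the provider rather than as a variable error; acceptable, but worth a `validation` if the module validates its other enum-like inputs.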
diff --git a/versions.tf b/versions.tf
index db13b0a..1dd135f 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 6.0"
+ version = ">= 6.11"
}
}
}
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 2a5e231..dda712f 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -28,6 +28,7 @@ module "wrapper" {
key_owners = try(each.value.key_owners, var.defaults.key_owners, [])
key_service_roles_for_autoscaling = try(each.value.key_service_roles_for_autoscaling, var.defaults.key_service_roles_for_autoscaling, [])
key_service_users = try(each.value.key_service_users, var.defaults.key_service_users, [])
+ key_spec = try(each.value.key_spec, var.defaults.key_spec, null)
key_statements = try(each.value.key_statements, var.defaults.key_statements, null)
key_symmetric_encryption_users = try(each.value.key_symmetric_encryption_users, var.defaults.key_symmetric_encryption_users, [])
key_usage = try(each.value.key_usage, var.defaults.key_usage, null)
diff --git a/wrappers/versions.tf b/wrappers/versions.tf
index db13b0a..1dd135f 100644
--- a/wrappers/versions.tf
+++ b/wrappers/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 6.0"
+ version = ">= 6.11"
}
}
}