When shared Key Management Service (also called shared KMS, or KMS 1.0) is migrated to KMS 3.0 instances, the keys and secrets become associated with a specific KMS instance, so a KMS instance ID attribute is added to them. If your shared KMS is Terraform-managed, you must change your Terraform configuration to account for the added instance ID attribute. Otherwise, the migration fails. This topic describes how to modify Terraform configurations.
Why modify Terraform configurations
After the migration, if you run the terraform plan and terraform apply commands, Terraform detects the attribute changes and attempts to update the resources to match your configuration. As a result, the migrated Customer Master Keys (CMKs) or secrets are released and new CMKs or secrets are created. To prevent this, you must update your existing Terraform configurations after the migration.
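A plan review before terraform apply catches the replacement described above while it is still harmless. The following script is an added example, not code from the original page or from the alicloud provider: it reads the JSON form of a saved plan (terraform plan -out=plan.tfplan, then terraform show -json plan.tfplan) and flags every alicloud_kms_key or alicloud_kms_secret the plan would delete or replace, listing the attributes that differ and whether the difference is confined to the attributes this page attributes to the migration. The script name kms_plan_guard.py and the piped workflow are assumptions, and the embedded SAMPLE_PLAN is constructed with placeholder IDs.

```python
"""Plan-review guard for the shared KMS to KMS 3.0 migration (added example).

Assumed workflow:
    terraform plan -out=plan.tfplan
    terraform show -json plan.tfplan | python kms_plan_guard.py
Exit status 1 means the plan would delete or replace a migrated key or secret.
"""
import json
import sys

# Resource types covered on this page; replacing either releases the migrated object.
KMS_TYPES = {"alicloud_kms_key", "alicloud_kms_secret"}

# Attributes the page attributes to the migration. A diff confined to these is the
# drift that lifecycle.ignore_changes (Solution 1) or dkms_instance_id (Solution 2) absorbs.
MIGRATION_ATTRS = {"dkms_instance_id", "automatic_rotation", "rotation_interval", "protection_level"}


def changed_attrs(change):
    """Names of attributes whose value differs between before and after.

    Attributes in after_unknown (computed values such as id) are skipped: Terraform
    cannot know them before apply, so they would always read as changed.
    """
    before = change.get("before") or {}
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    return {n for n in set(before) | set(after)
            if not unknown.get(n) and before.get(n) != after.get(n)}


def find_risky_changes(plan):
    """One finding per KMS resource the plan would delete or replace.

    migration_only is True when every differing attribute is in MIGRATION_ATTRS,
    i.e. the replacement is the migration artefact this page warns about.
    forced_by lists the attributes Terraform reports in replace_paths.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in KMS_TYPES:
            continue
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        if "delete" not in actions:
            continue  # create, update and no-op keep the migrated object
        diff = changed_attrs(change)
        findings.append({
            "address": rc.get("address"),
            "actions": list(actions),
            "changed_attrs": sorted(diff),
            "forced_by": sorted(p[0] for p in change.get("replace_paths") or [] if p),
            "migration_only": bool(diff) and diff <= MIGRATION_ATTRS,
        })
    return findings


def report(findings):
    """Render findings as text; an empty list renders as one OK line."""
    if not findings:
        return "OK: no alicloud_kms_key or alicloud_kms_secret would be deleted or replaced."
    lines = []
    for f in findings:
        lines.append(f"RISK: {f['address']} actions={'/'.join(f['actions'])}")
        lines.append(f"  changed: {', '.join(f['changed_attrs']) or '(none)'}")
        if f["forced_by"]:
            lines.append(f"  replacement forced by: {', '.join(f['forced_by'])}")
        if f["migration_only"]:
            lines.append("  only migration-added attributes differ: apply Solution 1 or 2 first")
    return "\n".join(lines)


# Constructed sample plan (placeholder IDs, not real identifiers): a key that would be
# replaced because the migrated dkms_instance_id is absent from the configuration, a
# secret with a harmless in-place update, and an unrelated resource that is ignored.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "alicloud_kms_key.default_key_encrypt_decrypt", "type": "alicloud_kms_key",
     "change": {"actions": ["delete", "create"],
                "before": {"id": "key-PLACEHOLDER", "dkms_instance_id": "kst-PLACEHOLDER",
                           "automatic_rotation": "Enabled", "rotation_interval": "90d",
                           "key_spec": "Aliyun_AES_256"},
                "after": {"id": None, "dkms_instance_id": None, "automatic_rotation": "Disabled",
                          "rotation_interval": None, "key_spec": "Aliyun_AES_256"},
                "after_unknown": {"id": True}, "replace_paths": [["dkms_instance_id"]]}},
    {"address": "alicloud_kms_secret.kms_secret_general", "type": "alicloud_kms_secret",
     "change": {"actions": ["update"], "before": {"description": "old"},
                "after": {"description": "new"}}},
    {"address": "alicloud_vpc.main", "type": "alicloud_vpc",
     "change": {"actions": ["delete", "create"], "before": {"cidr_block": "10.0.0.0/16"},
                "after": {"cidr_block": "10.1.0.0/16"}}},
]}


def main():
    # Read a plan from stdin when piped; fall back to the constructed sample otherwise.
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_risky_changes(plan)
    print(report(findings))
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Wire the script into the same pipeline step that runs terraform plan so that a non-zero exit blocks the apply; a finding with migration_only set to True is the exact case the two solutions below are designed to remove, while a finding where other attributes also differ points at an unrelated configuration change that deserves its own review.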
Solutions overview
Two solutions can address the issue of resources being released when you run the terraform plan and terraform apply commands after migration. Choose the solution that fits your scenario as follows:
Solution 1: Maintain existing configurations
This solution keeps your existing configurations without applying the new changes. Add
ignore_changes = [dkms_instance_id, automatic_rotation, rotation_interval]
to the lifecycle block of your alicloud_kms_key and alicloud_kms_secret resources. This prevents Terraform from detecting these changes.
Compatibility: Works with Terraform versions 1.235.0 and earlier. For later versions, remove dkms_instance_id from the ignore_changes argument.
Hardware to software key migration: If you migrate keys from the hardware to the software protection level, also add protection_level to the ignore_changes argument:
ignore_changes = [dkms_instance_id, automatic_rotation, rotation_interval, protection_level]
Solution 2: Adopt new changes
This solution incorporates the changes by adding dkms_instance_id related arguments to your Terraform configuration. This lets Terraform identify the dkms_instance_id of the migrated keys and secrets and configure the alicloud_kms_key and alicloud_kms_secret resources correctly within the new KMS instance, so that your Alibaba Cloud keys and secrets migrate seamlessly.
Procedure
Solution 1: Maintain existing configurations
1. Add
   ignore_changes = [dkms_instance_id, automatic_rotation, rotation_interval]
   to the lifecycle block of the alicloud_kms_key and alicloud_kms_secret resources.
2. If rotation was disabled for keys and secrets before migration, enable it after migration. For more information, see Key Rotation and Secret Rotation.
3. Configure the default policy for keys and secrets. For more information, see Configure a key policy and Configure a secret policy.
Example of modifying alicloud_kms_key resource configuration
In the following example, key rotation with a 90-day interval is enabled and the default key policy is set. For more information about each parameter, see alicloud_kms_key.
resource "alicloud_kms_key" "default_key_encrypt_decrypt" {
  # add this
  lifecycle {
    ignore_changes = [dkms_instance_id, automatic_rotation, rotation_interval]
  }
  automatic_rotation = "Enabled"
  rotation_interval  = "90d"
  policy             = <<-EOF
    {
      "Statement": [
        {
          "Action": [
            "kms:*"
          ],
          "Effect": "Allow",
          "Principal": {
            "RAM": [
              "acs:ram::5135****76002605:*"
            ]
          },
          "Resource": [
            "*"
          ],
          "Sid": "kms default key policy"
        }
      ],
      "Version": "1"
    }
  EOF
  # end of add
  description            = "test tf"
  key_usage              = "ENCRYPT/DECRYPT"
  key_spec               = "Aliyun_AES_256"
  origin                 = "Aliyun_KMS"
  pending_window_in_days = 7
  tags = {
    "Environment" = "test"
    "Name"        = "KMS-01"
    "SupportTeam" = "PlatformEngineering"
    "Contact"     = "group@example.com"
  }
}
Example of modifying alicloud_kms_secret resource configuration
In the following example, secret rotation is not enabled, and the default secret policy is set. For more information about each parameter, see alicloud_kms_secret.
resource "alicloud_kms_secret" "kms_secret_general" {
  # add this
  lifecycle {
    ignore_changes = [dkms_instance_id]
  }
  enable_automatic_rotation = false
  policy                    = <<-EOF
    {
      "Statement": [
        {
          "Action": [
            "kms:*"
          ],
          "Effect": "Allow",
          "Principal": {
            "RAM": [
              "acs:ram::5135****76002605:*"
            ]
          },
          "Resource": [
            "*"
          ],
          "Sid": "kms default secret policy"
        }
      ],
      "Version": "1"
    }
  EOF
  # end of add
  secret_name                   = "kms_secret_general1"
  description                   = "secret_data_kms_secret_general"
  secret_type                   = "Generic"
  force_delete_without_recovery = true
  encryption_key_id             = alicloud_kms_key.default_key_encrypt_decrypt.id
  version_id                    = "v1"
  secret_data_type              = "text"
  secret_data                   = "secret_data_kms_secret_general1"
}
Solution 2: Adopt new changes
1. Update the main.tf file in the root directory:
   Add
   dkms_instance_id = var.use_existing_key == true || alicloud_kms_key.kms.0.dkms_instance_id != "" ? alicloud_kms_key.kms.0.dkms_instance_id : null
   to the locals block.
   Add
   dkms_instance_id = var.dkms_instance_id
   to the alicloud_kms_key resource.
   Add
   dkms_instance_id = var.dkms_instance_id
   to the alicloud_kms_secret resource.
   Example:
locals {
  this_kms_key_id    = var.use_existing_key == true || var.existing_key_id != "" ? var.existing_key_id : concat(alicloud_kms_key.kms.*.id, [""])[0]
  dkms_instance_id   = var.use_existing_key == true || alicloud_kms_key.kms.0.dkms_instance_id != "" ? alicloud_kms_key.kms.0.dkms_instance_id : null
  policy             = var.use_existing_key == true || alicloud_kms_key.kms.0.policy != "" ? alicloud_kms_key.kms.0.policy : null
  automatic_rotation = var.use_existing_key == true || alicloud_kms_key.kms.0.automatic_rotation != "" ? alicloud_kms_key.kms.0.automatic_rotation : null
  rotation_interval  = var.automatic_rotation == "Enabled" || alicloud_kms_key.kms.0.rotation_interval != "" ? alicloud_kms_key.kms.0.rotation_interval : null

  secret_name                   = var.secret == true || alicloud_kms_secret.kms.0.secret_name != "" ? alicloud_kms_secret.kms.0.secret_name : null
  secret_type                   = var.secret == true || alicloud_kms_secret.kms.0.secret_type != "" ? alicloud_kms_secret.kms.0.secret_type : null
  version_id                    = var.secret == true || alicloud_kms_secret.kms.0.version_id != "" ? alicloud_kms_secret.kms.0.version_id : null
  force_delete_without_recovery = var.secret == true || alicloud_kms_secret.kms.0.force_delete_without_recovery != "" ? alicloud_kms_secret.kms.0.force_delete_without_recovery : null
  secret_data                   = var.secret == true || alicloud_kms_secret.kms.0.secret_data != "" ? alicloud_kms_secret.kms.0.secret_data : null
  secret_data_type              = var.secret == true || alicloud_kms_secret.kms.0.secret_data_type != "" ? alicloud_kms_secret.kms.0.secret_data_type : null
  enable_automatic_rotation     = var.secret == true || alicloud_kms_secret.kms.0.enable_automatic_rotation != "" ? alicloud_kms_secret.kms.0.enable_automatic_rotation : null
}

resource "alicloud_kms_key" "kms" {
  count                  = var.use_existing_key == true ? 0 : var.create_kms ? 1 : 0
  description            = var.description
  key_usage              = var.key_usage
  pending_window_in_days = var.pending_window_in_days
  status                 = var.status
  policy                 = var.policy
  automatic_rotation     = var.automatic_rotation
  rotation_interval      = var.rotation_interval
  # add this
  dkms_instance_id = var.dkms_instance_id
  # end of add
}

resource "alicloud_kms_secret" "kms" {
  # count must evaluate to a number: create the secret when an existing key is given or encryption is requested
  count                         = var.existing_key_id != "" || var.encrypt ? 1 : 0
  secret_name                   = var.secret_name
  # resolves to the existing key ID or to the key created above
  encryption_key_id             = local.this_kms_key_id
  secret_type                   = var.secret_type
  version_id                    = var.version_id
  force_delete_without_recovery = var.force_delete_without_recovery
  # add this
  dkms_instance_id = var.dkms_instance_id
  # end of add
  secret_data               = var.secret_data
  secret_data_type          = var.secret_data_type
  enable_automatic_rotation = var.enable_automatic_rotation
}
2. Define the dkms_instance_id variable in the variable.tf file located in the root directory.
   Important: The default value must be set to either "" (an empty string) or null.
# module default variable
variable "dkms_instance_id" {
  description = "The ID of the KMS instance."
  type        = string
  default     = ""
}
3. In the key related module, add the instance ID, set key policies, and decide whether to enable rotation as required.
   The example below shows the following:
   Rotation interval: Set to 90 days.
   KMS instance ID: kst-hkk66e****boq8qsxxgxd is used.
   Key policy: A default policy is set. If you want to set custom policies, see Key Policy Overview.
   Adjust the example to your business requirements.
automatic_rotation = "Enabled"
rotation_interval  = "90d"
dkms_instance_id   = "kst-hkk66e****boq8qsxxgxd"
policy             = <<-EOF
  {
    "Statement": [
      {
        "Action": [
          "kms:*"
        ],
        "Effect": "Allow",
        "Principal": {
          "RAM": [
            "acs:ram::5135****76002605:*"
          ]
        },
        "Resource": [
          "*"
        ],
        "Sid": "kms default key policy"
      }
    ],
    "Version": "1"
  }
EOF
4. In the secret related module, add the instance ID, set secret policies, and decide whether to enable rotation as required.
   The example below shows the following:
   Rotation: Not enabled.
   KMS instance ID: kst-hkk66e****boq8qsxxgxd is used.
   Secret policy: A default policy is set. If you want to set custom policies, see Secret Policy Overview.
   Adjust the example to your business requirements.
# secret
secret_data               = "secret_data_kms_secret_general1"
secret_name               = "kms_secret_general1"
version_id                = "v1"
secret_data_type          = "text"
secret_type               = "Generic"
enable_automatic_rotation = false
dkms_instance_id          = "kst-hkk66e****boq8qsxxgxd"
policy                    = <<-EOF
  {
    "Statement": [
      {
        "Action": [
          "kms:*"
        ],
        "Effect": "Allow",
        "Principal": {
          "RAM": [
            "acs:ram::5135****76002605:*"
          ]
        },
        "Resource": [
          "*"
        ],
        "Sid": "kms default secret policy"
      }
    ],
    "Version": "1"
  }
EOF
force_delete_without_recovery = true