When shared Key Management Service (also called shared KMS, or KMS 1.0) is migrated to KMS 3.0 instances, keys and secrets become associated with a specific KMS instance, so a KMS instance ID attribute is added to them. If your shared KMS resources are managed by Terraform, you must change your Terraform configuration to account for the added instance ID attribute. Otherwise, the migration fails. This topic describes how to modify the Terraform configuration.
Why modify Terraform configurations
After the migration is complete, when you run the terraform plan and terraform apply commands, Terraform detects the attribute changes and attempts to update the resources to match your configuration. As a result, the migrated Customer Master Keys (CMKs) or secrets are released, and new CMKs or secrets are created. To avoid this after migration, update your existing Terraform configuration.
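The following Python script is an example added here; it is not part of the Alibaba Cloud documentation or the Terraform provider. It reads the JSON produced by terraform show -json <planfile> and reports every alicloud_kms_key or alicloud_kms_secret that the plan would delete or replace, together with the attributes (such as dkms_instance_id) whose state value no longer matches the configuration, so a CI step can stop before a migrated key or secret is released. The embedded plan JSON is a constructed sample; in practice you would pass the contents of the real plan file.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads: the migrated key would be replaced because the
# configuration no longer matches the dkms_instance_id recorded in state.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "alicloud_kms_key.default_key_encrypt_decrypt",
     "type": "alicloud_kms_key",
     "change": {"actions": ["delete", "create"],
                "before": {"dkms_instance_id": "kst-hkk66e****boq8qsxxgxd",
                           "automatic_rotation": "Enabled"},
                "after": {"dkms_instance_id": None,
                          "automatic_rotation": "Disabled"}}},
    {"address": "alicloud_kms_secret.kms_secret_general",
     "type": "alicloud_kms_secret",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}},
]})

KMS_TYPES = {"alicloud_kms_key", "alicloud_kms_secret"}


def kms_destructive_changes(plan_json: str) -> dict:
    """Return {address: [drifted attribute names]} for every KMS key or
    secret that the plan would delete or replace (delete + create)."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") not in KMS_TYPES:
            continue
        change = rc.get("change", {})
        if "delete" not in change.get("actions", []):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        drifted = sorted(k for k in set(before) | set(after)
                         if before.get(k) != after.get(k))
        findings[rc["address"]] = drifted
    return findings


if __name__ == "__main__":
    hits = kms_destructive_changes(SAMPLE_PLAN_JSON)
    for address, attrs in hits.items():
        print(f"REFUSING: {address} would be replaced; drifted: {attrs}")
    raise SystemExit(1 if hits else 0)
```

Run it with the real plan JSON on standard input or by replacing the sample string; a non-zero exit status means the plan would release a migrated key or secret.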
Solutions overview
Two solutions address the issue of resources being released when you run the terraform plan and terraform apply commands after migration. Choose the solution that fits your scenario:
If you want to keep your existing configuration without adopting the new changes, choose Solution 1: Add the ignore_changes = [dkms_instance_id,automatic_rotation,rotation_interval] argument. Solution 1 adds the argument ignore_changes = [dkms_instance_id,automatic_rotation,rotation_interval] to the following two Terraform resources: alicloud_kms_key and alicloud_kms_secret. The ignore_changes argument makes Terraform ignore changes to the KMS instance ID attribute of keys and secrets when you run the terraform plan and terraform apply commands.
If you want to adopt the new changes, choose Solution 2: Add dkms_instance_id-related arguments. Solution 2 adds dkms_instance_id-related arguments to your Terraform configuration so that Terraform can identify the dkms_instance_id value of the migrated keys and secrets and set that value in the alicloud_kms_key and alicloud_kms_secret resources. This ensures that these resources are correctly configured in the new KMS instance and that your keys and secrets in Alibaba Cloud migrate seamlessly.
Procedure
Solution 1: Add the ignore_changes = [dkms_instance_id,automatic_rotation,rotation_interval] argument
1. Add ignore_changes = [dkms_instance_id,automatic_rotation,rotation_interval] to the lifecycle block of the alicloud_kms_key and alicloud_kms_secret resources.
2. If keys and secrets had rotation disabled before migration, enable rotation after migration. For more information, see Key Rotation and Secret Rotation.
3. Configure the default policy for keys and secrets. For more information, see Configure a key policy and Configure a secret policy.
Example of modifying alicloud_kms_key resource configuration
In the following example, key rotation with a 90-day interval is enabled and the default key policy is set. For more information about each parameter, see alicloud_kms_key.
resource "alicloud_kms_key" "default_key_encrypt_decrypt" {
  # add this
  lifecycle {
    ignore_changes = [dkms_instance_id, automatic_rotation, rotation_interval]
  }
  automatic_rotation = "Enabled"
  rotation_interval  = "90d"
  policy = <<EOF
{
  "Statement": [
    {
      "Action": [
        "kms:*"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::5135****76002605:*"
        ]
      },
      "Resource": [
        "*"
      ],
      "Sid": "kms default key policy"
    }
  ],
  "Version": "1"
}
EOF
  # end of add
  description            = "test tf"
  key_usage              = "ENCRYPT/DECRYPT"
  key_spec               = "Aliyun_AES_256"
  origin                 = "Aliyun_KMS"
  pending_window_in_days = 7
  tags = {
    "Environment" = "test"
    "Name"        = "KMS-01"
    "SupportTeam" = "PlatformEngineering"
    "Contact"     = "group@example.com"
  }
}
Example of modifying alicloud_kms_secret resource configuration
In the following example, secret rotation is not enabled, and the default secret policy is set. For more information about each parameter, see alicloud_kms_secret.
resource "alicloud_kms_secret" "kms_secret_general" {
  # add this
  lifecycle {
    ignore_changes = [dkms_instance_id]
  }
  enable_automatic_rotation = false
  policy = <<EOF
{
  "Statement": [
    {
      "Action": [
        "kms:*"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::5135****76002605:*"
        ]
      },
      "Resource": [
        "*"
      ],
      "Sid": "kms default secret policy"
    }
  ],
  "Version": "1"
}
EOF
  # end of add
  secret_name                   = "kms_secret_general1"
  description                   = "secret_data_kms_secret_general"
  secret_type                   = "Generic"
  force_delete_without_recovery = true
  encryption_key_id             = alicloud_kms_key.default_key_encrypt_decrypt.id
  version_id                    = "v1"
  secret_data_type              = "text"
  secret_data                   = "secret_data_kms_secret_general1"
}
Solution 2: Add dkms_instance_id-related arguments
1. Update the main.tf file in the root directory:
   a. Add dkms_instance_id = var.use_existing_key == true || alicloud_kms_key.kms.0.dkms_instance_id != "" ? alicloud_kms_key.kms.0.dkms_instance_id : null to the locals block.
   b. Add dkms_instance_id = var.dkms_instance_id to the alicloud_kms_key resource.
   c. Add dkms_instance_id = var.dkms_instance_id to the alicloud_kms_secret resource.
Example:
locals {
  this_kms_key_id               = var.use_existing_key == true || var.existing_key_id != "" ? var.existing_key_id : concat(alicloud_kms_key.kms.*.id, [""])[0]
  dkms_instance_id              = var.use_existing_key == true || alicloud_kms_key.kms.0.dkms_instance_id != "" ? alicloud_kms_key.kms.0.dkms_instance_id : null
  policy                        = var.use_existing_key == true || alicloud_kms_key.kms.0.policy != "" ? alicloud_kms_key.kms.0.policy : null
  automatic_rotation            = var.use_existing_key == true || alicloud_kms_key.kms.0.automatic_rotation != "" ? alicloud_kms_key.kms.0.automatic_rotation : null
  rotation_interval             = var.automatic_rotation == "Enabled" || alicloud_kms_key.kms.0.rotation_interval != "" ? alicloud_kms_key.kms.0.rotation_interval : null
  secret_name                   = var.secret == true || alicloud_kms_secret.kms.0.secret_name != "" ? alicloud_kms_secret.kms.0.secret_name : null
  secret_type                   = var.secret == true || alicloud_kms_secret.kms.0.secret_type != "" ? alicloud_kms_secret.kms.0.secret_type : null
  version_id                    = var.secret == true || alicloud_kms_secret.kms.0.version_id != "" ? alicloud_kms_secret.kms.0.version_id : null
  force_delete_without_recovery = var.secret == true || alicloud_kms_secret.kms.0.force_delete_without_recovery != "" ? alicloud_kms_secret.kms.0.force_delete_without_recovery : null
  secret_data                   = var.secret == true || alicloud_kms_secret.kms.0.secret_data != "" ? alicloud_kms_secret.kms.0.secret_data : null
  secret_data_type              = var.secret == true || alicloud_kms_secret.kms.0.secret_data_type != "" ? alicloud_kms_secret.kms.0.secret_data_type : null
  enable_automatic_rotation     = var.secret == true || alicloud_kms_secret.kms.0.enable_automatic_rotation != "" ? alicloud_kms_secret.kms.0.enable_automatic_rotation : null
}

resource "alicloud_kms_key" "kms" {
  count                  = var.use_existing_key == true ? 0 : var.create_kms ? 1 : 0
  description            = var.description
  key_usage              = var.key_usage
  pending_window_in_days = var.pending_window_in_days
  status                 = var.status
  policy                 = var.policy
  automatic_rotation     = var.automatic_rotation
  rotation_interval      = var.rotation_interval
  # add this
  dkms_instance_id = var.dkms_instance_id
  # end of add
}

resource "alicloud_kms_secret" "kms" {
  count                         = var.existing_key_id != "" ? var.existing_key_id : var.encrypt ? 1 : 0
  secret_name                   = var.secret_name
  encryption_key_id             = concat(alicloud_kms_key.kms.*.id, [""])[0]
  secret_type                   = var.secret_type
  version_id                    = var.version_id
  force_delete_without_recovery = var.force_delete_without_recovery
  # add this
  dkms_instance_id = var.dkms_instance_id
  # end of add
  secret_data               = var.secret_data
  secret_data_type          = var.secret_data_type
  enable_automatic_rotation = var.enable_automatic_rotation
}
2. Define the dkms_instance_id variable in the variable.tf file located in the root directory.
Important: The default value must be set to either "" (an empty string) or null.
# module default variable
variable "dkms_instance_id" {
  description = "The ID of the KMS instance."
  type        = string
  default     = ""
}
3. In the key-related module, add the instance ID, set the key policy, and decide whether to enable rotation as required.
The example below shows the following:
Rotation interval: set to 90 days.
KMS instance ID: kst-hkk66e****boq8qsxxgxd is used.
Key policy: a default policy is set. If you want to set custom policies, see Key Policy Overview.
Adjust the example to your business needs.
automatic_rotation = "Enabled"
rotation_interval  = "90d"
dkms_instance_id   = "kst-hkk66e****boq8qsxxgxd"
policy = <<EOF
{
  "Statement": [
    {
      "Action": [
        "kms:*"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::5135****76002605:*"
        ]
      },
      "Resource": [
        "*"
      ],
      "Sid": "kms default key policy"
    }
  ],
  "Version": "1"
}
EOF
4. In the secret-related module, add the instance ID, set the secret policy, and decide whether to enable rotation as required.
The example below shows the following:
Rotation: not enabled.
KMS instance ID: kst-hkk66e****boq8qsxxgxd is used.
Secret policy: a default policy is set. If you want to set custom policies, see Secret Policy Overview.
Adjust the example to your business needs.
#secret
secret_data               = "secret_data_kms_secret_general1"
secret_name               = "kms_secret_general1"
version_id                = "v1"
secret_data_type          = "text"
secret_type               = "Generic"
enable_automatic_rotation = false
dkms_instance_id          = "kst-hkk66e****boq8qsxxgxd"
policy = <<EOF
{
  "Statement": [
    {
      "Action": [
        "kms:*"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::5135****76002605:*"
        ]
      },
      "Resource": [
        "*"
      ],
      "Sid": "kms default secret policy"
    }
  ],
  "Version": "1"
}
EOF
force_delete_without_recovery = true