{"id":28423206,"url":"https://github.com/terraform-aws-modules/terraform-aws-kms","last_synced_at":"2026-01-08T21:15:55.720Z","repository":{"id":40311854,"uuid":"507159992","full_name":"terraform-aws-modules/terraform-aws-kms","owner":"terraform-aws-modules","description":"Terraform module to create AWS KMS resources πŸ‡ΊπŸ‡¦ ","archived":false,"fork":false,"pushed_at":"2024-10-11T16:08:26.000Z","size":67,"stargazers_count":53,"open_issues_count":0,"forks_count":83,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-06-05T08:45:40.477Z","etag":null,"topics":["aws","aws-kms","encryption","kms","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/terraform-aws-modules/kms/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/terraform-aws-modules.png","metadata":{"funding":{"github":["antonbabenko"],"custom":"https://www.paypal.me/antonbabenko"},"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-24T22:33:55.000Z","updated_at":"2025-05-15T14:47:27.000Z","dependencies_parsed_at":"2023-02-15T13:31:16.701Z","dependency_job_id":"80bd07cf-cf99-43de-87c1-f82d53f9c8b7","html_url":"https://github.com/terraform-aws-modules/terraform-aws-kms","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":"clowdhaus/terraform-aws-module-template","purl":"pkg:github/terraform-aws-modules/terraform-aws-kms","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-kms","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-kms/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-kms/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-kms/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/terraform-aws-modules","download_url":"https://codeload.github.com/terraform-aws-modules/terraform-aws-kms/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-kms/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261774595,"owners_count":23207764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-kms","encryption","kms","terraform","terraform-module"],"created_at":"2025-06-05T08:35:53.553Z","updated_at":"2026-01-08T21:15:55.698Z","avatar_url":"https://github.com/terraform-aws-modules.png","language":"HCL","funding_links":["https://github.com/sponsors/antonbabenko","https://www.paypal.me/antonbabenko"],"categories":[],"sub_categories":[],"readme":"# AWS KMS Terraform module\n\nTerraform module which creates AWS KMS resources.\n\n[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)\n\n## Usage\n\nSee [`examples`](https://github.com/terraform-aws-modules/terraform-aws-kms/tree/master/examples) directory for working examples to reference:\n\n### Autoscaling Service Linked Role\n\nReference usage for EC2 AutoScaling service linked role to launch encrypted EBS volumes:\n\n```hcl\nmodule \"kms\" {\n source = \"terraform-aws-modules/kms/aws\"\n\n description = \"EC2 AutoScaling key usage\"\n key_usage = \"ENCRYPT_DECRYPT\"\n\n # Policy\n key_administrators = [\"arn:aws:iam::012345678901:role/admin\"]\n key_service_roles_for_autoscaling = [\"arn:aws:iam::012345678901:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling\"]\n\n # Aliases\n aliases = [\"mycompany/ebs\"]\n\n tags = {\n Terraform = \"true\"\n Environment = \"dev\"\n }\n}\n```\n\n### External Key\n\nReference usage for external CMK (externally provided encryption material):\n\n```hcl\nmodule \"kms\" {\n source = \"terraform-aws-modules/kms/aws\"\n\n description = \"External key example\"\n key_material_base64 = \"Wblj06fduthWggmsT0cLVoIMOkeLbc2kVfMud77i/JY=\"\n valid_to = \"2085-04-12T23:20:50.52Z\"\n\n # Policy\n key_owners = [\"arn:aws:iam::012345678901:role/owner\"]\n key_administrators = [\"arn:aws:iam::012345678901:role/admin\"]\n key_users = [\"arn:aws:iam::012345678901:role/user\"]\n key_service_users = [\"arn:aws:iam::012345678901:role/ec2-role\"]\n\n # Aliases\n aliases = [\"mycompany/external\"]\n aliases_use_name_prefix = true\n\n # Grants\n grants = {\n lambda = {\n grantee_principal = \"arn:aws:iam::012345678901:role/lambda-function\"\n operations = [\"Encrypt\", \"Decrypt\", \"GenerateDataKey\"]\n constraints = {\n encryption_context_equals = {\n Department = \"Finance\"\n }\n }\n }\n }\n\n tags = {\n Terraform = \"true\"\n Environment = \"dev\"\n }\n}\n```\n\n### Reference\n\nReference usage showing available configurations.\n\n```hcl\nmodule \"kms\" {\n source = \"terraform-aws-modules/kms/aws\"\n\n description = \"Complete key example showing various configurations available\"\n deletion_window_in_days = 7\n enable_key_rotation = true\n is_enabled = true\n key_usage = \"ENCRYPT_DECRYPT\"\n multi_region = false\n\n # Policy\n enable_default_policy = true\n key_owners = [\"arn:aws:iam::012345678901:role/owner\"]\n key_administrators = [\"arn:aws:iam::012345678901:role/admin\"]\n key_users = [\"arn:aws:iam::012345678901:role/user\"]\n key_service_users = [\"arn:aws:iam::012345678901:role/ec2-role\"]\n key_symmetric_encryption_users = [\"arn:aws:iam::012345678901:role/symmetric-user\"]\n key_hmac_users = [\"arn:aws:iam::012345678901:role/hmac-user\"]\n key_asymmetric_public_encryption_users = [\"arn:aws:iam::012345678901:role/asymmetric-public-user\"]\n key_asymmetric_sign_verify_users = [\"arn:aws:iam::012345678901:role/sign-verify-user\"]\n\n # Aliases\n aliases = [\"one\", \"foo/bar\"] # accepts static strings only\n computed_aliases = {\n ex = {\n # Sometimes you want to pass in an upstream attribute as the name and\n # that conflicts with using `for_each over a `toset()` since the value is not\n # known until after applying. Instead, we can use `computed_aliases` to work\n # around this limitation\n # Reference: https://github.com/hashicorp/terraform/issues/30937\n name = aws_iam_role.lambda.name\n }\n }\n aliases_use_name_prefix = true\n\n # Grants\n grants = {\n lambda = {\n grantee_principal = \"arn:aws:iam::012345678901:role/lambda-function\"\n operations = [\"Encrypt\", \"Decrypt\", \"GenerateDataKey\"]\n constraints = {\n encryption_context_equals = {\n Department = \"Finance\"\n }\n }\n }\n }\n\n tags = {\n Terraform = \"true\"\n Environment = \"dev\"\n }\n}\n```\n\n## Examples\n\nExamples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-kms/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!\n\n- [Complete](https://github.com/terraform-aws-modules/terraform-aws-kms/tree/master/examples/complete)\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.5.7 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 6.28 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 6.28 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_external_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_external_key) | resource |\n| [aws_kms_grant.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant) | resource |\n| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_kms_replica_external_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_external_key) | resource |\n| [aws_kms_replica_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_aliases\"\u003e\u003c/a\u003e [aliases](#input\\_aliases) | A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values | `list(string)` | `[]` | no |\n| \u003ca name=\"input_aliases_use_name_prefix\"\u003e\u003c/a\u003e [aliases\\_use\\_name\\_prefix](#input\\_aliases\\_use\\_name\\_prefix) | Determines whether the alias name is used as a prefix | `bool` | `false` | no |\n| \u003ca name=\"input_bypass_policy_lockout_safety_check\"\u003e\u003c/a\u003e [bypass\\_policy\\_lockout\\_safety\\_check](#input\\_bypass\\_policy\\_lockout\\_safety\\_check) | A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable | `bool` | `null` | no |\n| \u003ca name=\"input_computed_aliases\"\u003e\u003c/a\u003e [computed\\_aliases](#input\\_computed\\_aliases) | A map of aliases to create. Values provided via the `name` key of the map can be computed from upstream resources | \u003cpre\u003emap(object({\u003cbr/\u003e name = string\u003cbr/\u003e }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_create\"\u003e\u003c/a\u003e [create](#input\\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |\n| \u003ca name=\"input_create_external\"\u003e\u003c/a\u003e [create\\_external](#input\\_create\\_external) | Determines whether an external CMK (externally provided material) will be created or a standard CMK (AWS provided material) | `bool` | `false` | no |\n| \u003ca name=\"input_create_replica\"\u003e\u003c/a\u003e [create\\_replica](#input\\_create\\_replica) | Determines whether a replica standard CMK will be created (AWS provided material) | `bool` | `false` | no |\n| \u003ca name=\"input_create_replica_external\"\u003e\u003c/a\u003e [create\\_replica\\_external](#input\\_create\\_replica\\_external) | Determines whether a replica external CMK will be created (externally provided material) | `bool` | `false` | no |\n| \u003ca name=\"input_custom_key_store_id\"\u003e\u003c/a\u003e [custom\\_key\\_store\\_id](#input\\_custom\\_key\\_store\\_id) | ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM). | `string` | `null` | no |\n| \u003ca name=\"input_customer_master_key_spec\"\u003e\u003c/a\u003e [customer\\_master\\_key\\_spec](#input\\_customer\\_master\\_key\\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT` | `string` | `null` | no |\n| \u003ca name=\"input_deletion_window_in_days\"\u003e\u003c/a\u003e [deletion\\_window\\_in\\_days](#input\\_deletion\\_window\\_in\\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30` | `number` | `null` | no |\n| \u003ca name=\"input_description\"\u003e\u003c/a\u003e [description](#input\\_description) | The description of the key as viewed in AWS console | `string` | `null` | no |\n| \u003ca name=\"input_enable_default_policy\"\u003e\u003c/a\u003e [enable\\_default\\_policy](#input\\_enable\\_default\\_policy) | Specifies whether to enable the default key policy. Defaults to `true` | `bool` | `true` | no |\n| \u003ca name=\"input_enable_key_rotation\"\u003e\u003c/a\u003e [enable\\_key\\_rotation](#input\\_enable\\_key\\_rotation) | Specifies whether key rotation is enabled. Defaults to `true` | `bool` | `true` | no |\n| \u003ca name=\"input_enable_route53_dnssec\"\u003e\u003c/a\u003e [enable\\_route53\\_dnssec](#input\\_enable\\_route53\\_dnssec) | Determines whether the KMS policy used for Route53 DNSSEC signing is enabled | `bool` | `false` | no |\n| \u003ca name=\"input_grants\"\u003e\u003c/a\u003e [grants](#input\\_grants) | A map of grant definitions to create | \u003cpre\u003emap(object({\u003cbr/\u003e constraints = optional(list(object({\u003cbr/\u003e encryption_context_equals = optional(map(string))\u003cbr/\u003e encryption_context_subset = optional(map(string))\u003cbr/\u003e })))\u003cbr/\u003e grant_creation_tokens = optional(list(string))\u003cbr/\u003e grantee_principal = string\u003cbr/\u003e name = optional(string) # Will fall back to use map key\u003cbr/\u003e operations = list(string)\u003cbr/\u003e retire_on_delete = optional(bool)\u003cbr/\u003e retiring_principal = optional(string)\u003cbr/\u003e }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_is_enabled\"\u003e\u003c/a\u003e [is\\_enabled](#input\\_is\\_enabled) | Specifies whether the key is enabled. Defaults to `true` | `bool` | `null` | no |\n| \u003ca name=\"input_key_administrators\"\u003e\u003c/a\u003e [key\\_administrators](#input\\_key\\_administrators) | A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_asymmetric_public_encryption_users\"\u003e\u003c/a\u003e [key\\_asymmetric\\_public\\_encryption\\_users](#input\\_key\\_asymmetric\\_public\\_encryption\\_users) | A list of IAM ARNs for [key asymmetric public encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_asymmetric_sign_verify_users\"\u003e\u003c/a\u003e [key\\_asymmetric\\_sign\\_verify\\_users](#input\\_key\\_asymmetric\\_sign\\_verify\\_users) | A list of IAM ARNs for [key asymmetric sign and verify users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_hmac_users\"\u003e\u003c/a\u003e [key\\_hmac\\_users](#input\\_key\\_hmac\\_users) | A list of IAM ARNs for [key HMAC users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_material_base64\"\u003e\u003c/a\u003e [key\\_material\\_base64](#input\\_key\\_material\\_base64) | Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only | `string` | `null` | no |\n| \u003ca name=\"input_key_owners\"\u003e\u003c/a\u003e [key\\_owners](#input\\_key\\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_service_roles_for_autoscaling\"\u003e\u003c/a\u003e [key\\_service\\_roles\\_for\\_autoscaling](#input\\_key\\_service\\_roles\\_for\\_autoscaling) | A list of IAM ARNs for [AWSServiceRoleForAutoScaling roles](https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_service_users\"\u003e\u003c/a\u003e [key\\_service\\_users](#input\\_key\\_service\\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_spec\"\u003e\u003c/a\u003e [key\\_spec](#input\\_key\\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\\_DEFAULT, RSA\\_2048, RSA\\_3072, RSA\\_4096, HMAC\\_224, HMAC\\_256, HMAC\\_384, HMAC\\_512, ECC\\_NIST\\_P256, ECC\\_NIST\\_P384, ECC\\_NIST\\_P521, ECC\\_SECG\\_P256K1, ML\\_DSA\\_44, ML\\_DSA\\_65, ML\\_DSA\\_87, or SM2 (China Regions only). Defaults to SYMMETRIC\\_DEFAULT | `string` | `null` | no |\n| \u003ca name=\"input_key_statements\"\u003e\u003c/a\u003e [key\\_statements](#input\\_key\\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | \u003cpre\u003elist(object({\u003cbr/\u003e sid = optional(string)\u003cbr/\u003e actions = optional(list(string))\u003cbr/\u003e not_actions = optional(list(string))\u003cbr/\u003e effect = optional(string)\u003cbr/\u003e resources = optional(list(string))\u003cbr/\u003e not_resources = optional(list(string))\u003cbr/\u003e principals = optional(list(object({\u003cbr/\u003e type = string\u003cbr/\u003e identifiers = list(string)\u003cbr/\u003e })))\u003cbr/\u003e not_principals = optional(list(object({\u003cbr/\u003e type = string\u003cbr/\u003e identifiers = list(string)\u003cbr/\u003e })))\u003cbr/\u003e condition = optional(list(object({\u003cbr/\u003e test = string\u003cbr/\u003e values = list(string)\u003cbr/\u003e variable = string\u003cbr/\u003e })))\u003cbr/\u003e }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_key_symmetric_encryption_users\"\u003e\u003c/a\u003e [key\\_symmetric\\_encryption\\_users](#input\\_key\\_symmetric\\_encryption\\_users) | A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_key_usage\"\u003e\u003c/a\u003e [key\\_usage](#input\\_key\\_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. Defaults to `ENCRYPT_DECRYPT` | `string` | `null` | no |\n| \u003ca name=\"input_key_users\"\u003e\u003c/a\u003e [key\\_users](#input\\_key\\_users) | A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users) | `list(string)` | `[]` | no |\n| \u003ca name=\"input_multi_region\"\u003e\u003c/a\u003e [multi\\_region](#input\\_multi\\_region) | Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false` | `bool` | `false` | no |\n| \u003ca name=\"input_override_policy_documents\"\u003e\u003c/a\u003e [override\\_policy\\_documents](#input\\_override\\_policy\\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |\n| \u003ca name=\"input_policy\"\u003e\u003c/a\u003e [policy](#input\\_policy) | A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used | `string` | `null` | no |\n| \u003ca name=\"input_primary_external_key_arn\"\u003e\u003c/a\u003e [primary\\_external\\_key\\_arn](#input\\_primary\\_external\\_key\\_arn) | The primary external key arn of a multi-region replica external key | `string` | `null` | no |\n| \u003ca name=\"input_primary_key_arn\"\u003e\u003c/a\u003e [primary\\_key\\_arn](#input\\_primary\\_key\\_arn) | The primary key arn of a multi-region replica key | `string` | `null` | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |\n| \u003ca name=\"input_rotation_period_in_days\"\u003e\u003c/a\u003e [rotation\\_period\\_in\\_days](#input\\_rotation\\_period\\_in\\_days) | Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive) | `number` | `null` | no |\n| \u003ca name=\"input_route53_dnssec_sources\"\u003e\u003c/a\u003e [route53\\_dnssec\\_sources](#input\\_route53\\_dnssec\\_sources) | A list of maps containing `account_ids` and Route53 `hosted_zone_arn` that will be allowed to sign DNSSEC records | \u003cpre\u003elist(object({\u003cbr/\u003e account_ids = optional(list(string))\u003cbr/\u003e hosted_zone_arn = optional(string)\u003cbr/\u003e }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_source_policy_documents\"\u003e\u003c/a\u003e [source\\_policy\\_documents](#input\\_source\\_policy\\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |\n| \u003ca name=\"input_valid_to\"\u003e\u003c/a\u003e [valid\\_to](#input\\_valid\\_to) | Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire | `string` | `null` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_aliases\"\u003e\u003c/a\u003e [aliases](#output\\_aliases) | A map of aliases created and their attributes |\n| \u003ca name=\"output_external_key_expiration_model\"\u003e\u003c/a\u003e [external\\_key\\_expiration\\_model](#output\\_external\\_key\\_expiration\\_model) | Whether the key material expires. Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE` |\n| \u003ca name=\"output_external_key_state\"\u003e\u003c/a\u003e [external\\_key\\_state](#output\\_external\\_key\\_state) | The state of the CMK |\n| \u003ca name=\"output_external_key_usage\"\u003e\u003c/a\u003e [external\\_key\\_usage](#output\\_external\\_key\\_usage) | The cryptographic operations for which you can use the CMK |\n| \u003ca name=\"output_grants\"\u003e\u003c/a\u003e [grants](#output\\_grants) | A map of grants created and their attributes |\n| \u003ca name=\"output_key_arn\"\u003e\u003c/a\u003e [key\\_arn](#output\\_key\\_arn) | The Amazon Resource Name (ARN) of the key |\n| \u003ca name=\"output_key_id\"\u003e\u003c/a\u003e [key\\_id](#output\\_key\\_id) | The globally unique identifier for the key |\n| \u003ca name=\"output_key_policy\"\u003e\u003c/a\u003e [key\\_policy](#output\\_key\\_policy) | The IAM resource policy set on the key |\n| \u003ca name=\"output_key_region\"\u003e\u003c/a\u003e [key\\_region](#output\\_key\\_region) | The region for the key |\n\u003c!-- END_TF_DOCS --\u003e\n\n## License\n\nApache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-kms","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-kms","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-kms/lists"}