diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index 2ade14f..32adb8a 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,9 +1,9 @@ ack_generate_info: - build_date: "2025-02-18T00:06:18Z" - build_hash: 66c0f840b0bcf6f552be46cf5ee0fb95ad57053e - go_version: go1.23.6 - version: v0.43.0 -api_directory_checksum: e3a6c7a62fcea61f2120123949ca1acf059daf87 + build_date: "2025-02-19T23:24:02Z" + build_hash: 8b426c490ff1984d8ce5577e11d6dabe1b6373b8 + go_version: go1.24.0 + version: v0.43.1 +api_directory_checksum: c839ebf16d147bdda4cd5bd76baed63bb1b8c147 api_version: v1alpha1 aws_sdk_go_version: v1.32.6 generator_config_info: diff --git a/apis/v1alpha1/alias.go b/apis/v1alpha1/alias.go index 905e06d..b77735c 100644 --- a/apis/v1alpha1/alias.go +++ b/apis/v1alpha1/alias.go @@ -33,7 +33,9 @@ type AliasSpec struct { // alphanumeric characters, forward slashes (/), underscores (_), and dashes // (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is // reserved for Amazon Web Services managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). + // +kubebuilder:validation:Required + Name *string `json:"name"` // Associates the alias with the specified customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). // The KMS key must be in the same Amazon Web Services Region. 
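Review bot: The added `+kubebuilder:validation:Required` marker on `Name` appears to be followed by an empty added line before the field declaration, which detaches the preceding doc comment from the field; the aliases CRD in this same commit accordingly loses its `description:` text for `name` and `targetKeyID`. The same shape recurs in the alias.go `TargetKeyID` hunk and in every field hunk of grant.go and key.go (`Constraints`, `GrantTokens`, `GranteePrincipal`, `CustomKeyStoreID`, `Description`, `KeySpec`, `KeyUsage`, `Origin`, `MultiRegion`, …), and the grants and keys CRDs drop their field descriptions in step, including the `bypassPolicyLockoutSafetyCheck` text warning that setting it to true increases the risk of an unmanageable key and the "Do not include confidential or sensitive information in this field" notes. Since these files look generator-emitted, the fix belongs in the template that writes a field: place the marker directly above the declaration with no blank line, e.g. `// +kubebuilder:validation:Required` immediately followed by `Name *string `json:"name"``, then regenerate so the CRDs keep the documentation that `kubectl explain` surfaces to users.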
@@ -48,12 +50,14 @@ type AliasSpec struct { // // For example: // - // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab // - // - Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. - TargetKeyID *string `json:"targetKeyID,omitempty"` + + TargetKeyID *string `json:"targetKeyID,omitempty"` + TargetKeyRef *ackv1alpha1.AWSResourceReferenceWrapper `json:"targetKeyRef,omitempty"` } @@ -64,7 +68,7 @@ type AliasStatus struct { // constructed ARN for the resource // +kubebuilder:validation:Optional ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"` - // All CRS managed by ACK have a common `Status.Conditions` member that + // All CRs managed by ACK have a common `Status.Conditions` member that // contains a collection of `ackv1alpha1.Condition` objects that describe // the various terminal states of the CR and its backend AWS service API // resource diff --git a/apis/v1alpha1/grant.go b/apis/v1alpha1/grant.go index e062359..d9d801f 100644 --- a/apis/v1alpha1/grant.go +++ b/apis/v1alpha1/grant.go @@ -52,6 +52,7 @@ type GrantSpec struct { // in the Key Management Service Developer Guide. For more information about // encryption context, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) // in the Key Management Service Developer Guide . + Constraints *GrantConstraints `json:"constraints,omitempty"` // A list of grant tokens. // 
@@ -60,6 +61,7 @@ type GrantSpec struct { // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) // in the Key Management Service Developer Guide. + GrantTokens []*string `json:"grantTokens,omitempty"` // The identity that gets the permissions specified in the grant. // @@ -68,7 +70,9 @@ type GrantSpec struct { // accounts, IAM users, IAM roles, federated users, and assumed role users. // For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) // in the Identity and Access Management User Guide . + // +kubebuilder:validation:Required + GranteePrincipal *string `json:"granteePrincipal"` // Identifies the KMS key for the grant. The grant gives principals permission // to use this KMS key. @@ -78,12 +82,14 @@ type GrantSpec struct { // // For example: // - // - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab // - // - Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. - KeyID *string `json:"keyID,omitempty"` + + KeyID *string `json:"keyID,omitempty"` + KeyRef *ackv1alpha1.AWSResourceReferenceWrapper `json:"keyRef,omitempty"` // A friendly name for the grant. Use this value to prevent the unintended creation // of duplicate grants when retrying this request. 
@@ -100,6 +106,7 @@ type GrantSpec struct { // without creating a new grant. Note that the returned grant token is unique // with every CreateGrant request, even when a duplicate GrantId is returned. // All grant tokens for the same grant ID can be used interchangeably. + Name *string `json:"name,omitempty"` // A list of operations that the grant permits. // @@ -110,7 +117,9 @@ type GrantSpec struct { // If you try, KMS returns a ValidationError exception. For details, see Grant // operations (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) // in the Key Management Service Developer Guide. + // +kubebuilder:validation:Required + Operations []*string `json:"operations"` // The principal that has permission to use the RetireGrant operation to retire // the grant. @@ -125,6 +134,7 @@ type GrantSpec struct { // permission to retire the grant or revoke the grant. For details, see RevokeGrant // and Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) // in the Key Management Service Developer Guide. + RetiringPrincipal *string `json:"retiringPrincipal,omitempty"` } @@ -135,7 +145,7 @@ type GrantStatus struct { // constructed ARN for the resource // +kubebuilder:validation:Optional ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"` - // All CRS managed by ACK have a common `Status.Conditions` member that + // All CRs managed by ACK have a common `Status.Conditions` member that // contains a collection of `ackv1alpha1.Condition` objects that describe // the various terminal states of the CR and its backend AWS service API // resource diff --git a/apis/v1alpha1/key.go b/apis/v1alpha1/key.go index 1c5e476..2e24f43 100644 --- a/apis/v1alpha1/key.go +++ b/apis/v1alpha1/key.go 
@@ -35,6 +35,7 @@ type KeySpec struct { // Use this parameter only when you intend to prevent the principal that is // making the request from making a subsequent PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) // request on the KMS key. + BypassPolicyLockoutSafetyCheck *bool `json:"bypassPolicyLockoutSafetyCheck,omitempty"` // Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // The ConnectionState of the custom key store must be CONNECTED. To find the @@ -48,6 +49,9 @@ type KeySpec struct { // with the KMS key. When you create a KMS key in an external key store, you // must use the XksKeyId parameter to specify an external key that serves as // key material for the KMS key. + + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set" + CustomKeyStoreID *string `json:"customKeyStoreID,omitempty"` // A description of the KMS key. Use a description that helps you decide whether // the KMS key is appropriate for a task. The default value is an empty string @@ -57,8 +61,12 @@ type KeySpec struct { // field may be displayed in plaintext in CloudTrail logs and other output. // // To set or change the description after the key is created, use UpdateKeyDescription. - Description *string `json:"description,omitempty"` - EnableKeyRotation *bool `json:"enableKeyRotation,omitempty"` + + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set" + + Description *string `json:"description,omitempty"` + + EnableKeyRotation *bool `json:"enableKeyRotation,omitempty"` // Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, // creates a KMS key with a 256-bit AES-GCM key that is used for encryption // and decryption, except in China Regions, where it creates a 128-bit symmetric 
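Review bot: `Description` now carries `+kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"`, yet the doc comment just above it says `To set or change the description after the key is created, use UpdateKeyDescription.`, and the keys CRD in this commit gains the matching `x-kubernetes-validations` for `description`. The other fields given this rule in key.go (`CustomKeyStoreID`, `KeySpec`, `KeyUsage`, `MultiRegion`, `Origin`) are documented in their own comments as unchangeable after creation, so `Description` is the outlier. Unless this controller deliberately does not implement UpdateKeyDescription, the CEL rule rejects a legitimate, non-destructive update; if immutability is intended, the comment should say the controller treats the description as immutable so the two do not contradict. The rule presumably originates in the generator's immutable-field configuration rather than in this file, so that is where to drop or confirm it.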
@@ -82,22 +90,25 @@ type KeySpec struct { // // KMS supports the following key specs for KMS keys: // - // - Symmetric encryption key (default) SYMMETRIC_DEFAULT + // * Symmetric encryption key (default) SYMMETRIC_DEFAULT // - // - HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512 + // * HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512 // - // - Asymmetric RSA key pairs (encryption and decryption -or- signing and - // verification) RSA_2048 RSA_3072 RSA_4096 + // * Asymmetric RSA key pairs (encryption and decryption -or- signing and + // verification) RSA_2048 RSA_3072 RSA_4096 // - // - Asymmetric NIST-recommended elliptic curve key pairs (signing and verification - // -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384 - // (secp384r1) ECC_NIST_P521 (secp521r1) + // * Asymmetric NIST-recommended elliptic curve key pairs (signing and verification + // -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384 + // (secp384r1) ECC_NIST_P521 (secp521r1) // - // - Other asymmetric elliptic curve key pairs (signing and verification) - // ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. + // * Other asymmetric elliptic curve key pairs (signing and verification) + // ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. // - // - SM2 key pairs (encryption and decryption -or- signing and verification - // -or- deriving shared secrets) SM2 (China Regions only) + // * SM2 key pairs (encryption and decryption -or- signing and verification + // -or- deriving shared secrets) SM2 (China Regions only) + + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set" + KeySpec *string `json:"keySpec,omitempty"` // Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) // for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. 
@@ -107,20 +118,23 @@ type KeySpec struct { // // Select only one valid value. // - // - For symmetric encryption KMS keys, omit the parameter or specify ENCRYPT_DECRYPT. + // * For symmetric encryption KMS keys, omit the parameter or specify ENCRYPT_DECRYPT. // - // - For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC. + // * For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC. // - // - For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT - // or SIGN_VERIFY. + // * For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT + // or SIGN_VERIFY. // - // - For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, - // specify SIGN_VERIFY or KEY_AGREEMENT. + // * For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, + // specify SIGN_VERIFY or KEY_AGREEMENT. // - // - For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY. + // * For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY. // - // - For asymmetric KMS keys with SM2 key pairs (China Regions only), specify - // ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT. + // * For asymmetric KMS keys with SM2 key pairs (China Regions only), specify + // ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT. + + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set" + KeyUsage *string `json:"keyUsage,omitempty"` // Creates a multi-Region primary key that you can replicate into other Amazon // Web Services Regions. You cannot change this value after you create the KMS 
@@ -144,6 +158,9 @@ type KeySpec struct { // You can create a symmetric or asymmetric multi-Region key, and you can create // a multi-Region key with imported key material. However, you cannot create // a multi-Region key in a custom key store. + + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set" + MultiRegion *bool `json:"multiRegion,omitempty"` // The source of the key material for the KMS key. You cannot change the origin // after you create the KMS key. The default is AWS_KMS, which means that KMS 
@@ -164,25 +181,28 @@ type KeySpec struct { // set this value to EXTERNAL_KEY_STORE. You must also use the CustomKeyStoreId // parameter to identify the external key store and the XksKeyId parameter to // identify the associated external key. The KeySpec value must be SYMMETRIC_DEFAULT. + + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set" + Origin *string `json:"origin,omitempty"` // The key policy to attach to the KMS key. // // If you provide a key policy, it must meet the following criteria: // - // - The key policy must allow the calling principal to make a subsequent - // PutKeyPolicy request on the KMS key. This reduces the risk that the KMS - // key becomes unmanageable. For more information, see Default key policy - // (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - // in the Key Management Service Developer Guide. (To omit this condition, - // set BypassPolicyLockoutSafetyCheck to true.) - // - // - Each statement in the key policy must contain one or more principals. - // The principals in the key policy must exist and be visible to KMS. When - // you create a new Amazon Web Services principal, you might need to enforce - // a delay before including the new principal in a key policy because the - // new principal might not be immediately visible to KMS. For more information, - // see Changes that I make are not always immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - // in the Amazon Web Services Identity and Access Management User Guide. + // * The key policy must allow the calling principal to make a subsequent + // PutKeyPolicy request on the KMS key. This reduces the risk that the KMS + // key becomes unmanageable. 
For more information, see Default key policy + // (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) + // in the Key Management Service Developer Guide. (To omit this condition, + // set BypassPolicyLockoutSafetyCheck to true.) + // + // * Each statement in the key policy must contain one or more principals. + // The principals in the key policy must exist and be visible to KMS. When + // you create a new Amazon Web Services principal, you might need to enforce + // a delay before including the new principal in a key policy because the + // new principal might not be immediately visible to KMS. For more information, + // see Changes that I make are not always immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the Amazon Web Services Identity and Access Management User Guide. // // If you do not provide a key policy, KMS attaches a default key policy to // the KMS key. For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) @@ -193,6 +213,7 @@ type KeySpec struct { // For help writing and formatting a JSON policy document, see the IAM JSON // Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) // in the Identity and Access Management User Guide . + Policy *string `json:"policy,omitempty"` // Assigns one or more tags to the KMS key. Use this parameter to tag the KMS // key when it is created. To tag an existing KMS key, use the TagResource operation. @@ -217,6 +238,7 @@ type KeySpec struct { // generates a cost allocation report with usage and costs aggregated by tags. // Tags can also be used to control access to a KMS key. For details, see Tagging // Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). + Tags []*Tag `json:"tags,omitempty"` } 
@@ -227,7 +249,7 @@ type KeyStatus struct { // constructed ARN for the resource // +kubebuilder:validation:Optional ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"` - // All CRS managed by ACK have a common `Status.Conditions` member that + // All CRs managed by ACK have a common `Status.Conditions` member that // contains a collection of `ackv1alpha1.Condition` objects that describe // the various terminal states of the CR and its backend AWS service API // resource diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index a50a2b9..744f38d 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/aws-controllers-k8s/kms-controller - newTag: 1.0.21 + newTag: 1.0.22 diff --git a/config/crd/bases/kms.services.k8s.aws_aliases.yaml b/config/crd/bases/kms.services.k8s.aws_aliases.yaml index de5de97..ad50f6f 100644 --- a/config/crd/bases/kms.services.k8s.aws_aliases.yaml +++ b/config/crd/bases/kms.services.k8s.aws_aliases.yaml 
@@ -40,38 +40,8 @@ spec: description: AliasSpec defines the desired state of Alias. properties: name: - description: |- - Specifies the alias name. This value must begin with alias/ followed by a - name, such as alias/ExampleAlias. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - The AliasName value must be string of 1-256 characters. It can contain only - alphanumeric characters, forward slashes (/), underscores (_), and dashes - (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is - reserved for Amazon Web Services managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). type: string targetKeyID: - description: |- - Associates the alias with the specified customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). - The KMS key must be in the same Amazon Web Services Region. - - A valid key ID is required. If you supply a null or empty string value, this - operation returns an error. - - For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) - in the Key Management Service Developer Guide . - - Specify the key ID or key ARN of the KMS key. - - For example: - - * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab - - * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - - To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. type: string targetKeyRef: description: "AWSResourceReferenceWrapper provides a wrapper around 
@@ -127,7 +97,7 @@ spec: type: object conditions: description: |- - All CRS managed by ACK have a common `Status.Conditions` member that + All CRs managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource diff --git a/config/crd/bases/kms.services.k8s.aws_grants.yaml b/config/crd/bases/kms.services.k8s.aws_grants.yaml index 2ce6452..469c539 100644 --- a/config/crd/bases/kms.services.k8s.aws_grants.yaml +++ b/config/crd/bases/kms.services.k8s.aws_grants.yaml 
@@ -41,34 +41,28 @@ spec: properties: constraints: description: |- - Specifies a grant constraint. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - KMS supports the EncryptionContextEquals and EncryptionContextSubset grant - constraints, which allow the permissions in the grant only when the encryption - context in the request matches (EncryptionContextEquals) or includes (EncryptionContextSubset) - the encryption context specified in the constraint. - - The encryption context grant constraints are supported only on grant operations - (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - that include an EncryptionContext parameter, such as cryptographic operations - on symmetric encryption KMS keys. Grants with grant constraints can include - the DescribeKey and RetireGrant operations, but the constraint doesn't apply - to these operations. If a grant with a grant constraint includes the CreateGrant - operation, the constraint requires that any grants created with the CreateGrant - permission have an equally strict or stricter encryption context constraint. - - You cannot use an encryption context grant constraint for cryptographic operations - with asymmetric KMS keys or HMAC KMS keys. Operations with these keys don't - support an encryption context. - - Each constraint value can include up to 8 encryption context pairs. The encryption - context value in each constraint cannot exceed 384 characters. For information - about grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints) - in the Key Management Service Developer Guide. 
For more information about - encryption context, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + Use this structure to allow cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + in the grant only when the operation request includes the specified encryption + context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context). + + KMS applies the grant constraints only to cryptographic operations that support + an encryption context, that is, all cryptographic operations with a symmetric + KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks). + Grant constraints are not applied to operations that do not support an encryption + context, such as cryptographic operations with asymmetric KMS keys and management + operations, such as DescribeKey or RetireGrant. + + In a cryptographic operation, the encryption context in the decryption operation + must be an exact, case-sensitive match for the keys and values in the encryption + context of the encryption operation. Only the order of the pairs can vary. + + However, in a grant constraint, the key in each key-value pair is not case + sensitive, but the value is case sensitive. + + To avoid confusion, do not use multiple encryption context pairs that differ + only by case. To require a fully case-sensitive encryption context, use the + kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM + or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context) in the Key Management Service Developer Guide . properties: encryptionContextEquals: 
@@ -81,42 +75,12 @@ spec: type: object type: object grantTokens: - description: |- - A list of grant tokens. - - Use a grant token when your permission to call this operation comes from - a new grant that has not yet achieved eventual consistency. For more information, - see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - in the Key Management Service Developer Guide. items: type: string type: array granteePrincipal: - description: |- - The identity that gets the permissions specified in the grant. - - To specify the grantee principal, use the Amazon Resource Name (ARN) of an - Amazon Web Services principal. Valid principals include Amazon Web Services - accounts, IAM users, IAM roles, federated users, and assumed role users. - For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - in the Identity and Access Management User Guide . type: string keyID: - description: |- - Identifies the KMS key for the grant. The grant gives principals permission - to use this KMS key. - - Specify the key ID or key ARN of the KMS key. To specify a KMS key in adifferent - Amazon Web Services account, you must use the key ARN. - - For example: - - * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab - - * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - - To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. type: string keyRef: description: "AWSResourceReferenceWrapper provides a wrapper around 
@@ -136,52 +100,12 @@ spec: type: object type: object name: - description: |- - A friendly name for the grant. Use this value to prevent the unintended creation - of duplicate grants when retrying this request. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - When this value is absent, all CreateGrant requests result in a new grant - with a unique GrantId even if all the supplied parameters are identical. - This can result in unintended duplicates when you retry the CreateGrant request. - - When this value is present, you can retry a CreateGrant request with identical - parameters; if the grant already exists, the original GrantId is returned - without creating a new grant. Note that the returned grant token is unique - with every CreateGrant request, even when a duplicate GrantId is returned. - All grant tokens for the same grant ID can be used interchangeably. type: string operations: - description: |- - A list of operations that the grant permits. - - This list must include only operations that are permitted in a grant. Also, - the operation must be supported on the KMS key. For example, you cannot create - a grant for a symmetric encryption KMS key that allows the Sign operation, - or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. - If you try, KMS returns a ValidationError exception. For details, see Grant - operations (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - in the Key Management Service Developer Guide. items: type: string type: array retiringPrincipal: - description: |- - The principal that has permission to use the RetireGrant operation to retire - the grant. - - To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - of an Amazon Web Services principal. 
Valid principals include Amazon Web - Services accounts, IAM users, IAM roles, federated users, and assumed role - users. For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - in the Identity and Access Management User Guide . - - The grant determines the retiring principal. Other principals might have - permission to retire the grant or revoke the grant. For details, see RevokeGrant - and Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) - in the Key Management Service Developer Guide. type: string required: - granteePrincipal @@ -221,7 +145,7 @@ spec: type: object conditions: description: |- - All CRS managed by ACK have a common `Status.Conditions` member that + All CRs managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource diff --git a/config/crd/bases/kms.services.k8s.aws_keys.yaml b/config/crd/bases/kms.services.k8s.aws_keys.yaml index c39b0f6..c3e2e59 100644 --- a/config/crd/bases/kms.services.k8s.aws_keys.yaml +++ b/config/crd/bases/kms.services.k8s.aws_keys.yaml 
@@ -40,218 +40,42 @@ spec: description: KeySpec defines the desired state of Key. properties: bypassPolicyLockoutSafetyCheck: - description: |- - Skips ("bypasses") the key policy lockout safety check. The default value - is false. - - Setting this value to true increases the risk that the KMS key becomes unmanageable. - Do not set this value to true indiscriminately. - - For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - in the Key Management Service Developer Guide. - - Use this parameter only when you intend to prevent the principal that is - making the request from making a subsequent PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) - request on the KMS key. type: boolean customKeyStoreID: - description: |- - Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). - The ConnectionState of the custom key store must be CONNECTED. To find the - CustomKeyStoreID and ConnectionState use the DescribeCustomKeyStores operation. - - This parameter is valid only for symmetric encryption KMS keys in a single - Region. You cannot create any other type of KMS key in a custom key store. - - When you create a KMS key in an CloudHSM key store, KMS generates a non-exportable - 256-bit symmetric key in its associated CloudHSM cluster and associates it - with the KMS key. When you create a KMS key in an external key store, you - must use the XksKeyId parameter to specify an external key that serves as - key material for the KMS key. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf description: - description: |- - A description of the KMS key. Use a description that helps you decide whether - the KMS key is appropriate for a task. The default value is an empty string - (no description). 
- - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - To set or change the description after the key is created, use UpdateKeyDescription. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf enableKeyRotation: type: boolean keySpec: - description: |- - Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, - creates a KMS key with a 256-bit AES-GCM key that is used for encryption - and decryption, except in China Regions, where it creates a 128-bit symmetric - key that uses SM4 encryption. For help choosing a key spec for your KMS key, - see Choosing a KMS key type (https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose) - in the Key Management Service Developer Guide . - - The KeySpec determines whether the KMS key contains a symmetric key or an - asymmetric key pair. It also determines the algorithms that the KMS key supports. - You can't change the KeySpec after the KMS key is created. To further restrict - the algorithms that can be used with the KMS key, use a condition key in - its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm - (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm), - kms:MacAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm) - or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm) - in the Key Management Service Developer Guide . - - Amazon Web Services services that are integrated with KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration) - use symmetric encryption KMS keys to protect your data. These services do - not support asymmetric KMS keys or HMAC KMS keys. 
- - KMS supports the following key specs for KMS keys: - - * Symmetric encryption key (default) SYMMETRIC_DEFAULT - - * HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512 - - * Asymmetric RSA key pairs (encryption and decryption -or- signing and - verification) RSA_2048 RSA_3072 RSA_4096 - - * Asymmetric NIST-recommended elliptic curve key pairs (signing and verification - -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384 - (secp384r1) ECC_NIST_P521 (secp521r1) - - * Other asymmetric elliptic curve key pairs (signing and verification) - ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. - - * SM2 key pairs (encryption and decryption -or- signing and verification - -or- deriving shared secrets) SM2 (China Regions only) type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf keyUsage: - description: |- - Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. - This parameter is optional when you are creating a symmetric encryption KMS - key; otherwise, it is required. You can't change the KeyUsage value after - the KMS key is created. - - Select only one valid value. - - * For symmetric encryption KMS keys, omit the parameter or specify ENCRYPT_DECRYPT. - - * For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC. - - * For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT - or SIGN_VERIFY. - - * For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, - specify SIGN_VERIFY or KEY_AGREEMENT. - - * For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY. - - * For asymmetric KMS keys with SM2 key pairs (China Regions only), specify - ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT. 
type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf multiRegion: - description: |- - Creates a multi-Region primary key that you can replicate into other Amazon - Web Services Regions. You cannot change this value after you create the KMS - key. - - For a multi-Region key, set this parameter to True. For a single-Region KMS - key, omit this parameter or set it to False. The default value is False. - - This operation supports multi-Region keys, an KMS feature that lets you create - multiple interoperable KMS keys in different Amazon Web Services Regions. - Because these KMS keys have the same key ID, key material, and other metadata, - you can use them interchangeably to encrypt data in one Amazon Web Services - Region and decrypt it in a different Amazon Web Services Region without re-encrypting - the data or making a cross-Region call. For more information about multi-Region - keys, see Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) - in the Key Management Service Developer Guide. - - This value creates a primary key, not a replica. To create a replica key, - use the ReplicateKey operation. - - You can create a symmetric or asymmetric multi-Region key, and you can create - a multi-Region key with imported key material. However, you cannot create - a multi-Region key in a custom key store. type: boolean + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf origin: - description: |- - The source of the key material for the KMS key. You cannot change the origin - after you create the KMS key. The default is AWS_KMS, which means that KMS - creates the key material. - - To create a KMS key with no key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) - (for imported key material), set this value to EXTERNAL. 
For more information - about importing key material into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) - in the Key Management Service Developer Guide. The EXTERNAL origin value - is valid only for symmetric KMS keys. - - To create a KMS key in an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) - and create its key material in the associated CloudHSM cluster, set this - value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId parameter to - identify the CloudHSM key store. The KeySpec value must be SYMMETRIC_DEFAULT. - - To create a KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html), - set this value to EXTERNAL_KEY_STORE. You must also use the CustomKeyStoreId - parameter to identify the external key store and the XksKeyId parameter to - identify the associated external key. The KeySpec value must be SYMMETRIC_DEFAULT. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf policy: - description: |- - The key policy to attach to the KMS key. - - If you provide a key policy, it must meet the following criteria: - - * The key policy must allow the calling principal to make a subsequent - PutKeyPolicy request on the KMS key. This reduces the risk that the KMS - key becomes unmanageable. For more information, see Default key policy - (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - in the Key Management Service Developer Guide. (To omit this condition, - set BypassPolicyLockoutSafetyCheck to true.) - - * Each statement in the key policy must contain one or more principals. - The principals in the key policy must exist and be visible to KMS. 
When - you create a new Amazon Web Services principal, you might need to enforce - a delay before including the new principal in a key policy because the - new principal might not be immediately visible to KMS. For more information, - see Changes that I make are not always immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - in the Amazon Web Services Identity and Access Management User Guide. - - If you do not provide a key policy, KMS attaches a default key policy to - the KMS key. For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) - in the Key Management Service Developer Guide. - - The key policy size quota is 32 kilobytes (32768 bytes). - - For help writing and formatting a JSON policy document, see the IAM JSON - Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) - in the Identity and Access Management User Guide . type: string tags: - description: |- - Assigns one or more tags to the KMS key. Use this parameter to tag the KMS - key when it is created. To tag an existing KMS key, use the TagResource operation. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - Tagging or untagging a KMS key can allow or deny permission to the KMS key. - For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - in the Key Management Service Developer Guide. - - To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) - permission in an IAM policy. - - Each tag consists of a tag key and a tag value. Both the tag key and the - tag value are required, but the tag value can be an empty (null) string. 
- You cannot have more than one tag on a KMS key with the same tag key. If - you specify an existing tag key with a different tag value, KMS replaces - the current tag value with the specified one. - - When you add tags to an Amazon Web Services resource, Amazon Web Services - generates a cost allocation report with usage and costs aggregated by tags. - Tags can also be used to control access to a KMS key. For details, see Tagging - Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). items: description: |- A key-value pair. A tag consists of a tag key and a tag value. Tag keys and @@ -318,7 +142,7 @@ spec: type: string conditions: description: |- - All CRS managed by ACK have a common `Status.Conditions` member that + All CRs managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 2bb86f3..3b3e524 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: kms-chart description: A Helm chart for the ACK service controller for AWS Key Management Service (KMS) -version: 1.0.21 -appVersion: 1.0.21 +version: 1.0.22 +appVersion: 1.0.22 home: https://github.com/aws-controllers-k8s/kms-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/crds/kms.services.k8s.aws_aliases.yaml b/helm/crds/kms.services.k8s.aws_aliases.yaml index b238bd0..ad50f6f 100644 --- a/helm/crds/kms.services.k8s.aws_aliases.yaml +++ b/helm/crds/kms.services.k8s.aws_aliases.yaml 
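Review bot: The new `x-kubernetes-validations` rule `self == oldSelf` on `spec.description` (repeated in helm/crds/kms.services.k8s.aws_keys.yaml) makes the key description immutable once set, yet the description text this hunk deletes says it can be changed after creation via UpdateKeyDescription, so the CRD now rejects an update the service itself supports. Unless the controller deliberately does not implement that update, the rule should be removed from that field; since this file is generated, the fix presumably belongs in the generator configuration rather than here. Separately, deleting every field description removes the operator-facing caveats from `kubectl explain` — notably that `bypassPolicyLockoutSafetyCheck: true` increases the risk of the key becoming unmanageable, and that `description` and tag values may appear in plaintext in CloudTrail logs — so it is worth confirming that loss is intended and that the Go types in apis/v1alpha1 still carry that guidance.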
@@ -40,38 +40,8 @@ spec: description: AliasSpec defines the desired state of Alias. properties: name: - description: |- - Specifies the alias name. This value must begin with alias/ followed by a - name, such as alias/ExampleAlias. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - The AliasName value must be string of 1-256 characters. It can contain only - alphanumeric characters, forward slashes (/), underscores (_), and dashes - (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is - reserved for Amazon Web Services managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). type: string targetKeyID: - description: |- - Associates the alias with the specified customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). - The KMS key must be in the same Amazon Web Services Region. - - A valid key ID is required. If you supply a null or empty string value, this - operation returns an error. - - For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) - in the Key Management Service Developer Guide . - - Specify the key ID or key ARN of the KMS key. - - For example: - - - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab - - - Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - - To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. type: string targetKeyRef: description: "AWSResourceReferenceWrapper provides a wrapper around 
@@ -127,7 +97,7 @@ spec: type: object conditions: description: |- - All CRS managed by ACK have a common `Status.Conditions` member that + All CRs managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource diff --git a/helm/crds/kms.services.k8s.aws_grants.yaml b/helm/crds/kms.services.k8s.aws_grants.yaml index 62ea924..469c539 100644 --- a/helm/crds/kms.services.k8s.aws_grants.yaml +++ b/helm/crds/kms.services.k8s.aws_grants.yaml 
@@ -41,34 +41,28 @@ spec: properties: constraints: description: |- - Specifies a grant constraint. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - KMS supports the EncryptionContextEquals and EncryptionContextSubset grant - constraints, which allow the permissions in the grant only when the encryption - context in the request matches (EncryptionContextEquals) or includes (EncryptionContextSubset) - the encryption context specified in the constraint. - - The encryption context grant constraints are supported only on grant operations - (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - that include an EncryptionContext parameter, such as cryptographic operations - on symmetric encryption KMS keys. Grants with grant constraints can include - the DescribeKey and RetireGrant operations, but the constraint doesn't apply - to these operations. If a grant with a grant constraint includes the CreateGrant - operation, the constraint requires that any grants created with the CreateGrant - permission have an equally strict or stricter encryption context constraint. - - You cannot use an encryption context grant constraint for cryptographic operations - with asymmetric KMS keys or HMAC KMS keys. Operations with these keys don't - support an encryption context. - - Each constraint value can include up to 8 encryption context pairs. The encryption - context value in each constraint cannot exceed 384 characters. For information - about grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints) - in the Key Management Service Developer Guide. 
For more information about - encryption context, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + Use this structure to allow cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + in the grant only when the operation request includes the specified encryption + context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context). + + KMS applies the grant constraints only to cryptographic operations that support + an encryption context, that is, all cryptographic operations with a symmetric + KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks). + Grant constraints are not applied to operations that do not support an encryption + context, such as cryptographic operations with asymmetric KMS keys and management + operations, such as DescribeKey or RetireGrant. + + In a cryptographic operation, the encryption context in the decryption operation + must be an exact, case-sensitive match for the keys and values in the encryption + context of the encryption operation. Only the order of the pairs can vary. + + However, in a grant constraint, the key in each key-value pair is not case + sensitive, but the value is case sensitive. + + To avoid confusion, do not use multiple encryption context pairs that differ + only by case. To require a fully case-sensitive encryption context, use the + kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM + or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context) in the Key Management Service Developer Guide . properties: encryptionContextEquals: 
@@ -81,42 +75,12 @@ spec: type: object type: object grantTokens: - description: |- - A list of grant tokens. - - Use a grant token when your permission to call this operation comes from - a new grant that has not yet achieved eventual consistency. For more information, - see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) - and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) - in the Key Management Service Developer Guide. items: type: string type: array granteePrincipal: - description: |- - The identity that gets the permissions specified in the grant. - - To specify the grantee principal, use the Amazon Resource Name (ARN) of an - Amazon Web Services principal. Valid principals include Amazon Web Services - accounts, IAM users, IAM roles, federated users, and assumed role users. - For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - in the Identity and Access Management User Guide . type: string keyID: - description: |- - Identifies the KMS key for the grant. The grant gives principals permission - to use this KMS key. - - Specify the key ID or key ARN of the KMS key. To specify a KMS key in adifferent - Amazon Web Services account, you must use the key ARN. - - For example: - - - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab - - - Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - - To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. type: string keyRef: description: "AWSResourceReferenceWrapper provides a wrapper around 
@@ -136,52 +100,12 @@ spec: type: object type: object name: - description: |- - A friendly name for the grant. Use this value to prevent the unintended creation - of duplicate grants when retrying this request. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - When this value is absent, all CreateGrant requests result in a new grant - with a unique GrantId even if all the supplied parameters are identical. - This can result in unintended duplicates when you retry the CreateGrant request. - - When this value is present, you can retry a CreateGrant request with identical - parameters; if the grant already exists, the original GrantId is returned - without creating a new grant. Note that the returned grant token is unique - with every CreateGrant request, even when a duplicate GrantId is returned. - All grant tokens for the same grant ID can be used interchangeably. type: string operations: - description: |- - A list of operations that the grant permits. - - This list must include only operations that are permitted in a grant. Also, - the operation must be supported on the KMS key. For example, you cannot create - a grant for a symmetric encryption KMS key that allows the Sign operation, - or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. - If you try, KMS returns a ValidationError exception. For details, see Grant - operations (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - in the Key Management Service Developer Guide. items: type: string type: array retiringPrincipal: - description: |- - The principal that has permission to use the RetireGrant operation to retire - the grant. - - To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - of an Amazon Web Services principal. 
Valid principals include Amazon Web - Services accounts, IAM users, IAM roles, federated users, and assumed role - users. For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - in the Identity and Access Management User Guide . - - The grant determines the retiring principal. Other principals might have - permission to retire the grant or revoke the grant. For details, see RevokeGrant - and Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) - in the Key Management Service Developer Guide. type: string required: - granteePrincipal @@ -221,7 +145,7 @@ spec: type: object conditions: description: |- - All CRS managed by ACK have a common `Status.Conditions` member that + All CRs managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource diff --git a/helm/crds/kms.services.k8s.aws_keys.yaml b/helm/crds/kms.services.k8s.aws_keys.yaml index 05d23c7..c3e2e59 100644 --- a/helm/crds/kms.services.k8s.aws_keys.yaml +++ b/helm/crds/kms.services.k8s.aws_keys.yaml 
@@ -40,218 +40,42 @@ spec: description: KeySpec defines the desired state of Key. properties: bypassPolicyLockoutSafetyCheck: - description: |- - Skips ("bypasses") the key policy lockout safety check. The default value - is false. - - Setting this value to true increases the risk that the KMS key becomes unmanageable. - Do not set this value to true indiscriminately. - - For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - in the Key Management Service Developer Guide. - - Use this parameter only when you intend to prevent the principal that is - making the request from making a subsequent PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) - request on the KMS key. type: boolean customKeyStoreID: - description: |- - Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). - The ConnectionState of the custom key store must be CONNECTED. To find the - CustomKeyStoreID and ConnectionState use the DescribeCustomKeyStores operation. - - This parameter is valid only for symmetric encryption KMS keys in a single - Region. You cannot create any other type of KMS key in a custom key store. - - When you create a KMS key in an CloudHSM key store, KMS generates a non-exportable - 256-bit symmetric key in its associated CloudHSM cluster and associates it - with the KMS key. When you create a KMS key in an external key store, you - must use the XksKeyId parameter to specify an external key that serves as - key material for the KMS key. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf description: - description: |- - A description of the KMS key. Use a description that helps you decide whether - the KMS key is appropriate for a task. The default value is an empty string - (no description). 
- - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - To set or change the description after the key is created, use UpdateKeyDescription. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf enableKeyRotation: type: boolean keySpec: - description: |- - Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, - creates a KMS key with a 256-bit AES-GCM key that is used for encryption - and decryption, except in China Regions, where it creates a 128-bit symmetric - key that uses SM4 encryption. For help choosing a key spec for your KMS key, - see Choosing a KMS key type (https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose) - in the Key Management Service Developer Guide . - - The KeySpec determines whether the KMS key contains a symmetric key or an - asymmetric key pair. It also determines the algorithms that the KMS key supports. - You can't change the KeySpec after the KMS key is created. To further restrict - the algorithms that can be used with the KMS key, use a condition key in - its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm - (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm), - kms:MacAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm) - or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm) - in the Key Management Service Developer Guide . - - Amazon Web Services services that are integrated with KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration) - use symmetric encryption KMS keys to protect your data. These services do - not support asymmetric KMS keys or HMAC KMS keys. 
- - KMS supports the following key specs for KMS keys: - - - Symmetric encryption key (default) SYMMETRIC_DEFAULT - - - HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512 - - - Asymmetric RSA key pairs (encryption and decryption -or- signing and - verification) RSA_2048 RSA_3072 RSA_4096 - - - Asymmetric NIST-recommended elliptic curve key pairs (signing and verification - -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384 - (secp384r1) ECC_NIST_P521 (secp521r1) - - - Other asymmetric elliptic curve key pairs (signing and verification) - ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies. - - - SM2 key pairs (encryption and decryption -or- signing and verification - -or- deriving shared secrets) SM2 (China Regions only) type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf keyUsage: - description: |- - Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. - This parameter is optional when you are creating a symmetric encryption KMS - key; otherwise, it is required. You can't change the KeyUsage value after - the KMS key is created. - - Select only one valid value. - - - For symmetric encryption KMS keys, omit the parameter or specify ENCRYPT_DECRYPT. - - - For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC. - - - For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT - or SIGN_VERIFY. - - - For asymmetric KMS keys with NIST-recommended elliptic curve key pairs, - specify SIGN_VERIFY or KEY_AGREEMENT. - - - For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY. - - - For asymmetric KMS keys with SM2 key pairs (China Regions only), specify - ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT. 
type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf multiRegion: - description: |- - Creates a multi-Region primary key that you can replicate into other Amazon - Web Services Regions. You cannot change this value after you create the KMS - key. - - For a multi-Region key, set this parameter to True. For a single-Region KMS - key, omit this parameter or set it to False. The default value is False. - - This operation supports multi-Region keys, an KMS feature that lets you create - multiple interoperable KMS keys in different Amazon Web Services Regions. - Because these KMS keys have the same key ID, key material, and other metadata, - you can use them interchangeably to encrypt data in one Amazon Web Services - Region and decrypt it in a different Amazon Web Services Region without re-encrypting - the data or making a cross-Region call. For more information about multi-Region - keys, see Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) - in the Key Management Service Developer Guide. - - This value creates a primary key, not a replica. To create a replica key, - use the ReplicateKey operation. - - You can create a symmetric or asymmetric multi-Region key, and you can create - a multi-Region key with imported key material. However, you cannot create - a multi-Region key in a custom key store. type: boolean + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf origin: - description: |- - The source of the key material for the KMS key. You cannot change the origin - after you create the KMS key. The default is AWS_KMS, which means that KMS - creates the key material. - - To create a KMS key with no key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) - (for imported key material), set this value to EXTERNAL. 
For more information - about importing key material into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) - in the Key Management Service Developer Guide. The EXTERNAL origin value - is valid only for symmetric KMS keys. - - To create a KMS key in an CloudHSM key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html) - and create its key material in the associated CloudHSM cluster, set this - value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId parameter to - identify the CloudHSM key store. The KeySpec value must be SYMMETRIC_DEFAULT. - - To create a KMS key in an external key store (https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html), - set this value to EXTERNAL_KEY_STORE. You must also use the CustomKeyStoreId - parameter to identify the external key store and the XksKeyId parameter to - identify the associated external key. The KeySpec value must be SYMMETRIC_DEFAULT. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf policy: - description: |- - The key policy to attach to the KMS key. - - If you provide a key policy, it must meet the following criteria: - - - The key policy must allow the calling principal to make a subsequent - PutKeyPolicy request on the KMS key. This reduces the risk that the KMS - key becomes unmanageable. For more information, see Default key policy - (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) - in the Key Management Service Developer Guide. (To omit this condition, - set BypassPolicyLockoutSafetyCheck to true.) - - - Each statement in the key policy must contain one or more principals. - The principals in the key policy must exist and be visible to KMS. 
When - you create a new Amazon Web Services principal, you might need to enforce - a delay before including the new principal in a key policy because the - new principal might not be immediately visible to KMS. For more information, - see Changes that I make are not always immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - in the Amazon Web Services Identity and Access Management User Guide. - - If you do not provide a key policy, KMS attaches a default key policy to - the KMS key. For more information, see Default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) - in the Key Management Service Developer Guide. - - The key policy size quota is 32 kilobytes (32768 bytes). - - For help writing and formatting a JSON policy document, see the IAM JSON - Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) - in the Identity and Access Management User Guide . type: string tags: - description: |- - Assigns one or more tags to the KMS key. Use this parameter to tag the KMS - key when it is created. To tag an existing KMS key, use the TagResource operation. - - Do not include confidential or sensitive information in this field. This - field may be displayed in plaintext in CloudTrail logs and other output. - - Tagging or untagging a KMS key can allow or deny permission to the KMS key. - For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - in the Key Management Service Developer Guide. - - To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) - permission in an IAM policy. - - Each tag consists of a tag key and a tag value. Both the tag key and the - tag value are required, but the tag value can be an empty (null) string. 
- You cannot have more than one tag on a KMS key with the same tag key. If - you specify an existing tag key with a different tag value, KMS replaces - the current tag value with the specified one. - - When you add tags to an Amazon Web Services resource, Amazon Web Services - generates a cost allocation report with usage and costs aggregated by tags. - Tags can also be used to control access to a KMS key. For details, see Tagging - Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). items: description: |- A key-value pair. A tag consists of a tag key and a tag value. Tag keys and @@ -318,7 +142,7 @@ spec: type: string conditions: description: |- - All CRS managed by ACK have a common `Status.Conditions` member that + All CRs managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index 5fdfda1..1427e21 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/kms-controller:1.0.21". +This chart deploys "public.ecr.aws/aws-controllers-k8s/kms-controller:1.0.22". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/helm/values.yaml b/helm/values.yaml index 5242e12..1ea36d1 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/kms-controller - tag: 1.0.21 + tag: 1.0.22 pullPolicy: IfNotPresent pullSecrets: [] diff --git a/pkg/resource/key/sdk.go b/pkg/resource/key/sdk.go index 62aa7bb..229fbdb 100644 --- a/pkg/resource/key/sdk.go +++ b/pkg/resource/key/sdk.go 
@@ -686,30 +686,3 @@ func (rm *resourceManager) terminalAWSError(err error) bool {
 	// No terminal_errors specified for this resource in generator config
 	return false
 }
-
-// getImmutableFieldChanges returns list of immutable fields from the
-func (rm *resourceManager) getImmutableFieldChanges(
-	delta *ackcompare.Delta,
-) []string {
-	var fields []string
-	if delta.DifferentAt("Spec.CustomKeyStoreID") {
-		fields = append(fields, "CustomKeyStoreID")
-	}
-	if delta.DifferentAt("Spec.Description") {
-		fields = append(fields, "Description")
-	}
-	if delta.DifferentAt("Spec.KeySpec") {
-		fields = append(fields, "KeySpec")
-	}
-	if delta.DifferentAt("Spec.KeyUsage") {
-		fields = append(fields, "KeyUsage")
-	}
-	if delta.DifferentAt("Spec.MultiRegion") {
-		fields = append(fields, "MultiRegion")
-	}
-	if delta.DifferentAt("Spec.Origin") {
-		fields = append(fields, "Origin")
-	}
-
-	return fields
-}