Update AWS KMS key policy

Does anyone know of a way of updating the policy of an AWS Key Management Service (KMS) Customer Managed Key (CMK), without having to recreate the key?

Currently a CMK is declared as part of a module, which defines a basic key policy:

resource "aws_kms_key" "sqs_key" {
  description = "SQS message encryption at rest."
  policy = (var.kms == null ?

We have a need to update the key policy to add an additional Principal due to a new micro-service being created, but I can’t find a way of updating the key policy without either declaring a new key, which will break the current configuration, or adding the Principal to the existing resource definition, but this will add the Principal to all CMKs, which isn’t needed.

For IAM there is the resource aws_iam_policy_attachment, which would allow an additional policy to be added to a user, group or role, but I can’t find an equivalent for KMS.

Any help provided would be appreciated.

Is there a Terraform equivalent of the CLI command aws kms put-key-policy? Can’t find it myself.
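
An added example, not code from the original post or its module: one way to change a key's policy in place and per key, using the AWS provider's `aws_kms_key_policy` resource (available in recent provider versions), which sets the policy on an existing key much as `aws kms put-key-policy` does. The variable `additional_principal_arns`, the statement names and the baseline statement are assumptions, because the module's real policy is cut off above.

```hcl
# Hypothetical module input: extra principals for this one key only.
# Module instances that do not set it get no additional statement.
variable "additional_principal_arns" {
  type    = list(string)
  default = []
}

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "sqs_key" {
  description = "SQS message encryption at rest."
  # No inline policy here; the policy is managed by aws_kms_key_policy below,
  # so a policy change updates the existing key instead of replacing it.
}

data "aws_iam_policy_document" "sqs_key" {
  # Assumed baseline: keeps the owning account able to administer the key.
  statement {
    sid       = "EnableRootAccountAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Rendered only when this module instance is given extra principals.
  dynamic "statement" {
    for_each = length(var.additional_principal_arns) > 0 ? [1] : []
    content {
      sid       = "AllowAdditionalPrincipalsUseOfKey"
      actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
      resources = ["*"]
      principals {
        type        = "AWS"
        identifiers = var.additional_principal_arns
      }
    }
  }
}

resource "aws_kms_key_policy" "sqs_key" {
  key_id = aws_kms_key.sqs_key.id
  policy = data.aws_iam_policy_document.sqs_key.json
}
```

Only the module call for the new micro-service's queue passes `additional_principal_arns`, so the other CMKs created by the module keep the baseline policy.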