Have the code below:
data "aws_kms_key" "rds_key" {
key_id = "alias/rds_cluster_enryption_key"
}
And I want to use this key to encrypt an RDS instance:
resource "aws_rds_cluster" "tf-aws-rds-1" {
cluster_identifier = "aurora-cluster-1"
engine = "aurora-mysql"
engine_version = "5.7.mysql_aurora.2.03.2"
availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
database_name = "cupday"
master_username = "administrator"
master_password = var.password
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
storage_encrypted = true
kms_key_id = "data.aws_kms_key.rds_key.arn"
}
However, I'm getting an error like the one below:
Error: "kms_key_id" (data.aws_kms_key.rds_key.id) is an invalid ARN: arn: invalid prefix
on main.tf line 42, in resource "aws_rds_cluster" "tf-aws-rds-1":
42: kms_key_id = "data.aws_kms_key.rds_key.id"
Error: "kms_key_id" (data.aws_kms_key.rds_key.arn) is an invalid ARN: arn: invalid prefix
on main.tf line 42, in resource "aws_rds_cluster" "tf-aws-rds-1":
42: kms_key_id = "data.aws_kms_key.rds_key.arn"
How on earth should I refer to them?
I do not want to disclose my account ID in kms_key_id.
Your use of:
kms_key_id = "data.aws_kms_key.rds_key.arn"
will result in kms_key_id
being literally the string "data.aws_kms_key.rds_key.arn".
It should be either (tf 0.12+):
kms_key_id = data.aws_kms_key.rds_key.arn
or, for tf 0.11:
kms_key_id = "${data.aws_kms_key.rds_key.arn}"
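For reference, here is the corrected configuration in Terraform 0.12+ syntax, as an added example that is not part of the answer above. The provider validates kms_key_id as an ARN, so a quoted string that does not begin with "arn:" is rejected with "invalid prefix"; an unquoted reference is evaluated, and the aws_kms_key data source resolves the alias to the full key ARN at plan time, so the account ID never has to appear in the code. The alias, cluster settings and the password variable are taken from the question; the sensitive flag on the variable (Terraform 0.14+) is an addition assumed here to keep the password out of plan output.

```hcl
# Look up the CMK by alias; the data source returns its ARN,
# so the account ID stays out of source control.
data "aws_kms_key" "rds_key" {
  key_id = "alias/rds_cluster_enryption_key"
}

variable "password" {
  type      = string
  sensitive = true   # assumed addition: redacts the value in plan/apply output (TF 0.14+)
}

resource "aws_rds_cluster" "tf-aws-rds-1" {
  cluster_identifier      = "aurora-cluster-1"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-east-1a", "us-east-1b", "us-east-1c"]
  database_name           = "cupday"
  master_username         = "administrator"
  master_password         = var.password
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"

  # Encrypt storage with the customer-managed key. The reference is
  # unquoted so Terraform evaluates it to the real ARN instead of
  # passing the literal text "data.aws_kms_key.rds_key.arn".
  storage_encrypted = true
  kms_key_id        = data.aws_kms_key.rds_key.arn
}
```

Running terraform plan will show the resolved arn:aws:kms:... value for kms_key_id; if the alias does not exist in the account, the data source lookup fails at plan time rather than at cluster creation, which is the earlier and safer place to catch it.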