Welcome to Pulumi Registry, your window into the cloud. Read the announcement.

AWS Classic

v4.30.0 published on Tuesday, Nov 30, 2021 by Pulumi

KeySigningKey

Manages a Route 53 Key Signing Key. To manage Domain Name System Security Extensions (DNSSEC) for a Hosted Zone, see the aws.route53.HostedZoneDnsSec resource. For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.

Example Usage

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var exampleKey = new Aws.Kms.Key("exampleKey", new Aws.Kms.KeyArgs
        {
            CustomerMasterKeySpec = "ECC_NIST_P256",
            DeletionWindowInDays = 7,
            KeyUsage = "SIGN_VERIFY",
            Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                { "Statement", new[]
                    {
                        new Dictionary<string, object?>
                        {
                            { "Action", new[]
                                {
                                    "kms:DescribeKey",
                                    "kms:GetPublicKey",
                                    "kms:Sign",
                                }
                             },
                            { "Effect", "Allow" },
                            { "Principal", new Dictionary<string, object?>
                            {
                                { "Service", "dnssec-route53.amazonaws.com" },
                            } },
                            { "Sid", "Allow Route 53 DNSSEC Service" },
                            { "Resource", "*" },
                        },
                        new Dictionary<string, object?>
                        {
                            { "Action", "kms:CreateGrant" },
                            { "Effect", "Allow" },
                            { "Principal", new Dictionary<string, object?>
                            {
                                { "Service", "dnssec-route53.amazonaws.com" },
                            } },
                            { "Sid", "Allow Route 53 DNSSEC Service to CreateGrant" },
                            { "Resource", "*" },
                            { "Condition", new Dictionary<string, object?>
                            {
                                { "Bool", new Dictionary<string, object?>
                                {
                                    { "kms:GrantIsForAWSResource", "true" },
                                } },
                            } },
                        },
                        new Dictionary<string, object?>
                        {
                            { "Action", "kms:*" },
                            { "Effect", "Allow" },
                            { "Principal", new Dictionary<string, object?>
                            {
                                { "AWS", "*" },
                            } },
                            { "Resource", "*" },
                            { "Sid", "IAM User Permissions" },
                        },
                    }
                 },
                { "Version", "2012-10-17" },
            }),
        });
        var exampleZone = new Aws.Route53.Zone("exampleZone", new Aws.Route53.ZoneArgs
        {
        });
        var exampleKeySigningKey = new Aws.Route53.KeySigningKey("exampleKeySigningKey", new Aws.Route53.KeySigningKeyArgs
        {
            HostedZoneId = aws_route53_zone.Test.Id,
            KeyManagementServiceArn = aws_kms_key.Test.Arn,
        });
        var exampleHostedZoneDnsSec = new Aws.Route53.HostedZoneDnsSec("exampleHostedZoneDnsSec", new Aws.Route53.HostedZoneDnsSecArgs
        {
            HostedZoneId = exampleKeySigningKey.HostedZoneId,
        }, new CustomResourceOptions
        {
            DependsOn = 
            {
                exampleKeySigningKey,
            },
        });
    }

}
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/kms"
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/route53"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"Statement": []interface{}{
				map[string]interface{}{
					"Action": []string{
						"kms:DescribeKey",
						"kms:GetPublicKey",
						"kms:Sign",
					},
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"Service": "dnssec-route53.amazonaws.com",
					},
					"Sid":      "Allow Route 53 DNSSEC Service",
					"Resource": "*",
				},
				map[string]interface{}{
					"Action": "kms:CreateGrant",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"Service": "dnssec-route53.amazonaws.com",
					},
					"Sid":      "Allow Route 53 DNSSEC Service to CreateGrant",
					"Resource": "*",
					"Condition": map[string]interface{}{
						"Bool": map[string]interface{}{
							"kms:GrantIsForAWSResource": "true",
						},
					},
				},
				map[string]interface{}{
					"Action": "kms:*",
					"Effect": "Allow",
					"Principal": map[string]interface{}{
						"AWS": "*",
					},
					"Resource": "*",
					"Sid":      "IAM User Permissions",
				},
			},
			"Version": "2012-10-17",
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err := kms.NewKey(ctx, "exampleKey", &kms.KeyArgs{
			CustomerMasterKeySpec: pulumi.String("ECC_NIST_P256"),
			DeletionWindowInDays:  pulumi.Int(7),
			KeyUsage:              pulumi.String("SIGN_VERIFY"),
			Policy:                pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		_, err = route53.NewZone(ctx, "exampleZone", nil)
		if err != nil {
			return err
		}
		exampleKeySigningKey, err := route53.NewKeySigningKey(ctx, "exampleKeySigningKey", &route53.KeySigningKeyArgs{
			HostedZoneId:            pulumi.Any(aws_route53_zone.Test.Id),
			KeyManagementServiceArn: pulumi.Any(aws_kms_key.Test.Arn),
		})
		if err != nil {
			return err
		}
		_, err = route53.NewHostedZoneDnsSec(ctx, "exampleHostedZoneDnsSec", &route53.HostedZoneDnsSecArgs{
			HostedZoneId: exampleKeySigningKey.HostedZoneId,
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleKeySigningKey,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import json
import pulumi_aws as aws

example_key = aws.kms.Key("exampleKey",
    customer_master_key_spec="ECC_NIST_P256",
    deletion_window_in_days=7,
    key_usage="SIGN_VERIFY",
    policy=json.dumps({
        "Statement": [
            {
                "Action": [
                    "kms:DescribeKey",
                    "kms:GetPublicKey",
                    "kms:Sign",
                ],
                "Effect": "Allow",
                "Principal": {
                    "Service": "dnssec-route53.amazonaws.com",
                },
                "Sid": "Allow Route 53 DNSSEC Service",
                "Resource": "*",
            },
            {
                "Action": "kms:CreateGrant",
                "Effect": "Allow",
                "Principal": {
                    "Service": "dnssec-route53.amazonaws.com",
                },
                "Sid": "Allow Route 53 DNSSEC Service to CreateGrant",
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true",
                    },
                },
            },
            {
                "Action": "kms:*",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*",
                },
                "Resource": "*",
                "Sid": "IAM User Permissions",
            },
        ],
        "Version": "2012-10-17",
    }))
example_zone = aws.route53.Zone("exampleZone")
example_key_signing_key = aws.route53.KeySigningKey("exampleKeySigningKey",
    hosted_zone_id=aws_route53_zone["test"]["id"],
    key_management_service_arn=aws_kms_key["test"]["arn"])
example_hosted_zone_dns_sec = aws.route53.HostedZoneDnsSec("exampleHostedZoneDnsSec", hosted_zone_id=example_key_signing_key.hosted_zone_id,
opts=pulumi.ResourceOptions(depends_on=[example_key_signing_key]))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleKey = new aws.kms.Key("exampleKey", {
    customerMasterKeySpec: "ECC_NIST_P256",
    deletionWindowInDays: 7,
    keyUsage: "SIGN_VERIFY",
    policy: JSON.stringify({
        Statement: [
            {
                Action: [
                    "kms:DescribeKey",
                    "kms:GetPublicKey",
                    "kms:Sign",
                ],
                Effect: "Allow",
                Principal: {
                    Service: "dnssec-route53.amazonaws.com",
                },
                Sid: "Allow Route 53 DNSSEC Service",
                Resource: "*",
            },
            {
                Action: "kms:CreateGrant",
                Effect: "Allow",
                Principal: {
                    Service: "dnssec-route53.amazonaws.com",
                },
                Sid: "Allow Route 53 DNSSEC Service to CreateGrant",
                Resource: "*",
                Condition: {
                    Bool: {
                        "kms:GrantIsForAWSResource": "true",
                    },
                },
            },
            {
                Action: "kms:*",
                Effect: "Allow",
                Principal: {
                    AWS: "*",
                },
                Resource: "*",
                Sid: "IAM User Permissions",
            },
        ],
        Version: "2012-10-17",
    }),
});
const exampleZone = new aws.route53.Zone("exampleZone", {});
const exampleKeySigningKey = new aws.route53.KeySigningKey("exampleKeySigningKey", {
    hostedZoneId: aws_route53_zone.test.id,
    keyManagementServiceArn: aws_kms_key.test.arn,
});
const exampleHostedZoneDnsSec = new aws.route53.HostedZoneDnsSec("exampleHostedZoneDnsSec", {hostedZoneId: exampleKeySigningKey.hostedZoneId}, {
    dependsOn: [exampleKeySigningKey],
});

Create a KeySigningKey Resource

new KeySigningKey(name: string, args: KeySigningKeyArgs, opts?: CustomResourceOptions);
@overload
def KeySigningKey(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  hosted_zone_id: Optional[str] = None,
                  key_management_service_arn: Optional[str] = None,
                  name: Optional[str] = None,
                  status: Optional[str] = None)
@overload
def KeySigningKey(resource_name: str,
                  args: KeySigningKeyArgs,
                  opts: Optional[ResourceOptions] = None)
func NewKeySigningKey(ctx *Context, name string, args KeySigningKeyArgs, opts ...ResourceOption) (*KeySigningKey, error)
public KeySigningKey(string name, KeySigningKeyArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args KeySigningKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args KeySigningKeyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args KeySigningKeyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args KeySigningKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

KeySigningKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The KeySigningKey resource accepts the following input properties:

HostedZoneId string
Identifier of the Route 53 Hosted Zone.
KeyManagementServiceArn string
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
Status string
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
HostedZoneId string
Identifier of the Route 53 Hosted Zone.
KeyManagementServiceArn string
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
Status string
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
hostedZoneId string
Identifier of the Route 53 Hosted Zone.
keyManagementServiceArn string
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
status string
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
hosted_zone_id str
Identifier of the Route 53 Hosted Zone.
key_management_service_arn str
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
name str
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
status str
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.

Outputs

All input properties are implicitly available as output properties. Additionally, the KeySigningKey resource produces the following output properties:

DigestAlgorithmMnemonic string
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestAlgorithmType int
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestValue string
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
DnskeyRecord string
A string that represents a DNSKEY record.
DsRecord string
A string that represents a delegation signer (DS) record.
Flag int
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
Id string
The provider-assigned unique ID for this managed resource.
KeyTag int
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
PublicKey string
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
SigningAlgorithmMnemonic string
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
SigningAlgorithmType int
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
DigestAlgorithmMnemonic string
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestAlgorithmType int
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestValue string
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
DnskeyRecord string
A string that represents a DNSKEY record.
DsRecord string
A string that represents a delegation signer (DS) record.
Flag int
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
Id string
The provider-assigned unique ID for this managed resource.
KeyTag int
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
PublicKey string
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
SigningAlgorithmMnemonic string
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
SigningAlgorithmType int
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
digestAlgorithmMnemonic string
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digestAlgorithmType number
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digestValue string
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
dnskeyRecord string
A string that represents a DNSKEY record.
dsRecord string
A string that represents a delegation signer (DS) record.
flag number
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
id string
The provider-assigned unique ID for this managed resource.
keyTag number
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
publicKey string
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
signingAlgorithmMnemonic string
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
signingAlgorithmType number
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
digest_algorithm_mnemonic str
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digest_algorithm_type int
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digest_value str
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
dnskey_record str
A string that represents a DNSKEY record.
ds_record str
A string that represents a delegation signer (DS) record.
flag int
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
id str
The provider-assigned unique ID for this managed resource.
key_tag int
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
public_key str
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
signing_algorithm_mnemonic str
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
signing_algorithm_type int
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.

Look up an Existing KeySigningKey Resource

Get an existing KeySigningKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: KeySigningKeyState, opts?: CustomResourceOptions): KeySigningKey
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        digest_algorithm_mnemonic: Optional[str] = None,
        digest_algorithm_type: Optional[int] = None,
        digest_value: Optional[str] = None,
        dnskey_record: Optional[str] = None,
        ds_record: Optional[str] = None,
        flag: Optional[int] = None,
        hosted_zone_id: Optional[str] = None,
        key_management_service_arn: Optional[str] = None,
        key_tag: Optional[int] = None,
        name: Optional[str] = None,
        public_key: Optional[str] = None,
        signing_algorithm_mnemonic: Optional[str] = None,
        signing_algorithm_type: Optional[int] = None,
        status: Optional[str] = None) -> KeySigningKey
func GetKeySigningKey(ctx *Context, name string, id IDInput, state *KeySigningKeyState, opts ...ResourceOption) (*KeySigningKey, error)
public static KeySigningKey Get(string name, Input<string> id, KeySigningKeyState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

DigestAlgorithmMnemonic string
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestAlgorithmType int
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestValue string
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
DnskeyRecord string
A string that represents a DNSKEY record.
DsRecord string
A string that represents a delegation signer (DS) record.
Flag int
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
HostedZoneId string
Identifier of the Route 53 Hosted Zone.
KeyManagementServiceArn string
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
KeyTag int
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
PublicKey string
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
SigningAlgorithmMnemonic string
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
SigningAlgorithmType int
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
Status string
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
DigestAlgorithmMnemonic string
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestAlgorithmType int
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
DigestValue string
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
DnskeyRecord string
A string that represents a DNSKEY record.
DsRecord string
A string that represents a delegation signer (DS) record.
Flag int
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
HostedZoneId string
Identifier of the Route 53 Hosted Zone.
KeyManagementServiceArn string
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
KeyTag int
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
PublicKey string
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
SigningAlgorithmMnemonic string
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
SigningAlgorithmType int
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
Status string
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
digestAlgorithmMnemonic string
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digestAlgorithmType number
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digestValue string
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
dnskeyRecord string
A string that represents a DNSKEY record.
dsRecord string
A string that represents a delegation signer (DS) record.
flag number
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
hostedZoneId string
Identifier of the Route 53 Hosted Zone.
keyManagementServiceArn string
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
keyTag number
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
publicKey string
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
signingAlgorithmMnemonic string
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
signingAlgorithmType number
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
status string
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
digest_algorithm_mnemonic str
A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digest_algorithm_type int
An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
digest_value str
A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
dnskey_record str
A string that represents a DNSKEY record.
ds_record str
A string that represents a delegation signer (DS) record.
flag int
An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
hosted_zone_id str
Identifier of the Route 53 Hosted Zone.
key_management_service_arn str
Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
key_tag int
An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
name str
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
public_key str
The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
signing_algorithm_mnemonic str
A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
signing_algorithm_type int
An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
status str
Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.

Import

aws_route53_key_signing_key resources can be imported by using the Route 53 Hosted Zone identifier and KMS Key identifier, separated by a comma (,), e.g.,

 $ pulumi import aws:route53/keySigningKey:KeySigningKey example Z1D633PJN98FT9,example

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.