pcf.particle.aws.kms package

Submodules

pcf.particle.aws.kms.kms_key module

class pcf.particle.aws.kms.kms_key.KMSKey(particle_definition, session=None)

Bases: pcf.core.aws_resource.AWSResource

This is an instantiation of an AWS KMS key. For now, only CMKs stored in KMS are supported; keys in External or CloudHSM key stores will be added later. Creating a KMS key requires no inputs except a key_name, which is used to create an “alias” for the key. Aliases are unique per region. Upon particle termination, the alias is deleted and the key is scheduled for deletion (KMS keys cannot be deleted immediately). If the given key name/alias already exists, the particle is mapped to that key rather than creating a new one.

aws_resource Definition

Parameters:
  • custom_config (dict) –

    [REQUIRED] A dictionary containing configuration values:

    • key_name (str) - [REQUIRED] A string used to uniquely identify the key. Transformed into an alias for the key. No spaces.
  • Policy (str) – A JSON-formatted policy string for the key
  • Description (str) – A description of the key, visible in the AWS console and CLI calls
  • BypassPolicyLockoutSafetyCheck (boolean) – A flag used in conjunction with the Policy parameter to indicate if the . Default value is False. For more info, see the AWS docs.
  • Tags (list) –

    A list of key-value dictionaries with tag information:

    • {} (dict) Containing the following keys:
      • TagKey (str) - [REQUIRED] The tag name
      • TagValue (str) - [REQUIRED] The tag value

Example minimal particle definition:

particle_definition = {
    'pcf_name': 'kms_example',
    'flavor': 'kms_key',
    'aws_resource': {
        "custom_config": {
            "key_name": "kms_alias_name"
        }
    }
}

The following states can be handled by the particle:

Particle State   KMS Key State      Notes
Running          Enabled            Will create key if DNE, will adopt key if alias given
Stopped          Disabled           No need to disable prior to deletion
Terminated       Pending Deletion   Schedules key for deletion in 30 days, removes alias
Pending          Pending Import     Not used by KMS-generated keys, not supported
Pending          Unavailable        Not used by KMS-generated keys, not supported

START_PARAMS = {'BypassPolicyLockoutSafetyCheck', 'CustomKeyStoreId', 'Description', 'Policy', 'Tags'}

A set of the params used by the AWS API in the create_key operation. Used as a filter for the return of describe_key, in order to check if the state is equivalent to the definition.

UNIQUE_KEYS = ['aws_resource.custom_config.key_name']

The key used to uniquely identify the particle. User supplied.

_get_alias()

Returns the alias record for the provided key_name in custom configuration.

Returns:
  • AliasName (str) - The alias name (always starts with “alias/”)
  • AliasArn (str) - The ARN for the key alias
  • TargetKeyId (str) - The unique identifier for the key the alias is associated with
Return type: dict (empty if the alias does not exist, otherwise containing the keys above)

_get_arn()

Returns the ARN of the key.

Returns: str

_get_status()

Using the _get_alias() method, this method queries for the key with the specified name and returns the result of the describe_key API call for that key. If the key does not exist (DNE), it returns an empty dictionary.

Note: The instance attribute _arn is set in this method. It cannot be set in the start method, since that method may not be called if the key already exists. This method is called by sync_state, so it is always run.

Returns: dict (‘KeyMetadata’ from the describe_key API call, or empty if DNE)

_set_unique_keys()

Required method: Used in methods in the base class(es).

Sets the instance variable unique_keys to the value of the class variable. The base class methods fail if this method, or either the class-level or instance-level unique_keys variable, is missing.

_start()

Required method: Used in methods in the base class(es).

Creates a customer-managed key (CMK), or, if the specified alias already exists, re-enables the existing key. The behaviour has to cover both cases, since this function is called in both the Terminated –> Running and the Stopped –> Running state transitions. The return object is supplied for convenience and is not used in any operations.

Returns: dict (response of boto3 kms create_key or enable_key, depending on transition type)

_stop()

Required method: Used in methods in the base class(es).

This method disables the key. The return object is supplied for convenience and is not used in any operations.

Returns: dict (response of disable_key)

_terminate()

Required method: Used in methods in the base class(es).

Schedules the deletion of the key. CMKs cannot be deleted immediately; the waiting period defaults to 30 days. Also deletes the alias associated with the key, so the particle can be re-used immediately, even if the key isn’t technically deleted yet.

Returns: dict (response of boto3 kms schedule_key_deletion)

_update()

Required method: Used in methods in the base class(es).

Currently does nothing. Needs to be implemented for updates that do not change state, such as modifying tags or description.

_validate_config()

Custom logic that validates the particle’s configuration.

flavor = 'kms_key'

Name of the particle type, used in the particle definition

is_state_definition_equivalent()

Overridden method from base class (particle.py), responsible for testing if the particle has reached its desired state.

The original method ran diff_dict on the current_state_definition and the desired_state_definition (a.k.a. the resource from the particle configuration). Since the return value of the describe_key operation is used to set the current_state_definition and never contains the custom_config key, the definitions must be filtered before the comparison.

Returns: bool

state_lookup = {'Disabled': <State.stopped: 2>, 'Enabled': <State.running: 1>, 'PendingDeletion': <State.terminated: 3>, 'PendingImport': <State.pending: 4>, 'Unavailable': <State.pending: 4>}

Mapping between the KMS key states reported by AWS and PCF particle states. Used after describe calls to determine the latest state.

sync_state()

Required method: Logic that updates the current state of the particle. Used in methods in the base class(es).

Works by fetching the latest key information and setting the current_state_definition to the result. Also updates the particle state before exiting.
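The alias lookup in _get_alias()/_get_status() and the KeyState mapping that sync_state() applies, as an added example that is not pcf’s own code. It assumes a client with the boto3 KMS list_aliases (Marker/NextMarker pagination) and describe_key signatures; FakeKMS is a constructed stand-in so it runs offline, and treating a missing key as terminated is an assumption.

```python
# KMS KeyState -> particle state, as in the state_lookup table on this page
STATE_LOOKUP = {"Enabled": "running", "Disabled": "stopped",
                "PendingDeletion": "terminated", "PendingImport": "pending",
                "Unavailable": "pending"}

def alias_name(key_name):
    """key_name is the alias suffix: must be non-empty with no spaces."""
    if not key_name or " " in key_name:
        raise ValueError("key_name must be non-empty and contain no spaces")
    return "alias/" + key_name

def get_alias(kms, key_name):
    """Like _get_alias(): walk list_aliases pages (Marker/NextMarker) and
    return the matching alias record, or {} when the alias does not exist."""
    target, kwargs = alias_name(key_name), {}
    while True:
        page = kms.list_aliases(**kwargs)
        for rec in page["Aliases"]:
            if rec["AliasName"] == target:
                return rec
        if not page.get("Truncated"):
            return {}
        kwargs = {"Marker": page["NextMarker"]}

def get_status(kms, key_name):
    """Like _get_status(): KeyMetadata of the aliased key, or {} if DNE."""
    alias = get_alias(kms, key_name)
    return kms.describe_key(KeyId=alias["TargetKeyId"])["KeyMetadata"] if alias else {}

def particle_state(kms, key_name):
    """Core of sync_state(); a key that does not exist counts as terminated (assumption)."""
    meta = get_status(kms, key_name)
    return STATE_LOOKUP[meta["KeyState"]] if meta else "terminated"

class FakeKMS:
    """Constructed stand-in for a boto3 KMS client; returns one alias per page."""
    def __init__(self, aliases, keys):
        self._aliases, self._keys = aliases, keys

    def list_aliases(self, Marker=None):
        i = int(Marker or 0)
        out = {"Aliases": self._aliases[i:i + 1], "Truncated": i + 1 < len(self._aliases)}
        if out["Truncated"]:
            out["NextMarker"] = str(i + 1)
        return out

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self._keys[KeyId]}}
```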

Module contents