Hi,
I am able to complete the task but verification failed, please check and advise.

```hcl
# Create the KMS key
resource "aws_kms_key" "xfusion_kms_key" {
  description              = "KMS key for encrypting and decrypting sensitive data"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  tags = {
    Name = "xfusion-kms-key"
  }
}

# Create an alias for the KMS key
resource "aws_kms_alias" "xfusion_kms_key_alias" {
  name          = "alias/xfusion-kms-key"
  target_key_id = aws_kms_key.xfusion_kms_key.key_id
}

# Encrypt the file
resource "aws_kms_ciphertext" "encrypted_data" {
  key_id    = aws_kms_key.xfusion_kms_key.key_id
  plaintext = file("/home/bob/terraform/SensitiveData.txt")
}

# Save the Base64 encoded ciphertext to a file
resource "local_file" "encrypted_file" {
  content  = aws_kms_ciphertext.encrypted_data.ciphertext_blob
  filename = "/home/bob/terraform/EncryptedData.bin"
}

# Decrypt the data back to plaintext
data "aws_kms_secrets" "decrypted_data" {
  secret {
    name    = "decrypted"
    payload = aws_kms_ciphertext.encrypted_data.ciphertext_blob
  }
}

# Save the decrypted file for verification
resource "local_file" "decrypted_file" {
  content  = lookup(data.aws_kms_secrets.decrypted_data.plaintext, "decrypted")
  filename = "/home/bob/terraform/DecryptedData.txt"
}
```
Hi @suryaeshwaran
Thanks for your detailed feedback. I checked and faced the same issue, but with a different error message. I’ll work with the team to verify and validate it. I’ll keep you updated.
Hi @suryaeshwaran
Thanks for your detailed feedback, the team has updated it, please try again.
Hi @raymond.baoly
Thank you very much, I have completed the task.
Hi @raymond.baoly,
I am still getting an error (Decryption using KMS key failed), even though I am successfully able to see the encrypted and decrypted files in VS Code / terminal.
My TF code:
```hcl
# 1. Create a symmetric KMS key
resource "aws_kms_key" "xfusion-kms-key" {
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  tags = {
    Name = "xfusion-kms-key"
  }
}

resource "aws_kms_alias" "alias" {
  name          = "alias/xfusion-kms-key"
  target_key_id = aws_kms_key.xfusion-kms-key.id
}

# 2. Read plaintext from SensitiveData.txt
locals {
  sensitive_file_path = "/home/bob/terraform/SensitiveData.txt"
  sensitive_plaintext = file(local.sensitive_file_path)
}

# 3. Encrypt the plaintext using KMS
resource "aws_kms_ciphertext" "encrypted_data" {
  key_id    = aws_kms_key.xfusion-kms-key.arn
  plaintext = local.sensitive_plaintext
}

# 4. Save base64 encoded ciphertext to EncryptedData.bin
resource "local_file" "encrypted_file" {
  filename = "/home/bob/terraform/EncryptedData.bin"
  content  = base64encode(resource.aws_kms_ciphertext.encrypted_data.ciphertext_blob)
}

# 5. Decrypt the ciphertext to verify using new data source aws_kms_secrets
data "aws_kms_secrets" "decrypted_data" {
  secret {
    name    = "decrypted"
    payload = resource.aws_kms_ciphertext.encrypted_data.ciphertext_blob
  }
}

# 6. Save decrypted data for verification
resource "local_file" "decrypted_file" {
  filename = "/home/bob/terraform/DecryptedData.txt"
  content  = data.aws_kms_secrets.decrypted_data.plaintext["decrypted"]
}
```
I was able to resolve it by removing the base64encode function, which is odd because the task explicitly mentions to base64-encode the ciphertext.
Maybe the task instructions need to be modified, or the validation script could be tailored to factor in the base64 encoding. Just a suggestion from my end.
Hi @m.muiz.q
Thank you very much for your feedback. I understand your confusion. In the Terraform documentation at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_ciphertext, the ciphertext_blob attribute is a Base64-encoded ciphertext. This means it is already encoded in Base64, so we don’t need to do it ourselves. The question mentions Base64 to make sure we are using the correct resources. I really appreciate your feedback, and if more people find this unclear, we will consider updating it.
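A small check for the double-encoding discussed in the two posts above (wrapping the already Base64-encoded ciphertext_blob in base64encode), added here as an example; it is not from the thread, the task, or the Terraform provider. It assumes EncryptedData.bin is read as bytes and that a raw KMS ciphertext blob contains bytes outside the Base64 alphabet, which is what lets the layers be counted.

```python
import base64
import binascii

# Constructed sample standing in for the raw bytes KMS returns. A real
# ciphertext blob is binary, so it is never pure printable Base64 text.
RAW_BLOB = bytes([0x01, 0x02, 0x02, 0x00, 0x78, 0xFE, 0x9A, 0x00]) + b"\x80" * 24
# What ciphertext_blob holds: the blob encoded once.
ONE_LAYER = base64.b64encode(RAW_BLOB)
# What base64encode(ciphertext_blob) produces: encoded a second time.
TWO_LAYERS = base64.b64encode(ONE_LAYER)


def looks_like_base64_text(data: bytes) -> bool:
    """True if data is strict Base64 (alphabet-only, correct padding) that decodes to something."""
    try:
        return len(base64.b64decode(data, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def base64_layers(content: bytes) -> int:
    """Count how many Base64 layers wrap a binary payload.

    0 = raw bytes, 1 = ciphertext_blob written as-is, 2 = base64encode() applied on top.
    A trailing newline (local_file content often ends with one) is tolerated.
    """
    layers = 0
    current = content.strip()
    while looks_like_base64_text(current):
        current = base64.b64decode(current, validate=True)
        layers += 1
    return layers


def classify_encrypted_file(content: bytes) -> str:
    """Map the layer count to what a verification step would want to report."""
    layers = base64_layers(content)
    if layers == 0:
        return "raw-binary"      # not a Base64 string at all
    if layers == 1:
        return "ok"              # ciphertext_blob stored unchanged
    return "double-encoded"      # base64encode(ciphertext_blob): decrypt will fail


if __name__ == "__main__":
    with open("/home/bob/terraform/EncryptedData.bin", "rb") as fh:  # path from the task
        print(classify_encrypted_file(fh.read()))
```

Running it against EncryptedData.bin reports "double-encoded" for the config with base64encode and "ok" once that wrapper is removed, which matches the behaviour reported in the thread.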