Reputation: 1348
I am trying to set up a reusable global Aurora RDS cluster module, and I am setting the primary instance in us-east-1 and the secondary in us-west-1. I am using data to fetch the KMS key from my primary region. My question is: how can I fetch the KMS key present in the different region from a single data.tf file?

This is my global Aurora cluster:
# One aliased provider per region; every regional resource below picks one
# explicitly, so nothing falls through to the default (un-aliased) provider.
provider "aws" {
  alias  = "primary"
  region = var.primary_provider_region
}

provider "aws" {
  alias  = "secondary"
  region = var.secondary_provider_region
}

resource "aws_rds_global_cluster" "example" {
  global_cluster_identifier = var.global_cluster_identifier
  engine                    = var.engine
  engine_version            = var.engine_version
  storage_encrypted         = var.storage_encrypted
}

resource "aws_rds_cluster" "primary" {
  provider                  = aws.primary
  engine                    = aws_rds_global_cluster.example.engine
  engine_version            = aws_rds_global_cluster.example.engine_version
  cluster_identifier        = var.primary_cluster_identifier
  master_username           = var.audit_mysql_master_username
  master_password           = var.audit_mysql_master_password
  database_name             = join("_", ["bmw", var.stage])
  global_cluster_identifier = aws_rds_global_cluster.example.id
  db_subnet_group_name      = var.db_subnet_group_name_primary
  # Key ARN from the primary region (KMS keys are regional).
  kms_key_id                = var.kms_master_key_arn_primary
  # Assumes the variable holds a single security group id.
  vpc_security_group_ids    = [var.vpc_security_group_ids_primary]
}

resource "aws_rds_cluster_instance" "primary" {
  provider             = aws.primary
  engine               = aws_rds_global_cluster.example.engine
  engine_version       = aws_rds_global_cluster.example.engine_version
  identifier           = var.primary_instance_identifier
  cluster_identifier   = aws_rds_cluster.primary.id
  instance_class       = var.instance_type
  db_subnet_group_name = var.db_subnet_group_name_primary
}

resource "aws_rds_cluster" "secondary" {
  provider                  = aws.secondary
  engine                    = aws_rds_global_cluster.example.engine
  engine_version            = aws_rds_global_cluster.example.engine_version
  cluster_identifier        = var.secondary_cluster_identifier
  global_cluster_identifier = aws_rds_global_cluster.example.id
  db_subnet_group_name      = var.db_subnet_group_name_secondary
  # Key ARN from the secondary region; the primary's key cannot be used here.
  kms_key_id                = var.kms_master_key_arn_secondary
  # Assumes the variable holds a single security group id.
  vpc_security_group_ids    = [var.vpc_security_group_ids_secondary]
}

resource "aws_rds_cluster_instance" "secondary" {
  provider             = aws.secondary
  engine               = aws_rds_global_cluster.example.engine
  engine_version       = aws_rds_global_cluster.example.engine_version
  identifier           = var.secondary_instance_identifier
  cluster_identifier   = aws_rds_cluster.secondary.id
  instance_class       = var.instance_type
  db_subnet_group_name = var.db_subnet_group_name_secondary

  # The secondary instance is only created once the primary instance exists.
  depends_on = [
    aws_rds_cluster_instance.primary
  ]
}
I am calling the module like this:

module "rds" {
  source                       = "../../../../modules/aws/rds"
  stage                        = var.stage
  primary_provider_region      = "us-east-1"
  secondary_provider_region    = "us-west-2"
  kms_master_key_arn_primary   = data.aws_kms_alias.amy_key_for_primary.arn
  kms_master_key_arn_secondary = "Hardcoded arn but this should come from the data.tf file"
}

and this is my data.tf file:

data "aws_kms_alias" "amy_key_for_primary" {
  name = "alias/primary"
}

Now my data.tf code snippet does the job of pulling the ARN for the key in my primary region, aka us-east-1, but how can I configure it so I can also use the other key from the us-west-2 region? Any help will be appreciated. Thank you.
Upvotes: 3
Views: 1590
Reputation: 10442
According to the docs you can use the provider meta-argument.

Based on what I can tell from your setup, you'd need to move the aws_kms_alias into the rds module itself (remove the kms_master_key_arn_primary and kms_master_key_arn_secondary variables from the module).
# modules/aws/rds.tf
...
# Each lookup is pinned to the provider for the region that holds the alias.
data "aws_kms_alias" "amy_key_for_primary" {
  provider = aws.primary
  name     = "alias/primary"
}

data "aws_kms_alias" "amy_key_for_secondary" {
  provider = aws.secondary
  name     = "alias/secondary"
}
...
resource "aws_rds_cluster" "primary" {
  provider = aws.primary
  ...
  # Data sources are referenced with the data. prefix; target_key_arn is the
  # ARN of the key behind the alias (arn would be the alias ARN).
  kms_key_id = data.aws_kms_alias.amy_key_for_primary.target_key_arn
  ...
}
...
resource "aws_rds_cluster" "secondary" {
  provider = aws.secondary
  ...
  kms_key_id = data.aws_kms_alias.amy_key_for_secondary.target_key_arn
  ...
}
Upvotes: 2
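A complete version of the two-region lookup, added here as an example; it is neither the asker's nor the answerer's code. It keeps both lookups in the root data.tf, which is what the question asked for, and passes the two key ARNs into the module as variables; the module then declares the provider aliases it expects from its caller instead of creating its own provider blocks with a region. The alias name alias/primary, the module path and the variable names come from the thread; the alias name alias/secondary, the file layout, and the use of configuration_aliases (which needs Terraform 0.15 or later) are assumptions.

```hcl
# ---- root module: data.tf (assumed file name) ----
# KMS keys and their aliases are regional, so each lookup is pinned to the
# provider for the region that holds the alias. Without `provider = ...`
# both lookups would run against the default provider's region.
provider "aws" {
  alias  = "primary"
  region = "us-east-1"
}

provider "aws" {
  alias  = "secondary"
  region = "us-west-2"
}

data "aws_kms_alias" "primary" {
  provider = aws.primary
  name     = "alias/primary" # alias name from the question
}

data "aws_kms_alias" "secondary" {
  provider = aws.secondary
  name     = "alias/secondary" # assumed: an alias of this name exists in us-west-2
}

# ---- root module: main.tf (assumed file name) ----
module "rds" {
  source = "../../../../modules/aws/rds"

  # Hand the two aliased configurations down so that aws.primary and
  # aws.secondary inside the module resolve to these regions.
  providers = {
    aws.primary   = aws.primary
    aws.secondary = aws.secondary
  }

  stage = var.stage

  # target_key_arn is the ARN of the key behind the alias, which is what
  # kms_key_id expects; .arn on this data source would be the alias ARN.
  kms_master_key_arn_primary   = data.aws_kms_alias.primary.target_key_arn
  kms_master_key_arn_secondary = data.aws_kms_alias.secondary.target_key_arn
}

# ---- child module: modules/aws/rds/versions.tf (assumed file name) ----
# The module names the aliases its caller must supply and no longer defines
# provider "aws" blocks or region variables of its own.
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.primary, aws.secondary]
    }
  }
}

# ---- child module: modules/aws/rds/variables.tf (assumed file name) ----
# One key per region: an encrypted global database needs the secondary
# cluster encrypted with a key that lives in the secondary's own region.
variable "kms_master_key_arn_primary" {
  description = "ARN of the KMS key in the primary region"
  type        = string
}

variable "kms_master_key_arn_secondary" {
  description = "ARN of the KMS key in the secondary region"
  type        = string
}
```

With this layout the module's aws_rds_cluster resources keep `kms_key_id = var.kms_master_key_arn_primary` and `kms_key_id = var.kms_master_key_arn_secondary` exactly as in the question; only the source of those values changes. The `providers` map only works if the module's own `provider "aws"` blocks are removed, since a module cannot both configure an alias itself and receive it from the caller. Pinning each data source to a provider is also what makes the lookup fail loudly when the alias is missing in the intended region, rather than silently returning a key from the default region.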