in tools/infrasys/src/root.rs [97:172]
/// Registers every KMS-backed key in `available_keys` with the root.json at
/// `filepath` for the given `role`, after setting that role's signing threshold.
///
/// `available_keys` maps a KMS key id to the AWS region the key lives in; each
/// `add-key` command is issued against the key's own region, while the
/// `set-threshold` commands use the default region.
///
/// For `KeyRole::Publication` the same keys are added to the snapshot, targets
/// and timestamp roles, and `key_id` is populated with one of the publication
/// keys when the caller did not already provide one. For `KeyRole::Root`,
/// `key_id` is left untouched.
///
/// # Errors
/// Returns `error::InvalidThreshold` when fewer keys are available than the
/// requested threshold, `error::KeyCreation` when there is no publication key
/// to populate `key_id` with, or whatever `tuftool!` reports for a failed command.
fn add_keys_kms(
    available_keys: &HashMap<String, String>,
    role: &KeyRole,
    threshold: &NonZeroUsize,
    filepath: &str,
    key_id: &mut Option<String>,
) -> Result<()> {
    let num_keys = available_keys.len();
    // A threshold above the number of keys could never be satisfied, so refuse
    // it before any command is issued.
    ensure!(
        num_keys >= threshold.get(),
        error::InvalidThreshold {
            threshold: threshold.to_string(),
            num_keys,
        }
    );

    // NOTE(review): `filepath` and each key id are interpolated inside single
    // quotes in the command strings below. If `tuftool!` (defined elsewhere)
    // runs the command through a shell, a value containing `'` would break that
    // quoting — confirm these values only ever come from trusted configuration.
    match role {
        KeyRole::Root => {
            tuftool!(
                Region::default().name(),
                "root set-threshold '{}' root '{}' ",
                filepath,
                threshold.to_string()
            );
            // Each key is registered from within its own region.
            for (kms_key_id, key_region) in available_keys {
                tuftool!(
                    key_region,
                    "root add-key '{}' aws-kms:///'{}' --role root",
                    filepath,
                    kms_key_id
                );
            }
        }
        KeyRole::Publication => {
            // The same threshold applies to all three publication roles.
            tuftool!(
                Region::default().name(),
                "root set-threshold '{}' snapshot '{}' ",
                filepath,
                threshold.to_string()
            );
            tuftool!(
                Region::default().name(),
                "root set-threshold '{}' targets '{}' ",
                filepath,
                threshold.to_string()
            );
            tuftool!(
                Region::default().name(),
                "root set-threshold '{}' timestamp '{}' ",
                filepath,
                threshold.to_string()
            );
            // Each key is registered from within its own region, for all three roles at once.
            for (kms_key_id, key_region) in available_keys {
                tuftool!(
                    key_region,
                    "root add-key '{}' aws-kms:///'{}' --role snapshot --role targets --role timestamp",
                    filepath,
                    kms_key_id
                );
            }
            // Hand back a publication key id unless the caller already supplied one.
            // HashMap iteration order is unspecified, so which key is chosen is arbitrary.
            if key_id.is_none() {
                let first_key = available_keys
                    .keys()
                    .next()
                    .context(error::KeyCreation)?;
                *key_id = Some(first_key.to_string());
            }
        }
    }

    Ok(())
}