# general
c
Hi there, question about https://www.pulumi.com/docs/concepts/secrets/#available-encryption-providers. How does Pulumi handle AWS managed key rotations (once a year): https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys
Note
In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days).

New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter.

Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter.
Will this break our stacks / all of our secret configuration?
w
AWS KMS manages key rotation entirely transparently to you as a user. KMS' rotation also only impacts new Encrypt requests; old key material remains available to decrypt older data. More on this in the link you shared and in https://aws.amazon.com/kms/faqs/. At the Pulumi layer, we simply invoke `Decrypt` and `Encrypt` from the KMS API using your IAM credentials and the KMS KeyID you provide, which is consistent across rotation. So the rotation KMS does is invisible. However, there is a separate question about whether you want to reencrypt (using rotated keys, or a new key) the secrets in your Pulumi stack. This can be accomplished with `pulumi stack change-secrets-provider` (https://www.pulumi.com/docs/cli/commands/pulumi_stack_change-secrets-provider/). You can pass that the same KMS key as is already being used to have it generate a new data key and re-encrypt the data key using the KMS Encrypt API, as well as all secrets in the stack with that new data key. This part is not automatic, and you have control over when you do this, and whether you use the same KMS key (with a rotated internal key material) or a new key entirely. The same users who have IAM access to Decrypt data with this key will be able to read the secrets from the stack.
c
Hey @white-balloon-205, thanks for the response! Yeah, that makes perfect sense, exactly what I was looking for.