
Module hook

Cross-service KMS hook.

Services that accept a KmsKeyId (Secrets Manager, SSM SecureString, S3 SSE-KMS, SQS, SNS, DynamoDB) call into this module so that:

  1. The supplied key is resolved (alias/aws/<service> and bare aliases included), auto-provisioning AWS-managed keys on first use to match real AWS.
  2. Each call is recorded in KmsUsageState so test code can assert through /_fakecloud/kms/usage that the right service triggered the right operation on the right key.
  3. The returned ciphertext is a real envelope decryptable by the public KMS Decrypt API (uses the same fakecloud-kms: envelope as the existing service-side encrypt path).

Encryption context, key policy enforcement, and KMS-managed key rotation come in follow-up PRs.

Structs§

KmsServiceHook
Hook used by service crates that need to call KMS for encryption / decryption without going through the AWS-shaped HTTP layer.
KmsUsageRecord
One recorded KMS hook call. Returned by the introspection endpoint so test code can assert kms:GenerateDataKey / kms:Decrypt ran on the expected key + service principal.
KmsUsageState

Enums§

KmsHookError

Constants§

DEFAULT_AWS_MANAGED_ALIASES
Canonical AWS-managed service aliases (alias/aws/<service>). Real AWS pre-creates these in every account/region, so aws kms list-aliases returns them on a brand-new account and data.aws_kms_alias resolves them. The Terraform acceptance tests for several services (e.g. aws_dynamodb_table encryption) read alias/aws/<service> via that data source, so they must be listable even before any KMS use.

Functions§

ensure_default_managed_aliases
Idempotently provision every DEFAULT_AWS_MANAGED_ALIASES entry that isn’t already present, so ListAliases mirrors real AWS. Provisioning a missing alias also mints its backing AWS-managed key, matching the auto-provision-on-first-use path in [resolve_or_provision].
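As an added example that is not the fakecloud crate's own code, a hypothetical in-memory model of the hook behaviour described above: alias normalisation (full alias/aws/<service>, bare aws/<service>, bare customer alias), minting of an AWS-managed key on first use, refusal to auto-create an unknown customer alias, one usage record per call, and idempotent default-alias provisioning. The FakeKms, UsageRecord and HookError names and the constructed key ids are assumptions, not this module's API.

```rust
use std::collections::HashMap;
/// One recorded hook call, modelled on the page's KmsUsageRecord (assumed shape).
#[derive(Debug, Clone, PartialEq)]
pub struct UsageRecord { pub service: String, pub operation: String, pub key_id: String }
#[derive(Debug, PartialEq)]
pub enum HookError { KeyNotFound(String) }
/// Hypothetical in-memory stand-in for the KMS state the hook consults.
#[derive(Default)]
pub struct FakeKms {
    pub aliases: HashMap<String, String>, // alias name -> backing key id
    pub keys: Vec<String>,                // every key id that exists
    pub usage: Vec<UsageRecord>,          // what /_fakecloud/kms/usage would report
}
impl FakeKms {
    /// Accepts "alias/aws/s3", bare "aws/s3" or bare "my-alias"; returns the canonical alias name.
    fn canonical_alias(input: &str) -> String {
        if input.starts_with("alias/") { input.to_string() } else { format!("alias/{}", input) }
    }
    /// Resolve a KmsKeyId. AWS-managed `alias/aws/<service>` aliases are minted on first
    /// use, as real AWS does; an unknown customer alias is an error, never auto-created.
    pub fn resolve_or_provision(&mut self, key_id: &str) -> Result<String, HookError> {
        if self.keys.iter().any(|k| k.as_str() == key_id) {
            return Ok(key_id.to_string());
        }
        let alias = Self::canonical_alias(key_id);
        if let Some(k) = self.aliases.get(&alias) {
            return Ok(k.clone());
        }
        if let Some(service) = alias.strip_prefix("alias/aws/") {
            let key = format!("aws-managed-{}", service); // constructed key id, not a real ARN
            self.keys.push(key.clone());
            self.aliases.insert(alias, key.clone());
            return Ok(key);
        }
        Err(HookError::KeyNotFound(key_id.to_string()))
    }
    /// Service-side call: resolve the key, then record which service ran which operation on it.
    pub fn record_call(&mut self, service: &str, operation: &str, key_id: &str) -> Result<String, HookError> {
        let key = self.resolve_or_provision(key_id)?;
        self.usage.push(UsageRecord { service: service.into(), operation: operation.into(), key_id: key.clone() });
        Ok(key)
    }
    /// Idempotent: provisions only the default aliases not yet present; returns how many were minted.
    pub fn ensure_default_managed_aliases(&mut self, defaults: &[&str]) -> usize {
        let before = self.keys.len();
        for a in defaults { let _ = self.resolve_or_provision(a); }
        self.keys.len() - before
    }
}
```

A test asserting on `usage` after a service call is the same check the page describes doing through /_fakecloud/kms/usage: the right service, operation and key show up, and a second use of the same alias does not mint a second key.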

Type Aliases§

SharedKmsUsageState