Export or backup KMS key?

So I’ve been working with Terragrunt/Terraform to configure our local development environment. We create well over 100 queues, topics, and dynamo tables. Load 10+ lambda’s along with a KMS key and save the entire configuration via pod save. We use the KMS key to encrypt both data in Dynamo as well as a local mysql database. As I’ve been testing the setup, I’ve been tearing down and recreating the entire stack, which means I’ve been generating a new KMS key everytime. Eventually, we plan to check in the saved pod file for shared use, but I suspect one day we will want to regenerate the entire stack and once again we’ll have a new KMS key and need to migrate all that encrypted data, which gets tricky as you can imagine.

Now, AWS native doesn’t support KMS key material export for security reasons, but localstack already does this via pod save, AFAIK there isn’t a mechanism to just restore the KMS portion from a given pod save file. Is there another way to do this, or is something that could be supported?

Of course, after thinking this through it occurs to me I can just import the key material from the start, and thus control the value, so this is now just a “would-be-nice” feature. Heck, I can probably even extract it from the pod save file.

Answering my own question: You can extract the file:


From your pod save file, save that off separately, and then update any new pod save files via zip. That works until someone changes an object or serialization format. So key export/import would still be a more long term maintainable solution.