fetch_ml/configs/schema/kms_config_schema.yaml

# KMS Configuration Schema
# Defines the structure for KMS (Key Management System) configuration
# per ADR-012 through ADR-015.

$schema: http://json-schema.org/draft-07/schema#
type: object
description: KMS configuration for external key management (Vault, AWS KMS, etc.)

properties:
  provider:
    type: string
    enum: [vault, aws, memory]
    description: KMS provider type

  vault:
    type: object
    description: HashiCorp Vault configuration
    properties:
      address:
        type: string
        format: uri
        description: Vault server URL (e.g., https://vault.internal:8200)
      auth_method:
        type: string
        enum: [approle, kubernetes, token]
        description: Authentication method
      role_id:
        type: string
        description: AppRole role ID (for approle auth)
      secret_id:
        type: string
        description: AppRole secret ID (for approle auth)
      token:
        type: string
        description: Vault token (for token auth, development only)
      transit_mount:
        type: string
        default: transit
        description: Transit engine mount path
      key_prefix:
        type: string
        default: fetchml-tenant
        description: Prefix for tenant key names
      region:
        type: string
        description: Region identifier for per-region keys (per ADR-014)
      timeout:
        type: integer
        default: 30
        description: HTTP client timeout in seconds

  aws:
    type: object
    description: AWS KMS configuration
    properties:
      region:
        type: string
        description: AWS region (e.g., us-east-1)
      key_alias_prefix:
        type: string
        default: alias/fetchml
        description: Prefix for KMS key aliases
      role_arn:
        type: string
        description: IAM role ARN to assume (optional)
      endpoint:
        type: string
        format: uri
        description: Custom endpoint for testing (e.g., LocalStack)

  cache:
    type: object
    description: DEK cache configuration per ADR-012
    properties:
      ttl_minutes:
        type: integer
        default: 15
        description: DEK cache TTL in minutes
      max_entries:
        type: integer
        default: 1000
        description: Maximum cached DEKs (LRU eviction)
      grace_window_minutes:
        type: integer
        default: 60
        description: Extended grace period during KMS unavailability (per ADR-013)

required:
  - provider

# Conditional validation
allOf:
  - if:
      properties:
        provider:
          const: vault
    then:
      required: [vault]
  - if:
      properties:
        provider:
          const: aws
    then:
      required: [aws]