A more deterministic kms

[mdaniel]

This is a follow-up to #9884

Current behavior

#!/usr/bin/env bash
set -euo pipefail

moto_seed=42
kms_key_id=bdd640fb-0667-4ad1-9c80-317fa3b1799d

curl -fsSLX POST http://localhost:5000/moto-api/reset
curl -fsSLX POST "http://localhost:5000/moto-api/seed?a=${moto_seed}"

awslocal kms create-key
plaintext0="hello world"
awslocal kms encrypt --key-id ${kms_key_id} --plaintext "$(echo -n "$plaintext0" | base64 -w0)" | tee kms_encrypt.out
ciphertext="$(jq -r .CiphertextBlob kms_encrypt.out )"

curl -fsSLX POST http://localhost:5000/moto-api/reset
curl -fsSLX POST "http://localhost:5000/moto-api/seed?a=${moto_seed}"

awslocal kms create-key

awslocal kms decrypt --key-id ${kms_key_id} --ciphertext "${ciphertext}" | tee kms_decrypt.out
if [[ "$(jq -r '.Plaintext|@base64d' kms_decrypt.out)" == "$plaintext0" ]]; then
  echo OK
fi

produces:

aws: [ERROR]: An error occurred (InvalidCiphertextException) when calling the Decrypt operation:

New behavior

Because the os.urandom call for the KMS master key has been replaced with the PRNG-aware random system in moto, now the master key bytes are deterministic and the round-trip encrypt-decrypt is successful even across moto resets (and I also tested it across moto_server restarts)

One will spot a seemingly unrelated change to tests/test_moto_api/seeder/test_seeder.py but that is because now there are no more os.urandom calls, so the sts assume-role consumes a PRNG call, which modifies the instance-id that was in that test