mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-10-04 17:51:11 +00:00
Encourage users to set lifecycle hooks on kms_crypto_key resources (#1896)
@michaelharo suggested this would be a good best practice for this particular resource to prevent users from accidentally deleting a bunch of encryption keys on a -/+ and losing data, and I agree. This commit adds a quick documentation blurb saying what actually happens if those crypto key versions are destroyed and also updates the snippet to showcase a lifecycle hook.
This commit is contained in:
parent
37534f542d
commit
96cb1fbc16
@ -16,8 +16,13 @@ and
|
||||
A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a
|
||||
Google Cloud KMS KeyRing.
|
||||
|
||||
~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it
|
||||
from state and delete all CryptoKeyVersions, rendering the key unusable, but **will not delete the resource on the server**.
|
||||
~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a
|
||||
Terraform-managed CryptoKey will remove it from state and delete all
|
||||
CryptoKeyVersions, rendering the key unusable, but **will not delete the
|
||||
resource on the server**. When Terraform destroys these keys, any data
|
||||
previously encrypted with these keys will be irrecoverable. For this reason, it
|
||||
is strongly recommended that you add lifecycle hooks to the resource to prevent
|
||||
accidental destruction.
|
||||
|
||||
## Example Usage
|
||||
|
||||
@ -32,6 +37,10 @@ resource "google_kms_crypto_key" "my_crypto_key" {
|
||||
name = "my-crypto-key"
|
||||
key_ring = "${google_kms_key_ring.my_key_ring.self_link}"
|
||||
rotation_period = "100000s"
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user