mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-09-19 01:29:57 +00:00
30fe927df6
<!-- This change is generated by MagicModules. --> /cc @kierachell
92 lines
3.2 KiB
Markdown
92 lines
3.2 KiB
Markdown
---
|
||
layout: "google"
|
||
page_title: "Google: google_kms_crypto_key"
|
||
sidebar_current: "docs-google-kms-crypto-key-x"
|
||
description: |-
|
||
Allows creation of a Google Cloud Platform KMS CryptoKey.
|
||
---
|
||
|
||
# google\_kms\_crypto\_key
|
||
|
||
Allows creation of a Google Cloud Platform KMS CryptoKey. For more information see
|
||
[the official documentation](https://cloud.google.com/kms/docs/object-hierarchy#key)
|
||
and
|
||
[API](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys).
|
||
|
||
A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a
|
||
Google Cloud KMS KeyRing.
|
||
|
||
~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a
|
||
Terraform-managed CryptoKey will remove it from state and delete all
|
||
CryptoKeyVersions, rendering the key unusable, but **will not delete the
|
||
resource on the server**. When Terraform destroys these keys, any data
|
||
previously encrypted with these keys will be irrecoverable. For this reason, it
|
||
is strongly recommended that you add lifecycle hooks to the resource to prevent
|
||
accidental destruction.
|
||
|
||
## Example Usage
|
||
|
||
```hcl
|
||
resource "google_kms_key_ring" "my_key_ring" {
|
||
name = "my-key-ring"
|
||
project = "my-project"
|
||
location = "us-central1"
|
||
}
|
||
|
||
resource "google_kms_crypto_key" "my_crypto_key" {
|
||
name = "my-crypto-key"
|
||
key_ring = "${google_kms_key_ring.my_key_ring.self_link}"
|
||
rotation_period = "100000s"
|
||
|
||
lifecycle {
|
||
prevent_destroy = true
|
||
}
|
||
}
|
||
```
|
||
|
||
## Argument Reference
|
||
|
||
The following arguments are supported:
|
||
|
||
* `name` - (Required) The CryptoKey's name.
|
||
A CryptoKey’s name must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`
|
||
|
||
* `key_ring` - (Required) The id of the Google Cloud Platform KeyRing to which the key shall belong.
|
||
|
||
- - -
|
||
|
||
* `rotation_period` - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as
|
||
the primary. The first rotation will take place after the specified period. The rotation period has the format
|
||
of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than
|
||
a day (ie, 86400).
|
||
|
||
* `version_template` - (Optional) A template describing settings for new crypto key versions. Structure is documented below.
|
||
|
||
---
|
||
|
||
The `version_template` block supports:
|
||
|
||
* `algorithm` - (Required) The algorithm to use when creating a version based on this template.
|
||
See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm)
|
||
for possible inputs.
|
||
|
||
* `protection_level` - (Optional) The protection level to use when creating a version based on this template.
|
||
One of `SOFTWARE`, or `HSM`.
|
||
|
||
## Attributes Reference
|
||
|
||
In addition to the arguments listed above, the following computed attributes are
|
||
exported:
|
||
|
||
* `self_link` - The self link of the created CryptoKey. Its format is `projects/{projectId}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{cryptoKeyName}`.
|
||
|
||
## Import
|
||
|
||
CryptoKeys can be imported using the CryptoKey autogenerated `id`, e.g.
|
||
|
||
```
|
||
$ terraform import google_kms_crypto_key.my_crypto_key my-gcp-project/us-central1/my-key-ring/my-crypto-key
|
||
|
||
$ terraform import google_kms_crypto_key.my_crypto_key us-central1/my-key-ring/my-crypto-key
|
||
```
|