public/terraform-provider-google
0
0
Fork 0
mirror of https://github.com/letic/terraform-provider-google.git synced 2024-09-07 09:36:44 +00:00
Code Issues Projects Releases Wiki Activity
58ca18e2bf
terraform-provider-google/website/docs/r/google_kms_crypto_key.html.markdown
Seth Vargo 96cb1fbc16 Encourage users to set lifecycle hooks on kms_crypto_key resources (#1896) 
@michaelharo suggested this would be a good best practice for this particular resource to prevent users from accidentally deleting a bunch of encryption keys on a -/+ and losing data, and I agree.

This commit adds a quick documentation blurb saying what actually happens if those crypto key versions are destroyed and also updates the snippet to showcase a lifecycle hook.
2018-09-05 09:59:41 -07:00

79 lines
2.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: "google"
page_title: "Google: google_kms_crypto_key"
sidebar_current: "docs-google-kms-crypto-key-x"
description: |-
Allows creation of a Google Cloud Platform KMS CryptoKey.
---
# google\_kms\_crypto\_key
Allows creation of a Google Cloud Platform KMS CryptoKey. For more information see
[the official documentation](https://cloud.google.com/kms/docs/object-hierarchy#cryptokey)
and
[API](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys).
A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a
Google Cloud KMS KeyRing.
~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a
Terraform-managed CryptoKey will remove it from state and delete all
CryptoKeyVersions, rendering the key unusable, but **will not delete the
resource on the server**. When Terraform destroys these keys, any data
previously encrypted with these keys will be irrecoverable. For this reason, it
is strongly recommended that you add lifecycle hooks to the resource to prevent
accidental destruction.
## Example Usage
```hcl
resource "google_kms_key_ring" "my_key_ring" {
name = "my-key-ring"
project = "my-project"
location = "us-central1"
}
resource "google_kms_crypto_key" "my_crypto_key" {
name = "my-crypto-key"
key_ring = "${google_kms_key_ring.my_key_ring.self_link}"
rotation_period = "100000s"
lifecycle {
prevent_destroy = true
}
}
```
## Argument Reference
The following arguments are supported:
* `name` - (Required) The CryptoKey's name.
A CryptoKeys name must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`
* `key_ring` - (Required) The id of the Google Cloud Platform KeyRing to which the key shall belong.
- - -
* `rotation_period` - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as
the primary. The first rotation will take place after the specified period. The rotation period has the format
of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than
a day (ie, 86400).
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are
exported:
* `self_link` - The self link of the created CryptoKey. Its format is `projects/{projectId}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{cryptoKeyName}`.
## Import
CryptoKeys can be imported using the CryptoKey autogenerated `id`, e.g.
```
$ terraform import google_kms_crypto_key.my_crypto_key my-gcp-project/us-central1/my-key-ring/my-crypto-key
$ terraform import google_kms_crypto_key.my_crypto_key us-central1/my-key-ring/my-crypto-key
```
Reference in New Issue View Git Blame Copy Permalink