* Adds support for creating KMS CryptoKeys resources
* Destroy extant CryptoKeyVersions on CryptoKey destroy
* Inherit project, location etc from KeyRing in CryptoKey
* Add function to calculate next rotation
* Implement RotationPeriod parameter on CryptoKey
* Import CryptoKey state
* Uncommit my local acceptance test hacks
* Docs for google_kms_crypto_key
* Clear id at the end of CryptoKey deletion
  Also add more detail to warning message.
* Fix parseCryptoKeyId error messages
* Use correct naming in CryptoKeyIdParsing test
* Check RotationPeriod is present in acceptance test
* Rename variable in test function for consistency
* Fix wrong resource name in cryptokey docs
* Add KeyRing to CryptoKey doc example
* Run test CryptoKey configs through terraform fmt
* Don't set CryptoKey purpose in terraform state on import
* Fix indentation in CryptoKey test
* Parallelise CryptoKey tests
* Set rotation_key on CryptoKey read
* Move RotationPeriod validation to planning phase
* Use import state passthrough for CryptoKey
* Correct casing issues in test case names
* Remove redundant CheckDestroy calls in CryptoKey tests
* Add explanatory comment about extra test steps
* More explicit error handling in CryptoKey tests
* Explicit dependency on project services in test keyring configs
* Clean up comments in cryptokey resource
* Do not repeat in cryptokey id regexes
layout | page_title | sidebar_current | description |
---|---|---|---|
Google: google_kms_crypto_key | docs-google-kms-crypto-key | Allows creation of a Google Cloud Platform KMS CryptoKey. |
google_kms_crypto_key
Allows creation of a Google Cloud Platform KMS CryptoKey. For more information see the official documentation and API.
A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a Google Cloud KMS KeyRing.
~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource on the server.
Example Usage
resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  project  = "my-project"
  location = "us-central1"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = "${google_kms_key_ring.my_key_ring.id}"
  rotation_period = "100000s"
}
Argument Reference
The following arguments are supported:
- name - (Required) The CryptoKey's name. A CryptoKey's name must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}.
- key_ring - (Required) The id of the Google Cloud Platform KeyRing to which the key shall belong.
- rotation_period - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 83400).
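A pre-apply check for the two constrained arguments above, written as an added example and not taken from the provider's own code. `ValidateCryptoKeyArgs` is a hypothetical helper; one day is taken as 86400 seconds, and accepting exactly that value is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Patterns built from the rules stated in the argument reference.
var (
	nameRe   = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,63}$`)
	periodRe = regexp.MustCompile(`^([0-9]+)(\.[0-9]{1,9})?s$`)
)

// Assumption: one day is 24h = 86400s, and exactly 86400s is accepted.
const secondsPerDay = 86400

// ValidateCryptoKeyArgs (hypothetical helper) returns one message per rule
// violated. An empty rotationPeriod means the optional argument is unset.
func ValidateCryptoKeyArgs(name, rotationPeriod string) []string {
	var problems []string
	if !nameRe.MatchString(name) {
		problems = append(problems, fmt.Sprintf("name %q does not match [a-zA-Z0-9_-]{1,63}", name))
	}
	if rotationPeriod == "" {
		return problems
	}
	m := periodRe.FindStringSubmatch(rotationPeriod)
	if m == nil {
		return append(problems, fmt.Sprintf("rotation_period %q is not <decimal>s with at most 9 fractional digits", rotationPeriod))
	}
	// Whole seconds decide the minimum: a fraction is always below 1s,
	// so it cannot lift a value under 86400 up to 86400. No floats needed.
	whole, err := strconv.ParseUint(m[1], 10, 64)
	if err != nil {
		return append(problems, fmt.Sprintf("rotation_period %q: %v", rotationPeriod, err))
	}
	if whole < secondsPerDay {
		problems = append(problems, fmt.Sprintf("rotation_period %q is shorter than one day", rotationPeriod))
	}
	return problems
}

func main() {
	// Constructed sample inputs: valid, bad name + short period, bad unit, 10 fractional digits.
	for _, c := range [][2]string{{"my-crypto-key", "100000s"}, {"my crypto key", "3600s"}, {"k", "1d"}, {"k", "90000.0000000001s"}} {
		fmt.Printf("%q %q -> %v\n", c[0], c[1], ValidateCryptoKeyArgs(c[0], c[1]))
	}
}
```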
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
- id - The ID of the created CryptoKey. Its format is {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
Import
CryptoKeys can be imported using the CryptoKey autogenerated id, e.g.
$ terraform import google_kms_crypto_key.my_crypto_key my-gcp-project/us-central1/my-key-ring/my-crypto-key
$ terraform import google_kms_crypto_key.my_crypto_key us-central1/my-key-ring/my-crypto-key