terraform-provider-google/website/docs/r/google_kms_crypto_key.html.markdown
The Magician 30fe927df6 Data Sources for KMS Key Ring and Key (#2891)
<!-- This change is generated by MagicModules. -->
/cc @kierachell
2019-01-17 16:12:22 -08:00


layout: google
page_title: Google: google_kms_crypto_key
sidebar_current: docs-google-kms-crypto-key-x
description: Allows creation of a Google Cloud Platform KMS CryptoKey.

google_kms_crypto_key

Allows creation of a Google Cloud Platform KMS CryptoKey. For more information see the official documentation and API.

A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a Google Cloud KMS KeyRing.

~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource on the server. When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.

Example Usage

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  project  = "my-project"
  location = "us-central1"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = "${google_kms_key_ring.my_key_ring.self_link}"
  rotation_period = "100000s"

  lifecycle {
    prevent_destroy = true
  }
}

Argument Reference

The following arguments are supported:

  • name - (Required) The CryptoKey's name. A CryptoKey's name must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}.

  • key_ring - (Required) The id of the Google Cloud Platform KeyRing to which the key shall belong.


  • rotation_period - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400).

  • version_template - (Optional) A template describing settings for new crypto key versions. Structure is documented below.


The version_template block supports:

  • algorithm - (Required) The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protection_level - (Optional) The protection level to use when creating a version based on this template. One of SOFTWARE or HSM.
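The note about destroyed keys and the name and rotation_period constraints above can be enforced before apply with a check over the plan. The following is an added example, not part of the provider or its documentation; it assumes a Terraform version that can emit a JSON plan via `terraform show -json`, and the sample plan and the helper names `rotation_error` and `check_plan` are constructed for illustration.

```python
import re

# Constraints as stated in the Argument Reference on this page.
NAME_RE = re.compile(r"[a-zA-Z0-9_-]{1,63}")
PERIOD_RE = re.compile(r"(\d+)(?:\.(\d{1,9}))?s")
ONE_DAY = 86400  # the page says the period must be greater than a day

def rotation_error(period):
    """Return why rotation_period is invalid, or None if it is acceptable."""
    m = PERIOD_RE.fullmatch(period)
    if not m:
        return "rotation_period is not a decimal (<= 9 fractional digits) followed by 's'"
    whole, frac = int(m.group(1)), int(m.group(2) or 0)
    if whole < ONE_DAY or (whole == ONE_DAY and frac == 0):
        return "rotation_period must be greater than a day (86400)"
    return None

def check_plan(plan):
    """Return (address, problem) pairs for google_kms_crypto_key changes in a plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_kms_crypto_key":
            continue
        change = rc.get("change", {})
        if "delete" in change.get("actions", []):
            findings.append((rc["address"], "plan destroys the key: all CryptoKeyVersions are deleted"))
        after = change.get("after") or {}  # None for a pure delete
        name = after.get("name")
        if name is not None and not NAME_RE.fullmatch(name):
            findings.append((rc["address"], "name does not match [a-zA-Z0-9_-]{1,63}"))
        period = after.get("rotation_period")
        if period is not None and rotation_error(period):
            findings.append((rc["address"], rotation_error(period)))
    return findings

# Constructed sample in the shape of `terraform show -json` output (not real data).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_kms_key_ring.my_key_ring", "type": "google_kms_key_ring",
     "change": {"actions": ["create"], "after": {"name": "my-key-ring"}}},
    {"address": "google_kms_crypto_key.my_crypto_key", "type": "google_kms_crypto_key",
     "change": {"actions": ["create"],
                "after": {"name": "my-crypto-key", "rotation_period": "100000s"}}},
    {"address": "google_kms_crypto_key.bad", "type": "google_kms_crypto_key",
     "change": {"actions": ["create"],
                "after": {"name": "bad name!", "rotation_period": "3600s"}}},
    {"address": "google_kms_crypto_key.old", "type": "google_kms_crypto_key",
     "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    for address, problem in check_plan(SAMPLE_PLAN):
        print(f"{address}: {problem}")
```

A CI job can fail the pipeline whenever `check_plan` returns a non-empty list, so a key deletion is caught even when `prevent_destroy` was removed from the configuration.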

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • self_link - The self link of the created CryptoKey. Its format is projects/{projectId}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{cryptoKeyName}.

Import

CryptoKeys can be imported using the CryptoKey autogenerated id, e.g.

$ terraform import google_kms_crypto_key.my_crypto_key my-gcp-project/us-central1/my-key-ring/my-crypto-key

$ terraform import google_kms_crypto_key.my_crypto_key us-central1/my-key-ring/my-crypto-key