
googleKmsSecret

This data source allows you to use data encrypted with Google Cloud KMS within your resource definitions.

For more information see the official documentation.

~> NOTE: Using this data source lets you conceal secret data within your resource definitions, but it does not protect that data in the logging output, plan output, or state output. The decrypted plaintext is written to state like any other attribute, so take care to secure your secret data outside of resource definitions.

Example Usage

First, create a KMS KeyRing and CryptoKey using the resource definitions:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
// Attribute names in the generated bindings are camelCase (keyRing, not key_ring).
const googleKmsKeyRingMyKeyRing = new google.kmsKeyRing.KmsKeyRing(
  this,
  "my_key_ring",
  {
    location: "us-central1",
    name: "my-key-ring",
    project: "my-project",
  }
);
new google.kmsCryptoKey.KmsCryptoKey(this, "my_crypto_key", {
  keyRing: googleKmsKeyRingMyKeyRing.id,
  name: "my-crypto-key",
});

Next, use the Cloud SDK to encrypt some sensitive information:

$ echo -n my-secret-password | gcloud kms encrypt \
> --project my-project \
> --location us-central1 \
> --keyring my-key-ring \
> --key my-crypto-key \
> --plaintext-file - \
> --ciphertext-file - \
> | base64
CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=

Finally, reference the encrypted ciphertext in your resource definitions:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
import * as random from "./.gen/providers/random";
// Attribute names in the generated bindings are camelCase (byteLength, cryptoKey, databaseVersion).
const randomIdDbNameSuffix = new random.id.Id(this, "db_name_suffix", {
  byteLength: 4,
});
const dataGoogleKmsSecretSqlUserPassword =
  new google.dataGoogleKmsSecret.DataGoogleKmsSecret(
    this,
    "sql_user_password",
    {
      // The base64 ciphertext produced by gcloud kms encrypt above.
      ciphertext:
        "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=",
      // Terraform address of the KmsCryptoKey created in the first snippet; when both
      // live in the same stack, referencing that construct's .id works as well.
      cryptoKey: "${google_kms_crypto_key.my_crypto_key.id}",
    }
  );
const googleSqlDatabaseInstanceMain =
  new google.sqlDatabaseInstance.SqlDatabaseInstance(this, "main", {
    databaseVersion: "MYSQL_5_7",
    name: `main-instance-${randomIdDbNameSuffix.hex}`,
    // settings is a single nested block, not a list.
    settings: {
      tier: "db-f1-micro",
    },
  });
new google.sqlUser.SqlUser(this, "users", {
  host: "me.com",
  instance: googleSqlDatabaseInstanceMain.name,
  name: "me",
  // The decrypted value is resolved at plan/apply time and stored in state.
  password: dataGoogleKmsSecretSqlUserPassword.plaintext,
});

This will result in a Cloud SQL user being created with the password encrypted above, my-secret-password.
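The note above warns that the decrypted plaintext is not protected in state. The following added example, which is not part of the google provider or cdktf, walks a Terraform state document and reports every attribute that carries a plaintext decrypted by a google_kms_secret data source, so a reviewer can see exactly where the secret has landed. The state document is constructed for this example and mirrors the Cloud SQL usage above.

```typescript
// Added example: find where google_kms_secret plaintexts end up in a Terraform state file.
interface TfInstance { attributes: Record<string, unknown> }
interface TfResource { mode: "managed" | "data"; type: string; name: string; instances: TfInstance[] }
interface TfState { version: number; resources: TfResource[] }

// Constructed sample state (shape of terraform.tfstate version 4); values are illustrative.
const SAMPLE_STATE: TfState = {
  version: 4,
  resources: [
    { mode: "data", type: "google_kms_secret", name: "sql_user_password",
      instances: [{ attributes: { ciphertext: "<base64 ciphertext>", plaintext: "my-secret-password" } }] },
    { mode: "managed", type: "google_sql_user", name: "users",
      instances: [{ attributes: { host: "me.com", name: "me", password: "my-secret-password" } }] },
    { mode: "managed", type: "google_sql_database_instance", name: "main",
      instances: [{ attributes: { name: "main-instance-1a2b3c4d", settings: [{ tier: "db-f1-micro" }] } }] },
  ],
};

// Recursively visit nested objects and lists, recording the address of every leaf equal to a secret.
function collect(value: unknown, path: string, secrets: Set<string>, hits: string[]): void {
  if (typeof value === "string") {
    if (secrets.has(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => collect(v, `${path}[${i}]`, secrets, hits));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) collect(v, `${path}.${k}`, secrets, hits);
  }
}

// Returns addresses such as "google_sql_user.users.password", including the data source's own
// plaintext attribute, since that too is persisted in state.
function findSecretLeaks(state: TfState): string[] {
  const secrets = new Set<string>();
  for (const r of state.resources) {
    if (r.mode !== "data" || r.type !== "google_kms_secret") continue;
    for (const inst of r.instances) {
      const p = inst.attributes["plaintext"];
      if (typeof p === "string" && p.length > 0) secrets.add(p);
    }
  }
  const hits: string[] = [];
  for (const r of state.resources) {
    const address = `${r.mode === "data" ? "data." : ""}${r.type}.${r.name}`;
    r.instances.forEach((inst) => collect(inst.attributes, address, secrets, hits));
  }
  return hits;
}

console.log(findSecretLeaks(SAMPLE_STATE));
```

Run it against a real state file by replacing SAMPLE_STATE with the parsed JSON of terraform.tfstate (or the output of terraform show -json).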

Argument Reference

The following arguments are supported:

  • ciphertext (Required) - The ciphertext to be decrypted, encoded in base64.
  • cryptoKey (Required) - The id of the CryptoKey that will be used to decrypt the provided ciphertext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.
  • additionalAuthenticatedData (Optional) - The additional authenticated data used for integrity checks during encryption and decryption.

Attributes Reference

The following attribute is exported:

  • plaintext - Contains the result of decrypting the provided ciphertext.