googleKmsSecretAsymmetric
This data source allows you to use data encrypted with a Google Cloud KMS asymmetric key within your resource definitions.
For more information see the official documentation.
\~> NOTE: Using this data provider will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.
\~> Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.
Example Usage
First, create a KMS KeyRing and CryptoKey using the resource definitions:
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleKmsKeyRingMyKeyRing = new google.kmsKeyRing.KmsKeyRing(
this,
"my_key_ring",
{
location: "us-central1",
name: "my-key-ring",
project: "my-project",
}
);
const googleKmsCryptoKeyMyCryptoKey = new google.kmsCryptoKey.KmsCryptoKey(
this,
"my_crypto_key",
{
key_ring: googleKmsKeyRingMyKeyRing.id,
name: "my-crypto-key",
purpose: "ASYMMETRIC_DECRYPT",
version_template: [
{
algorithm: "RSA_DECRYPT_OAEP_4096_SHA256",
},
],
}
);
const dataGoogleKmsCryptoKeyVersionMyCryptoKey =
new google.dataGoogleKmsCryptoKeyVersion.DataGoogleKmsCryptoKeyVersion(
this,
"my_crypto_key_2",
{
crypto_key: googleKmsCryptoKeyMyCryptoKey.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataGoogleKmsCryptoKeyVersionMyCryptoKey.overrideLogicalId("my_crypto_key");
Next, use the Cloud SDK to encrypt some sensitive information:
## get the public key to encrypt the secret with
$ gcloud kms keys versions get-public-key 1 \
--project my-project \
--location us-central1 \
--keyring my-key-ring \
--key my-crypto-key \
--output-file public-key.pem
## encrypt secret with the public key
$ echo -n my-secret-password | \
openssl pkeyutl -in - \
-encrypt \
-pubin \
-inkey public-key.pem \
-pkeyopt rsa_padding_mode:oaep \
-pkeyopt rsa_oaep_md:sha256 \
-pkeyopt rsa_mgf1_md:sha256 > \
my-secret-password.enc
## base64 encode the ciphertext
$ openssl base64 -in my-secret-password.enc
M7nUoba9EGVTu2LjNjBKGdGVBYjyS/i/AY+4yQMQF0Qf/RfUfX31Jw6+VO9OuThq
ylu/7ihX9XD4bM7yYdXnMv9p1OHQUlorSBSbb/J6n1W9UJhcp6um8Tw8/Isx4f75
4PskYS6f8Y2ItliGt1/A9iR5BTgGtJBwOxMlgoX2Ggq+Nh4E5SbdoaE5o6CO1nBx
eIPsPEebQ6qC4JehQM3IGuV/lrm58+hZhaXAqNzX1cEYyAt5GYqJIVCiI585SUYs
wRToGyTgaN+zthF0HP9IWlR4Am4LmJ/1OcePTnYw11CkU8wNRbDzVAzogwNH+rXr
LTmf7hxVjBm6bBSVSNFcBKAXFlllubSfIeZ5hgzGqn54OmSf6odO12L5JxllddHc
yAd54vWKs2kJtnsKV2V4ZdkI0w6y1TeI67baFZDNGo6qsCpFMPnvv7d46Pg2VOp1
J6Ivner0NnNHE4MzNmpZRk8WXMwqq4P/gTiT7F/aCX6oFCUQ4AWPQhJYh2dkcOmL
IP+47Veb10aFn61F1CJwpmOOiGNXKdDT1vK8CMnnwhm825K0q/q9Zqpzc1+1ae1z
mSqol1zCoa88CuSN6nTLQlVnN/dzfrGbc0boJPaM0iGhHtSzHk4SWg84LhiJB1q9
A9XFJmOVdkvRY9nnz/iVLAdd0Q3vFtLqCdUYsNN2yh4=
## optionally calculate the CRC32 of the ciphertext
$ go get github.com/binxio/crc32
$ $GOPATH/bin/crc32 -polynomial castagnoli < my-secret-password.enc
12c59e54
Finally, reference the encrypted ciphertext in your resource definitions:
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
import * as random from "./.gen/providers/random";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google, random.
For a more precise conversion please use the --provider flag in convert.*/
const randomIdDbNameSuffix = new random.id.Id(this, "db_name_suffix", {
byte_length: 4,
});
new google.dataGoogleKmsSecretAsymmetric.DataGoogleKmsSecretAsymmetric(
this,
"sql_user_password",
{
ciphertext:
" M7nUoba9EGVTu2LjNjBKGdGVBYjyS/i/AY+4yQMQF0Qf/RfUfX31Jw6+VO9OuThq\n ylu/7ihX9XD4bM7yYdXnMv9p1OHQUlorSBSbb/J6n1W9UJhcp6um8Tw8/Isx4f75\n 4PskYS6f8Y2ItliGt1/A9iR5BTgGtJBwOxMlgoX2Ggq+Nh4E5SbdoaE5o6CO1nBx\n eIPsPEebQ6qC4JehQM3IGuV/lrm58+hZhaXAqNzX1cEYyAt5GYqJIVCiI585SUYs\n wRToGyTgaN+zthF0HP9IWlR4Am4LmJ/1OcePTnYw11CkU8wNRbDzVAzogwNH+rXr\n LTmf7hxVjBm6bBSVSNFcBKAXFlllubSfIeZ5hgzGqn54OmSf6odO12L5JxllddHc\n yAd54vWKs2kJtnsKV2V4ZdkI0w6y1TeI67baFZDNGo6qsCpFMPnvv7d46Pg2VOp1\n J6Ivner0NnNHE4MzNmpZRk8WXMwqq4P/gTiT7F/aCX6oFCUQ4AWPQhJYh2dkcOmL\n IP+47Veb10aFn61F1CJwpmOOiGNXKdDT1vK8CMnnwhm825K0q/q9Zqpzc1+1ae1z\n mSqol1zCoa88CuSN6nTLQlVnN/dzfrGbc0boJPaM0iGhHtSzHk4SWg84LhiJB1q9\n A9XFJmOVdkvRY9nnz/iVLAdd0Q3vFtLqCdUYsNN2yh4=\n",
crc32: "12c59e54",
crypto_key_version:
"${data.google_kms_crypto_key_version.my_crypto_key.id}",
}
);
const googleSqlDatabaseInstanceMain =
new google.sqlDatabaseInstance.SqlDatabaseInstance(this, "main", {
database_version: "MYSQL_5_7",
name: `main-instance-\${${randomIdDbNameSuffix.hex}}`,
settings: [
{
tier: "db-f1-micro",
},
],
});
new google.sqlUser.SqlUser(this, "users", {
host: "me.com",
instance: googleSqlDatabaseInstanceMain.name,
name: "me",
password: "${data.google_kms_secret.sql_user_password.plaintext}",
});
This will result in a Cloud SQL user being created with password mySecretPassword.
Argument Reference
The following arguments are supported:
ciphertext(Required) - The ciphertext to be decrypted, encoded in base64cryptoKeyVersion(Required) - The id of the CryptoKey version that will be used to decrypt the provided ciphertext. This is represented by the formatprojects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}/cryptoKeyVersions/{version}.crc32(Optional) - The crc32 checksum of theciphertextin hexadecimal notation. If not specified, it will be computed.
Attributes Reference
The following attribute is exported:
plaintext- Contains the result of decrypting the provided ciphertext.crc32- Contains the crc32 checksum of the provided ciphertext.