googleKmsCryptoKey
A cryptoKey
represents a logical key that can be used for cryptographic operations.
~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey removes it from state and schedules every CryptoKeyVersion for destruction, which renders the key unusable but does not delete the resource from the project. Once the versions pass through DESTROY_SCHEDULED and are destroyed, any data previously encrypted with those versions is irrecoverable. For this reason, it is strongly recommended that you set lifecycle.preventDestroy on the resource to prevent accidental destruction.
To get more information about CryptoKey, see:
- API documentation
- How-to Guides
- Creating a key
Example Usage - Kms Crypto Key Basic
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";

class KmsCryptoKeyBasicStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const keyring = new google.kmsKeyRing.KmsKeyRing(this, "keyring", {
      location: "global",
      name: "keyring-example",
    });

    // Symmetric ENCRYPT_DECRYPT key (the default purpose). A new primary
    // version is created each time rotationPeriod elapses; older versions
    // stay enabled so existing ciphertext can still be decrypted.
    new google.kmsCryptoKey.KmsCryptoKey(this, "example-key", {
      keyRing: keyring.id,
      name: "crypto-key-example",
      rotationPeriod: "100000s",
      // Destroying the key destroys every version and the data they protect.
      lifecycle: { preventDestroy: true },
    });
  }
}

const app = new App();
new KmsCryptoKeyBasicStack(app, "kms-crypto-key-basic");
app.synth();
Example Usage - Kms Crypto Key Asymmetric Sign
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";

class KmsCryptoKeyAsymmetricSignStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const keyring = new google.kmsKeyRing.KmsKeyRing(this, "keyring", {
      location: "global",
      name: "keyring-example",
    });

    // Asymmetric signing key. The algorithm must match the purpose, and
    // rotationPeriod is not allowed here: Cloud KMS only rotates
    // ENCRYPT_DECRYPT keys automatically, so new versions are created manually.
    new google.kmsCryptoKey.KmsCryptoKey(this, "example-asymmetric-sign-key", {
      keyRing: keyring.id,
      name: "crypto-key-example",
      purpose: "ASYMMETRIC_SIGN",
      versionTemplate: {
        algorithm: "EC_SIGN_P384_SHA384",
        // protectionLevel: "HSM" keeps the private key inside Cloud HSM.
      },
      lifecycle: { preventDestroy: true },
    });
  }
}

const app = new App();
new KmsCryptoKeyAsymmetricSignStack(app, "kms-crypto-key-asymmetric-sign");
app.synth();
Argument Reference
The following arguments are supported:
- name - (Required) The resource name for the CryptoKey.
- keyRing - (Required) The KeyRing that this key belongs to. Format: projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}. In the examples above this is taken from the KmsKeyRing resource's id attribute.
- labels - (Optional) Labels with user-defined metadata to apply to this resource.
- purpose - (Optional) The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT". Possible values are "ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT" and "MAC". Changing the purpose forces a new key.
- rotationPeriod - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation takes place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds), for example "2592000s". It must be greater than a day (86400s). Automatic rotation is only supported for ENCRYPT_DECRYPT keys. Older versions remain enabled and usable for decryption, so rotation bounds how much new data each version protects but does not retire existing ciphertext; disable or destroy old versions separately if that is the goal.
- versionTemplate - (Optional) A template describing settings for new crypto key versions. Structure is documented below.
- destroyScheduledDuration - (Optional) The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED, in the same duration format (for example "86400s"). If not specified at creation time, the default duration is 24 hours. A version can still be restored while it is in DESTROY_SCHEDULED, so this window is the only safety net once a version has been destroyed by mistake.
- importOnly - (Optional) Whether this key may contain imported versions only.
- skipInitialVersionCreation - (Optional) If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the KmsKeyRingImportJob (google_kms_key_ring_import_job) resource to import the CryptoKeyVersion.

The versionTemplate block supports:
- algorithm - (Required) The algorithm to use when creating a version based on this template, for example "GOOGLE_SYMMETRIC_ENCRYPTION" for ENCRYPT_DECRYPT keys or "EC_SIGN_P384_SHA384" for ASYMMETRIC_SIGN keys. See the algorithm reference for possible inputs. The algorithm must be valid for the key's purpose.
- protectionLevel - (Optional) The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE". Use "HSM" when the key material must never leave a Cloud HSM; the protection level cannot be changed after the key is created.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
- id - an identifier for the resource with format {{keyRing}}/cryptoKeys/{{name}}
Timeouts
This resource provides the following Timeouts configuration options:
- create - Default is 20 minutes.
- update - Default is 20 minutes.
- delete - Default is 20 minutes.
Import
CryptoKey can be imported using any of these accepted formats:
$ terraform import google_kms_crypto_key.default {{key_ring}}/cryptoKeys/{{name}}
$ terraform import google_kms_crypto_key.default {{key_ring}}/{{name}}
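Both accepted import formats resolve to the same resource, and the second one is easy to confuse with a bare "{{key_ring}}/{{name}}" that omits the full key ring path. The parser below is an added example for this page, not provider code; the function and type names are assumptions. It normalizes either accepted format to the canonical projects/.../keyRings/.../cryptoKeys/{{name}} form, which is also what the resource's id attribute reports, and builds the import command from it.

```typescript
interface CryptoKeyId {
  project: string;
  location: string;
  keyRing: string;
  name: string;
  canonical: string; // projects/{p}/locations/{l}/keyRings/{r}/cryptoKeys/{name}
}

// Cloud KMS key ring and key names are limited to this character set.
const SEGMENT = "[a-zA-Z0-9_-]{1,63}";

// Matches both accepted formats: the "cryptoKeys/" segment is optional.
const IMPORT_ID_RE = new RegExp(
  `^projects/([^/]+)/locations/([^/]+)/keyRings/(${SEGMENT})/(?:cryptoKeys/)?(${SEGMENT})$`
);

// Returns the parsed components, or null when the id is not an accepted format.
function parseCryptoKeyImportId(id: string): CryptoKeyId | null {
  const m = IMPORT_ID_RE.exec(id);
  if (m === null) return null;
  const [, project, location, keyRing, name] = m;
  return {
    project,
    location,
    keyRing,
    name,
    canonical: `projects/${project}/locations/${location}/keyRings/${keyRing}/cryptoKeys/${name}`,
  };
}

// Builds the terraform import command for the Terraform address of the
// synthesized resource, using the canonical id so the two formats agree.
function importCommand(address: string, id: string): string | null {
  const parsed = parseCryptoKeyImportId(id);
  if (parsed === null) return null;
  return `terraform import ${address} ${parsed.canonical}`;
}
```

For a CDKTF project the address is that of the synthesized Terraform resource (for example google_kms_crypto_key.example-key for the construct id "example-key" placed directly in the stack), and the command is run in the synthesized stack directory under cdktf.out.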
User Project Overrides
This resource supports User Project Overrides.