
googleKmsCryptoKey

A cryptoKey represents a logical key that can be used for cryptographic operations.

~> Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey removes it from state and schedules all of its CryptoKeyVersions for destruction, rendering the key unusable, but does not delete the resource from the project. Once the versions pass through DESTROY_SCHEDULED into DESTROYED, any data previously encrypted with the key is irrecoverable (a version can only be restored while it is still in DESTROY_SCHEDULED, see destroyScheduledDuration below). For this reason, it is strongly recommended that you set prevent_destroy in the resource's lifecycle block (lifecycle: { preventDestroy: true } in CDKTF, as in the examples below) to prevent accidental destruction.

To get more information about CryptoKey, see:

Example Usage - Kms Crypto Key Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";

// Generated bindings use camelCase property names (keyRing, rotationPeriod),
// matching the Argument Reference below; snake_case keys are a type error.
const googleKmsKeyRingKeyring = new google.kmsKeyRing.KmsKeyRing(
  this,
  "keyring",
  {
    location: "global",
    name: "keyring-example",
  }
);
const googleKmsCryptoKeyExampleKey = new google.kmsCryptoKey.KmsCryptoKey(
  this,
  "example-key",
  {
    keyRing: googleKmsKeyRingKeyring.id,
    name: "crypto-key-example",
    // Symmetric ENCRYPT_DECRYPT key (the default purpose) with automatic
    // rotation: a new primary CryptoKeyVersion every 100000s (about 27.8 hours).
    // The period must be greater than one day (86400s).
    rotationPeriod: "100000s",
    // Destroying the key destroys every CryptoKeyVersion and makes data
    // encrypted under it irrecoverable, so block accidental destruction.
    lifecycle: {
      preventDestroy: true,
    },
  }
);

Example Usage - Kms Crypto Key Asymmetric Sign

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";

const googleKmsKeyRingKeyring = new google.kmsKeyRing.KmsKeyRing(
  this,
  "keyring",
  {
    location: "global",
    name: "keyring-example",
  }
);
const googleKmsCryptoKeyExampleAsymmetricSignKey =
  new google.kmsCryptoKey.KmsCryptoKey(this, "example-asymmetric-sign-key", {
    keyRing: googleKmsKeyRingKeyring.id,
    name: "crypto-key-example",
    // purpose is immutable after creation; use the API enum name.
    purpose: "ASYMMETRIC_SIGN",
    // algorithm is required for every purpose other than ENCRYPT_DECRYPT and
    // must match the purpose (an EC_SIGN_* or RSA_SIGN_* algorithm here).
    versionTemplate: {
      algorithm: "EC_SIGN_P384_SHA384",
    },
    // No rotationPeriod: Cloud KMS supports automatic rotation only for
    // ENCRYPT_DECRYPT keys, so asymmetric keys are rotated manually.
    lifecycle: {
      preventDestroy: true,
    },
  });

Argument Reference

The following arguments are supported:

  • name - (Required) The resource name for the CryptoKey.

  • keyRing - (Required) The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
  • labels - (Optional) Labels with user-defined metadata to apply to this resource.

  • purpose - (Optional) The immutable purpose of this CryptoKey; it cannot be changed after creation. See the purpose reference for possible inputs. Default value is ENCRYPT_DECRYPT. Possible values are the API enum names ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, and MAC (as in the asymmetric example above).

  • rotationPeriod - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation takes place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds), for example 7776000s for 90 days. It must be greater than a day (i.e., 86400s). Automatic rotation is supported only for keys with purpose ENCRYPT_DECRYPT; omit this argument for asymmetric and MAC keys.

  • versionTemplate - (Optional) A template describing settings for new crypto key versions. Structure is documented below.

  • destroyScheduledDuration - (Optional) The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED, expressed as a duration string in seconds (for example 86400s). A version can still be restored while it is in DESTROY_SCHEDULED, so this is the window for recovering from an accidental destroy. If not specified at creation time, the default duration is 24 hours.

  • importOnly - (Optional) Whether this key may contain imported versions only. When true, Cloud KMS will not generate versions for this key; every CryptoKeyVersion must be imported.

  • skipInitialVersionCreation - (Optional) If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the googleKmsKeyRingImportJob resource to import the CryptoKeyVersion.

The versionTemplate block supports:

  • algorithm - (Required) The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protectionLevel - (Optional) The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
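
The arguments above carry constraints that Terraform only reports at apply time (rotation period format and minimum, purpose and algorithm compatibility, the missing prevent_destroy guard). The following is an added example, not code from this page or from the Google provider: a stand-alone policy check over a plain-object mirror of the KmsCryptoKey config that runs before synth. The CryptoKeyPolicyInput shape, the validateCryptoKey and parseDurationSeconds names and the sample configs are this example's own assumptions; the rule that only ENCRYPT_DECRYPT keys accept rotationPeriod comes from the Cloud KMS API, not from this page. The keyRing check expects a literal resource name, not a CDKTF token.

```typescript
// Added example (not provider code): pre-synth policy check for
// google_kms_crypto_key settings, encoding the Argument Reference constraints.

type Purpose = "ENCRYPT_DECRYPT" | "ASYMMETRIC_SIGN" | "ASYMMETRIC_DECRYPT" | "MAC";
type ProtectionLevel = "SOFTWARE" | "HSM" | "EXTERNAL" | "EXTERNAL_VPC";

// Assumed plain-object mirror of the KmsCryptoKey config (hypothetical shape).
interface CryptoKeyPolicyInput {
  name: string;
  keyRing: string;                    // literal resource name, not a cdktf token
  purpose?: Purpose;                  // defaults to ENCRYPT_DECRYPT
  rotationPeriod?: string;            // e.g. "100000s"
  destroyScheduledDuration?: string;  // e.g. "86400s"
  versionTemplate?: { algorithm: string; protectionLevel?: ProtectionLevel };
  preventDestroy?: boolean;           // lifecycle.preventDestroy
}

const ONE_DAY_SECONDS = 86400;

// Parse the duration format the page describes: a decimal number with up to
// nine fractional digits followed by "s". Returns seconds, or null if malformed.
function parseDurationSeconds(s: string): number | null {
  const m = /^(\d+)(?:\.(\d{1,9}))?s$/.exec(s);
  if (m === null) return null;
  return Number(m[1]) + (m[2] !== undefined ? Number("0." + m[2]) : 0);
}

// Cloud KMS algorithm-name prefixes that are valid for each purpose.
const ALGORITHM_PREFIXES: Record<Purpose, string[]> = {
  ENCRYPT_DECRYPT: ["GOOGLE_SYMMETRIC_ENCRYPTION"],
  ASYMMETRIC_SIGN: ["RSA_SIGN_", "EC_SIGN_"],
  ASYMMETRIC_DECRYPT: ["RSA_DECRYPT_"],
  MAC: ["HMAC_"],
};

// Returns a list of policy violations; an empty list means the key is acceptable.
function validateCryptoKey(cfg: CryptoKeyPolicyInput): string[] {
  const errors: string[] = [];
  const purpose: Purpose = cfg.purpose ?? "ENCRYPT_DECRYPT";

  if (!/^projects\/[^/]+\/locations\/[^/]+\/keyRings\/[^/]+$/.test(cfg.keyRing)) {
    errors.push(`keyRing must be projects/{project}/locations/{location}/keyRings/{keyRing}, got "${cfg.keyRing}"`);
  }

  if (cfg.rotationPeriod !== undefined) {
    const secs = parseDurationSeconds(cfg.rotationPeriod);
    if (secs === null) {
      errors.push(`rotationPeriod "${cfg.rotationPeriod}" is not a decimal number of seconds ending in "s"`);
    } else if (secs <= ONE_DAY_SECONDS) {
      errors.push(`rotationPeriod must be greater than one day (86400s), got ${cfg.rotationPeriod}`);
    }
    // API constraint (not stated on this page): only ENCRYPT_DECRYPT keys rotate automatically.
    if (purpose !== "ENCRYPT_DECRYPT") {
      errors.push(`rotationPeriod is only supported for ENCRYPT_DECRYPT keys, not ${purpose}`);
    }
  }

  if (cfg.destroyScheduledDuration !== undefined &&
      parseDurationSeconds(cfg.destroyScheduledDuration) === null) {
    errors.push(`destroyScheduledDuration "${cfg.destroyScheduledDuration}" is not a valid duration`);
  }

  const template = cfg.versionTemplate;
  if (template !== undefined) {
    const allowed = ALGORITHM_PREFIXES[purpose];
    if (!allowed.some((p) => template.algorithm.indexOf(p) === 0)) {
      errors.push(`algorithm ${template.algorithm} is not valid for purpose ${purpose}`);
    }
  } else if (purpose !== "ENCRYPT_DECRYPT") {
    // GOOGLE_SYMMETRIC_ENCRYPTION is implied only for ENCRYPT_DECRYPT keys.
    errors.push(`versionTemplate.algorithm is required for purpose ${purpose}`);
  }

  if (cfg.preventDestroy !== true) {
    errors.push("lifecycle.preventDestroy should be true: destroying the key makes data encrypted under it irrecoverable");
  }
  return errors;
}

// Constructed sample: the page's asymmetric example with two mistakes added
// (a rotation period, and the prevent_destroy guard left out).
const sampleAsymmetricKey: CryptoKeyPolicyInput = {
  name: "crypto-key-example",
  keyRing: "projects/my-project/locations/global/keyRings/keyring-example",
  purpose: "ASYMMETRIC_SIGN",
  rotationPeriod: "100000s",
  versionTemplate: { algorithm: "EC_SIGN_P384_SHA384", protectionLevel: "HSM" },
};

for (const problem of validateCryptoKey(sampleAsymmetricKey)) {
  console.log("policy violation:", problem);
}
```

Run this over the plain-object form of each key before synthesizing the stack; a non-empty result is a reason to fail the pipeline. The check deliberately treats a missing preventDestroy as a violation rather than a warning, because the irrecoverability described in the note at the top of this page is the one mistake a later apply cannot undo.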

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{keyRing}}/cryptoKeys/{{name}}

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

CryptoKey can be imported using any of these accepted formats:

$ terraform import google_kms_crypto_key.default {{key_ring}}/cryptoKeys/{{name}}
$ terraform import google_kms_crypto_key.default {{key_ring}}/{{name}}

User Project Overrides

This resource supports User Project Overrides.