googleKmsCryptoKeyVersion

A cryptoKeyVersion represents an individual cryptographic key, and the associated key material.

Destroying a cryptoKeyVersion will not delete the resource from the project.

To get more information about CryptoKeyVersion, see:

Example Usage - Kms Crypto Key Version Basic

/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as google from "./.gen/providers/google";
/* The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
   For a more precise conversion please use the --provider flag in convert. */
// Key ring that will hold the key. CDKTF TypeScript bindings use camelCase
// property names (keyRing, rotationPeriod, cryptoKey), not the HCL snake_case.
const googleKmsKeyRingKeyring = new google.kmsKeyRing.KmsKeyRing(
  this,
  "keyring",
  {
    location: "global",
    name: "keyring-example",
  }
);
// Key with automatic rotation every 100000 seconds.
const googleKmsCryptoKeyCryptokey = new google.kmsCryptoKey.KmsCryptoKey(
  this,
  "cryptokey",
  {
    keyRing: googleKmsKeyRingKeyring.id,
    name: "crypto-key-example",
    rotationPeriod: "100000s",
  }
);
// A new version (fresh key material) of the key created above.
new google.kmsCryptoKeyVersion.KmsCryptoKeyVersion(this, "example-key", {
  cryptoKey: googleKmsCryptoKeyCryptokey.id,
});

Argument Reference

The following arguments are supported:

  • cryptoKey - (Required) The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'

  • state - (Optional) The current state of the CryptoKeyVersion. Possible values are pendingGeneration, enabled, disabled, destroyed, destroyScheduled, pendingImport, and importFailed.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{name}}

  • name - The resource name for this CryptoKeyVersion.

  • protectionLevel - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

  • generateTime - The time this CryptoKeyVersion key material was generated.

  • algorithm - The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.

  • attestation - Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.

The attestation block contains:

  • format - (Output) The format of the attestation data.

  • content - (Output) The attestation data provided by the HSM when the key operation was performed.

  • certChains - (Optional) The certificate chains needed to validate the attestation. Structure is documented below.

  • externalProtectionLevelOptions - (Optional) ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL and EXTERNAL_VPC protection levels. Structure is documented below.

The certChains block supports:

  • caviumCerts - (Optional) Cavium certificate chain corresponding to the attestation.

  • googleCardCerts - (Optional) Google card certificate chain corresponding to the attestation.

  • googlePartitionCerts - (Optional) Google partition certificate chain corresponding to the attestation.
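
The attestation and certChains attributes above are exported so that you can check the HSM's statement about the key without trusting Google's API response alone. The following is an added example, not code from this page or the provider: it decodes the exported content and verifies its signature with the partition key. It assumes, following Google's published attestation verification sample rather than anything stated here, that content is a base64-encoded gzip stream whose last 256 bytes are an RSA-2048 PKCS#1 v1.5 SHA-256 signature over the preceding attested data, and that the signer is the leaf certificate of googlePartitionCerts (whose key you would obtain with new X509Certificate(pem).publicKey); the sample attestation and throwaway RSA key are constructed inline.

```typescript
// Added example, not provider code. Assumed blob layout (from Google's
// published verification sample, not from this page): gzip(data || sig),
// where sig is a 256-byte RSA-2048 PKCS#1 v1.5 SHA-256 signature over data.
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";
import { gunzipSync, gzipSync } from "node:zlib";

const SIGNATURE_LEN = 256; // RSA-2048 signature length in bytes

interface ParsedAttestation { data: Buffer; signature: Buffer }

// Decode the exported `content` and split it into attested data and signature;
// reject blobs too short to contain a signature at all.
function parseAttestation(contentBase64: string): ParsedAttestation {
  const blob = gunzipSync(Buffer.from(contentBase64, "base64"));
  if (blob.length <= SIGNATURE_LEN) throw new Error("attestation too short to hold a signature");
  const cut = blob.length - SIGNATURE_LEN;
  return { data: blob.subarray(0, cut), signature: blob.subarray(cut) };
}

// Verify the signature with the partition key. In production pass
// new X509Certificate(googlePartitionCerts[0]).publicKey after validating
// that chain up to its root with X509Certificate.verify().
function verifyAttestation(contentBase64: string, partitionKey: KeyObject): boolean {
  const { data, signature } = parseAttestation(contentBase64);
  return createVerify("RSA-SHA256").update(data).verify(partitionKey, signature);
}

// Constructed sample: a throwaway RSA key stands in for the HSM partition key.
// The tampered variant rewrites one attested attribute without re-signing, so
// a verifier that checks the signature rejects it.
function makeSampleAttestation(): { content: string; tampered: string; publicKey: KeyObject } {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const data = Buffer.from("constructed attested attributes: extractable=false, origin=hsm");
  const signature = createSign("RSA-SHA256").update(data).sign(privateKey);
  const forged = Buffer.from(data.toString().replace("extractable=false", "extractable=true "));
  return {
    content: gzipSync(Buffer.concat([data, signature])).toString("base64"),
    tampered: gzipSync(Buffer.concat([forged, signature])).toString("base64"),
    publicKey,
  };
}
```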

The externalProtectionLevelOptions block supports:

  • externalKeyUri - (Optional) The URI for an external resource that this CryptoKeyVersion represents.

  • ekmConnectionKeyPath - (Optional) The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

CryptoKeyVersion can be imported using any of these accepted formats:

$ terraform import google_kms_crypto_key_version.default {{name}}