googleKmsSecretCiphertext

Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.

~> NOTE: Using this resource will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

To get more information about SecretCiphertext, see:

~> Warning: All arguments including plaintext and additionalAuthenticatedData will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage - Kms Secret Ciphertext Basic

/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as google from "./.gen/providers/google";

// Property names follow the generated TypeScript bindings (camelCase).
// Single nested blocks such as boot_disk are plain objects; repeated blocks
// such as network_interface are arrays; metadata is a string map.
export class KmsSecretCiphertextBasicStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const keyring = new google.kmsKeyRing.KmsKeyRing(this, "keyring", {
      location: "global",
      name: "keyring-example",
    });

    const cryptokey = new google.kmsCryptoKey.KmsCryptoKey(this, "cryptokey", {
      keyRing: keyring.id,
      name: "crypto-key-example",
      rotationPeriod: "100000s",
      // Keys that have encrypted data must not be destroyed by accident.
      lifecycle: { preventDestroy: true },
    });

    const myPassword = new google.kmsSecretCiphertext.KmsSecretCiphertext(
      this,
      "my_password",
      {
        cryptoKey: cryptokey.id,
        plaintext: "my-secret-password",
      }
    );

    new google.computeInstance.ComputeInstance(this, "instance", {
      name: "my-instance",
      machineType: "e2-medium",
      zone: "us-central1-a",
      bootDisk: {
        initializeParams: { image: "debian-cloud/debian-11" },
      },
      // Only the base64 ciphertext reaches the instance; decrypting it requires
      // decrypt permission on the CryptoKey.
      metadata: { password: myPassword.ciphertext },
      networkInterface: [{ network: "default", accessConfig: [{}] }],
    });
  }
}
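The warning above says that plaintext and additionalAuthenticatedData are written to the raw state. The following is an added example, not code from the provider documentation or the cdktf project: it scans a synthesized configuration object shaped like cdk.tf.json and reports which of those two arguments are hard-coded literals rather than Terraform expressions. The sampleConfig object is constructed here to resemble the synthesized output of the example usage above (plus a second resource fed from a variable), and the function and type names are my own. A value read from a variable is still resolved into state, so this check finds secrets baked into source and version control; protecting the state file is a separate task.

```typescript
// Added example: find hard-coded secret arguments on google_kms_secret_ciphertext
// resources in a synthesized cdktf configuration (cdk.tf.json shape).

interface Finding {
  address: string;   // e.g. google_kms_secret_ciphertext.my_password
  attribute: string; // "plaintext" or "additional_authenticated_data"
  literal: boolean;  // true when the value is a literal baked into the config
}

// The two arguments the documentation flags as stored in state in the clear.
const SENSITIVE_ATTRS = ["plaintext", "additional_authenticated_data"];

// A value of the form "${...}" is a Terraform expression (variable, token,
// another resource's attribute) rather than a literal in the configuration.
function isExpression(value: unknown): boolean {
  return typeof value === "string" && /^\$\{[\s\S]*\}$/.test(value.trim());
}

export function scanSecretCiphertext(config: any): Finding[] {
  const findings: Finding[] = [];
  const resources = config?.resource?.google_kms_secret_ciphertext ?? {};
  for (const [name, attrs] of Object.entries<any>(resources)) {
    for (const attr of SENSITIVE_ATTRS) {
      if (attrs[attr] === undefined) continue;
      findings.push({
        address: `google_kms_secret_ciphertext.${name}`,
        attribute: attr,
        literal: !isExpression(attrs[attr]),
      });
    }
  }
  return findings;
}

// Only the findings that should block a commit: literal secrets in source.
export function literalFindings(config: any): string[] {
  return scanSecretCiphertext(config)
    .filter((f) => f.literal)
    .map((f) => `${f.address}.${f.attribute}`);
}

// Constructed sample: the first resource mirrors the example usage above, the
// second reads its plaintext from a variable but hard-codes its AAD.
export const sampleConfig = {
  resource: {
    google_kms_secret_ciphertext: {
      my_password: {
        crypto_key: "${google_kms_crypto_key.cryptokey.id}",
        plaintext: "my-secret-password",
      },
      db_password: {
        crypto_key: "${google_kms_crypto_key.cryptokey.id}",
        plaintext: "${var.db_password}",
        additional_authenticated_data: "prod/db",
      },
    },
  },
};

for (const hit of literalFindings(sampleConfig)) {
  console.log(`literal secret in configuration: ${hit}`);
}
```

Run it against the JSON that cdktf synth writes to cdktf.out/stacks/<stack>/cdk.tf.json; an AAD literal is reported as well as a plaintext literal, since the documentation treats both as sensitive.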

Argument Reference

The following arguments are supported:

  • plaintext - (Required) The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.

  • cryptoKey - (Required) The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'
  • additionalAuthenticatedData - (Optional) The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.
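To show what the additionalAuthenticatedData argument provides, here is an added example (my own code, not the provider's or Google's) that uses Node's AES-256-GCM as a local stand-in for a KMS symmetric key: a ciphertext produced with one AAD value fails to decrypt under any other AAD, as does a ciphertext whose bytes were altered. The key, the AAD strings, the blob layout and the encrypt/decrypt helper names are all constructed for the demonstration and do not match the Cloud KMS wire format; KMS performs the equivalent check on the server, so whatever consumes the exported ciphertext must present the same AAD that was given to this resource.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed demo key. A real KMS key never leaves the service; this only
// illustrates the AEAD semantics behind additionalAuthenticatedData.
const demoKey = randomBytes(32);

const IV_LEN = 12;  // 96-bit nonce, the standard GCM choice
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypts plaintext bound to the given AAD. Returns base64 of iv || tag || body
// (a layout chosen for this example, not the KMS ciphertext format).
export function encrypt(plaintext: string, aad: string): string {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", demoKey, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, tag, body]).toString("base64");
}

// Decrypts only if both the ciphertext and the AAD are exactly what was
// authenticated at encryption time; otherwise returns null.
export function decrypt(ciphertextB64: string, aad: string): string | null {
  const blob = Buffer.from(ciphertextB64, "base64");
  if (blob.length < IV_LEN + TAG_LEN) return null;
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const body = blob.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", demoKey, iv);
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
  } catch {
    return null; // tag check failed: wrong AAD or modified ciphertext
  }
}

// Constructed AAD: binding the ciphertext to the instance that may use it.
const aad = "instance:my-instance";
const ct = encrypt("my-secret-password", aad);
console.log("same AAD   :", decrypt(ct, aad));
console.log("other AAD  :", decrypt(ct, "instance:other"));
```

The AAD is not secret and is not part of the ciphertext; it is context that both sides must agree on. Choosing it to name the consumer (an instance, an environment) means a ciphertext copied to a different context will not decrypt even though the key and permissions are the same.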

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{cryptoKey}}/{{ciphertext}}

  • ciphertext - Contains the result of encrypting the provided plaintext, encoded in base64.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

This resource does not support import.

User Project Overrides

This resource supports User Project Overrides.