This data source allows you to use data encrypted with Google Cloud KMS within your resource definitions.
For more information see the official documentation.
First, create a KMS KeyRing and CryptoKey using the resource definitions:

```hcl
resource "google_kms_key_ring" "my_key_ring" {
  project  = "my-project"
  name     = "my-key-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name     = "my-crypto-key"
  key_ring = google_kms_key_ring.my_key_ring.id
}
```
Next, use the Cloud SDK to encrypt some sensitive information:

```shell
$ echo -n my-secret-password | gcloud kms encrypt \
>   --project my-project \
>   --location us-central1 \
>   --keyring my-key-ring \
>   --key my-crypto-key \
>   --plaintext-file - \
>   --ciphertext-file - \
>   | base64
CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=
```
Finally, reference the encrypted ciphertext in your resource definitions:

```hcl
data "google_kms_secret" "sql_user_password" {
  crypto_key = google_kms_crypto_key.my_crypto_key.id
  ciphertext = "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU="
}

resource "random_id" "db_name_suffix" {
  byte_length = 4
}

resource "google_sql_database_instance" "main" {
  name             = "main-instance-${random_id.db_name_suffix.hex}"
  database_version = "MYSQL_5_7"

  settings {
    tier = "db-f1-micro"
  }
}

resource "google_sql_user" "users" {
  name     = "me"
  instance = google_sql_database_instance.main.name
  host     = "me.com"
  password = data.google_kms_secret.sql_user_password.plaintext
}
```

This will result in a Cloud SQL user being created with the password `my-secret-password`.
The following arguments are supported:

* `ciphertext` - (Required) The ciphertext to be decrypted, encoded in base64.
* `crypto_key` - (Required) The id of the CryptoKey that will be used to decrypt the provided ciphertext. This is represented by the format `{projectId}/{location}/{keyRingName}/{cryptoKeyName}`.
* `additional_authenticated_data` - (Optional) The additional authenticated data used for integrity checks during encryption and decryption.

The following attribute is exported:

* `plaintext` - Contains the result of decrypting the provided ciphertext.
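The encrypt step and the `crypto_key` argument above describe the same key twice: once as four `gcloud` flags and once as a single Terraform id. The helper below is an added example, not part of this page or of the Google provider. It parses the id format documented for `crypto_key` into the matching `--project`/`--location`/`--keyring`/`--key` flags, and also accepts the full resource-name form `projects/{p}/locations/{l}/keyRings/{k}/cryptoKeys/{c}` on the assumption that the data source accepts it as well. It then checks a pasted ciphertext before it reaches a plan: GNU `base64` wraps its output at 76 columns, and a wrapped or otherwise malformed value is rejected here as a `ValueError` rather than surfacing later as a KMS decrypt failure. All ciphertexts and names below are constructed sample values; `--additional-authenticated-data-file` is gcloud's own flag for supplying AAD.

```python
import base64
import shlex

# Labels of the full resource-name form (assumed to be accepted by the
# data source in addition to the short form documented above).
_LONG_LABELS = ("projects", "locations", "keyRings", "cryptoKeys")


def parse_crypto_key_id(crypto_key):
    """Return (project, location, key_ring, crypto_key) from either id form.

    Short form:  {projectId}/{location}/{keyRingName}/{cryptoKeyName}
    Long form:   projects/{p}/locations/{l}/keyRings/{k}/cryptoKeys/{c}
    A project-less id is rejected rather than silently defaulted.
    """
    parts = crypto_key.strip("/").split("/")
    if len(parts) == 8 and tuple(parts[0::2]) == _LONG_LABELS:
        return tuple(parts[1::2])
    if len(parts) == 4 and all(parts):
        return tuple(parts)
    raise ValueError(f"unrecognised crypto_key id: {crypto_key!r}")


def normalize_ciphertext(raw):
    """Collapse line wrapping added by `base64` and validate the result.

    Whitespace (including the 76-column wrapping of GNU base64) is removed;
    anything that is still not valid base64 raises ValueError.
    """
    compact = "".join(raw.split())
    if not compact:
        raise ValueError("empty ciphertext")
    try:
        base64.b64decode(compact, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"ciphertext is not valid base64: {exc}") from None
    return compact


def gcloud_encrypt_command(crypto_key, plaintext_file="-",
                           ciphertext_file="-", aad_file=None):
    """Build the `gcloud kms encrypt` argv whose flags match a Terraform id."""
    project, location, key_ring, key = parse_crypto_key_id(crypto_key)
    argv = [
        "gcloud", "kms", "encrypt",
        "--project", project,
        "--location", location,
        "--keyring", key_ring,
        "--key", key,
        "--plaintext-file", plaintext_file,
        "--ciphertext-file", ciphertext_file,
    ]
    if aad_file is not None:
        # The same AAD bytes must then be supplied to the data source via
        # additional_authenticated_data, or decryption fails.
        argv += ["--additional-authenticated-data-file", aad_file]
    return argv


def render_secret_data_source(label, crypto_key_ref, ciphertext):
    """Render a data "google_kms_secret" block with a validated ciphertext."""
    lines = [
        f'data "google_kms_secret" "{label}" {{',
        f"  crypto_key = {crypto_key_ref}",
        f'  ciphertext = "{normalize_ciphertext(ciphertext)}"',
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    key_id = "my-project/us-central1/my-key-ring/my-crypto-key"
    print(shlex.join(gcloud_encrypt_command(key_id)))
    # Constructed sample: base64 of "hello", wrapped as GNU base64 would wrap
    # a longer value, to show the normalisation.
    wrapped = "aGVs\nbG8=\n"
    print(render_secret_data_source(
        "sql_user_password", "google_kms_crypto_key.my_crypto_key.id", wrapped))
```

Note that validating the ciphertext only guards the input side. Once the data source is read, `plaintext` is an ordinary attribute and is written to the Terraform state and shown in plan output, so the state backend and plan logs must be protected as carefully as the secret itself.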