Decrypt a given ciphertext with KMS to use the resulting plaintext in resources.
resource "alicloud_kms_key" "key" {
  description = "example key"
  is_enabled  = true
}

# Encrypt plaintext 'example'
resource "alicloud_kms_ciphertext" "encrypted" {
  key_id    = alicloud_kms_key.key.id
  plaintext = "example"
}

# Decrypt encrypted ciphertext
data "alicloud_kms_plaintext" "plaintext" {
  ciphertext_blob = alicloud_kms_ciphertext.encrypted.ciphertext_blob
}

# Output 'example' should match the plaintext encrypted in the beginning
output "decrypted" {
  value = data.alicloud_kms_plaintext.plaintext.plaintext
  # Mark the output sensitive so the decrypted value is redacted in CLI output
  sensitive = true
}
The following arguments are supported:
encryption_context - (Optional) The encryption context. If you specify this parameter in the Encrypt or GenerateDataKey API operation, it is also required when you call the Decrypt API operation. For more information, see Encryption Context.
ciphertext_blob - The ciphertext to be decrypted.

The following attributes are exported in addition to the arguments listed above:
plaintext - The decrypted plaintext.
key_id - The globally unique ID of the CMK. It is the ID of the CMK used to decrypt ciphertext.
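
The encryption_context argument described above, shown on both the encrypt and decrypt side. This is an added example, not taken from the provider documentation; the resource names, the db_password variable and the context keys and values are constructed for illustration.

```hcl
# Assumption: the secret is supplied at apply time and never written in the configuration.
variable "db_password" {
  type      = string
  sensitive = true
}

locals {
  # Single definition of the context, so the encrypt and decrypt sides cannot drift apart.
  # Constructed sample values.
  db_secret_context = {
    app = "billing"
    env = "prod"
  }
}

resource "alicloud_kms_key" "ctx_key" {
  description = "example key used with an encryption context"
  is_enabled  = true
}

# Encrypt with an encryption context
resource "alicloud_kms_ciphertext" "db_password" {
  key_id             = alicloud_kms_key.ctx_key.id
  plaintext          = var.db_password
  encryption_context = local.db_secret_context
}

# Decrypt: because a context was given at encryption time, the same
# context has to be passed here as well.
data "alicloud_kms_plaintext" "db_password" {
  ciphertext_blob    = alicloud_kms_ciphertext.db_password.ciphertext_blob
  encryption_context = local.db_secret_context
}

output "db_password" {
  value     = data.alicloud_kms_plaintext.db_password.plaintext
  sensitive = true
}

# ID of the CMK that KMS used for decryption, exported by the data source
output "decrypting_key_id" {
  value = data.alicloud_kms_plaintext.db_password.key_id
}
```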