NetApp Volumes always encrypts your data at rest using volume-specific keys.
A CMEK policy (customer-managed encryption key) warps such volume-specific keys in a key stored in Cloud Key Management Service (KMS).
To get more information about kmsconfig, see:
resource "google_kms_key_ring" "keyring" {
name = "key-ring"
location = "us-central1"
}
resource "google_kms_crypto_key" "crypto_key" {
name = "crypto-name"
key_ring = google_kms_key_ring.keyring.id
# rotation_period = "7776000s"
}
resource "google_netapp_kmsconfig" "kmsConfig" {
name = "kms-test"
description="this is a test description"
crypto_key_name=google_kms_crypto_key.crypto_key.id
location="us-central1"
}
The following arguments are supported:
crypto_key_name
-
(Required)
Resource name of the KMS key to use. Only regional keys are supported. Format: projects/{{project}}/locations/{{location}}/keyRings/{{key_ring}}/cryptoKeys/{{key}}
.
location
-
(Required)
Name of the policy location. CMEK policies apply to the whole region.
name
-
(Required)
Name of the CMEK policy.
description
-
(Optional)
Description for the CMEK policy.
labels
-
(Optional)
Labels as key value pairs. Example: { "owner": "Bob", "department": "finance", "purpose": "testing" }
.
Note: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field effective_labels
for all of the labels present on the resource.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/locations/{{location}}/kmsConfigs/{{name}}
instructions
-
Access to the key needs to be granted. The instructions contain gcloud commands to run to grant access.
To make the policy work, a CMEK policy check is required, which verifies key access.
service_account
-
The Service account which needs to have access to the provided KMS key.
terraform_labels
-
The combination of labels configured directly on the resource
and default labels configured on the provider.
effective_labels
-
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.kmsconfig can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/kmsConfigs/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
In Terraform v1.5.0 and later, use an import
block to import kmsconfig using one of the formats above. For example:
import {
id = "projects/{{project}}/locations/{{location}}/kmsConfigs/{{name}}"
to = google_netapp_kmsconfig.default
}
When using the terraform import
command, kmsconfig can be imported using one of the formats above. For example:
$ terraform import google_netapp_kmsconfig.default projects/{{project}}/locations/{{location}}/kmsConfigs/{{name}}
$ terraform import google_netapp_kmsconfig.default {{project}}/{{location}}/{{name}}
$ terraform import google_netapp_kmsconfig.default {{location}}/{{name}}
This resource supports User Project Overrides.