confluent_byok_key Resource

General Availability

confluent_byok_key provides a BYOK Key resource that enables creating, editing, and deleting BYOK Keys on Confluent Cloud.

Example Usage

Example BYOK Key on AWS

resource "confluent_byok_key" "aws_key" {
    aws {
        key_arn = "arn:aws:kms:us-west-2:111111111111:key/11111111-1111-1111-1111-111111111111"
    }
}

Example BYOK Key on Azure

resource "confluent_byok_key" "azure_key" {
    azure {
        tenant_id      = "11111111-1111-1111-1111-111111111111"
        key_vault_id   = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault"
        key_identifier = "https://test-vault.vault.azure.net/keys/test-key"
    }
}

Example BYOK Key on GCP

resource "confluent_byok_key" "gcp_key" {
    gcp {
        key_id = "projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test"
    }
}

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to the preceding arguments, the following attributes are exported:

Import

You can import a BYOK Key by using the BYOK Key ID. The following example shows how to import a BYOK Key:

$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ terraform import confluent_byok_key.aws_key cck-abcde

Getting Started

The following end-to-end examples might help you get started with the confluent_byok_key resource:

See Confluent Cloud Bring Your Own Key (BYOK) Management API to learn more about Encrypting Confluent Cloud Kafka Clusters using Self-Managed Keys.