A CryptoKey represents a logical key that can be used for cryptographic operations.

To get more information about CryptoKey, see:
```hcl
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = true
  }
}
```
```hcl
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-asymmetric-sign-key" {
  name     = "crypto-key-example"
  key_ring = google_kms_key_ring.keyring.id
  purpose  = "ASYMMETRIC_SIGN"

  version_template {
    algorithm = "EC_SIGN_P384_SHA384"
  }

  lifecycle {
    prevent_destroy = true
  }
}
```
The following arguments are supported:

* name - (Required) The resource name for the CryptoKey.
* key_ring - (Required) The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
* labels - (Optional) Labels with user-defined metadata to apply to this resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.
* purpose - (Optional) The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".
* rotation_period - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400s).
* version_template - (Optional) A template describing settings for new crypto key versions. Structure is documented below.
* destroy_scheduled_duration - (Optional) The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 24 hours.
* import_only - (Optional) Whether this key may contain imported versions only.
* crypto_key_backend - (Optional) The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
* skip_initial_version_creation - (Optional) If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the google_kms_key_ring_import_job resource to import the CryptoKeyVersion.
The version_template block supports:

* algorithm - (Required) The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
* protection_level - (Optional) The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
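The following configuration, added here as an illustration and not taken from the provider documentation or any project, combines the arguments above into two keys on one key ring: an HSM-backed symmetric key with 90-day rotation and a 30-day destroy grace period, and a signing key that holds only versions brought in through google_kms_key_ring_import_job. All resource and key names are placeholders; the location and the label value are assumptions.

```hcl
# Added example (not from the page or the provider): key-ring and key
# names are placeholders; the location and label value are assumptions.

resource "google_kms_key_ring" "hardened" {
  name     = "keyring-hardened"   # placeholder name
  location = "us-central1"        # assumed location
}

resource "google_kms_crypto_key" "data_key" {
  name            = "data-key-hsm"          # placeholder name
  key_ring        = google_kms_key_ring.hardened.id
  purpose         = "ENCRYPT_DECRYPT"       # the default, stated explicitly
  rotation_period = "7776000s"              # 90 days; must exceed 86400s

  # Versions scheduled for destruction stay recoverable for 30 days
  # instead of the 24-hour default, leaving time to detect a mistake.
  destroy_scheduled_duration = "2592000s"

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"   # the default would be SOFTWARE
  }

  labels = {
    data-class = "confidential"   # assumed label
  }

  lifecycle {
    prevent_destroy = true   # refuse to destroy the key through Terraform
  }
}

# A signing key whose material is generated outside Cloud KMS: no initial
# version is created, and only imported versions are accepted. Automatic
# rotation is not set because it applies only to ENCRYPT_DECRYPT keys.
resource "google_kms_crypto_key" "imported_signer" {
  name                          = "signer-imported"   # placeholder name
  key_ring                      = google_kms_key_ring.hardened.id
  purpose                       = "ASYMMETRIC_SIGN"
  import_only                   = true
  skip_initial_version_creation = true

  version_template {
    algorithm        = "EC_SIGN_P256_SHA256"
    protection_level = "HSM"
  }

  lifecycle {
    prevent_destroy = true
  }
}
```

Until a version is imported, the signing key has no primary and cannot be used; the symmetric key's primary rotates automatically every 90 days, and versions still in DESTROY_SCHEDULED can be restored within the 30-day window.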
In addition to the arguments listed above, the following computed attributes are exported:

* id - an identifier for the resource with format {{key_ring}}/cryptoKeys/{{name}}
* primary - A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.
* terraform_labels - The combination of labels configured directly on the resource and default labels configured on the provider.
* effective_labels - All of the labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.

The primary block contains:

* name - (Output) The resource name for this CryptoKeyVersion.
* state - (Output) The current state of the CryptoKeyVersion.
This resource provides the following Timeouts configuration options:

* create - Default is 20 minutes.
* update - Default is 20 minutes.
* delete - Default is 20 minutes.

CryptoKey can be imported using any of these accepted formats:

* {{key_ring}}/cryptoKeys/{{name}}
* {{key_ring}}/{{name}}
In Terraform v1.5.0 and later, use an import block to import CryptoKey using one of the formats above. For example:

```hcl
import {
  id = "{{key_ring}}/cryptoKeys/{{name}}"
  to = google_kms_crypto_key.default
}
```

When using the terraform import command, CryptoKey can be imported using one of the formats above. For example:

```shell
$ terraform import google_kms_crypto_key.default {{key_ring}}/cryptoKeys/{{name}}
$ terraform import google_kms_crypto_key.default {{key_ring}}/{{name}}
```
This resource supports User Project Overrides.