Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.
To get more information about SecretCiphertext, see:
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "cryptokey" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_secret_ciphertext" "my_password" {
  crypto_key = google_kms_crypto_key.cryptokey.id
  plaintext  = "my-secret-password"
}

resource "google_compute_instance" "instance" {
  name         = "my-instance"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  metadata = {
    password = google_kms_secret_ciphertext.my_password.ciphertext
  }
}

The following arguments are supported:
plaintext - (Required) The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.
crypto_key - (Required) The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'
additional_authenticated_data - (Optional) The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

In addition to the arguments listed above, the following computed attributes are exported:
id - an identifier for the resource with format {{crypto_key}}/{{ciphertext}}
ciphertext - Contains the result of encrypting the provided plaintext, encoded in base64.

This resource provides the following Timeouts configuration options:
create - Default is 20 minutes.
delete - Default is 20 minutes.

This resource does not support import.
This resource supports User Project Overrides.
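
The plaintext and additional_authenticated_data arguments in use, as an added example that is not part of the provider documentation: the secret comes from a sensitive input variable instead of a literal in the configuration, and the ciphertext is bound to a context string. The names db_password and password_aad and the AAD value are assumptions; google_kms_crypto_key.cryptokey is the key from the example configuration above.

```hcl
# Added example; variable, local and resource names are illustrative.

# Take the secret as an input variable so it never appears in version control.
# Supply it at run time, for example through the TF_VAR_db_password
# environment variable, not through a committed .tfvars file.
variable "db_password" {
  description = "Secret value to encrypt with Cloud KMS."
  type        = string

  # Redacts the value in plan and apply output. The value is still written
  # to the Terraform state, so the state backend needs its own encryption
  # and access control.
  sensitive = true
}

locals {
  # Constructed context string. It is not encrypted, but it is covered by
  # the integrity check: decryption has to present exactly the same bytes,
  # otherwise Cloud KMS rejects the request. Binding the ciphertext to its
  # intended consumer keeps it from being accepted in a different context.
  password_aad = "instance=my-instance;purpose=db-password"
}

resource "google_kms_secret_ciphertext" "db_password" {
  # Full CryptoKey name in the format
  # projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}
  crypto_key = google_kms_crypto_key.cryptokey.id

  plaintext                     = var.db_password
  additional_authenticated_data = local.password_aad
}

# The base64 ciphertext can then be referenced wherever the encrypted value
# is needed, as the instance metadata does in the example above:
#   google_kms_secret_ciphertext.db_password.ciphertext
```

Whatever decrypts this ciphertext needs both decrypt permission on the CryptoKey and the same additional authenticated data.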