confluent_schema_registry_kek Resource

Early Access

confluent_schema_registry_kek provides a Schema Registry Key Encryption Key (KEK) resource that enables creating, editing, and deleting Schema Registry Key Encryption Keys on Confluent Cloud.

Example Usage

Option #1: Manage multiple Schema Registry clusters in the same Terraform workspace

provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # optionally use CONFLUENT_CLOUD_API_KEY env var
  cloud_api_secret = var.confluent_cloud_api_secret # optionally use CONFLUENT_CLOUD_API_SECRET env var
}

resource "confluent_schema_registry_kek" "aws_key" {
  schema_registry_cluster {
    id = confluent_schema_registry_cluster.essentials.id
  }
  rest_endpoint = confluent_schema_registry_cluster.essentials.rest_endpoint
  credentials {
    key    = "<Schema Registry API Key for confluent_schema_registry_cluster.essentials>"
    secret = "<Schema Registry API Secret for confluent_schema_registry_cluster.essentials>"
  }

  name        = "my_key"
  kms_type    = "aws-kms"
  kms_key_id  = "key_id"
  doc         = "test key"
  shared      = false
  hard_delete = true

  lifecycle {
    prevent_destroy = true
  }
}

Option #2: Manage a single Schema Registry cluster in the same Terraform workspace

provider "confluent" {
  schema_registry_id            = var.schema_registry_id            # optionally use SCHEMA_REGISTRY_ID env var
  schema_registry_rest_endpoint = var.schema_registry_rest_endpoint # optionally use SCHEMA_REGISTRY_REST_ENDPOINT env var
  schema_registry_api_key       = var.schema_registry_api_key       # optionally use SCHEMA_REGISTRY_API_KEY env var
  schema_registry_api_secret    = var.schema_registry_api_secret    # optionally use SCHEMA_REGISTRY_API_SECRET env var
}

resource "confluent_schema_registry_kek" "pii" {
  name        = "my_key"
  kms_type    = "aws-kms"
  kms_key_id  = "key_id"
  doc         = "test key"
  shared      = false
  hard_delete = true

  lifecycle {
    prevent_destroy = true
  }
}
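
Added example, not part of the provider documentation: both options above pair hard_delete = true with prevent_destroy = true, but prevent_destroy only protects a KEK while its resource block stays in the configuration. The sketch below is a CI gate over the output of terraform show -json that flags KEK destroys, replacements, and hard_delete being switched on; the sample plan, its addresses, and the function name are constructed for illustration.

```python
import json

KEK_TYPE = "confluent_schema_registry_kek"

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. Addresses and values are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "confluent_schema_registry_kek.aws_key", "type": "confluent_schema_registry_kek",
   "change": {"actions": ["delete"],
              "before": {"name": "my_key", "hard_delete": true}, "after": null}},
  {"address": "confluent_schema_registry_kek.pii", "type": "confluent_schema_registry_kek",
   "change": {"actions": ["update"],
              "before": {"name": "my_key", "hard_delete": false},
              "after": {"name": "my_key", "hard_delete": true}}},
  {"address": "confluent_schema_registry_kek.audit", "type": "confluent_schema_registry_kek",
   "change": {"actions": ["delete", "create"],
              "before": {"name": "audit", "hard_delete": false},
              "after": {"name": "audit", "hard_delete": false}}},
  {"address": "confluent_schema.orders", "type": "confluent_schema",
   "change": {"actions": ["delete"], "before": {}, "after": null}}
]}
""")


def review_kek_changes(plan):
    """Return (address, finding) pairs for KEK changes that need sign-off."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != KEK_TYPE:
            continue  # only KEK resources are in scope
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        before = change.get("before") or {}  # null when the resource is new
        after = change.get("after") or {}    # null when the resource is destroyed
        if "delete" in actions:
            # Assumption: the hard_delete value in the prior state is the one
            # that applies when the existing KEK is destroyed.
            mode = "hard" if before.get("hard_delete") else "soft"
            kind = "replacement" if "create" in actions else "destroy"
            findings.append((rc["address"], f"{mode}-delete {kind}"))
        elif after.get("hard_delete") and not before.get("hard_delete"):
            findings.append((rc["address"], "hard_delete switched on"))
    return findings


if __name__ == "__main__":
    for address, finding in review_kek_changes(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```
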

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to the preceding arguments, the following attributes are exported:

Import

You can import a Schema Registry Key by using the Schema Registry cluster ID and KEK name, in the format <Schema Registry cluster ID>/<Kek name>, for example:

$ export IMPORT_SCHEMA_REGISTRY_API_KEY="<schema_registry_api_key>"
$ export IMPORT_SCHEMA_REGISTRY_API_SECRET="<schema_registry_api_secret>"
$ export IMPORT_SCHEMA_REGISTRY_REST_ENDPOINT="<schema_registry_rest_endpoint>"
$ terraform import confluent_schema_registry_kek.aws_key lsrc-8wrx70/aws_key

Getting Started

The following end-to-end example might help to get started with field-level encryption: