A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.
Destroying a CryptoKeyVersion will not delete the resource from the project.
To get more information about CryptoKeyVersion, see:
```hcl
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "cryptokey" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days
}

resource "google_kms_crypto_key_version" "example-key" {
  crypto_key = google_kms_crypto_key.cryptokey.id
}
```
The following arguments are supported:
crypto_key - (Required) The name of the cryptoKey associated with the CryptoKeyVersions. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyring}}/cryptoKeys/{{cryptoKey}}'

state - (Optional) The current state of the CryptoKeyVersion. Possible values are: PENDING_GENERATION, ENABLED, DISABLED, DESTROYED, DESTROY_SCHEDULED, PENDING_IMPORT, IMPORT_FAILED.
external_protection_level_options - (Optional) ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL and EXTERNAL_VPC protection levels. Structure is documented below.

The external_protection_level_options block supports:

external_key_uri - (Optional) The URI for an external resource that this CryptoKeyVersion represents.

ekm_connection_key_path - (Optional) The path to the external key material on the EKM when using EkmConnection, e.g. "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
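A pre-apply check for the state argument and the destroy behaviour described above, as an added example that is not part of the provider documentation: it scans the JSON form of a plan (`terraform show -json <planfile>`) for changes that would leave a key version unable to serve crypto operations. The sample plan is constructed, and the function and constant names are assumptions of this example.

```python
import json

# Resource type documented on this page.
KMS_VERSION_TYPE = "google_kms_crypto_key_version"
# Of the states listed for `state`, only ENABLED allows crypto operations.
USABLE_STATES = {"ENABLED"}

# Constructed sample of `terraform show -json` output (not real data).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_kms_crypto_key_version.old", "type": KMS_VERSION_TYPE,
     "change": {"actions": ["delete"], "before": {"state": "ENABLED"}, "after": None}},
    {"address": "google_kms_crypto_key_version.example-key", "type": KMS_VERSION_TYPE,
     "change": {"actions": ["update"], "before": {"state": "ENABLED"},
                "after": {"state": "DISABLED"}}},
    {"address": "google_kms_crypto_key_version.new", "type": KMS_VERSION_TYPE,
     "change": {"actions": ["create"], "before": None, "after": {"state": "ENABLED"}}},
    {"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
     "change": {"actions": ["delete"], "before": {}, "after": None}},
]})


def risky_key_version_changes(plan_json):
    """Return (address, reason) pairs for planned changes that make a key version unusable."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != KMS_VERSION_TYPE:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        before = change.get("before") or {}
        after = change.get("after") or {}
        if "delete" in actions:
            # Covers a plain destroy and both replace orderings.
            findings.append((rc["address"], "destroy planned"))
        elif "update" in actions:
            old, new = before.get("state"), after.get("state")
            # A state that is unknown until apply is absent from `after`; skip it.
            if old in USABLE_STATES and new is not None and new not in USABLE_STATES:
                findings.append((rc["address"], f"state {old} -> {new}"))
    return findings


if __name__ == "__main__":
    for address, reason in risky_key_version_changes(SAMPLE_PLAN):
        print(f"REVIEW {address}: {reason}")
```

Data encrypted under a key version that is disabled or destroyed cannot be decrypted with it, so a finding here is a prompt to confirm that nothing still depends on that version before applying.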
In addition to the arguments listed above, the following computed attributes are exported:
id - an identifier for the resource with format {{name}}

name - The resource name for this CryptoKeyVersion.

protection_level - The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.

generate_time - The time this CryptoKeyVersion key material was generated.

algorithm - The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.

attestation - Statement that was generated and signed by the HSM at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only provided for key versions with protectionLevel HSM. Structure is documented below.
The attestation block contains:

format - (Output) The format of the attestation data.

content - (Output) The attestation data provided by the HSM when the key operation was performed.

cert_chains - (Optional) The certificate chains needed to validate the attestation. Structure is documented below.

external_protection_level_options - (Optional, Deprecated) ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL and EXTERNAL_VPC protection levels. Structure is documented below.

~> Warning: externalProtectionLevelOptions is being un-nested from the attestation field. Please use the top level externalProtectionLevelOptions field instead.
The cert_chains block supports:

cavium_certs - (Optional) Cavium certificate chain corresponding to the attestation.

google_card_certs - (Optional) Google card certificate chain corresponding to the attestation.

google_partition_certs - (Optional) Google partition certificate chain corresponding to the attestation.
The external_protection_level_options block supports:

external_key_uri - (Optional) The URI for an external resource that this CryptoKeyVersion represents.

ekm_connection_key_path - (Optional) The path to the external key material on the EKM when using EkmConnection, e.g. "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
This resource provides the following Timeouts configuration options:
create - Default is 20 minutes.

update - Default is 20 minutes.

delete - Default is 20 minutes.

CryptoKeyVersion can be imported using any of these accepted formats:

{{name}}

In Terraform v1.5.0 and later, use an import block to import CryptoKeyVersion using one of the formats above. For example:

```hcl
import {
  id = "{{name}}"
  to = google_kms_crypto_key_version.default
}
```

When using the terraform import command, CryptoKeyVersion can be imported using one of the formats above. For example:

```shell
$ terraform import google_kms_crypto_key_version.default {{name}}
```