confluent_byok_key provides a BYOK Key resource that enables creating, editing, and deleting a BYOK Key on Confluent Cloud.
resource "confluent_byok_key" "aws_key" {
  aws {
    key_arn = "arn:aws:kms:us-west-2:111111111111:key/11111111-1111-1111-1111-111111111111"
  }
}

resource "confluent_byok_key" "azure_key" {
  azure {
    tenant_id      = "11111111-1111-1111-1111-111111111111"
    key_vault_id   = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault"
    key_identifier = "https://test-vault.vault.azure.net/keys/test-key"
  }
}

resource "confluent_byok_key" "gcp_key" {
  gcp {
    key_id = "projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test"
  }
}
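The usage above only registers an existing KMS key with Confluent; the key's own policy must also let the IAM roles Confluent creates for the key (exported as the aws.roles attribute described under the exported attributes) use it. The following is an added example, not part of the provider documentation, showing one way to wire that up with a separate aws_kms_key_policy resource so the key and its policy do not form a dependency cycle; the granted KMS action set is an assumption, not taken from this page.

```hcl
# Added example (assumed wiring): the KMS key is created first, the BYOK resource registers it,
# and a separate key policy then grants the Confluent-created roles access, avoiding a dependency cycle.
resource "aws_kms_key" "confluent" {
  description         = "Confluent Cloud BYOK key"
  enable_key_rotation = true
}

resource "confluent_byok_key" "aws_key" {
  aws {
    key_arn = aws_kms_key.confluent.arn
  }
}

data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "byok" {
  # Keep the account root as key administrator so the key can never become unmanageable.
  statement {
    sid       = "EnableRootAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Grant only the roles Confluent created for this key-environment combination (exported as
  # aws[0].roles), and only data-plane actions: no key deletion or policy changes. Assumed action set.
  statement {
    sid = "AllowConfluentRolesToUseKey"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = confluent_byok_key.aws_key.aws[0].roles
    }
  }
}

resource "aws_kms_key_policy" "confluent" {
  key_id = aws_kms_key.confluent.id
  policy = data.aws_iam_policy_document.byok.json
}
```

Because the root statement is retained, replacing the default key policy does not require bypassing the KMS policy lockout safety check.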
The following arguments are supported:

aws - (Optional Configuration Block) supports the following:
  key_arn - (Required String) The Amazon Resource Name (ARN) of an AWS KMS key.

azure - (Optional Configuration Block) supports the following:
  key_identifier - (Required String) The unique Key Object Identifier URL of an Azure Key Vault key.
  key_vault_id - (Required String) Key Vault ID containing the key.
  tenant_id - (Required String) Tenant ID (uuid) hosting the Key Vault containing the key.

gcp - (Optional Configuration Block) supports the following:
  key_id - (Required String) The Google Cloud Platform key ID.

In addition to the preceding arguments, the following attributes are exported:
id - (Required String) The ID of the BYOK key, for example, cck-abcde.

aws - (Optional Configuration Block) supports the following:
  roles - (Optional List of Strings) The Amazon Resource Names (ARNs) of IAM Roles created for this key-environment combination.

azure - (Optional Configuration Block) supports the following:
  application_id - (Optional String) The Application ID created for this key-environment combination.

gcp - (Optional Configuration Block) supports the following:
  security_group - (Optional String) The Google security group created for this key.

You can import a BYOK Key by using its BYOK Key ID. The following example shows how to import a BYOK Key:
$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ terraform import confluent_byok_key.aws_key cck-abcde
The following end-to-end examples might help you get started with the confluent_byok_key resource:
See Confluent Cloud Bring Your Own Key (BYOK) Management API to learn more about Encrypting Confluent Cloud Kafka Clusters using Self-Managed Keys.