confluent_api_key provides an API Key resource that enables creating, editing, and deleting Cloud API Keys and Cluster API Keys (Kafka API Key, ksqlDB API Key, Schema Registry API Key, Flink API Key) on Confluent Cloud.
resource "confluent_api_key" "app-manager-kafka-api-key" {
  display_name = "app-manager-kafka-api-key"
  description  = "Kafka API Key that is owned by 'app-manager' service account"
  owner {
    id          = confluent_service_account.app-manager.id
    api_version = confluent_service_account.app-manager.api_version
    kind        = confluent_service_account.app-manager.kind
  }
  managed_resource {
    id          = confluent_kafka_cluster.basic.id
    api_version = confluent_kafka_cluster.basic.api_version
    kind        = confluent_kafka_cluster.basic.kind
    environment {
      id = confluent_environment.staging.id
    }
  }
  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_api_key" "ksqldb-api-key" {
  display_name = "ksqldb-api-key"
  description  = "KsqlDB API Key that is owned by 'app-manager' service account"
  owner {
    id          = confluent_service_account.app-manager.id
    api_version = confluent_service_account.app-manager.api_version
    kind        = confluent_service_account.app-manager.kind
  }
  managed_resource {
    id          = confluent_ksql_cluster.main.id
    api_version = confluent_ksql_cluster.main.api_version
    kind        = confluent_ksql_cluster.main.kind
    environment {
      id = confluent_environment.staging.id
    }
  }
  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_api_key" "env-manager-schema-registry-api-key" {
  display_name = "env-manager-schema-registry-api-key"
  description  = "Schema Registry API Key that is owned by 'env-manager' service account"
  owner {
    id          = confluent_service_account.env-manager.id
    api_version = confluent_service_account.env-manager.api_version
    kind        = confluent_service_account.env-manager.kind
  }
  managed_resource {
    id          = confluent_schema_registry_cluster.essentials.id
    api_version = confluent_schema_registry_cluster.essentials.api_version
    kind        = confluent_schema_registry_cluster.essentials.kind
    environment {
      id = confluent_environment.staging.id
    }
  }
  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_api_key" "env-manager-flink-api-key" {
  display_name = "env-manager-flink-api-key"
  description  = "Flink API Key that is owned by 'env-manager' service account"
  owner {
    id          = confluent_service_account.env-manager.id
    api_version = confluent_service_account.env-manager.api_version
    kind        = confluent_service_account.env-manager.kind
  }
  managed_resource {
    id          = data.confluent_flink_region.example.id
    api_version = data.confluent_flink_region.example.api_version
    kind        = data.confluent_flink_region.example.kind
    environment {
      id = confluent_environment.staging.id
    }
  }
  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_api_key" "env-manager-cloud-api-key" {
  display_name = "env-manager-cloud-api-key"
  description  = "Cloud API Key that is owned by 'env-manager' service account"
  owner {
    id          = confluent_service_account.env-manager.id
    api_version = confluent_service_account.env-manager.api_version
    kind        = confluent_service_account.env-manager.kind
  }
  lifecycle {
    prevent_destroy = true
  }
}
The following arguments are supported:

- display_name - (Required String) A human-readable name for the API Key.
- description - (Optional String) A free-form description of the API Account.
- disable_wait_for_ready - (Optional Boolean) An optional flag to disable wait-for-readiness on create. Its primary use case is for Cluster API Keys for private networking options when the readiness check fails. Must be unset when importing. Defaults to false.
- owner - (Required Configuration Block) supports the following:
  - id - (Required String) The ID of the owner that the API Key belongs to, for example, sa-abc123 or u-abc123.
  - api_version - (Required String) The API group and version of the owner that the API Key belongs to, for example, iam/v2.
  - kind - (Required String) The kind of the owner that the API Key belongs to, for example, ServiceAccount or User.
- managed_resource - (Optional Configuration Block) This block must be set for Cluster API Keys and must be omitted for Cloud API Keys. It supports the following:
  - id - (Required String) The ID of the managed resource that the API Key is associated with, for example, lkc-abc123.
  - api_version - (Required String) The API group and version of the managed resource that the API Key is associated with, for example, cmk/v2.
  - kind - (Required String) The kind of the managed resource that the API Key is associated with, for example, Cluster.
  - environment - (Required Configuration Block) supports the following:
    - id - (Required String) The ID of the Environment that the managed resource belongs to, for example, env-abc123.

In addition to the preceding arguments, the following attributes are exported:

- id - (Required String) The ID of the API Key, for example, EGWX3S4BVNQIRBMJ.
- secret - (Required String, Sensitive) The secret of the API Key.

You can import a Cluster API Key by using the Environment ID and Cluster API Key ID in the format <Environment ID>/<Cluster API Key ID>, for example:
$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ export API_KEY_SECRET="<api_key_secret>"
# Option #1: Cluster API Key
$ terraform import confluent_api_key.example_kafka_api_key "env-abc123/UTT6WDRXX7FHD2GV"
You can import a Cloud API Key by using Cloud API Key ID, for example:
$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ export API_KEY_SECRET="<api_key_secret>"
# Option #2: Cloud API Key
$ terraform import confluent_api_key.example_cloud_api_key "4UEXOMMWIBE5KZQG"
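An added example, not part of the provider documentation: a Python inventory over `terraform show -json` state output that classifies each confluent_api_key as Cloud or Cluster scope from the presence of managed_resource, derives its import ID in the two formats above, and records whether the secret is held in state without copying it. The JSON layout (nested blocks serialized as single-item lists), the function names, and the sample data are assumptions constructed for illustration.

```python
# Constructed sample shaped like `terraform show -json` state output; secrets are fake.
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [{
        "address": "confluent_api_key.cloud", "type": "confluent_api_key",
        "values": {"id": "4UEXOMMWIBE5KZQG", "secret": "fake-cloud-secret",
                   "owner": [{"id": "sa-abc123", "kind": "ServiceAccount"}],
                   "managed_resource": []},
    }],
    "child_modules": [{"resources": [{
        "address": "module.app.confluent_api_key.kafka", "type": "confluent_api_key",
        "values": {"id": "UTT6WDRXX7FHD2GV", "secret": "fake-kafka-secret",
                   "owner": [{"id": "u-abc123", "kind": "User"}],
                   "managed_resource": [{"id": "lkc-abc123", "kind": "Cluster",
                                         "environment": [{"id": "env-abc123"}]}]},
    }]}],
}}}

def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def first_block(values, name):
    """Assumed layout: a nested block is a list; return its single entry or None."""
    return (values.get(name) or [None])[0]

def inventory_api_keys(state):
    """Summarize confluent_api_key resources without copying their secrets."""
    rows = []
    for res in iter_resources(state.get("values", {}).get("root_module", {})):
        if res.get("type") != "confluent_api_key":
            continue
        values = res.get("values", {})
        owner = first_block(values, "owner") or {}
        managed = first_block(values, "managed_resource")
        if managed:  # Cluster key: import ID is <Environment ID>/<key ID>
            env = first_block(managed, "environment") or {}
            import_id = f"{env.get('id')}/{values.get('id')}"
        else:        # Cloud key: managed_resource omitted, import ID is the key ID
            import_id = values.get("id")
        rows.append({"address": res.get("address"), "import_id": import_id,
                     "scope": "cluster" if managed else "cloud",
                     "owner_kind": owner.get("kind"),
                     "secret_in_state": bool(values.get("secret"))})
    return rows

if __name__ == "__main__":
    for row in inventory_api_keys(SAMPLE_STATE):
        print(row)
```

Every row with `secret_in_state` set means the state file itself carries a usable credential, so access to the state backend should be scoped as tightly as access to the keys.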
The following end-to-end examples might help to get started with the confluent_api_key resource:

- basic-kafka-acls: _Basic_ Kafka cluster with authorization using ACLs
- basic-kafka-acls-with-alias: _Basic_ Kafka cluster with authorization using ACLs
- standard-kafka-acls: _Standard_ Kafka cluster with authorization using ACLs
- standard-kafka-rbac: _Standard_ Kafka cluster with authorization using RBAC
- dedicated-public-kafka-acls: _Dedicated_ Kafka cluster that is accessible over the public internet with authorization using ACLs
- dedicated-public-kafka-rbac: _Dedicated_ Kafka cluster that is accessible over the public internet with authorization using RBAC
- dedicated-privatelink-aws-kafka-acls: _Dedicated_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using ACLs
- dedicated-privatelink-aws-kafka-rbac: _Dedicated_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using RBAC
- dedicated-privatelink-azure-kafka-rbac: _Dedicated_ Kafka cluster on Azure that is accessible via PrivateLink connections with authorization using RBAC
- dedicated-privatelink-azure-kafka-acls: _Dedicated_ Kafka cluster on Azure that is accessible via PrivateLink connections with authorization using ACLs
- dedicated-private-service-connect-gcp-kafka-acls: _Dedicated_ Kafka cluster on GCP that is accessible via Private Service Connect connections with authorization using ACLs
- dedicated-private-service-connect-gcp-kafka-rbac: _Dedicated_ Kafka cluster on GCP that is accessible via Private Service Connect connections with authorization using RBAC
- dedicated-vnet-peering-azure-kafka-acls: _Dedicated_ Kafka cluster on Azure that is accessible via VPC Peering connections with authorization using ACLs
- dedicated-vnet-peering-azure-kafka-rbac: _Dedicated_ Kafka cluster on Azure that is accessible via VPC Peering connections with authorization using RBAC
- dedicated-vpc-peering-aws-kafka-acls: _Dedicated_ Kafka cluster on AWS that is accessible via VPC Peering connections with authorization using ACLs
- dedicated-vpc-peering-aws-kafka-rbac: _Dedicated_ Kafka cluster on AWS that is accessible via VPC Peering connections with authorization using RBAC
- dedicated-vpc-peering-gcp-kafka-acls: _Dedicated_ Kafka cluster on GCP that is accessible via VPC Peering connections with authorization using ACLs
- dedicated-vpc-peering-gcp-kafka-rbac: _Dedicated_ Kafka cluster on GCP that is accessible via VPC Peering connections with authorization using RBAC
- dedicated-transit-gateway-attachment-aws-kafka-acls: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using ACLs
- dedicated-transit-gateway-attachment-aws-kafka-rbac: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using RBAC
- enterprise-privatelinkattachment-aws-kafka-acls: _Enterprise_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using ACLs