google_secure_source_manager_instance

Instances are deployed to an available Google Cloud region and are accessible via their web interface.

To get more information about Instance, see:


Example Usage - Secure Source Manager Instance Basic

# Minimal instance: Google-managed encryption (no kms_key) and public endpoints (no private_config).
resource "google_secure_source_manager_instance" "default" {
  location    = "us-central1" # region the instance is deployed to
  instance_id = "my-instance"
  labels = {
    "foo" = "bar"
  }
}

Example Usage - Secure Source Manager Instance Cmek

data "google_project" "project" {}

# Key ring in the same region as the instance.
resource "google_kms_key_ring" "key_ring" {
  name     = "my-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "crypto_key" {
  name     = "my-key"
  key_ring = google_kms_key_ring.key_ring.id
}

# The Secure Source Manager service agent
# (service-<project number>@gcp-sa-sourcemanager.iam.gserviceaccount.com)
# must be able to encrypt and decrypt with the key before the instance is
# created; without this grant, instance creation fails with a permission error.
resource "google_kms_crypto_key_iam_member" "crypto_key_binding" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

  member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
}

resource "google_secure_source_manager_instance" "default" {
  location    = "us-central1"
  instance_id = "my-instance"
  kms_key     = google_kms_crypto_key.crypto_key.id

  # Referencing the key does not create a dependency on the IAM grant;
  # depends_on forces Terraform to apply the grant first.
  depends_on = [
    google_kms_crypto_key_iam_member.crypto_key_binding
  ]
}

Example Usage - Secure Source Manager Instance Private

data "google_project" "project" {}

# CA pool that issues the TLS certificates for the instance's private endpoints.
resource "google_privateca_ca_pool" "ca_pool" {
  name     = "ca-pool"
  location = "us-central1"
  tier     = "ENTERPRISE"
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }
}

resource "google_privateca_certificate_authority" "root_ca" {
  pool                     = google_privateca_ca_pool.ca_pool.name
  certificate_authority_id = "root-ca"
  location                 = "us-central1"
  config {
    subject_config {
      subject {
        organization = "google"
        common_name  = "my-certificate-authority"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable deletion protections for easier test cleanup purposes.
  // Leave these at their defaults for a production CA.
  deletion_protection                    = false
  ignore_active_certificates_on_deletion = true
  skip_grace_period                      = true
}

# The Secure Source Manager service agent requests certificates from the pool.
# Note: *_iam_binding is authoritative for this role on the pool, so any other
# member already holding roles/privateca.certificateRequester is removed on
# apply; use google_privateca_ca_pool_iam_member to grant additively instead.
resource "google_privateca_ca_pool_iam_binding" "ca_pool_binding" {
  ca_pool = google_privateca_ca_pool.ca_pool.id
  role    = "roles/privateca.certificateRequester"

  members = [
    "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
  ]
}

resource "google_secure_source_manager_instance" "default" {
  instance_id = "my-instance"
  location    = "us-central1"
  private_config {
    is_private = true
    ca_pool    = google_privateca_ca_pool.ca_pool.id
  }
  # The pool must have an enabled CA and the IAM grant must have propagated
  # before the instance is created.
  depends_on = [
    google_privateca_certificate_authority.root_ca,
    time_sleep.wait_60_seconds
  ]
}

# CA pool IAM permissions can take time to propagate. time_sleep comes from
# the hashicorp/time provider, which must be declared in required_providers.
resource "time_sleep" "wait_60_seconds" {
  depends_on = [google_privateca_ca_pool_iam_binding.ca_pool_binding]

  create_duration = "60s"
}
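A hardened variant that combines the CMEK and private examples above, added here as an illustration and not part of the original page or the provider's own documentation. It creates the Secure Source Manager service agent explicitly with google_project_service_identity (google-beta provider) so the IAM grants never target an account that does not exist yet, uses an additive google_privateca_ca_pool_iam_member instead of the authoritative binding, enables key rotation, and protects the key from accidental destruction. Assumptions: the google, google-beta and time providers are declared in required_providers; the API's service name is securesourcemanager.googleapis.com; resource names such as ssm-keyring, ssm-key and ssm-private-cmek are placeholders.

```hcl
data "google_project" "project" {}

# Provision the Secure Source Manager service agent up front so the IAM grants
# below reference google_project_service_identity.ssm.email rather than a
# hand-built address (assumption: the API is securesourcemanager.googleapis.com).
resource "google_project_service_identity" "ssm" {
  provider = google-beta
  project  = data.google_project.project.project_id
  service  = "securesourcemanager.googleapis.com"
}

# --- CMEK: key in the same region as the instance, rotated, never destroyed by accident.
resource "google_kms_key_ring" "key_ring" {
  name     = "ssm-keyring" # placeholder name
  location = "us-central1"
}

resource "google_kms_crypto_key" "crypto_key" {
  name            = "ssm-key" # placeholder name
  key_ring        = google_kms_key_ring.key_ring.id
  rotation_period = "7776000s" # 90 days
  lifecycle { prevent_destroy = true } # losing the key makes instance data unrecoverable
}

resource "google_kms_crypto_key_iam_member" "ssm_kms" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_project_service_identity.ssm.email}"
}

# --- Private endpoints: CA pool that issues the instance's TLS certificates.
resource "google_privateca_ca_pool" "ca_pool" {
  name     = "ssm-ca-pool" # placeholder name
  location = "us-central1"
  tier     = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "root_ca" {
  pool                     = google_privateca_ca_pool.ca_pool.name
  certificate_authority_id = "ssm-root-ca" # placeholder name
  location                 = "us-central1"
  config {
    subject_config {
      subject {
        organization = "example-org"
        common_name  = "ssm-root-ca"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
  # deletion_protection stays at its default (true); no test-only overrides here.
}

# Additive grant: leaves other certificateRequester members on the pool intact.
resource "google_privateca_ca_pool_iam_member" "ssm_ca" {
  ca_pool = google_privateca_ca_pool.ca_pool.id
  role    = "roles/privateca.certificateRequester"
  member  = "serviceAccount:${google_project_service_identity.ssm.email}"
}

# Both IAM grants can take time to propagate (hashicorp/time provider).
resource "time_sleep" "iam_propagation" {
  depends_on      = [google_privateca_ca_pool_iam_member.ssm_ca, google_kms_crypto_key_iam_member.ssm_kms]
  create_duration = "60s"
}

resource "google_secure_source_manager_instance" "default" {
  location    = "us-central1"
  instance_id = "ssm-private-cmek" # placeholder name
  kms_key     = google_kms_crypto_key.crypto_key.id
  private_config {
    is_private = true
    ca_pool    = google_privateca_ca_pool.ca_pool.id
  }
  depends_on = [
    google_privateca_certificate_authority.root_ca,
    time_sleep.iam_propagation,
  ]
}
```

Applying this with terraform apply after terraform init creates the key, the CA pool with its root CA, the two grants to the service agent, and then the private CMEK-protected instance; prevent_destroy means terraform destroy stops at the key unless the lifecycle rule is removed first, which is the intended safeguard.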

Argument Reference

The following arguments are supported:


The private_config block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

The host_config block contains:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Instance can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import Instance using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/instances/{{instance_id}}"
  to = google_secure_source_manager_instance.default
}

When using the terraform import command, Instance can be imported using one of the formats above. For example:

$ terraform import google_secure_source_manager_instance.default projects/{{project}}/locations/{{location}}/instances/{{instance_id}}
$ terraform import google_secure_source_manager_instance.default {{project}}/{{location}}/{{instance_id}}
$ terraform import google_secure_source_manager_instance.default {{location}}/{{instance_id}}
$ terraform import google_secure_source_manager_instance.default {{instance_id}}

User Project Overrides

This resource supports User Project Overrides.