A KeyRingImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre-existing key material, generated outside of Cloud KMS. A KeyRingImportJob expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with the KeyRingImportJob's public key.
To get more information about KeyRingImportJob, see:
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

# Target key for the imported material; no initial version is generated by Cloud KMS.
resource "google_kms_crypto_key" "example-key" {
  name                          = "cryptokey-example"
  key_ring                      = google_kms_key_ring.keyring.id
  skip_initial_version_creation = true
}

# Import job whose public key is used to wrap the key material before import.
resource "google_kms_key_ring_import_job" "import-job" {
  key_ring         = google_kms_key_ring.keyring.id
  import_job_id    = "my-import-job"
  import_method    = "RSA_OAEP_3072_SHA1_AES_256"
  protection_level = "SOFTWARE"
}
The following arguments are supported:

import_method - (Required) The wrapping method to be used for incoming key material. Possible values are: RSA_OAEP_3072_SHA1_AES_256, RSA_OAEP_4096_SHA1_AES_256.

protection_level - (Required) The protection level of the ImportJob. This must match the protectionLevel of the versionTemplate on the CryptoKey you attempt to import into. Possible values are: SOFTWARE, HSM, EXTERNAL.

key_ring - (Required) The KeyRing that this import job belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

import_job_id - (Required) It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}.

In addition to the arguments listed above, the following computed attributes are exported:

id - an identifier for the resource with format {{name}}

name - The resource name for this ImportJob in the format projects//locations//keyRings//importJobs/.

expire_time - The time at which this resource is scheduled for expiration and can no longer be used. This is in RFC3339 text format.

state - The current state of the ImportJob, indicating if it can be used.

public_key - The public key with which to wrap key material prior to import. Only returned if state is ACTIVE. Structure is documented below.

attestation - Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM. Structure is documented below.

The public_key block contains:

pem - (Output) The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and Textual Encoding of Subject Public Key Info.

The attestation block contains:

format - (Output) The format of the attestation data.

content - (Output) The attestation data provided by the HSM when the key operation was performed. A base64-encoded string.

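The protection_level requirement and the exported state, public_key and expire_time attributes can be tied together as follows. This is an added example, not part of the provider's documentation; the resource names, IDs and the us-east1 location are constructed, and it assumes Terraform v1.5.0 or later for the check block.

```hcl
# Added example: all names, IDs and the location below are constructed.
locals {
  # Single source of truth so the key template and the import job cannot drift apart.
  protection_level = "HSM"
}

resource "google_kms_key_ring" "hsm_ring" {
  name     = "keyring-hsm-example"
  location = "us-east1"
}

# Target key: accepts imported versions only, and its version template
# carries the same protection level as the import job.
resource "google_kms_crypto_key" "imported" {
  name                          = "cryptokey-hsm-example"
  key_ring                      = google_kms_key_ring.hsm_ring.id
  purpose                       = "ENCRYPT_DECRYPT"
  skip_initial_version_creation = true
  import_only                   = true

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = local.protection_level
  }
}

resource "google_kms_key_ring_import_job" "hsm_import" {
  key_ring         = google_kms_key_ring.hsm_ring.id
  import_job_id    = "hsm-import-job"
  import_method    = "RSA_OAEP_4096_SHA1_AES_256"
  protection_level = local.protection_level
}

# Reports a warning on plan/apply when the job is not ACTIVE (for example
# after the 3-day expiry), since its public key is then not returned.
check "import_job_usable" {
  assert {
    condition     = google_kms_key_ring_import_job.hsm_import.state == "ACTIVE"
    error_message = "Import job is not ACTIVE; create a new job before wrapping key material."
  }
}

# one() yields null instead of an index error when public_key is absent.
output "wrapping_public_key_pem" {
  value = one(google_kms_key_ring_import_job.hsm_import.public_key[*].pem)
}

output "import_job_expire_time" {
  value = google_kms_key_ring_import_job.hsm_import.expire_time
}
```
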
This resource provides the following Timeouts configuration options:

create - Default is 20 minutes.

delete - Default is 20 minutes.

KeyRingImportJob can be imported using any of these accepted formats:

{{name}}

In Terraform v1.5.0 and later, use an import block to import KeyRingImportJob using one of the formats above. For example:

import {
  id = "{{name}}"
  to = google_kms_key_ring_import_job.default
}

When using the terraform import command, KeyRingImportJob can be imported using one of the formats above. For example:

$ terraform import google_kms_key_ring_import_job.default {{name}}