confluent_schema_registry_kek describes a Schema Registry Key Encryption Key (KEK) data source.
provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # optionally use CONFLUENT_CLOUD_API_KEY env var
  cloud_api_secret = var.confluent_cloud_api_secret # optionally use CONFLUENT_CLOUD_API_SECRET env var
}

data "confluent_schema_registry_kek" "my_key" {
  schema_registry_cluster {
    id = confluent_schema_registry_cluster.essentials.id
  }
  rest_endpoint = confluent_schema_registry_cluster.essentials.rest_endpoint
  credentials {
    key    = "<Schema Registry API Key for confluent_schema_registry_cluster.essentials>"
    secret = "<Schema Registry API Secret for confluent_schema_registry_cluster.essentials>"
  }
  name = "my_key"
}

provider "confluent" {
  schema_registry_id            = var.schema_registry_id            # optionally use SCHEMA_REGISTRY_ID env var
  schema_registry_rest_endpoint = var.schema_registry_rest_endpoint # optionally use SCHEMA_REGISTRY_REST_ENDPOINT env var
  schema_registry_api_key       = var.schema_registry_api_key       # optionally use SCHEMA_REGISTRY_API_KEY env var
  schema_registry_api_secret    = var.schema_registry_api_secret    # optionally use SCHEMA_REGISTRY_API_SECRET env var
}

data "confluent_schema_registry_kek" "my_key" {
  name = "my_key"
}

The following arguments are supported:

schema_registry_cluster - (Optional Configuration Block) supports the following:
  id - (Required String) The ID of the Schema Registry cluster, for example, lsrc-abc123.
rest_endpoint - (Optional String) The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443.
credentials - (Optional Configuration Block) supports the following:
  key - (Required String) The Schema Registry API Key.
  secret - (Required String, Sensitive) The Schema Registry API Secret.
name - (Required String) The name for the KEK.

In addition to the preceding arguments, the following attributes are exported:

id - (Required String) The ID of the Schema Registry Key, in the format <Schema Registry cluster ID>/<Kek name>, for example, lsrc-8wrx70/aws_key.
kms_type - (Required String) The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Custom KMS types are also supported.
kms_key_id - (Required String) The ID of the key from KMS. For example:
  AWS KMS key ARN: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc
  Azure Key Vault key identifier: https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef
  GCP KMS resource name: projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1
properties - (Optional Map) The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):
  name - (Required String) The custom property name (for example, KeyUsage).
  value - (Required String) The custom property value (for example, ENCRYPT_DECRYPT).
doc - (Optional String) The optional description for the KEK.
shared - (Optional Boolean) The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.
hard_delete - (Optional Boolean) The optional flag to control whether a KEK should be soft or hard deleted. Defaults to false.
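
The exported attributes can be checked when the data source is read. The following is an added example, not part of the provider documentation: it fails the plan if the KEK named my_key uses an unapproved kms_type or has shared set to true. The names audited, allowed_kms_types and kek_kms_key_id and the policy itself are assumptions; it relies on Terraform 1.2 or later for postcondition blocks and on the provider block carrying the Schema Registry settings as in the second example above.

```hcl
# Added example: names and policy below are hypothetical, not from the provider docs.

# Approved KMS backends for this workspace (assumed policy; values taken from
# the kms_type list documented above).
variable "allowed_kms_types" {
  type    = set(string)
  default = ["aws-kms", "azure-kms", "gcp-kms"]
}

data "confluent_schema_registry_kek" "audited" {
  name = "my_key"

  lifecycle {
    # Reject custom or unexpected KMS types.
    postcondition {
      condition     = contains(var.allowed_kms_types, self.kms_type)
      error_message = "KEK kms_type is not in the approved list."
    }

    # Require that the DEK Registry does not have shared access to the KMS.
    postcondition {
      condition     = self.shared == false
      error_message = "KEK has shared = true; expected shared = false."
    }
  }
}

# Expose the KMS key reference so it can be matched against the KMS-side
# key policy or IAM configuration managed elsewhere.
output "kek_kms_key_id" {
  value = data.confluent_schema_registry_kek.audited.kms_key_id
}
```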