google_kms_secret_ciphertext

This data source allows you to encrypt data with Google Cloud KMS and use the ciphertext within your resource definitions.

For more information see the official documentation.

Example Usage

First, create a KMS KeyRing and CryptoKey using the resource definitions:

resource "google_kms_key_ring" "my_key_ring" {
  project  = "my-project"
  name     = "my-key-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name     = "my-crypto-key"
  key_ring = google_kms_key_ring.my_key_ring.id
}

Next, encrypt some sensitive information and use the encrypted data in your resource definitions:

data "google_kms_secret_ciphertext" "my_password" {
  crypto_key = google_kms_crypto_key.my_crypto_key.id
  plaintext  = "my-secret-password"
}

resource "google_compute_instance" "instance" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  metadata = {
    password = data.google_kms_secret_ciphertext.my_password.ciphertext
  }
}

The resulting instance can then read the encrypted password from its metadata and decrypt it, e.g. using the Cloud SDK (the ciphertext attribute is base64-encoded, so it is decoded before being passed to gcloud):

$ curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/password \
> | base64 -d | gcloud kms decrypt \
> --project my-project \
> --location us-central1 \
> --keyring my-key-ring \
> --key my-crypto-key \
> --plaintext-file - \
> --ciphertext-file - \
my-secret-password
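The decrypt step above only succeeds if the identity the instance runs as is allowed to decrypt with that specific CryptoKey. The following configuration is an added example, not part of the provider documentation: it assumes the google_kms_key_ring, google_kms_crypto_key and google_kms_secret_ciphertext definitions from above, and replaces the google_compute_instance resource with one that runs as a dedicated service account holding only roles/cloudkms.cryptoKeyDecrypter on that one key (the account_id and display_name are made-up values).

```hcl
# Added example (not the provider's own documentation code).
# Dedicated identity for the instance, so decrypt rights are not granted to
# the project-wide default compute service account.
resource "google_service_account" "instance_sa" {
  account_id   = "kms-demo-instance" # assumed name
  display_name = "Instance that decrypts its own metadata"
}

# Least privilege: decrypt only (no encrypt, no key administration), scoped
# to the single CryptoKey used by the data source rather than the project.
resource "google_kms_crypto_key_iam_member" "instance_decrypter" {
  crypto_key_id = google_kms_crypto_key.my_crypto_key.id
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  member        = "serviceAccount:${google_service_account.instance_sa.email}"
}

# Same instance as in the example above, now attached to the service account
# that carries the decrypt binding.
resource "google_compute_instance" "instance" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  # The instance obtains tokens for this account from the metadata server;
  # the cloud-platform scope lets gcloud call the KMS API with them.
  service_account {
    email  = google_service_account.instance_sa.email
    scopes = ["cloud-platform"]
  }

  metadata = {
    password = data.google_kms_secret_ciphertext.my_password.ciphertext
  }
}
```

With this in place, the curl | base64 -d | gcloud kms decrypt pipeline shown above works on the instance without any additional credentials, and an audit of the key's IAM policy shows exactly which identity can turn the stored ciphertext back into the password.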

Argument Reference

The following arguments are supported:

crypto_key - (Required) The id of the CryptoKey used to encrypt the provided plaintext, as in the example above.

plaintext - (Required) The plaintext to be encrypted.

Attributes Reference

The following attribute is exported:

ciphertext - The base64-encoded ciphertext produced by encrypting the plaintext with the given CryptoKey, as used in the example above.

User Project Overrides

This data source supports User Project Overrides.