confluent_schema_registry_kek
confluent_schema_registry_kek provides a Schema Registry Key Encryption Key (KEK) resource that enables creating, editing, and deleting Schema Registry Key Encryption Keys on Confluent Cloud. A KEK is a registration of a key that lives in an external KMS (AWS KMS, Azure Key Vault, Google Cloud KMS, or a custom KMS): Schema Registry stores the key's identifier and metadata, not the key material, and uses it to wrap the Data Encryption Keys (DEKs) that encrypt individual fields.
Example usage when the Schema Registry cluster, its REST endpoint and its API credentials are set on the resource itself (the provider carries only Cloud API credentials, which lets one workspace manage several Schema Registry clusters):

provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # optionally use CONFLUENT_CLOUD_API_KEY env var
  cloud_api_secret = var.confluent_cloud_api_secret # optionally use CONFLUENT_CLOUD_API_SECRET env var
}

resource "confluent_schema_registry_kek" "aws_key" {
  schema_registry_cluster {
    id = confluent_schema_registry_cluster.essentials.id
  }
  rest_endpoint = confluent_schema_registry_cluster.essentials.rest_endpoint
  credentials {
    key    = "<Schema Registry API Key for confluent_schema_registry_cluster.essentials>"
    secret = "<Schema Registry API Secret for confluent_schema_registry_cluster.essentials>"
  }

  name        = "my_key"
  kms_type    = "aws-kms"
  kms_key_id  = "key_id" # placeholder: for aws-kms this is the full key ARN
  doc         = "test key"
  shared      = false
  hard_delete = true

  lifecycle {
    prevent_destroy = true
  }
}
Example usage when the provider itself is configured for a single Schema Registry cluster, so the resource needs no schema_registry_cluster, rest_endpoint or credentials settings:

provider "confluent" {
  schema_registry_id            = var.schema_registry_id            # optionally use SCHEMA_REGISTRY_ID env var
  schema_registry_rest_endpoint = var.schema_registry_rest_endpoint # optionally use SCHEMA_REGISTRY_REST_ENDPOINT env var
  schema_registry_api_key       = var.schema_registry_api_key       # optionally use SCHEMA_REGISTRY_API_KEY env var
  schema_registry_api_secret    = var.schema_registry_api_secret    # optionally use SCHEMA_REGISTRY_API_SECRET env var
}

resource "confluent_schema_registry_kek" "pii" {
  name        = "my_key"
  kms_type    = "aws-kms"
  kms_key_id  = "key_id" # placeholder: for aws-kms this is the full key ARN
  doc         = "test key"
  shared      = false
  hard_delete = true

  lifecycle {
    prevent_destroy = true
  }
}

In both variants the Schema Registry API secret is a credential: supply it through a variable declared with sensitive = true or through the environment variable rather than as a string literal, and remember that Terraform still records it in clear text in the state file, so the state backend needs the same protection as the secret itself.
The following arguments are supported:

- schema_registry_cluster - (Optional Configuration Block) supports the following:
  - id - (Required String) The ID of the Schema Registry cluster, for example, lsrc-abc123.
- rest_endpoint - (Optional String) The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443.
- credentials - (Optional Configuration Block) supports the following:
  - key - (Required String) The Schema Registry API Key.
  - secret - (Required String, Sensitive) The Schema Registry API Secret.
- name - (Required String) The name for the KEK.
- kms_type - (Required String) The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.
- kms_key_id - (Required String) The ID of the key from KMS, written the way that KMS identifies a key, for example:
  - aws-kms: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc
  - azure-kms: https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef
  - gcp-kms: projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1
- properties - (Optional Map) The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):
  - name - (Required String) The custom property name (for example, KeyUsage).
  - value - (Required String) The custom property value (for example, ENCRYPT_DECRYPT).
- doc - (Optional String) The optional description for the KEK.
- shared - (Optional Boolean) The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false. With the default, Confluent Cloud is not granted access to your KMS key and clients perform the KMS calls themselves; set it to true only if you intend to grant the DEK Registry access to the key.
- hard_delete - (Optional Boolean) The optional flag to control whether the KEK should be soft or hard deleted. Defaults to false. A soft-deleted KEK can be undeleted; a hard delete is permanent, which is why the examples above also set prevent_destroy.

In addition to the preceding arguments, the following attributes are exported:
- id - (Required String) The ID of the Schema Registry KEK, in the format <Schema Registry cluster ID>/<Kek name>, for example, lsrc-8wrx70/aws_key.

You can import a Schema Registry KEK by using the Schema Registry cluster ID and KEK name in the format <Schema Registry cluster ID>/<Kek name>, for example:
$ export IMPORT_SCHEMA_REGISTRY_API_KEY="<schema_registry_api_key>"
$ export IMPORT_SCHEMA_REGISTRY_API_SECRET="<schema_registry_api_secret>"
$ export IMPORT_SCHEMA_REGISTRY_REST_ENDPOINT="<schema_registry_rest_endpoint>"
$ terraform import confluent_schema_registry_kek.aws_key lsrc-8wrx70/aws_key

The IMPORT_ variables are read only by the import step; the provider configuration is still used for subsequent plans and applies. Exporting the secret in an interactive shell leaves it in the shell history, so read it from a secrets manager or a file with restricted permissions rather than typing it on the command line.
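As an added example that is not part of the provider documentation, the configuration below hardens the single-cluster variant above: the API credentials come from variables marked sensitive, and a lifecycle precondition rejects a kms_key_id whose shape does not match the chosen kms_type, using patterns derived from the example identifiers in the argument reference. The KEK name pii-kek, the variable names, and the regular expressions are assumptions; the KMS providers may accept identifier forms these patterns do not cover, and custom KMS types are deliberately not checked.

```hcl
# Added example (not from the Confluent provider docs). Assumes Terraform >= 1.2
# for lifecycle preconditions and a Schema Registry cluster reachable with the
# credentials below. Names, variables and patterns are illustrative assumptions.

variable "schema_registry_id" {
  type = string
}

variable "schema_registry_rest_endpoint" {
  type = string
}

variable "schema_registry_api_key" {
  type      = string
  sensitive = true # redacted from plan/apply output; still written to state in clear text
}

variable "schema_registry_api_secret" {
  type      = string
  sensitive = true
}

variable "kms_type" {
  type    = string
  default = "aws-kms" # aws-kms, azure-kms, gcp-kms, or a custom type
}

variable "kms_key_id" {
  type        = string
  description = "Key reference in the form the selected KMS uses (assumed input, e.g. a full AWS KMS key ARN)"
}

provider "confluent" {
  schema_registry_id            = var.schema_registry_id
  schema_registry_rest_endpoint = var.schema_registry_rest_endpoint
  schema_registry_api_key       = var.schema_registry_api_key
  schema_registry_api_secret    = var.schema_registry_api_secret
}

locals {
  # Assumed patterns, built from the example identifiers in the argument reference.
  # A custom kms_type has no entry and is accepted unchanged via lookup()'s default.
  kms_key_id_pattern = {
    "aws-kms"   = "^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[0-9a-f-]{36}$"
    "azure-kms" = "^https://[a-z0-9-]+\\.vault\\.azure\\.net/keys/[^/]+/[0-9a-f]{32}$"
    "gcp-kms"   = "^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
  }
}

resource "confluent_schema_registry_kek" "pii" {
  name       = "pii-kek" # assumed name
  kms_type   = var.kms_type
  kms_key_id = var.kms_key_id
  doc        = "Wraps the DEKs used for PII fields; key material stays in the KMS"

  # Default: the DEK Registry is not given access to the KMS, clients call the KMS themselves.
  shared = false

  # Soft delete so an accidental removal can be undeleted instead of being permanent.
  hard_delete = false

  properties = {
    KeyUsage = "ENCRYPT_DECRYPT"
    KeyState = "Enabled"
  }

  lifecycle {
    prevent_destroy = true

    # Fail the plan before anything is registered if the key reference does not
    # look like a key of the declared KMS type (a bare "key_id" is rejected for aws-kms).
    precondition {
      condition     = can(regex(lookup(local.kms_key_id_pattern, var.kms_type, ".*"), var.kms_key_id))
      error_message = "kms_key_id does not match the identifier format expected for the selected kms_type."
    }
  }
}

output "kek_import_id" {
  # Same <Schema Registry cluster ID>/<Kek name> value that terraform import expects.
  value = confluent_schema_registry_kek.pii.id
}
```

lookup() with a catch-all default is used instead of indexing the map directly because Terraform evaluates both sides of a boolean expression, so a custom kms_type would otherwise fail with an invalid index error rather than being skipped.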
The following end-to-end example might help you get started with field-level encryption: