confluent_schema_registry_dek Resource

Early Access

confluent_schema_registry_dek provides a Schema Registry Data Encryption Key (DEK) resource that enables creating, editing, and deleting Schema Registry Data Encryption Keys on Confluent Cloud.

Example Usage

Option #1: Manage multiple Schema Registry clusters in the same Terraform workspace

provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # optionally use CONFLUENT_CLOUD_API_KEY env var
  cloud_api_secret = var.confluent_cloud_api_secret # optionally use CONFLUENT_CLOUD_API_SECRET env var
}

resource "confluent_schema_registry_dek" "my_dek" {
  schema_registry_cluster {
    id = confluent_schema_registry_cluster.essentials.id
  }
  rest_endpoint = confluent_schema_registry_cluster.essentials.rest_endpoint
  credentials {
    key    = "<Schema Registry API Key for confluent_schema_registry_cluster.essentials>"
    secret = "<Schema Registry API Secret for confluent_schema_registry_cluster.essentials>"
  }

  kek_name     = "my_kek"
  subject_name = "my_subject"
  hard_delete  = true

  lifecycle {
    prevent_destroy = true
  }
}

Option #2: Manage a single Schema Registry cluster in the same Terraform workspace

provider "confluent" {
  schema_registry_id            = var.schema_registry_id            # optionally use SCHEMA_REGISTRY_ID env var
  schema_registry_rest_endpoint = var.schema_registry_rest_endpoint # optionally use SCHEMA_REGISTRY_REST_ENDPOINT env var
  schema_registry_api_key       = var.schema_registry_api_key       # optionally use SCHEMA_REGISTRY_API_KEY env var
  schema_registry_api_secret    = var.schema_registry_api_secret    # optionally use SCHEMA_REGISTRY_API_SECRET env var
}

resource "confluent_schema_registry_dek" "my_dek" {
  kek_name     = "my_kek"
  subject_name = "my_subject"
  hard_delete  = true

  lifecycle {
    prevent_destroy = true
  }
}

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to the preceding arguments, the following attributes are exported:

Import

You can import a Schema Registry Key by using the Schema Registry cluster ID, KEK name, Subject, Version and Algorithm in the format <Schema Registry Cluster Id>/<Schema Registry KEK Name>/<Subject>/<Version>/<Algorithm>, for example:

$ export IMPORT_SCHEMA_REGISTRY_API_KEY="<schema_registry_api_key>"
$ export IMPORT_SCHEMA_REGISTRY_API_SECRET="<schema_registry_api_secret>"
$ export IMPORT_SCHEMA_REGISTRY_REST_ENDPOINT="<schema_registry_rest_endpoint>"
$ terraform import confluent_schema_registry_dek.my_dek lsrc-8wrx70/testkek/ts/1/AES256_GCM
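
A pre-flight check for the import commands above, as an added example that is not part of the provider's documentation. It rejects a malformed five-part import ID and catches credentials variables that are unset or still hold the `<...>` placeholders. The function names are hypothetical; the `lsrc-` prefix and numeric version are inferred from the sample ID on this page, and the `https://` requirement is an assumption.

```shell
#!/bin/sh
# Added example: validate inputs before `terraform import confluent_schema_registry_dek.<name> <id>`.

# Check <Schema Registry Cluster Id>/<KEK Name>/<Subject>/<Version>/<Algorithm>.
check_dek_import_id() {
  _id=$1
  case $_id in
    */*/*/*/*/*) echo "import ID has more than five fields" >&2; return 1 ;;
    */*/*/*/*)   ;;  # exactly four separators
    *)           echo "import ID has fewer than five fields" >&2; return 1 ;;
  esac
  # Peel the fields off left to right.
  _rest=$_id
  _cluster=${_rest%%/*}; _rest=${_rest#*/}
  _kek=${_rest%%/*};     _rest=${_rest#*/}
  _subject=${_rest%%/*}; _rest=${_rest#*/}
  _version=${_rest%%/*}; _algorithm=${_rest#*/}
  for _f in "$_cluster" "$_kek" "$_subject" "$_version" "$_algorithm"; do
    [ -n "$_f" ] || { echo "import ID contains an empty field" >&2; return 1; }
  done
  case $_version in
    *[!0-9]*) echo "version must be an integer: $_version" >&2; return 1 ;;
  esac
  case $_cluster in
    lsrc-*) ;;  # assumption: cluster IDs look like the page's lsrc-8wrx70
    *) echo "unexpected cluster ID: $_cluster" >&2; return 1 ;;
  esac
  return 0
}

# Check the three IMPORT_* variables without ever echoing their values.
check_import_env() {
  for _name in IMPORT_SCHEMA_REGISTRY_API_KEY IMPORT_SCHEMA_REGISTRY_API_SECRET \
               IMPORT_SCHEMA_REGISTRY_REST_ENDPOINT; do
    eval "_val=\${$_name-}"
    case $_val in
      '')      echo "$_name is not set" >&2; return 1 ;;
      '<'*'>') echo "$_name still holds a documentation placeholder" >&2; return 1 ;;
    esac
  done
  case $IMPORT_SCHEMA_REGISTRY_REST_ENDPOINT in
    https://*) ;;  # assumption: the endpoint is reached over TLS
    *) echo "IMPORT_SCHEMA_REGISTRY_REST_ENDPOINT is not an https:// URL" >&2; return 1 ;;
  esac
  return 0
}

# Usage: check_import_env && check_dek_import_id "$ID" && \
#          terraform import confluent_schema_registry_dek.my_dek "$ID"
```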

Getting Started

The following end-to-end example might help to get started with field-level encryption: