» google_kms_secret_ciphertext

This data source allows you to encrypt data with Google Cloud KMS and use the ciphertext within your resource definitions.

For more information see the official documentation.

» Example Usage

First, create a KMS KeyRing and CryptoKey using the resource definitions:

```hcl
resource "google_kms_key_ring" "my_key_ring" {
  project  = "my-project"
  name     = "my-key-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name     = "my-crypto-key"
  key_ring = "${google_kms_key_ring.my_key_ring.self_link}"
}
```

Next, encrypt some sensitive information and use the encrypted data in your resource definitions:

```hcl
data "google_kms_secret_ciphertext" "my_password" {
  crypto_key = "${google_kms_crypto_key.my_crypto_key.self_link}"
  plaintext  = "my-secret-password"
}

resource "google_compute_instance" "instance" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  metadata = {
    password = "${data.google_kms_secret_ciphertext.my_password.ciphertext}"
  }
}
```

The resulting instance can then read the encrypted password from its metadata and decrypt it, e.g. using the Cloud SDK (the ciphertext is base64-encoded, so it is decoded before being passed to `gcloud kms decrypt`):

```bash
$ curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/password \
  | base64 -d | gcloud kms decrypt \
      --project my-project \
      --location us-central1 \
      --keyring my-key-ring \
      --key my-crypto-key \
      --plaintext-file - \
      --ciphertext-file -
my-secret-password
```
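The example above leaves two things implicit: instance metadata is readable by anyone who can view the instance, which is exactly why only the ciphertext goes there, and the instance itself needs permission to decrypt with the key. The configuration below is an added example, not part of the provider documentation, showing the least-privilege wiring for the decrypt side: a dedicated service account that holds only `roles/cloudkms.cryptoKeyDecrypter` on this single key, and a startup script that performs the same curl-and-decrypt pipeline at boot. It assumes the key ring, crypto key and `google_kms_secret_ciphertext` data source from the example above already exist in the same configuration; the service account name `secret-reader`, the instance name `test-decrypts-at-boot` and the file path `/run/app-password` are assumptions chosen for illustration.

```hcl
# Added example: a service account used only by this instance, so the decrypt
# permission is not shared with the default compute service account.
resource "google_service_account" "instance_sa" {
  account_id   = "secret-reader"   # assumed name
  display_name = "Instance that decrypts its own metadata secret"
}

# Least privilege: grant decrypt (not encrypt, not admin) and scope it to the
# one crypto key rather than the key ring or the project. The crypto_key_id
# uses the {projectId}/{location}/{keyRingName}/{cryptoKeyName} format
# documented for this data source.
resource "google_kms_crypto_key_iam_member" "instance_decrypter" {
  crypto_key_id = "my-project/us-central1/my-key-ring/my-crypto-key"
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  member        = "serviceAccount:${google_service_account.instance_sa.email}"
}

resource "google_compute_instance" "decrypting_instance" {
  name         = "test-decrypts-at-boot"   # assumed name
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  # Run as the restricted service account; the OAuth scope is narrowed to
  # Cloud KMS so tokens issued to the instance cannot reach other APIs even
  # if the IAM bindings were later widened by mistake.
  service_account {
    email  = "${google_service_account.instance_sa.email}"
    scopes = ["https://www.googleapis.com/auth/cloudkms"]
  }

  # Only the ciphertext is stored in metadata; it is harmless to anyone
  # who can read the instance but lacks decrypt rights on the key.
  metadata = {
    password = "${data.google_kms_secret_ciphertext.my_password.ciphertext}"
  }

  # At boot, fetch the ciphertext, base64-decode it and decrypt it with the
  # instance's own credentials. The plaintext is written to a root-only file
  # (assumed path) instead of being echoed to the serial console or logs.
  metadata_startup_script = <<EOF
#!/bin/bash
set -euo pipefail
PASSWORD="$(curl -sf -H 'Metadata-Flavor: Google' \
  http://metadata.google.internal/computeMetadata/v1/instance/attributes/password \
  | base64 -d \
  | gcloud kms decrypt --project my-project --location us-central1 \
      --keyring my-key-ring --key my-crypto-key \
      --ciphertext-file - --plaintext-file -)"
install -m 0600 /dev/null /run/app-password
printf '%s' "$PASSWORD" > /run/app-password
EOF
}
```

Two points worth keeping in mind when using this pattern. The `plaintext` argument of the data source is an ordinary attribute, so it is recorded in Terraform state alongside the ciphertext; the state file therefore needs the same protection as the secret itself (restricted, encrypted remote backend, no committing it to version control). And the IAM binding is what actually enforces who can recover the secret: anyone with `roles/cloudkms.cryptoKeyDecrypter` on `my-crypto-key` can decrypt every ciphertext produced with it, so audit that role's membership rather than relying on the obscurity of where the ciphertext is stored.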

» Argument Reference

The following arguments are supported:

  • plaintext (Required) - The plaintext to be encrypted.
  • crypto_key (Required) - The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.

» Attributes Reference

The following attribute is exported:

  • ciphertext - Contains the result of encrypting the provided plaintext, encoded in base64.