» google_kms_crypto_key

Allows creation of a Google Cloud Platform KMS CryptoKey. For more information see the official documentation and API.

A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a Google Cloud KMS KeyRing.

» Example Usage

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  project  = "my-project"
  location = "us-central1"

resource "google_kms_crypto_key" "my_crypto_key" {
  name            = "my-crypto-key"
  key_ring        = "${google_kms_key_ring.my_key_ring.self_link}"
  rotation_period = "100000s"

  lifecycle {
    prevent_destroy = true

» Argument Reference

The following arguments are supported:

  • name - (Required) The CryptoKey's name. A CryptoKey’s name must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}

  • key_ring - (Required) The id of the Google Cloud Platform KeyRing to which the key shall belong.

  • rotation_period - (Optional) Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).

  • version_template - (Optional) A template describing settings for new crypto key versions. Structure is documented below.

The version_template block supports:

  • algorithm - (Required) The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protection_level - (Optional) The protection level to use when creating a version based on this template. One of SOFTWARE, or HSM.

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • self_link - The self link of the created CryptoKey. Its format is projects/{projectId}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{cryptoKeyName}.

» Import

CryptoKeys can be imported using the CryptoKey autogenerated id, e.g.

$ terraform import google_kms_crypto_key.my_crypto_key my-gcp-project/us-central1/my-key-ring/my-crypto-key

$ terraform import google_kms_crypto_key.my_crypto_key us-central1/my-key-ring/my-crypto-key