» google_kms_secret_ciphertext

Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.

To get more information about SecretCiphertext, see:

» Example Usage - Kms Secret Ciphertext Basic

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "cryptokey" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "100000s"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_secret_ciphertext" "my_password" {
  crypto_key = google_kms_crypto_key.cryptokey.id
  plaintext  = "my-secret-password"
}

resource "google_compute_instance" "instance" {
  name         = "my-instance"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  metadata = {
    password = google_kms_secret_ciphertext.my_password.ciphertext
  }
}

» Argument Reference

The following arguments are supported:

  • plaintext - (Required) The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.

  • crypto_key - (Required) The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'


  • additional_authenticated_data - (Optional) The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{crypto_key}}/{{ciphertext}}

  • ciphertext - Contains the result of encrypting the provided plaintext, encoded in base64.
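The following is an added example, not part of the provider documentation, showing additional_authenticated_data used together with the exported ciphertext attribute. It reuses google_kms_crypto_key.cryptokey from the example usage above and reads the value back through the provider's google_kms_secret data source; the variable name, the AAD string and the resource labels are assumptions made for illustration.

```hcl
# Added example. Names below (db_password, password_aad, roundtrip) are
# illustrative assumptions, not taken from the provider documentation.

variable "db_password" {
  type = string
  # Terraform 0.14+: hides the value in plan/apply output.
  # The value is still written to the state file, so the state backend
  # needs its own access control and encryption.
  sensitive = true
}

locals {
  # AAD is not secret. It binds the ciphertext to a context: KMS refuses
  # to decrypt unless exactly the same bytes are supplied again.
  password_aad = "instance=my-instance;purpose=db-password"
}

resource "google_kms_secret_ciphertext" "db_password" {
  crypto_key                    = google_kms_crypto_key.cryptokey.id
  plaintext                     = var.db_password
  additional_authenticated_data = local.password_aad
}

# Round trip: decrypt with the same key and the same AAD.
# Changing password_aad on only one side makes this read fail,
# which is the integrity check the argument description refers to.
data "google_kms_secret" "roundtrip" {
  crypto_key                    = google_kms_crypto_key.cryptokey.id
  ciphertext                    = google_kms_secret_ciphertext.db_password.ciphertext
  additional_authenticated_data = local.password_aad
}

# The ciphertext is base64 text and can be passed to other resources
# (for example instance metadata) without exposing the plaintext.
output "db_password_ciphertext" {
  value = google_kms_secret_ciphertext.db_password.ciphertext
}
```

Whatever consumes the ciphertext outside Terraform must present the same AAD value and hold decrypt permission on the CryptoKey.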

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 4 minutes.
  • delete - Default is 4 minutes.

» User Project Overrides

This resource supports User Project Overrides.