pulumi-gcp-kotlin/com.pulumi.gcp.kms.kotlin/CryptoKey

CryptoKey

class CryptoKey : KotlinCustomResource

A CryptoKey represents a logical key that can be used for cryptographic operations.

Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you use Pulumi's protect resource option. To get more information about CryptoKey, see:

API documentation
How-to Guides

Creating a key

Example Usage

Kms Crypto Key Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const keyring = new gcp.kms.KeyRing("keyring", {
    name: "keyring-example",
    location: "global",
});
const example_key = new gcp.kms.CryptoKey("example-key", {
    name: "crypto-key-example",
    keyRing: keyring.id,
    rotationPeriod: "7776000s",
});

import pulumi
import pulumi_gcp as gcp
keyring = gcp.kms.KeyRing("keyring",
    name="keyring-example",
    location="global")
example_key = gcp.kms.CryptoKey("example-key",
    name="crypto-key-example",
    key_ring=keyring.id,
    rotation_period="7776000s")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Name = "keyring-example",
        Location = "global",
    });
    var example_key = new Gcp.Kms.CryptoKey("example-key", new()
    {
        Name = "crypto-key-example",
        KeyRing = keyring.Id,
        RotationPeriod = "7776000s",
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Name:     pulumi.String("keyring-example"),
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKey(ctx, "example-key", &kms.CryptoKeyArgs{
			Name:           pulumi.String("crypto-key-example"),
			KeyRing:        keyring.ID(),
			RotationPeriod: pulumi.String("7776000s"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .name("keyring-example")
            .location("global")
            .build());
        var example_key = new CryptoKey("example-key", CryptoKeyArgs.builder()
            .name("crypto-key-example")
            .keyRing(keyring.id())
            .rotationPeriod("7776000s")
            .build());
    }
}

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      name: keyring-example
      location: global
  example-key:
    type: gcp:kms:CryptoKey
    properties:
      name: crypto-key-example
      keyRing: ${keyring.id}
      rotationPeriod: 7776000s

Kms Crypto Key Asymmetric Sign

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const keyring = new gcp.kms.KeyRing("keyring", {
    name: "keyring-example",
    location: "global",
});
const example_asymmetric_sign_key = new gcp.kms.CryptoKey("example-asymmetric-sign-key", {
    name: "crypto-key-example",
    keyRing: keyring.id,
    purpose: "ASYMMETRIC_SIGN",
    versionTemplate: {
        algorithm: "EC_SIGN_P384_SHA384",
    },
});

import pulumi
import pulumi_gcp as gcp
keyring = gcp.kms.KeyRing("keyring",
    name="keyring-example",
    location="global")
example_asymmetric_sign_key = gcp.kms.CryptoKey("example-asymmetric-sign-key",
    name="crypto-key-example",
    key_ring=keyring.id,
    purpose="ASYMMETRIC_SIGN",
    version_template={
        "algorithm": "EC_SIGN_P384_SHA384",
    })

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Name = "keyring-example",
        Location = "global",
    });
    var example_asymmetric_sign_key = new Gcp.Kms.CryptoKey("example-asymmetric-sign-key", new()
    {
        Name = "crypto-key-example",
        KeyRing = keyring.Id,
        Purpose = "ASYMMETRIC_SIGN",
        VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
        {
            Algorithm = "EC_SIGN_P384_SHA384",
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Name:     pulumi.String("keyring-example"),
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKey(ctx, "example-asymmetric-sign-key", &kms.CryptoKeyArgs{
			Name:    pulumi.String("crypto-key-example"),
			KeyRing: keyring.ID(),
			Purpose: pulumi.String("ASYMMETRIC_SIGN"),
			VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
				Algorithm: pulumi.String("EC_SIGN_P384_SHA384"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.kms.inputs.CryptoKeyVersionTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .name("keyring-example")
            .location("global")
            .build());
        var example_asymmetric_sign_key = new CryptoKey("example-asymmetric-sign-key", CryptoKeyArgs.builder()
            .name("crypto-key-example")
            .keyRing(keyring.id())
            .purpose("ASYMMETRIC_SIGN")
            .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
                .algorithm("EC_SIGN_P384_SHA384")
                .build())
            .build());
    }
}

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      name: keyring-example
      location: global
  example-asymmetric-sign-key:
    type: gcp:kms:CryptoKey
    properties:
      name: crypto-key-example
      keyRing: ${keyring.id}
      purpose: ASYMMETRIC_SIGN
      versionTemplate:
        algorithm: EC_SIGN_P384_SHA384

Import

CryptoKey can be imported using any of these accepted formats:

{{key_ring}}/cryptoKeys/{{name}}
{{key_ring}}/{{name}} When using the pulumi import command, CryptoKey can be imported using one of the formats above. For example:

$ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/cryptoKeys/{{name}}

$ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/{{name}}

Properties

cryptoKeyBackend

val cryptoKeyBackend: Output<String>

The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/" and only applies to "EXTERNAL_VPC" keys. ///

destroyScheduledDuration

val destroyScheduledDuration: Output<String>

The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.

effectiveLabels

val effectiveLabels: Output<Map<String, String>>

All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.

val id: Output<String>

importOnly

val importOnly: Output<Boolean>

Whether this key may contain imported versions only.

keyAccessJustificationsPolicy

val keyAccessJustificationsPolicy: Output<CryptoKeyKeyAccessJustificationsPolicy>

The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.

keyRing

val keyRing: Output<String>

The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

labels

val labels: Output<Map<String, String>>?

Labels with user-defined metadata to apply to this resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

name

val name: Output<String>

The resource name for the CryptoKey.

primaries

val primaries: Output<List<CryptoKeyPrimary>>

A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. Structure is documented below.

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiLabels

val pulumiLabels: Output<Map<String, String>>

The combination of labels configured directly on the resource and default labels configured on the provider.

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

purpose

val purpose: Output<String>?

The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".

rotationPeriod

val rotationPeriod: Output<String>?

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).

skipInitialVersionCreation

val skipInitialVersionCreation: Output<Boolean>?

If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.

urn

val urn: Output<String>

versionTemplate

val versionTemplate: Output<CryptoKeyVersionTemplate>

A template describing settings for new crypto key versions. Structure is documented below.