pulumi-gcp-kotlin/com.pulumi.gcp.kms.kotlin/CryptoKeyArgs

CryptoKeyArgs

data class CryptoKeyArgs(val cryptoKeyBackend: Output<String>? = null, val destroyScheduledDuration: Output<String>? = null, val importOnly: Output<Boolean>? = null, val keyAccessJustificationsPolicy: Output<CryptoKeyKeyAccessJustificationsPolicyArgs>? = null, val keyRing: Output<String>? = null, val labels: Output<Map<String, String>>? = null, val name: Output<String>? = null, val purpose: Output<String>? = null, val rotationPeriod: Output<String>? = null, val skipInitialVersionCreation: Output<Boolean>? = null, val versionTemplate: Output<CryptoKeyVersionTemplateArgs>? = null) : ConvertibleToJava<CryptoKeyArgs>

A CryptoKey represents a logical key that can be used for cryptographic operations.

Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you use Pulumi's protect resource option. To get more information about CryptoKey, see:

API documentation
How-to Guides

Creating a key

Example Usage

Kms Crypto Key Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const keyring = new gcp.kms.KeyRing("keyring", {
    name: "keyring-example",
    location: "global",
});
const example_key = new gcp.kms.CryptoKey("example-key", {
    name: "crypto-key-example",
    keyRing: keyring.id,
    rotationPeriod: "7776000s",
});

import pulumi
import pulumi_gcp as gcp
keyring = gcp.kms.KeyRing("keyring",
    name="keyring-example",
    location="global")
example_key = gcp.kms.CryptoKey("example-key",
    name="crypto-key-example",
    key_ring=keyring.id,
    rotation_period="7776000s")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Name = "keyring-example",
        Location = "global",
    });
    var example_key = new Gcp.Kms.CryptoKey("example-key", new()
    {
        Name = "crypto-key-example",
        KeyRing = keyring.Id,
        RotationPeriod = "7776000s",
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Name:     pulumi.String("keyring-example"),
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKey(ctx, "example-key", &kms.CryptoKeyArgs{
			Name:           pulumi.String("crypto-key-example"),
			KeyRing:        keyring.ID(),
			RotationPeriod: pulumi.String("7776000s"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .name("keyring-example")
            .location("global")
            .build());
        var example_key = new CryptoKey("example-key", CryptoKeyArgs.builder()
            .name("crypto-key-example")
            .keyRing(keyring.id())
            .rotationPeriod("7776000s")
            .build());
    }
}

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      name: keyring-example
      location: global
  example-key:
    type: gcp:kms:CryptoKey
    properties:
      name: crypto-key-example
      keyRing: ${keyring.id}
      rotationPeriod: 7776000s

Kms Crypto Key Asymmetric Sign

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const keyring = new gcp.kms.KeyRing("keyring", {
    name: "keyring-example",
    location: "global",
});
const example_asymmetric_sign_key = new gcp.kms.CryptoKey("example-asymmetric-sign-key", {
    name: "crypto-key-example",
    keyRing: keyring.id,
    purpose: "ASYMMETRIC_SIGN",
    versionTemplate: {
        algorithm: "EC_SIGN_P384_SHA384",
    },
});

import pulumi
import pulumi_gcp as gcp
keyring = gcp.kms.KeyRing("keyring",
    name="keyring-example",
    location="global")
example_asymmetric_sign_key = gcp.kms.CryptoKey("example-asymmetric-sign-key",
    name="crypto-key-example",
    key_ring=keyring.id,
    purpose="ASYMMETRIC_SIGN",
    version_template={
        "algorithm": "EC_SIGN_P384_SHA384",
    })

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Name = "keyring-example",
        Location = "global",
    });
    var example_asymmetric_sign_key = new Gcp.Kms.CryptoKey("example-asymmetric-sign-key", new()
    {
        Name = "crypto-key-example",
        KeyRing = keyring.Id,
        Purpose = "ASYMMETRIC_SIGN",
        VersionTemplate = new Gcp.Kms.Inputs.CryptoKeyVersionTemplateArgs
        {
            Algorithm = "EC_SIGN_P384_SHA384",
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Name:     pulumi.String("keyring-example"),
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKey(ctx, "example-asymmetric-sign-key", &kms.CryptoKeyArgs{
			Name:    pulumi.String("crypto-key-example"),
			KeyRing: keyring.ID(),
			Purpose: pulumi.String("ASYMMETRIC_SIGN"),
			VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
				Algorithm: pulumi.String("EC_SIGN_P384_SHA384"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.kms.inputs.CryptoKeyVersionTemplateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .name("keyring-example")
            .location("global")
            .build());
        var example_asymmetric_sign_key = new CryptoKey("example-asymmetric-sign-key", CryptoKeyArgs.builder()
            .name("crypto-key-example")
            .keyRing(keyring.id())
            .purpose("ASYMMETRIC_SIGN")
            .versionTemplate(CryptoKeyVersionTemplateArgs.builder()
                .algorithm("EC_SIGN_P384_SHA384")
                .build())
            .build());
    }
}

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      name: keyring-example
      location: global
  example-asymmetric-sign-key:
    type: gcp:kms:CryptoKey
    properties:
      name: crypto-key-example
      keyRing: ${keyring.id}
      purpose: ASYMMETRIC_SIGN
      versionTemplate:
        algorithm: EC_SIGN_P384_SHA384

Import

CryptoKey can be imported using any of these accepted formats:

{{key_ring}}/cryptoKeys/{{name}}
{{key_ring}}/{{name}} When using the pulumi import command, CryptoKey can be imported using one of the formats above. For example:

$ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/cryptoKeys/{{name}}

$ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/{{name}}

Constructors

CryptoKeyArgs

constructor(cryptoKeyBackend: Output<String>? = null, destroyScheduledDuration: Output<String>? = null, importOnly: Output<Boolean>? = null, keyAccessJustificationsPolicy: Output<CryptoKeyKeyAccessJustificationsPolicyArgs>? = null, keyRing: Output<String>? = null, labels: Output<Map<String, String>>? = null, name: Output<String>? = null, purpose: Output<String>? = null, rotationPeriod: Output<String>? = null, skipInitialVersionCreation: Output<Boolean>? = null, versionTemplate: Output<CryptoKeyVersionTemplateArgs>? = null)

Properties

cryptoKeyBackend

val cryptoKeyBackend: Output<String>? = null

The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. The resource name is in the format "projects//locations//ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.

destroyScheduledDuration

val destroyScheduledDuration: Output<String>? = null

The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days.

importOnly

val importOnly: Output<Boolean>? = null

Whether this key may contain imported versions only.

keyAccessJustificationsPolicy

val keyAccessJustificationsPolicy: Output<CryptoKeyKeyAccessJustificationsPolicyArgs>? = null

The policy used for Key Access Justifications Policy Enforcement. If this field is present and this key is enrolled in Key Access Justifications Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and sign operations, and the operation will fail if rejected by the policy. The policy is defined by specifying zero or more allowed justification codes. https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes By default, this field is absent, and all justification codes are allowed. This field is currently in beta and is subject to change. Structure is documented below.

keyRing

val keyRing: Output<String>? = null

The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

labels

val labels: Output<Map<String, String>>? = null

Labels with user-defined metadata to apply to this resource. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

name

val name: Output<String>? = null

The resource name for the CryptoKey.

purpose

val purpose: Output<String>? = null

The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value is "ENCRYPT_DECRYPT".

rotationPeriod

val rotationPeriod: Output<String>? = null

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (ie, 86400).

skipInitialVersionCreation

val skipInitialVersionCreation: Output<Boolean>? = null

If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the gcp.kms.CryptoKeyVersion resource to create a new CryptoKeyVersion or gcp.kms.KeyRingImportJob resource to import the CryptoKeyVersion.

versionTemplate

val versionTemplate: Output<CryptoKeyVersionTemplateArgs>? = null

A template describing settings for new crypto key versions. Structure is documented below. //*/

Functions

toJava

open override fun toJava(): CryptoKeyArgs