Google Cloud Key Management Service Crypto Key

google_kms_crypto_key (Terraform)

The Crypto Key in Cloud Key Management Service can be configured in Terraform with the resource name google_kms_crypto_key. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

SnidermanIndustries/checkov-fork

resource "google_kms_crypto_key" "key_good_1" {
  name = "crypto-key-example"
  key_ring = google_kms_key_ring.keyring.id
  rotation_period = "100000s"

  lifecycle {

ulamlabs/gcp-terraform-starter

resource "google_kms_crypto_key" "terraform-state" {
  name            = "terraform-state"
  key_ring        = google_kms_key_ring.regional.id
  rotation_period = "7776000s"

  lifecycle {

melscoop-test/check

resource "google_kms_crypto_key" "key_good_1" {
  name = "crypto-key-example"
  key_ring = google_kms_key_ring.keyring.id
  rotation_period = "100000s"

  lifecycle {

hashicorp/boundary-reference-architecture

resource "google_kms_crypto_key" "root" {
  name            = local.boundary_root_key_name
  key_ring        = google_kms_key_ring.this.id
  rotation_period = var.kms_crypto_key_rotation_period
}

jjmartres/terraform

resource "google_kms_crypto_key" "key" {
  count           = var.prevent_destroy ? length(var.keys) : 0
  name            = var.keys[count.index]
  key_ring        = google_kms_key_ring.key_ring.self_link
  rotation_period = var.key_rotation_period

Security Best Practices for google_kms_crypto_key

There is 1 setting in google_kms_crypto_key that should be taken care of for security reasons. The following section explain an overview and example code.

Ensure your KMS key is rotated at least every 90 days

It is better to rotate your KMS key at least every 90 days to reduce the risk of compromise.

Parameters

• id optional computed - string
• key_ring required - string

The KeyRing that this key belongs to. Format: ''projects/[[project]]/locations/[[location]]/keyRings/[[keyRing]]''.

• labels optional - map from string to string

Labels with user-defined metadata to apply to this resource.

• name required - string

The resource name for the CryptoKey.

• purpose optional - string

The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Default value: "ENCRYPT_DECRYPT" Possible values: ["ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"]

• rotation_period optional - string

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter 's' (seconds). It must be greater than a day (ie, 86400).

• self_link optional computed - string

The self link of the created KeyRing in the format projects/[project]/locations/[location]/keyRings/[name].

• skip_initial_version_creation optional - bool

If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must use the 'google_kms_key_ring_import_job' resource to import the CryptoKeyVersion.

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string
• version_template list block
  • algorithm required - string

  The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.

  • protection_level optional - string

  The protection level to use when creating a version based on this template. Default value: "SOFTWARE" Possible values: ["SOFTWARE", "HSM"]

Explanation in Terraform Registry

A CryptoKey represents a logical key that can be used for cryptographic operations.

Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction. To get more information about CryptoKey, see:

• API documentation
• How-to Guides
  • Creating a key