Google Cloud Key Management Service Key Ring Import Job
This page shows how to write Terraform for Cloud Key Management Service Key Ring Import Job and write them securely.
google_kms_key_ring_import_job (Terraform)
The Key Ring Import Job in Cloud Key Management Service can be configured in Terraform with the resource name google_kms_key_ring_import_job
. The following sections describe 1 example of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_kms_key_ring_import_job" "this" {
import_job_id = var.import_job_id
import_method = var.import_method
key_ring = var.key_ring
protection_level = var.protection_level
Parameters
-
attestation
optional computed - list of object
Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM.
-
content
- string -
format
- string -
expire_time
optional computed - string
The time at which this resource is scheduled for expiration and can no longer be used. This is in RFC3339 text format.
-
id
optional computed - string -
import_job_id
required - string
It must be unique within a KeyRing and match the regular expression [a-zA-Z0-9_-][1,63]
-
import_method
required - string
The wrapping method to be used for incoming key material. Possible values: ["RSA_OAEP_3072_SHA1_AES_256", "RSA_OAEP_4096_SHA1_AES_256"]
-
key_ring
required - string
The KeyRing that this import job belongs to. Format: ''projects/[[project]]/locations/[[location]]/keyRings/[[keyRing]]''.
-
name
optional computed - string
The resource name for this ImportJob in the format projects//locations//keyRings//importJobs/.
-
protection_level
required - string
The protection level of the ImportJob. This must match the protectionLevel of the versionTemplate on the CryptoKey you attempt to import into. Possible values: ["SOFTWARE", "HSM", "EXTERNAL"]
-
public_key
optional computed - list of object
The public key with which to wrap key material prior to import. Only returned if state is 'ACTIVE'.
The current state of the ImportJob, indicating if it can be used.
Explanation in Terraform Registry
A
KeyRingImportJob
can be used to createCryptoKeys
andCryptoKeyVersions
using pre-existing key material, generated outside of Cloud KMS. AKeyRingImportJob
expires 3 days after it is created. Once expired, Cloud KMS will no longer be able to import or unwrap any key material that was wrapped with theKeyRingImportJob
's public key.Note: KeyRingImportJobs cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyRingImportJob will remove it from state but will not delete the resource from the project. To get more information about KeyRingImportJob, see:
- API documentation
- How-to Guides
Tips: Best Practices for The Other Google Cloud Key Management Service Resources
In addition to the google_kms_crypto_key, Google Cloud Key Management Service has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
google_kms_crypto_key
Ensure your KMS key is rotated at least every 90 days
It is better to rotate your KMS key at least every 90 days to reduce the risk of compromise.
Frequently asked questions
What is Google Cloud Key Management Service Key Ring Import Job?
Google Cloud Key Management Service Key Ring Import Job is a resource for Cloud Key Management Service of Google Cloud Platform. Settings can be wrote in Terraform.
Where can I find the example code for the Google Cloud Key Management Service Key Ring Import Job?
For Terraform, the niveklabs/google source code example is useful. See the Terraform Example section for further details.