Google Cloud Key Management Service Key Ring

This page shows how to write Terraform for a Cloud Key Management Service Key Ring, and how to write it securely.

google_kms_key_ring (Terraform)

The Key Ring in Cloud Key Management Service can be configured in Terraform with the resource name google_kms_key_ring. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

kms.tf#L1
resource "google_kms_key_ring" "default" {
  name     = "default"
  location = "global"
}

resource "google_kms_key_ring" "regional" {

stripe.tf#L14
resource "google_kms_key_ring" "stripe-prod" {
  depends_on = [google_project_service.cloudkms-api]
  name       = "stripe-prod"
  location   = "global"
}

main.tf#L1
resource "google_kms_key_ring" "sad_ring" {
  project  = google_project.sad.project_id
  name     = "lvhpay-sad-ring"
  location = var.location
}

resource "google_kms_crypto_key" "sad_crypto_key" {

kms_bad.tf#L1
resource "google_kms_key_ring" "us-bad" {
  name     = "keyring-example"
  location = "us-west4"
}

resource "google_kms_key_ring" "asia" {

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

location: The location for the KeyRing. A full list of valid locations can be found by running 'gcloud kms locations list'.

name: The resource name for the KeyRing.

self_link (exported attribute): The self link of the created KeyRing, in the format projects/[project]/locations/[location]/keyRings/[name].

Explanation in Terraform Registry

A KeyRing is a toplevel logical grouping of CryptoKeys.

Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyRing will remove it from state but will not delete the resource from the project. To get more information about KeyRing, see:

Tips: Best Practices for the Other Google Cloud Key Management Service Resources

In addition to google_kms_key_ring, Google Cloud Key Management Service has other resources that should be configured for security reasons. Please check the following examples of those resources and the precautions that apply to them.


google_kms_crypto_key

Ensure your KMS key is rotated at least every 90 days

It is better to rotate your KMS key at least every 90 days to reduce the risk of compromise.
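The following configuration is an added example, not code from the page's linked repositories or from the Terraform provider documentation. It ties together the Parameters section above (name, location, and the exported identifier of the key ring) with the 90-day rotation tip, and it also reflects the note that a key ring is never deleted from the project when it leaves Terraform state. The resource names, the project_id and location variables, and the default location value are assumptions; 7776000s is 90 days expressed in seconds, the unit rotation_period expects.

```hcl
# Added example (assumed names and variables, not from the original page).

variable "project_id" {
  description = "Project that hosts the key ring (value supplied by the caller)"
  type        = string
}

variable "location" {
  description = "KMS location; list valid values with 'gcloud kms locations list'"
  type        = string
  default     = "us-central1" # assumed default
}

# Key rings cannot be deleted from Google Cloud Platform. Destroying this
# resource only removes it from Terraform state, so pick the name deliberately.
resource "google_kms_key_ring" "app" {
  project  = var.project_id
  name     = "app-keyring"
  location = var.location
}

resource "google_kms_crypto_key" "app_data" {
  name     = "app-data-key"
  key_ring = google_kms_key_ring.app.id
  purpose  = "ENCRYPT_DECRYPT"

  # Rotate at least every 90 days: 90 * 24 * 60 * 60 = 7776000 seconds.
  rotation_period = "7776000s"

  lifecycle {
    # Destroying the key would make data encrypted under it unrecoverable,
    # so make an accidental "terraform destroy" fail at plan time.
    prevent_destroy = true
  }
}

output "key_ring_id" {
  # Identifier in the form projects/[project]/locations/[location]/keyRings/[name],
  # the same form the page gives for the key ring's self link.
  value = google_kms_key_ring.app.id
}
```

Setting rotation_period causes Cloud KMS to create a new primary key version automatically each period; existing versions stay available for decryption, so applications that store ciphertext keep working after rotation. A scanner checking this best practice only needs to confirm that every google_kms_crypto_key declares rotation_period and that its value is at most 7776000s.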

Review your Google Cloud Key Management Service settings

In addition to the above, there are other security points you should be aware of. Make sure your .tf files are protected in Shisho Cloud.

Frequently asked questions

What is Google Cloud Key Management Service Key Ring?

Google Cloud Key Management Service Key Ring is a resource for Cloud Key Management Service of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Cloud Key Management Service Key Ring?

For Terraform, the ulamlabs/gcp-terraform-starter, CloudNativeEntrepreneur/infrastructure and intetunder-temp/terraform-modules source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.