Google Cloud Key Management Service Key Ring
This page shows how to write Terraform for a Cloud Key Management Service Key Ring and how to configure it securely.
google_kms_key_ring (Terraform)
The Key Ring in Cloud Key Management Service can be configured in Terraform with the resource name google_kms_key_ring. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub

A key ring in the global location:

```hcl
resource "google_kms_key_ring" "default" {
  name     = "default"
  location = "global"
}
```

A key ring that waits for the Cloud KMS API to be enabled on the project before it is created:

```hcl
resource "google_kms_key_ring" "stripe-prod" {
  depends_on = [google_project_service.cloudkms-api]
  name       = "stripe-prod"
  location   = "global"
}
```

A key ring created in an explicitly referenced project, with the location taken from a variable:

```hcl
resource "google_kms_key_ring" "sad_ring" {
  project  = google_project.sad.project_id
  name     = "lvhpay-sad-ring"
  location = var.location
}
```

A key ring pinned to a single region:

```hcl
resource "google_kms_key_ring" "us-bad" {
  name     = "keyring-example"
  location = "us-west4"
}
```
Parameters

location
required - string
The location for the KeyRing. A full list of valid locations can be found by running 'gcloud kms locations list'.

name
required - string
The resource name for the KeyRing.

self_link
computed attribute
The self link of the created KeyRing in the format projects/[project]/locations/[location]/keyRings/[name].
Explanation in Terraform Registry
A KeyRing is a top-level logical grouping of CryptoKeys.
Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyRing will remove it from state but will not delete the resource from the project. To get more information about KeyRing, see:
- API documentation
- How-to Guides
Tips: Best Practices for the Other Google Cloud Key Management Service Resources
In addition to google_kms_key_ring, Google Cloud Key Management Service has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.
google_kms_crypto_key
Ensure your KMS key is rotated at least every 90 days
Rotate your KMS key at least every 90 days to reduce the risk of a single compromised key version exposing all data encrypted under it.
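The key ring from the examples above combined with the 90-day rotation recommended here, as an added example that is not taken from the page's GitHub sources; the project id, resource names and location are assumed placeholder values.

```hcl
# Added example: a key ring plus one crypto key rotated every 90 days.
# The project id, names and location are placeholders, not real values.

variable "project_id" {
  type    = string
  default = "my-project-id" # placeholder; replace with the real project id
}

# Enable the Cloud KMS API first, as the stripe-prod example on this page does.
resource "google_project_service" "cloudkms" {
  project = var.project_id
  service = "cloudkms.googleapis.com"
}

resource "google_kms_key_ring" "app" {
  project    = var.project_id
  name       = "app-keyring"
  location   = "us-west4"
  depends_on = [google_project_service.cloudkms]
}

# rotation_period is expressed in seconds: 90 days * 24 h * 3600 s = 7776000s.
# prevent_destroy guards the key (and the data encrypted under it) from an
# accidental `terraform destroy`; the key ring itself can never be deleted.
resource "google_kms_crypto_key" "app" {
  name            = "app-key"
  key_ring        = google_kms_key_ring.app.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = true
  }
}
```

Run `terraform validate` after editing; a rotation_period above 7776000s is what a 90-day policy check would flag.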
Frequently asked questions
What is Google Cloud Key Management Service Key Ring?
Google Cloud Key Management Service Key Ring is a resource for Cloud Key Management Service of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Cloud Key Management Service Key Ring?
For Terraform, the ulamlabs/gcp-terraform-starter, CloudNativeEntrepreneur/infrastructure and intetunder-temp/terraform-modules source code examples are useful. See the Example Usage section above for further details.