Google Cloud Key Management Service Secret Ciphertext
This page shows how to write Terraform for the Cloud Key Management Service Secret Ciphertext resource and how to configure it securely.
google_kms_secret_ciphertext (Terraform)
The Secret Ciphertext in Cloud Key Management Service can be configured in Terraform with the resource name google_kms_secret_ciphertext. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Example 1 (niveklabs/google style): every argument comes from module variables.
# The body of the dynamic "timeouts" block was cut off on the original page; the
# for_each/content form below is the usual pattern and is assumed here.
resource "google_kms_secret_ciphertext" "this" {
  additional_authenticated_data = var.additional_authenticated_data
  crypto_key                    = var.crypto_key
  plaintext                     = var.plaintext

  dynamic "timeouts" {
    for_each = var.timeouts
    content {
      create = timeouts.value["create"]
      delete = timeouts.value["delete"]
    }
  }
}

# Example 2 (tkam8/vault-gcp-demo-module): encrypt a generated TLS private key.
# Note that the PEM plaintext is still written to the Terraform state as-is.
resource "google_kms_secret_ciphertext" "vault-tls-key-encrypted" {
  count      = local.manage_tls_count
  crypto_key = google_kms_crypto_key.vault-init.self_link
  plaintext  = tls_private_key.vault-server[0].private_key_pem
}
Parameters
- additional_authenticated_data (optional - string): The additional authenticated data used for integrity checks during encryption and decryption.
- ciphertext (optional, computed - string): Contains the result of encrypting the provided plaintext, encoded in base64.
- crypto_key (required - string): The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}
- plaintext (required - string): The plaintext to be encrypted.
Explanation in Terraform Registry
Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.
NOTE: Using this resource will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions. To get more information about SecretCiphertext, see:
- API documentation
- How-to Guides
- Encrypting and decrypting data with a symmetric key
Warning: All arguments, including plaintext and additional_authenticated_data, will be stored in the raw state as plain-text. Read more about sensitive data in state.
Tips: Best Practices for The Other Google Cloud Key Management Service Resources
In addition to the google_kms_crypto_key, Google Cloud Key Management Service has other resources that should be configured for security reasons. Please check the following examples of those resources and the precautions to take.
google_kms_crypto_key
Ensure your KMS key is rotated at least every 90 days
It is better to rotate your KMS key at least every 90 days to reduce the risk of compromise.
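The Warning above says the plaintext and additional_authenticated_data arguments end up in the raw state file, and the tip above asks for rotation at least every 90 days. The script below is an added example (not code from the page's authors, from niveklabs/google, tkam8/vault-gcp-demo-module, or the Terraform Google provider) that audits a Terraform state file for both: it lists every google_kms_secret_ciphertext instance whose secret arguments are present in state, and every google_kms_crypto_key whose rotation_period is unset or longer than 90 days (7776000s). The state document is constructed inline for the example; the project, key ring and PEM values in it are placeholders.

```python
"""Audit a Terraform state file for secrets persisted by google_kms_secret_ciphertext
and for google_kms_crypto_key resources without a 90-day rotation period."""
import json
import re

# Constructed sample state (not from any real deployment). The plaintext and
# additional_authenticated_data values are representative of what the resource
# writes to state as-is; the ciphertext value is a placeholder, not real KMS output.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "mode": "managed",
            "type": "google_kms_secret_ciphertext",
            "name": "vault-tls-key-encrypted",
            "instances": [{
                "index_key": 0,  # created with count, as in the second usage example
                "attributes": {
                    "crypto_key": "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/vault-init",
                    "plaintext": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END RSA PRIVATE KEY-----\n",
                    "additional_authenticated_data": "vault-tls",
                    "ciphertext": "Q09OU1RSVUNURUQtU0FNUExF",
                },
            }],
        },
        {"mode": "managed", "type": "google_kms_crypto_key", "name": "vault-init",
         "instances": [{"attributes": {"name": "vault-init", "rotation_period": "7776000s"}}]},
        {"mode": "managed", "type": "google_kms_crypto_key", "name": "legacy",
         "instances": [{"attributes": {"name": "legacy", "rotation_period": None}}]},
        {"mode": "managed", "type": "google_kms_crypto_key", "name": "slow",
         "instances": [{"attributes": {"name": "slow", "rotation_period": "15552000s"}}]},
    ],
})

SECRET_ATTRS = ("plaintext", "additional_authenticated_data")
MAX_ROTATION_SECONDS = 90 * 24 * 60 * 60  # 90 days = 7776000s
# rotation_period is a duration in seconds with an "s" suffix, e.g. "7776000s".
_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)s$")


def _address(res, inst):
    """Build the Terraform resource address, adding [index] for count/for_each instances."""
    address = f'{res["type"]}.{res["name"]}'
    if "index_key" in inst:
        address += f'[{json.dumps(inst["index_key"])}]'
    return address


def parse_rotation_seconds(period):
    """Return the rotation period in seconds, or None if unset or malformed."""
    if not isinstance(period, str):
        return None
    match = _DURATION_RE.match(period.strip())
    return float(match.group(1)) if match else None


def find_secrets_in_state(state_json):
    """Return (address, attribute) pairs for every secret argument that a
    google_kms_secret_ciphertext resource has persisted in the state file."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "google_kms_secret_ciphertext":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for attr in SECRET_ATTRS:
                if attrs.get(attr):  # empty or absent means nothing sensitive was stored
                    findings.append((_address(res, inst), attr))
    return findings


def find_unrotated_keys(state_json, max_seconds=MAX_ROTATION_SECONDS):
    """Return addresses of google_kms_crypto_key resources whose rotation_period
    is unset, unparsable, or longer than max_seconds."""
    state = json.loads(state_json)
    flagged = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "google_kms_crypto_key":
            continue
        for inst in res.get("instances", []):
            period = (inst.get("attributes") or {}).get("rotation_period")
            seconds = parse_rotation_seconds(period)
            if seconds is None or seconds > max_seconds:
                flagged.append(_address(res, inst))
    return flagged


if __name__ == "__main__":
    for address, attr in find_secrets_in_state(SAMPLE_STATE):
        print(f"{address}: '{attr}' is stored in plain text in state")
    for address in find_unrotated_keys(SAMPLE_STATE):
        print(f"{address}: rotation_period unset or longer than 90 days")
```

To run it against a real deployment, replace SAMPLE_STATE with the output of `terraform show -json` or the contents of the state file. Marking an input variable `sensitive = true` only redacts plan and apply output; the value is still written to state, which is why a check like this belongs in the pipeline that stores the state rather than in the resource definition.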
Frequently asked questions
What is Google Cloud Key Management Service Secret Ciphertext?
Google Cloud Key Management Service Secret Ciphertext is a resource for Cloud Key Management Service of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Cloud Key Management Service Secret Ciphertext?
For Terraform, the niveklabs/google and tkam8/vault-gcp-demo-module source code examples are useful. See the Terraform Example section for further details.