Google Cloud Key Management Service Secret Ciphertext

This page shows how to write Terraform for the Cloud Key Management Service Secret Ciphertext resource and how to write it securely.

google_kms_secret_ciphertext (Terraform)

The Secret Ciphertext in Cloud Key Management Service can be configured in Terraform with the resource name google_kms_secret_ciphertext. The following sections describe two examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L7
resource "google_kms_secret_ciphertext" "this" {
  additional_authenticated_data = var.additional_authenticated_data
  crypto_key                    = var.crypto_key
  plaintext                     = var.plaintext

  dynamic "timeouts" {
    # The body of this dynamic block is not included in the excerpt.
  }
}

crypto.tf#L133
resource "google_kms_secret_ciphertext" "vault-tls-key-encrypted" {
  count = local.manage_tls_count

  crypto_key = google_kms_crypto_key.vault-init.self_link
  plaintext  = tls_private_key.vault-server[0].private_key_pem
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

additional_authenticated_data
The additional authenticated data used for integrity checks during encryption and decryption.

ciphertext
Contains the result of encrypting the provided plaintext, encoded in base64.

crypto_key
The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}

plaintext
The plaintext to be encrypted.

Explanation in Terraform Registry

Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.

NOTE: Using this resource will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions. To get more information about SecretCiphertext, see:

Tips: Best Practices for The Other Google Cloud Key Management Service Resources

In addition to google_kms_crypto_key, Google Cloud Key Management Service has other resources that should be configured with security in mind. The following examples and precautions cover some of those resources.


google_kms_crypto_key

Ensure your KMS key is rotated at least every 90 days

It is better to rotate your KMS key at least every 90 days to reduce the risk of compromise.
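The following configuration is an added example, not code from the page or from the cited repositories. It ties the NOTE above (plaintext and ciphertext still reach plan and state output) to the rotation tip: the plaintext comes from a variable marked sensitive, the key rotates every 90 days, and the ciphertext output is marked sensitive. The project, key ring, key and variable names are assumptions.

```hcl
# Added example; names below are assumed, not taken from the page.
variable "db_password" {
  type      = string
  sensitive = true # redacted in plan/apply output; still stored in state
}

resource "google_kms_key_ring" "example" {
  name     = "example-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "example" {
  name            = "example-key"
  key_ring        = google_kms_key_ring.example.id
  rotation_period = "7776000s" # 90 days, as recommended above

  lifecycle {
    prevent_destroy = true # losing the key makes every ciphertext unrecoverable
  }
}

resource "google_kms_secret_ciphertext" "db_password" {
  crypto_key = google_kms_crypto_key.example.id
  plaintext  = var.db_password
  # Binds the ciphertext to its purpose: decryption with different AAD fails.
  additional_authenticated_data = "db/prod/password"
}

output "db_password_ciphertext" {
  value     = google_kms_secret_ciphertext.db_password.ciphertext
  sensitive = true
}
```

Marking values sensitive keeps them out of console output only; the state file still holds the plaintext, so it must be stored in a protected, access-controlled backend.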

Review your Google Cloud Key Management Service settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check your .tf files against them to make sure they are protected.

Frequently asked questions

What is Google Cloud Key Management Service Secret Ciphertext?

Google Cloud Key Management Service Secret Ciphertext is a resource for Cloud Key Management Service of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Cloud Key Management Service Secret Ciphertext?

For Terraform, the niveklabs/google and tkam8/vault-gcp-demo-module source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.