v5.18.0/website/docs/r/kms_crypto_key.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 # ----------------------------------------------------------------------------
 #
 #     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
 #
 # ----------------------------------------------------------------------------
 #
 #     This file is automatically generated by Magic Modules and manual
 #     changes will be clobbered when the file is regenerated.
 #
 #     Please read more about how to change this file in
 #     .github/CONTRIBUTING.md.
 #
 # ----------------------------------------------------------------------------
 subcategory: "Cloud Key Management Service"
 description: |-
   A `CryptoKey` represents a logical key that can be used for cryptographic operations.
 ---

 # google\_kms\_crypto\_key

 A `CryptoKey` represents a logical key that can be used for cryptographic operations.


 ~> **Note:** CryptoKeys cannot be deleted from Google Cloud Platform.
 Destroying a Terraform-managed CryptoKey will remove it from state
 and delete all CryptoKeyVersions, rendering the key unusable, but *will
 not delete the resource from the project.* When Terraform destroys these keys,
 any data previously encrypted with these keys will be irrecoverable.
 For this reason, it is strongly recommended that you add
 [lifecycle](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle)
 hooks to the resource to prevent accidental destruction.


 To get more information about CryptoKey, see:

 * [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
 * How-to Guides
     * [Creating a key](https://cloud.google.com/kms/docs/creating-keys#create_a_key)

 ## Example Usage - Kms Crypto Key Basic


 ```hcl
 resource "google_kms_key_ring" "keyring" {
   name     = "keyring-example"
   location = "global"
 }

 resource "google_kms_crypto_key" "example-key" {
   name            = "crypto-key-example"
   key_ring        = google_kms_key_ring.keyring.id
   rotation_period = "7776000s"

   lifecycle {
     prevent_destroy = true
   }
 }
 ```
 ## Example Usage - Kms Crypto Key Asymmetric Sign


 ```hcl
 resource "google_kms_key_ring" "keyring" {
   name     = "keyring-example"
   location = "global"
 }

 resource "google_kms_crypto_key" "example-asymmetric-sign-key" {
   name     = "crypto-key-example"
   key_ring = google_kms_key_ring.keyring.id
   purpose  = "ASYMMETRIC_SIGN"

   version_template {
     algorithm = "EC_SIGN_P384_SHA384"
   }

   lifecycle {
     prevent_destroy = true
   }
 }
 ```

 ## Argument Reference

 The following arguments are supported:


 * `name` -
   (Required)
   The resource name for the CryptoKey.

 * `key_ring` -
   (Required)
   The KeyRing that this key belongs to.
   Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.


 - - -


 * `labels` -
   (Optional)
   Labels with user-defined metadata to apply to this resource.

   **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
   Please refer to the field `effective_labels` for all of the labels present on the resource.

 * `purpose` -
   (Optional)
   The immutable purpose of this CryptoKey. See the
   [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose)
   for possible inputs.
   Default value is "ENCRYPT_DECRYPT".

 * `rotation_period` -
   (Optional)
   Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
   The first rotation will take place after the specified period. The rotation period has
   the format of a decimal number with up to 9 fractional digits, followed by the
   letter `s` (seconds). It must be greater than a day (ie, 86400).

 * `version_template` -
   (Optional)
   A template describing settings for new crypto key versions.
   Structure is [documented below](#nested_version_template).

 * `destroy_scheduled_duration` -
   (Optional)
   The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
   If not specified at creation time, the default duration is 24 hours.

 * `import_only` -
   (Optional)
   Whether this key may contain imported versions only.

 * `skip_initial_version_creation` -
   (Optional)
   If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
   You must use the `google_kms_key_ring_import_job` resource to import the CryptoKeyVersion.


 <a name="nested_version_template"></a>The `version_template` block supports:

 * `algorithm` -
   (Required)
   The algorithm to use when creating a version based on this template.
   See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.

 * `protection_level` -
   (Optional)
   The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are exported:

 * `id` - an identifier for the resource with format `{{key_ring}}/cryptoKeys/{{name}}`

 * `primary` -
   A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name.
   Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset.
   Structure is [documented below](#nested_primary).

 * `terraform_labels` -
   The combination of labels configured directly on the resource
    and default labels configured on the provider.

 * `effective_labels` -
   All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.


 <a name="nested_primary"></a>The `primary` block contains:

 * `name` -
   (Output)
   The resource name for this CryptoKeyVersion.

 * `state` -
   (Output)
   The current state of the CryptoKeyVersion.

 ## Timeouts

 This resource provides the following
 [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

 - `create` - Default is 20 minutes.
 - `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.

 ## Import


 CryptoKey can be imported using any of these accepted formats:

 * `{{key_ring}}/cryptoKeys/{{name}}`
 * `{{key_ring}}/{{name}}`


 In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CryptoKey using one of the formats above. For example:

 ```tf
 import {
   id = "{{key_ring}}/cryptoKeys/{{name}}"
   to = google_kms_crypto_key.default
 }
 ```

 When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), CryptoKey can be imported using one of the formats above. For example:

 ```
 $ terraform import google_kms_crypto_key.default {{key_ring}}/cryptoKeys/{{name}}
 $ terraform import google_kms_crypto_key.default {{key_ring}}/{{name}}
 ```

 ## User Project Overrides

 This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).
	---
	# ----------------------------------------------------------------------------
	#
	# * AUTO GENERATED CODE * Type: MMv1 ***
	#
	# ----------------------------------------------------------------------------
	#
	# This file is automatically generated by Magic Modules and manual
	# changes will be clobbered when the file is regenerated.
	#
	# Please read more about how to change this file in
	# .github/CONTRIBUTING.md.
	#
	# ----------------------------------------------------------------------------
	subcategory: "Cloud Key Management Service"
	description: \|-
	A `CryptoKey` represents a logical key that can be used for cryptographic operations.
	---

	# google\_kms\_crypto\_key

	A `CryptoKey` represents a logical key that can be used for cryptographic operations.


	~> Note: CryptoKeys cannot be deleted from Google Cloud Platform.
	Destroying a Terraform-managed CryptoKey will remove it from state
	and delete all CryptoKeyVersions, rendering the key unusable, but *will
	not delete the resource from the project.* When Terraform destroys these keys,
	any data previously encrypted with these keys will be irrecoverable.
	For this reason, it is strongly recommended that you add
	[lifecycle](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle)
	hooks to the resource to prevent accidental destruction.


	To get more information about CryptoKey, see:

	* [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
	* How-to Guides
	* [Creating a key](https://cloud.google.com/kms/docs/creating-keys#create_a_key)

	## Example Usage - Kms Crypto Key Basic


	```hcl
	resource "google_kms_key_ring" "keyring" {
	name = "keyring-example"
	location = "global"
	}

	resource "google_kms_crypto_key" "example-key" {
	name = "crypto-key-example"
	key_ring = google_kms_key_ring.keyring.id
	rotation_period = "7776000s"

	lifecycle {
	prevent_destroy = true
	}
	}
	```
	## Example Usage - Kms Crypto Key Asymmetric Sign


	```hcl
	resource "google_kms_key_ring" "keyring" {
	name = "keyring-example"
	location = "global"
	}

	resource "google_kms_crypto_key" "example-asymmetric-sign-key" {
	name = "crypto-key-example"
	key_ring = google_kms_key_ring.keyring.id
	purpose = "ASYMMETRIC_SIGN"

	version_template {
	algorithm = "EC_SIGN_P384_SHA384"
	}

	lifecycle {
	prevent_destroy = true
	}
	}
	```

	## Argument Reference

	The following arguments are supported:


	* `name` -
	(Required)
	The resource name for the CryptoKey.

	* `key_ring` -
	(Required)
	The KeyRing that this key belongs to.
	Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.


	- - -


	* `labels` -
	(Optional)
	Labels with user-defined metadata to apply to this resource.

	Note: This field is non-authoritative, and will only manage the labels present in your configuration.
	Please refer to the field `effective_labels` for all of the labels present on the resource.

	* `purpose` -
	(Optional)
	The immutable purpose of this CryptoKey. See the
	[purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose)
	for possible inputs.
	Default value is "ENCRYPT_DECRYPT".

	* `rotation_period` -
	(Optional)
	Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
	The first rotation will take place after the specified period. The rotation period has
	the format of a decimal number with up to 9 fractional digits, followed by the
	letter `s` (seconds). It must be greater than a day (ie, 86400).

	* `version_template` -
	(Optional)
	A template describing settings for new crypto key versions.
	Structure is [documented below](#nested_version_template).

	* `destroy_scheduled_duration` -
	(Optional)
	The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
	If not specified at creation time, the default duration is 24 hours.

	* `import_only` -
	(Optional)
	Whether this key may contain imported versions only.

	* `skip_initial_version_creation` -
	(Optional)
	If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
	You must use the `google_kms_key_ring_import_job` resource to import the CryptoKeyVersion.


	<a name="nested_version_template"></a>The `version_template` block supports:

	* `algorithm` -
	(Required)
	The algorithm to use when creating a version based on this template.
	See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.

	* `protection_level` -
	(Optional)
	The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".

	## Attributes Reference

	In addition to the arguments listed above, the following computed attributes are exported:

	* `id` - an identifier for the resource with format `{{key_ring}}/cryptoKeys/{{name}}`

	* `primary` -
	A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name.
	Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset.
	Structure is [documented below](#nested_primary).

	* `terraform_labels` -
	The combination of labels configured directly on the resource
	and default labels configured on the provider.

	* `effective_labels` -
	All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.


	<a name="nested_primary"></a>The `primary` block contains:

	* `name` -
	(Output)
	The resource name for this CryptoKeyVersion.

	* `state` -
	(Output)
	The current state of the CryptoKeyVersion.

	## Timeouts

	This resource provides the following
	[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

	- `create` - Default is 20 minutes.
	- `update` - Default is 20 minutes.
	- `delete` - Default is 20 minutes.

	## Import


	CryptoKey can be imported using any of these accepted formats:

	* `{{key_ring}}/cryptoKeys/{{name}}`
	* `{{key_ring}}/{{name}}`


	In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CryptoKey using one of the formats above. For example:

	```tf
	import {
	id = "{{key_ring}}/cryptoKeys/{{name}}"
	to = google_kms_crypto_key.default
	}
	```

	When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), CryptoKey can be imported using one of the formats above. For example:

	```
	$ terraform import google_kms_crypto_key.default {{key_ring}}/cryptoKeys/{{name}}
	$ terraform import google_kms_crypto_key.default {{key_ring}}/{{name}}
	```

	## User Project Overrides

	This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).