v6.2.0/website/docs/r/kms_ekm_connection.html.markdown

---
# ----------------------------------------------------------------------------
#
#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
#
# ----------------------------------------------------------------------------
#
#     This file is automatically generated by Magic Modules and manual
#     changes will be clobbered when the file is regenerated.
#
#     Please read more about how to change this file in
#     .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Cloud Key Management Service"
description: |-
  `Ekm Connections` are used to control the connection settings for an `EXTERNAL_VPC` CryptoKey.
---

# google_kms_ekm_connection

`Ekm Connections` are used to control the connection settings for an `EXTERNAL_VPC` CryptoKey.
It is used to connect customer's external key manager to Google Cloud EKM.


~> **Note:** Ekm Connections cannot be deleted from Google Cloud Platform.


To get more information about EkmConnection, see:

* [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections)
* How-to Guides
    * [Creating a Ekm Connection](https://cloud.google.com/kms/docs/create-ekm-connection)

## Example Usage - Kms Ekm Connection Basic


```hcl
resource "google_kms_ekm_connection" "example-ekmconnection" {
  name            	= "ekmconnection_example"
  location		= "us-central1"
  key_management_mode 	= "MANUAL"
  service_resolvers  	{
      service_directory_service  = "projects/project_id/locations/us-central1/namespaces/namespace_name/services/service_name"
      hostname 			 = "example-ekm.goog"
      server_certificates        {
      		raw_der	= "==HAwIBCCAr6gAwIBAgIUWR+EV4lqiV7Ql12VY=="
      	}
    }
}
```

## Argument Reference

The following arguments are supported:


* `name` -
  (Required)
  The resource name for the EkmConnection.

* `service_resolvers` -
  (Required)
  A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported
  Structure is [documented below](#nested_service_resolvers).

* `location` -
  (Required)
  The location for the EkmConnection.
  A full list of valid locations can be found by running `gcloud kms locations list`.


<a name="nested_service_resolvers"></a>The `service_resolvers` block supports:

* `service_directory_service` -
  (Required)
  Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects/*/locations/*/namespaces/*/services/*

* `hostname` -
  (Required)
  Required. The hostname of the EKM replica used at TLS and HTTP layers.

* `server_certificates` -
  (Required)
  Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 Certificate is supported.
  Structure is [documented below](#nested_server_certificates).

* `endpoint_filter` -
  (Optional)
  Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.


<a name="nested_server_certificates"></a>The `server_certificates` block supports:

* `raw_der` -
  (Required)
  Required. The raw certificate bytes in DER format. A base64-encoded string.

* `parsed` -
  (Output)
  Output only. True if the certificate was parsed successfully.

* `issuer` -
  (Output)
  Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.

* `subject` -
  (Output)
  Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.

* `not_before_time` -
  (Output)
  Output only. The certificate is not valid before this time. Only present if parsed is true.
  A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

* `not_after_time` -
  (Output)
  Output only. The certificate is not valid after this time. Only present if parsed is true.
  A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

* `sha256_fingerprint` -
  (Output)
  Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.

* `serial_number` -
  (Output)
  Output only. The certificate serial number as a hex string. Only present if parsed is true.

* `subject_alternative_dns_names` -
  (Output)
  Output only. The subject Alternative DNS names. Only present if parsed is true.

- - -


* `key_management_mode` -
  (Optional)
  Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL
  Default value is `MANUAL`.
  Possible values are: `MANUAL`, `CLOUD_KMS`.

* `etag` -
  (Optional)
  Optional. Etag of the currently stored EkmConnection.

* `crypto_space_path` -
  (Optional)
  Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.

* `project` - (Optional) The ID of the project in which the resource belongs.
    If it is not provided, the provider project is used.


## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/ekmConnections/{{name}}`

* `create_time` -
  Output only. The time at which the EkmConnection was created.
  A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".


## Timeouts

This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.

## Import


EkmConnection can be imported using any of these accepted formats:

* `projects/{{project}}/locations/{{location}}/ekmConnections/{{name}}`
* `{{project}}/{{location}}/{{name}}`
* `{{location}}/{{name}}`


In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import EkmConnection using one of the formats above. For example:

```tf
import {
  id = "projects/{{project}}/locations/{{location}}/ekmConnections/{{name}}"
  to = google_kms_ekm_connection.default
}
```

When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), EkmConnection can be imported using one of the formats above. For example:

```
$ terraform import google_kms_ekm_connection.default projects/{{project}}/locations/{{location}}/ekmConnections/{{name}}
$ terraform import google_kms_ekm_connection.default {{project}}/{{location}}/{{name}}
$ terraform import google_kms_ekm_connection.default {{location}}/{{name}}
```

## User Project Overrides

This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).