---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Cloud Key Management Service"
description: |-
  Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.
---
# google_kms_secret_ciphertext

Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.

~> **NOTE:** Using this resource will allow you to conceal secret data within your
resource definitions, but it does not take care of protecting that data in the
logging output, plan output, or state output. Please take care to secure your secret
data outside of resource definitions.

To get more information about SecretCiphertext, see:

* [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/encrypt)
* How-to Guides
    * [Encrypting and decrypting data with a symmetric key](https://cloud.google.com/kms/docs/encrypt-decrypt)

~> **Warning:** All arguments including the following potentially sensitive
values will be stored in the raw state as plain text: `plaintext`, `additional_authenticated_data`.
[Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).

## Example Usage - Kms Secret Ciphertext Basic
```hcl
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "cryptokey" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_secret_ciphertext" "my_password" {
  crypto_key = google_kms_crypto_key.cryptokey.id
  plaintext  = "my-secret-password"
}

resource "google_compute_instance" "instance" {
  name         = "my-instance"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  metadata = {
    password = google_kms_secret_ciphertext.my_password.ciphertext
  }
}
```
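
The warning above says `plaintext` and `additional_authenticated_data` are written to state in the clear; the following Python check is an added example (not part of the provider documentation) that audits a state file for them. It assumes the Terraform state v4 JSON layout (`resources[].instances[].attributes`); the function name `find_plaintext_in_state` and the sample state are constructed for illustration.

```python
import json

# Attributes the page says are stored in raw state as plain text.
RESOURCE_TYPE = "google_kms_secret_ciphertext"
SENSITIVE_ATTRS = ("plaintext", "additional_authenticated_data")

# Constructed sample in the state v4 layout (an assumption, not a real state file).
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": RESOURCE_TYPE, "name": "my_password",
         "instances": [{"attributes": {
             "plaintext": "my-secret-password",
             "additional_authenticated_data": None,
             "ciphertext": "Q09OU1RSVUNURUQ="}}]},
        {"module": "module.db", "mode": "managed", "type": RESOURCE_TYPE,
         "name": "token",
         "instances": [{"index_key": "primary", "attributes": {
             "plaintext": "constructed-token",
             "additional_authenticated_data": "tenant-a"}}]},
        {"mode": "managed", "type": "google_compute_instance", "name": "instance",
         "instances": [{"attributes": {"name": "my-instance"}}]},
    ],
}


def find_plaintext_in_state(state):
    """Return (address, attribute, length) for each populated sensitive attribute.

    Only the length is reported, so the audit output does not leak the value again.
    """
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != RESOURCE_TYPE:
            continue
        prefix = res["module"] + "." if res.get("module") else ""
        for inst in res.get("instances", []):
            address = f"{prefix}{res['type']}.{res['name']}"
            if inst.get("index_key") is not None:  # count / for_each instances
                address += f"[{json.dumps(inst['index_key'])}]"
            attrs = inst.get("attributes") or {}
            for name in SENSITIVE_ATTRS:
                if attrs.get(name):
                    findings.append((address, name, len(attrs[name])))
    return findings


if __name__ == "__main__":
    for address, name, length in find_plaintext_in_state(SAMPLE_STATE):
        print(f"{address}: {name} stored in state ({length} chars)")
```

Any finding means the state file, and every backend or backup that holds a copy of it, has to be access-controlled as strictly as the secret itself.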
## Argument Reference
The following arguments are supported:
* `plaintext` -
  (Required)
  The plaintext to be encrypted.
  **Note**: This property is sensitive and will not be displayed in the plan.

* `crypto_key` -
  (Required)
  The full name of the CryptoKey that will be used to encrypt the provided plaintext.
  Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'`

- - -

* `additional_authenticated_data` -
  (Optional)
  The additional authenticated data used for integrity checks during encryption and decryption.
  **Note**: This property is sensitive and will not be displayed in the plan.

## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `{{crypto_key}}/{{ciphertext}}`

* `ciphertext` -
  Contains the result of encrypting the provided plaintext, encoded in base64.

## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
This resource does not support import.
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).