---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Cloud Key Management Service"
description: |-
A `KeyHandle` is a resource used to auto-provision CryptoKeys for CMEK.
---
# google_kms_key_handle
A `KeyHandle` is a resource used to auto-provision CryptoKeys for CMEK.
~> **Note:** KeyHandles cannot be deleted from Google Cloud Platform.
Destroying a Terraform-managed KeyHandle only removes it from Terraform state;
*the KeyHandle, and the CryptoKey that Autokey provisioned for it, remain in the project.*
~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.
To get more information about KeyHandle, see:
* [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyHandles)
* How-to Guides
* [Cloud KMS with Autokey](https://cloud.google.com/kms/docs/kms-with-autokey)
## Example Usage - Kms Key Handle Basic
```hcl
# Create Folder in GCP Organization
resource "google_folder" "autokms_folder" {
  provider            = google-beta
  display_name        = "folder-example"
  parent              = "organizations/123456789"
  deletion_protection = false
}

# Create the key project
resource "google_project" "key_project" {
  provider        = google-beta
  project_id      = "key-proj"
  name            = "key-proj"
  folder_id       = google_folder.autokms_folder.folder_id
  billing_account = "000000-0000000-0000000-000000"
  depends_on      = [google_folder.autokms_folder]
  deletion_policy = "DELETE"
}

# Create the resource project
resource "google_project" "resource_project" {
  provider        = google-beta
  project_id      = "resources"
  name            = "resources"
  folder_id       = google_folder.autokms_folder.folder_id
  billing_account = "000000-0000000-0000000-000000"
  depends_on      = [google_folder.autokms_folder]
  deletion_policy = "DELETE"
}

# Enable the Cloud KMS API
resource "google_project_service" "kms_api_service" {
  provider                   = google-beta
  service                    = "cloudkms.googleapis.com"
  project                    = google_project.key_project.project_id
  disable_on_destroy         = false
  disable_dependent_services = true
  depends_on                 = [google_project.key_project]
}

# Wait delay after enabling APIs
resource "time_sleep" "wait_enable_service_api" {
  depends_on      = [google_project_service.kms_api_service]
  create_duration = "30s"
}

# Create KMS Service Agent
resource "google_project_service_identity" "kms_service_agent" {
  provider   = google-beta
  service    = "cloudkms.googleapis.com"
  project    = google_project.key_project.number
  depends_on = [time_sleep.wait_enable_service_api]
}

# Wait delay after creating service agent.
resource "time_sleep" "wait_service_agent" {
  depends_on      = [google_project_service_identity.kms_service_agent]
  create_duration = "10s"
}

# Grant the KMS Service Agent the Cloud KMS Admin role
resource "google_project_iam_member" "autokey_project_admin" {
  provider   = google-beta
  project    = google_project.key_project.project_id
  role       = "roles/cloudkms.admin"
  member     = "serviceAccount:service-${google_project.key_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com"
  depends_on = [time_sleep.wait_service_agent]
}

# Wait delay after granting IAM permissions
resource "time_sleep" "wait_srv_acc_permissions" {
  create_duration = "10s"
  depends_on      = [google_project_iam_member.autokey_project_admin]
}

# Enable Autokey on the folder; keys are provisioned in the key project
resource "google_kms_autokey_config" "autokey_config" {
  provider    = google-beta
  folder      = google_folder.autokms_folder.folder_id
  key_project = "projects/${google_project.key_project.project_id}"
  depends_on  = [time_sleep.wait_srv_acc_permissions]
}

# Wait delay for autokey config to take effect
resource "time_sleep" "wait_autokey_config" {
  create_duration = "10s"
  depends_on      = [google_kms_autokey_config.autokey_config]
}

# Request a key handle in the resource project; Autokey provisions the CryptoKey
resource "google_kms_key_handle" "example-keyhandle" {
  provider               = google-beta
  project                = google_project.resource_project.project_id
  name                   = "example-key-handle"
  location               = "global"
  resource_type_selector = "storage.googleapis.com/Bucket"
  depends_on             = [time_sleep.wait_autokey_config]
}
```
## Argument Reference
The following arguments are supported:
* `name` -
(Required)
The resource name for the KeyHandle.
* `resource_type_selector` -
(Required)
Selector for the type of resource that the auto-provisioned key will protect.
For example, `storage.googleapis.com/Bucket`.
* `location` -
(Required)
The location for the KeyHandle.
A full list of valid locations can be found by running `gcloud kms locations list`.
- - -
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/keyHandles/{{name}}`
* `kms_key` -
A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested
product/project/location, for example
`projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff`
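As an added example (not part of the provider documentation), the following shows how the exported `kms_key` is consumed by the resource type named in `resource_type_selector`: a Cloud Storage bucket in the resource project that uses the Autokey-provisioned key as its default CMEK key. It assumes the `google_project.resource_project` and `time_sleep.wait_autokey_config` resources from the example above; the bucket name `example-cmek-bucket` and the `us-central1` location are placeholders. The key handle is deliberately created in the same location as the bucket, because a CMEK key must match the location of the resource it protects.

```hcl
# Added example: a regional key handle and a bucket that consumes its key.
# Assumes google_project.resource_project and time_sleep.wait_autokey_config
# from the page's example; names and locations below are placeholders.
resource "google_kms_key_handle" "bucket_keyhandle" {
  provider               = google-beta
  project                = google_project.resource_project.project_id
  name                   = "example-bucket-key-handle"
  location               = "us-central1"
  resource_type_selector = "storage.googleapis.com/Bucket"
  depends_on             = [time_sleep.wait_autokey_config]
}

# The bucket lives in the resource project; the CryptoKey referenced by
# kms_key lives in the Autokey key project.
resource "google_storage_bucket" "cmek_bucket" {
  provider                    = google-beta
  project                     = google_project.resource_project.project_id
  name                        = "example-cmek-bucket"
  location                    = "US-CENTRAL1"
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = google_kms_key_handle.bucket_keyhandle.kms_key
  }

  depends_on = [google_kms_key_handle.bucket_keyhandle]
}

# Surface the provisioned key so it can be recorded and audited.
output "bucket_cmek_key" {
  value = google_kms_key_handle.bucket_keyhandle.kms_key
}
```

If the bucket create fails with a Cloud KMS permission error, confirm that the Cloud Storage service agent of the resource project holds `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key that `kms_key` resolves to before retrying. Because neither the KeyHandle nor its CryptoKey is deleted on `terraform destroy`, treat the `output` value as the record of what Autokey provisioned, so the key can be located and its versions destroyed or rotated later.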
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
KeyHandle can be imported using any of these accepted formats:
* `projects/{{project}}/locations/{{location}}/keyHandles/{{name}}`
* `{{project}}/{{location}}/{{name}}`
* `{{location}}/{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import KeyHandle using one of the formats above. For example:
```tf
import {
id = "projects/{{project}}/locations/{{location}}/keyHandles/{{name}}"
to = google_kms_key_handle.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), KeyHandle can be imported using one of the formats above. For example:
```
$ terraform import google_kms_key_handle.default projects/{{project}}/locations/{{location}}/keyHandles/{{name}}
$ terraform import google_kms_key_handle.default {{project}}/{{location}}/{{name}}
$ terraform import google_kms_key_handle.default {{location}}/{{name}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).