1. Docs
  2. Reference
  3. API
  4. mongodbatlas
  5. EncryptionAtRest

EncryptionAtRest

mongodbatlas..EncryptionAtRest Atlas encrypts your data at rest using encrypted storage media. Using keys you manage with AWS KMS, Atlas encrypts your data a second time when it writes it to the MongoDB encrypted storage engine. You can use the following clouds: AWS CMK, AZURE KEY VAULT and GOOGLE KEY VAULT to encrypt the MongoDB master encryption keys.

NOTE: Groups and projects are synonymous terms. You may find groupId in the official documentation.

Example Usage

using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;

class MyStack : Stack
{
    public MyStack()
    {
        var test = new Mongodbatlas.EncryptionAtRest("test", new Mongodbatlas.EncryptionAtRestArgs
        {
            AwsKms = new Mongodbatlas.Inputs.EncryptionAtRestAwsKmsArgs
            {
                Access_key_id = "AKIAIOSFODNN7EXAMPLE",
                Customer_master_key_id = "030gce02-586d-48d2-a966-05ea954fde0g",
                Enabled = true,
                Region = "US_EAST_1",
                Secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            },
            AzureKeyVault = new Mongodbatlas.Inputs.EncryptionAtRestAzureKeyVaultArgs
            {
                Azure_environment = "AZURE",
                Client_id = "g54f9e2-89e3-40fd-8188-EXAMPLEID",
                Enabled = true,
                Key_identifier = "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
                Key_vault_name = "EXAMPLEKeyVault",
                Resource_group_name = "ExampleRGName",
                Secret = "EXAMPLESECRET",
                Subscription_id = "0ec944e3-g725-44f9-a147-EXAMPLEID",
                Tenant_id = "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID",
            },
            GoogleCloudKms = new Mongodbatlas.Inputs.EncryptionAtRestGoogleCloudKmsArgs
            {
                Enabled = true,
                Key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
                Service_account_key = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
            },
            ProjectId = "<PROJECT-ID>",
        });
    }

}

Coming soon!

import pulumi
import pulumi_mongodbatlas as mongodbatlas

test = mongodbatlas.EncryptionAtRest("test",
    aws_kms={
        "access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "customer_master_key_id": "030gce02-586d-48d2-a966-05ea954fde0g",
        "enabled": True,
        "region": "US_EAST_1",
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    azure_key_vault={
        "azure_environment": "AZURE",
        "client_id": "g54f9e2-89e3-40fd-8188-EXAMPLEID",
        "enabled": True,
        "key_identifier": "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
        "key_vault_name": "EXAMPLEKeyVault",
        "resource_group_name": "ExampleRGName",
        "secret": "EXAMPLESECRET",
        "subscription_id": "0ec944e3-g725-44f9-a147-EXAMPLEID",
        "tenant_id": "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID",
    },
    google_cloud_kms={
        "enabled": True,
        "key_version_resource_id": "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
        "service_account_key": "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
    },
    project_id="<PROJECT-ID>")
import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";

const test = new mongodbatlas.EncryptionAtRest("test", {
    awsKms: {
        access_key_id: "AKIAIOSFODNN7EXAMPLE",
        customer_master_key_id: "030gce02-586d-48d2-a966-05ea954fde0g",
        enabled: true,
        region: "US_EAST_1",
        secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    azureKeyVault: {
        azure_environment: "AZURE",
        client_id: "g54f9e2-89e3-40fd-8188-EXAMPLEID",
        enabled: true,
        key_identifier: "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
        key_vault_name: "EXAMPLEKeyVault",
        resource_group_name: "ExampleRGName",
        secret: "EXAMPLESECRET",
        subscription_id: "0ec944e3-g725-44f9-a147-EXAMPLEID",
        tenant_id: "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID",
    },
    googleCloudKms: {
        enabled: true,
        key_version_resource_id: "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
        service_account_key: "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
    },
    projectId: "<PROJECT-ID>",
});

Create a EncryptionAtRest Resource

new EncryptionAtRest(name: string, args: EncryptionAtRestArgs, opts?: CustomResourceOptions);
def EncryptionAtRest(resource_name, opts=None, aws_kms=None, azure_key_vault=None, google_cloud_kms=None, project_id=None, __props__=None);
func NewEncryptionAtRest(ctx *Context, name string, args EncryptionAtRestArgs, opts ...ResourceOption) (*EncryptionAtRest, error)
public EncryptionAtRest(string name, EncryptionAtRestArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args EncryptionAtRestArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args EncryptionAtRestArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args EncryptionAtRestArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

EncryptionAtRest Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The EncryptionAtRest resource accepts the following input properties:

ProjectId string

The unique identifier for the project.

AwsKms EncryptionAtRestAwsKmsArgs

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

AzureKeyVault EncryptionAtRestAzureKeyVaultArgs

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

GoogleCloudKms EncryptionAtRestGoogleCloudKmsArgs

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

ProjectId string

The unique identifier for the project.

AwsKms EncryptionAtRestAwsKms

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

AzureKeyVault EncryptionAtRestAzureKeyVault

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

GoogleCloudKms EncryptionAtRestGoogleCloudKms

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

projectId string

The unique identifier for the project.

awsKms EncryptionAtRestAwsKms

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

azureKeyVault EncryptionAtRestAzureKeyVault

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

googleCloudKms EncryptionAtRestGoogleCloudKms

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

project_id str

The unique identifier for the project.

aws_kms Dict[EncryptionAtRestAwsKms]

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

azure_key_vault Dict[EncryptionAtRestAzureKeyVault]

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

google_cloud_kms Dict[EncryptionAtRestGoogleCloudKms]

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

Outputs

All input properties are implicitly available as output properties. Additionally, the EncryptionAtRest resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing EncryptionAtRest Resource

Get an existing EncryptionAtRest resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: EncryptionAtRestState, opts?: CustomResourceOptions): EncryptionAtRest
static get(resource_name, id, opts=None, aws_kms=None, azure_key_vault=None, google_cloud_kms=None, project_id=None, __props__=None);
func GetEncryptionAtRest(ctx *Context, name string, id IDInput, state *EncryptionAtRestState, opts ...ResourceOption) (*EncryptionAtRest, error)
public static EncryptionAtRest Get(string name, Input<string> id, EncryptionAtRestState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AwsKms EncryptionAtRestAwsKmsArgs

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

AzureKeyVault EncryptionAtRestAzureKeyVaultArgs

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

GoogleCloudKms EncryptionAtRestGoogleCloudKmsArgs

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

ProjectId string

The unique identifier for the project.

AwsKms EncryptionAtRestAwsKms

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

AzureKeyVault EncryptionAtRestAzureKeyVault

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

GoogleCloudKms EncryptionAtRestGoogleCloudKms

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

ProjectId string

The unique identifier for the project.

awsKms EncryptionAtRestAwsKms

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

azureKeyVault EncryptionAtRestAzureKeyVault

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

googleCloudKms EncryptionAtRestGoogleCloudKms

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

projectId string

The unique identifier for the project.

aws_kms Dict[EncryptionAtRestAwsKms]

Specifies AWS KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

azure_key_vault Dict[EncryptionAtRestAzureKeyVault]

Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.

google_cloud_kms Dict[EncryptionAtRestGoogleCloudKms]

Specifies GCP KMS configuration details and whether Encryption at Rest is enabled for an Atlas project.

project_id str

The unique identifier for the project.

Supporting Types

EncryptionAtRestAwsKms

See the input and output API doc for this type.

See the input and output API doc for this type.

See the input and output API doc for this type.

AccessKeyId string

The IAM access key ID with permissions to access the customer master key specified by customerMasterKeyID.

CustomerMasterKeyId string

The AWS customer master key used to encrypt and decrypt the MongoDB master keys.

Enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

Region string

The AWS region in which the AWS customer master key exists: CA_CENTRAL_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, SA_EAST_1

SecretAccessKey string

The IAM secret access key with permissions to access the customer master key specified by customerMasterKeyID.

AccessKeyId string

The IAM access key ID with permissions to access the customer master key specified by customerMasterKeyID.

CustomerMasterKeyId string

The AWS customer master key used to encrypt and decrypt the MongoDB master keys.

Enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

Region string

The AWS region in which the AWS customer master key exists: CA_CENTRAL_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, SA_EAST_1

SecretAccessKey string

The IAM secret access key with permissions to access the customer master key specified by customerMasterKeyID.

accessKeyId string

The IAM access key ID with permissions to access the customer master key specified by customerMasterKeyID.

customerMasterKeyId string

The AWS customer master key used to encrypt and decrypt the MongoDB master keys.

enabled boolean

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

region string

The AWS region in which the AWS customer master key exists: CA_CENTRAL_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, SA_EAST_1

secretAccessKey string

The IAM secret access key with permissions to access the customer master key specified by customerMasterKeyID.

access_key_id str

The IAM access key ID with permissions to access the customer master key specified by customerMasterKeyID.

customer_master_key_id str

The AWS customer master key used to encrypt and decrypt the MongoDB master keys.

enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

region str

The AWS region in which the AWS customer master key exists: CA_CENTRAL_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, SA_EAST_1

secret_access_key str

The IAM secret access key with permissions to access the customer master key specified by customerMasterKeyID.

EncryptionAtRestAzureKeyVault

See the input and output API doc for this type.

See the input and output API doc for this type.

See the input and output API doc for this type.

AzureEnvironment string

The Azure environment where the Azure account credentials reside. Valid values are the following: AZURE, AZURE_CHINA, AZURE_GERMANY

ClientId string

The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.

Enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

KeyIdentifier string

The unique identifier of a key in an Azure Key Vault.

KeyVaultName string

The name of an Azure Key Vault containing your key.

ResourceGroupName string

The name of the Azure Resource group that contains an Azure Key Vault.

Secret string

The secret associated with the Azure Key Vault specified by azureKeyVault.tenantID.

SubscriptionId string

The unique identifier associated with an Azure subscription.

TenantId string

The unique identifier for an Azure AD tenant within an Azure subscription.

AzureEnvironment string

The Azure environment where the Azure account credentials reside. Valid values are the following: AZURE, AZURE_CHINA, AZURE_GERMANY

ClientId string

The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.

Enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

KeyIdentifier string

The unique identifier of a key in an Azure Key Vault.

KeyVaultName string

The name of an Azure Key Vault containing your key.

ResourceGroupName string

The name of the Azure Resource group that contains an Azure Key Vault.

Secret string

The secret associated with the Azure Key Vault specified by azureKeyVault.tenantID.

SubscriptionId string

The unique identifier associated with an Azure subscription.

TenantId string

The unique identifier for an Azure AD tenant within an Azure subscription.

azureEnvironment string

The Azure environment where the Azure account credentials reside. Valid values are the following: AZURE, AZURE_CHINA, AZURE_GERMANY

clientId string

The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.

enabled boolean

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

keyIdentifier string

The unique identifier of a key in an Azure Key Vault.

keyVaultName string

The name of an Azure Key Vault containing your key.

resourceGroupName string

The name of the Azure Resource group that contains an Azure Key Vault.

secret string

The secret associated with the Azure Key Vault specified by azureKeyVault.tenantID.

subscriptionId string

The unique identifier associated with an Azure subscription.

tenantId string

The unique identifier for an Azure AD tenant within an Azure subscription.

azure_environment str

The Azure environment where the Azure account credentials reside. Valid values are the following: AZURE, AZURE_CHINA, AZURE_GERMANY

client_id str

The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.

enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

key_identifier str

The unique identifier of a key in an Azure Key Vault.

key_vault_name str

The name of an Azure Key Vault containing your key.

resource_group_name str

The name of the Azure Resource group that contains an Azure Key Vault.

secret str

The secret associated with the Azure Key Vault specified by azureKeyVault.tenantID.

subscription_id str

The unique identifier associated with an Azure subscription.

tenant_id str

The unique identifier for an Azure AD tenant within an Azure subscription.

EncryptionAtRestGoogleCloudKms

See the input and output API doc for this type.

See the input and output API doc for this type.

See the input and output API doc for this type.

Enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

KeyVersionResourceId string

The Key Version Resource ID from your GCP account.

ServiceAccountKey string

String-formatted JSON object containing GCP KMS credentials from your GCP account.

Enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

KeyVersionResourceId string

The Key Version Resource ID from your GCP account.

ServiceAccountKey string

String-formatted JSON object containing GCP KMS credentials from your GCP account.

enabled boolean

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

keyVersionResourceId string

The Key Version Resource ID from your GCP account.

serviceAccountKey string

String-formatted JSON object containing GCP KMS credentials from your GCP account.

enabled bool

Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.

key_version_resource_id str

The Key Version Resource ID from your GCP account.

service_account_key str

String-formatted JSON object containing GCP KMS credentials from your GCP account.

Package Details

Repository
https://github.com/pulumi/pulumi-mongodbatlas
License
Apache-2.0
Notes
This Pulumi package is based on the mongodbatlas Terraform Provider.