Module kms

This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Resource CryptoKey

class CryptoKey extends CustomResource

A CryptoKey represents a logical key that can be used for cryptographic operations.

Note: CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a provider-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource on the server. When the provider destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.
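One way to catch an accidental CryptoKey destruction before it is applied, alongside Pulumi's `protect` resource option, is to scan the previewed steps in CI. This is an added example rather than Pulumi or provider code; the preview JSON is constructed, and its `steps[].op` / `steps[].urn` shape and the stack and project names are assumptions.

```typescript
// Added example, not Pulumi code. Assumed input: the JSON printed by
// `pulumi preview --json`, reduced to steps[].op and steps[].urn.
interface PreviewStep { op: string; urn: string }

// Step kinds that end with the existing key (and its versions) destroyed.
const DESTRUCTIVE_OPS = ["delete", "replace", "delete-replaced"];
const CRYPTO_KEY_TYPE = "gcp:kms/cryptoKey:CryptoKey";

// URN layout: urn:pulumi:<stack>::<project>::<parentType$...$type>::<name>
function typeFromUrn(urn: string): string {
    const parts = urn.split("::");
    if (parts.length < 4) return "";
    const chain = parts[2].split("$");
    return chain[chain.length - 1];
}

// URNs of CryptoKeys the previewed update would destroy (deduplicated).
function cryptoKeysAtRisk(previewJson: string): string[] {
    const parsed = JSON.parse(previewJson);
    const steps: PreviewStep[] = parsed && Array.isArray(parsed.steps) ? parsed.steps : [];
    const hits: string[] = [];
    for (const step of steps) {
        if (typeof step.urn !== "string" || typeof step.op !== "string") continue;
        if (DESTRUCTIVE_OPS.indexOf(step.op) < 0) continue;
        if (typeFromUrn(step.urn) !== CRYPTO_KEY_TYPE) continue;
        if (hits.indexOf(step.urn) < 0) hits.push(step.urn);
    }
    return hits;
}

// Constructed preview: one key updated in place, one key replaced, and one
// KeyRing deleted (not flagged: destroying a KeyRing only removes it from state).
const REPLACED_KEY = "urn:pulumi:prod::billing::gcp:kms/cryptoKey:CryptoKey::example-asymmetric-sign-key";
const samplePreview = JSON.stringify({
    steps: [
        { op: "update", urn: "urn:pulumi:prod::billing::gcp:kms/cryptoKey:CryptoKey::example-key" },
        { op: "create-replacement", urn: REPLACED_KEY },
        { op: "replace", urn: REPLACED_KEY },
        { op: "delete-replaced", urn: REPLACED_KEY },
        { op: "delete", urn: "urn:pulumi:prod::billing::gcp:kms/keyRing:KeyRing::keyring" },
    ],
});

const atRisk = cryptoKeysAtRisk(samplePreview);
if (atRisk.length > 0) {
    console.log("Refusing to continue, CryptoKeys would be destroyed:", atRisk.join(", "));
}
```
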

To get more information about CryptoKey, see:

Example Usage - Kms Crypto Key Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const exampleKey = new gcp.kms.CryptoKey("example-key", {
    keyRing: keyring.id,
    rotationPeriod: "100000s",
});

Example Usage - Kms Crypto Key Asymmetric Sign

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const exampleAsymmetricSignKey = new gcp.kms.CryptoKey("example-asymmetric-sign-key", {
    keyRing: keyring.id,
    purpose: "ASYMMETRIC_SIGN",
    versionTemplate: {
        algorithm: "EC_SIGN_P384_SHA384",
    },
});

constructor

new CryptoKey(name: string, args: CryptoKeyArgs, opts?: pulumi.CustomResourceOptions)

Create a CryptoKey resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CryptoKeyState, opts?: pulumi.CustomResourceOptions): CryptoKey

Get an existing CryptoKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is CryptoKey

Returns true if the given object is an instance of CryptoKey. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyRing

public keyRing: pulumi.Output<string>;

The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

property labels

public labels: pulumi.Output<{[key: string]: string} | undefined>;

Labels with user-defined metadata to apply to this resource.

property name

public name: pulumi.Output<string>;

The resource name for the CryptoKey.

property purpose

public purpose: pulumi.Output<string | undefined>;

The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.

property rotationPeriod

public rotationPeriod: pulumi.Output<string | undefined>;

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400).

property selfLink

public selfLink: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property versionTemplate

public versionTemplate: pulumi.Output<CryptoKeyVersionTemplate>;

A template describing settings for new crypto key versions. Structure is documented below.

Resource CryptoKeyIAMBinding

class CryptoKeyIAMBinding extends CustomResource

Three different resources help you manage your IAM policy for a KMS crypto key. Each of these resources serves a different use case:

  • gcp.kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
  • gcp.kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
  • gcp.kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: gcp.kms.CryptoKeyIAMPolicy cannot be used in conjunction with gcp.kms.CryptoKeyIAMBinding and gcp.kms.CryptoKeyIAMMember or they will fight over what your policy should be.

Note: gcp.kms.CryptoKeyIAMBinding resources can be used in conjunction with gcp.kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.
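The difference between the three resources is easiest to see by applying each to the same starting policy. The sketch below is an added illustration, not Pulumi or provider code: it models a key's IAM policy in memory, and the `IamDecl` type, the `applyDecl` and `findConflicts` helpers, the service account, bob, and the `cryptoKeyDecrypter` grant are assumptions made for the example.

```typescript
// Added illustration: an in-memory model, not Pulumi or GCP provider code.
type Policy = { [role: string]: string[] };

type IamDecl =
    | { kind: "Policy"; name: string; keyId: string; bindings: Policy }
    | { kind: "Binding"; name: string; keyId: string; role: string; members: string[] }
    | { kind: "Member"; name: string; keyId: string; role: string; member: string };

function clonePolicy(p: Policy): Policy {
    const out: Policy = {};
    for (const role of Object.keys(p)) out[role] = p[role].slice();
    return out;
}

// The key's IAM policy after one declaration is applied to `current`.
function applyDecl(current: Policy, d: IamDecl): Policy {
    if (d.kind === "Policy") {
        // Authoritative: everything attached before is replaced.
        return clonePolicy(d.bindings);
    }
    const next = clonePolicy(current);
    if (d.kind === "Binding") {
        // Authoritative for one role: its member list is overwritten.
        next[d.role] = d.members.slice();
    } else {
        // Non-authoritative: one member is added, the others stay.
        const members = next[d.role] || [];
        if (members.indexOf(d.member) < 0) members.push(d.member);
        next[d.role] = members;
    }
    return next;
}

// Reports, per crypto key, the two combinations the notes above rule out.
function findConflicts(decls: IamDecl[]): string[] {
    const problems: string[] = [];
    const keyIds = decls.map(d => d.keyId).filter((k, i, all) => all.indexOf(k) === i);
    for (const keyId of keyIds) {
        const onKey = decls.filter(d => d.keyId === keyId);
        const policies = onKey.filter(d => d.kind === "Policy");
        const others = onKey.filter(d => d.kind !== "Policy");
        if (policies.length > 0 && others.length > 0) {
            problems.push(keyId + ": " + policies[0].name + " (IAMPolicy) is combined with " +
                others.map(o => o.name).join(", "));
        }
        for (const b of onKey) {
            if (b.kind !== "Binding") continue;
            const role = b.role;
            const clashing = onKey.filter(m => m.kind === "Member" && m.role === role);
            if (clashing.length > 0) {
                problems.push(keyId + ": " + b.name + " (IAMBinding) and " +
                    clashing.map(m => m.name).join(", ") + " both grant " + role);
            }
        }
    }
    return problems;
}

// Constructed sample data: a key that already carries two grants.
const KEY = "my-project/global/keyring/key";
const ENCRYPTER = "roles/cloudkms.cryptoKeyEncrypter";
const DECRYPTER = "roles/cloudkms.cryptoKeyDecrypter";
const APP = "serviceAccount:app@my-project.iam.gserviceaccount.com";
const JANE = "user:jane@example.com";
const existing: Policy = {};
existing[ENCRYPTER] = [APP, "user:bob@example.com"];
existing[DECRYPTER] = [APP];

// The same grant (jane as encrypter) declared three ways.
const janeOnly: Policy = {};
janeOnly[ENCRYPTER] = [JANE];
const asPolicy: IamDecl = { kind: "Policy", name: "key-policy", keyId: KEY, bindings: janeOnly };
const asBinding: IamDecl = { kind: "Binding", name: "enc-binding", keyId: KEY, role: ENCRYPTER, members: [JANE] };
const asMember: IamDecl = { kind: "Member", name: "jane-member", keyId: KEY, role: ENCRYPTER, member: JANE };

for (const d of [asMember, asBinding, asPolicy]) {
    console.log(d.kind, JSON.stringify(applyDecl(existing, d)));
}
console.log(findConflicts([asPolicy, asBinding, asMember]));
```

On the sample data only the Member form leaves bob and the application's service account on the encrypter role; the Binding form removes them from that role, and the Policy form also drops the decrypter grant.
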

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const key = new gcp.kms.CryptoKey("key", {
    keyRing: keyring.id,
    rotationPeriod: "100000s",
});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/cloudkms.cryptoKeyEncrypter",
        members: ["user:jane@example.com"],
    }],
});
const cryptoKey = new gcp.kms.CryptoKeyIAMPolicy("cryptoKey", {
    cryptoKeyId: key.id,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = pulumi.output(gcp.organizations.getIAMPolicy({
    bindings: [{
        condition: {
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            title: "expiresAfter20191231",
        },
        members: ["user:jane@example.com"],
        role: "roles/cloudkms.cryptoKeyEncrypter",
    }],
}, { async: true }));

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example.com"],
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

constructor

new CryptoKeyIAMBinding(name: string, args: CryptoKeyIAMBindingArgs, opts?: pulumi.CustomResourceOptions)

Create a CryptoKeyIAMBinding resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CryptoKeyIAMBindingState, opts?: pulumi.CustomResourceOptions): CryptoKeyIAMBinding

Get an existing CryptoKeyIAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is CryptoKeyIAMBinding

Returns true if the given object is an instance of CryptoKeyIAMBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<CryptoKeyIAMBindingCondition | undefined>;

An IAM Condition for a given binding. Structure is documented below.

property cryptoKeyId

public cryptoKeyId: pulumi.Output<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the project’s IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members

public members: pulumi.Output<string[]>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource CryptoKeyIAMMember

class CryptoKeyIAMMember extends CustomResource

Three different resources help you manage your IAM policy for a KMS crypto key. Each of these resources serves a different use case:

  • gcp.kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
  • gcp.kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
  • gcp.kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: gcp.kms.CryptoKeyIAMPolicy cannot be used in conjunction with gcp.kms.CryptoKeyIAMBinding and gcp.kms.CryptoKeyIAMMember or they will fight over what your policy should be.

Note: gcp.kms.CryptoKeyIAMBinding resources can be used in conjunction with gcp.kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const key = new gcp.kms.CryptoKey("key", {
    keyRing: keyring.id,
    rotationPeriod: "100000s",
});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/cloudkms.cryptoKeyEncrypter",
        members: ["user:jane@example.com"],
    }],
});
const cryptoKey = new gcp.kms.CryptoKeyIAMPolicy("cryptoKey", {
    cryptoKeyId: key.id,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = pulumi.output(gcp.organizations.getIAMPolicy({
    bindings: [{
        condition: {
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            title: "expiresAfter20191231",
        },
        members: ["user:jane@example.com"],
        role: "roles/cloudkms.cryptoKeyEncrypter",
    }],
}, { async: true }));

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example.com"],
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

constructor

new CryptoKeyIAMMember(name: string, args: CryptoKeyIAMMemberArgs, opts?: pulumi.CustomResourceOptions)

Create a CryptoKeyIAMMember resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CryptoKeyIAMMemberState, opts?: pulumi.CustomResourceOptions): CryptoKeyIAMMember

Get an existing CryptoKeyIAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is CryptoKeyIAMMember

Returns true if the given object is an instance of CryptoKeyIAMMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<CryptoKeyIAMMemberCondition | undefined>;

An IAM Condition for a given binding. Structure is documented below.

property cryptoKeyId

public cryptoKeyId: pulumi.Output<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the project’s IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member

public member: pulumi.Output<string>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource CryptoKeyIAMPolicy

class CryptoKeyIAMPolicy extends CustomResource

Three different resources help you manage your IAM policy for a KMS crypto key. Each of these resources serves a different use case:

  • gcp.kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
  • gcp.kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
  • gcp.kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: gcp.kms.CryptoKeyIAMPolicy cannot be used in conjunction with gcp.kms.CryptoKeyIAMBinding and gcp.kms.CryptoKeyIAMMember or they will fight over what your policy should be.

Note: gcp.kms.CryptoKeyIAMBinding resources can be used in conjunction with gcp.kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const key = new gcp.kms.CryptoKey("key", {
    keyRing: keyring.id,
    rotationPeriod: "100000s",
});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/cloudkms.cryptoKeyEncrypter",
        members: ["user:jane@example.com"],
    }],
});
const cryptoKey = new gcp.kms.CryptoKeyIAMPolicy("cryptoKey", {
    cryptoKeyId: key.id,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = pulumi.output(gcp.organizations.getIAMPolicy({
    bindings: [{
        condition: {
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            title: "expiresAfter20191231",
        },
        members: ["user:jane@example.com"],
        role: "roles/cloudkms.cryptoKeyEncrypter",
    }],
}, { async: true }));

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example.com"],
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: key.id, // the CryptoKey created in the first example above
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

constructor

new CryptoKeyIAMPolicy(name: string, args: CryptoKeyIAMPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a CryptoKeyIAMPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CryptoKeyIAMPolicyState, opts?: pulumi.CustomResourceOptions): CryptoKeyIAMPolicy

Get an existing CryptoKeyIAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is CryptoKeyIAMPolicy

Returns true if the given object is an instance of CryptoKeyIAMPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property cryptoKeyId

public cryptoKeyId: pulumi.Output<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the project’s IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource KeyRing

class KeyRing extends CustomResource

A KeyRing is a top-level logical grouping of CryptoKeys.

Note: KeyRings cannot be deleted from Google Cloud Platform. Destroying a provider-managed KeyRing will remove it from state but will not delete the resource on the server.

To get more information about KeyRing, see:

Example Usage - Kms Key Ring Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const exampleKeyring = new gcp.kms.KeyRing("example-keyring", {
    location: "global",
});

constructor

new KeyRing(name: string, args: KeyRingArgs, opts?: pulumi.CustomResourceOptions)

Create a KeyRing resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyRingState, opts?: pulumi.CustomResourceOptions): KeyRing

Get an existing KeyRing resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is KeyRing

Returns true if the given object is an instance of KeyRing. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property location

public location: pulumi.Output<string>;

The location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

property name

public name: pulumi.Output<string>;

The resource name for the KeyRing.

property project

public project: pulumi.Output<string>;

The ID of the project to which the resource belongs. If it is not provided, the provider project is used.

property selfLink

public selfLink: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource KeyRingIAMBinding

class KeyRingIAMBinding extends CustomResource

Three different resources help you manage your IAM policy for a KMS key ring. Each of these resources serves a different use case:

  • gcp.kms.KeyRingIAMPolicy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
  • gcp.kms.KeyRingIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
  • gcp.kms.KeyRingIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

Note: gcp.kms.KeyRingIAMPolicy cannot be used in conjunction with gcp.kms.KeyRingIAMBinding and gcp.kms.KeyRingIAMMember or they will fight over what your policy should be.

Note: gcp.kms.KeyRingIAMBinding resources can be used in conjunction with gcp.kms.KeyRingIAMMember resources only if they do not grant privilege to the same role.

google_kms_key_ring_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/editor",
        members: ["user:jane@example.com"],
    }],
});
const keyRing = new gcp.kms.KeyRingIAMPolicy("keyRing", {
    keyRingId: keyring.id,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/editor",
        members: ["user:jane@example.com"],
        condition: {
            title: "expiresAfter20191231",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    }],
});
const keyRing = new gcp.kms.KeyRingIAMPolicy("keyRing", {
    keyRingId: keyring.id,
    policyData: admin.then(admin => admin.policyData),
});

google_kms_key_ring_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMBinding("keyRing", {
    keyRingId: "your-key-ring-id",
    members: ["user:jane@example.com"],
    role: "roles/editor",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMBinding("keyRing", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    keyRingId: "your-key-ring-id",
    members: ["user:jane@example.com"],
    role: "roles/editor",
});

google_kms_key_ring_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMMember("keyRing", {
    keyRingId: "your-key-ring-id",
    member: "user:jane@example.com",
    role: "roles/editor",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMMember("keyRing", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    keyRingId: "your-key-ring-id",
    member: "user:jane@example.com",
    role: "roles/editor",
});

constructor

new KeyRingIAMBinding(name: string, args: KeyRingIAMBindingArgs, opts?: pulumi.CustomResourceOptions)

Create a KeyRingIAMBinding resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyRingIAMBindingState, opts?: pulumi.CustomResourceOptions): KeyRingIAMBinding

Get an existing KeyRingIAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is KeyRingIAMBinding

Returns true if the given object is an instance of KeyRingIAMBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<KeyRingIAMBindingCondition | undefined>;

An IAM Condition for a given binding. Structure is documented below.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the key ring’s IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyRingId

public keyRingId: pulumi.Output<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property members

public members: pulumi.Output<string[]>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource KeyRingIAMMember

class KeyRingIAMMember extends CustomResource

Three different resources help you manage your IAM policy for a KMS key ring. Each of these resources serves a different use case:

  • gcp.kms.KeyRingIAMPolicy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
  • gcp.kms.KeyRingIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
  • gcp.kms.KeyRingIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

Note: gcp.kms.KeyRingIAMPolicy cannot be used in conjunction with gcp.kms.KeyRingIAMBinding and gcp.kms.KeyRingIAMMember or they will fight over what your policy should be.

Note: gcp.kms.KeyRingIAMBinding resources can be used in conjunction with gcp.kms.KeyRingIAMMember resources only if they do not grant privilege to the same role.

google_kms_key_ring_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/editor",
        members: ["user:jane@example.com"],
    }],
});
const keyRing = new gcp.kms.KeyRingIAMPolicy("keyRing", {
    keyRingId: keyring.id,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/editor",
        members: ["user:jane@example.com"],
        condition: {
            title: "expiresAfter20191231",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    }],
});
const keyRing = new gcp.kms.KeyRingIAMPolicy("keyRing", {
    keyRingId: keyring.id,
    policyData: admin.then(admin => admin.policyData),
});

google_kms_key_ring_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMBinding("keyRing", {
    keyRingId: "your-key-ring-id",
    members: ["user:jane@example.com"],
    role: "roles/editor",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMBinding("keyRing", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    keyRingId: "your-key-ring-id",
    members: ["user:jane@example.com"],
    role: "roles/editor",
});

google_kms_key_ring_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMMember("keyRing", {
    keyRingId: "your-key-ring-id",
    member: "user:jane@example.com",
    role: "roles/editor",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMMember("keyRing", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    keyRingId: "your-key-ring-id",
    member: "user:jane@example.com",
    role: "roles/editor",
});

constructor

new KeyRingIAMMember(name: string, args: KeyRingIAMMemberArgs, opts?: pulumi.CustomResourceOptions)

Create a KeyRingIAMMember resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyRingIAMMemberState, opts?: pulumi.CustomResourceOptions): KeyRingIAMMember

Get an existing KeyRingIAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is KeyRingIAMMember

Returns true if the given object is an instance of KeyRingIAMMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<KeyRingIAMMemberCondition | undefined>;

An IAM Condition for a given binding. Structure is documented below.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the key ring’s IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyRingId

public keyRingId: pulumi.Output<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property member

public member: pulumi.Output<string>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource KeyRingIAMPolicy

class KeyRingIAMPolicy extends CustomResource

Three different resources help you manage your IAM policy for a KMS key ring. Each of these resources serves a different use case:

  • gcp.kms.KeyRingIAMPolicy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
  • gcp.kms.KeyRingIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
  • gcp.kms.KeyRingIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

Note: gcp.kms.KeyRingIAMPolicy cannot be used in conjunction with gcp.kms.KeyRingIAMBinding and gcp.kms.KeyRingIAMMember or they will fight over what your policy should be.

Note: gcp.kms.KeyRingIAMBinding resources can be used in conjunction with gcp.kms.KeyRingIAMMember resources only if they do not grant privilege to the same role.

google_kms_key_ring_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/editor",
        members: ["user:jane@example.com"],
    }],
});
const keyRing = new gcp.kms.KeyRingIAMPolicy("keyRing", {
    keyRingId: keyring.id,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/editor",
        members: ["user:jane@example.com"],
        condition: {
            title: "expiresAfter20191231",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    }],
});
const keyRing = new gcp.kms.KeyRingIAMPolicy("keyRing", {
    keyRingId: keyring.id,
    policyData: admin.then(admin => admin.policyData),
});

google_kms_key_ring_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMBinding("keyRing", {
    keyRingId: "your-key-ring-id",
    members: ["user:jane@example.com"],
    role: "roles/editor",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMBinding("keyRing", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    keyRingId: "your-key-ring-id",
    members: ["user:jane@example.com"],
    role: "roles/editor",
});

google_kms_key_ring_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMMember("keyRing", {
    keyRingId: "your-key-ring-id",
    member: "user:jane@example.com",
    role: "roles/editor",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyRing = new gcp.kms.KeyRingIAMMember("keyRing", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    keyRingId: "your-key-ring-id",
    member: "user:jane@example.com",
    role: "roles/editor",
});
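
The authoritative and non-authoritative semantics, and the two notes about combining these resources, can be modelled and checked before deployment. The following is an added example, not code from @pulumi/gcp: the `Decl` shape, the function names, and the sample key ring ID and members are assumptions made for illustration.

```typescript
// Added example: a plain-data model of the three key ring IAM resources.
// Nothing here calls the cloud; Decl and the functions below are hypothetical.
type RoleBinding = { role: string; members: string[] };
type Decl =
    | { kind: "KeyRingIAMPolicy"; name: string; keyRingId: string; bindings: RoleBinding[] }
    | { kind: "KeyRingIAMBinding"; name: string; keyRingId: string; role: string; members: string[] }
    | { kind: "KeyRingIAMMember"; name: string; keyRingId: string; role: string; member: string };
type Policy = { [role: string]: string[] };

function clonePolicy(p: Policy): Policy {
    const out: Policy = {};
    Object.keys(p).forEach(role => { out[role] = p[role].slice(); });
    return out;
}

// Effect of one resource on the key ring's policy, following the text above:
// Policy replaces everything, Binding replaces one role, Member adds one member.
function applyDecl(current: Policy, d: Decl): Policy {
    if (d.kind === "KeyRingIAMPolicy") {
        const replaced: Policy = {};
        d.bindings.forEach(b => { replaced[b.role] = b.members.slice(); });
        return replaced;
    }
    const next = clonePolicy(current);
    if (d.kind === "KeyRingIAMBinding") {
        next[d.role] = d.members.slice();
        return next;
    }
    const members = next[d.role] || [];
    if (members.indexOf(d.member) === -1) members.push(d.member);
    next[d.role] = members;
    return next;
}

function applyAll(start: Policy, decls: Decl[]): Policy {
    return decls.reduce<Policy>((p, d) => applyDecl(p, d), start);
}

// Reports the combinations the notes above rule out, per key ring.
function findConflicts(decls: Decl[]): string[] {
    const problems: string[] = [];
    const rings: string[] = [];
    decls.forEach(d => { if (rings.indexOf(d.keyRingId) === -1) rings.push(d.keyRingId); });
    rings.forEach(ring => {
        const onRing = decls.filter(d => d.keyRingId === ring);
        const policies = onRing.filter(d => d.kind === "KeyRingIAMPolicy");
        const others = onRing.filter(d => d.kind !== "KeyRingIAMPolicy");
        if (policies.length > 0 && others.length > 0) {
            problems.push(ring + ": KeyRingIAMPolicy combined with " +
                others.map(d => d.kind + " '" + d.name + "'").join(", "));
        }
        const bindingRoles: { [role: string]: number } = {};
        const memberRoles: { [role: string]: boolean } = {};
        onRing.forEach(d => {
            if (d.kind === "KeyRingIAMBinding") bindingRoles[d.role] = (bindingRoles[d.role] || 0) + 1;
            if (d.kind === "KeyRingIAMMember") memberRoles[d.role] = true;
        });
        Object.keys(bindingRoles).forEach(role => {
            if (bindingRoles[role] > 1) {
                problems.push(ring + ": more than one KeyRingIAMBinding for " + role);
            }
            if (memberRoles[role]) {
                problems.push(ring + ": KeyRingIAMBinding and KeyRingIAMMember both grant " + role);
            }
        });
    });
    return problems;
}

// Constructed sample: a Binding and a Member that both grant roles/editor.
const sampleRing = "my-project/global/keyring";
const sampleDecls: Decl[] = [
    { kind: "KeyRingIAMBinding", name: "editors", keyRingId: sampleRing,
      role: "roles/editor", members: ["user:jane@example.com"] },
    { kind: "KeyRingIAMMember", name: "extra-editor", keyRingId: sampleRing,
      role: "roles/editor", member: "user:joe@example.com" },
    { kind: "KeyRingIAMMember", name: "viewer", keyRingId: sampleRing,
      role: "roles/viewer", member: "user:ann@example.com" },
];

// The outcome depends on which resource wrote last, which is why they "fight":
// Member then Binding drops joe; Binding then Member keeps both.
console.log(findConflicts(sampleDecls));
console.log(applyAll({}, [sampleDecls[1], sampleDecls[0]]));
console.log(applyAll({}, [sampleDecls[0], sampleDecls[1]]));
```
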

constructor

new KeyRingIAMPolicy(name: string, args: KeyRingIAMPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a KeyRingIAMPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyRingIAMPolicyState, opts?: pulumi.CustomResourceOptions): KeyRingIAMPolicy

Get an existing KeyRingIAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is KeyRingIAMPolicy

Returns true if the given object is an instance of KeyRingIAMPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the key ring’s IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyRingId

public keyRingId: pulumi.Output<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Registry

DEPRECATED gcp.kms.Registry has been deprecated in favor of gcp.iot.Registry

class Registry extends CustomResource

A Google Cloud IoT Core device registry.

To get more information about DeviceRegistry, see:

  • API documentation: https://cloud.google.com/iot/docs/reference/cloudiot/rest/
  • How-to Guides
      • Official Documentation: https://cloud.google.com/iot/docs/

Example Usage - Cloudiot Device Registry Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const testRegistry = new gcp.iot.Registry("test-registry", {});

Example Usage - Cloudiot Device Registry Single Event Notification Configs

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const defaultTelemetry = new gcp.pubsub.Topic("default-telemetry", {});
const testRegistry = new gcp.iot.Registry("test-registry", {
    eventNotificationConfigs: [{
        pubsubTopicName: defaultTelemetry.id,
        subfolderMatches: "",
    }],
});

Example Usage - Cloudiot Device Registry Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as fs from "fs";

const defaultDevicestatus = new gcp.pubsub.Topic("default-devicestatus", {});
const defaultTelemetry = new gcp.pubsub.Topic("default-telemetry", {});
const additionalTelemetry = new gcp.pubsub.Topic("additional-telemetry", {});
const testRegistry = new gcp.iot.Registry("test-registry", {
    eventNotificationConfigs: [
        {
            pubsubTopicName: additionalTelemetry.id,
            subfolderMatches: "test/path",
        },
        {
            pubsubTopicName: defaultTelemetry.id,
            subfolderMatches: "",
        },
    ],
    stateNotificationConfig: {
        pubsubTopicName: defaultDevicestatus.id,
    },
    mqttConfig: {
        mqttEnabledState: "MQTT_ENABLED",
    },
    httpConfig: {
        httpEnabledState: "HTTP_ENABLED",
    },
    logLevel: "INFO",
    credentials: [{
        publicKeyCertificate: {
            format: "X509_CERTIFICATE_PEM",
            // Read the PEM file as text; the certificate field takes a string.
            certificate: fs.readFileSync("test-fixtures/rsa_cert.pem", "utf8"),
        },
    }],
});

constructor

DEPRECATED gcp.kms.Registry has been deprecated in favor of gcp.iot.Registry

new Registry(name: string, args?: RegistryArgs, opts?: pulumi.CustomResourceOptions)

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RegistryState, opts?: pulumi.CustomResourceOptions): Registry

Get an existing Registry resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Registry

Returns true if the given object is an instance of Registry. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property credentials

public credentials: pulumi.Output<RegistryCredential[] | undefined>;

List of public key certificates to authenticate devices. The structure is documented below.

property eventNotificationConfigs

public eventNotificationConfigs: pulumi.Output<RegistryEventNotificationConfigItem[]>;

List of configurations for event notifications, such as PubSub topics to publish device events to. Structure is documented below.

property httpConfig

public httpConfig: pulumi.Output<RegistryHttpConfig>;

Activate or deactivate HTTP. The structure is documented below.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property logLevel

public logLevel: pulumi.Output<string | undefined>;

The default logging verbosity for activity from devices in this registry. Specifies which events should be written to logs. For example, if the LogLevel is ERROR, only events that terminate in errors will be logged. LogLevel is inclusive; enabling INFO logging will also enable ERROR logging.

property mqttConfig

public mqttConfig: pulumi.Output<RegistryMqttConfig>;

Activate or deactivate MQTT. The structure is documented below.

property name

public name: pulumi.Output<string>;

A unique name for the resource, required by device registry.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property region

public region: pulumi.Output<string>;

The region in which the created registry should reside. If it is not provided, the provider region is used.

property stateNotificationConfig

public stateNotificationConfig: pulumi.Output<RegistryStateNotificationConfig | undefined>;

A PubSub topic to publish device state updates. The structure is documented below.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretCiphertext

class SecretCiphertext extends CustomResource

Encrypts secret data with Google Cloud KMS and provides access to the ciphertext.

NOTE: Using this resource will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

To get more information about SecretCiphertext, see:

Warning: All arguments including plaintext and additionalAuthenticatedData will be stored in the raw state as plain-text. Read more about secrets in state.

Example Usage - Kms Secret Ciphertext Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const cryptokey = new gcp.kms.CryptoKey("cryptokey", {
    keyRing: keyring.id,
    rotationPeriod: "100000s",
});
const myPassword = new gcp.kms.SecretCiphertext("myPassword", {
    cryptoKey: cryptokey.id,
    plaintext: "my-secret-password",
});
const instance = new gcp.compute.Instance("instance", {
    machineType: "n1-standard-1",
    zone: "us-central1-a",
    bootDisk: {
        initializeParams: {
            image: "debian-cloud/debian-9",
        },
    },
    networkInterfaces: [{
        network: "default",
        accessConfigs: [{}],
    }],
    metadata: {
        // Only the KMS ciphertext is placed in instance metadata.
        password: myPassword.ciphertext,
    },
});
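
The warning above can be checked against an exported stack state. The following is an added example, not part of the Pulumi SDK: it scans a state document for SecretCiphertext resources whose plaintext or additionalAuthenticatedData is stored as an ordinary string. The state layout (`deployment.resources[].inputs/outputs`), the secret-envelope signature values, the type token, and the sample state are assumptions based on how Pulumi serializes checkpoints; the sample is constructed.

```typescript
// Added example. Assumption: Pulumi marks an encrypted secret value in state
// as an object carrying this signature key/value pair next to its ciphertext.
const SIG_KEY = "4dabf18193072939515e22adb298388d";
const SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270";

// Assumed type token for gcp.kms.SecretCiphertext, and the two arguments the
// warning names as stored in raw state.
const SECRET_CIPHERTEXT_TYPE = "gcp:kms/secretCiphertext:SecretCiphertext";
const SENSITIVE_PROPS = ["plaintext", "additionalAuthenticatedData"];

interface Finding {
    urn: string;   // resource that holds the exposed value
    path: string;  // e.g. "inputs.plaintext"; the value itself is never copied
}

function isSecretEnvelope(v: unknown): boolean {
    return typeof v === "object" && v !== null &&
        (v as { [k: string]: unknown })[SIG_KEY] === SECRET_SIG;
}

// Returns one finding per sensitive property that is present in state
// but not wrapped as a secret.
function findPlaintextSecrets(stateJson: string): Finding[] {
    const doc = JSON.parse(stateJson);
    const resources: any[] = (doc.deployment && doc.deployment.resources) || [];
    const findings: Finding[] = [];
    resources.forEach((res: any) => {
        if (res.type !== SECRET_CIPHERTEXT_TYPE) return;
        ["inputs", "outputs"].forEach(bag => {
            const props = res[bag] || {};
            SENSITIVE_PROPS.forEach(prop => {
                const value = props[prop];
                if (value !== undefined && !isSecretEnvelope(value)) {
                    findings.push({ urn: res.urn, path: bag + "." + prop });
                }
            });
        });
    });
    return findings;
}

// Constructed sample state: "myPassword" was given a literal string,
// "wrapped" was given a secret value, and the KeyRing is ignored.
const SAMPLE_STATE = JSON.stringify({
    version: 3,
    deployment: {
        resources: [
            {
                urn: "urn:pulumi:dev::demo::gcp:kms/keyRing:KeyRing::keyring",
                type: "gcp:kms/keyRing:KeyRing",
                inputs: { location: "global" },
                outputs: { location: "global" },
            },
            {
                urn: "urn:pulumi:dev::demo::" + SECRET_CIPHERTEXT_TYPE + "::myPassword",
                type: SECRET_CIPHERTEXT_TYPE,
                inputs: { cryptoKey: "constructed-key-id", plaintext: "my-secret-password" },
                outputs: { ciphertext: "Y29uc3RydWN0ZWQ=", plaintext: "my-secret-password" },
            },
            {
                urn: "urn:pulumi:dev::demo::" + SECRET_CIPHERTEXT_TYPE + "::wrapped",
                type: SECRET_CIPHERTEXT_TYPE,
                inputs: { plaintext: { [SIG_KEY]: SECRET_SIG, ciphertext: "v1:constructed" } },
                outputs: { plaintext: { [SIG_KEY]: SECRET_SIG, ciphertext: "v1:constructed" } },
            },
        ],
    },
});

console.log(findPlaintextSecrets(SAMPLE_STATE));
```
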

constructor

new SecretCiphertext(name: string, args: SecretCiphertextArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretCiphertext resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretCiphertextState, opts?: pulumi.CustomResourceOptions): SecretCiphertext

Get an existing SecretCiphertext resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretCiphertext

Returns true if the given object is an instance of SecretCiphertext. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property additionalAuthenticatedData

public additionalAuthenticatedData: pulumi.Output<string | undefined>;

The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

property ciphertext

public ciphertext: pulumi.Output<string>;

Contains the result of encrypting the provided plaintext, encoded in base64.

property cryptoKey

public cryptoKey: pulumi.Output<string>;

The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property plaintext

public plaintext: pulumi.Output<string>;

The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getKMSCryptoKey

getKMSCryptoKey(args: GetKMSCryptoKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetKMSCryptoKeyResult>

Provides access to a Google Cloud Platform KMS CryptoKey. For more information see the official documentation and API.

A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a Google Cloud KMS KeyRing.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myKeyRing = gcp.kms.getKMSKeyRing({
    name: "my-key-ring",
    location: "us-central1",
});
const myCryptoKey = myKeyRing.then(myKeyRing => gcp.kms.getKMSCryptoKey({
    name: "my-crypto-key",
    keyRing: myKeyRing.selfLink,
}));

Function getKMSCryptoKeyVersion

getKMSCryptoKeyVersion(args: GetKMSCryptoKeyVersionArgs, opts?: pulumi.InvokeOptions): Promise<GetKMSCryptoKeyVersionResult>

Provides access to a Google Cloud Platform KMS CryptoKeyVersion. For more information see the official documentation and API.

A CryptoKeyVersion represents an individual cryptographic key, and the associated key material.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myKeyRing = gcp.kms.getKMSKeyRing({
    name: "my-key-ring",
    location: "us-central1",
});
const myCryptoKey = myKeyRing.then(myKeyRing => gcp.kms.getKMSCryptoKey({
    name: "my-crypto-key",
    keyRing: myKeyRing.selfLink,
}));
// Look up the key version through the CryptoKey resolved above.
const myCryptoKeyVersion = myCryptoKey.then(myCryptoKey => gcp.kms.getKMSCryptoKeyVersion({
    cryptoKey: myCryptoKey.selfLink,
}));

Function getKMSKeyRing

getKMSKeyRing(args: GetKMSKeyRingArgs, opts?: pulumi.InvokeOptions): Promise<GetKMSKeyRingResult>

Provides access to Google Cloud Platform KMS KeyRing. For more information see the official documentation and API.

A KeyRing is a grouping of CryptoKeys for organizational purposes. A KeyRing belongs to a Google Cloud Platform Project and resides in a specific location.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myKeyRing = pulumi.output(gcp.kms.getKMSKeyRing({
    location: "us-central1",
    name: "my-key-ring",
}, { async: true }));

Function getKMSSecret

getKMSSecret(args: GetKMSSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetKMSSecretResult>

This data source allows you to use data encrypted with Google Cloud KMS within your resource definitions.

For more information see the official documentation.

NOTE: Using this data provider will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

Function getKMSSecretCiphertext

getKMSSecretCiphertext(args: GetKMSSecretCiphertextArgs, opts?: pulumi.InvokeOptions): Promise<GetKMSSecretCiphertextResult>

Warning: This data source is deprecated. Use the gcp.kms.SecretCiphertext resource instead.

This data source allows you to encrypt data with Google Cloud KMS and use the ciphertext within your resource definitions.

For more information see the official documentation.

NOTE: Using this data source will allow you to conceal secret data within your resource definitions, but it does not take care of protecting that data in the logging output, plan output, or state output. Please take care to secure your secret data outside of resource definitions.

Others

interface CryptoKeyArgs

interface CryptoKeyArgs

The set of arguments for constructing a CryptoKey resource.

property keyRing

keyRing: pulumi.Input<string>;

The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

property labels

labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

Labels with user-defined metadata to apply to this resource.

property name

name?: pulumi.Input<string>;

The resource name for the CryptoKey.

property purpose

purpose?: pulumi.Input<string>;

The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.

property rotationPeriod

rotationPeriod?: pulumi.Input<string>;

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400).

property versionTemplate

versionTemplate?: pulumi.Input<CryptoKeyVersionTemplate>;

A template describing settings for new crypto key versions. Structure is documented below.

interface CryptoKeyIAMBindingArgs

interface CryptoKeyIAMBindingArgs

The set of arguments for constructing a CryptoKeyIAMBinding resource.

property condition

condition?: pulumi.Input<CryptoKeyIAMBindingCondition>;

An IAM Condition for a given binding. Structure is documented below.

property cryptoKeyId

cryptoKeyId: pulumi.Input<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property role

role: pulumi.Input<string>;

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface CryptoKeyIAMBindingState

interface CryptoKeyIAMBindingState

Input properties used for looking up and filtering CryptoKeyIAMBinding resources.

property condition

condition?: pulumi.Input<CryptoKeyIAMBindingCondition>;

An IAM Condition for a given binding. Structure is documented below.

property cryptoKeyId

cryptoKeyId?: pulumi.Input<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the project’s IAM policy.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface CryptoKeyIAMMemberArgs

interface CryptoKeyIAMMemberArgs

The set of arguments for constructing a CryptoKeyIAMMember resource.

property condition

condition?: pulumi.Input<CryptoKeyIAMMemberCondition>;

An IAM Condition for a given binding. Structure is documented below.

property cryptoKeyId

cryptoKeyId: pulumi.Input<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property member

member: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface CryptoKeyIAMMemberState

interface CryptoKeyIAMMemberState

Input properties used for looking up and filtering CryptoKeyIAMMember resources.

property condition

condition?: pulumi.Input<CryptoKeyIAMMemberCondition>;

An IAM Condition for a given binding. Structure is documented below.

property cryptoKeyId

cryptoKeyId?: pulumi.Input<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the project’s IAM policy.

property member

member?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface CryptoKeyIAMPolicyArgs

interface CryptoKeyIAMPolicyArgs

The set of arguments for constructing a CryptoKeyIAMPolicy resource.

property cryptoKeyId

cryptoKeyId: pulumi.Input<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

interface CryptoKeyIAMPolicyState

interface CryptoKeyIAMPolicyState

Input properties used for looking up and filtering CryptoKeyIAMPolicy resources.

property cryptoKeyId

cryptoKeyId?: pulumi.Input<string>;

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider’s project setting will be used as a fallback.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the project’s IAM policy.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

interface CryptoKeyState

interface CryptoKeyState

Input properties used for looking up and filtering CryptoKey resources.

property keyRing

keyRing?: pulumi.Input<string>;

The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.

property labels

labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

Labels with user-defined metadata to apply to this resource.

property name

name?: pulumi.Input<string>;

The resource name for the CryptoKey.

property purpose

purpose?: pulumi.Input<string>;

The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.

property rotationPeriod

rotationPeriod?: pulumi.Input<string>;

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400).

property selfLink

selfLink?: pulumi.Input<string>;

property versionTemplate

versionTemplate?: pulumi.Input<CryptoKeyVersionTemplate>;

A template describing settings for new crypto key versions. Structure is documented below.

interface GetKMSCryptoKeyArgs

interface GetKMSCryptoKeyArgs

A collection of arguments for invoking getKMSCryptoKey.

property keyRing

keyRing: string;

The selfLink of the Google Cloud Platform KeyRing to which the key belongs.

property name

name: string;

The CryptoKey’s name. A CryptoKey’s name must belong to the specified Google Cloud Platform KeyRing and match the regular expression [a-zA-Z0-9_-]{1,63}

interface GetKMSCryptoKeyResult

interface GetKMSCryptoKeyResult

A collection of values returned by getKMSCryptoKey.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyRing

keyRing: string;

property labels

labels: {[key: string]: string};

property name

name: string;

property purpose

purpose: string;

Defines the cryptographic capabilities of the key.

property rotationPeriod

rotationPeriod: string;

Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds).

property selfLink

selfLink: string;

The self link of the created CryptoKey. Its format is projects/{projectId}/locations/{location}/keyRings/{keyRingName}/cryptoKeys/{cryptoKeyName}.

property versionTemplates

versionTemplates: GetKMSCryptoKeyVersionTemplate[];

interface GetKMSCryptoKeyVersionArgs

interface GetKMSCryptoKeyVersionArgs

A collection of arguments for invoking getKMSCryptoKeyVersion.

property cryptoKey

cryptoKey: string;

The selfLink of the Google Cloud Platform CryptoKey to which the key version belongs.

property version

version?: undefined | number;

The version number for this CryptoKeyVersion. Defaults to 1.

interface GetKMSCryptoKeyVersionResult

interface GetKMSCryptoKeyVersionResult

A collection of values returned by getKMSCryptoKeyVersion.

property algorithm

algorithm: string;

The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.

property cryptoKey

cryptoKey: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property protectionLevel

protectionLevel: string;

The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion. See the protectionLevel reference for possible outputs.

property publicKey

publicKey: GetKMSCryptoKeyVersionPublicKey;

If the enclosing CryptoKey has purpose ASYMMETRIC_SIGN or ASYMMETRIC_DECRYPT, this block contains details about the public key associated to this CryptoKeyVersion. Structure is documented below.

property state

state: string;

The current state of the CryptoKeyVersion. See the state reference for possible outputs.

property version

version?: undefined | number;

interface GetKMSKeyRingArgs

interface GetKMSKeyRingArgs

A collection of arguments for invoking getKMSKeyRing.

property location

location: string;

The Google Cloud Platform location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

property name

name: string;

The KeyRing’s name. A KeyRing name must exist within the provided location and match the regular expression [a-zA-Z0-9_-]{1,63}

property project

project?: undefined | string;

The project in which the resource belongs. If it is not provided, the provider project is used.

interface GetKMSKeyRingResult

interface GetKMSKeyRingResult

A collection of values returned by getKMSKeyRing.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property location

location: string;

property name

name: string;

property project

project?: undefined | string;

property selfLink

selfLink: string;

The self link of the created KeyRing. Its format is projects/{projectId}/locations/{location}/keyRings/{keyRingName}.

interface GetKMSSecretArgs

interface GetKMSSecretArgs

A collection of arguments for invoking getKMSSecret.

property additionalAuthenticatedData

additionalAuthenticatedData?: undefined | string;

The additional authenticated data used for integrity checks during encryption and decryption.

property ciphertext

ciphertext: string;

The ciphertext to be decrypted, encoded in base64.

property cryptoKey

cryptoKey: string;

The id of the CryptoKey that will be used to decrypt the provided ciphertext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.

interface GetKMSSecretCiphertextArgs

interface GetKMSSecretCiphertextArgs

A collection of arguments for invoking getKMSSecretCiphertext.

property cryptoKey

cryptoKey: string;

The id of the CryptoKey that will be used to encrypt the provided plaintext. This is represented by the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.

property plaintext

plaintext: string;

The plaintext to be encrypted.

interface GetKMSSecretCiphertextResult

interface GetKMSSecretCiphertextResult

A collection of values returned by getKMSSecretCiphertext.

property ciphertext

ciphertext: string;

Contains the result of encrypting the provided plaintext, encoded in base64.

property cryptoKey

cryptoKey: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property plaintext

plaintext: string;

interface GetKMSSecretResult

interface GetKMSSecretResult

A collection of values returned by getKMSSecret.

property additionalAuthenticatedData

additionalAuthenticatedData?: undefined | string;

property ciphertext

ciphertext: string;

property cryptoKey

cryptoKey: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property plaintext

plaintext: string;

Contains the result of decrypting the provided ciphertext.

interface KeyRingArgs

interface KeyRingArgs

The set of arguments for constructing a KeyRing resource.

property location

location: pulumi.Input<string>;

The location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

property name

name?: pulumi.Input<string>;

The resource name for the KeyRing.

property project

project?: pulumi.Input<string>;

The ID of the project to which the resource belongs. If it is not provided, the provider project is used.

interface KeyRingIAMBindingArgs

interface KeyRingIAMBindingArgs

The set of arguments for constructing a KeyRingIAMBinding resource.

property condition

condition?: pulumi.Input<KeyRingIAMBindingCondition>;

An IAM Condition for a given binding. Structure is documented below.

property keyRingId

keyRingId: pulumi.Input<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
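The second keyRingId form silently takes the provider's project, so resolving either form to an explicit path before creating a binding makes the target of the grant visible. This is an added example, not code from the Pulumi provider: resolveKeyRingId, isValidRole and ResolvedKeyRing are hypothetical names, and location names are assumed to follow the same character rule this page gives for KeyRing names.

```typescript
// Added example (not part of the Pulumi provider): resolve the two accepted
// keyRingId forms to one explicit resource path before granting a role on it.
// Assumption: location names use the same character set as key ring names.
const SEGMENT = /^[a-zA-Z0-9_-]{1,63}$/; // KeyRing name rule quoted on this page
const CUSTOM_ROLE = /^(projects|organizations)\/[^/]+\/roles\/[^/]+$/;

interface ResolvedKeyRing {
    project: string;
    location: string;
    name: string;
    selfLink: string;
    usedProviderFallback: boolean; // true when the short form was given
}

function resolveKeyRingId(keyRingId: string, providerProject?: string): ResolvedKeyRing {
    const parts: string[] = keyRingId.split("/");
    if (parts.length !== 2 && parts.length !== 3) {
        throw new Error(`keyRingId must have 2 or 3 segments: ${keyRingId}`);
    }
    const usedProviderFallback = parts.length === 2;
    if (usedProviderFallback && !providerProject) {
        throw new Error("short keyRingId form needs a provider project");
    }
    // Short form: {location_name}/{key_ring_name}; long form adds {project_id}.
    const [project, location, name] = usedProviderFallback
        ? [providerProject as string, parts[0], parts[1]]
        : parts;
    if (project.length === 0 || !SEGMENT.test(location) || !SEGMENT.test(name)) {
        throw new Error(`invalid keyRingId: ${keyRingId}`);
    }
    const selfLink = `projects/${project}/locations/${location}/keyRings/${name}`;
    return { project, location, name, selfLink, usedProviderFallback };
}

// Predefined roles ("roles/...") pass through; anything else must match the
// custom role format given on this page.
function isValidRole(role: string): boolean {
    return /^roles\/[^/]+$/.test(role) || CUSTOM_ROLE.test(role);
}
```

Logging or asserting on usedProviderFallback in a deployment pipeline catches grants that would land in whichever project the provider happens to be configured with.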

interface KeyRingIAMBindingState

interface KeyRingIAMBindingState

Input properties used for looking up and filtering KeyRingIAMBinding resources.

property condition

condition?: pulumi.Input<KeyRingIAMBindingCondition>;

An IAM Condition for a given binding. Structure is documented below.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the key ring’s IAM policy.

property keyRingId

keyRingId?: pulumi.Input<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface KeyRingIAMMemberArgs

interface KeyRingIAMMemberArgs

The set of arguments for constructing a KeyRingIAMMember resource.

property condition

condition?: pulumi.Input<KeyRingIAMMemberCondition>;

An IAM Condition for a given binding. Structure is documented below.

property keyRingId

keyRingId: pulumi.Input<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property member

member: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface KeyRingIAMMemberState

interface KeyRingIAMMemberState

Input properties used for looking up and filtering KeyRingIAMMember resources.

property condition

condition?: pulumi.Input<KeyRingIAMMemberCondition>;

An IAM Condition for a given binding. Structure is documented below.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the key ring’s IAM policy.

property keyRingId

keyRingId?: pulumi.Input<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property member

member?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.kms.KeyRingIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface KeyRingIAMPolicyArgs

interface KeyRingIAMPolicyArgs

The set of arguments for constructing a KeyRingIAMPolicy resource.

property keyRingId

keyRingId: pulumi.Input<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

interface KeyRingIAMPolicyState

interface KeyRingIAMPolicyState

Input properties used for looking up and filtering KeyRingIAMPolicy resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the key ring’s IAM policy.

property keyRingId

keyRingId?: pulumi.Input<string>;

The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider’s project setting will be used as a fallback.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

interface KeyRingState

interface KeyRingState

Input properties used for looking up and filtering KeyRing resources.

property location

location?: pulumi.Input<string>;

The location for the KeyRing. A full list of valid locations can be found by running gcloud kms locations list.

property name

name?: pulumi.Input<string>;

The resource name for the KeyRing.

property project

project?: pulumi.Input<string>;

The ID of the project to which the resource belongs. If it is not provided, the provider project is used.

property selfLink

selfLink?: pulumi.Input<string>;

interface RegistryArgs

interface RegistryArgs

The set of arguments for constructing a Registry resource.

property credentials

credentials?: pulumi.Input<pulumi.Input<RegistryCredential>[]>;

List of public key certificates to authenticate devices. The structure is documented below.

property eventNotificationConfigs

eventNotificationConfigs?: pulumi.Input<pulumi.Input<RegistryEventNotificationConfigItem>[]>;

List of configurations for event notifications, such as PubSub topics to publish device events to. Structure is documented below.

property httpConfig

httpConfig?: pulumi.Input<RegistryHttpConfig>;

Activate or deactivate HTTP. The structure is documented below.

property logLevel

logLevel?: pulumi.Input<string>;

The default logging verbosity for activity from devices in this registry. Specifies which events should be written to logs. For example, if the LogLevel is ERROR, only events that terminate in errors will be logged. LogLevel is inclusive; enabling INFO logging will also enable ERROR logging.

property mqttConfig

mqttConfig?: pulumi.Input<RegistryMqttConfig>;

Activate or deactivate MQTT. The structure is documented below.

property name

name?: pulumi.Input<string>;

A unique name for the resource, required by device registry.

property project

project?: pulumi.Input<string>;

The ID of the project to which the resource belongs. If it is not provided, the provider project is used.

property region

region?: pulumi.Input<string>;

The region in which the created registry should reside. If it is not provided, the provider region is used.

property stateNotificationConfig

stateNotificationConfig?: pulumi.Input<RegistryStateNotificationConfig>;

A PubSub topic to publish device state updates. The structure is documented below.

interface RegistryState

interface RegistryState

Input properties used for looking up and filtering Registry resources.

property credentials

credentials?: pulumi.Input<pulumi.Input<RegistryCredential>[]>;

List of public key certificates to authenticate devices. The structure is documented below.

property eventNotificationConfigs

eventNotificationConfigs?: pulumi.Input<pulumi.Input<RegistryEventNotificationConfigItem>[]>;

List of configurations for event notifications, such as PubSub topics to publish device events to. Structure is documented below.

property httpConfig

httpConfig?: pulumi.Input<RegistryHttpConfig>;

Activate or deactivate HTTP. The structure is documented below.

property logLevel

logLevel?: pulumi.Input<string>;

The default logging verbosity for activity from devices in this registry. Specifies which events should be written to logs. For example, if the LogLevel is ERROR, only events that terminate in errors will be logged. LogLevel is inclusive; enabling INFO logging will also enable ERROR logging.

property mqttConfig

mqttConfig?: pulumi.Input<RegistryMqttConfig>;

Activate or deactivate MQTT. The structure is documented below.

property name

name?: pulumi.Input<string>;

A unique name for the resource, required by device registry.

property project

project?: pulumi.Input<string>;

The ID of the project to which the resource belongs. If it is not provided, the provider project is used.

property region

region?: pulumi.Input<string>;

The region in which the created registry should reside. If it is not provided, the provider region is used.

property stateNotificationConfig

stateNotificationConfig?: pulumi.Input<RegistryStateNotificationConfig>;

A PubSub topic to publish device state updates. The structure is documented below.

interface SecretCiphertextArgs

interface SecretCiphertextArgs

The set of arguments for constructing a SecretCiphertext resource.

property additionalAuthenticatedData

additionalAuthenticatedData?: pulumi.Input<string>;

The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

property cryptoKey

cryptoKey: pulumi.Input<string>;

The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'

property plaintext

plaintext: pulumi.Input<string>;

The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.

interface SecretCiphertextState

interface SecretCiphertextState

Input properties used for looking up and filtering SecretCiphertext resources.

property additionalAuthenticatedData

additionalAuthenticatedData?: pulumi.Input<string>;

The additional authenticated data used for integrity checks during encryption and decryption. Note: This property is sensitive and will not be displayed in the plan.

property ciphertext

ciphertext?: pulumi.Input<string>;

Contains the result of encrypting the provided plaintext, encoded in base64.

property cryptoKey

cryptoKey?: pulumi.Input<string>;

The full name of the CryptoKey that will be used to encrypt the provided plaintext. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'

property plaintext

plaintext?: pulumi.Input<string>;

The plaintext to be encrypted. Note: This property is sensitive and will not be displayed in the plan.