» google_kms_secret

This data source allows you to use data encrypted with Google Cloud KMS within your resource definitions.

For more information, see the official documentation.

» Example Usage

First, create a KMS KeyRing and CryptoKey using the resource definitions:

resource "google_kms_key_ring" "my_key_ring" {
  project  = "my-project"
  name     = "my-key-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "my_crypto_key" {
  name     = "my-crypto-key"
  key_ring = "${google_kms_key_ring.my_key_ring.id}"
}

Next, use the Cloud SDK to encrypt some sensitive information:

$ echo -n my-secret-password | gcloud kms encrypt \
> --project my-project \
> --location us-central1 \
> --keyring my-key-ring \
> --key my-crypto-key \
> --plaintext-file - \
> --ciphertext-file - \
> | base64
CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=

Finally, reference the encrypted ciphertext in your resource definitions:

data "google_kms_secret" "sql_user_password" {
  crypto_key = "${google_kms_crypto_key.my_crypto_key.id}"
  ciphertext = "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU="
}

resource "google_sql_database_instance" "master" {
  name = "master-instance"

  settings {
    tier = "D0"
  }
}

resource "google_sql_user" "users" {
  name     = "me"
  instance = "${google_sql_database_instance.master.name}"
  host     = "me.com"
  password = "${data.google_kms_secret.sql_user_password.plaintext}"
}

This will result in a Cloud SQL user being created with the password my-secret-password. Note that the ciphertext is only protected in the configuration files: the decrypted plaintext is written to the Terraform state like any other attribute, so the state file must be protected accordingly.
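As an added example (not part of the provider or its documentation), a small regex-based lint over HCL text that checks each google_kms_secret block for a well-formed crypto_key and a base64 ciphertext, and flags quoted literal passwords that should reference the data source's plaintext instead. The sample HCL is constructed here and reuses the ciphertext from the example above; the regexes deliberately stand in for a real HCL parser.

```python
"""Regex lint for google_kms_secret blocks in Terraform HCL (added example, not provider code)."""
import base64
import re

# Data block; its body may hold "${...}" interpolations, so braces are allowed there.
BLOCK_RE = re.compile(r'data\s+"google_kms_secret"\s+"(?P<name>[^"]+)"\s*\{'
                      r'(?P<body>(?:[^{}]|\$\{[^{}]*\})*)\}', re.S)
ARG_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<val>[^"]*)"', re.M)
# Either a "${...}" reference or the documented {projectId}/{location}/{keyRingName}/{cryptoKeyName} id.
KEY_RE = re.compile(r'^(\$\{.+\}|[^/\s]+/[^/\s]+/[^/\s]+/[^/\s]+)$')
PASSWORD_RE = re.compile(r'^\s*password\s*=\s*"(?P<val>[^"]*)"', re.M)

def is_base64(value):
    """True only for non-empty, strictly valid base64 (what the data source expects)."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def check_kms_secrets(hcl):
    """Return human-readable findings for the given HCL text (empty means clean)."""
    findings = []
    for block in BLOCK_RE.finditer(hcl):
        name = block.group("name")
        args = {a.group("key"): a.group("val") for a in ARG_RE.finditer(block.group("body"))}
        if not KEY_RE.match(args.get("crypto_key", "")):
            findings.append(f"{name}: crypto_key must be a reference or a four-part key id")
        if not is_base64(args.get("ciphertext", "")):
            findings.append(f"{name}: ciphertext must be non-empty base64")
    # A quoted literal password is exactly what this data source is meant to replace.
    for m in PASSWORD_RE.finditer(hcl):
        if not m.group("val").startswith("${"):
            findings.append("literal password; reference data.google_kms_secret.<name>.plaintext")
    return findings

# Constructed sample: the docs' own block, a deliberately broken block, and a literal password.
SAMPLE = '''
data "google_kms_secret" "sql_user_password" {
  crypto_key = "${google_kms_crypto_key.my_crypto_key.id}"
  ciphertext = "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU="
}
data "google_kms_secret" "broken" {
  crypto_key = "my-project/my-crypto-key"
  ciphertext = "not-base64!"
}
resource "google_sql_user" "legacy" {
  password = "hunter2"
}
'''
```

Running check_kms_secrets(SAMPLE) reports nothing for the docs' block and three findings for the rest: the two-part crypto_key, the non-base64 ciphertext, and the literal password.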

» Argument Reference

The following arguments are supported:

  • ciphertext (Required) - The ciphertext to be decrypted, encoded in base64.
  • crypto_key (Required) - The id of the CryptoKey that will be used to decrypt the provided ciphertext. This is represented in the format {projectId}/{location}/{keyRingName}/{cryptoKeyName}.

» Attributes Reference

The following attribute is exported:

  • plaintext - Contains the result of decrypting the provided ciphertext.