import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A `CryptoKey` represents a logical key that can be used for cryptographic operations. * * > **Note:** CryptoKeys cannot be deleted from Google Cloud Platform. * Destroying a provider-managed CryptoKey will remove it from state * and delete all CryptoKeyVersions, rendering the key unusable, but *will * not delete the resource from the project.* When the provider destroys these keys, * any data previously encrypted with these keys will be irrecoverable. * For this reason, it is strongly recommended that you use Pulumi's [protect resource option](https://www.pulumi.com/docs/concepts/options/protect/). * * To get more information about CryptoKey, see: * * * [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys) * * How-to Guides * * [Creating a key](https://cloud.google.com/kms/docs/creating-keys#create_a_key) * * ## Example Usage * * ### Kms Crypto Key Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const keyring = new gcp.kms.KeyRing("keyring", { * name: "keyring-example", * location: "global", * }); * const example_key = new gcp.kms.CryptoKey("example-key", { * name: "crypto-key-example", * keyRing: keyring.id, * rotationPeriod: "7776000s", * }); * ``` * ### Kms Crypto Key Asymmetric Sign * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const keyring = new gcp.kms.KeyRing("keyring", { * name: "keyring-example", * location: "global", * }); * const example_asymmetric_sign_key = new gcp.kms.CryptoKey("example-asymmetric-sign-key", { * name: "crypto-key-example", * keyRing: keyring.id, * purpose: "ASYMMETRIC_SIGN", * versionTemplate: { * algorithm: "EC_SIGN_P384_SHA384", * }, * }); * ``` * * ## Import * * CryptoKey can be imported using any of these accepted formats: * * * `{{key_ring}}/cryptoKeys/{{name}}` * * * `{{key_ring}}/{{name}}` * * When using the `pulumi import` command, CryptoKey can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/cryptoKeys/{{name}} * ``` * * ```sh * $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/{{name}} * ``` */ export declare class CryptoKey extends pulumi.CustomResource { /** * Get an existing CryptoKey resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: CryptoKeyState, opts?: pulumi.CustomResourceOptions): CryptoKey; /** * Returns true if the given object is an instance of CryptoKey. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is CryptoKey; /** * The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. * The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys. */ readonly cryptoKeyBackend: pulumi.Output; /** * The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. * If not specified at creation time, the default duration is 30 days. */ readonly destroyScheduledDuration: pulumi.Output; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * Whether this key may contain imported versions only. */ readonly importOnly: pulumi.Output; /** * The policy used for Key Access Justifications Policy Enforcement. If this * field is present and this key is enrolled in Key Access Justifications * Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and * sign operations, and the operation will fail if rejected by the policy. The * policy is defined by specifying zero or more allowed justification codes. * https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes * By default, this field is absent, and all justification codes are allowed. * This field is currently in beta and is subject to change. * Structure is documented below. */ readonly keyAccessJustificationsPolicy: pulumi.Output; /** * The KeyRing that this key belongs to. * Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`. * * * - - - */ readonly keyRing: pulumi.Output; /** * Labels with user-defined metadata to apply to this resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * The resource name for the CryptoKey. */ readonly name: pulumi.Output; /** * A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. * Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. * Structure is documented below. */ readonly primaries: pulumi.Output; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * The immutable purpose of this CryptoKey. See the * [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) * for possible inputs. * Default value is "ENCRYPT_DECRYPT". */ readonly purpose: pulumi.Output; /** * Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. * The first rotation will take place after the specified period. The rotation period has * the format of a decimal number with up to 9 fractional digits, followed by the * letter `s` (seconds). It must be greater than a day (ie, 86400). */ readonly rotationPeriod: pulumi.Output; /** * If set to true, the request will create a CryptoKey without any CryptoKeyVersions. * You must use the `gcp.kms.CryptoKeyVersion` resource to create a new CryptoKeyVersion * or `gcp.kms.KeyRingImportJob` resource to import the CryptoKeyVersion. */ readonly skipInitialVersionCreation: pulumi.Output; /** * A template describing settings for new crypto key versions. * Structure is documented below. */ readonly versionTemplate: pulumi.Output; /** * Create a CryptoKey resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: CryptoKeyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering CryptoKey resources. */ export interface CryptoKeyState { /** * The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. * The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys. */ cryptoKeyBackend?: pulumi.Input; /** * The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. * If not specified at creation time, the default duration is 30 days. */ destroyScheduledDuration?: pulumi.Input; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Whether this key may contain imported versions only. */ importOnly?: pulumi.Input; /** * The policy used for Key Access Justifications Policy Enforcement. If this * field is present and this key is enrolled in Key Access Justifications * Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and * sign operations, and the operation will fail if rejected by the policy. The * policy is defined by specifying zero or more allowed justification codes. * https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes * By default, this field is absent, and all justification codes are allowed. * This field is currently in beta and is subject to change. * Structure is documented below. */ keyAccessJustificationsPolicy?: pulumi.Input; /** * The KeyRing that this key belongs to. * Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`. * * * - - - */ keyRing?: pulumi.Input; /** * Labels with user-defined metadata to apply to this resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The resource name for the CryptoKey. */ name?: pulumi.Input; /** * A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name. * Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset. * Structure is documented below. */ primaries?: pulumi.Input[]>; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The immutable purpose of this CryptoKey. See the * [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) * for possible inputs. * Default value is "ENCRYPT_DECRYPT". */ purpose?: pulumi.Input; /** * Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. * The first rotation will take place after the specified period. The rotation period has * the format of a decimal number with up to 9 fractional digits, followed by the * letter `s` (seconds). It must be greater than a day (ie, 86400). */ rotationPeriod?: pulumi.Input; /** * If set to true, the request will create a CryptoKey without any CryptoKeyVersions. * You must use the `gcp.kms.CryptoKeyVersion` resource to create a new CryptoKeyVersion * or `gcp.kms.KeyRingImportJob` resource to import the CryptoKeyVersion. */ skipInitialVersionCreation?: pulumi.Input; /** * A template describing settings for new crypto key versions. * Structure is documented below. */ versionTemplate?: pulumi.Input; } /** * The set of arguments for constructing a CryptoKey resource. */ export interface CryptoKeyArgs { /** * The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey. * The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys. */ cryptoKeyBackend?: pulumi.Input; /** * The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. * If not specified at creation time, the default duration is 30 days. */ destroyScheduledDuration?: pulumi.Input; /** * Whether this key may contain imported versions only. */ importOnly?: pulumi.Input; /** * The policy used for Key Access Justifications Policy Enforcement. If this * field is present and this key is enrolled in Key Access Justifications * Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and * sign operations, and the operation will fail if rejected by the policy. The * policy is defined by specifying zero or more allowed justification codes. * https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes * By default, this field is absent, and all justification codes are allowed. * This field is currently in beta and is subject to change. * Structure is documented below. */ keyAccessJustificationsPolicy?: pulumi.Input; /** * The KeyRing that this key belongs to. * Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`. * * * - - - */ keyRing: pulumi.Input; /** * Labels with user-defined metadata to apply to this resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The resource name for the CryptoKey. */ name?: pulumi.Input; /** * The immutable purpose of this CryptoKey. See the * [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) * for possible inputs. * Default value is "ENCRYPT_DECRYPT". */ purpose?: pulumi.Input; /** * Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. * The first rotation will take place after the specified period. The rotation period has * the format of a decimal number with up to 9 fractional digits, followed by the * letter `s` (seconds). It must be greater than a day (ie, 86400). */ rotationPeriod?: pulumi.Input; /** * If set to true, the request will create a CryptoKey without any CryptoKeyVersions. * You must use the `gcp.kms.CryptoKeyVersion` resource to create a new CryptoKeyVersion * or `gcp.kms.KeyRingImportJob` resource to import the CryptoKeyVersion. */ skipInitialVersionCreation?: pulumi.Input; /** * A template describing settings for new crypto key versions. * Structure is documented below. */ versionTemplate?: pulumi.Input; }