import * as pulumi from "@pulumi/pulumi";
/**
 * This data source allows you to use data encrypted with Google Cloud KMS
 * within your resource definitions. It decrypts a base64-encoded ciphertext
 * with the given CryptoKey and returns the result as `plaintext`.
 *
 * For more information see
 * [the official documentation](https://cloud.google.com/kms/docs/encrypt-decrypt).
 *
 * > **NOTE:** Using this data provider will allow you to conceal secret data within your
 * resource definitions, but it does not take care of protecting that data in the
 * logging output, plan (preview) output, or state output.  Please take care to secure your secret
 * data outside of resource definitions.
 *
 * > **NOTE(review):** Whether `plaintext` is marked as a Pulumi secret cannot be told from
 * this declaration. If in doubt, wrap the value with `pulumi.secret(...)` before passing it
 * on, and do not export it as a stack output or write it to logs. Confirm against the
 * provider schema.
 *
 * This direct form takes plain `string` arguments and returns a `Promise`. When an
 * argument is only available as a resource output (for example a CryptoKey `id`), use
 * `getKMSSecretOutput`, whose arguments are `pulumi.Input<string>`.
 *
 * ## Example Usage
 *
 * First, create a KMS KeyRing and CryptoKey using the resource definitions:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const myKeyRing = new gcp.kms.KeyRing("my_key_ring", {
 *     project: "my-project",
 *     name: "my-key-ring",
 *     location: "us-central1",
 * });
 * const myCryptoKey = new gcp.kms.CryptoKey("my_crypto_key", {
 *     name: "my-crypto-key",
 *     keyRing: myKeyRing.id,
 * });
 * ```
 *
 * Next, use the [Cloud SDK](https://cloud.google.com/sdk/gcloud/reference/kms/encrypt) to encrypt some
 * sensitive information and base64-encode the resulting ciphertext:
 *
 * ```bash
 * # Illustrative command. In real use, feed the secret from a protected file or a
 * # prompt instead of typing it on the command line, where it ends up in shell history.
 * echo -n my-secret-password | gcloud kms encrypt \
 *   --project my-project \
 *   --location us-central1 \
 *   --keyring my-key-ring \
 *   --key my-crypto-key \
 *   --plaintext-file - \
 *   --ciphertext-file - \
 *   | base64
 * ```
 *
 * Finally, reference the encrypted ciphertext in your resource definitions:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as random from "@pulumi/random";
 *
 * const sqlUserPassword = gcp.kms.getKMSSecret({
 *     cryptoKey: myCryptoKey.id,
 *     ciphertext: "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=",
 * });
 * const dbNameSuffix = new random.RandomId("db_name_suffix", {byteLength: 4});
 * const main = new gcp.sql.DatabaseInstance("main", {
 *     name: pulumi.interpolate`main-instance-${dbNameSuffix.hex}`,
 *     databaseVersion: "MYSQL_5_7",
 *     settings: {
 *         tier: "db-f1-micro",
 *     },
 * });
 * const users = new gcp.sql.User("users", {
 *     name: "me",
 *     instance: main.name,
 *     host: "me.com",
 *     password: sqlUserPassword.then(sqlUserPassword => sqlUserPassword.plaintext),
 * });
 * ```
 *
 * This will result in a Cloud SQL user being created with password `my-secret-password`.
 *
 * NOTE(review): the example above passes `myCryptoKey.id`, a resource output, to
 * `cryptoKey`, which this form declares as `string`. Use `getKMSSecretOutput` for that
 * case, or pass the key id as a literal string.
 *
 * @param args - The ciphertext, the CryptoKey id and optional additional authenticated data.
 * @param opts - Optional invoke options.
 * @returns A promise that resolves to the decryption result, including `plaintext`.
 */
export declare function getKMSSecret(args: GetKMSSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetKMSSecretResult>;
/**
 * A collection of arguments for invoking getKMSSecret.
 *
 * All fields are plain strings; values that are only known as resource outputs
 * belong in `GetKMSSecretOutputArgs` instead.
 */
export interface GetKMSSecretArgs {
    /**
     * The [additional authenticated data](https://cloud.google.com/kms/docs/additional-authenticated-data) used for integrity checks during encryption and decryption.
     * Decryption fails unless this matches the value supplied when the ciphertext was produced.
     */
    additionalAuthenticatedData?: string;
    /**
     * The ciphertext to be decrypted, encoded in base64.
     * The ciphertext is safe to keep in source; the decrypted `plaintext` in the result is not.
     */
    ciphertext: string;
    /**
     * The id of the CryptoKey that will be used to
     * decrypt the provided ciphertext. This is represented by the format
     * `{projectId}/{location}/{keyRingName}/{cryptoKeyName}`.
     */
    cryptoKey: string;
}
/**
 * A collection of values returned by getKMSSecret.
 *
 * `plaintext` carries the decrypted secret. Treat the whole result as sensitive.
 */
export interface GetKMSSecretResult {
    /**
     * Presumably the `additionalAuthenticatedData` argument echoed back; confirm against the provider.
     */
    readonly additionalAuthenticatedData?: string;
    /**
     * Presumably the `ciphertext` argument echoed back; confirm against the provider.
     */
    readonly ciphertext: string;
    /**
     * Presumably the `cryptoKey` argument echoed back; confirm against the provider.
     */
    readonly cryptoKey: string;
    /**
     * The provider-assigned unique ID for this managed resource.
     */
    readonly id: string;
    /**
     * Contains the result of decrypting the provided ciphertext.
     * This is the secret in the clear: keep it out of logs and stack outputs.
     * NOTE(review): whether the provider marks this value as a Pulumi secret is not
     * visible here. Wrap it with `pulumi.secret(...)` if unsure.
     */
    readonly plaintext: string;
}
/**
 * This data source allows you to use data encrypted with Google Cloud KMS
 * within your resource definitions. This is the Output-based form of
 * `getKMSSecret`: its arguments are `pulumi.Input<string>` and its result is a
 * `pulumi.Output`, so it can consume values that are only known as resource outputs.
 *
 * For more information see
 * [the official documentation](https://cloud.google.com/kms/docs/encrypt-decrypt).
 *
 * > **NOTE:** Using this data provider will allow you to conceal secret data within your
 * resource definitions, but it does not take care of protecting that data in the
 * logging output, plan (preview) output, or state output.  Please take care to secure your secret
 * data outside of resource definitions.
 *
 * > **NOTE(review):** Whether `plaintext` is marked as a Pulumi secret cannot be told from
 * this declaration. If in doubt, wrap the value with `pulumi.secret(...)` before passing it
 * on, and do not export it as a stack output or write it to logs. Confirm against the
 * provider schema.
 *
 * ## Example Usage
 *
 * First, create a KMS KeyRing and CryptoKey using the resource definitions:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const myKeyRing = new gcp.kms.KeyRing("my_key_ring", {
 *     project: "my-project",
 *     name: "my-key-ring",
 *     location: "us-central1",
 * });
 * const myCryptoKey = new gcp.kms.CryptoKey("my_crypto_key", {
 *     name: "my-crypto-key",
 *     keyRing: myKeyRing.id,
 * });
 * ```
 *
 * Next, use the [Cloud SDK](https://cloud.google.com/sdk/gcloud/reference/kms/encrypt) to encrypt some
 * sensitive information and base64-encode the resulting ciphertext:
 *
 * ```bash
 * # Illustrative command. In real use, feed the secret from a protected file or a
 * # prompt instead of typing it on the command line, where it ends up in shell history.
 * echo -n my-secret-password | gcloud kms encrypt \
 *   --project my-project \
 *   --location us-central1 \
 *   --keyring my-key-ring \
 *   --key my-crypto-key \
 *   --plaintext-file - \
 *   --ciphertext-file - \
 *   | base64
 * ```
 *
 * Finally, reference the encrypted ciphertext in your resource definitions:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as random from "@pulumi/random";
 *
 * const sqlUserPassword = gcp.kms.getKMSSecretOutput({
 *     cryptoKey: myCryptoKey.id,
 *     ciphertext: "CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=",
 * });
 * const dbNameSuffix = new random.RandomId("db_name_suffix", {byteLength: 4});
 * const main = new gcp.sql.DatabaseInstance("main", {
 *     name: pulumi.interpolate`main-instance-${dbNameSuffix.hex}`,
 *     databaseVersion: "MYSQL_5_7",
 *     settings: {
 *         tier: "db-f1-micro",
 *     },
 * });
 * const users = new gcp.sql.User("users", {
 *     name: "me",
 *     instance: main.name,
 *     host: "me.com",
 *     password: sqlUserPassword.plaintext,
 * });
 * ```
 *
 * This will result in a Cloud SQL user being created with password `my-secret-password`.
 *
 * @param args - The ciphertext, the CryptoKey id and optional additional authenticated data; each may be a plain value or an output.
 * @param opts - Optional invoke options.
 * @returns An output that resolves to the decryption result, including `plaintext`.
 */
export declare function getKMSSecretOutput(args: GetKMSSecretOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetKMSSecretResult>;
/**
 * A collection of arguments for invoking getKMSSecretOutput, the Output-based
 * form of getKMSSecret. Each field accepts a plain string or an output.
 */
export interface GetKMSSecretOutputArgs {
    /**
     * The [additional authenticated data](https://cloud.google.com/kms/docs/additional-authenticated-data) used for integrity checks during encryption and decryption.
     * Decryption fails unless this matches the value supplied when the ciphertext was produced.
     */
    additionalAuthenticatedData?: pulumi.Input<string>;
    /**
     * The ciphertext to be decrypted, encoded in base64.
     * The ciphertext is safe to keep in source; the decrypted `plaintext` in the result is not.
     */
    ciphertext: pulumi.Input<string>;
    /**
     * The id of the CryptoKey that will be used to
     * decrypt the provided ciphertext. This is represented by the format
     * `{projectId}/{location}/{keyRingName}/{cryptoKeyName}`.
     */
    cryptoKey: pulumi.Input<string>;
}
