1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. kms
  5. KeyHandle
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.kms.KeyHandle

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    Example Usage

    Kms Key Handle Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as time from "@pulumi/time";
    
    // Create Folder in GCP Organization
    const autokmsFolder = new gcp.organizations.Folder("autokms_folder", {
        displayName: "my-folder",
        parent: "organizations/123456789",
        deletionProtection: false,
    });
    // Create the key project
    const keyProject = new gcp.organizations.Project("key_project", {
        projectId: "key-proj",
        name: "key-proj",
        folderId: autokmsFolder.folderId,
        billingAccount: "000000-0000000-0000000-000000",
        deletionPolicy: "DELETE",
    }, {
        dependsOn: [autokmsFolder],
    });
    // Create the resource project
    const resourceProject = new gcp.organizations.Project("resource_project", {
        projectId: "res-proj",
        name: "res-proj",
        folderId: autokmsFolder.folderId,
        billingAccount: "000000-0000000-0000000-000000",
        deletionPolicy: "DELETE",
    }, {
        dependsOn: [autokmsFolder],
    });
    // Enable the Cloud KMS API
    const kmsApiService = new gcp.projects.Service("kms_api_service", {
        service: "cloudkms.googleapis.com",
        project: keyProject.projectId,
        disableOnDestroy: false,
        disableDependentServices: true,
    }, {
        dependsOn: [keyProject],
    });
    // Wait delay after enabling APIs
    const waitEnableServiceApi = new time.index.Sleep("wait_enable_service_api", {createDuration: "30s"}, {
        dependsOn: [kmsApiService],
    });
    //Create KMS Service Agent
    const kmsServiceAgent = new gcp.projects.ServiceIdentity("kms_service_agent", {
        service: "cloudkms.googleapis.com",
        project: keyProject.number,
    }, {
        dependsOn: [waitEnableServiceApi],
    });
    // Wait delay after creating service agent.
    const waitServiceAgent = new time.index.Sleep("wait_service_agent", {createDuration: "10s"}, {
        dependsOn: [kmsServiceAgent],
    });
    //Grant the KMS Service Agent the Cloud KMS Admin role
    const autokeyProjectAdmin = new gcp.projects.IAMMember("autokey_project_admin", {
        project: keyProject.projectId,
        role: "roles/cloudkms.admin",
        member: pulumi.interpolate`serviceAccount:service-${keyProject.number}@gcp-sa-cloudkms.iam.gserviceaccount.com`,
    }, {
        dependsOn: [waitServiceAgent],
    });
    // Wait delay after granting IAM permissions
    const waitSrvAccPermissions = new time.index.Sleep("wait_srv_acc_permissions", {createDuration: "10s"}, {
        dependsOn: [autokeyProjectAdmin],
    });
    const autokeyConfig = new gcp.kms.AutokeyConfig("autokey_config", {
        folder: autokmsFolder.folderId,
        keyProject: pulumi.interpolate`projects/${keyProject.projectId}`,
    }, {
        dependsOn: [waitSrvAccPermissions],
    });
    // Wait delay for autokey config to take effect
    const waitAutokeyConfig = new time.index.Sleep("wait_autokey_config", {createDuration: "10s"}, {
        dependsOn: [autokeyConfig],
    });
    const example_keyhandle = new gcp.kms.KeyHandle("example-keyhandle", {
        project: resourceProject.projectId,
        name: "tf-test-key-handle",
        location: "global",
        resourceTypeSelector: "storage.googleapis.com/Bucket",
    }, {
        dependsOn: [waitAutokeyConfig],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_time as time
    
    # Create Folder in GCP Organization
    autokms_folder = gcp.organizations.Folder("autokms_folder",
        display_name="my-folder",
        parent="organizations/123456789",
        deletion_protection=False)
    # Create the key project
    key_project = gcp.organizations.Project("key_project",
        project_id="key-proj",
        name="key-proj",
        folder_id=autokms_folder.folder_id,
        billing_account="000000-0000000-0000000-000000",
        deletion_policy="DELETE",
        opts = pulumi.ResourceOptions(depends_on=[autokms_folder]))
    # Create the resource project
    resource_project = gcp.organizations.Project("resource_project",
        project_id="res-proj",
        name="res-proj",
        folder_id=autokms_folder.folder_id,
        billing_account="000000-0000000-0000000-000000",
        deletion_policy="DELETE",
        opts = pulumi.ResourceOptions(depends_on=[autokms_folder]))
    # Enable the Cloud KMS API
    kms_api_service = gcp.projects.Service("kms_api_service",
        service="cloudkms.googleapis.com",
        project=key_project.project_id,
        disable_on_destroy=False,
        disable_dependent_services=True,
        opts = pulumi.ResourceOptions(depends_on=[key_project]))
    # Wait delay after enabling APIs
    wait_enable_service_api = time.index.Sleep("wait_enable_service_api", create_duration=30s,
    opts = pulumi.ResourceOptions(depends_on=[kms_api_service]))
    #Create KMS Service Agent
    kms_service_agent = gcp.projects.ServiceIdentity("kms_service_agent",
        service="cloudkms.googleapis.com",
        project=key_project.number,
        opts = pulumi.ResourceOptions(depends_on=[wait_enable_service_api]))
    # Wait delay after creating service agent.
    wait_service_agent = time.index.Sleep("wait_service_agent", create_duration=10s,
    opts = pulumi.ResourceOptions(depends_on=[kms_service_agent]))
    #Grant the KMS Service Agent the Cloud KMS Admin role
    autokey_project_admin = gcp.projects.IAMMember("autokey_project_admin",
        project=key_project.project_id,
        role="roles/cloudkms.admin",
        member=key_project.number.apply(lambda number: f"serviceAccount:service-{number}@gcp-sa-cloudkms.iam.gserviceaccount.com"),
        opts = pulumi.ResourceOptions(depends_on=[wait_service_agent]))
    # Wait delay after granting IAM permissions
    wait_srv_acc_permissions = time.index.Sleep("wait_srv_acc_permissions", create_duration=10s,
    opts = pulumi.ResourceOptions(depends_on=[autokey_project_admin]))
    autokey_config = gcp.kms.AutokeyConfig("autokey_config",
        folder=autokms_folder.folder_id,
        key_project=key_project.project_id.apply(lambda project_id: f"projects/{project_id}"),
        opts = pulumi.ResourceOptions(depends_on=[wait_srv_acc_permissions]))
    # Wait delay for autokey config to take effect
    wait_autokey_config = time.index.Sleep("wait_autokey_config", create_duration=10s,
    opts = pulumi.ResourceOptions(depends_on=[autokey_config]))
    example_keyhandle = gcp.kms.KeyHandle("example-keyhandle",
        project=resource_project.project_id,
        name="tf-test-key-handle",
        location="global",
        resource_type_selector="storage.googleapis.com/Bucket",
        opts = pulumi.ResourceOptions(depends_on=[wait_autokey_config]))
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/projects"
    	"github.com/pulumi/pulumi-time/sdk/go/time"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Create Folder in GCP Organization
    		autokmsFolder, err := organizations.NewFolder(ctx, "autokms_folder", &organizations.FolderArgs{
    			DisplayName:        pulumi.String("my-folder"),
    			Parent:             pulumi.String("organizations/123456789"),
    			DeletionProtection: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		// Create the key project
    		keyProject, err := organizations.NewProject(ctx, "key_project", &organizations.ProjectArgs{
    			ProjectId:      pulumi.String("key-proj"),
    			Name:           pulumi.String("key-proj"),
    			FolderId:       autokmsFolder.FolderId,
    			BillingAccount: pulumi.String("000000-0000000-0000000-000000"),
    			DeletionPolicy: pulumi.String("DELETE"),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			autokmsFolder,
    		}))
    		if err != nil {
    			return err
    		}
    		// Create the resource project
    		resourceProject, err := organizations.NewProject(ctx, "resource_project", &organizations.ProjectArgs{
    			ProjectId:      pulumi.String("res-proj"),
    			Name:           pulumi.String("res-proj"),
    			FolderId:       autokmsFolder.FolderId,
    			BillingAccount: pulumi.String("000000-0000000-0000000-000000"),
    			DeletionPolicy: pulumi.String("DELETE"),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			autokmsFolder,
    		}))
    		if err != nil {
    			return err
    		}
    		// Enable the Cloud KMS API
    		kmsApiService, err := projects.NewService(ctx, "kms_api_service", &projects.ServiceArgs{
    			Service:                  pulumi.String("cloudkms.googleapis.com"),
    			Project:                  keyProject.ProjectId,
    			DisableOnDestroy:         pulumi.Bool(false),
    			DisableDependentServices: pulumi.Bool(true),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			keyProject,
    		}))
    		if err != nil {
    			return err
    		}
    		// Wait delay after enabling APIs
    		waitEnableServiceApi, err := time.NewSleep(ctx, "wait_enable_service_api", &time.SleepArgs{
    			CreateDuration: "30s",
    		}, pulumi.DependsOn([]pulumi.Resource{
    			kmsApiService,
    		}))
    		if err != nil {
    			return err
    		}
    		// Create KMS Service Agent
    		kmsServiceAgent, err := projects.NewServiceIdentity(ctx, "kms_service_agent", &projects.ServiceIdentityArgs{
    			Service: pulumi.String("cloudkms.googleapis.com"),
    			Project: keyProject.Number,
    		}, pulumi.DependsOn([]pulumi.Resource{
    			waitEnableServiceApi,
    		}))
    		if err != nil {
    			return err
    		}
    		// Wait delay after creating service agent.
    		waitServiceAgent, err := time.NewSleep(ctx, "wait_service_agent", &time.SleepArgs{
    			CreateDuration: "10s",
    		}, pulumi.DependsOn([]pulumi.Resource{
    			kmsServiceAgent,
    		}))
    		if err != nil {
    			return err
    		}
    		// Grant the KMS Service Agent the Cloud KMS Admin role
    		autokeyProjectAdmin, err := projects.NewIAMMember(ctx, "autokey_project_admin", &projects.IAMMemberArgs{
    			Project: keyProject.ProjectId,
    			Role:    pulumi.String("roles/cloudkms.admin"),
    			Member: keyProject.Number.ApplyT(func(number string) (string, error) {
    				return fmt.Sprintf("serviceAccount:service-%v@gcp-sa-cloudkms.iam.gserviceaccount.com", number), nil
    			}).(pulumi.StringOutput),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			waitServiceAgent,
    		}))
    		if err != nil {
    			return err
    		}
    		// Wait delay after granting IAM permissions
    		waitSrvAccPermissions, err := time.NewSleep(ctx, "wait_srv_acc_permissions", &time.SleepArgs{
    			CreateDuration: "10s",
    		}, pulumi.DependsOn([]pulumi.Resource{
    			autokeyProjectAdmin,
    		}))
    		if err != nil {
    			return err
    		}
    		autokeyConfig, err := kms.NewAutokeyConfig(ctx, "autokey_config", &kms.AutokeyConfigArgs{
    			Folder: autokmsFolder.FolderId,
    			KeyProject: keyProject.ProjectId.ApplyT(func(projectId string) (string, error) {
    				return fmt.Sprintf("projects/%v", projectId), nil
    			}).(pulumi.StringOutput),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			waitSrvAccPermissions,
    		}))
    		if err != nil {
    			return err
    		}
    		// Wait delay for autokey config to take effect
    		waitAutokeyConfig, err := time.NewSleep(ctx, "wait_autokey_config", &time.SleepArgs{
    			CreateDuration: "10s",
    		}, pulumi.DependsOn([]pulumi.Resource{
    			autokeyConfig,
    		}))
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewKeyHandle(ctx, "example-keyhandle", &kms.KeyHandleArgs{
    			Project:              resourceProject.ProjectId,
    			Name:                 pulumi.String("tf-test-key-handle"),
    			Location:             pulumi.String("global"),
    			ResourceTypeSelector: pulumi.String("storage.googleapis.com/Bucket"),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			waitAutokeyConfig,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Time = Pulumi.Time;
    
    return await Deployment.RunAsync(() => 
    {
        // Create Folder in GCP Organization
        var autokmsFolder = new Gcp.Organizations.Folder("autokms_folder", new()
        {
            DisplayName = "my-folder",
            Parent = "organizations/123456789",
            DeletionProtection = false,
        });
    
        // Create the key project
        var keyProject = new Gcp.Organizations.Project("key_project", new()
        {
            ProjectId = "key-proj",
            Name = "key-proj",
            FolderId = autokmsFolder.FolderId,
            BillingAccount = "000000-0000000-0000000-000000",
            DeletionPolicy = "DELETE",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                autokmsFolder,
            },
        });
    
        // Create the resource project
        var resourceProject = new Gcp.Organizations.Project("resource_project", new()
        {
            ProjectId = "res-proj",
            Name = "res-proj",
            FolderId = autokmsFolder.FolderId,
            BillingAccount = "000000-0000000-0000000-000000",
            DeletionPolicy = "DELETE",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                autokmsFolder,
            },
        });
    
        // Enable the Cloud KMS API
        var kmsApiService = new Gcp.Projects.Service("kms_api_service", new()
        {
            ServiceName = "cloudkms.googleapis.com",
            Project = keyProject.ProjectId,
            DisableOnDestroy = false,
            DisableDependentServices = true,
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                keyProject,
            },
        });
    
        // Wait delay after enabling APIs
        var waitEnableServiceApi = new Time.Index.Sleep("wait_enable_service_api", new()
        {
            CreateDuration = "30s",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                kmsApiService,
            },
        });
    
        //Create KMS Service Agent
        var kmsServiceAgent = new Gcp.Projects.ServiceIdentity("kms_service_agent", new()
        {
            Service = "cloudkms.googleapis.com",
            Project = keyProject.Number,
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                waitEnableServiceApi,
            },
        });
    
        // Wait delay after creating service agent.
        var waitServiceAgent = new Time.Index.Sleep("wait_service_agent", new()
        {
            CreateDuration = "10s",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                kmsServiceAgent,
            },
        });
    
        //Grant the KMS Service Agent the Cloud KMS Admin role
        var autokeyProjectAdmin = new Gcp.Projects.IAMMember("autokey_project_admin", new()
        {
            Project = keyProject.ProjectId,
            Role = "roles/cloudkms.admin",
            Member = keyProject.Number.Apply(number => $"serviceAccount:service-{number}@gcp-sa-cloudkms.iam.gserviceaccount.com"),
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                waitServiceAgent,
            },
        });
    
        // Wait delay after granting IAM permissions
        var waitSrvAccPermissions = new Time.Index.Sleep("wait_srv_acc_permissions", new()
        {
            CreateDuration = "10s",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                autokeyProjectAdmin,
            },
        });
    
        var autokeyConfig = new Gcp.Kms.AutokeyConfig("autokey_config", new()
        {
            Folder = autokmsFolder.FolderId,
            KeyProject = keyProject.ProjectId.Apply(projectId => $"projects/{projectId}"),
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                waitSrvAccPermissions,
            },
        });
    
        // Wait delay for autokey config to take effect
        var waitAutokeyConfig = new Time.Index.Sleep("wait_autokey_config", new()
        {
            CreateDuration = "10s",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                autokeyConfig,
            },
        });
    
        var example_keyhandle = new Gcp.Kms.KeyHandle("example-keyhandle", new()
        {
            Project = resourceProject.ProjectId,
            Name = "tf-test-key-handle",
            Location = "global",
            ResourceTypeSelector = "storage.googleapis.com/Bucket",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                waitAutokeyConfig,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.Folder;
    import com.pulumi.gcp.organizations.FolderArgs;
    import com.pulumi.gcp.organizations.Project;
    import com.pulumi.gcp.organizations.ProjectArgs;
    import com.pulumi.gcp.projects.Service;
    import com.pulumi.gcp.projects.ServiceArgs;
    import com.pulumi.time.sleep;
    import com.pulumi.time.SleepArgs;
    import com.pulumi.gcp.projects.ServiceIdentity;
    import com.pulumi.gcp.projects.ServiceIdentityArgs;
    import com.pulumi.gcp.projects.IAMMember;
    import com.pulumi.gcp.projects.IAMMemberArgs;
    import com.pulumi.gcp.kms.AutokeyConfig;
    import com.pulumi.gcp.kms.AutokeyConfigArgs;
    import com.pulumi.gcp.kms.KeyHandle;
    import com.pulumi.gcp.kms.KeyHandleArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // Create Folder in GCP Organization
            var autokmsFolder = new Folder("autokmsFolder", FolderArgs.builder()
                .displayName("my-folder")
                .parent("organizations/123456789")
                .deletionProtection(false)
                .build());
    
            // Create the key project
            var keyProject = new Project("keyProject", ProjectArgs.builder()
                .projectId("key-proj")
                .name("key-proj")
                .folderId(autokmsFolder.folderId())
                .billingAccount("000000-0000000-0000000-000000")
                .deletionPolicy("DELETE")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(autokmsFolder)
                    .build());
    
            // Create the resource project
            var resourceProject = new Project("resourceProject", ProjectArgs.builder()
                .projectId("res-proj")
                .name("res-proj")
                .folderId(autokmsFolder.folderId())
                .billingAccount("000000-0000000-0000000-000000")
                .deletionPolicy("DELETE")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(autokmsFolder)
                    .build());
    
            // Enable the Cloud KMS API
            var kmsApiService = new Service("kmsApiService", ServiceArgs.builder()
                .service("cloudkms.googleapis.com")
                .project(keyProject.projectId())
                .disableOnDestroy(false)
                .disableDependentServices(true)
                .build(), CustomResourceOptions.builder()
                    .dependsOn(keyProject)
                    .build());
    
            // Wait delay after enabling APIs
            var waitEnableServiceApi = new Sleep("waitEnableServiceApi", SleepArgs.builder()
                .createDuration("30s")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(kmsApiService)
                    .build());
    
            //Create KMS Service Agent
            var kmsServiceAgent = new ServiceIdentity("kmsServiceAgent", ServiceIdentityArgs.builder()
                .service("cloudkms.googleapis.com")
                .project(keyProject.number())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(waitEnableServiceApi)
                    .build());
    
            // Wait delay after creating service agent.
            var waitServiceAgent = new Sleep("waitServiceAgent", SleepArgs.builder()
                .createDuration("10s")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(kmsServiceAgent)
                    .build());
    
            //Grant the KMS Service Agent the Cloud KMS Admin role
            var autokeyProjectAdmin = new IAMMember("autokeyProjectAdmin", IAMMemberArgs.builder()
                .project(keyProject.projectId())
                .role("roles/cloudkms.admin")
                .member(keyProject.number().applyValue(number -> String.format("serviceAccount:service-%s@gcp-sa-cloudkms.iam.gserviceaccount.com", number)))
                .build(), CustomResourceOptions.builder()
                    .dependsOn(waitServiceAgent)
                    .build());
    
            // Wait delay after granting IAM permissions
            var waitSrvAccPermissions = new Sleep("waitSrvAccPermissions", SleepArgs.builder()
                .createDuration("10s")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(autokeyProjectAdmin)
                    .build());
    
            var autokeyConfig = new AutokeyConfig("autokeyConfig", AutokeyConfigArgs.builder()
                .folder(autokmsFolder.folderId())
                .keyProject(keyProject.projectId().applyValue(projectId -> String.format("projects/%s", projectId)))
                .build(), CustomResourceOptions.builder()
                    .dependsOn(waitSrvAccPermissions)
                    .build());
    
            // Wait delay for autokey config to take effect
            var waitAutokeyConfig = new Sleep("waitAutokeyConfig", SleepArgs.builder()
                .createDuration("10s")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(autokeyConfig)
                    .build());
    
            var example_keyhandle = new KeyHandle("example-keyhandle", KeyHandleArgs.builder()
                .project(resourceProject.projectId())
                .name("tf-test-key-handle")
                .location("global")
                .resourceTypeSelector("storage.googleapis.com/Bucket")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(waitAutokeyConfig)
                    .build());
    
        }
    }
    
    resources:
      # Create Folder in GCP Organization
      autokmsFolder:
        type: gcp:organizations:Folder
        name: autokms_folder
        properties:
          displayName: my-folder
          parent: organizations/123456789
          deletionProtection: false
      # Create the key project
      keyProject:
        type: gcp:organizations:Project
        name: key_project
        properties:
          projectId: key-proj
          name: key-proj
          folderId: ${autokmsFolder.folderId}
          billingAccount: 000000-0000000-0000000-000000
          deletionPolicy: DELETE
        options:
          dependson:
            - ${autokmsFolder}
      # Create the resource project
      resourceProject:
        type: gcp:organizations:Project
        name: resource_project
        properties:
          projectId: res-proj
          name: res-proj
          folderId: ${autokmsFolder.folderId}
          billingAccount: 000000-0000000-0000000-000000
          deletionPolicy: DELETE
        options:
          dependson:
            - ${autokmsFolder}
      # Enable the Cloud KMS API
      kmsApiService:
        type: gcp:projects:Service
        name: kms_api_service
        properties:
          service: cloudkms.googleapis.com
          project: ${keyProject.projectId}
          disableOnDestroy: false
          disableDependentServices: true
        options:
          dependson:
            - ${keyProject}
      # Wait delay after enabling APIs
      waitEnableServiceApi:
        type: time:sleep
        name: wait_enable_service_api
        properties:
          createDuration: 30s
        options:
          dependson:
            - ${kmsApiService}
      #Create KMS Service Agent
      kmsServiceAgent:
        type: gcp:projects:ServiceIdentity
        name: kms_service_agent
        properties:
          service: cloudkms.googleapis.com
          project: ${keyProject.number}
        options:
          dependson:
            - ${waitEnableServiceApi}
      # Wait delay after creating service agent.
      waitServiceAgent:
        type: time:sleep
        name: wait_service_agent
        properties:
          createDuration: 10s
        options:
          dependson:
            - ${kmsServiceAgent}
      #Grant the KMS Service Agent the Cloud KMS Admin role
      autokeyProjectAdmin:
        type: gcp:projects:IAMMember
        name: autokey_project_admin
        properties:
          project: ${keyProject.projectId}
          role: roles/cloudkms.admin
          member: serviceAccount:service-${keyProject.number}@gcp-sa-cloudkms.iam.gserviceaccount.com
        options:
          dependson:
            - ${waitServiceAgent}
      # Wait delay after granting IAM permissions
      waitSrvAccPermissions:
        type: time:sleep
        name: wait_srv_acc_permissions
        properties:
          createDuration: 10s
        options:
          dependson:
            - ${autokeyProjectAdmin}
      autokeyConfig:
        type: gcp:kms:AutokeyConfig
        name: autokey_config
        properties:
          folder: ${autokmsFolder.folderId}
          keyProject: projects/${keyProject.projectId}
        options:
          dependson:
            - ${waitSrvAccPermissions}
      # Wait delay for autokey config to take effect
      waitAutokeyConfig:
        type: time:sleep
        name: wait_autokey_config
        properties:
          createDuration: 10s
        options:
          dependson:
            - ${autokeyConfig}
      example-keyhandle:
        type: gcp:kms:KeyHandle
        properties:
          project: ${resourceProject.projectId}
          name: tf-test-key-handle
          location: global
          resourceTypeSelector: storage.googleapis.com/Bucket
        options:
          dependson:
            - ${waitAutokeyConfig}
    

    Create KeyHandle Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new KeyHandle(name: string, args: KeyHandleArgs, opts?: CustomResourceOptions);
    @overload
    def KeyHandle(resource_name: str,
                  args: KeyHandleArgs,
                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def KeyHandle(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  location: Optional[str] = None,
                  resource_type_selector: Optional[str] = None,
                  name: Optional[str] = None,
                  project: Optional[str] = None)
    func NewKeyHandle(ctx *Context, name string, args KeyHandleArgs, opts ...ResourceOption) (*KeyHandle, error)
    public KeyHandle(string name, KeyHandleArgs args, CustomResourceOptions? opts = null)
    public KeyHandle(String name, KeyHandleArgs args)
    public KeyHandle(String name, KeyHandleArgs args, CustomResourceOptions options)
    
    type: gcp:kms:KeyHandle
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args KeyHandleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeyHandleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeyHandleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeyHandleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeyHandleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var keyHandleResource = new Gcp.Kms.KeyHandle("keyHandleResource", new()
    {
        Location = "string",
        ResourceTypeSelector = "string",
        Name = "string",
        Project = "string",
    });
    
    example, err := kms.NewKeyHandle(ctx, "keyHandleResource", &kms.KeyHandleArgs{
    	Location:             pulumi.String("string"),
    	ResourceTypeSelector: pulumi.String("string"),
    	Name:                 pulumi.String("string"),
    	Project:              pulumi.String("string"),
    })
    
    var keyHandleResource = new KeyHandle("keyHandleResource", KeyHandleArgs.builder()
        .location("string")
        .resourceTypeSelector("string")
        .name("string")
        .project("string")
        .build());
    
    key_handle_resource = gcp.kms.KeyHandle("keyHandleResource",
        location="string",
        resource_type_selector="string",
        name="string",
        project="string")
    
    const keyHandleResource = new gcp.kms.KeyHandle("keyHandleResource", {
        location: "string",
        resourceTypeSelector: "string",
        name: "string",
        project: "string",
    });
    
    type: gcp:kms:KeyHandle
    properties:
        location: string
        name: string
        project: string
        resourceTypeSelector: string
    

    KeyHandle Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The KeyHandle resource accepts the following input properties:

    Location string
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    ResourceTypeSelector string
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    Name string
    The resource name for the KeyHandle.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Location string
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    ResourceTypeSelector string
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    Name string
    The resource name for the KeyHandle.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location String
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    resourceTypeSelector String
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    name String
    The resource name for the KeyHandle.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location string
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    resourceTypeSelector string
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    name string
    The resource name for the KeyHandle.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location str
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    resource_type_selector str
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    name str
    The resource name for the KeyHandle.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    location String
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    resourceTypeSelector String
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    name String
    The resource name for the KeyHandle.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the KeyHandle resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    KmsKey string
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    Id string
    The provider-assigned unique ID for this managed resource.
    KmsKey string
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    id String
    The provider-assigned unique ID for this managed resource.
    kmsKey String
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    id string
    The provider-assigned unique ID for this managed resource.
    kmsKey string
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    id str
    The provider-assigned unique ID for this managed resource.
    kms_key str
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    id String
    The provider-assigned unique ID for this managed resource.
    kmsKey String
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff

    Look up Existing KeyHandle Resource

    Get an existing KeyHandle resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeyHandleState, opts?: CustomResourceOptions): KeyHandle
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            kms_key: Optional[str] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            project: Optional[str] = None,
            resource_type_selector: Optional[str] = None) -> KeyHandle
    func GetKeyHandle(ctx *Context, name string, id IDInput, state *KeyHandleState, opts ...ResourceOption) (*KeyHandle, error)
    public static KeyHandle Get(string name, Input<string> id, KeyHandleState? state, CustomResourceOptions? opts = null)
    public static KeyHandle get(String name, Output<String> id, KeyHandleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    KmsKey string
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    Location string
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    Name string
    The resource name for the KeyHandle.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    ResourceTypeSelector string
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    KmsKey string
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    Location string
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    Name string
    The resource name for the KeyHandle.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    ResourceTypeSelector string
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    kmsKey String
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    location String
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    name String
    The resource name for the KeyHandle.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    resourceTypeSelector String
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    kmsKey string
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    location string
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    name string
    The resource name for the KeyHandle.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    resourceTypeSelector string
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    kms_key str
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    location str
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    name str
    The resource name for the KeyHandle.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    resource_type_selector str
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.
    kmsKey String
    A reference to a Cloud KMS CryptoKey that can be used for CMEK in the requested product/project/location, for example projects/1/locations/us-east1/keyRings/foo/cryptoKeys/bar-ffffff
    location String
    The location for the KeyHandle. A full list of valid locations can be found by running gcloud kms locations list.


    name String
    The resource name for the KeyHandle.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    resourceTypeSelector String
    Selector of the resource type where we want to protect resources. For example, storage.googleapis.com/Bucket.

    Import

    KeyHandle can be imported using any of these accepted formats:

    • projects/{{project}}/locations/{{location}}/keyHandles/{{name}}

    • {{project}}/{{location}}/{{name}}

    • {{location}}/{{name}}

    When using the pulumi import command, KeyHandle can be imported using one of the formats above. For example:

    $ pulumi import gcp:kms/keyHandle:KeyHandle default projects/{{project}}/locations/{{location}}/keyHandles/{{name}}
    
    $ pulumi import gcp:kms/keyHandle:KeyHandle default {{project}}/{{location}}/{{name}}
    
    $ pulumi import gcp:kms/keyHandle:KeyHandle default {{location}}/{{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi