1. Packages
  2. Mongodbatlas Provider
  3. API Docs
  4. getEncryptionAtRest
MongoDB Atlas v3.20.4 published on Wednesday, Oct 30, 2024 by Pulumi

mongodbatlas.getEncryptionAtRest

Explore with Pulumi AI

mongodbatlas logo
MongoDB Atlas v3.20.4 published on Wednesday, Oct 30, 2024 by Pulumi

    # Data Source: mongodbatlas.EncryptionAtRest

    mongodbatlas.EncryptionAtRest describes encryption at rest configuration for an Atlas project with one of the following providers:

    Amazon Web Services Key Management Service Azure Key Vault Google Cloud KMS

    IMPORTANT By default, Atlas enables encryption at rest for all cluster storage and snapshot volumes.

    IMPORTANT Atlas limits this feature to dedicated cluster tiers of M10 and greater. For more information see: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management

    NOTE: Groups and projects are synonymous terms. You may find groupId in the official documentation.

    Example Usage

    S

    Configuring encryption at rest using customer key management in AWS

    import * as pulumi from "@pulumi/pulumi";
    import * as mongodbatlas from "@pulumi/mongodbatlas";
    
    const setupOnly = new mongodbatlas.CloudProviderAccessSetup("setup_only", {
        projectId: atlasProjectId,
        providerName: "AWS",
    });
    const authRole = new mongodbatlas.CloudProviderAccessAuthorization("auth_role", {
        projectId: atlasProjectId,
        roleId: setupOnly.roleId,
        aws: {
            iamAssumedRoleArn: testRole.arn,
        },
    });
    const testEncryptionAtRest = new mongodbatlas.EncryptionAtRest("test", {
        projectId: atlasProjectId,
        awsKmsConfig: {
            enabled: true,
            customerMasterKeyId: kmsKey.id,
            region: atlasRegion,
            roleId: authRole.roleId,
        },
    });
    const cluster = new mongodbatlas.AdvancedCluster("cluster", {
        projectId: testEncryptionAtRest.projectId,
        name: "MyCluster",
        clusterType: "REPLICASET",
        backupEnabled: true,
        encryptionAtRestProvider: "AWS",
        replicationSpecs: [{
            regionConfigs: [{
                priority: 7,
                providerName: "AWS",
                regionName: "US_EAST_1",
                electableSpecs: {
                    instanceSize: "M10",
                    nodeCount: 3,
                },
            }],
        }],
    });
    const test = mongodbatlas.getEncryptionAtRestOutput({
        projectId: testEncryptionAtRest.projectId,
    });
    export const isAwsKmsEncryptionAtRestValid = test.apply(test => test.awsKmsConfig?.valid);
    
    import pulumi
    import pulumi_mongodbatlas as mongodbatlas
    
    setup_only = mongodbatlas.CloudProviderAccessSetup("setup_only",
        project_id=atlas_project_id,
        provider_name="AWS")
    auth_role = mongodbatlas.CloudProviderAccessAuthorization("auth_role",
        project_id=atlas_project_id,
        role_id=setup_only.role_id,
        aws={
            "iam_assumed_role_arn": test_role["arn"],
        })
    test_encryption_at_rest = mongodbatlas.EncryptionAtRest("test",
        project_id=atlas_project_id,
        aws_kms_config={
            "enabled": True,
            "customer_master_key_id": kms_key["id"],
            "region": atlas_region,
            "role_id": auth_role.role_id,
        })
    cluster = mongodbatlas.AdvancedCluster("cluster",
        project_id=test_encryption_at_rest.project_id,
        name="MyCluster",
        cluster_type="REPLICASET",
        backup_enabled=True,
        encryption_at_rest_provider="AWS",
        replication_specs=[{
            "region_configs": [{
                "priority": 7,
                "provider_name": "AWS",
                "region_name": "US_EAST_1",
                "electable_specs": {
                    "instance_size": "M10",
                    "node_count": 3,
                },
            }],
        }])
    test = mongodbatlas.get_encryption_at_rest_output(project_id=test_encryption_at_rest.project_id)
    pulumi.export("isAwsKmsEncryptionAtRestValid", test.aws_kms_config.valid)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		setupOnly, err := mongodbatlas.NewCloudProviderAccessSetup(ctx, "setup_only", &mongodbatlas.CloudProviderAccessSetupArgs{
    			ProjectId:    pulumi.Any(atlasProjectId),
    			ProviderName: pulumi.String("AWS"),
    		})
    		if err != nil {
    			return err
    		}
    		authRole, err := mongodbatlas.NewCloudProviderAccessAuthorization(ctx, "auth_role", &mongodbatlas.CloudProviderAccessAuthorizationArgs{
    			ProjectId: pulumi.Any(atlasProjectId),
    			RoleId:    setupOnly.RoleId,
    			Aws: &mongodbatlas.CloudProviderAccessAuthorizationAwsArgs{
    				IamAssumedRoleArn: pulumi.Any(testRole.Arn),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		testEncryptionAtRest, err := mongodbatlas.NewEncryptionAtRest(ctx, "test", &mongodbatlas.EncryptionAtRestArgs{
    			ProjectId: pulumi.Any(atlasProjectId),
    			AwsKmsConfig: &mongodbatlas.EncryptionAtRestAwsKmsConfigArgs{
    				Enabled:             pulumi.Bool(true),
    				CustomerMasterKeyId: pulumi.Any(kmsKey.Id),
    				Region:              pulumi.Any(atlasRegion),
    				RoleId:              authRole.RoleId,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = mongodbatlas.NewAdvancedCluster(ctx, "cluster", &mongodbatlas.AdvancedClusterArgs{
    			ProjectId:                testEncryptionAtRest.ProjectId,
    			Name:                     pulumi.String("MyCluster"),
    			ClusterType:              pulumi.String("REPLICASET"),
    			BackupEnabled:            pulumi.Bool(true),
    			EncryptionAtRestProvider: pulumi.String("AWS"),
    			ReplicationSpecs: mongodbatlas.AdvancedClusterReplicationSpecArray{
    				&mongodbatlas.AdvancedClusterReplicationSpecArgs{
    					RegionConfigs: mongodbatlas.AdvancedClusterReplicationSpecRegionConfigArray{
    						&mongodbatlas.AdvancedClusterReplicationSpecRegionConfigArgs{
    							Priority:     pulumi.Int(7),
    							ProviderName: pulumi.String("AWS"),
    							RegionName:   pulumi.String("US_EAST_1"),
    							ElectableSpecs: &mongodbatlas.AdvancedClusterReplicationSpecRegionConfigElectableSpecsArgs{
    								InstanceSize: pulumi.String("M10"),
    								NodeCount:    pulumi.Int(3),
    							},
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		test := mongodbatlas.LookupEncryptionAtRestOutput(ctx, mongodbatlas.GetEncryptionAtRestOutputArgs{
    			ProjectId: testEncryptionAtRest.ProjectId,
    		}, nil)
    		ctx.Export("isAwsKmsEncryptionAtRestValid", test.ApplyT(func(test mongodbatlas.GetEncryptionAtRestResult) (*bool, error) {
    			return &test.AwsKmsConfig.Valid, nil
    		}).(pulumi.BoolPtrOutput))
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Mongodbatlas = Pulumi.Mongodbatlas;
    
    return await Deployment.RunAsync(() => 
    {
        var setupOnly = new Mongodbatlas.CloudProviderAccessSetup("setup_only", new()
        {
            ProjectId = atlasProjectId,
            ProviderName = "AWS",
        });
    
        var authRole = new Mongodbatlas.CloudProviderAccessAuthorization("auth_role", new()
        {
            ProjectId = atlasProjectId,
            RoleId = setupOnly.RoleId,
            Aws = new Mongodbatlas.Inputs.CloudProviderAccessAuthorizationAwsArgs
            {
                IamAssumedRoleArn = testRole.Arn,
            },
        });
    
        var testEncryptionAtRest = new Mongodbatlas.EncryptionAtRest("test", new()
        {
            ProjectId = atlasProjectId,
            AwsKmsConfig = new Mongodbatlas.Inputs.EncryptionAtRestAwsKmsConfigArgs
            {
                Enabled = true,
                CustomerMasterKeyId = kmsKey.Id,
                Region = atlasRegion,
                RoleId = authRole.RoleId,
            },
        });
    
        var cluster = new Mongodbatlas.AdvancedCluster("cluster", new()
        {
            ProjectId = testEncryptionAtRest.ProjectId,
            Name = "MyCluster",
            ClusterType = "REPLICASET",
            BackupEnabled = true,
            EncryptionAtRestProvider = "AWS",
            ReplicationSpecs = new[]
            {
                new Mongodbatlas.Inputs.AdvancedClusterReplicationSpecArgs
                {
                    RegionConfigs = new[]
                    {
                        new Mongodbatlas.Inputs.AdvancedClusterReplicationSpecRegionConfigArgs
                        {
                            Priority = 7,
                            ProviderName = "AWS",
                            RegionName = "US_EAST_1",
                            ElectableSpecs = new Mongodbatlas.Inputs.AdvancedClusterReplicationSpecRegionConfigElectableSpecsArgs
                            {
                                InstanceSize = "M10",
                                NodeCount = 3,
                            },
                        },
                    },
                },
            },
        });
    
        var test = Mongodbatlas.GetEncryptionAtRest.Invoke(new()
        {
            ProjectId = testEncryptionAtRest.ProjectId,
        });
    
        return new Dictionary<string, object?>
        {
            ["isAwsKmsEncryptionAtRestValid"] = test.Apply(getEncryptionAtRestResult => getEncryptionAtRestResult.AwsKmsConfig?.Valid),
        };
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.mongodbatlas.CloudProviderAccessSetup;
    import com.pulumi.mongodbatlas.CloudProviderAccessSetupArgs;
    import com.pulumi.mongodbatlas.CloudProviderAccessAuthorization;
    import com.pulumi.mongodbatlas.CloudProviderAccessAuthorizationArgs;
    import com.pulumi.mongodbatlas.inputs.CloudProviderAccessAuthorizationAwsArgs;
    import com.pulumi.mongodbatlas.EncryptionAtRest;
    import com.pulumi.mongodbatlas.EncryptionAtRestArgs;
    import com.pulumi.mongodbatlas.inputs.EncryptionAtRestAwsKmsConfigArgs;
    import com.pulumi.mongodbatlas.AdvancedCluster;
    import com.pulumi.mongodbatlas.AdvancedClusterArgs;
    import com.pulumi.mongodbatlas.inputs.AdvancedClusterReplicationSpecArgs;
    import com.pulumi.mongodbatlas.MongodbatlasFunctions;
    import com.pulumi.mongodbatlas.inputs.GetEncryptionAtRestArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var setupOnly = new CloudProviderAccessSetup("setupOnly", CloudProviderAccessSetupArgs.builder()
                .projectId(atlasProjectId)
                .providerName("AWS")
                .build());
    
            var authRole = new CloudProviderAccessAuthorization("authRole", CloudProviderAccessAuthorizationArgs.builder()
                .projectId(atlasProjectId)
                .roleId(setupOnly.roleId())
                .aws(CloudProviderAccessAuthorizationAwsArgs.builder()
                    .iamAssumedRoleArn(testRole.arn())
                    .build())
                .build());
    
            var testEncryptionAtRest = new EncryptionAtRest("testEncryptionAtRest", EncryptionAtRestArgs.builder()
                .projectId(atlasProjectId)
                .awsKmsConfig(EncryptionAtRestAwsKmsConfigArgs.builder()
                    .enabled(true)
                    .customerMasterKeyId(kmsKey.id())
                    .region(atlasRegion)
                    .roleId(authRole.roleId())
                    .build())
                .build());
    
            var cluster = new AdvancedCluster("cluster", AdvancedClusterArgs.builder()
                .projectId(testEncryptionAtRest.projectId())
                .name("MyCluster")
                .clusterType("REPLICASET")
                .backupEnabled(true)
                .encryptionAtRestProvider("AWS")
                .replicationSpecs(AdvancedClusterReplicationSpecArgs.builder()
                    .regionConfigs(AdvancedClusterReplicationSpecRegionConfigArgs.builder()
                        .priority(7)
                        .providerName("AWS")
                        .regionName("US_EAST_1")
                        .electableSpecs(AdvancedClusterReplicationSpecRegionConfigElectableSpecsArgs.builder()
                            .instanceSize("M10")
                            .nodeCount(3)
                            .build())
                        .build())
                    .build())
                .build());
    
            final var test = MongodbatlasFunctions.getEncryptionAtRest(GetEncryptionAtRestArgs.builder()
                .projectId(testEncryptionAtRest.projectId())
                .build());
    
            ctx.export("isAwsKmsEncryptionAtRestValid", test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult).applyValue(test -> test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult.awsKmsConfig().valid())));
        }
    }
    
    resources:
      setupOnly:
        type: mongodbatlas:CloudProviderAccessSetup
        name: setup_only
        properties:
          projectId: ${atlasProjectId}
          providerName: AWS
      authRole:
        type: mongodbatlas:CloudProviderAccessAuthorization
        name: auth_role
        properties:
          projectId: ${atlasProjectId}
          roleId: ${setupOnly.roleId}
          aws:
            iamAssumedRoleArn: ${testRole.arn}
      testEncryptionAtRest:
        type: mongodbatlas:EncryptionAtRest
        name: test
        properties:
          projectId: ${atlasProjectId}
          awsKmsConfig:
            enabled: true
            customerMasterKeyId: ${kmsKey.id}
            region: ${atlasRegion}
            roleId: ${authRole.roleId}
      cluster:
        type: mongodbatlas:AdvancedCluster
        properties:
          projectId: ${testEncryptionAtRest.projectId}
          name: MyCluster
          clusterType: REPLICASET
          backupEnabled: true
          encryptionAtRestProvider: AWS
          replicationSpecs:
            - regionConfigs:
                - priority: 7
                  providerName: AWS
                  regionName: US_EAST_1
                  electableSpecs:
                    instanceSize: M10
                    nodeCount: 3
    variables:
      test:
        fn::invoke:
          Function: mongodbatlas:getEncryptionAtRest
          Arguments:
            projectId: ${testEncryptionAtRest.projectId}
    outputs:
      isAwsKmsEncryptionAtRestValid: ${test.awsKmsConfig.valid}
    

    Configuring encryption at rest using customer key management in Azure

    import * as pulumi from "@pulumi/pulumi";
    import * as mongodbatlas from "@pulumi/mongodbatlas";
    
    const testEncryptionAtRest = new mongodbatlas.EncryptionAtRest("test", {
        projectId: atlasProjectId,
        azureKeyVaultConfig: {
            enabled: true,
            azureEnvironment: "AZURE",
            tenantId: azureTenantId,
            subscriptionId: azureSubscriptionId,
            clientId: azureClientId,
            secret: azureClientSecret,
            resourceGroupName: azureResourceGroupName,
            keyVaultName: azureKeyVaultName,
            keyIdentifier: azureKeyIdentifier,
        },
    });
    const test = mongodbatlas.getEncryptionAtRestOutput({
        projectId: testEncryptionAtRest.projectId,
    });
    export const isAzureEncryptionAtRestValid = test.apply(test => test.azureKeyVaultConfig?.valid);
    
    import pulumi
    import pulumi_mongodbatlas as mongodbatlas
    
    test_encryption_at_rest = mongodbatlas.EncryptionAtRest("test",
        project_id=atlas_project_id,
        azure_key_vault_config={
            "enabled": True,
            "azure_environment": "AZURE",
            "tenant_id": azure_tenant_id,
            "subscription_id": azure_subscription_id,
            "client_id": azure_client_id,
            "secret": azure_client_secret,
            "resource_group_name": azure_resource_group_name,
            "key_vault_name": azure_key_vault_name,
            "key_identifier": azure_key_identifier,
        })
    test = mongodbatlas.get_encryption_at_rest_output(project_id=test_encryption_at_rest.project_id)
    pulumi.export("isAzureEncryptionAtRestValid", test.azure_key_vault_config.valid)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		testEncryptionAtRest, err := mongodbatlas.NewEncryptionAtRest(ctx, "test", &mongodbatlas.EncryptionAtRestArgs{
    			ProjectId: pulumi.Any(atlasProjectId),
    			AzureKeyVaultConfig: &mongodbatlas.EncryptionAtRestAzureKeyVaultConfigArgs{
    				Enabled:           pulumi.Bool(true),
    				AzureEnvironment:  pulumi.String("AZURE"),
    				TenantId:          pulumi.Any(azureTenantId),
    				SubscriptionId:    pulumi.Any(azureSubscriptionId),
    				ClientId:          pulumi.Any(azureClientId),
    				Secret:            pulumi.Any(azureClientSecret),
    				ResourceGroupName: pulumi.Any(azureResourceGroupName),
    				KeyVaultName:      pulumi.Any(azureKeyVaultName),
    				KeyIdentifier:     pulumi.Any(azureKeyIdentifier),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		test := mongodbatlas.LookupEncryptionAtRestOutput(ctx, mongodbatlas.GetEncryptionAtRestOutputArgs{
    			ProjectId: testEncryptionAtRest.ProjectId,
    		}, nil)
    		ctx.Export("isAzureEncryptionAtRestValid", test.ApplyT(func(test mongodbatlas.GetEncryptionAtRestResult) (*bool, error) {
    			return &test.AzureKeyVaultConfig.Valid, nil
    		}).(pulumi.BoolPtrOutput))
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Mongodbatlas = Pulumi.Mongodbatlas;
    
    return await Deployment.RunAsync(() => 
    {
        var testEncryptionAtRest = new Mongodbatlas.EncryptionAtRest("test", new()
        {
            ProjectId = atlasProjectId,
            AzureKeyVaultConfig = new Mongodbatlas.Inputs.EncryptionAtRestAzureKeyVaultConfigArgs
            {
                Enabled = true,
                AzureEnvironment = "AZURE",
                TenantId = azureTenantId,
                SubscriptionId = azureSubscriptionId,
                ClientId = azureClientId,
                Secret = azureClientSecret,
                ResourceGroupName = azureResourceGroupName,
                KeyVaultName = azureKeyVaultName,
                KeyIdentifier = azureKeyIdentifier,
            },
        });
    
        var test = Mongodbatlas.GetEncryptionAtRest.Invoke(new()
        {
            ProjectId = testEncryptionAtRest.ProjectId,
        });
    
        return new Dictionary<string, object?>
        {
            ["isAzureEncryptionAtRestValid"] = test.Apply(getEncryptionAtRestResult => getEncryptionAtRestResult.AzureKeyVaultConfig?.Valid),
        };
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.mongodbatlas.EncryptionAtRest;
    import com.pulumi.mongodbatlas.EncryptionAtRestArgs;
    import com.pulumi.mongodbatlas.inputs.EncryptionAtRestAzureKeyVaultConfigArgs;
    import com.pulumi.mongodbatlas.MongodbatlasFunctions;
    import com.pulumi.mongodbatlas.inputs.GetEncryptionAtRestArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var testEncryptionAtRest = new EncryptionAtRest("testEncryptionAtRest", EncryptionAtRestArgs.builder()
                .projectId(atlasProjectId)
                .azureKeyVaultConfig(EncryptionAtRestAzureKeyVaultConfigArgs.builder()
                    .enabled(true)
                    .azureEnvironment("AZURE")
                    .tenantId(azureTenantId)
                    .subscriptionId(azureSubscriptionId)
                    .clientId(azureClientId)
                    .secret(azureClientSecret)
                    .resourceGroupName(azureResourceGroupName)
                    .keyVaultName(azureKeyVaultName)
                    .keyIdentifier(azureKeyIdentifier)
                    .build())
                .build());
    
            final var test = MongodbatlasFunctions.getEncryptionAtRest(GetEncryptionAtRestArgs.builder()
                .projectId(testEncryptionAtRest.projectId())
                .build());
    
            ctx.export("isAzureEncryptionAtRestValid", test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult).applyValue(test -> test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult.azureKeyVaultConfig().valid())));
        }
    }
    
    resources:
      testEncryptionAtRest:
        type: mongodbatlas:EncryptionAtRest
        name: test
        properties:
          projectId: ${atlasProjectId}
          azureKeyVaultConfig:
            enabled: true
            azureEnvironment: AZURE
            tenantId: ${azureTenantId}
            subscriptionId: ${azureSubscriptionId}
            clientId: ${azureClientId}
            secret: ${azureClientSecret}
            resourceGroupName: ${azureResourceGroupName}
            keyVaultName: ${azureKeyVaultName}
            keyIdentifier: ${azureKeyIdentifier}
    variables:
      test:
        fn::invoke:
          Function: mongodbatlas:getEncryptionAtRest
          Arguments:
            projectId: ${testEncryptionAtRest.projectId}
    outputs:
      isAzureEncryptionAtRestValid: ${test.azureKeyVaultConfig.valid}
    

    NOTE: It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review mongodbatlas.EncryptionAtRestPrivateEndpoint resource for details.

    Configuring encryption at rest using customer key management in GCP

    import * as pulumi from "@pulumi/pulumi";
    import * as mongodbatlas from "@pulumi/mongodbatlas";
    
    const testEncryptionAtRest = new mongodbatlas.EncryptionAtRest("test", {
        projectId: atlasProjectId,
        googleCloudKmsConfig: {
            enabled: true,
            serviceAccountKey: "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
            keyVersionResourceId: "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
        },
    });
    const test = mongodbatlas.getEncryptionAtRestOutput({
        projectId: testEncryptionAtRest.projectId,
    });
    export const isGcpEncryptionAtRestValid = test.apply(test => test.googleCloudKmsConfig?.valid);
    
    import pulumi
    import pulumi_mongodbatlas as mongodbatlas
    
    test_encryption_at_rest = mongodbatlas.EncryptionAtRest("test",
        project_id=atlas_project_id,
        google_cloud_kms_config={
            "enabled": True,
            "service_account_key": "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
            "key_version_resource_id": "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
        })
    test = mongodbatlas.get_encryption_at_rest_output(project_id=test_encryption_at_rest.project_id)
    pulumi.export("isGcpEncryptionAtRestValid", test.google_cloud_kms_config.valid)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		testEncryptionAtRest, err := mongodbatlas.NewEncryptionAtRest(ctx, "test", &mongodbatlas.EncryptionAtRestArgs{
    			ProjectId: pulumi.Any(atlasProjectId),
    			GoogleCloudKmsConfig: &mongodbatlas.EncryptionAtRestGoogleCloudKmsConfigArgs{
    				Enabled:              pulumi.Bool(true),
    				ServiceAccountKey:    pulumi.String("{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}"),
    				KeyVersionResourceId: pulumi.String("projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		test := mongodbatlas.LookupEncryptionAtRestOutput(ctx, mongodbatlas.GetEncryptionAtRestOutputArgs{
    			ProjectId: testEncryptionAtRest.ProjectId,
    		}, nil)
    		ctx.Export("isGcpEncryptionAtRestValid", test.ApplyT(func(test mongodbatlas.GetEncryptionAtRestResult) (*bool, error) {
    			return &test.GoogleCloudKmsConfig.Valid, nil
    		}).(pulumi.BoolPtrOutput))
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Mongodbatlas = Pulumi.Mongodbatlas;
    
    return await Deployment.RunAsync(() => 
    {
        var testEncryptionAtRest = new Mongodbatlas.EncryptionAtRest("test", new()
        {
            ProjectId = atlasProjectId,
            GoogleCloudKmsConfig = new Mongodbatlas.Inputs.EncryptionAtRestGoogleCloudKmsConfigArgs
            {
                Enabled = true,
                ServiceAccountKey = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
                KeyVersionResourceId = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
            },
        });
    
        var test = Mongodbatlas.GetEncryptionAtRest.Invoke(new()
        {
            ProjectId = testEncryptionAtRest.ProjectId,
        });
    
        return new Dictionary<string, object?>
        {
            ["isGcpEncryptionAtRestValid"] = test.Apply(getEncryptionAtRestResult => getEncryptionAtRestResult.GoogleCloudKmsConfig?.Valid),
        };
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.mongodbatlas.EncryptionAtRest;
    import com.pulumi.mongodbatlas.EncryptionAtRestArgs;
    import com.pulumi.mongodbatlas.inputs.EncryptionAtRestGoogleCloudKmsConfigArgs;
    import com.pulumi.mongodbatlas.MongodbatlasFunctions;
    import com.pulumi.mongodbatlas.inputs.GetEncryptionAtRestArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var testEncryptionAtRest = new EncryptionAtRest("testEncryptionAtRest", EncryptionAtRestArgs.builder()
                .projectId(atlasProjectId)
                .googleCloudKmsConfig(EncryptionAtRestGoogleCloudKmsConfigArgs.builder()
                    .enabled(true)
                    .serviceAccountKey("{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}")
                    .keyVersionResourceId("projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1")
                    .build())
                .build());
    
            final var test = MongodbatlasFunctions.getEncryptionAtRest(GetEncryptionAtRestArgs.builder()
                .projectId(testEncryptionAtRest.projectId())
                .build());
    
            ctx.export("isGcpEncryptionAtRestValid", test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult).applyValue(test -> test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult.googleCloudKmsConfig().valid())));
        }
    }
    
    resources:
      testEncryptionAtRest:
        type: mongodbatlas:EncryptionAtRest
        name: test
        properties:
          projectId: ${atlasProjectId}
          googleCloudKmsConfig:
            enabled: true
            serviceAccountKey: '{"type": "service_account","project_id": "my-project-common-0","private_key_id": "e120598ea4f88249469fcdd75a9a785c1bb3","private_key": "-----BEGIN PRIVATE KEY-----\nMIIEuwIBA(truncated)SfecnS0mT94D9\n-----END PRIVATE KEY-----\n","client_email": "my-email-kms-0@my-project-common-0.iam.gserviceaccount.com","client_id": "10180967717292066","auth_uri": "https://accounts.google.com/o/oauth2/auth","token_uri": "https://accounts.google.com/o/oauth2/token","auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com"}'
            keyVersionResourceId: projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1
    variables:
      test:
        fn::invoke:
          Function: mongodbatlas:getEncryptionAtRest
          Arguments:
            projectId: ${testEncryptionAtRest.projectId}
    outputs:
      isGcpEncryptionAtRestValid: ${test.googleCloudKmsConfig.valid}
    

    Using getEncryptionAtRest

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getEncryptionAtRest(args: GetEncryptionAtRestArgs, opts?: InvokeOptions): Promise<GetEncryptionAtRestResult>
    function getEncryptionAtRestOutput(args: GetEncryptionAtRestOutputArgs, opts?: InvokeOptions): Output<GetEncryptionAtRestResult>
    def get_encryption_at_rest(project_id: Optional[str] = None,
                               opts: Optional[InvokeOptions] = None) -> GetEncryptionAtRestResult
    def get_encryption_at_rest_output(project_id: Optional[pulumi.Input[str]] = None,
                               opts: Optional[InvokeOptions] = None) -> Output[GetEncryptionAtRestResult]
    func LookupEncryptionAtRest(ctx *Context, args *LookupEncryptionAtRestArgs, opts ...InvokeOption) (*LookupEncryptionAtRestResult, error)
    func LookupEncryptionAtRestOutput(ctx *Context, args *LookupEncryptionAtRestOutputArgs, opts ...InvokeOption) LookupEncryptionAtRestResultOutput

    > Note: This function is named LookupEncryptionAtRest in the Go SDK.

    public static class GetEncryptionAtRest 
    {
        public static Task<GetEncryptionAtRestResult> InvokeAsync(GetEncryptionAtRestArgs args, InvokeOptions? opts = null)
        public static Output<GetEncryptionAtRestResult> Invoke(GetEncryptionAtRestInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetEncryptionAtRestResult> getEncryptionAtRest(GetEncryptionAtRestArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: mongodbatlas:index/getEncryptionAtRest:getEncryptionAtRest
      arguments:
        # arguments dictionary

    The following arguments are supported:

    ProjectId string
    Unique 24-hexadecimal digit string that identifies your project.
    ProjectId string
    Unique 24-hexadecimal digit string that identifies your project.
    projectId String
    Unique 24-hexadecimal digit string that identifies your project.
    projectId string
    Unique 24-hexadecimal digit string that identifies your project.
    project_id str
    Unique 24-hexadecimal digit string that identifies your project.
    projectId String
    Unique 24-hexadecimal digit string that identifies your project.

    getEncryptionAtRest Result

    The following output properties are available:

    AwsKmsConfig GetEncryptionAtRestAwsKmsConfig
    Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
    AzureKeyVaultConfig GetEncryptionAtRestAzureKeyVaultConfig
    Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
    GoogleCloudKmsConfig GetEncryptionAtRestGoogleCloudKmsConfig
    Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
    Id string
    The ID of this resource.
    ProjectId string
    Unique 24-hexadecimal digit string that identifies your project.
    AwsKmsConfig GetEncryptionAtRestAwsKmsConfig
    Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
    AzureKeyVaultConfig GetEncryptionAtRestAzureKeyVaultConfig
    Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
    GoogleCloudKmsConfig GetEncryptionAtRestGoogleCloudKmsConfig
    Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
    Id string
    The ID of this resource.
    ProjectId string
    Unique 24-hexadecimal digit string that identifies your project.
    awsKmsConfig GetEncryptionAtRestAwsKmsConfig
    Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
    azureKeyVaultConfig GetEncryptionAtRestAzureKeyVaultConfig
    Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
    googleCloudKmsConfig GetEncryptionAtRestGoogleCloudKmsConfig
    Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
    id String
    The ID of this resource.
    projectId String
    Unique 24-hexadecimal digit string that identifies your project.
    awsKmsConfig GetEncryptionAtRestAwsKmsConfig
    Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
    azureKeyVaultConfig GetEncryptionAtRestAzureKeyVaultConfig
    Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
    googleCloudKmsConfig GetEncryptionAtRestGoogleCloudKmsConfig
    Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
    id string
    The ID of this resource.
    projectId string
    Unique 24-hexadecimal digit string that identifies your project.
    aws_kms_config GetEncryptionAtRestAwsKmsConfig
    Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
    azure_key_vault_config GetEncryptionAtRestAzureKeyVaultConfig
    Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
    google_cloud_kms_config GetEncryptionAtRestGoogleCloudKmsConfig
    Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
    id str
    The ID of this resource.
    project_id str
    Unique 24-hexadecimal digit string that identifies your project.
    awsKmsConfig Property Map
    Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
    azureKeyVaultConfig Property Map
    Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
    googleCloudKmsConfig Property Map
    Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
    id String
    The ID of this resource.
    projectId String
    Unique 24-hexadecimal digit string that identifies your project.

    Supporting Types

    GetEncryptionAtRestAwsKmsConfig

    AccessKeyId string
    Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
    CustomerMasterKeyId string
    Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
    Enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    Region string
    Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
    RoleId string
    Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
    SecretAccessKey string
    Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
    Valid bool
    Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
    AccessKeyId string
    Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
    CustomerMasterKeyId string
    Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
    Enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    Region string
    Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
    RoleId string
    Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
    SecretAccessKey string
    Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
    Valid bool
    Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
    accessKeyId String
    Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
    customerMasterKeyId String
    Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
    enabled Boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    region String
    Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
    roleId String
    Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
    secretAccessKey String
    Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
    valid Boolean
    Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
    accessKeyId string
    Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
    customerMasterKeyId string
    Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
    enabled boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    region string
    Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
    roleId string
    Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
    secretAccessKey string
    Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
    valid boolean
    Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
    access_key_id str
    Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
    customer_master_key_id str
    Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
    enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    region str
    Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
    role_id str
    Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
    secret_access_key str
    Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
    valid bool
    Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
    accessKeyId String
    Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
    customerMasterKeyId String
    Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
    enabled Boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    region String
    Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
    roleId String
    Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
    secretAccessKey String
    Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
    valid Boolean
    Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

    GetEncryptionAtRestAzureKeyVaultConfig

    AzureEnvironment string
    Azure environment in which your account credentials reside.
    ClientId string
    Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
    Enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    KeyIdentifier string
    Web address with a unique key that identifies for your Azure Key Vault.
    KeyVaultName string
    Unique string that identifies the Azure Key Vault that contains your key.
    RequirePrivateNetworking bool
    Enable connection to your Azure Key Vault over private networking.
    ResourceGroupName string
    Name of the Azure resource group that contains your Azure Key Vault.
    Secret string
    Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
    SubscriptionId string
    Unique 36-hexadecimal character string that identifies your Azure subscription.
    TenantId string
    Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
    Valid bool
    Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
    AzureEnvironment string
    Azure environment in which your account credentials reside.
    ClientId string
    Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
    Enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    KeyIdentifier string
    Web address with a unique key that identifies for your Azure Key Vault.
    KeyVaultName string
    Unique string that identifies the Azure Key Vault that contains your key.
    RequirePrivateNetworking bool
    Enable connection to your Azure Key Vault over private networking.
    ResourceGroupName string
    Name of the Azure resource group that contains your Azure Key Vault.
    Secret string
    Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
    SubscriptionId string
    Unique 36-hexadecimal character string that identifies your Azure subscription.
    TenantId string
    Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
    Valid bool
    Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
    azureEnvironment String
    Azure environment in which your account credentials reside.
    clientId String
    Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
    enabled Boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    keyIdentifier String
    Web address with a unique key that identifies for your Azure Key Vault.
    keyVaultName String
    Unique string that identifies the Azure Key Vault that contains your key.
    requirePrivateNetworking Boolean
    Enable connection to your Azure Key Vault over private networking.
    resourceGroupName String
    Name of the Azure resource group that contains your Azure Key Vault.
    secret String
    Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
    subscriptionId String
    Unique 36-hexadecimal character string that identifies your Azure subscription.
    tenantId String
    Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
    valid Boolean
    Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
    azureEnvironment string
    Azure environment in which your account credentials reside.
    clientId string
    Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
    enabled boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    keyIdentifier string
    Web address with a unique key that identifies for your Azure Key Vault.
    keyVaultName string
    Unique string that identifies the Azure Key Vault that contains your key.
    requirePrivateNetworking boolean
    Enable connection to your Azure Key Vault over private networking.
    resourceGroupName string
    Name of the Azure resource group that contains your Azure Key Vault.
    secret string
    Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
    subscriptionId string
    Unique 36-hexadecimal character string that identifies your Azure subscription.
    tenantId string
    Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
    valid boolean
    Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
    azure_environment str
    Azure environment in which your account credentials reside.
    client_id str
    Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
    enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    key_identifier str
    Web address with a unique key that identifies for your Azure Key Vault.
    key_vault_name str
    Unique string that identifies the Azure Key Vault that contains your key.
    require_private_networking bool
    Enable connection to your Azure Key Vault over private networking.
    resource_group_name str
    Name of the Azure resource group that contains your Azure Key Vault.
    secret str
    Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
    subscription_id str
    Unique 36-hexadecimal character string that identifies your Azure subscription.
    tenant_id str
    Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
    valid bool
    Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
    azureEnvironment String
    Azure environment in which your account credentials reside.
    clientId String
    Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
    enabled Boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    keyIdentifier String
    Web address with a unique key that identifies for your Azure Key Vault.
    keyVaultName String
    Unique string that identifies the Azure Key Vault that contains your key.
    requirePrivateNetworking Boolean
    Enable connection to your Azure Key Vault over private networking.
    resourceGroupName String
    Name of the Azure resource group that contains your Azure Key Vault.
    secret String
    Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
    subscriptionId String
    Unique 36-hexadecimal character string that identifies your Azure subscription.
    tenantId String
    Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
    valid Boolean
    Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

    GetEncryptionAtRestGoogleCloudKmsConfig

    Enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    KeyVersionResourceId string
    Resource path that displays the key version resource ID for your Google Cloud KMS.
    ServiceAccountKey string
    JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
    Valid bool
    Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
    Enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    KeyVersionResourceId string
    Resource path that displays the key version resource ID for your Google Cloud KMS.
    ServiceAccountKey string
    JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
    Valid bool
    Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
    enabled Boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    keyVersionResourceId String
    Resource path that displays the key version resource ID for your Google Cloud KMS.
    serviceAccountKey String
    JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
    valid Boolean
    Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
    enabled boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    keyVersionResourceId string
    Resource path that displays the key version resource ID for your Google Cloud KMS.
    serviceAccountKey string
    JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
    valid boolean
    Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
    enabled bool
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    key_version_resource_id str
    Resource path that displays the key version resource ID for your Google Cloud KMS.
    service_account_key str
    JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
    valid bool
    Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
    enabled Boolean
    Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
    keyVersionResourceId String
    Resource path that displays the key version resource ID for your Google Cloud KMS.
    serviceAccountKey String
    JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
    valid Boolean
    Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.

    Package Details

    Repository
    MongoDB Atlas pulumi/pulumi-mongodbatlas
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the mongodbatlas Terraform Provider.
    mongodbatlas logo
    MongoDB Atlas v3.20.4 published on Wednesday, Oct 30, 2024 by Pulumi