import * as pulumi from "@pulumi/pulumi";
/**
* !> **Warning:** This data source is deprecated. Use the `gcp.kms.SecretCiphertext` **resource** instead.
*
* This data source allows you to encrypt data with Google Cloud KMS and use the
* ciphertext within your resource definitions.
*
* For more information see
* [the official documentation](https://cloud.google.com/kms/docs/encrypt-decrypt).
*
* > **NOTE:** Using this data source will allow you to conceal secret data within your
* resource definitions, but it does not take care of protecting that data in the
* logging output, plan output, or state output. Please take care to secure your secret
* data outside of resource definitions.
*
* > **NOTE:** The result type declares a `plaintext` field next to `ciphertext`, so the
* unencrypted value is part of what this invoke returns. Treat the whole result as
* sensitive and pass only `ciphertext` on to other resources, stack outputs or logs.
*
* ## Example Usage
*
* First, create a KMS KeyRing and CryptoKey using the resource definitions:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const myKeyRing = new gcp.kms.KeyRing("my_key_ring", {
*     project: "my-project",
*     name: "my-key-ring",
*     location: "us-central1",
* });
* const myCryptoKey = new gcp.kms.CryptoKey("my_crypto_key", {
*     name: "my-crypto-key",
*     keyRing: myKeyRing.id,
* });
* ```
*
* Next, encrypt some sensitive information and use the encrypted data in your resource definitions:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const myPassword = gcp.kms.getKMSSecretCiphertext({
*     cryptoKey: myCryptoKey.id,
*     // Literal shown for illustration only: a real secret written here is committed
*     // to source control in the clear, which defeats the purpose of encrypting it.
*     plaintext: "my-secret-password",
* });
* const instance = new gcp.compute.Instance("instance", {
*     networkInterfaces: [{
*         accessConfigs: [{}],
*         network: "default",
*     }],
*     name: "test",
*     machineType: "e2-medium",
*     zone: "us-central1-a",
*     bootDisk: {
*         initializeParams: {
*             image: "debian-cloud/debian-11",
*         },
*     },
*     metadata: {
*         password: myPassword.then(myPassword => myPassword.ciphertext),
*     },
* });
* ```
*
* NOTE(review): `myCryptoKey.id` is a `pulumi.Output`, while this Promise-based form
* declares `cryptoKey: string`. When the key id comes from another resource,
* `getKMSSecretCiphertextOutput` takes `pulumi.Input<string>` and accepts it directly.
*
* The resulting instance can then access the encrypted password from its metadata
* and decrypt it, e.g. using the [Cloud SDK](https://cloud.google.com/sdk/gcloud/reference/kms/decrypt).
* Only identities allowed to decrypt with the CryptoKey can recover the password, so
* grant that permission (for example `roles/cloudkms.cryptoKeyDecrypter`) to the
* instance's service account only. Anyone who can read the instance metadata sees the
* ciphertext.
*
* @param args - The CryptoKey id and the plaintext to encrypt.
* @param opts - Optional invoke options.
* @returns A promise for the invoke result; `ciphertext` holds the base64-encoded encryption of `plaintext`.
* @deprecated Use the `gcp.kms.SecretCiphertext` resource instead.
*/
export declare function getKMSSecretCiphertext(args: GetKMSSecretCiphertextArgs, opts?: pulumi.InvokeOptions): Promise<GetKMSSecretCiphertextResult>;
/**
* A collection of arguments for invoking getKMSSecretCiphertext.
*
* Both fields are plain strings, so their values must already be resolved when the
* invoke is called.
*/
export interface GetKMSSecretCiphertextArgs {
/**
* The id of the CryptoKey that will be used to
* encrypt the provided plaintext. This is represented by the format
* `{projectId}/{location}/{keyRingName}/{cryptoKeyName}`.
*/
cryptoKey: string;
/**
* The plaintext to be encrypted.
*
* Sensitive: the data source does not protect this value in logging, plan or state
* output, so avoid hard-coding a real secret here and restrict access to wherever
* those outputs are stored.
*/
plaintext: string;
}
/**
* A collection of values returned by getKMSSecretCiphertext.
*
* The result carries both the ciphertext and a `plaintext` field, so the object as a
* whole is sensitive. Hand only `ciphertext` to other resources.
*/
export interface GetKMSSecretCiphertextResult {
/**
* Contains the result of encrypting the provided plaintext, encoded in base64.
*/
readonly ciphertext: string;
/**
* CryptoKey id associated with this result.
* NOTE(review): presumably the `cryptoKey` argument echoed back; confirm against the provider.
*/
readonly cryptoKey: string;
/**
* The provider-assigned unique ID for this managed resource.
*/
readonly id: string;
/**
* Unencrypted plaintext.
* NOTE(review): presumably the `plaintext` argument echoed back; confirm against the provider.
* Keep this field out of logs, stack outputs and resource properties.
*/
readonly plaintext: string;
}
/**
* !> **Warning:** This data source is deprecated. Use the `gcp.kms.SecretCiphertext` **resource** instead.
*
* This data source allows you to encrypt data with Google Cloud KMS and use the
* ciphertext within your resource definitions.
*
* For more information see
* [the official documentation](https://cloud.google.com/kms/docs/encrypt-decrypt).
*
* > **NOTE:** Using this data source will allow you to conceal secret data within your
* resource definitions, but it does not take care of protecting that data in the
* logging output, plan output, or state output. Please take care to secure your secret
* data outside of resource definitions.
*
* > **NOTE:** The result type declares a `plaintext` field next to `ciphertext`, so the
* unencrypted value is part of what this invoke returns. Treat the whole result as
* sensitive and pass only `ciphertext` on to other resources, stack outputs or logs.
*
* ## Example Usage
*
* First, create a KMS KeyRing and CryptoKey using the resource definitions:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const myKeyRing = new gcp.kms.KeyRing("my_key_ring", {
*     project: "my-project",
*     name: "my-key-ring",
*     location: "us-central1",
* });
* const myCryptoKey = new gcp.kms.CryptoKey("my_crypto_key", {
*     name: "my-crypto-key",
*     keyRing: myKeyRing.id,
* });
* ```
*
* Next, encrypt some sensitive information and use the encrypted data in your resource definitions:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const myPassword = gcp.kms.getKMSSecretCiphertext({
*     cryptoKey: myCryptoKey.id,
*     // Literal shown for illustration only: a real secret written here is committed
*     // to source control in the clear, which defeats the purpose of encrypting it.
*     plaintext: "my-secret-password",
* });
* const instance = new gcp.compute.Instance("instance", {
*     networkInterfaces: [{
*         accessConfigs: [{}],
*         network: "default",
*     }],
*     name: "test",
*     machineType: "e2-medium",
*     zone: "us-central1-a",
*     bootDisk: {
*         initializeParams: {
*             image: "debian-cloud/debian-11",
*         },
*     },
*     metadata: {
*         password: myPassword.then(myPassword => myPassword.ciphertext),
*     },
* });
* ```
*
* NOTE(review): the example above calls the Promise-based `getKMSSecretCiphertext`.
* With this Output form the arguments are `pulumi.Input<string>`, so `myCryptoKey.id`
* and a secret config value (e.g. `new pulumi.Config().requireSecret(...)`) can be
* passed directly, and the ciphertext is read as `myPassword.ciphertext`.
*
* The resulting instance can then access the encrypted password from its metadata
* and decrypt it, e.g. using the [Cloud SDK](https://cloud.google.com/sdk/gcloud/reference/kms/decrypt).
* Only identities allowed to decrypt with the CryptoKey can recover the password, so
* grant that permission (for example `roles/cloudkms.cryptoKeyDecrypter`) to the
* instance's service account only. Anyone who can read the instance metadata sees the
* ciphertext.
*
* @param args - The CryptoKey id and the plaintext to encrypt; each may be a plain value or a `pulumi.Input`.
* @param opts - Optional invoke options.
* @returns An output of the invoke result; `ciphertext` holds the base64-encoded encryption of `plaintext`.
* @deprecated Use the `gcp.kms.SecretCiphertext` resource instead.
*/
export declare function getKMSSecretCiphertextOutput(args: GetKMSSecretCiphertextOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetKMSSecretCiphertextResult>;
/**
* A collection of arguments for invoking getKMSSecretCiphertextOutput.
*
* Each field is a `pulumi.Input<string>`, so it accepts either a plain string or a
* value that resolves later (such as another resource's output).
*/
export interface GetKMSSecretCiphertextOutputArgs {
/**
* The id of the CryptoKey that will be used to
* encrypt the provided plaintext. This is represented by the format
* `{projectId}/{location}/{keyRingName}/{cryptoKeyName}`.
*/
cryptoKey: pulumi.Input<string>;
/**
* The plaintext to be encrypted.
*
* Sensitive: the data source does not protect this value in logging, plan or state
* output. Prefer supplying it from a secret source (for example a secret config
* value) instead of a string literal in the program.
*/
plaintext: pulumi.Input<string>;
}