google_kms_crypto_key resource
Syntax
A google_kms_crypto_key is used to test a Google CryptoKey resource.
Examples
describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: 'kms-key') do
  it { should exist }
  its('crypto_key_name') { should cmp 'kms-key' }
  its('primary_state') { should eq "ENABLED" }
  its('purpose') { should eq "ENCRYPT_DECRYPT" }
  its('next_rotation_time') { should be > Time.now - 100000 }
  its('create_time') { should be > Time.now - 365*60*60*24*10 }
end

describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: "nonexistent") do
  it { should_not exist }
end
Test that a GCP KMS crypto key was created recently
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
end
Test when the next rotation time for a GCP KMS crypto key is scheduled
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('next_rotation_time_date') { should be > Time.now - 100000 }
end
Check that the crypto key purpose is as expected
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('purpose') { should eq "ENCRYPT_DECRYPT" }
end
Check that the crypto key primary is in “ENABLED” state
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('primary_state') { should eq "ENABLED" }
end
Properties
Properties that can be accessed from the google_kms_crypto_key resource:
crypto_key_name
- The resource name for the CryptoKey.
create_time
- The time that this resource was created on the server. This is in RFC3339 text format.
labels
- Labels with user-defined metadata to apply to this resource.
purpose
- The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.
Possible values:
- ENCRYPT_DECRYPT
- ASYMMETRIC_SIGN
- ASYMMETRIC_DECRYPT
rotation_period
- Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400).
version_template
- A template describing settings for new crypto key versions.
  algorithm
  - The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
  protection_level
  - The protection level to use when creating a version based on this template.
  Possible values:
  - SOFTWARE
  - HSM
next_rotation_time
- The time when KMS will create a new version of this Crypto Key.
key_ring
- The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
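The rotation_period format and the RFC3339 next_rotation_time described above can be checked together against a rotation policy. The following Ruby is an added example, not part of the original page or of the inspec-gcp project; the function names, the 90-day ceiling and the sample key values are assumptions made up for illustration, and the inputs are taken to be the raw string values of those two properties.

```ruby
require 'time'

# rotation_period format per the Properties section: decimal seconds, up to 9 fractional digits, then "s".
ROTATION_PERIOD_RE = /\A(\d+)(?:\.(\d{1,9}))?s\z/
MIN_ROTATION_SECONDS = 86_400       # one-day lower bound given on the page
MAX_ROTATION_SECONDS = 90 * 86_400  # assumed policy ceiling, not from the page

# Returns the period as an exact Rational number of seconds, or nil if malformed.
def parse_rotation_period(value)
  m = ROTATION_PERIOD_RE.match(value.to_s)
  m && Rational("#{m[1]}.#{m[2] || '0'}")
end

# Returns a list of findings; an empty list means the key meets the rotation policy.
def rotation_findings(key, now: Time.now.utc, max_seconds: MAX_ROTATION_SECONDS)
  findings = []
  period = parse_rotation_period(key[:rotation_period])
  if key[:rotation_period].nil?
    findings << 'rotation_period is not set'
  elsif period.nil?
    findings << 'rotation_period is malformed'
  elsif period < MIN_ROTATION_SECONDS
    findings << 'rotation_period is below one day'
  elsif period > max_seconds
    findings << 'rotation_period exceeds policy maximum'
  end
  begin
    next_rotation = key[:next_rotation_time] && Time.iso8601(key[:next_rotation_time])
  rescue ArgumentError
    return findings << 'next_rotation_time is not RFC3339'
  end
  if next_rotation.nil?
    findings << 'next_rotation_time is not set'
  elsif next_rotation < now
    findings << 'next_rotation_time is in the past'
  elsif next_rotation - now > max_seconds
    findings << 'next_rotation_time is beyond policy maximum'
  end
  findings
end

# Constructed sample values (not taken from a real project).
SAMPLE_NOW = Time.utc(2024, 1, 1)
SAMPLE_KEYS = {
  'compliant' => { rotation_period: '7776000s', next_rotation_time: '2024-02-15T00:00:00Z' },
  'yearly'    => { rotation_period: '31536000s', next_rotation_time: '2024-12-01T00:00:00Z' },
  'manual'    => { rotation_period: nil, next_rotation_time: nil }
}.freeze
SAMPLE_KEYS.each { |n, k| puts "#{n}: #{rotation_findings(k, now: SAMPLE_NOW)}" } if __FILE__ == $PROGRAM_NAME
```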
GCP Permissions
Ensure the Cloud Key Management Service (KMS) API is enabled for the current project.