google_kms_crypto_key resource

Syntax

A google_kms_crypto_key is used to test a Google CryptoKey resource.

Examples

describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: 'kms-key') do
  it { should exist }
  its('crypto_key_name') { should cmp 'kms-key' }
  its('primary_state') { should eq "ENABLED" }
  its('purpose') { should eq "ENCRYPT_DECRYPT" }
  its('next_rotation_time') { should be > Time.now - 100000 }
  its('create_time') { should be > Time.now - 365*60*60*24*10 }
end

describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: "nonexistent") do
  it { should_not exist }
end

Test that a GCP KMS crypto key was created recently

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
end

Test when the next rotation time for a GCP KMS crypto key is scheduled

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('next_rotation_time_date') { should be > Time.now - 100000 }
end

Check that the crypto key purpose is as expected

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('purpose') { should eq "ENCRYPT_DECRYPT" }
end

Check that the crypto key primary is in “ENABLED” state

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('primary_state') { should eq "ENABLED" }
end

Properties

Properties that can be accessed from the google_kms_crypto_key resource:

crypto_key_name
The resource name for the CryptoKey.
create_time
The time that this resource was created on the server. This is in RFC3339 text format.
labels
Labels with user-defined metadata to apply to this resource.
purpose
The immutable purpose of this CryptoKey. See the purpose reference for possible inputs.

Possible values:

  • ENCRYPT_DECRYPT
  • ASYMMETRIC_SIGN
  • ASYMMETRIC_DECRYPT
rotation_period
Every time this period passes, KMS generates a new CryptoKeyVersion and sets it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letter s (seconds). It must be greater than a day (i.e., 86400).
version_template
A template describing settings for new crypto key versions.
  algorithm
  The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.
  protection_level
  The protection level to use when creating a version based on this template.

  Possible values:

    • SOFTWARE
    • HSM
next_rotation_time
The time when KMS will create a new version of this Crypto Key.
key_ring
The KeyRing that this key belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.
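
Added example (plain Ruby, not part of the Chef documentation or the inspec-gcp code): a check that parses the rotation_period format described above and evaluates a key's properties against a rotation policy. The 90-day maximum, the helper names and the sample property hashes are assumptions constructed for illustration.

```ruby
require 'time'

# Assumed policy value (not from the resource docs): rotate at least every 90 days.
MAX_ROTATION_SECONDS = 90 * 86_400

# Parse rotation_period: decimal seconds with up to 9 fractional digits,
# followed by "s" (e.g. "7776000s"). Returns a Float, or nil if malformed.
def rotation_period_seconds(value)
  m = /\A(\d+)(?:\.(\d{1,9}))?s\z/.match(value.to_s)
  m && "#{m[1]}.#{m[2] || 0}".to_f
end

# Evaluate a hash keyed by the resource's property names and return a list
# of findings; an empty list means the key passes.
def crypto_key_findings(key, now: Time.now)
  findings = []
  findings << 'primary version is not ENABLED' unless key[:primary_state] == 'ENABLED'
  # Cloud KMS rotates only symmetric keys automatically, so asymmetric
  # purposes are not expected to carry a rotation schedule.
  return findings unless key[:purpose] == 'ENCRYPT_DECRYPT'

  secs = rotation_period_seconds(key[:rotation_period])
  if secs.nil?
    findings << 'rotation_period missing or malformed'
  elsif secs > MAX_ROTATION_SECONDS
    findings << "rotation_period #{key[:rotation_period]} exceeds #{MAX_ROTATION_SECONDS}s"
  end
  nrt = key[:next_rotation_time]
  if nrt.nil?
    findings << 'next_rotation_time not set'
  elsif (nrt.is_a?(Time) ? nrt : Time.parse(nrt.to_s)) <= now
    findings << 'next_rotation_time is in the past'
  end
  findings
end

# Constructed sample property sets (not real keys).
SAMPLE_NOW = Time.utc(2024, 1, 1)
SYM = { primary_state: 'ENABLED', purpose: 'ENCRYPT_DECRYPT',
        next_rotation_time: '2024-03-01T00:00:00Z' }.freeze
SAMPLE_KEYS = {
  'ok' => SYM.merge(rotation_period: '7776000s'),
  'slow' => SYM.merge(rotation_period: '31536000.5s'),
  'signing' => { primary_state: 'ENABLED', purpose: 'ASYMMETRIC_SIGN' },
  'unrotated' => { primary_state: 'DISABLED', purpose: 'ENCRYPT_DECRYPT' }
}.freeze

SAMPLE_KEYS.each do |name, key|
  puts "#{name}: #{crypto_key_findings(key, now: SAMPLE_NOW).inspect}"
end
```
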

GCP Permissions

Ensure the Cloud Key Management Service (KMS) API is enabled for the current project.

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
https://docs.chef.io/inspec/resources/google_kms_crypto_key/