Google Cloud v8.21.0, Mar 5 25

Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi

gcp.kms.EkmConnection

Explore with Pulumi AI

Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage

Kms Ekm Connection Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example_ekmconnection = new gcp.kms.EkmConnection("example-ekmconnection", {
    name: "ekmconnection_example",
    location: "us-central1",
    keyManagementMode: "MANUAL",
    serviceResolvers: [{
        serviceDirectoryService: "projects/project_id/locations/us-central1/namespaces/namespace_name/services/service_name",
        hostname: "example-ekm.goog",
        serverCertificates: [{
            rawDer: "==HAwIBCCAr6gAwIBAgIUWR+EV4lqiV7Ql12VY==",
        }],
    }],
});

import pulumi
import pulumi_gcp as gcp

example_ekmconnection = gcp.kms.EkmConnection("example-ekmconnection",
    name="ekmconnection_example",
    location="us-central1",
    key_management_mode="MANUAL",
    service_resolvers=[{
        "service_directory_service": "projects/project_id/locations/us-central1/namespaces/namespace_name/services/service_name",
        "hostname": "example-ekm.goog",
        "server_certificates": [{
            "raw_der": "==HAwIBCCAr6gAwIBAgIUWR+EV4lqiV7Ql12VY==",
        }],
    }])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewEkmConnection(ctx, "example-ekmconnection", &kms.EkmConnectionArgs{
			Name:              pulumi.String("ekmconnection_example"),
			Location:          pulumi.String("us-central1"),
			KeyManagementMode: pulumi.String("MANUAL"),
			ServiceResolvers: kms.EkmConnectionServiceResolverArray{
				&kms.EkmConnectionServiceResolverArgs{
					ServiceDirectoryService: pulumi.String("projects/project_id/locations/us-central1/namespaces/namespace_name/services/service_name"),
					Hostname:                pulumi.String("example-ekm.goog"),
					ServerCertificates: kms.EkmConnectionServiceResolverServerCertificateArray{
						&kms.EkmConnectionServiceResolverServerCertificateArgs{
							RawDer: pulumi.String("==HAwIBCCAr6gAwIBAgIUWR+EV4lqiV7Ql12VY=="),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example_ekmconnection = new Gcp.Kms.EkmConnection("example-ekmconnection", new()
    {
        Name = "ekmconnection_example",
        Location = "us-central1",
        KeyManagementMode = "MANUAL",
        ServiceResolvers = new[]
        {
            new Gcp.Kms.Inputs.EkmConnectionServiceResolverArgs
            {
                ServiceDirectoryService = "projects/project_id/locations/us-central1/namespaces/namespace_name/services/service_name",
                Hostname = "example-ekm.goog",
                ServerCertificates = new[]
                {
                    new Gcp.Kms.Inputs.EkmConnectionServiceResolverServerCertificateArgs
                    {
                        RawDer = "==HAwIBCCAr6gAwIBAgIUWR+EV4lqiV7Ql12VY==",
                    },
                },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.EkmConnection;
import com.pulumi.gcp.kms.EkmConnectionArgs;
import com.pulumi.gcp.kms.inputs.EkmConnectionServiceResolverArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example_ekmconnection = new EkmConnection("example-ekmconnection", EkmConnectionArgs.builder()
            .name("ekmconnection_example")
            .location("us-central1")
            .keyManagementMode("MANUAL")
            .serviceResolvers(EkmConnectionServiceResolverArgs.builder()
                .serviceDirectoryService("projects/project_id/locations/us-central1/namespaces/namespace_name/services/service_name")
                .hostname("example-ekm.goog")
                .serverCertificates(EkmConnectionServiceResolverServerCertificateArgs.builder()
                    .rawDer("==HAwIBCCAr6gAwIBAgIUWR+EV4lqiV7Ql12VY==")
                    .build())
                .build())
            .build());

    }
}

resources:
  example-ekmconnection:
    type: gcp:kms:EkmConnection
    properties:
      name: ekmconnection_example
      location: us-central1
      keyManagementMode: MANUAL
      serviceResolvers:
        - serviceDirectoryService: projects/project_id/locations/us-central1/namespaces/namespace_name/services/service_name
          hostname: example-ekm.goog
          serverCertificates:
            - rawDer: ==HAwIBCCAr6gAwIBAgIUWR+EV4lqiV7Ql12VY==

Create EkmConnection Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new EkmConnection(name: string, args: EkmConnectionArgs, opts?: CustomResourceOptions);

@overload
def EkmConnection(resource_name: str,
                  args: EkmConnectionArgs,
                  opts: Optional[ResourceOptions] = None)

@overload
def EkmConnection(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  location: Optional[str] = None,
                  service_resolvers: Optional[Sequence[EkmConnectionServiceResolverArgs]] = None,
                  crypto_space_path: Optional[str] = None,
                  etag: Optional[str] = None,
                  key_management_mode: Optional[str] = None,
                  name: Optional[str] = None,
                  project: Optional[str] = None)

func NewEkmConnection(ctx *Context, name string, args EkmConnectionArgs, opts ...ResourceOption) (*EkmConnection, error)

public EkmConnection(string name, EkmConnectionArgs args, CustomResourceOptions? opts = null)

public EkmConnection(String name, EkmConnectionArgs args)
public EkmConnection(String name, EkmConnectionArgs args, CustomResourceOptions options)

type: gcp:kms:EkmConnection
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args EkmConnectionArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args EkmConnectionArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args EkmConnectionArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args EkmConnectionArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args EkmConnectionArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var ekmConnectionResource = new Gcp.Kms.EkmConnection("ekmConnectionResource", new()
{
    Location = "string",
    ServiceResolvers = new[]
    {
        new Gcp.Kms.Inputs.EkmConnectionServiceResolverArgs
        {
            Hostname = "string",
            ServerCertificates = new[]
            {
                new Gcp.Kms.Inputs.EkmConnectionServiceResolverServerCertificateArgs
                {
                    RawDer = "string",
                    Issuer = "string",
                    NotAfterTime = "string",
                    NotBeforeTime = "string",
                    Parsed = false,
                    SerialNumber = "string",
                    Sha256Fingerprint = "string",
                    Subject = "string",
                    SubjectAlternativeDnsNames = new[]
                    {
                        "string",
                    },
                },
            },
            ServiceDirectoryService = "string",
            EndpointFilter = "string",
        },
    },
    CryptoSpacePath = "string",
    Etag = "string",
    KeyManagementMode = "string",
    Name = "string",
    Project = "string",
});

example, err := kms.NewEkmConnection(ctx, "ekmConnectionResource", &kms.EkmConnectionArgs{
	Location: pulumi.String("string"),
	ServiceResolvers: kms.EkmConnectionServiceResolverArray{
		&kms.EkmConnectionServiceResolverArgs{
			Hostname: pulumi.String("string"),
			ServerCertificates: kms.EkmConnectionServiceResolverServerCertificateArray{
				&kms.EkmConnectionServiceResolverServerCertificateArgs{
					RawDer:            pulumi.String("string"),
					Issuer:            pulumi.String("string"),
					NotAfterTime:      pulumi.String("string"),
					NotBeforeTime:     pulumi.String("string"),
					Parsed:            pulumi.Bool(false),
					SerialNumber:      pulumi.String("string"),
					Sha256Fingerprint: pulumi.String("string"),
					Subject:           pulumi.String("string"),
					SubjectAlternativeDnsNames: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			ServiceDirectoryService: pulumi.String("string"),
			EndpointFilter:          pulumi.String("string"),
		},
	},
	CryptoSpacePath:   pulumi.String("string"),
	Etag:              pulumi.String("string"),
	KeyManagementMode: pulumi.String("string"),
	Name:              pulumi.String("string"),
	Project:           pulumi.String("string"),
})

var ekmConnectionResource = new EkmConnection("ekmConnectionResource", EkmConnectionArgs.builder()
    .location("string")
    .serviceResolvers(EkmConnectionServiceResolverArgs.builder()
        .hostname("string")
        .serverCertificates(EkmConnectionServiceResolverServerCertificateArgs.builder()
            .rawDer("string")
            .issuer("string")
            .notAfterTime("string")
            .notBeforeTime("string")
            .parsed(false)
            .serialNumber("string")
            .sha256Fingerprint("string")
            .subject("string")
            .subjectAlternativeDnsNames("string")
            .build())
        .serviceDirectoryService("string")
        .endpointFilter("string")
        .build())
    .cryptoSpacePath("string")
    .etag("string")
    .keyManagementMode("string")
    .name("string")
    .project("string")
    .build());

ekm_connection_resource = gcp.kms.EkmConnection("ekmConnectionResource",
    location="string",
    service_resolvers=[{
        "hostname": "string",
        "server_certificates": [{
            "raw_der": "string",
            "issuer": "string",
            "not_after_time": "string",
            "not_before_time": "string",
            "parsed": False,
            "serial_number": "string",
            "sha256_fingerprint": "string",
            "subject": "string",
            "subject_alternative_dns_names": ["string"],
        }],
        "service_directory_service": "string",
        "endpoint_filter": "string",
    }],
    crypto_space_path="string",
    etag="string",
    key_management_mode="string",
    name="string",
    project="string")

const ekmConnectionResource = new gcp.kms.EkmConnection("ekmConnectionResource", {
    location: "string",
    serviceResolvers: [{
        hostname: "string",
        serverCertificates: [{
            rawDer: "string",
            issuer: "string",
            notAfterTime: "string",
            notBeforeTime: "string",
            parsed: false,
            serialNumber: "string",
            sha256Fingerprint: "string",
            subject: "string",
            subjectAlternativeDnsNames: ["string"],
        }],
        serviceDirectoryService: "string",
        endpointFilter: "string",
    }],
    cryptoSpacePath: "string",
    etag: "string",
    keyManagementMode: "string",
    name: "string",
    project: "string",
});

type: gcp:kms:EkmConnection
properties:
    cryptoSpacePath: string
    etag: string
    keyManagementMode: string
    location: string
    name: string
    project: string
    serviceResolvers:
        - endpointFilter: string
          hostname: string
          serverCertificates:
            - issuer: string
              notAfterTime: string
              notBeforeTime: string
              parsed: false
              rawDer: string
              serialNumber: string
              sha256Fingerprint: string
              subject: string
              subjectAlternativeDnsNames:
                - string
          serviceDirectoryService: string

EkmConnection Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The EkmConnection resource accepts the following input properties:

Location string: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
ServiceResolvers List<EkmConnectionServiceResolver>: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.
CryptoSpacePath string: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
Etag string: Optional. Etag of the currently stored EkmConnection.
KeyManagementMode string: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
Name string: The resource name for the EkmConnection.
Project string

Location string: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
ServiceResolvers []EkmConnectionServiceResolverArgs: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.
CryptoSpacePath string: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
Etag string: Optional. Etag of the currently stored EkmConnection.
KeyManagementMode string: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
Name string: The resource name for the EkmConnection.
Project string

location String: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
serviceResolvers List<EkmConnectionServiceResolver>: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.
cryptoSpacePath String: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag String: Optional. Etag of the currently stored EkmConnection.
keyManagementMode String: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
name String: The resource name for the EkmConnection.
project String

location string: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
serviceResolvers EkmConnectionServiceResolver[]: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.
cryptoSpacePath string: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag string: Optional. Etag of the currently stored EkmConnection.
keyManagementMode string: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
name string: The resource name for the EkmConnection.
project string

location str: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
service_resolvers Sequence[EkmConnectionServiceResolverArgs]: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.
crypto_space_path str: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag str: Optional. Etag of the currently stored EkmConnection.
key_management_mode str: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
name str: The resource name for the EkmConnection.
project str

location String: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
serviceResolvers List<Property Map>: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.
cryptoSpacePath String: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag String: Optional. Etag of the currently stored EkmConnection.
keyManagementMode String: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
name String: The resource name for the EkmConnection.
project String

Outputs

All input properties are implicitly available as output properties. Additionally, the EkmConnection resource produces the following output properties:

CreateTime string: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Id string: The provider-assigned unique ID for this managed resource.

CreateTime string: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Id string: The provider-assigned unique ID for this managed resource.

createTime String: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
id String: The provider-assigned unique ID for this managed resource.

createTime string: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
id string: The provider-assigned unique ID for this managed resource.

create_time str: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
id str: The provider-assigned unique ID for this managed resource.

createTime String: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
id String: The provider-assigned unique ID for this managed resource.

Look up Existing EkmConnection Resource

Get an existing EkmConnection resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: EkmConnectionState, opts?: CustomResourceOptions): EkmConnection

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        create_time: Optional[str] = None,
        crypto_space_path: Optional[str] = None,
        etag: Optional[str] = None,
        key_management_mode: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        project: Optional[str] = None,
        service_resolvers: Optional[Sequence[EkmConnectionServiceResolverArgs]] = None) -> EkmConnection

func GetEkmConnection(ctx *Context, name string, id IDInput, state *EkmConnectionState, opts ...ResourceOption) (*EkmConnection, error)

public static EkmConnection Get(string name, Input<string> id, EkmConnectionState? state, CustomResourceOptions? opts = null)

public static EkmConnection get(String name, Output<String> id, EkmConnectionState state, CustomResourceOptions options)

resources:  _:    type: gcp:kms:EkmConnection    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CreateTime string: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
CryptoSpacePath string: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
Etag string: Optional. Etag of the currently stored EkmConnection.
KeyManagementMode string: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
Location string: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
Name string: The resource name for the EkmConnection.
Project string
ServiceResolvers List<EkmConnectionServiceResolver>: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.

CreateTime string: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
CryptoSpacePath string: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
Etag string: Optional. Etag of the currently stored EkmConnection.
KeyManagementMode string: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
Location string: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
Name string: The resource name for the EkmConnection.
Project string
ServiceResolvers []EkmConnectionServiceResolverArgs: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.

createTime String: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
cryptoSpacePath String: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag String: Optional. Etag of the currently stored EkmConnection.
keyManagementMode String: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
location String: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
name String: The resource name for the EkmConnection.
project String
serviceResolvers List<EkmConnectionServiceResolver>: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.

createTime string: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
cryptoSpacePath string: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag string: Optional. Etag of the currently stored EkmConnection.
keyManagementMode string: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
location string: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
name string: The resource name for the EkmConnection.
project string
serviceResolvers EkmConnectionServiceResolver[]: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.

create_time str: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
crypto_space_path str: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag str: Optional. Etag of the currently stored EkmConnection.
key_management_mode str: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
location str: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
name str: The resource name for the EkmConnection.
project str
service_resolvers Sequence[EkmConnectionServiceResolverArgs]: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.

createTime String: Output only. The time at which the EkmConnection was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
cryptoSpacePath String: Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS.
etag String: Optional. Etag of the currently stored EkmConnection.
keyManagementMode String: Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL Default value: "MANUAL" Possible values: ["MANUAL", "CLOUD_KMS"]
location String: The location for the EkmConnection. A full list of valid locations can be found by running gcloud kms locations list.
name String: The resource name for the EkmConnection.
project String
serviceResolvers List<Property Map>: A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported Structure is documented below.

Supporting Types

EkmConnectionServiceResolver, EkmConnectionServiceResolverArgs

Hostname string: Required. The hostname of the EKM replica used at TLS and HTTP layers.
ServerCertificates List<EkmConnectionServiceResolverServerCertificate>: Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 Certificate is supported. Structure is documented below.
ServiceDirectoryService string: Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects//locations//namespaces//services/
EndpointFilter string: Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.

Hostname string: Required. The hostname of the EKM replica used at TLS and HTTP layers.
ServerCertificates []EkmConnectionServiceResolverServerCertificate: Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 Certificate is supported. Structure is documented below.
ServiceDirectoryService string: Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects//locations//namespaces//services/
EndpointFilter string: Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.

hostname String: Required. The hostname of the EKM replica used at TLS and HTTP layers.
serverCertificates List<EkmConnectionServiceResolverServerCertificate>: Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 Certificate is supported. Structure is documented below.
serviceDirectoryService String: Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects//locations//namespaces//services/
endpointFilter String: Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.

hostname string: Required. The hostname of the EKM replica used at TLS and HTTP layers.
serverCertificates EkmConnectionServiceResolverServerCertificate[]: Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 Certificate is supported. Structure is documented below.
serviceDirectoryService string: Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects//locations//namespaces//services/
endpointFilter string: Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.

hostname str: Required. The hostname of the EKM replica used at TLS and HTTP layers.
server_certificates Sequence[EkmConnectionServiceResolverServerCertificate]: Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 Certificate is supported. Structure is documented below.
service_directory_service str: Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects//locations//namespaces//services/
endpoint_filter str: Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.

hostname String: Required. The hostname of the EKM replica used at TLS and HTTP layers.
serverCertificates List<Property Map>: Required. A list of leaf server certificates used to authenticate HTTPS connections to the EKM replica. Currently, a maximum of 10 Certificate is supported. Structure is documented below.
serviceDirectoryService String: Required. The resource name of the Service Directory service pointing to an EKM replica, in the format projects//locations//namespaces//services/
endpointFilter String: Optional. The filter applied to the endpoints of the resolved service. If no filter is specified, all endpoints will be considered. An endpoint will be chosen arbitrarily from the filtered list for each request. For endpoint filter syntax and examples, see https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.

EkmConnectionServiceResolverServerCertificate, EkmConnectionServiceResolverServerCertificateArgs

RawDer string: Required. The raw certificate bytes in DER format. A base64-encoded string.
Issuer string: (Output) Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.
NotAfterTime string: (Output) Output only. The certificate is not valid after this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
NotBeforeTime string: (Output) Output only. The certificate is not valid before this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Parsed bool: (Output) Output only. True if the certificate was parsed successfully.
SerialNumber string: (Output) Output only. The certificate serial number as a hex string. Only present if parsed is true.
Sha256Fingerprint string: (Output) Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.
Subject string: (Output) Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.
SubjectAlternativeDnsNames List<string>: (Output) Output only. The subject Alternative DNS names. Only present if parsed is true.

RawDer string: Required. The raw certificate bytes in DER format. A base64-encoded string.
Issuer string: (Output) Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.
NotAfterTime string: (Output) Output only. The certificate is not valid after this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
NotBeforeTime string: (Output) Output only. The certificate is not valid before this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Parsed bool: (Output) Output only. True if the certificate was parsed successfully.
SerialNumber string: (Output) Output only. The certificate serial number as a hex string. Only present if parsed is true.
Sha256Fingerprint string: (Output) Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.
Subject string: (Output) Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.
SubjectAlternativeDnsNames []string: (Output) Output only. The subject Alternative DNS names. Only present if parsed is true.

rawDer String: Required. The raw certificate bytes in DER format. A base64-encoded string.
issuer String: (Output) Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.
notAfterTime String: (Output) Output only. The certificate is not valid after this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
notBeforeTime String: (Output) Output only. The certificate is not valid before this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
parsed Boolean: (Output) Output only. True if the certificate was parsed successfully.
serialNumber String: (Output) Output only. The certificate serial number as a hex string. Only present if parsed is true.
sha256Fingerprint String: (Output) Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.
subject String: (Output) Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.
subjectAlternativeDnsNames List<String>: (Output) Output only. The subject Alternative DNS names. Only present if parsed is true.

rawDer string: Required. The raw certificate bytes in DER format. A base64-encoded string.
issuer string: (Output) Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.
notAfterTime string: (Output) Output only. The certificate is not valid after this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
notBeforeTime string: (Output) Output only. The certificate is not valid before this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
parsed boolean: (Output) Output only. True if the certificate was parsed successfully.
serialNumber string: (Output) Output only. The certificate serial number as a hex string. Only present if parsed is true.
sha256Fingerprint string: (Output) Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.
subject string: (Output) Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.
subjectAlternativeDnsNames string[]: (Output) Output only. The subject Alternative DNS names. Only present if parsed is true.

raw_der str: Required. The raw certificate bytes in DER format. A base64-encoded string.
issuer str: (Output) Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.
not_after_time str: (Output) Output only. The certificate is not valid after this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
not_before_time str: (Output) Output only. The certificate is not valid before this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
parsed bool: (Output) Output only. True if the certificate was parsed successfully.
serial_number str: (Output) Output only. The certificate serial number as a hex string. Only present if parsed is true.
sha256_fingerprint str: (Output) Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.
subject str: (Output) Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.
subject_alternative_dns_names Sequence[str]: (Output) Output only. The subject Alternative DNS names. Only present if parsed is true.

rawDer String: Required. The raw certificate bytes in DER format. A base64-encoded string.
issuer String: (Output) Output only. The issuer distinguished name in RFC 2253 format. Only present if parsed is true.
notAfterTime String: (Output) Output only. The certificate is not valid after this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
notBeforeTime String: (Output) Output only. The certificate is not valid before this time. Only present if parsed is true. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
parsed Boolean: (Output) Output only. True if the certificate was parsed successfully.
serialNumber String: (Output) Output only. The certificate serial number as a hex string. Only present if parsed is true.
sha256Fingerprint String: (Output) Output only. The SHA-256 certificate fingerprint as a hex string. Only present if parsed is true.
subject String: (Output) Output only. The subject distinguished name in RFC 2253 format. Only present if parsed is true.
subjectAlternativeDnsNames List<String>: (Output) Output only. The subject Alternative DNS names. Only present if parsed is true.

Import

EkmConnection can be imported using any of these accepted formats:

projects/{{project}}/locations/{{location}}/ekmConnections/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}

When using the pulumi import command, EkmConnection can be imported using one of the formats above. For example:

$ pulumi import gcp:kms/ekmConnection:EkmConnection default projects/{{project}}/locations/{{location}}/ekmConnections/{{name}}

$ pulumi import gcp:kms/ekmConnection:EkmConnection default {{project}}/{{location}}/{{name}}

$ pulumi import gcp:kms/ekmConnection:EkmConnection default {{location}}/{{name}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi

pulumi/pulumi-gcp

gcp.kms.EkmConnection

On this page

On this page

Example Usage

Kms Ekm Connection Basic

Create EkmConnection Resource

Constructor syntax

Parameters

Constructor example

EkmConnection Resource Properties

Inputs

Outputs

Look up Existing EkmConnection Resource

Supporting Types

EkmConnectionServiceResolver, EkmConnectionServiceResolverArgs

EkmConnectionServiceResolverServerCertificate, EkmConnectionServiceResolverServerCertificateArgs

Import

Package Details

On this page

On this page