1. Docs
  2. Get Started
  3. Google Cloud
  4. Modify the Program

Modify the Program

Now that we have an instance of our Pulumi program deployed, let’s update it to use our own encryption key instead of the default Google-managed one.

You must enable the Google KMS API for your project on the GCP console before proceeding. You can enable the API by following this link: https://console.cloud.google.com/security/kms/noaccess?project={your_project_id}. Be sure to replace the {your_project_id} with your actual Google project ID.

Replace the entire contents of index.jsindex.ts__main__.pymain.goProgram.csProgram.fsProgram.vb with the following:

TypeScript JavaScript Python C# PREVIEW 
"use strict";
const pulumi = require("@pulumi/pulumi");
const gcp = require("@pulumi/gcp");

// Let's create a customer managed key and use that for encryption instead of the default Google-managed key.
const keyRing = new gcp.kms.KeyRing("my-keyring", {
    location: "global",
});

const cryptoKey = new gcp.kms.CryptoKey("my-cryptokey", {
    keyRing: keyRing.selfLink,
    rotationPeriod: "100000s",
});

// Create a GCP resource (Storage Bucket)
const bucket = new gcp.storage.Bucket("my-bucket", {
    encryption: {
        defaultKmsKeyName: cryptoKey.selfLink,
    }
});

// Export the DNS name of the bucket
exports.bucketName = bucket.url;

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Let's create a customer managed key and use that for encryption instead of the default Google-managed key.
const keyRing = new gcp.kms.KeyRing("my-keyring", {
    location: "global",
});

const cryptoKey = new gcp.kms.CryptoKey("my-cryptokey", {
    keyRing: keyRing.selfLink,
    rotationPeriod: "100000s",
});

// Create a GCP resource (Storage Bucket)
const bucket = new gcp.storage.Bucket("my-bucket", {
    encryption: {
        defaultKmsKeyName: cryptoKey.selfLink,
    }
});

// Export the DNS name of the bucket
export const bucketName = bucket.url;
import pulumi
from pulumi_gcp import storage, kms

# Create a KMS KeyRing and CryptoKey to use with the Bucket
keyRing = kms.KeyRing('my-keyring', location='global')
cryptoKey = kms.CryptoKey('my-cryptokey',
                          key_ring=keyRing.self_link,
                          rotation_period="100000s")

# Create a GCP resource (Storage Bucket) with customer-managed encryption key
bucket = storage.Bucket('my-bucket',
                        encryption={'defaultKmsKeyName': cryptoKey.self_link})

# Export the DNS name of the bucket
pulumi.export('bucket_name',  bucket.url)
using System.Collections.Generic;
using System.Threading.Tasks;
using Pulumi;
using Gcp = Pulumi.Gcp;

class Program
{
    static Task Main()
    {
        return Deployment.RunAsync(() =>
        {
            // Let's create a customer managed key and use that for encryption
            // instead of the default Google-managed key.
            var keyRing = new Gcp.Kms.KeyRing("my-keyring", new Gcp.Kms.KeyRingArgs
            {
                Location = "global",
            });

            var cryptoKey = new Gcp.Kms.CryptoKey("my-cryptokey", new Gcp.Kms.CryptoKeyArgs
            {
                KeyRing = keyRing.SelfLink,
                RotationPeriod = "100000s",
            });

            // Create a GCP resource (Storage Bucket)
            var bucket = new Gcp.Storage.Bucket("my-bucket", new Gcp.Storage.BucketArgs
            {
                Encryption = new Gcp.Storage.Inputs.BucketEncryptionArgs
                {
                    DefaultKmsKeyName = cryptoKey.SelfLink,
                },
            });

            // Export the DNS name of the bucket
            return new Dictionary<string, object> {
                { "bucketName", bucket.Url },
            };
        });
    }
}

Next, we’ll deploy the changes.

< PREVIOUS STEP NEXT STEP >