Docs Home
CockroachDB v0.9.4 published on Friday, Mar 21, 2025 by pulumiverse
cockroach.Cmek
Explore with Pulumi AI
Customer-managed encryption keys (CMEK) resource for a single cluster.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as cockroach from "@pulumiverse/cockroach";
const advanced = new cockroach.Cmek("advanced", {
clusterId: advancedCockroachCluster.id,
regions: [{
region: "us-central-1",
key: {
authPrincipal: "arn:aws:iam::account:role/role-name-with-path",
type: "AWS_KMS",
uri: "arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key",
},
}],
});
import pulumi
import pulumiverse_cockroach as cockroach
advanced = cockroach.Cmek("advanced",
cluster_id=advanced_cockroach_cluster["id"],
regions=[{
"region": "us-central-1",
"key": {
"auth_principal": "arn:aws:iam::account:role/role-name-with-path",
"type": "AWS_KMS",
"uri": "arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key",
},
}])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-cockroach/sdk/go/cockroach"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cockroach.NewCmek(ctx, "advanced", &cockroach.CmekArgs{
ClusterId: pulumi.Any(advancedCockroachCluster.Id),
Regions: cockroach.CmekRegionArray{
&cockroach.CmekRegionArgs{
Region: pulumi.String("us-central-1"),
Key: &cockroach.CmekRegionKeyArgs{
AuthPrincipal: pulumi.String("arn:aws:iam::account:role/role-name-with-path"),
Type: pulumi.String("AWS_KMS"),
Uri: pulumi.String("arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Cockroach = Pulumiverse.Cockroach;
return await Deployment.RunAsync(() =>
{
var advanced = new Cockroach.Cmek("advanced", new()
{
ClusterId = advancedCockroachCluster.Id,
Regions = new[]
{
new Cockroach.Inputs.CmekRegionArgs
{
Region = "us-central-1",
Key = new Cockroach.Inputs.CmekRegionKeyArgs
{
AuthPrincipal = "arn:aws:iam::account:role/role-name-with-path",
Type = "AWS_KMS",
Uri = "arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cockroach.Cmek;
import com.pulumi.cockroach.CmekArgs;
import com.pulumi.cockroach.inputs.CmekRegionArgs;
import com.pulumi.cockroach.inputs.CmekRegionKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var advanced = new Cmek("advanced", CmekArgs.builder()
.clusterId(advancedCockroachCluster.id())
.regions(CmekRegionArgs.builder()
.region("us-central-1")
.key(CmekRegionKeyArgs.builder()
.authPrincipal("arn:aws:iam::account:role/role-name-with-path")
.type("AWS_KMS")
.uri("arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key")
.build())
.build())
.build());
}
}
resources:
advanced:
type: cockroach:Cmek
properties:
clusterId: ${advancedCockroachCluster.id}
regions:
- region: us-central-1
key:
authPrincipal: arn:aws:iam::account:role/role-name-with-path
type: AWS_KMS
uri: arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key
Create Cmek Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Cmek(name: string, args: CmekArgs, opts?: CustomResourceOptions);@overload
def Cmek(resource_name: str,
args: CmekArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Cmek(resource_name: str,
opts: Optional[ResourceOptions] = None,
cluster_id: Optional[str] = None,
regions: Optional[Sequence[CmekRegionArgs]] = None,
additional_regions: Optional[Sequence[CmekAdditionalRegionArgs]] = None,
status: Optional[str] = None)func NewCmek(ctx *Context, name string, args CmekArgs, opts ...ResourceOption) (*Cmek, error)public Cmek(string name, CmekArgs args, CustomResourceOptions? opts = null)type: cockroach:Cmek
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CmekArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CmekArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CmekArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CmekArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CmekArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var cmekResource = new Cockroach.Cmek("cmekResource", new()
{
ClusterId = "string",
Regions = new[]
{
new Cockroach.Inputs.CmekRegionArgs
{
Key = new Cockroach.Inputs.CmekRegionKeyArgs
{
AuthPrincipal = "string",
Type = "string",
Uri = "string",
CreatedAt = "string",
Status = "string",
UpdatedAt = "string",
UserMessage = "string",
},
Region = "string",
Status = "string",
},
},
AdditionalRegions = new[]
{
new Cockroach.Inputs.CmekAdditionalRegionArgs
{
Name = "string",
InternalDns = "string",
NodeCount = 0,
Primary = false,
SqlDns = "string",
UiDns = "string",
},
},
Status = "string",
});
example, err := cockroach.NewCmek(ctx, "cmekResource", &cockroach.CmekArgs{
ClusterId: pulumi.String("string"),
Regions: cockroach.CmekRegionArray{
&cockroach.CmekRegionArgs{
Key: &cockroach.CmekRegionKeyArgs{
AuthPrincipal: pulumi.String("string"),
Type: pulumi.String("string"),
Uri: pulumi.String("string"),
CreatedAt: pulumi.String("string"),
Status: pulumi.String("string"),
UpdatedAt: pulumi.String("string"),
UserMessage: pulumi.String("string"),
},
Region: pulumi.String("string"),
Status: pulumi.String("string"),
},
},
AdditionalRegions: cockroach.CmekAdditionalRegionArray{
&cockroach.CmekAdditionalRegionArgs{
Name: pulumi.String("string"),
InternalDns: pulumi.String("string"),
NodeCount: pulumi.Int(0),
Primary: pulumi.Bool(false),
SqlDns: pulumi.String("string"),
UiDns: pulumi.String("string"),
},
},
Status: pulumi.String("string"),
})
var cmekResource = new Cmek("cmekResource", CmekArgs.builder()
.clusterId("string")
.regions(CmekRegionArgs.builder()
.key(CmekRegionKeyArgs.builder()
.authPrincipal("string")
.type("string")
.uri("string")
.createdAt("string")
.status("string")
.updatedAt("string")
.userMessage("string")
.build())
.region("string")
.status("string")
.build())
.additionalRegions(CmekAdditionalRegionArgs.builder()
.name("string")
.internalDns("string")
.nodeCount(0)
.primary(false)
.sqlDns("string")
.uiDns("string")
.build())
.status("string")
.build());
cmek_resource = cockroach.Cmek("cmekResource",
cluster_id="string",
regions=[{
"key": {
"auth_principal": "string",
"type": "string",
"uri": "string",
"created_at": "string",
"status": "string",
"updated_at": "string",
"user_message": "string",
},
"region": "string",
"status": "string",
}],
additional_regions=[{
"name": "string",
"internal_dns": "string",
"node_count": 0,
"primary": False,
"sql_dns": "string",
"ui_dns": "string",
}],
status="string")
const cmekResource = new cockroach.Cmek("cmekResource", {
clusterId: "string",
regions: [{
key: {
authPrincipal: "string",
type: "string",
uri: "string",
createdAt: "string",
status: "string",
updatedAt: "string",
userMessage: "string",
},
region: "string",
status: "string",
}],
additionalRegions: [{
name: "string",
internalDns: "string",
nodeCount: 0,
primary: false,
sqlDns: "string",
uiDns: "string",
}],
status: "string",
});
type: cockroach:Cmek
properties:
additionalRegions:
- internalDns: string
name: string
nodeCount: 0
primary: false
sqlDns: string
uiDns: string
clusterId: string
regions:
- key:
authPrincipal: string
createdAt: string
status: string
type: string
updatedAt: string
uri: string
userMessage: string
region: string
status: string
status: string
Cmek Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Cmek resource accepts the following input properties:
- Cluster
Id string - Cluster ID.
- Regions
List<Pulumiverse.
Cockroach. Inputs. Cmek Region> - Additional
Regions List<Pulumiverse.Cockroach. Inputs. Cmek Additional Region> - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- Status string
- Aggregated status of the cluster's encryption key(s).
- Cluster
Id string - Cluster ID.
- Regions
[]Cmek
Region Args - Additional
Regions []CmekAdditional Region Args - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- Status string
- Aggregated status of the cluster's encryption key(s).
- cluster
Id String - Cluster ID.
- regions
List<Cmek
Region> - additional
Regions List<CmekAdditional Region> - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- status String
- Aggregated status of the cluster's encryption key(s).
- cluster
Id string - Cluster ID.
- regions
Cmek
Region[] - additional
Regions CmekAdditional Region[] - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- status string
- Aggregated status of the cluster's encryption key(s).
- cluster_
id str - Cluster ID.
- regions
Sequence[Cmek
Region Args] - additional_
regions Sequence[CmekAdditional Region Args] - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- status str
- Aggregated status of the cluster's encryption key(s).
- cluster
Id String - Cluster ID.
- regions List<Property Map>
- additional
Regions List<Property Map> - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- status String
- Aggregated status of the cluster's encryption key(s).
Outputs
All input properties are implicitly available as output properties. Additionally, the Cmek resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Cmek Resource
Get an existing Cmek resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CmekState, opts?: CustomResourceOptions): Cmek@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
additional_regions: Optional[Sequence[CmekAdditionalRegionArgs]] = None,
cluster_id: Optional[str] = None,
regions: Optional[Sequence[CmekRegionArgs]] = None,
status: Optional[str] = None) -> Cmekfunc GetCmek(ctx *Context, name string, id IDInput, state *CmekState, opts ...ResourceOption) (*Cmek, error)public static Cmek Get(string name, Input<string> id, CmekState? state, CustomResourceOptions? opts = null)public static Cmek get(String name, Output<String> id, CmekState state, CustomResourceOptions options)resources: _: type: cockroach:Cmek get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Additional
Regions List<Pulumiverse.Cockroach. Inputs. Cmek Additional Region> - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- Cluster
Id string - Cluster ID.
- Regions
List<Pulumiverse.
Cockroach. Inputs. Cmek Region> - Status string
- Aggregated status of the cluster's encryption key(s).
- Additional
Regions []CmekAdditional Region Args - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- Cluster
Id string - Cluster ID.
- Regions
[]Cmek
Region Args - Status string
- Aggregated status of the cluster's encryption key(s).
- additional
Regions List<CmekAdditional Region> - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- cluster
Id String - Cluster ID.
- regions
List<Cmek
Region> - status String
- Aggregated status of the cluster's encryption key(s).
- additional
Regions CmekAdditional Region[] - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- cluster
Id string - Cluster ID.
- regions
Cmek
Region[] - status string
- Aggregated status of the cluster's encryption key(s).
- additional_
regions Sequence[CmekAdditional Region Args] - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- cluster_
id str - Cluster ID.
- regions
Sequence[Cmek
Region Args] - status str
- Aggregated status of the cluster's encryption key(s).
- additional
Regions List<Property Map> - Once CMEK is enabled for a cluster, no new regions can be added to the cluster resource, since they need encryption key info stored in the CMEK resource. New regions can be added and maintained here instead.
- cluster
Id String - Cluster ID.
- regions List<Property Map>
- status String
- Aggregated status of the cluster's encryption key(s).
Supporting Types
CmekAdditionalRegion, CmekAdditionalRegionArgs
- Name string
- Name of the region. Should match the region code used by the cluster's cloud provider.
- Internal
Dns string - Internal DNS name of the cluster within the cloud provider's network. Used to connect to the cluster with PrivateLink or VPC peering.
- Node
Count int - Number of nodes in the region. Valid for Advanced clusters only.
- Primary bool
- Set to true to mark this region as the primary for a serverless cluster. Exactly one region must be primary. Dedicated clusters expect to have no primary region.
- Sql
Dns string - DNS name of the cluster's SQL interface. Used to connect to the cluster with IP allowlisting.
- Ui
Dns string - DNS name used when connecting to the DB Console for the cluster.
- Name string
- Name of the region. Should match the region code used by the cluster's cloud provider.
- Internal
Dns string - Internal DNS name of the cluster within the cloud provider's network. Used to connect to the cluster with PrivateLink or VPC peering.
- Node
Count int - Number of nodes in the region. Valid for Advanced clusters only.
- Primary bool
- Set to true to mark this region as the primary for a serverless cluster. Exactly one region must be primary. Dedicated clusters expect to have no primary region.
- Sql
Dns string - DNS name of the cluster's SQL interface. Used to connect to the cluster with IP allowlisting.
- Ui
Dns string - DNS name used when connecting to the DB Console for the cluster.
- name String
- Name of the region. Should match the region code used by the cluster's cloud provider.
- internal
Dns String - Internal DNS name of the cluster within the cloud provider's network. Used to connect to the cluster with PrivateLink or VPC peering.
- node
Count Integer - Number of nodes in the region. Valid for Advanced clusters only.
- primary Boolean
- Set to true to mark this region as the primary for a serverless cluster. Exactly one region must be primary. Dedicated clusters expect to have no primary region.
- sql
Dns String - DNS name of the cluster's SQL interface. Used to connect to the cluster with IP allowlisting.
- ui
Dns String - DNS name used when connecting to the DB Console for the cluster.
- name string
- Name of the region. Should match the region code used by the cluster's cloud provider.
- internal
Dns string - Internal DNS name of the cluster within the cloud provider's network. Used to connect to the cluster with PrivateLink or VPC peering.
- node
Count number - Number of nodes in the region. Valid for Advanced clusters only.
- primary boolean
- Set to true to mark this region as the primary for a serverless cluster. Exactly one region must be primary. Dedicated clusters expect to have no primary region.
- sql
Dns string - DNS name of the cluster's SQL interface. Used to connect to the cluster with IP allowlisting.
- ui
Dns string - DNS name used when connecting to the DB Console for the cluster.
- name str
- Name of the region. Should match the region code used by the cluster's cloud provider.
- internal_
dns str - Internal DNS name of the cluster within the cloud provider's network. Used to connect to the cluster with PrivateLink or VPC peering.
- node_
count int - Number of nodes in the region. Valid for Advanced clusters only.
- primary bool
- Set to true to mark this region as the primary for a serverless cluster. Exactly one region must be primary. Dedicated clusters expect to have no primary region.
- sql_
dns str - DNS name of the cluster's SQL interface. Used to connect to the cluster with IP allowlisting.
- ui_
dns str - DNS name used when connecting to the DB Console for the cluster.
- name String
- Name of the region. Should match the region code used by the cluster's cloud provider.
- internal
Dns String - Internal DNS name of the cluster within the cloud provider's network. Used to connect to the cluster with PrivateLink or VPC peering.
- node
Count Number - Number of nodes in the region. Valid for Advanced clusters only.
- primary Boolean
- Set to true to mark this region as the primary for a serverless cluster. Exactly one region must be primary. Dedicated clusters expect to have no primary region.
- sql
Dns String - DNS name of the cluster's SQL interface. Used to connect to the cluster with IP allowlisting.
- ui
Dns String - DNS name used when connecting to the DB Console for the cluster.
CmekRegion, CmekRegionArgs
- Key
Pulumiverse.
Cockroach. Inputs. Cmek Region Key - Region string
- Cloud provider region code.
- Status string
- Describes the status of the current encryption key within the region.
- Key
Cmek
Region Key - Region string
- Cloud provider region code.
- Status string
- Describes the status of the current encryption key within the region.
- key
Cmek
Region Key - region String
- Cloud provider region code.
- status String
- Describes the status of the current encryption key within the region.
- key
Cmek
Region Key - region string
- Cloud provider region code.
- status string
- Describes the status of the current encryption key within the region.
- key
Cmek
Region Key - region str
- Cloud provider region code.
- status str
- Describes the status of the current encryption key within the region.
- key Property Map
- region String
- Cloud provider region code.
- status String
- Describes the status of the current encryption key within the region.
CmekRegionKey, CmekRegionKeyArgs
- Auth
Principal string - Principal to authenticate as in order to access the key.
- Type string
- Type of encryption key. Current allowed values are:
- AWS_KMS
- GCP_CLOUD_KMS
- NULL_KMS
- Uri string
- Provider-specific URI pointing to the encryption key.
- Created
At string - Indicates when the key was created.
- Status string
- Current status of this key.
- Updated
At string - Indicates when the key was last updated.
- User
Message string - Elaborates on the key's status and hints at how to fix issues that may have occurred during asynchronous key operations.
- Auth
Principal string - Principal to authenticate as in order to access the key.
- Type string
- Type of encryption key. Current allowed values are:
- AWS_KMS
- GCP_CLOUD_KMS
- NULL_KMS
- Uri string
- Provider-specific URI pointing to the encryption key.
- Created
At string - Indicates when the key was created.
- Status string
- Current status of this key.
- Updated
At string - Indicates when the key was last updated.
- User
Message string - Elaborates on the key's status and hints at how to fix issues that may have occurred during asynchronous key operations.
- auth
Principal String - Principal to authenticate as in order to access the key.
- type String
- Type of encryption key. Current allowed values are:
- AWS_KMS
- GCP_CLOUD_KMS
- NULL_KMS
- uri String
- Provider-specific URI pointing to the encryption key.
- created
At String - Indicates when the key was created.
- status String
- Current status of this key.
- updated
At String - Indicates when the key was last updated.
- user
Message String - Elaborates on the key's status and hints at how to fix issues that may have occurred during asynchronous key operations.
- auth
Principal string - Principal to authenticate as in order to access the key.
- type string
- Type of encryption key. Current allowed values are:
- AWS_KMS
- GCP_CLOUD_KMS
- NULL_KMS
- uri string
- Provider-specific URI pointing to the encryption key.
- created
At string - Indicates when the key was created.
- status string
- Current status of this key.
- updated
At string - Indicates when the key was last updated.
- user
Message string - Elaborates on the key's status and hints at how to fix issues that may have occurred during asynchronous key operations.
- auth_
principal str - Principal to authenticate as in order to access the key.
- type str
- Type of encryption key. Current allowed values are:
- AWS_KMS
- GCP_CLOUD_KMS
- NULL_KMS
- uri str
- Provider-specific URI pointing to the encryption key.
- created_
at str - Indicates when the key was created.
- status str
- Current status of this key.
- updated_
at str - Indicates when the key was last updated.
- user_
message str - Elaborates on the key's status and hints at how to fix issues that may have occurred during asynchronous key operations.
- auth
Principal String - Principal to authenticate as in order to access the key.
- type String
- Type of encryption key. Current allowed values are:
- AWS_KMS
- GCP_CLOUD_KMS
- NULL_KMS
- uri String
- Provider-specific URI pointing to the encryption key.
- created
At String - Indicates when the key was created.
- status String
- Current status of this key.
- updated
At String - Indicates when the key was last updated.
- user
Message String - Elaborates on the key's status and hints at how to fix issues that may have occurred during asynchronous key operations.
Import
format:
$ pulumi import cockroach:index/cmek:Cmek advanced 1f69fdd2-600a-4cfc-a9ba-16995df0d77d
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- cockroach pulumiverse/pulumi-cockroach
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
cockroachTerraform Provider.