MongoDB Atlas v3.31.0, May 6 25

MongoDB Atlas v3.31.0 published on Tuesday, May 6, 2025 by Pulumi

mongodbatlas.EncryptionAtRest

Explore with Pulumi AI

MongoDB Atlas v3.31.0 published on Tuesday, May 6, 2025 by Pulumi

Create EncryptionAtRest Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new EncryptionAtRest(name: string, args: EncryptionAtRestArgs, opts?: CustomResourceOptions);

@overload
def EncryptionAtRest(resource_name: str,
                     args: EncryptionAtRestArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def EncryptionAtRest(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     project_id: Optional[str] = None,
                     aws_kms_config: Optional[EncryptionAtRestAwsKmsConfigArgs] = None,
                     azure_key_vault_config: Optional[EncryptionAtRestAzureKeyVaultConfigArgs] = None,
                     enabled_for_search_nodes: Optional[bool] = None,
                     google_cloud_kms_config: Optional[EncryptionAtRestGoogleCloudKmsConfigArgs] = None)

func NewEncryptionAtRest(ctx *Context, name string, args EncryptionAtRestArgs, opts ...ResourceOption) (*EncryptionAtRest, error)

public EncryptionAtRest(string name, EncryptionAtRestArgs args, CustomResourceOptions? opts = null)

public EncryptionAtRest(String name, EncryptionAtRestArgs args)
public EncryptionAtRest(String name, EncryptionAtRestArgs args, CustomResourceOptions options)

type: mongodbatlas:EncryptionAtRest
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args EncryptionAtRestArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args EncryptionAtRestArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args EncryptionAtRestArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args EncryptionAtRestArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args EncryptionAtRestArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var encryptionAtRestResource = new Mongodbatlas.EncryptionAtRest("encryptionAtRestResource", new()
{
    ProjectId = "string",
    AwsKmsConfig = new Mongodbatlas.Inputs.EncryptionAtRestAwsKmsConfigArgs
    {
        AccessKeyId = "string",
        CustomerMasterKeyId = "string",
        Enabled = false,
        Region = "string",
        RequirePrivateNetworking = false,
        RoleId = "string",
        SecretAccessKey = "string",
        Valid = false,
    },
    AzureKeyVaultConfig = new Mongodbatlas.Inputs.EncryptionAtRestAzureKeyVaultConfigArgs
    {
        AzureEnvironment = "string",
        ClientId = "string",
        Enabled = false,
        KeyIdentifier = "string",
        KeyVaultName = "string",
        RequirePrivateNetworking = false,
        ResourceGroupName = "string",
        Secret = "string",
        SubscriptionId = "string",
        TenantId = "string",
        Valid = false,
    },
    EnabledForSearchNodes = false,
    GoogleCloudKmsConfig = new Mongodbatlas.Inputs.EncryptionAtRestGoogleCloudKmsConfigArgs
    {
        Enabled = false,
        KeyVersionResourceId = "string",
        ServiceAccountKey = "string",
        Valid = false,
    },
});

example, err := mongodbatlas.NewEncryptionAtRest(ctx, "encryptionAtRestResource", &mongodbatlas.EncryptionAtRestArgs{
	ProjectId: pulumi.String("string"),
	AwsKmsConfig: &mongodbatlas.EncryptionAtRestAwsKmsConfigArgs{
		AccessKeyId:              pulumi.String("string"),
		CustomerMasterKeyId:      pulumi.String("string"),
		Enabled:                  pulumi.Bool(false),
		Region:                   pulumi.String("string"),
		RequirePrivateNetworking: pulumi.Bool(false),
		RoleId:                   pulumi.String("string"),
		SecretAccessKey:          pulumi.String("string"),
		Valid:                    pulumi.Bool(false),
	},
	AzureKeyVaultConfig: &mongodbatlas.EncryptionAtRestAzureKeyVaultConfigArgs{
		AzureEnvironment:         pulumi.String("string"),
		ClientId:                 pulumi.String("string"),
		Enabled:                  pulumi.Bool(false),
		KeyIdentifier:            pulumi.String("string"),
		KeyVaultName:             pulumi.String("string"),
		RequirePrivateNetworking: pulumi.Bool(false),
		ResourceGroupName:        pulumi.String("string"),
		Secret:                   pulumi.String("string"),
		SubscriptionId:           pulumi.String("string"),
		TenantId:                 pulumi.String("string"),
		Valid:                    pulumi.Bool(false),
	},
	EnabledForSearchNodes: pulumi.Bool(false),
	GoogleCloudKmsConfig: &mongodbatlas.EncryptionAtRestGoogleCloudKmsConfigArgs{
		Enabled:              pulumi.Bool(false),
		KeyVersionResourceId: pulumi.String("string"),
		ServiceAccountKey:    pulumi.String("string"),
		Valid:                pulumi.Bool(false),
	},
})

var encryptionAtRestResource = new EncryptionAtRest("encryptionAtRestResource", EncryptionAtRestArgs.builder()
    .projectId("string")
    .awsKmsConfig(EncryptionAtRestAwsKmsConfigArgs.builder()
        .accessKeyId("string")
        .customerMasterKeyId("string")
        .enabled(false)
        .region("string")
        .requirePrivateNetworking(false)
        .roleId("string")
        .secretAccessKey("string")
        .valid(false)
        .build())
    .azureKeyVaultConfig(EncryptionAtRestAzureKeyVaultConfigArgs.builder()
        .azureEnvironment("string")
        .clientId("string")
        .enabled(false)
        .keyIdentifier("string")
        .keyVaultName("string")
        .requirePrivateNetworking(false)
        .resourceGroupName("string")
        .secret("string")
        .subscriptionId("string")
        .tenantId("string")
        .valid(false)
        .build())
    .enabledForSearchNodes(false)
    .googleCloudKmsConfig(EncryptionAtRestGoogleCloudKmsConfigArgs.builder()
        .enabled(false)
        .keyVersionResourceId("string")
        .serviceAccountKey("string")
        .valid(false)
        .build())
    .build());

encryption_at_rest_resource = mongodbatlas.EncryptionAtRest("encryptionAtRestResource",
    project_id="string",
    aws_kms_config={
        "access_key_id": "string",
        "customer_master_key_id": "string",
        "enabled": False,
        "region": "string",
        "require_private_networking": False,
        "role_id": "string",
        "secret_access_key": "string",
        "valid": False,
    },
    azure_key_vault_config={
        "azure_environment": "string",
        "client_id": "string",
        "enabled": False,
        "key_identifier": "string",
        "key_vault_name": "string",
        "require_private_networking": False,
        "resource_group_name": "string",
        "secret": "string",
        "subscription_id": "string",
        "tenant_id": "string",
        "valid": False,
    },
    enabled_for_search_nodes=False,
    google_cloud_kms_config={
        "enabled": False,
        "key_version_resource_id": "string",
        "service_account_key": "string",
        "valid": False,
    })

const encryptionAtRestResource = new mongodbatlas.EncryptionAtRest("encryptionAtRestResource", {
    projectId: "string",
    awsKmsConfig: {
        accessKeyId: "string",
        customerMasterKeyId: "string",
        enabled: false,
        region: "string",
        requirePrivateNetworking: false,
        roleId: "string",
        secretAccessKey: "string",
        valid: false,
    },
    azureKeyVaultConfig: {
        azureEnvironment: "string",
        clientId: "string",
        enabled: false,
        keyIdentifier: "string",
        keyVaultName: "string",
        requirePrivateNetworking: false,
        resourceGroupName: "string",
        secret: "string",
        subscriptionId: "string",
        tenantId: "string",
        valid: false,
    },
    enabledForSearchNodes: false,
    googleCloudKmsConfig: {
        enabled: false,
        keyVersionResourceId: "string",
        serviceAccountKey: "string",
        valid: false,
    },
});

type: mongodbatlas:EncryptionAtRest
properties:
    awsKmsConfig:
        accessKeyId: string
        customerMasterKeyId: string
        enabled: false
        region: string
        requirePrivateNetworking: false
        roleId: string
        secretAccessKey: string
        valid: false
    azureKeyVaultConfig:
        azureEnvironment: string
        clientId: string
        enabled: false
        keyIdentifier: string
        keyVaultName: string
        requirePrivateNetworking: false
        resourceGroupName: string
        secret: string
        subscriptionId: string
        tenantId: string
        valid: false
    enabledForSearchNodes: false
    googleCloudKmsConfig:
        enabled: false
        keyVersionResourceId: string
        serviceAccountKey: string
        valid: false
    projectId: string

EncryptionAtRest Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The EncryptionAtRest resource accepts the following input properties:

ProjectId string: Unique 24-hexadecimal digit string that identifies your project.
AwsKmsConfig EncryptionAtRestAwsKmsConfig: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
AzureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfig: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
EnabledForSearchNodes bool: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
GoogleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfig: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).

ProjectId string: Unique 24-hexadecimal digit string that identifies your project.
AwsKmsConfig EncryptionAtRestAwsKmsConfigArgs: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
AzureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfigArgs: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
EnabledForSearchNodes bool: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
GoogleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfigArgs: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).

projectId String: Unique 24-hexadecimal digit string that identifies your project.
awsKmsConfig EncryptionAtRestAwsKmsConfig: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfig: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabledForSearchNodes Boolean: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
googleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfig: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).

projectId string: Unique 24-hexadecimal digit string that identifies your project.
awsKmsConfig EncryptionAtRestAwsKmsConfig: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfig: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabledForSearchNodes boolean: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
googleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfig: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).

project_id str: Unique 24-hexadecimal digit string that identifies your project.
aws_kms_config EncryptionAtRestAwsKmsConfigArgs: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azure_key_vault_config EncryptionAtRestAzureKeyVaultConfigArgs: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabled_for_search_nodes bool: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
google_cloud_kms_config EncryptionAtRestGoogleCloudKmsConfigArgs: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).

projectId String: Unique 24-hexadecimal digit string that identifies your project.
awsKmsConfig Property Map: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azureKeyVaultConfig Property Map: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabledForSearchNodes Boolean: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
googleCloudKmsConfig Property Map: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).

Outputs

All input properties are implicitly available as output properties. Additionally, the EncryptionAtRest resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing EncryptionAtRest Resource

Get an existing EncryptionAtRest resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: EncryptionAtRestState, opts?: CustomResourceOptions): EncryptionAtRest

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        aws_kms_config: Optional[EncryptionAtRestAwsKmsConfigArgs] = None,
        azure_key_vault_config: Optional[EncryptionAtRestAzureKeyVaultConfigArgs] = None,
        enabled_for_search_nodes: Optional[bool] = None,
        google_cloud_kms_config: Optional[EncryptionAtRestGoogleCloudKmsConfigArgs] = None,
        project_id: Optional[str] = None) -> EncryptionAtRest

func GetEncryptionAtRest(ctx *Context, name string, id IDInput, state *EncryptionAtRestState, opts ...ResourceOption) (*EncryptionAtRest, error)

public static EncryptionAtRest Get(string name, Input<string> id, EncryptionAtRestState? state, CustomResourceOptions? opts = null)

public static EncryptionAtRest get(String name, Output<String> id, EncryptionAtRestState state, CustomResourceOptions options)

resources:  _:    type: mongodbatlas:EncryptionAtRest    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AwsKmsConfig EncryptionAtRestAwsKmsConfig: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
AzureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfig: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
EnabledForSearchNodes bool: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
GoogleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfig: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
ProjectId string: Unique 24-hexadecimal digit string that identifies your project.

AwsKmsConfig EncryptionAtRestAwsKmsConfigArgs: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
AzureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfigArgs: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
EnabledForSearchNodes bool: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
GoogleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfigArgs: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
ProjectId string: Unique 24-hexadecimal digit string that identifies your project.

awsKmsConfig EncryptionAtRestAwsKmsConfig: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfig: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabledForSearchNodes Boolean: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
googleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfig: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
projectId String: Unique 24-hexadecimal digit string that identifies your project.

awsKmsConfig EncryptionAtRestAwsKmsConfig: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azureKeyVaultConfig EncryptionAtRestAzureKeyVaultConfig: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabledForSearchNodes boolean: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
googleCloudKmsConfig EncryptionAtRestGoogleCloudKmsConfig: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
projectId string: Unique 24-hexadecimal digit string that identifies your project.

aws_kms_config EncryptionAtRestAwsKmsConfigArgs: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azure_key_vault_config EncryptionAtRestAzureKeyVaultConfigArgs: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabled_for_search_nodes bool: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
google_cloud_kms_config EncryptionAtRestGoogleCloudKmsConfigArgs: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
project_id str: Unique 24-hexadecimal digit string that identifies your project.

awsKmsConfig Property Map: Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
azureKeyVaultConfig Property Map: Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
enabledForSearchNodes Boolean: Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
googleCloudKmsConfig Property Map: Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
projectId String: Unique 24-hexadecimal digit string that identifies your project.

Supporting Types

EncryptionAtRestAwsKmsConfig, EncryptionAtRestAwsKmsConfigArgs

AccessKeyId string: Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
CustomerMasterKeyId string: Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
Enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
Region string: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
RequirePrivateNetworking bool: Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
RoleId string: Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
SecretAccessKey string: Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
Valid bool: Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

AccessKeyId string: Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
CustomerMasterKeyId string: Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
Enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
Region string: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
RequirePrivateNetworking bool: Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
RoleId string: Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
SecretAccessKey string: Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
Valid bool: Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

accessKeyId String: Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
customerMasterKeyId String: Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
enabled Boolean: Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
region String: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
requirePrivateNetworking Boolean: Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
roleId String: Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
secretAccessKey String: Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
valid Boolean: Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

accessKeyId string: Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
customerMasterKeyId string: Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
enabled boolean: Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
region string: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
requirePrivateNetworking boolean: Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
roleId string: Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
secretAccessKey string: Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
valid boolean: Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

access_key_id str: Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
customer_master_key_id str: Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
region str: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
require_private_networking bool: Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
role_id str: Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
secret_access_key str: Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
valid bool: Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

accessKeyId String: Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
customerMasterKeyId String: Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
enabled Boolean: Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
region String: Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
requirePrivateNetworking Boolean: Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
roleId String: Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
secretAccessKey String: Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
valid Boolean: Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

EncryptionAtRestAzureKeyVaultConfig, EncryptionAtRestAzureKeyVaultConfigArgs

AzureEnvironment string: Azure environment in which your account credentials reside.
ClientId string: Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
Enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
KeyIdentifier string: Web address with a unique key that identifies for your Azure Key Vault.
KeyVaultName string: Unique string that identifies the Azure Key Vault that contains your key.
RequirePrivateNetworking bool: Enable connection to your Azure Key Vault over private networking.
ResourceGroupName string: Name of the Azure resource group that contains your Azure Key Vault.
Secret string: Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
SubscriptionId string: Unique 36-hexadecimal character string that identifies your Azure subscription.
TenantId string: Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
Valid bool: Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

AzureEnvironment string: Azure environment in which your account credentials reside.
ClientId string: Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
Enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
KeyIdentifier string: Web address with a unique key that identifies for your Azure Key Vault.
KeyVaultName string: Unique string that identifies the Azure Key Vault that contains your key.
RequirePrivateNetworking bool: Enable connection to your Azure Key Vault over private networking.
ResourceGroupName string: Name of the Azure resource group that contains your Azure Key Vault.
Secret string: Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
SubscriptionId string: Unique 36-hexadecimal character string that identifies your Azure subscription.
TenantId string: Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
Valid bool: Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

azureEnvironment String: Azure environment in which your account credentials reside.
clientId String: Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
enabled Boolean: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
keyIdentifier String: Web address with a unique key that identifies for your Azure Key Vault.
keyVaultName String: Unique string that identifies the Azure Key Vault that contains your key.
requirePrivateNetworking Boolean: Enable connection to your Azure Key Vault over private networking.
resourceGroupName String: Name of the Azure resource group that contains your Azure Key Vault.
secret String: Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
subscriptionId String: Unique 36-hexadecimal character string that identifies your Azure subscription.
tenantId String: Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
valid Boolean: Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

azureEnvironment string: Azure environment in which your account credentials reside.
clientId string: Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
enabled boolean: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
keyIdentifier string: Web address with a unique key that identifies for your Azure Key Vault.
keyVaultName string: Unique string that identifies the Azure Key Vault that contains your key.
requirePrivateNetworking boolean: Enable connection to your Azure Key Vault over private networking.
resourceGroupName string: Name of the Azure resource group that contains your Azure Key Vault.
secret string: Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
subscriptionId string: Unique 36-hexadecimal character string that identifies your Azure subscription.
tenantId string: Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
valid boolean: Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

azure_environment str: Azure environment in which your account credentials reside.
client_id str: Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
key_identifier str: Web address with a unique key that identifies for your Azure Key Vault.
key_vault_name str: Unique string that identifies the Azure Key Vault that contains your key.
require_private_networking bool: Enable connection to your Azure Key Vault over private networking.
resource_group_name str: Name of the Azure resource group that contains your Azure Key Vault.
secret str: Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
subscription_id str: Unique 36-hexadecimal character string that identifies your Azure subscription.
tenant_id str: Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
valid bool: Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

azureEnvironment String: Azure environment in which your account credentials reside.
clientId String: Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
enabled Boolean: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
keyIdentifier String: Web address with a unique key that identifies for your Azure Key Vault.
keyVaultName String: Unique string that identifies the Azure Key Vault that contains your key.
requirePrivateNetworking Boolean: Enable connection to your Azure Key Vault over private networking.
resourceGroupName String: Name of the Azure resource group that contains your Azure Key Vault.
secret String: Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
subscriptionId String: Unique 36-hexadecimal character string that identifies your Azure subscription.
tenantId String: Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
valid Boolean: Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

EncryptionAtRestGoogleCloudKmsConfig, EncryptionAtRestGoogleCloudKmsConfigArgs

Enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
KeyVersionResourceId string: Resource path that displays the key version resource ID for your Google Cloud KMS.
ServiceAccountKey string: JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
Valid bool: Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.

Enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
KeyVersionResourceId string: Resource path that displays the key version resource ID for your Google Cloud KMS.
ServiceAccountKey string: JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
Valid bool: Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.

enabled Boolean: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
keyVersionResourceId String: Resource path that displays the key version resource ID for your Google Cloud KMS.
serviceAccountKey String: JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
valid Boolean: Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.

enabled boolean: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
keyVersionResourceId string: Resource path that displays the key version resource ID for your Google Cloud KMS.
serviceAccountKey string: JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
valid boolean: Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.

enabled bool: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
key_version_resource_id str: Resource path that displays the key version resource ID for your Google Cloud KMS.
service_account_key str: JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
valid bool: Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.

enabled Boolean: Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.
keyVersionResourceId String: Resource path that displays the key version resource ID for your Google Cloud KMS.
serviceAccountKey String: JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
valid Boolean: Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.

Package Details

Repository: MongoDB Atlas pulumi/pulumi-mongodbatlas
License: Apache-2.0
Notes: This Pulumi package is based on the mongodbatlas Terraform Provider.

MongoDB Atlas v3.31.0 published on Tuesday, May 6, 2025 by Pulumi

pulumi/pulumi-mongodbatlas

mongodbatlas.EncryptionAtRest

On this page

On this page

Create EncryptionAtRest Resource

Constructor syntax

Parameters

Constructor example

EncryptionAtRest Resource Properties

Inputs

Outputs

Look up Existing EncryptionAtRest Resource

Supporting Types

EncryptionAtRestAwsKmsConfig, EncryptionAtRestAwsKmsConfigArgs

EncryptionAtRestAzureKeyVaultConfig, EncryptionAtRestAzureKeyVaultConfigArgs

EncryptionAtRestGoogleCloudKmsConfig, EncryptionAtRestGoogleCloudKmsConfigArgs

Package Details

On this page

On this page