Syntax
A google_kms_crypto_key
is used to test a Google CryptoKey resource
Examples
describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: 'kms-key') do
it { should exist }
its('crypto_key_name') { should cmp 'kms-key' }
its('primary_state') { should eq "ENABLED" }
its('purpose') { should eq "ENCRYPT_DECRYPT" }
its('next_rotation_time') { should be > Time.now - 100000 }
its('create_time') { should be > Time.now - 365*60*60*24*10 }
end
describe google_kms_crypto_key(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring_name: 'kms-key-ring', name: "nonexistent") do
it { should_not exist }
end
Test that a GCP KMS crypto key was created recently
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
end
Test when the next rotation time for a GCP KMS crypto key is scheduled
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('next_rotation_time_date') { should be > Time.now - 100000 }
end
Check that the crypto key purpose is as expected
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('purpose') { should eq "ENCRYPT_DECRYPT" }
end
Check that the crypto key primary is in “ENABLED” state
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('primary_state') { should eq "ENABLED" }
end
Properties
Properties that can be accessed from the google_kms_crypto_key
resource:
crypto_key_name
: The resource name for the CryptoKey.create_time
: The time that this resource was created on the server. This is in RFC3339 text format.labels
: Labels with user-defined metadata to apply to this resource.purpose
: The immutable purpose of this CryptoKey. See the purpose reference for possible inputs. Possible values:- ENCRYPT_DECRYPT
- ASYMMETRIC_SIGN
- ASYMMETRIC_DECRYPT
rotation_period
: Every time this period passes, generate a new CryptoKeyVersion and set it as the primary. The first rotation will take place after the specified period. The rotation period has the format of a decimal number with up to 9 fractional digits, followed by the letters
(seconds). It must be greater than a day (ie, 86400).version_template
: A template describing settings for new crypto key versions.algorithm
: The algorithm to use when creating a version based on this template. See the algorithm reference for possible inputs.protection_level
: The protection level to use when creating a version based on this template. Possible values:- SOFTWARE
- HSM
next_rotation_time
: The time when KMS will create a new version of this Crypto Key.key_ring
: The KeyRing that this key belongs to. Format:'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'
.
GCP Permissions
Ensure the Cloud Key Management Service (KMS) API is enabled for the current project.