Google CloudCloud KMSgoogle_kms_crypto_keyPro

How to Import an Google Cloud KMS Crypto Key into Terraform

To import an existing Google Cloud KMS Crypto Key into Terraform, scan it with Terraback and run terraback gcp import --method bulk. Terraback writes the matching google_kms_crypto_key resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the full path projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{name} (for example, projects/my-project/locations/us-central1/keyRings/app-ring/cryptoKeys/data-key).

Import Google Cloud KMS Crypto Key with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the Cloud KMS resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Google Cloud KMS Crypto Key to managed Terraform.

1

Scan your Google Cloud account

terraback scan all gcp --project my-gcp-project
2

Generate import blocks and import into state

terraback gcp import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = google_kms_crypto_key.data
  id = "projects/my-project/locations/us-central1/keyRings/app-ring/cryptoKeys/data-key"
}

Example google_kms_crypto_key configuration

Here is a realistic Google Cloud KMS Crypto Key block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "google_kms_crypto_key" "data" {
  name            = "data-key"
  key_ring        = google_kms_key_ring.app.id
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = true
  }
}

Gotchas when importing a Google Cloud KMS Crypto Key

  • The import ID is the full keyRings/.../cryptoKeys/... path; the key_ring attribute in HCL is that parent key ring ID.
  • Crypto keys and their versions cannot truly be deleted, so Terraform destroy only schedules version destruction; prevent_destroy is recommended.
  • rotation_period is a seconds string such as 7776000s (90 days), not a duration like 90d.
  • purpose and version_template.algorithm are immutable; changing them forces a new key.

Doing it manually with terraform import

The native approach is to write the google_kms_crypto_key block by hand, then run terraform import google_kms_crypto_key.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole Google Cloud account in minutes

Terraback scans 80+ Google Cloud resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.