Docs Home
ibm 1.77.1 published on Monday, Apr 14, 2025 by ibm-cloud
ibm.KmsKeyRings
Explore with Pulumi AI
Create, modify, or delete a key rings for hs-crypto and key protect services. Key rings created through this resource can be used to associate to KMS key resource when a standard or a root key gets created or imported. For more information, about key management rings, see creating key rings.
Example Usage
Sample example to provision key ring and associate a key management service key.
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
const kmsInstance = new ibm.ResourceInstance("kmsInstance", {
service: "kms",
plan: "tiered-pricing",
location: "us-south",
});
const keyRing = new ibm.KmsKeyRings("keyRing", {
instanceId: kmsInstance.guid,
keyRingId: "key-ring-id",
});
const key = new ibm.KmsKey("key", {
instanceId: ibm_resource_instance.kp_instance.guid,
keyName: "key",
keyRingId: keyRing.keyRingId,
standardKey: false,
payload: "aW1wb3J0ZWQucGF5bG9hZA==",
});
import pulumi
import pulumi_ibm as ibm
kms_instance = ibm.ResourceInstance("kmsInstance",
service="kms",
plan="tiered-pricing",
location="us-south")
key_ring = ibm.KmsKeyRings("keyRing",
instance_id=kms_instance.guid,
key_ring_id="key-ring-id")
key = ibm.KmsKey("key",
instance_id=ibm_resource_instance["kp_instance"]["guid"],
key_name="key",
key_ring_id=key_ring.key_ring_id,
standard_key=False,
payload="aW1wb3J0ZWQucGF5bG9hZA==")
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
kmsInstance, err := ibm.NewResourceInstance(ctx, "kmsInstance", &ibm.ResourceInstanceArgs{
Service: pulumi.String("kms"),
Plan: pulumi.String("tiered-pricing"),
Location: pulumi.String("us-south"),
})
if err != nil {
return err
}
keyRing, err := ibm.NewKmsKeyRings(ctx, "keyRing", &ibm.KmsKeyRingsArgs{
InstanceId: kmsInstance.Guid,
KeyRingId: pulumi.String("key-ring-id"),
})
if err != nil {
return err
}
_, err = ibm.NewKmsKey(ctx, "key", &ibm.KmsKeyArgs{
InstanceId: pulumi.Any(ibm_resource_instance.Kp_instance.Guid),
KeyName: pulumi.String("key"),
KeyRingId: keyRing.KeyRingId,
StandardKey: pulumi.Bool(false),
Payload: pulumi.String("aW1wb3J0ZWQucGF5bG9hZA=="),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
var kmsInstance = new Ibm.ResourceInstance("kmsInstance", new()
{
Service = "kms",
Plan = "tiered-pricing",
Location = "us-south",
});
var keyRing = new Ibm.KmsKeyRings("keyRing", new()
{
InstanceId = kmsInstance.Guid,
KeyRingId = "key-ring-id",
});
var key = new Ibm.KmsKey("key", new()
{
InstanceId = ibm_resource_instance.Kp_instance.Guid,
KeyName = "key",
KeyRingId = keyRing.KeyRingId,
StandardKey = false,
Payload = "aW1wb3J0ZWQucGF5bG9hZA==",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import com.pulumi.ibm.KmsKeyRings;
import com.pulumi.ibm.KmsKeyRingsArgs;
import com.pulumi.ibm.KmsKey;
import com.pulumi.ibm.KmsKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var kmsInstance = new ResourceInstance("kmsInstance", ResourceInstanceArgs.builder()
.service("kms")
.plan("tiered-pricing")
.location("us-south")
.build());
var keyRing = new KmsKeyRings("keyRing", KmsKeyRingsArgs.builder()
.instanceId(kmsInstance.guid())
.keyRingId("key-ring-id")
.build());
var key = new KmsKey("key", KmsKeyArgs.builder()
.instanceId(ibm_resource_instance.kp_instance().guid())
.keyName("key")
.keyRingId(keyRing.keyRingId())
.standardKey(false)
.payload("aW1wb3J0ZWQucGF5bG9hZA==")
.build());
}
}
resources:
kmsInstance:
type: ibm:ResourceInstance
properties:
service: kms
plan: tiered-pricing
location: us-south
keyRing:
type: ibm:KmsKeyRings
properties:
instanceId: ${kmsInstance.guid}
keyRingId: key-ring-id
key:
type: ibm:KmsKey
properties:
instanceId: ${ibm_resource_instance.kp_instance.guid}
keyName: key
keyRingId: ${keyRing.keyRingId}
standardKey: false
payload: aW1wb3J0ZWQucGF5bG9hZA==
~>Deprecated:
force_delete argument will no longer be supported. Users are advised to remove references to force_delete from all ibm.KmsKeyRings configurations by July 30th 2025. New default behavior of deleting a key ring is to move keys with state equals to 5 (destroyed) to the default key ring.
Create KmsKeyRings Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new KmsKeyRings(name: string, args: KmsKeyRingsArgs, opts?: CustomResourceOptions);@overload
def KmsKeyRings(resource_name: str,
args: KmsKeyRingsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def KmsKeyRings(resource_name: str,
opts: Optional[ResourceOptions] = None,
instance_id: Optional[str] = None,
key_ring_id: Optional[str] = None,
endpoint_type: Optional[str] = None,
force_delete: Optional[bool] = None,
kms_key_rings_id: Optional[str] = None)func NewKmsKeyRings(ctx *Context, name string, args KmsKeyRingsArgs, opts ...ResourceOption) (*KmsKeyRings, error)public KmsKeyRings(string name, KmsKeyRingsArgs args, CustomResourceOptions? opts = null)
public KmsKeyRings(String name, KmsKeyRingsArgs args)
public KmsKeyRings(String name, KmsKeyRingsArgs args, CustomResourceOptions options)
type: ibm:KmsKeyRings
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KmsKeyRingsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KmsKeyRingsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KmsKeyRingsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KmsKeyRingsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KmsKeyRingsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var kmsKeyRingsResource = new Ibm.KmsKeyRings("kmsKeyRingsResource", new()
{
InstanceId = "string",
KeyRingId = "string",
EndpointType = "string",
KmsKeyRingsId = "string",
});
example, err := ibm.NewKmsKeyRings(ctx, "kmsKeyRingsResource", &ibm.KmsKeyRingsArgs{
InstanceId: pulumi.String("string"),
KeyRingId: pulumi.String("string"),
EndpointType: pulumi.String("string"),
KmsKeyRingsId: pulumi.String("string"),
})
var kmsKeyRingsResource = new KmsKeyRings("kmsKeyRingsResource", KmsKeyRingsArgs.builder()
.instanceId("string")
.keyRingId("string")
.endpointType("string")
.kmsKeyRingsId("string")
.build());
kms_key_rings_resource = ibm.KmsKeyRings("kmsKeyRingsResource",
instance_id="string",
key_ring_id="string",
endpoint_type="string",
kms_key_rings_id="string")
const kmsKeyRingsResource = new ibm.KmsKeyRings("kmsKeyRingsResource", {
instanceId: "string",
keyRingId: "string",
endpointType: "string",
kmsKeyRingsId: "string",
});
type: ibm:KmsKeyRings
properties:
endpointType: string
instanceId: string
keyRingId: string
kmsKeyRingsId: string
KmsKeyRings Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The KmsKeyRings resource accepts the following input properties:
- Instance
Id string - The hs-crypto or key protect instance GUID.
- Key
Ring stringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - Endpoint
Type string - The type of the public endpoint, or private endpoint to be used for creating keys.
- Force
Delete bool - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- Kms
Key stringRings Id
- Instance
Id string - The hs-crypto or key protect instance GUID.
- Key
Ring stringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - Endpoint
Type string - The type of the public endpoint, or private endpoint to be used for creating keys.
- Force
Delete bool - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- Kms
Key stringRings Id
- instance
Id String - The hs-crypto or key protect instance GUID.
- key
Ring StringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - endpoint
Type String - The type of the public endpoint, or private endpoint to be used for creating keys.
- force
Delete Boolean - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- kms
Key StringRings Id
- instance
Id string - The hs-crypto or key protect instance GUID.
- key
Ring stringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - endpoint
Type string - The type of the public endpoint, or private endpoint to be used for creating keys.
- force
Delete boolean - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- kms
Key stringRings Id
- instance_
id str - The hs-crypto or key protect instance GUID.
- key_
ring_ strid - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - endpoint_
type str - The type of the public endpoint, or private endpoint to be used for creating keys.
- force_
delete bool - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- kms_
key_ strrings_ id
- instance
Id String - The hs-crypto or key protect instance GUID.
- key
Ring StringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - endpoint
Type String - The type of the public endpoint, or private endpoint to be used for creating keys.
- force
Delete Boolean - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- kms
Key StringRings Id
Outputs
All input properties are implicitly available as output properties. Additionally, the KmsKeyRings resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing KmsKeyRings Resource
Get an existing KmsKeyRings resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KmsKeyRingsState, opts?: CustomResourceOptions): KmsKeyRings@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
endpoint_type: Optional[str] = None,
force_delete: Optional[bool] = None,
instance_id: Optional[str] = None,
key_ring_id: Optional[str] = None,
kms_key_rings_id: Optional[str] = None) -> KmsKeyRingsfunc GetKmsKeyRings(ctx *Context, name string, id IDInput, state *KmsKeyRingsState, opts ...ResourceOption) (*KmsKeyRings, error)public static KmsKeyRings Get(string name, Input<string> id, KmsKeyRingsState? state, CustomResourceOptions? opts = null)public static KmsKeyRings get(String name, Output<String> id, KmsKeyRingsState state, CustomResourceOptions options)resources: _: type: ibm:KmsKeyRings get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Endpoint
Type string - The type of the public endpoint, or private endpoint to be used for creating keys.
- Force
Delete bool - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- Instance
Id string - The hs-crypto or key protect instance GUID.
- Key
Ring stringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - Kms
Key stringRings Id
- Endpoint
Type string - The type of the public endpoint, or private endpoint to be used for creating keys.
- Force
Delete bool - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- Instance
Id string - The hs-crypto or key protect instance GUID.
- Key
Ring stringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - Kms
Key stringRings Id
- endpoint
Type String - The type of the public endpoint, or private endpoint to be used for creating keys.
- force
Delete Boolean - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- instance
Id String - The hs-crypto or key protect instance GUID.
- key
Ring StringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - kms
Key StringRings Id
- endpoint
Type string - The type of the public endpoint, or private endpoint to be used for creating keys.
- force
Delete boolean - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- instance
Id string - The hs-crypto or key protect instance GUID.
- key
Ring stringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - kms
Key stringRings Id
- endpoint_
type str - The type of the public endpoint, or private endpoint to be used for creating keys.
- force_
delete bool - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- instance_
id str - The hs-crypto or key protect instance GUID.
- key_
ring_ strid - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - kms_
key_ strrings_ id
- endpoint
Type String - The type of the public endpoint, or private endpoint to be used for creating keys.
- force
Delete Boolean - (Deprecated) set to true to force delete this key ring. This allows key ring deletion as long as all keys inside have key state equals to 5 (destroyed). Keys are moved to the default key ring.
- instance
Id String - The hs-crypto or key protect instance GUID.
- key
Ring StringId - The ID that identifies the key ring. Each ID is unique within the given instance and is not reserved across the key protect service. Constraints
2 ≤ length ≤ 100. Value must match regular expression of^[a-zA-Z0-9-]*$. - kms
Key StringRings Id
Package Details
- Repository
- ibm ibm-cloud/terraform-provider-ibm
- License
- Notes
- This Pulumi package is based on the
ibmTerraform Provider.