Docs Home
MongoDB Atlas v3.30.0 published on Friday, Mar 21, 2025 by Pulumi
mongodbatlas.getEncryptionAtRest
Explore with Pulumi AI
- # Data Source: mongodbatlas.EncryptionAtRest
- Example Usage
- S
- Configuring encryption at rest using customer key management in AWS
- Configuring encryption at rest using customer key management in Azure
- Configuring encryption at rest using customer key management in GCP
- Using getEncryptionAtRest
- getEncryptionAtRest Result
- Supporting Types
- Package Details
# Data Source: mongodbatlas.EncryptionAtRest
mongodbatlas.EncryptionAtRest describes encryption at rest configuration for an Atlas project with one of the following providers:
Amazon Web Services Key Management Service Azure Key Vault Google Cloud KMS
IMPORTANT By default, Atlas enables encryption at rest for all cluster storage and snapshot volumes.
IMPORTANT Atlas limits this feature to dedicated cluster tiers of M10 and greater. For more information see: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management
NOTE: Groups and projects are synonymous terms. You may find
groupIdin the official documentation.
Example Usage
S
Configuring encryption at rest using customer key management in AWS
import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";
const setupOnly = new mongodbatlas.CloudProviderAccessSetup("setup_only", {
projectId: atlasProjectId,
providerName: "AWS",
});
const authRole = new mongodbatlas.CloudProviderAccessAuthorization("auth_role", {
projectId: atlasProjectId,
roleId: setupOnly.roleId,
aws: {
iamAssumedRoleArn: testRole.arn,
},
});
const testEncryptionAtRest = new mongodbatlas.EncryptionAtRest("test", {
projectId: atlasProjectId,
awsKmsConfig: {
enabled: true,
customerMasterKeyId: kmsKey.id,
region: atlasRegion,
roleId: authRole.roleId,
},
});
const cluster = new mongodbatlas.AdvancedCluster("cluster", {
projectId: testEncryptionAtRest.projectId,
name: "MyCluster",
clusterType: "REPLICASET",
backupEnabled: true,
encryptionAtRestProvider: "AWS",
replicationSpecs: [{
regionConfigs: [{
priority: 7,
providerName: "AWS",
regionName: "US_EAST_1",
electableSpecs: {
instanceSize: "M10",
nodeCount: 3,
},
}],
}],
});
const test = mongodbatlas.getEncryptionAtRestOutput({
projectId: testEncryptionAtRest.projectId,
});
export const isAwsKmsEncryptionAtRestValid = test.apply(test => test.awsKmsConfig?.valid);
import pulumi
import pulumi_mongodbatlas as mongodbatlas
setup_only = mongodbatlas.CloudProviderAccessSetup("setup_only",
project_id=atlas_project_id,
provider_name="AWS")
auth_role = mongodbatlas.CloudProviderAccessAuthorization("auth_role",
project_id=atlas_project_id,
role_id=setup_only.role_id,
aws={
"iam_assumed_role_arn": test_role["arn"],
})
test_encryption_at_rest = mongodbatlas.EncryptionAtRest("test",
project_id=atlas_project_id,
aws_kms_config={
"enabled": True,
"customer_master_key_id": kms_key["id"],
"region": atlas_region,
"role_id": auth_role.role_id,
})
cluster = mongodbatlas.AdvancedCluster("cluster",
project_id=test_encryption_at_rest.project_id,
name="MyCluster",
cluster_type="REPLICASET",
backup_enabled=True,
encryption_at_rest_provider="AWS",
replication_specs=[{
"region_configs": [{
"priority": 7,
"provider_name": "AWS",
"region_name": "US_EAST_1",
"electable_specs": {
"instance_size": "M10",
"node_count": 3,
},
}],
}])
test = mongodbatlas.get_encryption_at_rest_output(project_id=test_encryption_at_rest.project_id)
pulumi.export("isAwsKmsEncryptionAtRestValid", test.aws_kms_config.valid)
package main
import (
"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
setupOnly, err := mongodbatlas.NewCloudProviderAccessSetup(ctx, "setup_only", &mongodbatlas.CloudProviderAccessSetupArgs{
ProjectId: pulumi.Any(atlasProjectId),
ProviderName: pulumi.String("AWS"),
})
if err != nil {
return err
}
authRole, err := mongodbatlas.NewCloudProviderAccessAuthorization(ctx, "auth_role", &mongodbatlas.CloudProviderAccessAuthorizationArgs{
ProjectId: pulumi.Any(atlasProjectId),
RoleId: setupOnly.RoleId,
Aws: &mongodbatlas.CloudProviderAccessAuthorizationAwsArgs{
IamAssumedRoleArn: pulumi.Any(testRole.Arn),
},
})
if err != nil {
return err
}
testEncryptionAtRest, err := mongodbatlas.NewEncryptionAtRest(ctx, "test", &mongodbatlas.EncryptionAtRestArgs{
ProjectId: pulumi.Any(atlasProjectId),
AwsKmsConfig: &mongodbatlas.EncryptionAtRestAwsKmsConfigArgs{
Enabled: pulumi.Bool(true),
CustomerMasterKeyId: pulumi.Any(kmsKey.Id),
Region: pulumi.Any(atlasRegion),
RoleId: authRole.RoleId,
},
})
if err != nil {
return err
}
_, err = mongodbatlas.NewAdvancedCluster(ctx, "cluster", &mongodbatlas.AdvancedClusterArgs{
ProjectId: testEncryptionAtRest.ProjectId,
Name: pulumi.String("MyCluster"),
ClusterType: pulumi.String("REPLICASET"),
BackupEnabled: pulumi.Bool(true),
EncryptionAtRestProvider: pulumi.String("AWS"),
ReplicationSpecs: mongodbatlas.AdvancedClusterReplicationSpecArray{
&mongodbatlas.AdvancedClusterReplicationSpecArgs{
RegionConfigs: mongodbatlas.AdvancedClusterReplicationSpecRegionConfigArray{
&mongodbatlas.AdvancedClusterReplicationSpecRegionConfigArgs{
Priority: pulumi.Int(7),
ProviderName: pulumi.String("AWS"),
RegionName: pulumi.String("US_EAST_1"),
ElectableSpecs: &mongodbatlas.AdvancedClusterReplicationSpecRegionConfigElectableSpecsArgs{
InstanceSize: pulumi.String("M10"),
NodeCount: pulumi.Int(3),
},
},
},
},
},
})
if err != nil {
return err
}
test := mongodbatlas.LookupEncryptionAtRestOutput(ctx, mongodbatlas.GetEncryptionAtRestOutputArgs{
ProjectId: testEncryptionAtRest.ProjectId,
}, nil)
ctx.Export("isAwsKmsEncryptionAtRestValid", test.ApplyT(func(test mongodbatlas.GetEncryptionAtRestResult) (*bool, error) {
return &test.AwsKmsConfig.Valid, nil
}).(pulumi.BoolPtrOutput))
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;
return await Deployment.RunAsync(() =>
{
var setupOnly = new Mongodbatlas.CloudProviderAccessSetup("setup_only", new()
{
ProjectId = atlasProjectId,
ProviderName = "AWS",
});
var authRole = new Mongodbatlas.CloudProviderAccessAuthorization("auth_role", new()
{
ProjectId = atlasProjectId,
RoleId = setupOnly.RoleId,
Aws = new Mongodbatlas.Inputs.CloudProviderAccessAuthorizationAwsArgs
{
IamAssumedRoleArn = testRole.Arn,
},
});
var testEncryptionAtRest = new Mongodbatlas.EncryptionAtRest("test", new()
{
ProjectId = atlasProjectId,
AwsKmsConfig = new Mongodbatlas.Inputs.EncryptionAtRestAwsKmsConfigArgs
{
Enabled = true,
CustomerMasterKeyId = kmsKey.Id,
Region = atlasRegion,
RoleId = authRole.RoleId,
},
});
var cluster = new Mongodbatlas.AdvancedCluster("cluster", new()
{
ProjectId = testEncryptionAtRest.ProjectId,
Name = "MyCluster",
ClusterType = "REPLICASET",
BackupEnabled = true,
EncryptionAtRestProvider = "AWS",
ReplicationSpecs = new[]
{
new Mongodbatlas.Inputs.AdvancedClusterReplicationSpecArgs
{
RegionConfigs = new[]
{
new Mongodbatlas.Inputs.AdvancedClusterReplicationSpecRegionConfigArgs
{
Priority = 7,
ProviderName = "AWS",
RegionName = "US_EAST_1",
ElectableSpecs = new Mongodbatlas.Inputs.AdvancedClusterReplicationSpecRegionConfigElectableSpecsArgs
{
InstanceSize = "M10",
NodeCount = 3,
},
},
},
},
},
});
var test = Mongodbatlas.GetEncryptionAtRest.Invoke(new()
{
ProjectId = testEncryptionAtRest.ProjectId,
});
return new Dictionary<string, object?>
{
["isAwsKmsEncryptionAtRestValid"] = test.Apply(getEncryptionAtRestResult => getEncryptionAtRestResult.AwsKmsConfig?.Valid),
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.mongodbatlas.CloudProviderAccessSetup;
import com.pulumi.mongodbatlas.CloudProviderAccessSetupArgs;
import com.pulumi.mongodbatlas.CloudProviderAccessAuthorization;
import com.pulumi.mongodbatlas.CloudProviderAccessAuthorizationArgs;
import com.pulumi.mongodbatlas.inputs.CloudProviderAccessAuthorizationAwsArgs;
import com.pulumi.mongodbatlas.EncryptionAtRest;
import com.pulumi.mongodbatlas.EncryptionAtRestArgs;
import com.pulumi.mongodbatlas.inputs.EncryptionAtRestAwsKmsConfigArgs;
import com.pulumi.mongodbatlas.AdvancedCluster;
import com.pulumi.mongodbatlas.AdvancedClusterArgs;
import com.pulumi.mongodbatlas.inputs.AdvancedClusterReplicationSpecArgs;
import com.pulumi.mongodbatlas.MongodbatlasFunctions;
import com.pulumi.mongodbatlas.inputs.GetEncryptionAtRestArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var setupOnly = new CloudProviderAccessSetup("setupOnly", CloudProviderAccessSetupArgs.builder()
.projectId(atlasProjectId)
.providerName("AWS")
.build());
var authRole = new CloudProviderAccessAuthorization("authRole", CloudProviderAccessAuthorizationArgs.builder()
.projectId(atlasProjectId)
.roleId(setupOnly.roleId())
.aws(CloudProviderAccessAuthorizationAwsArgs.builder()
.iamAssumedRoleArn(testRole.arn())
.build())
.build());
var testEncryptionAtRest = new EncryptionAtRest("testEncryptionAtRest", EncryptionAtRestArgs.builder()
.projectId(atlasProjectId)
.awsKmsConfig(EncryptionAtRestAwsKmsConfigArgs.builder()
.enabled(true)
.customerMasterKeyId(kmsKey.id())
.region(atlasRegion)
.roleId(authRole.roleId())
.build())
.build());
var cluster = new AdvancedCluster("cluster", AdvancedClusterArgs.builder()
.projectId(testEncryptionAtRest.projectId())
.name("MyCluster")
.clusterType("REPLICASET")
.backupEnabled(true)
.encryptionAtRestProvider("AWS")
.replicationSpecs(AdvancedClusterReplicationSpecArgs.builder()
.regionConfigs(AdvancedClusterReplicationSpecRegionConfigArgs.builder()
.priority(7)
.providerName("AWS")
.regionName("US_EAST_1")
.electableSpecs(AdvancedClusterReplicationSpecRegionConfigElectableSpecsArgs.builder()
.instanceSize("M10")
.nodeCount(3)
.build())
.build())
.build())
.build());
final var test = MongodbatlasFunctions.getEncryptionAtRest(GetEncryptionAtRestArgs.builder()
.projectId(testEncryptionAtRest.projectId())
.build());
ctx.export("isAwsKmsEncryptionAtRestValid", test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult).applyValue(test -> test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult.awsKmsConfig().valid())));
}
}
resources:
setupOnly:
type: mongodbatlas:CloudProviderAccessSetup
name: setup_only
properties:
projectId: ${atlasProjectId}
providerName: AWS
authRole:
type: mongodbatlas:CloudProviderAccessAuthorization
name: auth_role
properties:
projectId: ${atlasProjectId}
roleId: ${setupOnly.roleId}
aws:
iamAssumedRoleArn: ${testRole.arn}
testEncryptionAtRest:
type: mongodbatlas:EncryptionAtRest
name: test
properties:
projectId: ${atlasProjectId}
awsKmsConfig:
enabled: true
customerMasterKeyId: ${kmsKey.id}
region: ${atlasRegion}
roleId: ${authRole.roleId}
cluster:
type: mongodbatlas:AdvancedCluster
properties:
projectId: ${testEncryptionAtRest.projectId}
name: MyCluster
clusterType: REPLICASET
backupEnabled: true
encryptionAtRestProvider: AWS
replicationSpecs:
- regionConfigs:
- priority: 7
providerName: AWS
regionName: US_EAST_1
electableSpecs:
instanceSize: M10
nodeCount: 3
variables:
test:
fn::invoke:
function: mongodbatlas:getEncryptionAtRest
arguments:
projectId: ${testEncryptionAtRest.projectId}
outputs:
isAwsKmsEncryptionAtRestValid: ${test.awsKmsConfig.valid}
Configuring encryption at rest using customer key management in Azure
import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";
const testEncryptionAtRest = new mongodbatlas.EncryptionAtRest("test", {
projectId: atlasProjectId,
azureKeyVaultConfig: {
enabled: true,
azureEnvironment: "AZURE",
tenantId: azureTenantId,
subscriptionId: azureSubscriptionId,
clientId: azureClientId,
secret: azureClientSecret,
resourceGroupName: azureResourceGroupName,
keyVaultName: azureKeyVaultName,
keyIdentifier: azureKeyIdentifier,
},
});
const test = mongodbatlas.getEncryptionAtRestOutput({
projectId: testEncryptionAtRest.projectId,
});
export const isAzureEncryptionAtRestValid = test.apply(test => test.azureKeyVaultConfig?.valid);
import pulumi
import pulumi_mongodbatlas as mongodbatlas
test_encryption_at_rest = mongodbatlas.EncryptionAtRest("test",
project_id=atlas_project_id,
azure_key_vault_config={
"enabled": True,
"azure_environment": "AZURE",
"tenant_id": azure_tenant_id,
"subscription_id": azure_subscription_id,
"client_id": azure_client_id,
"secret": azure_client_secret,
"resource_group_name": azure_resource_group_name,
"key_vault_name": azure_key_vault_name,
"key_identifier": azure_key_identifier,
})
test = mongodbatlas.get_encryption_at_rest_output(project_id=test_encryption_at_rest.project_id)
pulumi.export("isAzureEncryptionAtRestValid", test.azure_key_vault_config.valid)
package main
import (
"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
testEncryptionAtRest, err := mongodbatlas.NewEncryptionAtRest(ctx, "test", &mongodbatlas.EncryptionAtRestArgs{
ProjectId: pulumi.Any(atlasProjectId),
AzureKeyVaultConfig: &mongodbatlas.EncryptionAtRestAzureKeyVaultConfigArgs{
Enabled: pulumi.Bool(true),
AzureEnvironment: pulumi.String("AZURE"),
TenantId: pulumi.Any(azureTenantId),
SubscriptionId: pulumi.Any(azureSubscriptionId),
ClientId: pulumi.Any(azureClientId),
Secret: pulumi.Any(azureClientSecret),
ResourceGroupName: pulumi.Any(azureResourceGroupName),
KeyVaultName: pulumi.Any(azureKeyVaultName),
KeyIdentifier: pulumi.Any(azureKeyIdentifier),
},
})
if err != nil {
return err
}
test := mongodbatlas.LookupEncryptionAtRestOutput(ctx, mongodbatlas.GetEncryptionAtRestOutputArgs{
ProjectId: testEncryptionAtRest.ProjectId,
}, nil)
ctx.Export("isAzureEncryptionAtRestValid", test.ApplyT(func(test mongodbatlas.GetEncryptionAtRestResult) (*bool, error) {
return &test.AzureKeyVaultConfig.Valid, nil
}).(pulumi.BoolPtrOutput))
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;
return await Deployment.RunAsync(() =>
{
var testEncryptionAtRest = new Mongodbatlas.EncryptionAtRest("test", new()
{
ProjectId = atlasProjectId,
AzureKeyVaultConfig = new Mongodbatlas.Inputs.EncryptionAtRestAzureKeyVaultConfigArgs
{
Enabled = true,
AzureEnvironment = "AZURE",
TenantId = azureTenantId,
SubscriptionId = azureSubscriptionId,
ClientId = azureClientId,
Secret = azureClientSecret,
ResourceGroupName = azureResourceGroupName,
KeyVaultName = azureKeyVaultName,
KeyIdentifier = azureKeyIdentifier,
},
});
var test = Mongodbatlas.GetEncryptionAtRest.Invoke(new()
{
ProjectId = testEncryptionAtRest.ProjectId,
});
return new Dictionary<string, object?>
{
["isAzureEncryptionAtRestValid"] = test.Apply(getEncryptionAtRestResult => getEncryptionAtRestResult.AzureKeyVaultConfig?.Valid),
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.mongodbatlas.EncryptionAtRest;
import com.pulumi.mongodbatlas.EncryptionAtRestArgs;
import com.pulumi.mongodbatlas.inputs.EncryptionAtRestAzureKeyVaultConfigArgs;
import com.pulumi.mongodbatlas.MongodbatlasFunctions;
import com.pulumi.mongodbatlas.inputs.GetEncryptionAtRestArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var testEncryptionAtRest = new EncryptionAtRest("testEncryptionAtRest", EncryptionAtRestArgs.builder()
.projectId(atlasProjectId)
.azureKeyVaultConfig(EncryptionAtRestAzureKeyVaultConfigArgs.builder()
.enabled(true)
.azureEnvironment("AZURE")
.tenantId(azureTenantId)
.subscriptionId(azureSubscriptionId)
.clientId(azureClientId)
.secret(azureClientSecret)
.resourceGroupName(azureResourceGroupName)
.keyVaultName(azureKeyVaultName)
.keyIdentifier(azureKeyIdentifier)
.build())
.build());
final var test = MongodbatlasFunctions.getEncryptionAtRest(GetEncryptionAtRestArgs.builder()
.projectId(testEncryptionAtRest.projectId())
.build());
ctx.export("isAzureEncryptionAtRestValid", test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult).applyValue(test -> test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult.azureKeyVaultConfig().valid())));
}
}
resources:
testEncryptionAtRest:
type: mongodbatlas:EncryptionAtRest
name: test
properties:
projectId: ${atlasProjectId}
azureKeyVaultConfig:
enabled: true
azureEnvironment: AZURE
tenantId: ${azureTenantId}
subscriptionId: ${azureSubscriptionId}
clientId: ${azureClientId}
secret: ${azureClientSecret}
resourceGroupName: ${azureResourceGroupName}
keyVaultName: ${azureKeyVaultName}
keyIdentifier: ${azureKeyIdentifier}
variables:
test:
fn::invoke:
function: mongodbatlas:getEncryptionAtRest
arguments:
projectId: ${testEncryptionAtRest.projectId}
outputs:
isAzureEncryptionAtRestValid: ${test.azureKeyVaultConfig.valid}
NOTE: It is possible to configure Atlas Encryption at Rest to communicate with Customer Managed Keys (Azure Key Vault or AWS KMS) over private network interfaces (Azure Private Link or AWS PrivateLink). This requires enabling the
azure_key_vault_config.require_private_networkingor theaws_kms_config.require_private_networkingattribute, together with the configuration of themongodbatlas.EncryptionAtRestPrivateEndpointresource. Please review themongodbatlas.EncryptionAtRestPrivateEndpointresource for details.
Configuring encryption at rest using customer key management in GCP
import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";
const testEncryptionAtRest = new mongodbatlas.EncryptionAtRest("test", {
projectId: atlasProjectId,
googleCloudKmsConfig: {
enabled: true,
serviceAccountKey: "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
keyVersionResourceId: "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
},
});
const test = mongodbatlas.getEncryptionAtRestOutput({
projectId: testEncryptionAtRest.projectId,
});
export const isGcpEncryptionAtRestValid = test.apply(test => test.googleCloudKmsConfig?.valid);
import pulumi
import pulumi_mongodbatlas as mongodbatlas
test_encryption_at_rest = mongodbatlas.EncryptionAtRest("test",
project_id=atlas_project_id,
google_cloud_kms_config={
"enabled": True,
"service_account_key": "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
"key_version_resource_id": "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
})
test = mongodbatlas.get_encryption_at_rest_output(project_id=test_encryption_at_rest.project_id)
pulumi.export("isGcpEncryptionAtRestValid", test.google_cloud_kms_config.valid)
package main
import (
"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
testEncryptionAtRest, err := mongodbatlas.NewEncryptionAtRest(ctx, "test", &mongodbatlas.EncryptionAtRestArgs{
ProjectId: pulumi.Any(atlasProjectId),
GoogleCloudKmsConfig: &mongodbatlas.EncryptionAtRestGoogleCloudKmsConfigArgs{
Enabled: pulumi.Bool(true),
ServiceAccountKey: pulumi.String("{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}"),
KeyVersionResourceId: pulumi.String("projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1"),
},
})
if err != nil {
return err
}
test := mongodbatlas.LookupEncryptionAtRestOutput(ctx, mongodbatlas.GetEncryptionAtRestOutputArgs{
ProjectId: testEncryptionAtRest.ProjectId,
}, nil)
ctx.Export("isGcpEncryptionAtRestValid", test.ApplyT(func(test mongodbatlas.GetEncryptionAtRestResult) (*bool, error) {
return &test.GoogleCloudKmsConfig.Valid, nil
}).(pulumi.BoolPtrOutput))
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;
return await Deployment.RunAsync(() =>
{
var testEncryptionAtRest = new Mongodbatlas.EncryptionAtRest("test", new()
{
ProjectId = atlasProjectId,
GoogleCloudKmsConfig = new Mongodbatlas.Inputs.EncryptionAtRestGoogleCloudKmsConfigArgs
{
Enabled = true,
ServiceAccountKey = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}",
KeyVersionResourceId = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
},
});
var test = Mongodbatlas.GetEncryptionAtRest.Invoke(new()
{
ProjectId = testEncryptionAtRest.ProjectId,
});
return new Dictionary<string, object?>
{
["isGcpEncryptionAtRestValid"] = test.Apply(getEncryptionAtRestResult => getEncryptionAtRestResult.GoogleCloudKmsConfig?.Valid),
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.mongodbatlas.EncryptionAtRest;
import com.pulumi.mongodbatlas.EncryptionAtRestArgs;
import com.pulumi.mongodbatlas.inputs.EncryptionAtRestGoogleCloudKmsConfigArgs;
import com.pulumi.mongodbatlas.MongodbatlasFunctions;
import com.pulumi.mongodbatlas.inputs.GetEncryptionAtRestArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var testEncryptionAtRest = new EncryptionAtRest("testEncryptionAtRest", EncryptionAtRestArgs.builder()
.projectId(atlasProjectId)
.googleCloudKmsConfig(EncryptionAtRestGoogleCloudKmsConfigArgs.builder()
.enabled(true)
.serviceAccountKey("{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"my-email-kms-0@my-project-common-0.iam.gserviceaccount.com\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}")
.keyVersionResourceId("projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1")
.build())
.build());
final var test = MongodbatlasFunctions.getEncryptionAtRest(GetEncryptionAtRestArgs.builder()
.projectId(testEncryptionAtRest.projectId())
.build());
ctx.export("isGcpEncryptionAtRestValid", test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult).applyValue(test -> test.applyValue(getEncryptionAtRestResult -> getEncryptionAtRestResult.googleCloudKmsConfig().valid())));
}
}
resources:
testEncryptionAtRest:
type: mongodbatlas:EncryptionAtRest
name: test
properties:
projectId: ${atlasProjectId}
googleCloudKmsConfig:
enabled: true
serviceAccountKey: '{"type": "service_account","project_id": "my-project-common-0","private_key_id": "e120598ea4f88249469fcdd75a9a785c1bb3","private_key": "-----BEGIN PRIVATE KEY-----\nMIIEuwIBA(truncated)SfecnS0mT94D9\n-----END PRIVATE KEY-----\n","client_email": "my-email-kms-0@my-project-common-0.iam.gserviceaccount.com","client_id": "10180967717292066","auth_uri": "https://accounts.google.com/o/oauth2/auth","token_uri": "https://accounts.google.com/o/oauth2/token","auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com"}'
keyVersionResourceId: projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1
variables:
test:
fn::invoke:
function: mongodbatlas:getEncryptionAtRest
arguments:
projectId: ${testEncryptionAtRest.projectId}
outputs:
isGcpEncryptionAtRestValid: ${test.googleCloudKmsConfig.valid}
Using getEncryptionAtRest
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getEncryptionAtRest(args: GetEncryptionAtRestArgs, opts?: InvokeOptions): Promise<GetEncryptionAtRestResult>
function getEncryptionAtRestOutput(args: GetEncryptionAtRestOutputArgs, opts?: InvokeOptions): Output<GetEncryptionAtRestResult>def get_encryption_at_rest(project_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetEncryptionAtRestResult
def get_encryption_at_rest_output(project_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetEncryptionAtRestResult]func LookupEncryptionAtRest(ctx *Context, args *LookupEncryptionAtRestArgs, opts ...InvokeOption) (*LookupEncryptionAtRestResult, error)
func LookupEncryptionAtRestOutput(ctx *Context, args *LookupEncryptionAtRestOutputArgs, opts ...InvokeOption) LookupEncryptionAtRestResultOutput> Note: This function is named LookupEncryptionAtRest in the Go SDK.
public static class GetEncryptionAtRest
{
public static Task<GetEncryptionAtRestResult> InvokeAsync(GetEncryptionAtRestArgs args, InvokeOptions? opts = null)
public static Output<GetEncryptionAtRestResult> Invoke(GetEncryptionAtRestInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetEncryptionAtRestResult> getEncryptionAtRest(GetEncryptionAtRestArgs args, InvokeOptions options)
public static Output<GetEncryptionAtRestResult> getEncryptionAtRest(GetEncryptionAtRestArgs args, InvokeOptions options)
fn::invoke:
function: mongodbatlas:index/getEncryptionAtRest:getEncryptionAtRest
arguments:
# arguments dictionaryThe following arguments are supported:
- Project
Id This property is required. string - Unique 24-hexadecimal digit string that identifies your project.
- Project
Id This property is required. string - Unique 24-hexadecimal digit string that identifies your project.
- project
Id This property is required. String - Unique 24-hexadecimal digit string that identifies your project.
- project
Id This property is required. string - Unique 24-hexadecimal digit string that identifies your project.
- project_
id This property is required. str - Unique 24-hexadecimal digit string that identifies your project.
- project
Id This property is required. String - Unique 24-hexadecimal digit string that identifies your project.
getEncryptionAtRest Result
The following output properties are available:
- Aws
Kms GetConfig Encryption At Rest Aws Kms Config - Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
- Azure
Key GetVault Config Encryption At Rest Azure Key Vault Config - Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
- Google
Cloud GetKms Config Encryption At Rest Google Cloud Kms Config - Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
- Id string
- The ID of this resource.
- Project
Id string - Unique 24-hexadecimal digit string that identifies your project.
- Aws
Kms GetConfig Encryption At Rest Aws Kms Config - Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
- Azure
Key GetVault Config Encryption At Rest Azure Key Vault Config - Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
- Google
Cloud GetKms Config Encryption At Rest Google Cloud Kms Config - Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
- Id string
- The ID of this resource.
- Project
Id string - Unique 24-hexadecimal digit string that identifies your project.
- aws
Kms GetConfig Encryption At Rest Aws Kms Config - Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
- azure
Key GetVault Config Encryption At Rest Azure Key Vault Config - Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
- google
Cloud GetKms Config Encryption At Rest Google Cloud Kms Config - Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
- id String
- The ID of this resource.
- project
Id String - Unique 24-hexadecimal digit string that identifies your project.
- aws
Kms GetConfig Encryption At Rest Aws Kms Config - Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
- azure
Key GetVault Config Encryption At Rest Azure Key Vault Config - Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
- google
Cloud GetKms Config Encryption At Rest Google Cloud Kms Config - Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
- id string
- The ID of this resource.
- project
Id string - Unique 24-hexadecimal digit string that identifies your project.
- aws_
kms_ Getconfig Encryption At Rest Aws Kms Config - Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
- azure_
key_ Getvault_ config Encryption At Rest Azure Key Vault Config - Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
- google_
cloud_ Getkms_ config Encryption At Rest Google Cloud Kms Config - Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
- id str
- The ID of this resource.
- project_
id str - Unique 24-hexadecimal digit string that identifies your project.
- aws
Kms Property MapConfig - Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.
- azure
Key Property MapVault Config - Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).
- google
Cloud Property MapKms Config - Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).
- id String
- The ID of this resource.
- project
Id String - Unique 24-hexadecimal digit string that identifies your project.
Supporting Types
GetEncryptionAtRestAwsKmsConfig
- Access
Key Id This property is required. string - Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
- Customer
Master Key Id This property is required. string - Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
- Enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - Region
This property is required. string - Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
- Require
Private Networking This property is required. bool - Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
- Role
Id This property is required. string - Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
- Secret
Access Key This property is required. string - Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
- Valid
This property is required. bool - Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
- Access
Key Id This property is required. string - Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
- Customer
Master Key Id This property is required. string - Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
- Enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - Region
This property is required. string - Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
- Require
Private Networking This property is required. bool - Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
- Role
Id This property is required. string - Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
- Secret
Access Key This property is required. string - Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
- Valid
This property is required. bool - Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
- access
Key Id This property is required. String - Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
- customer
Master Key Id This property is required. String - Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
- enabled
This property is required. Boolean - Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - region
This property is required. String - Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
- require
Private Networking This property is required. Boolean - Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
- role
Id This property is required. String - Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
- secret
Access Key This property is required. String - Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
- valid
This property is required. Boolean - Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
- access
Key Id This property is required. string - Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
- customer
Master Key Id This property is required. string - Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
- enabled
This property is required. boolean - Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - region
This property is required. string - Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
- require
Private Networking This property is required. boolean - Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
- role
Id This property is required. string - Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
- secret
Access Key This property is required. string - Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
- valid
This property is required. boolean - Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
- access_
key_ id This property is required. str - Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
- customer_
master_ key_ id This property is required. str - Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
- enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - region
This property is required. str - Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
- require_
private_ networking This property is required. bool - Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
- role_
id This property is required. str - Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
- secret_
access_ key This property is required. str - Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
- valid
This property is required. bool - Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
- access
Key Id This property is required. String - Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
- customer
Master Key Id This property is required. String - Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
- enabled
This property is required. Boolean - Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - region
This property is required. String - Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
- require
Private Networking This property is required. Boolean - Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
- role
Id This property is required. String - Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
- secret
Access Key This property is required. String - Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
- valid
This property is required. Boolean - Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
GetEncryptionAtRestAzureKeyVaultConfig
- Azure
Environment This property is required. string - Azure environment in which your account credentials reside.
- Client
Id This property is required. string - Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
- Enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - Key
Identifier This property is required. string - Web address with a unique key that identifies for your Azure Key Vault.
- Key
Vault Name This property is required. string - Unique string that identifies the Azure Key Vault that contains your key.
- Require
Private Networking This property is required. bool - Enable connection to your Azure Key Vault over private networking.
- Resource
Group Name This property is required. string - Name of the Azure resource group that contains your Azure Key Vault.
- Secret
This property is required. string - Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
- Subscription
Id This property is required. string - Unique 36-hexadecimal character string that identifies your Azure subscription.
- Tenant
Id This property is required. string - Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
- Valid
This property is required. bool - Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
- Azure
Environment This property is required. string - Azure environment in which your account credentials reside.
- Client
Id This property is required. string - Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
- Enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - Key
Identifier This property is required. string - Web address with a unique key that identifies for your Azure Key Vault.
- Key
Vault Name This property is required. string - Unique string that identifies the Azure Key Vault that contains your key.
- Require
Private Networking This property is required. bool - Enable connection to your Azure Key Vault over private networking.
- Resource
Group Name This property is required. string - Name of the Azure resource group that contains your Azure Key Vault.
- Secret
This property is required. string - Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
- Subscription
Id This property is required. string - Unique 36-hexadecimal character string that identifies your Azure subscription.
- Tenant
Id This property is required. string - Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
- Valid
This property is required. bool - Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
- azure
Environment This property is required. String - Azure environment in which your account credentials reside.
- client
Id This property is required. String - Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
- enabled
This property is required. Boolean - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key
Identifier This property is required. String - Web address with a unique key that identifies for your Azure Key Vault.
- key
Vault Name This property is required. String - Unique string that identifies the Azure Key Vault that contains your key.
- require
Private Networking This property is required. Boolean - Enable connection to your Azure Key Vault over private networking.
- resource
Group Name This property is required. String - Name of the Azure resource group that contains your Azure Key Vault.
- secret
This property is required. String - Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
- subscription
Id This property is required. String - Unique 36-hexadecimal character string that identifies your Azure subscription.
- tenant
Id This property is required. String - Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
- valid
This property is required. Boolean - Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
- azure
Environment This property is required. string - Azure environment in which your account credentials reside.
- client
Id This property is required. string - Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
- enabled
This property is required. boolean - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key
Identifier This property is required. string - Web address with a unique key that identifies for your Azure Key Vault.
- key
Vault Name This property is required. string - Unique string that identifies the Azure Key Vault that contains your key.
- require
Private Networking This property is required. boolean - Enable connection to your Azure Key Vault over private networking.
- resource
Group Name This property is required. string - Name of the Azure resource group that contains your Azure Key Vault.
- secret
This property is required. string - Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
- subscription
Id This property is required. string - Unique 36-hexadecimal character string that identifies your Azure subscription.
- tenant
Id This property is required. string - Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
- valid
This property is required. boolean - Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
- azure_
environment This property is required. str - Azure environment in which your account credentials reside.
- client_
id This property is required. str - Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
- enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key_
identifier This property is required. str - Web address with a unique key that identifies for your Azure Key Vault.
- key_
vault_ name This property is required. str - Unique string that identifies the Azure Key Vault that contains your key.
- require_
private_ networking This property is required. bool - Enable connection to your Azure Key Vault over private networking.
- resource_
group_ name This property is required. str - Name of the Azure resource group that contains your Azure Key Vault.
- secret
This property is required. str - Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
- subscription_
id This property is required. str - Unique 36-hexadecimal character string that identifies your Azure subscription.
- tenant_
id This property is required. str - Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
- valid
This property is required. bool - Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
- azure
Environment This property is required. String - Azure environment in which your account credentials reside.
- client
Id This property is required. String - Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
- enabled
This property is required. Boolean - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key
Identifier This property is required. String - Web address with a unique key that identifies for your Azure Key Vault.
- key
Vault Name This property is required. String - Unique string that identifies the Azure Key Vault that contains your key.
- require
Private Networking This property is required. Boolean - Enable connection to your Azure Key Vault over private networking.
- resource
Group Name This property is required. String - Name of the Azure resource group that contains your Azure Key Vault.
- secret
This property is required. String - Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (azureKeyVault.tenantID). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
- subscription
Id This property is required. String - Unique 36-hexadecimal character string that identifies your Azure subscription.
- tenant
Id This property is required. String - Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
- valid
This property is required. Boolean - Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
GetEncryptionAtRestGoogleCloudKmsConfig
- Enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - Key
Version Resource Id This property is required. string - Resource path that displays the key version resource ID for your Google Cloud KMS.
- Service
Account Key This property is required. string - JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
- Valid
This property is required. bool - Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
- Enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - Key
Version Resource Id This property is required. string - Resource path that displays the key version resource ID for your Google Cloud KMS.
- Service
Account Key This property is required. string - JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
- Valid
This property is required. bool - Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
- enabled
This property is required. Boolean - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key
Version Resource Id This property is required. String - Resource path that displays the key version resource ID for your Google Cloud KMS.
- service
Account Key This property is required. String - JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
- valid
This property is required. Boolean - Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
- enabled
This property is required. boolean - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key
Version Resource Id This property is required. string - Resource path that displays the key version resource ID for your Google Cloud KMS.
- service
Account Key This property is required. string - JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
- valid
This property is required. boolean - Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
- enabled
This property is required. bool - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key_
version_ resource_ id This property is required. str - Resource path that displays the key version resource ID for your Google Cloud KMS.
- service_
account_ key This property is required. str - JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
- valid
This property is required. bool - Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
- enabled
This property is required. Boolean - Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of
false. - key
Version Resource Id This property is required. String - Resource path that displays the key version resource ID for your Google Cloud KMS.
- service
Account Key This property is required. String - JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
- valid
This property is required. Boolean - Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
Package Details
- Repository
- MongoDB Atlas pulumi/pulumi-mongodbatlas
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
mongodbatlasTerraform Provider.
- # Data Source: mongodbatlas.EncryptionAtRest
- Example Usage
- S
- Configuring encryption at rest using customer key management in AWS
- Configuring encryption at rest using customer key management in Azure
- Configuring encryption at rest using customer key management in GCP
- Using getEncryptionAtRest
- getEncryptionAtRest Result
- Supporting Types
- Package Details