Confluent v2.24.0, Apr 19 25

Confluent v2.24.0 published on Saturday, Apr 19, 2025 by Pulumi

confluentcloud.SchemaRegistryKek

Explore with Pulumi AI

Confluent v2.24.0 published on Saturday, Apr 19, 2025 by Pulumi

Example Usage
Option #1: Manage multiple Schema Registry clusters in the same Pulumi Stack
Option #2: Manage a single Schema Registry cluster in the same Pulumi Stack
Getting Started
Create SchemaRegistryKek Resource
Constructor syntax
Constructor example
SchemaRegistryKek Resource Properties
Inputs
Outputs
Look up Existing SchemaRegistryKek Resource
Supporting Types
Import
Package Details

Request a Change

confluentcloud.SchemaRegistryKek provides a Schema Registry Key Encryption Key (KEK) resource that enables creating, editing, and deleting Schema Registry Key Encryption Keys on Confluent Cloud.

Example Usage

Option #1: Manage multiple Schema Registry clusters in the same Pulumi Stack

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as confluentcloud from "@pulumi/confluentcloud";

const awsKey = new confluentcloud.SchemaRegistryKek("aws_key", {
    schemaRegistryCluster: {
        id: essentials.id,
    },
    restEndpoint: essentials.restEndpoint,
    credentials: {
        key: "<Schema Registry API Key for data.confluent_schema_registry_cluster.essentials>",
        secret: "<Schema Registry API Secret for data.confluent_schema_registry_cluster.essentials>",
    },
    name: "my_key",
    kmsType: "aws-kms",
    kmsKeyId: "key_id",
    doc: "test key",
    shared: false,
    hardDelete: true,
});

import pulumi
import pulumi_confluentcloud as confluentcloud

aws_key = confluentcloud.SchemaRegistryKek("aws_key",
    schema_registry_cluster={
        "id": essentials["id"],
    },
    rest_endpoint=essentials["restEndpoint"],
    credentials={
        "key": "<Schema Registry API Key for data.confluent_schema_registry_cluster.essentials>",
        "secret": "<Schema Registry API Secret for data.confluent_schema_registry_cluster.essentials>",
    },
    name="my_key",
    kms_type="aws-kms",
    kms_key_id="key_id",
    doc="test key",
    shared=False,
    hard_delete=True)

package main

import (
	"github.com/pulumi/pulumi-confluentcloud/sdk/v2/go/confluentcloud"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := confluentcloud.NewSchemaRegistryKek(ctx, "aws_key", &confluentcloud.SchemaRegistryKekArgs{
			SchemaRegistryCluster: &confluentcloud.SchemaRegistryKekSchemaRegistryClusterArgs{
				Id: pulumi.Any(essentials.Id),
			},
			RestEndpoint: pulumi.Any(essentials.RestEndpoint),
			Credentials: &confluentcloud.SchemaRegistryKekCredentialsArgs{
				Key:    pulumi.String("<Schema Registry API Key for data.confluent_schema_registry_cluster.essentials>"),
				Secret: pulumi.String("<Schema Registry API Secret for data.confluent_schema_registry_cluster.essentials>"),
			},
			Name:       pulumi.String("my_key"),
			KmsType:    pulumi.String("aws-kms"),
			KmsKeyId:   pulumi.String("key_id"),
			Doc:        pulumi.String("test key"),
			Shared:     pulumi.Bool(false),
			HardDelete: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using ConfluentCloud = Pulumi.ConfluentCloud;

return await Deployment.RunAsync(() => 
{
    var awsKey = new ConfluentCloud.SchemaRegistryKek("aws_key", new()
    {
        SchemaRegistryCluster = new ConfluentCloud.Inputs.SchemaRegistryKekSchemaRegistryClusterArgs
        {
            Id = essentials.Id,
        },
        RestEndpoint = essentials.RestEndpoint,
        Credentials = new ConfluentCloud.Inputs.SchemaRegistryKekCredentialsArgs
        {
            Key = "<Schema Registry API Key for data.confluent_schema_registry_cluster.essentials>",
            Secret = "<Schema Registry API Secret for data.confluent_schema_registry_cluster.essentials>",
        },
        Name = "my_key",
        KmsType = "aws-kms",
        KmsKeyId = "key_id",
        Doc = "test key",
        Shared = false,
        HardDelete = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.confluentcloud.SchemaRegistryKek;
import com.pulumi.confluentcloud.SchemaRegistryKekArgs;
import com.pulumi.confluentcloud.inputs.SchemaRegistryKekSchemaRegistryClusterArgs;
import com.pulumi.confluentcloud.inputs.SchemaRegistryKekCredentialsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var awsKey = new SchemaRegistryKek("awsKey", SchemaRegistryKekArgs.builder()
            .schemaRegistryCluster(SchemaRegistryKekSchemaRegistryClusterArgs.builder()
                .id(essentials.id())
                .build())
            .restEndpoint(essentials.restEndpoint())
            .credentials(SchemaRegistryKekCredentialsArgs.builder()
                .key("<Schema Registry API Key for data.confluent_schema_registry_cluster.essentials>")
                .secret("<Schema Registry API Secret for data.confluent_schema_registry_cluster.essentials>")
                .build())
            .name("my_key")
            .kmsType("aws-kms")
            .kmsKeyId("key_id")
            .doc("test key")
            .shared(false)
            .hardDelete(true)
            .build());

    }
}

resources:
  awsKey:
    type: confluentcloud:SchemaRegistryKek
    name: aws_key
    properties:
      schemaRegistryCluster:
        id: ${essentials.id}
      restEndpoint: ${essentials.restEndpoint}
      credentials:
        key: <Schema Registry API Key for data.confluent_schema_registry_cluster.essentials>
        secret: <Schema Registry API Secret for data.confluent_schema_registry_cluster.essentials>
      name: my_key
      kmsType: aws-kms
      kmsKeyId: key_id
      doc: test key
      shared: false
      hardDelete: true

Option #2: Manage a single Schema Registry cluster in the same Pulumi Stack

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as confluentcloud from "@pulumi/confluentcloud";

const pii = new confluentcloud.SchemaRegistryKek("pii", {
    name: "my_key",
    kmsType: "aws-kms",
    kmsKeyId: "key_id",
    doc: "test key",
    shared: false,
    hardDelete: true,
});

import pulumi
import pulumi_confluentcloud as confluentcloud

pii = confluentcloud.SchemaRegistryKek("pii",
    name="my_key",
    kms_type="aws-kms",
    kms_key_id="key_id",
    doc="test key",
    shared=False,
    hard_delete=True)

package main

import (
	"github.com/pulumi/pulumi-confluentcloud/sdk/v2/go/confluentcloud"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := confluentcloud.NewSchemaRegistryKek(ctx, "pii", &confluentcloud.SchemaRegistryKekArgs{
			Name:       pulumi.String("my_key"),
			KmsType:    pulumi.String("aws-kms"),
			KmsKeyId:   pulumi.String("key_id"),
			Doc:        pulumi.String("test key"),
			Shared:     pulumi.Bool(false),
			HardDelete: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using ConfluentCloud = Pulumi.ConfluentCloud;

return await Deployment.RunAsync(() => 
{
    var pii = new ConfluentCloud.SchemaRegistryKek("pii", new()
    {
        Name = "my_key",
        KmsType = "aws-kms",
        KmsKeyId = "key_id",
        Doc = "test key",
        Shared = false,
        HardDelete = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.confluentcloud.SchemaRegistryKek;
import com.pulumi.confluentcloud.SchemaRegistryKekArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pii = new SchemaRegistryKek("pii", SchemaRegistryKekArgs.builder()
            .name("my_key")
            .kmsType("aws-kms")
            .kmsKeyId("key_id")
            .doc("test key")
            .shared(false)
            .hardDelete(true)
            .build());

    }
}

resources:
  pii:
    type: confluentcloud:SchemaRegistryKek
    properties:
      name: my_key
      kmsType: aws-kms
      kmsKeyId: key_id
      doc: test key
      shared: false
      hardDelete: true

Getting Started

The following end-to-end example might help to get started with field-level encryption:

field-level-encryption-schema

Create SchemaRegistryKek Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new SchemaRegistryKek(name: string, args: SchemaRegistryKekArgs, opts?: CustomResourceOptions);

@overload
def SchemaRegistryKek(resource_name: str,
                      args: SchemaRegistryKekArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def SchemaRegistryKek(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      kms_key_id: Optional[str] = None,
                      kms_type: Optional[str] = None,
                      credentials: Optional[SchemaRegistryKekCredentialsArgs] = None,
                      doc: Optional[str] = None,
                      hard_delete: Optional[bool] = None,
                      name: Optional[str] = None,
                      properties: Optional[Mapping[str, str]] = None,
                      rest_endpoint: Optional[str] = None,
                      schema_registry_cluster: Optional[SchemaRegistryKekSchemaRegistryClusterArgs] = None,
                      shared: Optional[bool] = None)

func NewSchemaRegistryKek(ctx *Context, name string, args SchemaRegistryKekArgs, opts ...ResourceOption) (*SchemaRegistryKek, error)

public SchemaRegistryKek(string name, SchemaRegistryKekArgs args, CustomResourceOptions? opts = null)

public SchemaRegistryKek(String name, SchemaRegistryKekArgs args)
public SchemaRegistryKek(String name, SchemaRegistryKekArgs args, CustomResourceOptions options)

type: confluentcloud:SchemaRegistryKek
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SchemaRegistryKekArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SchemaRegistryKekArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SchemaRegistryKekArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SchemaRegistryKekArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SchemaRegistryKekArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var schemaRegistryKekResource = new ConfluentCloud.SchemaRegistryKek("schemaRegistryKekResource", new()
{
    KmsKeyId = "string",
    KmsType = "string",
    Credentials = new ConfluentCloud.Inputs.SchemaRegistryKekCredentialsArgs
    {
        Key = "string",
        Secret = "string",
    },
    Doc = "string",
    HardDelete = false,
    Name = "string",
    Properties = 
    {
        { "string", "string" },
    },
    RestEndpoint = "string",
    SchemaRegistryCluster = new ConfluentCloud.Inputs.SchemaRegistryKekSchemaRegistryClusterArgs
    {
        Id = "string",
    },
    Shared = false,
});

example, err := confluentcloud.NewSchemaRegistryKek(ctx, "schemaRegistryKekResource", &confluentcloud.SchemaRegistryKekArgs{
	KmsKeyId: pulumi.String("string"),
	KmsType:  pulumi.String("string"),
	Credentials: &confluentcloud.SchemaRegistryKekCredentialsArgs{
		Key:    pulumi.String("string"),
		Secret: pulumi.String("string"),
	},
	Doc:        pulumi.String("string"),
	HardDelete: pulumi.Bool(false),
	Name:       pulumi.String("string"),
	Properties: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	RestEndpoint: pulumi.String("string"),
	SchemaRegistryCluster: &confluentcloud.SchemaRegistryKekSchemaRegistryClusterArgs{
		Id: pulumi.String("string"),
	},
	Shared: pulumi.Bool(false),
})

var schemaRegistryKekResource = new SchemaRegistryKek("schemaRegistryKekResource", SchemaRegistryKekArgs.builder()
    .kmsKeyId("string")
    .kmsType("string")
    .credentials(SchemaRegistryKekCredentialsArgs.builder()
        .key("string")
        .secret("string")
        .build())
    .doc("string")
    .hardDelete(false)
    .name("string")
    .properties(Map.of("string", "string"))
    .restEndpoint("string")
    .schemaRegistryCluster(SchemaRegistryKekSchemaRegistryClusterArgs.builder()
        .id("string")
        .build())
    .shared(false)
    .build());

schema_registry_kek_resource = confluentcloud.SchemaRegistryKek("schemaRegistryKekResource",
    kms_key_id="string",
    kms_type="string",
    credentials={
        "key": "string",
        "secret": "string",
    },
    doc="string",
    hard_delete=False,
    name="string",
    properties={
        "string": "string",
    },
    rest_endpoint="string",
    schema_registry_cluster={
        "id": "string",
    },
    shared=False)

const schemaRegistryKekResource = new confluentcloud.SchemaRegistryKek("schemaRegistryKekResource", {
    kmsKeyId: "string",
    kmsType: "string",
    credentials: {
        key: "string",
        secret: "string",
    },
    doc: "string",
    hardDelete: false,
    name: "string",
    properties: {
        string: "string",
    },
    restEndpoint: "string",
    schemaRegistryCluster: {
        id: "string",
    },
    shared: false,
});

type: confluentcloud:SchemaRegistryKek
properties:
    credentials:
        key: string
        secret: string
    doc: string
    hardDelete: false
    kmsKeyId: string
    kmsType: string
    name: string
    properties:
        string: string
    restEndpoint: string
    schemaRegistryCluster:
        id: string
    shared: false

SchemaRegistryKek Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SchemaRegistryKek resource accepts the following input properties:

KmsKeyId string

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

KmsType string

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

Credentials Pulumi.ConfluentCloud.Inputs.SchemaRegistryKekCredentials

The Cluster API Credentials.

Doc string

The optional description for the KEK.

HardDelete bool

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

Name string

The name for the KEK.

Properties Dictionary<string, string>

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

RestEndpoint string

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

SchemaRegistryCluster Pulumi.ConfluentCloud.Inputs.SchemaRegistryKekSchemaRegistryCluster

Shared bool

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

KmsKeyId string

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

KmsType string

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

Credentials SchemaRegistryKekCredentialsArgs

The Cluster API Credentials.

Doc string

The optional description for the KEK.

HardDelete bool

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

Name string

The name for the KEK.

Properties map[string]string

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

RestEndpoint string

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

SchemaRegistryCluster SchemaRegistryKekSchemaRegistryClusterArgs

Shared bool

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

kmsKeyId String

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kmsType String

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

credentials SchemaRegistryKekCredentials

The Cluster API Credentials.

doc String

The optional description for the KEK.

hardDelete Boolean

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

name String

The name for the KEK.

properties Map<String,String>

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

restEndpoint String

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schemaRegistryCluster SchemaRegistryKekSchemaRegistryCluster

shared Boolean

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

kmsKeyId string

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kmsType string

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

credentials SchemaRegistryKekCredentials

The Cluster API Credentials.

doc string

The optional description for the KEK.

hardDelete boolean

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

name string

The name for the KEK.

properties {[key: string]: string}

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

restEndpoint string

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schemaRegistryCluster SchemaRegistryKekSchemaRegistryCluster

shared boolean

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

kms_key_id str

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kms_type str

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

credentials SchemaRegistryKekCredentialsArgs

The Cluster API Credentials.

doc str

The optional description for the KEK.

hard_delete bool

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

name str

The name for the KEK.

properties Mapping[str, str]

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

rest_endpoint str

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schema_registry_cluster SchemaRegistryKekSchemaRegistryClusterArgs

shared bool

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

kmsKeyId String

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kmsType String

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

credentials Property Map

The Cluster API Credentials.

doc String

The optional description for the KEK.

hardDelete Boolean

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

name String

The name for the KEK.

properties Map<String>

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

restEndpoint String

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schemaRegistryCluster Property Map

shared Boolean

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

Outputs

All input properties are implicitly available as output properties. Additionally, the SchemaRegistryKek resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SchemaRegistryKek Resource

Get an existing SchemaRegistryKek resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: SchemaRegistryKekState, opts?: CustomResourceOptions): SchemaRegistryKek

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        credentials: Optional[SchemaRegistryKekCredentialsArgs] = None,
        doc: Optional[str] = None,
        hard_delete: Optional[bool] = None,
        kms_key_id: Optional[str] = None,
        kms_type: Optional[str] = None,
        name: Optional[str] = None,
        properties: Optional[Mapping[str, str]] = None,
        rest_endpoint: Optional[str] = None,
        schema_registry_cluster: Optional[SchemaRegistryKekSchemaRegistryClusterArgs] = None,
        shared: Optional[bool] = None) -> SchemaRegistryKek

func GetSchemaRegistryKek(ctx *Context, name string, id IDInput, state *SchemaRegistryKekState, opts ...ResourceOption) (*SchemaRegistryKek, error)

public static SchemaRegistryKek Get(string name, Input<string> id, SchemaRegistryKekState? state, CustomResourceOptions? opts = null)

public static SchemaRegistryKek get(String name, Output<String> id, SchemaRegistryKekState state, CustomResourceOptions options)

resources:  _:    type: confluentcloud:SchemaRegistryKek    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Credentials Pulumi.ConfluentCloud.Inputs.SchemaRegistryKekCredentials

The Cluster API Credentials.

Doc string

The optional description for the KEK.

HardDelete bool

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

KmsKeyId string

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

KmsType string

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

Name string

The name for the KEK.

Properties Dictionary<string, string>

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

RestEndpoint string

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

SchemaRegistryCluster Pulumi.ConfluentCloud.Inputs.SchemaRegistryKekSchemaRegistryCluster

Shared bool

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

Credentials SchemaRegistryKekCredentialsArgs

The Cluster API Credentials.

Doc string

The optional description for the KEK.

HardDelete bool

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

KmsKeyId string

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

KmsType string

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

Name string

The name for the KEK.

Properties map[string]string

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

RestEndpoint string

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

SchemaRegistryCluster SchemaRegistryKekSchemaRegistryClusterArgs

Shared bool

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

credentials SchemaRegistryKekCredentials

The Cluster API Credentials.

doc String

The optional description for the KEK.

hardDelete Boolean

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

kmsKeyId String

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kmsType String

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

name String

The name for the KEK.

properties Map<String,String>

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

restEndpoint String

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schemaRegistryCluster SchemaRegistryKekSchemaRegistryCluster

shared Boolean

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

credentials SchemaRegistryKekCredentials

The Cluster API Credentials.

doc string

The optional description for the KEK.

hardDelete boolean

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

kmsKeyId string

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kmsType string

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

name string

The name for the KEK.

properties {[key: string]: string}

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

restEndpoint string

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schemaRegistryCluster SchemaRegistryKekSchemaRegistryCluster

shared boolean

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

credentials SchemaRegistryKekCredentialsArgs

The Cluster API Credentials.

doc str

The optional description for the KEK.

hard_delete bool

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

kms_key_id str

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kms_type str

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

name str

The name for the KEK.

properties Mapping[str, str]

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

rest_endpoint str

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schema_registry_cluster SchemaRegistryKekSchemaRegistryClusterArgs

shared bool

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

credentials Property Map

The Cluster API Credentials.

doc String

The optional description for the KEK.

hardDelete Boolean

Controls whether a kek should be soft or hard deleted. Set it to true if you want to hard delete a schema registry kek on destroy. Defaults to false (soft delete).

kmsKeyId String

The ID of the key from KMS.

When using the AWS KMS, this is an ARN, for example, arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc.
When using the Azure Key Vault, this is a Key Identifier (URI), for example, https://test-keyvault1.vault.azure.net/keys/test-key1/1234567890abcdef1234567890abcdef.
When using the GCP KMS, this is a resource name, for example, projects/test-project1/locations/us-central1/keyRings/test-keyRing1/cryptoKeys/test-key1.

kmsType String

The type of Key Management Service (KMS). The supported values include aws-kms, azure-kms, and gcp-kms. Additionally, custom KMS types are supported as well.

name String

The name for the KEK.

properties Map<String>

The custom properties to set (for example, KeyUsage=ENCRYPT_DECRYPT, KeyState=Enabled):

restEndpoint String

The REST endpoint of the Schema Registry cluster, for example, https://psrc-00000.us-central1.gcp.confluent.cloud:443).

schemaRegistryCluster Property Map

shared Boolean

The optional flag to control whether the DEK Registry has shared access to the KMS. Defaults to false.

Supporting Types

SchemaRegistryKekCredentials
, SchemaRegistryKekCredentialsArgs

Key string: The Schema Registry API Key.
Secret string: The Schema Registry API Secret.

Key string: The Schema Registry API Key.
Secret string: The Schema Registry API Secret.

key String: The Schema Registry API Key.
secret String: The Schema Registry API Secret.

key string: The Schema Registry API Key.
secret string: The Schema Registry API Secret.

key str: The Schema Registry API Key.
secret str: The Schema Registry API Secret.

key String: The Schema Registry API Key.
secret String: The Schema Registry API Secret.

SchemaRegistryKekSchemaRegistryCluster
, SchemaRegistryKekSchemaRegistryClusterArgs

Id string: The ID of the Schema Registry cluster, for example, lsrc-abc123.

Id string: The ID of the Schema Registry cluster, for example, lsrc-abc123.

id String: The ID of the Schema Registry cluster, for example, lsrc-abc123.

id string: The ID of the Schema Registry cluster, for example, lsrc-abc123.

id str: The ID of the Schema Registry cluster, for example, lsrc-abc123.

id String: The ID of the Schema Registry cluster, for example, lsrc-abc123.

Import

You can import a Schema Registry Key by using the Schema Registry cluster ID, Kek name in the format <Schema Registry cluster ID>/<Kek name>, for example:

$ export IMPORT_SCHEMA_REGISTRY_API_KEY="<schema_registry_api_key>"

$ export IMPORT_SCHEMA_REGISTRY_API_SECRET="<schema_registry_api_secret>"

$ export IMPORT_SCHEMA_REGISTRY_REST_ENDPOINT="<schema_registry_rest_endpoint>"

$ pulumi import confluentcloud:index/schemaRegistryKek:SchemaRegistryKek aws_key lsrc-8wrx70/aws_key

!> Warning: Do not forget to delete terminal command history afterwards for security purposes.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Confluent Cloud pulumi/pulumi-confluentcloud
License: Apache-2.0
Notes: This Pulumi package is based on the confluent Terraform Provider.

Confluent v2.24.0 published on Saturday, Apr 19, 2025 by Pulumi

pulumi/pulumi-confluentcloud

Example Usage
Option #1: Manage multiple Schema Registry clusters in the same Pulumi Stack
Option #2: Manage a single Schema Registry cluster in the same Pulumi Stack
Getting Started
Create SchemaRegistryKek Resource
Constructor syntax
Constructor example
SchemaRegistryKek Resource Properties
Inputs
Outputs
Look up Existing SchemaRegistryKek Resource
Supporting Types
Import
Package Details

Request a Change

confluentcloud.SchemaRegistryKek

On this page

On this page

Example Usage

Option #1: Manage multiple Schema Registry clusters in the same Pulumi Stack

Option #2: Manage a single Schema Registry cluster in the same Pulumi Stack

Getting Started

Create SchemaRegistryKek Resource

Constructor syntax

Parameters

Constructor example

SchemaRegistryKek Resource Properties

Inputs

Outputs

Look up Existing SchemaRegistryKek Resource

Supporting Types

SchemaRegistryKekCredentials
, SchemaRegistryKekCredentialsArgs

SchemaRegistryKekSchemaRegistryCluster
, SchemaRegistryKekSchemaRegistryClusterArgs

Import

Package Details

On this page

On this page

confluentcloud.SchemaRegistryKek

On this page

On this page

Example Usage

Option #1: Manage multiple Schema Registry clusters in the same Pulumi Stack

Option #2: Manage a single Schema Registry cluster in the same Pulumi Stack

Getting Started

Create SchemaRegistryKek Resource

Constructor syntax

Parameters

Constructor example

SchemaRegistryKek Resource Properties

Inputs

Outputs

Look up Existing SchemaRegistryKek Resource

Supporting Types

SchemaRegistryKekCredentials, SchemaRegistryKekCredentialsArgs

SchemaRegistryKekSchemaRegistryCluster, SchemaRegistryKekSchemaRegistryClusterArgs

Import

Package Details

On this page

On this page

SchemaRegistryKekCredentials
, SchemaRegistryKekCredentialsArgs

SchemaRegistryKekSchemaRegistryCluster
, SchemaRegistryKekSchemaRegistryClusterArgs