@swamp/gcp/cloudkms

v2026.04.23.1

Google Cloud cloudkms infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Labels

gcp, google-cloud, cloudkms, cloud, infrastructure

Quality score

Verified by Swamp

How well-documented and verifiable this extension is.

100%

Grade A

  • Has README or module doc: 2/2 earned
  • README has a code example: 1/1 earned
  • README is substantive: 1/1 earned
  • Most symbols documented: 1/1 earned
  • No slow types: 1/1 earned
  • Has description: 1/1 earned
  • At least one platform tag (or universal): 1/1 earned
  • Two or more platform tags (or universal): 1/1 earned
  • License declared: 1/1 earned
  • Verified public repository: 2/2 earned

Install

$ swamp extension pull @swamp/gcp/cloudkms

@swamp/gcp/cloudkms/ekmconnections v2026.04.23.1 ekmconnections.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| cryptoSpacePath? | string | Optional. Identifies the EKM Crypto Space that this EkmConnection maps to. Note: This field is required if KeyManagementMode is CLOUD_KMS. |
| keyManagementMode? | enum | Optional. Describes who can perform control plane operations on the EKM. If unset, this defaults to MANUAL. |
| serviceResolvers? | array | Optional. A list of ServiceResolvers where the EKM can be reached. There should be one ServiceResolver per EKM replica. Currently, only a single ServiceResolver is supported. |
| ekmConnectionId? | string | Required. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a ekmConnections

get: Get a ekmConnections

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the ekmConnections |

update: Update ekmConnections attributes

sync: Sync ekmConnections state from GCP

verify_connectivity: verify connectivity

Resources

state (infinite): An EkmConnection represents an individual EKM connection. It can be used for ...

@swamp/gcp/cloudkms/keyhandles v2026.04.23.1 keyhandles.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name? | string | Identifier. Name of the KeyHandle resource, e.g. `projects/{PROJECT_ID}/locations/{LOCATION}/keyHandles/{KEY_HANDLE_ID}`. |
| resourceTypeSelector? | string | Required. Indicates the resource type that the resulting CryptoKey is meant to protect, e.g. `{SERVICE}.googleapis.com/{TYPE}`. See documentation for supported resource types. |
| keyHandleId? | string | Optional. Id of the KeyHandle. Must be unique to the resource project and location. If not provided by the caller, a new UUID is used. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a keyHandles

get: Get a keyHandles

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keyHandles |

sync: Sync keyHandles state from GCP

Resources

state (infinite): Resource-oriented representation of a request to Cloud KMS Autokey and the re...

@swamp/gcp/cloudkms/keyrings v2026.04.23.1 keyrings.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| keyRingId? | string | Required. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}` |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a keyRings

get: Get a keyRings

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keyRings |

sync: Sync keyRings state from GCP

Resources

state (infinite): A KeyRing is a toplevel logical grouping of CryptoKeys.

@swamp/gcp/cloudkms/keyrings-cryptokeys v2026.04.23.1 keyrings_cryptokeys.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| cryptoKeyBackend? | string | Immutable. The resource name of the backend environment where the key material for all CryptoKeyVersions associated with this CryptoKey reside and where all related cryptographic operations are performed. Only applicable if CryptoKeyVersions have a ProtectionLevel of EXTERNAL_VPC, with the resource name in the format `projects/*/locations/*/ekmConnections/*`. Only applicable if CryptoKeyVersions have a ProtectionLevel of HSM_SINGLE_TENANT, with the resource name in the format `projects/*/locatio |
| destroyScheduledDuration? | string | Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default duration is 30 days. |
| importOnly? | boolean | Immutable. Whether this key may contain imported versions only. |
| keyAccessJustificationsPolicy? | object | A KeyAccessJustificationsPolicy specifies zero or more allowed AccessReason values for encrypt, decrypt, and sign operations on a CryptoKey or KeyAccessJustificationsPolicyConfig (the default Key Access Justifications policy). |
| labels? | record | Labels with user-defined metadata. For more information, see [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys). |
| nextRotationTime? | string | At next_rotation_time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted. |
| primary? | object | A CryptoKeyVersion represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a CryptoKeyVersion can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS. |
| purpose? | enum | Immutable. The immutable purpose of this CryptoKey. |
| rotationPeriod? | string | next_rotation_time will be advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted. |
| versionTemplate? | object | A CryptoKeyVersionTemplate specifies the properties to use when creating a new CryptoKeyVersion, either manually with CreateCryptoKeyVersion or automatically as a result of auto-rotation. |
| cryptoKeyId? | string | Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}` |
| skipInitialVersionCreation? | string | If set to true, the request will create a CryptoKey without any CryptoKeyVersions. You must manually call CreateCryptoKeyVersion or ImportCryptoKeyVersion before you can use this CryptoKey. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a cryptoKeys

get: Get a cryptoKeys

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the cryptoKeys |

update: Update cryptoKeys attributes

delete: Delete the cryptoKeys

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the cryptoKeys |

sync: Sync cryptoKeys state from GCP

decrypt: decrypt

| Argument | Type | Description |
|---|---|---|
| additionalAuthenticatedData? | any | |
| additionalAuthenticatedDataCrc32c? | any | |
| ciphertext? | any | |
| ciphertextCrc32c? | any | |

encrypt: encrypt

| Argument | Type | Description |
|---|---|---|
| additionalAuthenticatedData? | any | |
| additionalAuthenticatedDataCrc32c? | any | |
| plaintext? | any | |
| plaintextCrc32c? | any | |

update_primary_version: update primary version

| Argument | Type | Description |
|---|---|---|
| cryptoKeyVersionId? | any | |

Resources

state (infinite): A CryptoKey represents a logical key that can be used for cryptographic opera...

@swamp/gcp/cloudkms/keyrings-cryptokeys-cryptokeyversions v2026.04.23.1 keyrings_cryptokeys_cryptokeyversions.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| attestation? | object | Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key). |
| externalProtectionLevelOptions? | object | ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. |
| state? | enum | The current state of the CryptoKeyVersion. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a cryptoKeyVersions

| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |

get: Get a cryptoKeyVersions

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the cryptoKeyVersions |

update: Update cryptoKeyVersions attributes

| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |

delete: Delete the cryptoKeyVersions

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the cryptoKeyVersions |

sync: Sync cryptoKeyVersions state from GCP

asymmetric_decrypt: asymmetric decrypt

| Argument | Type | Description |
|---|---|---|
| ciphertext? | any | |
| ciphertextCrc32c? | any | |

asymmetric_sign: asymmetric sign

| Argument | Type | Description |
|---|---|---|
| data? | any | |
| dataCrc32c? | any | |
| digest? | any | |
| digestCrc32c? | any | |

decapsulate: decapsulate

| Argument | Type | Description |
|---|---|---|
| ciphertext? | any | |
| ciphertextCrc32c? | any | |

destroy: destroy

get_public_key: get public key

import: import

| Argument | Type | Description |
|---|---|---|
| algorithm? | any | |
| cryptoKeyVersion? | any | |
| importJob? | any | |
| rsaAesWrappedKey? | any | |
| wrappedKey? | any | |

mac_sign: mac sign

| Argument | Type | Description |
|---|---|---|
| data? | any | |
| dataCrc32c? | any | |

mac_verify: mac verify

| Argument | Type | Description |
|---|---|---|
| data? | any | |
| dataCrc32c? | any | |
| mac? | any | |
| macCrc32c? | any | |

raw_decrypt: raw decrypt

| Argument | Type | Description |
|---|---|---|
| additionalAuthenticatedData? | any | |
| additionalAuthenticatedDataCrc32c? | any | |
| ciphertext? | any | |
| ciphertextCrc32c? | any | |
| initializationVector? | any | |
| initializationVectorCrc32c? | any | |
| tagLength? | any | |

raw_encrypt: raw encrypt

| Argument | Type | Description |
|---|---|---|
| additionalAuthenticatedData? | any | |
| additionalAuthenticatedDataCrc32c? | any | |
| initializationVector? | any | |
| initializationVectorCrc32c? | any | |
| plaintext? | any | |
| plaintextCrc32c? | any | |

restore: restore

Resources

state (infinite): A CryptoKeyVersion represents an individual cryptographic key, and the associ...

@swamp/gcp/cloudkms/keyrings-importjobs v2026.04.23.1 keyrings_importjobs.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| attestation? | object | Contains an HSM-generated attestation about a key operation. For more information, see [Verifying attestations](https://cloud.google.com/kms/docs/attest-key). |
| cryptoKeyBackend? | string | Immutable. The resource name of the backend environment where the key material for the wrapping key resides and where all related cryptographic operations are performed. Currently, this field is only populated for keys stored in HSM_SINGLE_TENANT. Note, this list is non-exhaustive and may apply to additional ProtectionLevels in the future. Supported resources: * `"projects/*/locations/*/singleTenantHsmInstances/*"` |
| importMethod? | enum | Required. Immutable. The wrapping method to be used for incoming key material. |
| protectionLevel? | enum | Required. Immutable. The protection level of the ImportJob. This must match the protection_level of the version_template on the CryptoKey you attempt to import into. |
| publicKey? | object | The public key component of the wrapping key. For details of the type of key this public key corresponds to, see the ImportMethod. |
| importJobId? | string | Required. It must be unique within a KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}` |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a importJobs

| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |

get: Get a importJobs

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the importJobs |

sync: Sync importJobs state from GCP

Resources

state (infinite): An ImportJob can be used to create CryptoKeys and CryptoKeyVersions using pre...

@swamp/gcp/cloudkms/locations v2026.04.23.1 locations.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |

get: Get a locations

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the locations |

sync: Sync locations state from GCP

generate_random_bytes: generate random bytes

| Argument | Type | Description |
|---|---|---|
| lengthBytes? | any | |
| protectionLevel? | any | |

get_ekm_config: get ekm config

update_ekm_config: update ekm config

| Argument | Type | Description |
|---|---|---|
| defaultEkmConnection? | any | |
| name? | any | |

Resources

state (infinite): A resource that represents a Google Cloud location.

@swamp/gcp/cloudkms/retiredresources v2026.04.23.1 retiredresources.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

get: Get a retiredResources

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the retiredResources |

sync: Sync retiredResources state from GCP

Resources

state (infinite): A RetiredResource resource represents the record of a deleted CryptoKey. Its ...

@swamp/gcp/cloudkms/singletenanthsminstances v2026.04.23.1 singletenanthsminstances.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| keyPortabilityEnabled? | boolean | Optional. Immutable. Indicates whether key portability is enabled for the SingleTenantHsmInstance. This can only be set at creation time. Key portability features are disabled by default and not yet available in GA. |
| name? | string | Identifier. The resource name for this SingleTenantHsmInstance in the format `projects/*/locations/*/singleTenantHsmInstances/*`. |
| quorumAuth? | object | Configuration for M of N quorum auth. |
| singleTenantHsmInstanceId? | string | Optional. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a singleTenantHsmInstances

| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |

get: Get a singleTenantHsmInstances

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the singleTenantHsmInstances |

sync: Sync singleTenantHsmInstances state from GCP

Resources

state (infinite): A SingleTenantHsmInstance represents a single-tenant HSM instance. It can be ...

@swamp/gcp/cloudkms/singletenanthsminstances-proposals v2026.04.23.1 singletenanthsminstances_proposals.ts

Global Arguments

| Argument | Type | Description |
|---|---|---|
| addQuorumMember? | object | Add a quorum member to the SingleTenantHsmInstance. This will increase the total_approver_count by 1. The SingleTenantHsmInstance must be in the ACTIVE state to perform this operation. |
| deleteSingleTenantHsmInstance? | object | Delete the SingleTenantHsmInstance. Deleting a SingleTenantHsmInstance will make all CryptoKeys attached to the SingleTenantHsmInstance unusable. The SingleTenantHsmInstance must not be in the DELETING or DELETED state to perform this operation. |
| disableSingleTenantHsmInstance? | object | Disable the SingleTenantHsmInstance. The SingleTenantHsmInstance must be in the ACTIVE state to perform this operation. |
| enableSingleTenantHsmInstance? | object | Enable the SingleTenantHsmInstance. The SingleTenantHsmInstance must be in the DISABLED state to perform this operation. |
| expireTime? | string | The time at which the SingleTenantHsmInstanceProposal will expire if not approved and executed. |
| name? | string | Identifier. The resource name for this SingleTenantHsmInstance in the format `projects/*/locations/*/singleTenantHsmInstances/*/proposals/*`. |
| quorumParameters? | object | Parameters of quorum approval for the SingleTenantHsmInstanceProposal. |
| refreshSingleTenantHsmInstance? | object | Refreshes the SingleTenantHsmInstance. This operation must be performed periodically to keep the SingleTenantHsmInstance active. This operation must be performed before unrefreshed_duration_until_disable has passed. The SingleTenantHsmInstance must be in the ACTIVE state to perform this operation. |
| registerTwoFactorAuthKeys? | object | Register 2FA keys for the SingleTenantHsmInstance. This operation requires all Challenges to be signed by 2FA keys. The SingleTenantHsmInstance must be in the PENDING_TWO_FACTOR_AUTH_REGISTRATION state to perform this operation. |
| removeQuorumMember? | object | Remove a quorum member from the SingleTenantHsmInstance. This will reduce total_approver_count by 1. The SingleTenantHsmInstance must be in the ACTIVE state to perform this operation. |
| requiredActionQuorumParameters? | object | Parameters for an approval that has both required challenges and a quorum. |
| ttl? | string | Input only. The TTL for the SingleTenantHsmInstanceProposal. Proposals will expire after this duration. |
| singleTenantHsmInstanceProposalId? | string | Optional. It must be unique within a location and match the regular expression `[a-zA-Z0-9_-]{1,63}`. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |

create: Create a proposals

| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |

get: Get a proposals

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the proposals |

delete: Delete the proposals

| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the proposals |

sync: Sync proposals state from GCP

approve: approve

| Argument | Type | Description |
|---|---|---|
| quorumReply? | any | |
| requiredActionQuorumReply? | any | |

execute: execute

Resources

state (infinite): A SingleTenantHsmInstanceProposal represents a proposal to perform an operati...