diff --git a/mmv1/products/dlp/DeidentifyTemplate.yaml b/mmv1/products/dlp/DeidentifyTemplate.yaml
index 224b31ff2c93..b979f7c360fb 100644
--- a/mmv1/products/dlp/DeidentifyTemplate.yaml
+++ b/mmv1/products/dlp/DeidentifyTemplate.yaml
@@ -987,6 +987,61 @@ properties:
 # A side-effect is null values when the field is unused, see: https://github.com/hashicorp/terraform-provider-google/issues/13201
 send_empty_value: true
 allow_empty_object: true
+ - !ruby/object:Api::Type::NestedObject
+ name: cryptoHashConfig
+ description: |
+ Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes.
+ Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ Currently, only string and integer values can be hashed.
+ See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'cryptoKey'
+ description: |
+ The key used by the encryption function.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'transient'
+ description: |
+ Transient crypto key. Use this to have a random data crypto key generated. It will be discarded after the request finishes.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'name'
+ required: true
+ description: |
+ Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ - !ruby/object:Api::Type::NestedObject
+ name: 'unwrapped'
+ description: |
+ Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'key'
+ required: true
+ description: |
+ A 128/192/256 bit key.
+
+ A base64-encoded string.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'kmsWrapped'
+ description: |
+ KMS wrapped key.
+ Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt
+ For more information, see [Creating a wrapped key](https://cloud.google.com/dlp/docs/create-wrapped-key).
+ Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing).
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'wrappedKey'
+ required: true
+ description: |
+ The wrapped data crypto key.
+
+ A base64-encoded string.
+ - !ruby/object:Api::Type::String
+ name: 'cryptoKeyName'
+ required: true
+ description: |
+ The resource name of the KMS CryptoKey to use for unwrapping.
 - !ruby/object:Api::Type::NestedObject
 name: 'recordTransformations'
 description:
diff --git a/mmv1/third_party/terraform/tests/resource_data_loss_prevention_deidentify_template_test.go b/mmv1/third_party/terraform/tests/resource_data_loss_prevention_deidentify_template_test.go
index 5f1bd1509965..483bc61c4090 100644
--- a/mmv1/third_party/terraform/tests/resource_data_loss_prevention_deidentify_template_test.go
+++ b/mmv1/third_party/terraform/tests/resource_data_loss_prevention_deidentify_template_test.go
@@ -1243,6 +1243,38 @@ resource "google_data_loss_prevention_deidentify_template" "config" { } }
+ transformations {
+ info_types {
+ name = "CRYPTO_HASH_TRANSIENT_EXAMPLE"
+ }
+
+ primitive_transformation {
+ crypto_hash_config {
+ crypto_key {
+ transient {
+ name = "beep" # Copy-pasting from existing test that uses this field
+ }
+ }
+ }
+ }
+ }
+
+ transformations {
+ info_types {
+ name = "CRYPTO_HASH_UNWRAPPED_EXAMPLE"
+ }
+
+ primitive_transformation {
+ crypto_hash_config {
+ crypto_key {
+ unwrapped {
+ key = "VVdWVWFGZHRXbkUwZERkM0lYb2xRdz09"
+ }
+ }
+ }
+ }
+ }
+
 transformations { info_types { name = "REDACT_EXAMPLE"
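Review bot: The `unwrapped` key field (`name: 'key'` under `name: 'unwrapped'`) takes raw key material but is not marked `sensitive: true`, so the generated Terraform schema will not flag it as Sensitive and the key value will be shown in plan and apply output; the field's own description warns that raw keys are prone to accidental leakage. I would add `sensitive: true` beside `required: true` on that field, and it is worth considering the same for `wrappedKey`, since the wrapped blob is still key-bearing input. The `cryptoHashConfig` description says the key size must be 32 or 64 bytes while the `unwrapped.key` description says 128/192/256 bit; both appear to be copied from the API docs but they disagree, so a one-line note under `cryptoHashConfig` pointing readers to the per-key-type descriptions would reduce confusion. The enclosing `properties:` list starts and ends outside the hunk.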
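Review bot: The inline comment on `name = "beep" # Copy-pasting from existing test that uses this field` records the author's process rather than what the fixture needs, and it is emitted into the rendered HCL; I would drop it or replace it with `# transient keys only carry a name; the key material is generated server-side`, which is what the schema description states. The hard-coded `unwrapped` key literal is a throwaway test value, but a short comment such as `# test-only dummy key, not real key material` would keep a secret scanner or a future reader from treating it as a live key. The Go function returning this fixture starts and ends outside the hunk.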
@@ -1369,6 +1401,40 @@ resource "google_data_loss_prevention_deidentify_template" "config" { } }
+ transformations {
+ info_types {
+ name = "CRYPTO_HASH_TRANSIENT_UPDATED_EXAMPLE"
+ }
+
+ primitive_transformation {
+ crypto_hash_config {
+ crypto_key {
+ transient {
+ # update value
+ name = "beepy-beep-updated"
+ }
+ }
+ }
+ }
+ }
+
+ transformations {
+ info_types {
+ name = "CRYPTO_HASH_WRAPPED_EXAMPLE"
+ }
+
+ primitive_transformation {
+ crypto_hash_config {
+ crypto_key {
+ kms_wrapped {
+ wrapped_key = "B64/WRAPPED/TOKENIZATION/KEY"
+ crypto_key_name = "%{kms_key_name}"
+ }
+ }
+ }
+ }
+ }
+
 # update to remove transformations block using redact_config
 } }
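Review bot: `kms_wrapped` is exercised only in this update fixture; the create fixture in the earlier hunk at line 1243 adds only `transient` and `unwrapped`, so a regression in the create path for `kms_wrapped` would not be caught. I would mirror the `kms_wrapped` transformation in the create config, or at minimum add `# kms_wrapped is only covered by this update step` above the block so the gap is visible. `crypto_key_name = "%{kms_key_name}"` depends on the test's context map supplying a KMS key, which lives outside this hunk; worth confirming the key is provisioned for the test and usable by the DLP service, since the schema description in the first file requires `dlp.kms.encrypt` when the template is applied. The enclosing Go function starts and ends outside the hunk.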