Deploy GPG Keypairs with Terraform
A GPG keypair stores an ASCII-armoured public key and private key pair. GPG keypairs are scoped to your organisation, versioned with rotation history, and can be attached to projects and containers.
Required fields
| Field | Type | Description |
|---|---|---|
| handle | string | A unique identifier (DNS-1123 compliant: lowercase, alphanumeric, hyphens). |
| name | string | A display name. |
| public_key | string | ASCII-armoured GPG public key. |
| private_key | string | ASCII-armoured GPG private key. |
Read-only fields
| Field | Type | Description |
|---|---|---|
| fingerprint | string | Full GPG fingerprint. |
| key_id | string | Short key ID. |
| algorithm | string | Key algorithm (RSA, DSA, EdDSA, etc.). |
| key_bits | integer | Key size in bits. |
| user_id | string | UID embedded in the key. |
| expires | string | Key expiry date (UTC), if set. |
Example
```hcl
resource "bahriya_gpg_keypair" "signing_key" {
  handle      = "signing-key"
  name        = "Artifact Signing Key"
  public_key  = file("${path.module}/keys/signing.pub.asc")
  private_key = file("${path.module}/keys/signing.sec.asc")
}
```

Attach it to a project so it deploys to the project's regions:
```hcl
resource "bahriya_project" "production" {
  handle  = "production"
  name    = "Production"
  regions = ["helsinki-1", "falkenstein-1"]
}

resource "bahriya_project_gpg_keypair_attachment" "signing_key" {
  project_id = bahriya_project.production.id
  handle     = bahriya_gpg_keypair.signing_key.handle
}
```

Then mount it on a container — the public and private key blocks land as files in mountpath:
```hcl
resource "bahriya_container" "signer" {
  # ... other fields ...
  gpg_keypairs = [
    {
      handle    = bahriya_gpg_keypair.signing_key.handle
      mountpath = "/etc/bahriya/gpg"
    },
  ]
}
```

Rotation
To rotate key material, update the public_key and private_key fields in your Terraform config and run terraform apply. The Bahriya API creates a new version and marks it current. Previous versions are retained for rollback (default: last 5).
After rotation, file-mounted containers pick up the new keys automatically within about 60 seconds. No manual redeploy is needed for file-mounted keys.
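Before the first apply, and again before each rotation, it is worth checking the files that public_key and private_key read. The following is an added example, not the provider's own code: it validates the handle against DNS-1123, confirms each file is the expected armour kind (a swapped pair would hand the private key to the public_key field), and verifies the armour CRC-24 when one is present; the function names and sample payloads are assumptions made for this example.

```python
import base64
import re

# Added example (not provider code): pre-apply checks for bahriya_gpg_keypair inputs.
HANDLE_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")  # DNS-1123 label

def crc24(data: bytes) -> int:
    """CRC-24 as used by OpenPGP ASCII armour (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes) -> str:
    """Wrap constructed bytes in ASCII armour with a CRC line (not a real key)."""
    body = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"

def check_armor(text: str, kind: str) -> list[str]:
    """Return the problems found in one block expected to be of `kind`."""
    problems = []
    if kind == "PUBLIC KEY BLOCK" and "PRIVATE KEY BLOCK" in text:
        problems.append("private key block where a public key was expected (files swapped?)")
    pattern = (rf"-----BEGIN PGP {kind}-----\n(?:[^\n]+\n)*\n(.*?)"
               rf"(?:\n=([A-Za-z0-9+/]{{4}}))?\n-----END PGP {kind}-----")
    match = re.search(pattern, text, re.S)
    if not match:
        return problems + [f"not an ASCII-armoured {kind}"]
    try:
        payload = base64.b64decode(match.group(1).replace("\n", ""), validate=True)
    except ValueError:
        return problems + ["armour body is not valid base64"]
    if match.group(2) and base64.b64decode(match.group(2)) != crc24(payload).to_bytes(3, "big"):
        problems.append("armour CRC-24 mismatch: key was corrupted or hand-edited")
    return problems

def validate_keypair(handle: str, public_key: str, private_key: str) -> list[str]:
    """Check every user-supplied field of a bahriya_gpg_keypair before terraform apply."""
    problems = [] if HANDLE_RE.match(handle) else [f"handle {handle!r} is not DNS-1123 compliant"]
    return problems + check_armor(public_key, "PUBLIC KEY BLOCK") + check_armor(private_key, "PRIVATE KEY BLOCK")

# Constructed sample input: random-looking bytes, not actual key material.
SAMPLE_PUBLIC = armor("PUBLIC KEY BLOCK", b"constructed public key bytes")
SAMPLE_PRIVATE = armor("PRIVATE KEY BLOCK", b"constructed private key bytes")
```

Terraform also records the private_key value in its state, so the state backend needs the same protection as the key file itself.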
Importing an existing keypair
```shell
terraform import bahriya_gpg_keypair.signing_key <uuid>
```

Pricing
GPG keypairs are billed at $0.02 per month while they exist in your organisation, plus $0.02 per region per month when attached to a project.