@pulumi/aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

import * as pulumi from "@pulumi/pulumi";

/**
 * Manages a single-Region or multi-Region primary KMS key whose key material is
 * supplied by the caller ("external", i.e. imported, key material) instead of
 * being generated by AWS. For a key where AWS generates and may rotate the
 * material itself, use the `aws.kms.Key` resource instead.
 *
 * Operational notes for this resource type:
 * - `keyMaterialBase64` is the raw secret; it should reach this resource as a
 *   Pulumi secret (`pulumi.secret(...)` or a secret config value) so it is
 *   encrypted in stack state and redacted in previews.
 * - `policy` and `bypassPolicyLockoutSafetyCheck` together decide whether the
 *   key stays manageable; a mistaken policy applied with the safety check
 *   disabled can leave the key unmanageable.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.kms.ExternalKey("example", {description: "KMS EXTERNAL for AMI encryption"});
 * ```
 *
 * ## Import
 *
 * Using `pulumi import`, import KMS External Keys using the `id`. For example:
 *
 * ```sh
 * $ pulumi import aws:kms/externalKey:ExternalKey a arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
 * ```
 */
export declare class ExternalKey extends pulumi.CustomResource {
    /**
     * Looks up an existing ExternalKey by name and provider ID and returns it
     * as a resource under this program's management.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Optional extra properties used to qualify the lookup.
     * @param opts Optional settings that control the CustomResource's behavior.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ExternalKeyState, opts?: pulumi.CustomResourceOptions): ExternalKey;

    /**
     * Type guard: true when `obj` is an ExternalKey. Works even when several
     * copies of the Pulumi SDK are loaded into one process, which is why it is
     * not a plain `instanceof` check.
     */
    static isInstance(obj: any): obj is ExternalKey;

    /** The Amazon Resource Name (ARN) of the key. */
    readonly arn: pulumi.Output<string>;

    /**
     * Whether the policy lockout safety check is skipped when the key policy is
     * created or updated. `true` increases the risk that the key becomes
     * unmanageable; see the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
     * section of the AWS KMS Developer Guide. Defaults to `false`.
     */
    readonly bypassPolicyLockoutSafetyCheck: pulumi.Output<boolean | undefined>;

    /**
     * Number of days AWS waits before deleting the key once the resource is
     * destroyed. Between `7` and `30`; defaults to `30`. This window is the
     * recovery period for an accidental destroy, so shorten it deliberately.
     */
    readonly deletionWindowInDays: pulumi.Output<number | undefined>;

    /** Free-form description of the key. */
    readonly description: pulumi.Output<string | undefined>;

    /**
     * Whether the key is enabled. A key still pending import can only be
     * `false`; once material is imported it defaults to `true` unless the
     * material has expired.
     */
    readonly enabled: pulumi.Output<boolean>;

    /**
     * Whether the imported material expires: empty while import is pending,
     * otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.
     */
    readonly expirationModel: pulumi.Output<string>;

    /**
     * Base64-encoded 256-bit symmetric key material to import. The CMK is
     * permanently bound to this material: the same bytes may be reimported
     * (for example after expiry) but different material cannot be imported.
     * This is secret data; nothing in this declaration marks it as a Pulumi
     * secret, so callers should wrap it with `pulumi.secret(...)` themselves.
     */
    readonly keyMaterialBase64: pulumi.Output<string | undefined>;

    /**
     * Whether the key is symmetric or an asymmetric key pair, and which
     * algorithms it supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`,
     * `RSA_3072`, `RSA_4096`, `HMAC_224`, `HMAC_256`, `HMAC_384`, `HMAC_512`,
     * `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, `ECC_SECG_P256K1`,
     * `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`, or `SM2` (China Regions only).
     * Defaults to `SYMMETRIC_DEFAULT`. Guidance on choosing one is in the
     * [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html).
     */
    readonly keySpec: pulumi.Output<string>;

    /** Current state of the CMK as reported by AWS. */
    readonly keyState: pulumi.Output<string>;

    /**
     * Intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`,
     * or `GENERATE_VERIFY_MAC`. Defaults to `ENCRYPT_DECRYPT`.
     */
    readonly keyUsage: pulumi.Output<string>;

    /** `true` for a multi-Region key, `false` for a regional one. Defaults to `false`. */
    readonly multiRegion: pulumi.Output<boolean>;

    /**
     * Key policy as a JSON document. When omitted, AWS KMS attaches its default
     * key policy. Build it from an object with `JSON.stringify` rather than by
     * string concatenation, and review the principals it grants before
     * applying: the policy is the key's primary access boundary.
     */
    readonly policy: pulumi.Output<string>;

    /**
     * Region in which the resource is [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints).
     * Defaults to the Region configured on the provider.
     */
    readonly region: pulumi.Output<string>;

    /**
     * Tags assigned to the key. With a provider `defaultTags` block present,
     * keys set here override the provider-level value for the same tag key.
     */
    readonly tags: pulumi.Output<Record<string, string> | undefined>;

    /** All tags on the resource, including those inherited from provider `defaultTags`. */
    readonly tagsAll: pulumi.Output<Record<string, string>>;

    /**
     * Expiry time of the imported key material as an
     * [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8)
     * (`YYYY-MM-DDTHH:MM:SSZ`). At expiry AWS KMS deletes the material and the
     * CMK becomes unusable until the same material is reimported. Omit it for
     * material that does not expire.
     */
    readonly validTo: pulumi.Output<string | undefined>;

    /**
     * Creates an ExternalKey resource.
     *
     * @param name The _unique_ name of the resource.
     * @param args Arguments that populate the resource's properties.
     * @param opts Options controlling the resource's behavior.
     */
    constructor(name: string, args?: ExternalKeyArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used when looking up and filtering ExternalKey resources.
 * Every field is optional; the meaning of each matches the same-named output
 * on the ExternalKey class.
 */
export interface ExternalKeyState {
    /** The Amazon Resource Name (ARN) of the key. */
    arn?: pulumi.Input<string>;

    /**
     * Whether the policy lockout safety check is skipped when the key policy is
     * created or updated. `true` increases the risk that the key becomes
     * unmanageable; see the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
     * section of the AWS KMS Developer Guide. Defaults to `false`.
     */
    bypassPolicyLockoutSafetyCheck?: pulumi.Input<boolean>;

    /**
     * Number of days AWS waits before deleting the key once the resource is
     * destroyed. Between `7` and `30`; defaults to `30`.
     */
    deletionWindowInDays?: pulumi.Input<number>;

    /** Free-form description of the key. */
    description?: pulumi.Input<string>;

    /**
     * Whether the key is enabled. A key still pending import can only be
     * `false`; imported keys default to `true` unless the material has expired.
     */
    enabled?: pulumi.Input<boolean>;

    /**
     * Whether the imported material expires: empty while import is pending,
     * otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`.
     */
    expirationModel?: pulumi.Input<string>;

    /**
     * Base64-encoded 256-bit symmetric key material to import. The CMK is
     * permanently bound to this material; the same bytes may be reimported but
     * different material cannot be. Secret data: supply it as a Pulumi secret.
     */
    keyMaterialBase64?: pulumi.Input<string>;

    /**
     * Whether the key is symmetric or an asymmetric key pair, and which
     * algorithms it supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`,
     * `RSA_3072`, `RSA_4096`, `HMAC_224`, `HMAC_256`, `HMAC_384`, `HMAC_512`,
     * `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, `ECC_SECG_P256K1`,
     * `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`, or `SM2` (China Regions only).
     * Defaults to `SYMMETRIC_DEFAULT`. See the
     * [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html).
     */
    keySpec?: pulumi.Input<string>;

    /** Current state of the CMK as reported by AWS. */
    keyState?: pulumi.Input<string>;

    /**
     * Intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`,
     * or `GENERATE_VERIFY_MAC`. Defaults to `ENCRYPT_DECRYPT`.
     */
    keyUsage?: pulumi.Input<string>;

    /** `true` for a multi-Region key, `false` for a regional one. Defaults to `false`. */
    multiRegion?: pulumi.Input<boolean>;

    /**
     * Key policy as a JSON document. When omitted, AWS KMS attaches its default
     * key policy. Prefer `JSON.stringify` on an object over hand-built strings.
     */
    policy?: pulumi.Input<string>;

    /**
     * Region in which the resource is [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints).
     * Defaults to the Region configured on the provider.
     */
    region?: pulumi.Input<string>;

    /**
     * Tags assigned to the key. With a provider `defaultTags` block present,
     * keys set here override the provider-level value for the same tag key.
     */
    tags?: pulumi.Input<Record<string, pulumi.Input<string>>>;

    /** All tags on the resource, including those inherited from provider `defaultTags`. */
    tagsAll?: pulumi.Input<Record<string, pulumi.Input<string>>>;

    /**
     * Expiry time of the imported key material as an
     * [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8)
     * (`YYYY-MM-DDTHH:MM:SSZ`). At expiry AWS KMS deletes the material and the
     * CMK becomes unusable. Omit it for material that does not expire.
     */
    validTo?: pulumi.Input<string>;
}

/**
 * Arguments for constructing an ExternalKey resource. Read-only attributes
 * (`arn`, `expirationModel`, `keyState`, `tagsAll`) are not accepted here.
 */
export interface ExternalKeyArgs {
    /**
     * Whether the policy lockout safety check is skipped when the key policy is
     * created or updated. `true` increases the risk that the key becomes
     * unmanageable; see the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
     * section of the AWS KMS Developer Guide. Defaults to `false`.
     */
    bypassPolicyLockoutSafetyCheck?: pulumi.Input<boolean>;

    /**
     * Number of days AWS waits before deleting the key once the resource is
     * destroyed. Between `7` and `30`; defaults to `30`. This window is the
     * recovery period for an accidental destroy, so shorten it deliberately.
     */
    deletionWindowInDays?: pulumi.Input<number>;

    /** Free-form description of the key. */
    description?: pulumi.Input<string>;

    /**
     * Whether the key is enabled. A key still pending import can only be
     * `false`; imported keys default to `true` unless the material has expired.
     */
    enabled?: pulumi.Input<boolean>;

    /**
     * Base64-encoded 256-bit symmetric key material to import. The CMK is
     * permanently bound to this material; the same bytes may be reimported but
     * different material cannot be. This is secret data: pass it as
     * `pulumi.secret(...)` or from a secret config value so it is encrypted in
     * stack state and redacted in previews.
     */
    keyMaterialBase64?: pulumi.Input<string>;

    /**
     * Whether the key is symmetric or an asymmetric key pair, and which
     * algorithms it supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`,
     * `RSA_3072`, `RSA_4096`, `HMAC_224`, `HMAC_256`, `HMAC_384`, `HMAC_512`,
     * `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, `ECC_SECG_P256K1`,
     * `ML_DSA_44`, `ML_DSA_65`, `ML_DSA_87`, or `SM2` (China Regions only).
     * Defaults to `SYMMETRIC_DEFAULT`. See the
     * [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html).
     */
    keySpec?: pulumi.Input<string>;

    /**
     * Intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`,
     * or `GENERATE_VERIFY_MAC`. Defaults to `ENCRYPT_DECRYPT`.
     */
    keyUsage?: pulumi.Input<string>;

    /** `true` for a multi-Region key, `false` for a regional one. Defaults to `false`. */
    multiRegion?: pulumi.Input<boolean>;

    /**
     * Key policy as a JSON document. When omitted, AWS KMS attaches its default
     * key policy. Build it from an object with `JSON.stringify` rather than by
     * string concatenation, and review the principals it grants before
     * applying, especially when `bypassPolicyLockoutSafetyCheck` is `true`.
     */
    policy?: pulumi.Input<string>;

    /**
     * Region in which the resource is [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints).
     * Defaults to the Region configured on the provider.
     */
    region?: pulumi.Input<string>;

    /**
     * Tags assigned to the key. With a provider `defaultTags` block present,
     * keys set here override the provider-level value for the same tag key.
     */
    tags?: pulumi.Input<Record<string, pulumi.Input<string>>>;

    /**
     * Expiry time of the imported key material as an
     * [RFC3339 time string](https://tools.ietf.org/html/rfc3339#section-5.8)
     * (`YYYY-MM-DDTHH:MM:SSZ`). At expiry AWS KMS deletes the material and the
     * CMK becomes unusable until the same material is reimported. Omit it for
     * material that does not expire.
     */
    validTo?: pulumi.Input<string>;
}