
@pulumi/gcp


A Pulumi package for creating and managing Google Cloud Platform resources.

import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * The AssuredWorkloads Workload resource
 *
 * ## Example Usage
 *
 * ### Basic_workload
 * A basic test of the assuredworkloads api
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const primary = new gcp.assuredworkloads.Workload("primary", {
 *     complianceRegime: "FEDRAMP_MODERATE",
 *     displayName: "{{display}}",
 *     location: "us-west1",
 *     organization: "123456789",
 *     billingAccount: "billingAccounts/000000-0000000-0000000-000000",
 *     kmsSettings: {
 *         nextRotationTime: "9999-10-02T15:01:23Z",
 *         rotationPeriod: "10368000s",
 *     },
 *     provisionedResourcesParent: "folders/519620126891",
 *     resourceSettings: [
 *         {
 *             displayName: "{{name}}",
 *             resourceType: "CONSUMER_FOLDER",
 *         },
 *         {
 *             resourceType: "ENCRYPTION_KEYS_PROJECT",
 *         },
 *         {
 *             resourceId: "ring",
 *             resourceType: "KEYRING",
 *         },
 *     ],
 *     violationNotificationsEnabled: true,
 *     workloadOptions: {
 *         kajEnrollmentType: "KEY_ACCESS_TRANSPARENCY_OFF",
 *     },
 *     labels: {
 *         "label-one": "value-one",
 *     },
 * });
 * ```
 * ### Sovereign_controls_workload
 * A Sovereign Controls test of the assuredworkloads api
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const primary = new gcp.assuredworkloads.Workload("primary", {
 *     complianceRegime: "EU_REGIONS_AND_SUPPORT",
 *     displayName: "display",
 *     location: "europe-west9",
 *     organization: "123456789",
 *     billingAccount: "billingAccounts/000000-0000000-0000000-000000",
 *     enableSovereignControls: true,
 *     kmsSettings: {
 *         nextRotationTime: "9999-10-02T15:01:23Z",
 *         rotationPeriod: "10368000s",
 *     },
 *     resourceSettings: [
 *         {
 *             resourceType: "CONSUMER_FOLDER",
 *         },
 *         {
 *             resourceType: "ENCRYPTION_KEYS_PROJECT",
 *         },
 *         {
 *             resourceId: "ring",
 *             resourceType: "KEYRING",
 *         },
 *     ],
 *     labels: {
 *         "label-one": "value-one",
 *     },
 * });
 * ```
 * ### Split_billing_partner_workload
 * A Split billing partner test of the assuredworkloads api
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const primary = new gcp.assuredworkloads.Workload("primary", {
 *     complianceRegime: "ASSURED_WORKLOADS_FOR_PARTNERS",
 *     displayName: "display",
 *     location: "europe-west8",
 *     organization: "123456789",
 *     billingAccount: "billingAccounts/000000-0000000-0000000-000000",
 *     partner: "SOVEREIGN_CONTROLS_BY_PSN",
 *     partnerPermissions: {
 *         assuredWorkloadsMonitoring: true,
 *         dataLogsViewer: true,
 *         serviceAccessApprover: true,
 *     },
 *     partnerServicesBillingAccount: "billingAccounts/01BF3F-2C6DE5-30C607",
 *     resourceSettings: [
 *         {
 *             resourceType: "CONSUMER_FOLDER",
 *         },
 *         {
 *             resourceType: "ENCRYPTION_KEYS_PROJECT",
 *         },
 *         {
 *             resourceId: "ring",
 *             resourceType: "KEYRING",
 *         },
 *     ],
 *     violationNotificationsEnabled: true,
 *     labels: {
 *         "label-one": "value-one",
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * Workload can be imported using any of these accepted formats:
 *
 * * `organizations/{{organization}}/locations/{{location}}/workloads/{{name}}`
 *
 * * `{{organization}}/{{location}}/{{name}}`
 *
 * When using the `pulumi import` command, Workload can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:assuredworkloads/workload:Workload default organizations/{{organization}}/locations/{{location}}/workloads/{{name}}
 * ```
 *
 * ```sh
 * $ pulumi import gcp:assuredworkloads/workload:Workload default {{organization}}/{{location}}/{{name}}
 * ```
 */
export declare class Workload extends pulumi.CustomResource {
    /**
     * Get an existing Workload resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The Workload resource for the given name and ID.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WorkloadState, opts?: pulumi.CustomResourceOptions): Workload;
    /**
     * Returns true if the given object is an instance of Workload. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; any value is accepted.
     */
    static isInstance(obj: any): obj is Workload;
    /**
     * Optional. Input only. The billing account used for the resources which are direct children of
     * workload. This billing account is initially associated with the resources created as part of
     * Workload creation. After the initial creation of these resources, the customer can change the
     * assigned billing account. The resource name has the form `billingAccounts/{billing_account_id}`.
     * For example, `billingAccounts/012345-567890-ABCDEF`.
     */
    readonly billingAccount: pulumi.Output<string | undefined>;
    /**
     * Required. Immutable. Compliance Regime associated with this workload. Possible values:
     * COMPLIANCE_REGIME_UNSPECIFIED, IL4, CJIS, FEDRAMP_HIGH, FEDRAMP_MODERATE, US_REGIONAL_ACCESS,
     * HIPAA, HITRUST, EU_REGIONS_AND_SUPPORT, CA_REGIONS_AND_SUPPORT, ITAR, AU_REGIONS_AND_US_SUPPORT,
     * ASSURED_WORKLOADS_FOR_PARTNERS, ISR_REGIONS, ISR_REGIONS_AND_SUPPORT, CA_PROTECTED_B, IL5, IL2,
     * JP_REGIONS_AND_SUPPORT, KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS, REGIONAL_CONTROLS,
     * HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS, HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT, IRS_1075
     *
     * The declared type is a plain `string`, so the compiler does not check a value against this list.
     */
    readonly complianceRegime: pulumi.Output<string>;
    /**
     * Output only. Count of active Violations in the Workload, exposed as a list of
     * `WorkloadComplianceStatus` entries.
     */
    readonly complianceStatuses: pulumi.Output<outputs.assuredworkloads.WorkloadComplianceStatus[]>;
    /**
     * Output only. Urls for services which are compliant for this Assured Workload, but which are
     * currently disallowed by the ResourceUsageRestriction org policy. Invoke the
     * workloads.restrictAllowedResources endpoint to allow your project developers to use these
     * services in their environment.
     */
    readonly compliantButDisallowedServices: pulumi.Output<string[]>;
    /**
     * Output only. Immutable. The Workload creation timestamp.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Required. The user-assigned display name of the Workload. When present it must be between 4 and
     * 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and
     * spaces. Example: My Workload
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured
     * through Pulumi, other clients and services.
     */
    readonly effectiveLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Optional. Represents the Ekm Provisioning State of the given workload.
     */
    readonly ekmProvisioningResponses: pulumi.Output<outputs.assuredworkloads.WorkloadEkmProvisioningResponse[]>;
    /**
     * Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by
     * Europe/Canada customers.
     */
    readonly enableSovereignControls: pulumi.Output<boolean>;
    /**
     * Output only. Represents the KAJ enrollment state of the given workload. Possible values:
     * KAJ_ENROLLMENT_STATE_UNSPECIFIED, KAJ_ENROLLMENT_STATE_PENDING, KAJ_ENROLLMENT_STATE_COMPLETE
     */
    readonly kajEnrollmentState: pulumi.Output<string>;
    /**
     * **DEPRECATED** Input only. Settings used to create a CMEK crypto key. When set, a project with a
     * KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a
     * Keyring, callers should specify ENCRYPTION_KEYS_PROJECT or KEYRING in the
     * ResourceSettings.resource_type field.
     *
     * NOTE(review): the Basic_workload and Sovereign_controls_workload examples on this class still
     * pass `kmsSettings` next to those `resourceSettings` entries; given the deprecation, new code
     * should rely on `resourceSettings` alone.
     */
    readonly kmsSettings: pulumi.Output<outputs.assuredworkloads.WorkloadKmsSettings | undefined>;
    /**
     * Optional. Labels applied to the workload.
     *
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    readonly labels: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The location for the resource
     */
    readonly location: pulumi.Output<string>;
    /**
     * Output only. The resource name of the workload.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The organization for the resource
     */
    readonly organization: pulumi.Output<string>;
    /**
     * Optional. Partner regime associated with this workload. Possible values: PARTNER_UNSPECIFIED,
     * LOCAL_CONTROLS_BY_S3NS, SOVEREIGN_CONTROLS_BY_T_SYSTEMS, SOVEREIGN_CONTROLS_BY_SIA_MINSAIT,
     * SOVEREIGN_CONTROLS_BY_PSN, SOVEREIGN_CONTROLS_BY_CNTXT, SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM
     */
    readonly partner: pulumi.Output<string | undefined>;
    /**
     * Optional. Permissions granted to the AW Partner SA account for the customer workload
     *
     * NOTE(review): each flag set here (the Split_billing_partner_workload example sets
     * `assuredWorkloadsMonitoring`, `dataLogsViewer` and `serviceAccessApprover`) gives a partner
     * service account access to the customer workload; enable only the ones the partner needs.
     */
    readonly partnerPermissions: pulumi.Output<outputs.assuredworkloads.WorkloadPartnerPermissions | undefined>;
    /**
     * Optional. Input only. Billing account necessary for purchasing services from Sovereign Partners.
     * This field is required for creating SIA/PSN/CNTXT partner workloads. The caller should have
     * 'billing.resourceAssociations.create' IAM permission on this billing-account. The format of this
     * string is billingAccounts/AAAAAA-BBBBBB-CCCCCC.
     */
    readonly partnerServicesBillingAccount: pulumi.Output<string | undefined>;
    /**
     * Input only. The parent resource for the resources managed by this Assured Workload. May be
     * either empty or a folder resource which is a child of the Workload parent. If not specified all
     * resources are created under the parent organization. Format: folders/{folder_id}
     */
    readonly provisionedResourcesParent: pulumi.Output<string | undefined>;
    /**
     * The combination of labels configured directly on the resource and default labels configured on
     * the provider.
     */
    readonly pulumiLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Input only. Resource properties that are used to customize workload resources. These properties
     * (such as custom project id) will be used to create workload resources if possible. This field is
     * optional.
     */
    readonly resourceSettings: pulumi.Output<outputs.assuredworkloads.WorkloadResourceSetting[] | undefined>;
    /**
     * Output only. The resources associated with this workload. These resources will be created when
     * creating the workload. If any of the projects already exist, the workload creation will fail.
     * Always read only.
     */
    readonly resources: pulumi.Output<outputs.assuredworkloads.WorkloadResource[]>;
    /**
     * Output only. Represents the SAA enrollment response of the given workload. SAA enrollment
     * response is queried during workloads.get call. In failure cases, user friendly error message is
     * shown in SAA details page.
     */
    readonly saaEnrollmentResponses: pulumi.Output<outputs.assuredworkloads.WorkloadSaaEnrollmentResponse[]>;
    /**
     * Optional. Indicates whether the e-mail notification for a violation is enabled for a workload.
     * This value will be by default True, and if not present will be considered as true. This should
     * only be updated via updateWorkload call. Any changes to this field during the createWorkload
     * call will not be honored. This will always be true while creating the workload.
     */
    readonly violationNotificationsEnabled: pulumi.Output<boolean>;
    /**
     * Optional. Used to specify certain options for a workload during workload creation - currently
     * only supporting KAT Optionality for Regional Controls workloads.
     *
     * NOTE(review): the Basic_workload example on this class sets
     * `kajEnrollmentType: "KEY_ACCESS_TRANSPARENCY_OFF"`; confirm that opting out is intended before
     * copying that value.
     */
    readonly workloadOptions: pulumi.Output<outputs.assuredworkloads.WorkloadWorkloadOptions | undefined>;
    /**
     * Create a Workload resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WorkloadArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Workload resources.
 *
 * Every property is optional in this interface; the "Required" and "Output only" wording in the
 * property descriptions repeats the descriptions on the `Workload` class.
 */
export interface WorkloadState {
    /**
     * Optional. Input only. The billing account used for the resources which are direct children of
     * workload. This billing account is initially associated with the resources created as part of
     * Workload creation. After the initial creation of these resources, the customer can change the
     * assigned billing account. The resource name has the form `billingAccounts/{billing_account_id}`.
     * For example, `billingAccounts/012345-567890-ABCDEF`.
     */
    billingAccount?: pulumi.Input<string>;
    /**
     * Required. Immutable. Compliance Regime associated with this workload. Possible values:
     * COMPLIANCE_REGIME_UNSPECIFIED, IL4, CJIS, FEDRAMP_HIGH, FEDRAMP_MODERATE, US_REGIONAL_ACCESS,
     * HIPAA, HITRUST, EU_REGIONS_AND_SUPPORT, CA_REGIONS_AND_SUPPORT, ITAR, AU_REGIONS_AND_US_SUPPORT,
     * ASSURED_WORKLOADS_FOR_PARTNERS, ISR_REGIONS, ISR_REGIONS_AND_SUPPORT, CA_PROTECTED_B, IL5, IL2,
     * JP_REGIONS_AND_SUPPORT, KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS, REGIONAL_CONTROLS,
     * HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS, HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT, IRS_1075
     */
    complianceRegime?: pulumi.Input<string>;
    /**
     * Output only. Count of active Violations in the Workload, exposed as a list of
     * `WorkloadComplianceStatus` entries.
     */
    complianceStatuses?: pulumi.Input<pulumi.Input<inputs.assuredworkloads.WorkloadComplianceStatus>[]>;
    /**
     * Output only. Urls for services which are compliant for this Assured Workload, but which are
     * currently disallowed by the ResourceUsageRestriction org policy. Invoke the
     * workloads.restrictAllowedResources endpoint to allow your project developers to use these
     * services in their environment.
     */
    compliantButDisallowedServices?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Output only. Immutable. The Workload creation timestamp.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Required. The user-assigned display name of the Workload. When present it must be between 4 and
     * 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and
     * spaces. Example: My Workload
     */
    displayName?: pulumi.Input<string>;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured
     * through Pulumi, other clients and services.
     */
    effectiveLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Optional. Represents the Ekm Provisioning State of the given workload.
     */
    ekmProvisioningResponses?: pulumi.Input<pulumi.Input<inputs.assuredworkloads.WorkloadEkmProvisioningResponse>[]>;
    /**
     * Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by
     * Europe/Canada customers.
     */
    enableSovereignControls?: pulumi.Input<boolean>;
    /**
     * Output only. Represents the KAJ enrollment state of the given workload. Possible values:
     * KAJ_ENROLLMENT_STATE_UNSPECIFIED, KAJ_ENROLLMENT_STATE_PENDING, KAJ_ENROLLMENT_STATE_COMPLETE
     */
    kajEnrollmentState?: pulumi.Input<string>;
    /**
     * **DEPRECATED** Input only. Settings used to create a CMEK crypto key. When set, a project with a
     * KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a
     * Keyring, callers should specify ENCRYPTION_KEYS_PROJECT or KEYRING in the
     * ResourceSettings.resource_type field.
     */
    kmsSettings?: pulumi.Input<inputs.assuredworkloads.WorkloadKmsSettings>;
    /**
     * Optional. Labels applied to the workload.
     *
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location for the resource
     */
    location?: pulumi.Input<string>;
    /**
     * Output only. The resource name of the workload.
     */
    name?: pulumi.Input<string>;
    /**
     * The organization for the resource
     */
    organization?: pulumi.Input<string>;
    /**
     * Optional. Partner regime associated with this workload. Possible values: PARTNER_UNSPECIFIED,
     * LOCAL_CONTROLS_BY_S3NS, SOVEREIGN_CONTROLS_BY_T_SYSTEMS, SOVEREIGN_CONTROLS_BY_SIA_MINSAIT,
     * SOVEREIGN_CONTROLS_BY_PSN, SOVEREIGN_CONTROLS_BY_CNTXT, SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM
     */
    partner?: pulumi.Input<string>;
    /**
     * Optional. Permissions granted to the AW Partner SA account for the customer workload
     */
    partnerPermissions?: pulumi.Input<inputs.assuredworkloads.WorkloadPartnerPermissions>;
    /**
     * Optional. Input only. Billing account necessary for purchasing services from Sovereign Partners.
     * This field is required for creating SIA/PSN/CNTXT partner workloads. The caller should have
     * 'billing.resourceAssociations.create' IAM permission on this billing-account. The format of this
     * string is billingAccounts/AAAAAA-BBBBBB-CCCCCC.
     */
    partnerServicesBillingAccount?: pulumi.Input<string>;
    /**
     * Input only. The parent resource for the resources managed by this Assured Workload. May be
     * either empty or a folder resource which is a child of the Workload parent. If not specified all
     * resources are created under the parent organization. Format: folders/{folder_id}
     */
    provisionedResourcesParent?: pulumi.Input<string>;
    /**
     * The combination of labels configured directly on the resource and default labels configured on
     * the provider.
     */
    pulumiLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Input only. Resource properties that are used to customize workload resources. These properties
     * (such as custom project id) will be used to create workload resources if possible. This field is
     * optional.
     */
    resourceSettings?: pulumi.Input<pulumi.Input<inputs.assuredworkloads.WorkloadResourceSetting>[]>;
    /**
     * Output only. The resources associated with this workload. These resources will be created when
     * creating the workload. If any of the projects already exist, the workload creation will fail.
     * Always read only.
     */
    resources?: pulumi.Input<pulumi.Input<inputs.assuredworkloads.WorkloadResource>[]>;
    /**
     * Output only. Represents the SAA enrollment response of the given workload. SAA enrollment
     * response is queried during workloads.get call. In failure cases, user friendly error message is
     * shown in SAA details page.
     */
    saaEnrollmentResponses?: pulumi.Input<pulumi.Input<inputs.assuredworkloads.WorkloadSaaEnrollmentResponse>[]>;
    /**
     * Optional. Indicates whether the e-mail notification for a violation is enabled for a workload.
     * This value will be by default True, and if not present will be considered as true. This should
     * only be updated via updateWorkload call. Any changes to this field during the createWorkload
     * call will not be honored. This will always be true while creating the workload.
     */
    violationNotificationsEnabled?: pulumi.Input<boolean>;
    /**
     * Optional. Used to specify certain options for a workload during workload creation - currently
     * only supporting KAT Optionality for Regional Controls workloads.
     */
    workloadOptions?: pulumi.Input<inputs.assuredworkloads.WorkloadWorkloadOptions>;
}
/**
 * The set of arguments for constructing a Workload resource.
 *
 * `complianceRegime`, `displayName`, `location` and `organization` are the only properties declared
 * without `?`; every other property may be omitted.
 */
export interface WorkloadArgs {
    /**
     * Optional. Input only. The billing account used for the resources which are direct children of
     * workload. This billing account is initially associated with the resources created as part of
     * Workload creation. After the initial creation of these resources, the customer can change the
     * assigned billing account. The resource name has the form `billingAccounts/{billing_account_id}`.
     * For example, `billingAccounts/012345-567890-ABCDEF`.
     */
    billingAccount?: pulumi.Input<string>;
    /**
     * Required. Immutable. Compliance Regime associated with this workload. Possible values:
     * COMPLIANCE_REGIME_UNSPECIFIED, IL4, CJIS, FEDRAMP_HIGH, FEDRAMP_MODERATE, US_REGIONAL_ACCESS,
     * HIPAA, HITRUST, EU_REGIONS_AND_SUPPORT, CA_REGIONS_AND_SUPPORT, ITAR, AU_REGIONS_AND_US_SUPPORT,
     * ASSURED_WORKLOADS_FOR_PARTNERS, ISR_REGIONS, ISR_REGIONS_AND_SUPPORT, CA_PROTECTED_B, IL5, IL2,
     * JP_REGIONS_AND_SUPPORT, KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS, REGIONAL_CONTROLS,
     * HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS, HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT, IRS_1075
     *
     * The declared type is a plain `string`, so the compiler does not check a value against this list.
     */
    complianceRegime: pulumi.Input<string>;
    /**
     * Required. The user-assigned display name of the Workload. When present it must be between 4 and
     * 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, and
     * spaces. Example: My Workload
     */
    displayName: pulumi.Input<string>;
    /**
     * Optional. Indicates the sovereignty status of the given workload. Currently meant to be used by
     * Europe/Canada customers.
     */
    enableSovereignControls?: pulumi.Input<boolean>;
    /**
     * **DEPRECATED** Input only. Settings used to create a CMEK crypto key. When set, a project with a
     * KMS CMEK key is provisioned. This field is deprecated as of Feb 28, 2022. In order to create a
     * Keyring, callers should specify ENCRYPTION_KEYS_PROJECT or KEYRING in the
     * ResourceSettings.resource_type field.
     *
     * NOTE(review): given the deprecation, new code should request the key project and key ring
     * through `resourceSettings` rather than this field.
     */
    kmsSettings?: pulumi.Input<inputs.assuredworkloads.WorkloadKmsSettings>;
    /**
     * Optional. Labels applied to the workload.
     *
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location for the resource
     */
    location: pulumi.Input<string>;
    /**
     * The organization for the resource
     */
    organization: pulumi.Input<string>;
    /**
     * Optional. Partner regime associated with this workload. Possible values: PARTNER_UNSPECIFIED,
     * LOCAL_CONTROLS_BY_S3NS, SOVEREIGN_CONTROLS_BY_T_SYSTEMS, SOVEREIGN_CONTROLS_BY_SIA_MINSAIT,
     * SOVEREIGN_CONTROLS_BY_PSN, SOVEREIGN_CONTROLS_BY_CNTXT, SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM
     */
    partner?: pulumi.Input<string>;
    /**
     * Optional. Permissions granted to the AW Partner SA account for the customer workload
     *
     * NOTE(review): each flag set here gives a partner service account access to the customer
     * workload; enable only the ones the partner needs.
     */
    partnerPermissions?: pulumi.Input<inputs.assuredworkloads.WorkloadPartnerPermissions>;
    /**
     * Optional. Input only. Billing account necessary for purchasing services from Sovereign Partners.
     * This field is required for creating SIA/PSN/CNTXT partner workloads. The caller should have
     * 'billing.resourceAssociations.create' IAM permission on this billing-account. The format of this
     * string is billingAccounts/AAAAAA-BBBBBB-CCCCCC.
     */
    partnerServicesBillingAccount?: pulumi.Input<string>;
    /**
     * Input only. The parent resource for the resources managed by this Assured Workload. May be
     * either empty or a folder resource which is a child of the Workload parent. If not specified all
     * resources are created under the parent organization. Format: folders/{folder_id}
     */
    provisionedResourcesParent?: pulumi.Input<string>;
    /**
     * Input only. Resource properties that are used to customize workload resources. These properties
     * (such as custom project id) will be used to create workload resources if possible. This field is
     * optional.
     */
    resourceSettings?: pulumi.Input<pulumi.Input<inputs.assuredworkloads.WorkloadResourceSetting>[]>;
    /**
     * Optional. Indicates whether the e-mail notification for a violation is enabled for a workload.
     * This value will be by default True, and if not present will be considered as true. This should
     * only be updated via updateWorkload call. Any changes to this field during the createWorkload
     * call will not be honored. This will always be true while creating the workload.
     */
    violationNotificationsEnabled?: pulumi.Input<boolean>;
    /**
     * Optional. Used to specify certain options for a workload during workload creation - currently
     * only supporting KAT Optionality for Regional Controls workloads.
     */
    workloadOptions?: pulumi.Input<inputs.assuredworkloads.WorkloadWorkloadOptions>;
}