import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* A `CryptoKey` represents a logical key that can be used for cryptographic operations.
*
* > **Note:** CryptoKeys cannot be deleted from Google Cloud Platform.
* Destroying a provider-managed CryptoKey will remove it from state
* and delete all CryptoKeyVersions, rendering the key unusable, but *will
* not delete the resource from the project.* When the provider destroys these keys,
* any data previously encrypted with these keys will be irrecoverable.
* For this reason, it is strongly recommended that you use Pulumi's [protect resource option](https://www.pulumi.com/docs/concepts/options/protect/).
*
* To get more information about CryptoKey, see:
*
* * [API documentation](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)
* * How-to Guides
* * [Creating a key](https://cloud.google.com/kms/docs/creating-keys#create_a_key)
*
* ## Example Usage
*
* ### Kms Crypto Key Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const keyring = new gcp.kms.KeyRing("keyring", {
* name: "keyring-example",
* location: "global",
* });
* const example_key = new gcp.kms.CryptoKey("example-key", {
* name: "crypto-key-example",
* keyRing: keyring.id,
* rotationPeriod: "7776000s",
* });
* ```
* ### Kms Crypto Key Asymmetric Sign
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const keyring = new gcp.kms.KeyRing("keyring", {
* name: "keyring-example",
* location: "global",
* });
* const example_asymmetric_sign_key = new gcp.kms.CryptoKey("example-asymmetric-sign-key", {
* name: "crypto-key-example",
* keyRing: keyring.id,
* purpose: "ASYMMETRIC_SIGN",
* versionTemplate: {
* algorithm: "EC_SIGN_P384_SHA384",
* },
* });
* ```
*
* ## Import
*
* CryptoKey can be imported using any of these accepted formats:
*
* * `{{key_ring}}/cryptoKeys/{{name}}`
*
* * `{{key_ring}}/{{name}}`
*
* When using the `pulumi import` command, CryptoKey can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/cryptoKeys/{{name}}
* ```
*
* ```sh
* $ pulumi import gcp:kms/cryptoKey:CryptoKey default {{key_ring}}/{{name}}
* ```
*/
export declare class CryptoKey extends pulumi.CustomResource {
/**
* Get an existing CryptoKey resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to look up.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
* @returns The CryptoKey resource for the given ID.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CryptoKeyState, opts?: pulumi.CustomResourceOptions): CryptoKey;
/**
* Returns true if the given object is an instance of CryptoKey. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*
* @param obj The value to test; it is typed `any`, so any value may be passed.
*/
static isInstance(obj: any): obj is CryptoKey;
/**
* The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
* The resource name is in the format "projects/*&#47;locations/*&#47;ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
*/
readonly cryptoKeyBackend: pulumi.Output<string>;
/**
* The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
* If not specified at creation time, the default duration is 30 days.
*
* NOTE(review): this is the delay between a version being scheduled for destruction and
* reaching DESTROYED. Presumably a scheduled destruction can still be reversed inside this
* window; confirm against the Cloud KMS documentation before relying on a shorter value.
*/
readonly destroyScheduledDuration: pulumi.Output<string>;
/**
* All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
*/
readonly effectiveLabels: pulumi.Output<{
[key: string]: string;
}>;
/**
* Whether this key may contain imported versions only.
*/
readonly importOnly: pulumi.Output<boolean>;
/**
* The policy used for Key Access Justifications Policy Enforcement. If this
* field is present and this key is enrolled in Key Access Justifications
* Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
* sign operations, and the operation will fail if rejected by the policy. The
* policy is defined by specifying zero or more allowed justification codes.
* https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
* By default, this field is absent, and all justification codes are allowed.
* This field is currently in beta and is subject to change.
* Structure is documented below.
*
* Security note: per the default above, a key without this field places no restriction on
* justification codes.
* NOTE(review): a policy listing zero allowed codes presumably rejects every evaluated
* operation; confirm before applying an empty list.
*/
readonly keyAccessJustificationsPolicy: pulumi.Output<outputs.kms.CryptoKeyKeyAccessJustificationsPolicy>;
/**
* The KeyRing that this key belongs to.
* Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
*/
readonly keyRing: pulumi.Output<string>;
/**
* Labels with user-defined metadata to apply to this resource.
*
* **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
* Please refer to the field `effectiveLabels` for all of the labels present on the resource.
*
* Labels set by other clients are therefore not visible here; audit `effectiveLabels` instead.
*/
readonly labels: pulumi.Output<{
[key: string]: string;
} | undefined>;
/**
* The resource name for the CryptoKey.
*/
readonly name: pulumi.Output<string>;
/**
* A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name.
* Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset.
* Structure is documented below.
*/
readonly primaries: pulumi.Output<outputs.kms.CryptoKeyPrimary[]>;
/**
* The combination of labels configured directly on the resource
* and default labels configured on the provider.
*/
readonly pulumiLabels: pulumi.Output<{
[key: string]: string;
}>;
/**
* The immutable purpose of this CryptoKey. See the
* [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose)
* for possible inputs.
* Default value is "ENCRYPT_DECRYPT".
*
* NOTE(review): because the purpose is immutable, changing it in configuration presumably
* forces the key to be replaced. Confirm this, since the class documentation states that
* destroying a CryptoKey deletes all of its CryptoKeyVersions.
*/
readonly purpose: pulumi.Output<string | undefined>;
/**
* Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
* The first rotation will take place after the specified period. The rotation period has
* the format of a decimal number with up to 9 fractional digits, followed by the
* letter `s` (seconds). It must be greater than a day (i.e. more than 86400 seconds).
*
* May be `undefined`.
* NOTE(review): this file does not say whether a key without a rotation period is ever
* rotated automatically; confirm, and set a period explicitly where rotation is required.
*/
readonly rotationPeriod: pulumi.Output<string | undefined>;
/**
* If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
* You must use the `gcp.kms.CryptoKeyVersion` resource to create a new CryptoKeyVersion
* or `gcp.kms.KeyRingImportJob` resource to import the CryptoKeyVersion.
* This field is only applicable during initial CryptoKey creation.
*/
readonly skipInitialVersionCreation: pulumi.Output<boolean | undefined>;
/**
* A template describing settings for new crypto key versions.
* Structure is documented below.
*/
readonly versionTemplate: pulumi.Output<outputs.kms.CryptoKeyVersionTemplate>;
/**
* Create a CryptoKey resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior. The class
* documentation strongly recommends setting the `protect` resource option here, because
* destroying the resource deletes all CryptoKeyVersions and makes data encrypted with
* them irrecoverable.
*/
constructor(name: string, args: CryptoKeyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering CryptoKey resources.
*
* Every property is optional. This is the type of the `state` argument of `CryptoKey.get`.
*/
export interface CryptoKeyState {
/**
* The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
* The resource name is in the format "projects/*&#47;locations/*&#47;ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
*/
cryptoKeyBackend?: pulumi.Input<string>;
/**
* The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
* If not specified at creation time, the default duration is 30 days.
*/
destroyScheduledDuration?: pulumi.Input<string>;
/**
* All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
*/
effectiveLabels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* Whether this key may contain imported versions only.
*/
importOnly?: pulumi.Input<boolean>;
/**
* The policy used for Key Access Justifications Policy Enforcement. If this
* field is present and this key is enrolled in Key Access Justifications
* Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
* sign operations, and the operation will fail if rejected by the policy. The
* policy is defined by specifying zero or more allowed justification codes.
* https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
* By default, this field is absent, and all justification codes are allowed.
* This field is currently in beta and is subject to change.
* Structure is documented below.
*
* Security note: per the default above, a key without this field places no restriction on
* justification codes.
*/
keyAccessJustificationsPolicy?: pulumi.Input<inputs.kms.CryptoKeyKeyAccessJustificationsPolicy>;
/**
* The KeyRing that this key belongs to.
* Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
*/
keyRing?: pulumi.Input<string>;
/**
* Labels with user-defined metadata to apply to this resource.
*
* **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
* Please refer to the field `effectiveLabels` for all of the labels present on the resource.
*/
labels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* The resource name for the CryptoKey.
*/
name?: pulumi.Input<string>;
/**
* A copy of the primary CryptoKeyVersion that will be used by cryptoKeys.encrypt when this CryptoKey is given in EncryptRequest.name.
* Keys with purpose ENCRYPT_DECRYPT may have a primary. For other keys, this field will be unset.
* Structure is documented below.
*/
primaries?: pulumi.Input<pulumi.Input<inputs.kms.CryptoKeyPrimary>[]>;
/**
* The combination of labels configured directly on the resource
* and default labels configured on the provider.
*/
pulumiLabels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* The immutable purpose of this CryptoKey. See the
* [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose)
* for possible inputs.
* Default value is "ENCRYPT_DECRYPT".
*/
purpose?: pulumi.Input<string>;
/**
* Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
* The first rotation will take place after the specified period. The rotation period has
* the format of a decimal number with up to 9 fractional digits, followed by the
* letter `s` (seconds). It must be greater than a day (i.e. more than 86400 seconds).
*/
rotationPeriod?: pulumi.Input<string>;
/**
* If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
* You must use the `gcp.kms.CryptoKeyVersion` resource to create a new CryptoKeyVersion
* or `gcp.kms.KeyRingImportJob` resource to import the CryptoKeyVersion.
* This field is only applicable during initial CryptoKey creation.
*/
skipInitialVersionCreation?: pulumi.Input<boolean>;
/**
* A template describing settings for new crypto key versions.
* Structure is documented below.
*/
versionTemplate?: pulumi.Input<inputs.kms.CryptoKeyVersionTemplate>;
}
/**
* The set of arguments for constructing a CryptoKey resource.
*
* `keyRing` is the only required property; every other property is optional.
*/
export interface CryptoKeyArgs {
/**
* The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
* The resource name is in the format "projects/*&#47;locations/*&#47;ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
*/
cryptoKeyBackend?: pulumi.Input<string>;
/**
* The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
* If not specified at creation time, the default duration is 30 days.
*
* NOTE(review): this is the delay between a version being scheduled for destruction and
* reaching DESTROYED. Presumably a scheduled destruction can still be reversed inside this
* window; confirm against the Cloud KMS documentation before choosing a shorter value.
*/
destroyScheduledDuration?: pulumi.Input<string>;
/**
* Whether this key may contain imported versions only.
*/
importOnly?: pulumi.Input<boolean>;
/**
* The policy used for Key Access Justifications Policy Enforcement. If this
* field is present and this key is enrolled in Key Access Justifications
* Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
* sign operations, and the operation will fail if rejected by the policy. The
* policy is defined by specifying zero or more allowed justification codes.
* https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
* By default, this field is absent, and all justification codes are allowed.
* This field is currently in beta and is subject to change.
* Structure is documented below.
*
* Security note: per the default above, omitting this field places no restriction on
* justification codes.
* NOTE(review): a policy listing zero allowed codes presumably rejects every evaluated
* operation; confirm before applying an empty list.
*/
keyAccessJustificationsPolicy?: pulumi.Input<inputs.kms.CryptoKeyKeyAccessJustificationsPolicy>;
/**
* The KeyRing that this key belongs to. Required.
* Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
*/
keyRing: pulumi.Input<string>;
/**
* Labels with user-defined metadata to apply to this resource.
*
* **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
* Please refer to the field `effectiveLabels` for all of the labels present on the resource.
*/
labels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* The resource name for the CryptoKey.
*/
name?: pulumi.Input<string>;
/**
* The immutable purpose of this CryptoKey. See the
* [purpose reference](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose)
* for possible inputs.
* Default value is "ENCRYPT_DECRYPT".
*
* NOTE(review): because the purpose is immutable, changing it later presumably forces the
* key to be replaced. Confirm this, since the class documentation states that destroying a
* CryptoKey deletes all of its CryptoKeyVersions.
*/
purpose?: pulumi.Input<string>;
/**
* Every time this period passes, generate a new CryptoKeyVersion and set it as the primary.
* The first rotation will take place after the specified period. The rotation period has
* the format of a decimal number with up to 9 fractional digits, followed by the
* letter `s` (seconds). It must be greater than a day (i.e. more than 86400 seconds).
*
* NOTE(review): this property is optional, and this file does not say whether a key
* created without it is ever rotated automatically; confirm, and set a period explicitly
* where rotation is required.
*/
rotationPeriod?: pulumi.Input<string>;
/**
* If set to true, the request will create a CryptoKey without any CryptoKeyVersions.
* You must use the `gcp.kms.CryptoKeyVersion` resource to create a new CryptoKeyVersion
* or `gcp.kms.KeyRingImportJob` resource to import the CryptoKeyVersion.
* This field is only applicable during initial CryptoKey creation.
*/
skipInitialVersionCreation?: pulumi.Input<boolean>;
/**
* A template describing settings for new crypto key versions.
* Structure is documented below.
*
* NOTE(review): optional; the algorithm and other version settings used when it is omitted
* are not stated in this file. Confirm the defaults rather than relying on them.
*/
versionTemplate?: pulumi.Input<inputs.kms.CryptoKeyVersionTemplate>;
}