@pulumi/gcp/kms/cryptoKeyIAMPolicy.d.ts

A Pulumi package for creating and managing Google Cloud Platform resources.

import * as pulumi from "@pulumi/pulumi";
/**
 * Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:
 *
 * * `gcp.kms.CryptoKeyIAMPolicy`: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
 * * `gcp.kms.CryptoKeyIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
 * * `gcp.kms.CryptoKeyIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.
 *
 * > **Note:** `gcp.kms.CryptoKeyIAMPolicy` **cannot** be used in conjunction with `gcp.kms.CryptoKeyIAMBinding` and `gcp.kms.CryptoKeyIAMMember` or they will fight over what your policy should be.
 *
 * > **Note:** `gcp.kms.CryptoKeyIAMBinding` resources **can be** used in conjunction with `gcp.kms.CryptoKeyIAMMember` resources **only if** they do not grant privilege to the same role.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const keyring = new gcp.kms.KeyRing("keyring", {
 *     name: "keyring-example",
 *     location: "global",
 * });
 * const key = new gcp.kms.CryptoKey("key", {
 *     name: "crypto-key-example",
 *     keyRing: keyring.id,
 *     rotationPeriod: "7776000s",
 * });
 * const admin = gcp.organizations.getIAMPolicy({
 *     bindings: [{
 *         role: "roles/cloudkms.cryptoKeyEncrypter",
 *         members: ["user:jane@example.com"],
 *     }],
 * });
 * const cryptoKey = new gcp.kms.CryptoKeyIAMPolicy("crypto_key", {
 *     cryptoKeyId: key.id,
 *     policyData: admin.then(admin => admin.policyData),
 * });
 * ```
 *
 * With IAM Conditions:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const admin = gcp.organizations.getIAMPolicy({
 *     bindings: [{
 *         role: "roles/cloudkms.cryptoKeyEncrypter",
 *         members: ["user:jane@example.com"],
 *         condition: {
 *             title: "expires_after_2019_12_31",
 *             description: "Expiring at midnight of 2019-12-31",
 *             expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
 *         },
 *     }],
 * });
 * ```
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("crypto_key", {
 *     cryptoKeyId: key.id,
 *     role: "roles/cloudkms.cryptoKeyEncrypter",
 *     members: ["user:jane@example.com"],
 * });
 * ```
 *
 * With IAM Conditions:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("crypto_key", {
 *     cryptoKeyId: key.id,
 *     role: "roles/cloudkms.cryptoKeyEncrypter",
 *     members: ["user:jane@example.com"],
 *     condition: {
 *         title: "expires_after_2019_12_31",
 *         description: "Expiring at midnight of 2019-12-31",
 *         expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
 *     },
 * });
 * ```
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const cryptoKey = new gcp.kms.CryptoKeyIAMMember("crypto_key", {
 *     cryptoKeyId: key.id,
 *     role: "roles/cloudkms.cryptoKeyEncrypter",
 *     member: "user:jane@example.com",
 * });
 * ```
 *
 * With IAM Conditions:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const cryptoKey = new gcp.kms.CryptoKeyIAMMember("crypto_key", {
 *     cryptoKeyId: key.id,
 *     role: "roles/cloudkms.cryptoKeyEncrypter",
 *     member: "user:jane@example.com",
 *     condition: {
 *         title: "expires_after_2019_12_31",
 *         description: "Expiring at midnight of 2019-12-31",
 *         expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * ### Importing IAM policies
 *
 * IAM policy imports use the identifier of the KMS crypto key only. For example:
 *
 * * `{{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}}`
 *
 * An `import` block (Terraform v1.5.0 and later) can be used to import IAM policies:
 *
 * tf
 *
 * import {
 *
 *   id = "{{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}}"
 *
 *   to = google_kms_crypto_key_iam_policy.default
 *
 * }
 *
 * The `pulumi import` command can also be used:
 *
 * ```sh
 * $ pulumi import gcp:kms/cryptoKeyIAMPolicy:CryptoKeyIAMPolicy default {{project_id}}/{{location}}/{{key_ring_name}}/{{crypto_key_name}}
 * ```
 */
export declare class CryptoKeyIAMPolicy extends pulumi.CustomResource {
    /**
     * Get an existing CryptoKeyIAMPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CryptoKeyIAMPolicyState, opts?: pulumi.CustomResourceOptions): CryptoKeyIAMPolicy;
    /**
     * Returns true if the given object is an instance of CryptoKeyIAMPolicy.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is CryptoKeyIAMPolicy;
    /**
     * The crypto key ID, in the form
     * `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or
     * `{location_name}/{key_ring_name}/{crypto_key_name}`. In the second form,
     * the provider's project setting will be used as a fallback.
     */
    readonly cryptoKeyId: pulumi.Output<string>;
    /**
     * (Computed) The etag of the project's IAM policy.
     */
    readonly etag: pulumi.Output<string>;
    /**
     * The policy data generated by
     * a `gcp.organizations.getIAMPolicy` data source.
     */
    readonly policyData: pulumi.Output<string>;
    /**
     * Create a CryptoKeyIAMPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: CryptoKeyIAMPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering CryptoKeyIAMPolicy resources.
 */
export interface CryptoKeyIAMPolicyState {
    /**
     * The crypto key ID, in the form
     * `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or
     * `{location_name}/{key_ring_name}/{crypto_key_name}`. In the second form,
     * the provider's project setting will be used as a fallback.
     */
    cryptoKeyId?: pulumi.Input<string>;
    /**
     * (Computed) The etag of the project's IAM policy.
     */
    etag?: pulumi.Input<string>;
    /**
     * The policy data generated by
     * a `gcp.organizations.getIAMPolicy` data source.
     */
    policyData?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a CryptoKeyIAMPolicy resource.
 */
export interface CryptoKeyIAMPolicyArgs {
    /**
     * The crypto key ID, in the form
     * `{project_id}/{location_name}/{key_ring_name}/{crypto_key_name}` or
     * `{location_name}/{key_ring_name}/{crypto_key_name}`. In the second form,
     * the provider's project setting will be used as a fallback.
     */
    cryptoKeyId: pulumi.Input<string>;
    /**
     * The policy data generated by
     * a `gcp.organizations.getIAMPolicy` data source.
     */
    policyData: pulumi.Input<string>;
}