import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* Instances are deployed to an available Google Cloud region and are accessible via their web interface.
*
* To get more information about Instance, see:
*
* * [API documentation](https://cloud.google.com/secure-source-manager/docs/reference/rest/v1/projects.locations.instances)
* * How-to Guides
* * [Official Documentation](https://cloud.google.com/secure-source-manager/docs/create-instance)
*
* ## Example Usage
*
* ### Secure Source Manager Instance Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.securesourcemanager.Instance("default", {
* location: "us-central1",
* instanceId: "my-instance",
* labels: {
* foo: "bar",
* },
* deletionPolicy: "PREVENT",
* });
* ```
* ### Secure Source Manager Instance Cmek
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const project = gcp.organizations.getProject({});
* const cryptoKeyBinding = new gcp.kms.CryptoKeyIAMMember("crypto_key_binding", {
* cryptoKeyId: "my-key",
* role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
* member: project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`),
* });
* const _default = new gcp.securesourcemanager.Instance("default", {
* location: "us-central1",
* instanceId: "my-instance",
* kmsKey: "my-key",
* deletionPolicy: "PREVENT",
* }, {
* dependsOn: [cryptoKeyBinding],
* });
* ```
* ### Secure Source Manager Instance Private
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as time from "@pulumiverse/time";
*
* const caPool = new gcp.certificateauthority.CaPool("ca_pool", {
* name: "ca-pool",
* location: "us-central1",
* tier: "ENTERPRISE",
* publishingOptions: {
* publishCaCert: true,
* publishCrl: true,
* },
* });
* const rootCa = new gcp.certificateauthority.Authority("root_ca", {
* pool: caPool.name,
* certificateAuthorityId: "root-ca",
* location: "us-central1",
* config: {
* subjectConfig: {
* subject: {
* organization: "google",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* deletionProtection: false,
* ignoreActiveCertificatesOnDeletion: true,
* skipGracePeriod: true,
* });
* const project = gcp.organizations.getProject({});
* const caPoolBinding = new gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding", {
* caPool: caPool.id,
* role: "roles/privateca.certificateRequester",
* members: [project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`)],
* });
* // ca pool IAM permissions can take time to propagate
* const wait120Seconds = new time.index.Sleep("wait_120_seconds", {createDuration: "120s"}, {
* dependsOn: [caPoolBinding],
* });
* const _default = new gcp.securesourcemanager.Instance("default", {
* instanceId: "my-instance",
* location: "us-central1",
* privateConfig: {
* isPrivate: true,
* caPool: caPool.id,
* },
* deletionPolicy: "PREVENT",
* }, {
* dependsOn: [
* rootCa,
* wait120Seconds,
* ],
* });
* ```
* ### Secure Source Manager Instance Private Psc Backend
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as time from "@pulumiverse/time";
*
* const project = gcp.organizations.getProject({});
* const caPool = new gcp.certificateauthority.CaPool("ca_pool", {
* name: "ca-pool",
* location: "us-central1",
* tier: "ENTERPRISE",
* publishingOptions: {
* publishCaCert: true,
* publishCrl: true,
* },
* });
* const rootCa = new gcp.certificateauthority.Authority("root_ca", {
* pool: caPool.name,
* certificateAuthorityId: "root-ca",
* location: "us-central1",
* config: {
* subjectConfig: {
* subject: {
* organization: "google",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* deletionProtection: false,
* ignoreActiveCertificatesOnDeletion: true,
* skipGracePeriod: true,
* });
* const caPoolBinding = new gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding", {
* caPool: caPool.id,
* role: "roles/privateca.certificateRequester",
* members: [project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`)],
* });
* // ca pool IAM permissions can take time to propagate
* const wait120Seconds = new time.index.Sleep("wait_120_seconds", {createDuration: "120s"}, {
* dependsOn: [caPoolBinding],
* });
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* const _default = new gcp.securesourcemanager.Instance("default", {
* instanceId: "my-instance",
* location: "us-central1",
* privateConfig: {
* isPrivate: true,
* caPool: caPool.id,
* },
* deletionPolicy: "PREVENT",
* }, {
* dependsOn: [
* rootCa,
* wait120Seconds,
* ],
* });
* // Connect SSM private instance with L4 proxy ILB.
* const network = new gcp.compute.Network("network", {
* name: "my-network",
* autoCreateSubnetworks: false,
* });
* const subnet = new gcp.compute.Subnetwork("subnet", {
* name: "my-subnet",
* region: "us-central1",
* network: network.id,
* ipCidrRange: "10.0.1.0/24",
* privateIpGoogleAccess: true,
* });
* const pscNeg = new gcp.compute.RegionNetworkEndpointGroup("psc_neg", {
* name: "my-neg",
* region: "us-central1",
* networkEndpointType: "PRIVATE_SERVICE_CONNECT",
* pscTargetService: _default.privateConfig.apply(privateConfig => privateConfig?.httpServiceAttachment),
* network: network.id,
* subnetwork: subnet.id,
* });
* const backendService = new gcp.compute.RegionBackendService("backend_service", {
* name: "my-backend-service",
* region: "us-central1",
* protocol: "TCP",
* loadBalancingScheme: "INTERNAL_MANAGED",
* backends: [{
* group: pscNeg.id,
* balancingMode: "UTILIZATION",
* capacityScaler: 1,
* }],
* });
* const proxySubnet = new gcp.compute.Subnetwork("proxy_subnet", {
* name: "my-proxy-subnet",
* region: "us-central1",
* network: network.id,
* ipCidrRange: "10.0.2.0/24",
* purpose: "REGIONAL_MANAGED_PROXY",
* role: "ACTIVE",
* });
* const targetProxy = new gcp.compute.RegionTargetTcpProxy("target_proxy", {
* name: "my-target-proxy",
* region: "us-central1",
* backendService: backendService.id,
* });
* const fwRuleTargetProxy = new gcp.compute.ForwardingRule("fw_rule_target_proxy", {
* name: "fw-rule-target-proxy",
* region: "us-central1",
* loadBalancingScheme: "INTERNAL_MANAGED",
* ipProtocol: "TCP",
* portRange: "443",
* target: targetProxy.id,
* network: network.id,
* subnetwork: subnet.id,
* networkTier: "PREMIUM",
* }, {
* dependsOn: [proxySubnet],
* });
* const privateZone = new gcp.dns.ManagedZone("private_zone", {
* name: "my-dns-zone",
* dnsName: "p.sourcemanager.dev.",
* visibility: "private",
* privateVisibilityConfig: {
* networks: [{
* networkUrl: network.id,
* }],
* },
* });
* const ssmInstanceHtmlRecord = new gcp.dns.RecordSet("ssm_instance_html_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].html}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleTargetProxy.ipAddress],
* });
* const ssmInstanceApiRecord = new gcp.dns.RecordSet("ssm_instance_api_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].api}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleTargetProxy.ipAddress],
* });
* const ssmInstanceGitRecord = new gcp.dns.RecordSet("ssm_instance_git_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].gitHttp}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleTargetProxy.ipAddress],
* });
* ```
* ### Secure Source Manager Instance Private Psc Endpoint
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as time from "@pulumiverse/time";
*
* const project = gcp.organizations.getProject({});
* const caPool = new gcp.certificateauthority.CaPool("ca_pool", {
* name: "ca-pool",
* location: "us-central1",
* tier: "ENTERPRISE",
* publishingOptions: {
* publishCaCert: true,
* publishCrl: true,
* },
* });
* const rootCa = new gcp.certificateauthority.Authority("root_ca", {
* pool: caPool.name,
* certificateAuthorityId: "root-ca",
* location: "us-central1",
* config: {
* subjectConfig: {
* subject: {
* organization: "google",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* deletionProtection: false,
* ignoreActiveCertificatesOnDeletion: true,
* skipGracePeriod: true,
* });
* const caPoolBinding = new gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding", {
* caPool: caPool.id,
* role: "roles/privateca.certificateRequester",
* members: [project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`)],
* });
* // ca pool IAM permissions can take time to propagate
* const wait120Seconds = new time.index.Sleep("wait_120_seconds", {createDuration: "120s"}, {
* dependsOn: [caPoolBinding],
* });
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* const _default = new gcp.securesourcemanager.Instance("default", {
* instanceId: "my-instance",
* location: "us-central1",
* privateConfig: {
* isPrivate: true,
* caPool: caPool.id,
* },
* deletionPolicy: "PREVENT",
* }, {
* dependsOn: [
* rootCa,
* wait120Seconds,
* ],
* });
* // Connect SSM private instance with endpoint.
* const network = new gcp.compute.Network("network", {
* name: "my-network",
* autoCreateSubnetworks: false,
* });
* const subnet = new gcp.compute.Subnetwork("subnet", {
* name: "my-subnet",
* region: "us-central1",
* network: network.id,
* ipCidrRange: "10.0.60.0/24",
* privateIpGoogleAccess: true,
* });
* const address = new gcp.compute.Address("address", {
* name: "my-address",
* region: "us-central1",
* address: "10.0.60.100",
* addressType: "INTERNAL",
* subnetwork: subnet.id,
* });
* const fwRuleServiceAttachment = new gcp.compute.ForwardingRule("fw_rule_service_attachment", {
* name: "fw-rule-service-attachment",
* region: "us-central1",
* loadBalancingScheme: "",
* ipAddress: address.id,
* network: network.id,
* target: _default.privateConfig.apply(privateConfig => privateConfig?.httpServiceAttachment),
* });
* const privateZone = new gcp.dns.ManagedZone("private_zone", {
* name: "my-dns-zone",
* dnsName: "p.sourcemanager.dev.",
* visibility: "private",
* privateVisibilityConfig: {
* networks: [{
* networkUrl: network.id,
* }],
* },
* });
* const ssmInstanceHtmlRecord = new gcp.dns.RecordSet("ssm_instance_html_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].html}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleServiceAttachment.ipAddress],
* });
* const ssmInstanceApiRecord = new gcp.dns.RecordSet("ssm_instance_api_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].api}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleServiceAttachment.ipAddress],
* });
* const ssmInstanceGitRecord = new gcp.dns.RecordSet("ssm_instance_git_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].gitHttp}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleServiceAttachment.ipAddress],
* });
* ```
* ### Secure Source Manager Instance Workforce Identity Federation
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.securesourcemanager.Instance("default", {
* location: "us-central1",
* instanceId: "my-instance",
* workforceIdentityFederationConfig: {
* enabled: true,
* },
* deletionPolicy: "PREVENT",
* });
* ```
*
* ## Import
*
* Instance can be imported using any of these accepted formats:
*
* * `projects/{{project}}/locations/{{location}}/instances/{{instance_id}}`
*
* * `{{project}}/{{location}}/{{instance_id}}`
*
* * `{{location}}/{{instance_id}}`
*
* * `{{instance_id}}`
*
* When using the `pulumi import` command, Instance can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default projects/{{project}}/locations/{{location}}/instances/{{instance_id}}
* ```
*
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default {{project}}/{{location}}/{{instance_id}}
* ```
*
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default {{location}}/{{instance_id}}
* ```
*
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default {{instance_id}}
* ```
*/
export declare class Instance extends pulumi.CustomResource {
    /**
     * Get an existing Instance resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * Every `InstanceState` property is optional, so the lookup is driven by `id`; the
     * `state` values only narrow or pre-populate what is read back.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: InstanceState, opts?: pulumi.CustomResourceOptions): Instance;
    /**
     * Returns true if the given object is an instance of Instance. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; declared `any` so callers need no cast before checking.
     */
    static isInstance(obj: any): obj is Instance;
    /**
     * Time the Instance was created in UTC.
     * Not an `InstanceArgs` input; populated by the provider after creation.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * The deletion policy for the instance. Setting `ABANDON` allows the resource
     * to be abandoned, rather than deleted. Setting `DELETE` deletes the resource
     * and all its contents. Setting `PREVENT` prevents the resource from accidental
     * deletion by erroring out during plan.
     * Default is `PREVENT`. Possible values are:
     * * DELETE
     * * PREVENT
     * * ABANDON
     *
     * Under the default, a plan that would remove the instance fails before anything is
     * destroyed; choose `DELETE` only where losing the instance and all of its contents is
     * intended, and `ABANDON` where the instance should be dropped from Pulumi state rather
     * than deleted.
     */
    readonly deletionPolicy: pulumi.Output<string | undefined>;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    readonly effectiveLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * A list of hostnames for this instance.
     * Structure is documented below.
     *
     * The private-instance examples read `hostConfigs[0].html`, `.api` and `.gitHttp` to
     * create the private DNS `A` records that point at the instance.
     */
    readonly hostConfigs: pulumi.Output<outputs.securesourcemanager.InstanceHostConfig[]>;
    /**
     * The name for the Instance.
     */
    readonly instanceId: pulumi.Output<string>;
    /**
     * Customer-managed encryption key name, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
     *
     * The Cmek example grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key to the
     * `service-<project number>@gcp-sa-sourcemanager.iam.gserviceaccount.com` service agent
     * and orders instance creation after that binding with `dependsOn`; follow the same
     * ordering when setting this field.
     */
    readonly kmsKey: pulumi.Output<string | undefined>;
    /**
     * Labels as key value pairs.
     *
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    readonly labels: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The location for the Instance.
     */
    readonly location: pulumi.Output<string>;
    /**
     * The resource name for the Instance.
     * Not an `InstanceArgs` input; assigned by the provider.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Private settings for private instance.
     * Structure is documented below.
     *
     * The Private examples pair `isPrivate: true` with a `caPool` on which the Secure Source
     * Manager service agent holds `roles/privateca.certificateRequester`, and wait for that
     * IAM binding to propagate before creating the instance. `httpServiceAttachment` from
     * this output is what the PSC examples hand to a NEG or forwarding rule.
     */
    readonly privateConfig: pulumi.Output<outputs.securesourcemanager.InstancePrivateConfig | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    readonly pulumiLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * The current state of the Instance.
     * Not an `InstanceArgs` input; reported by the provider.
     */
    readonly state: pulumi.Output<string>;
    /**
     * Provides information about the current instance state.
     */
    readonly stateNote: pulumi.Output<string>;
    /**
     * Time the Instance was updated in UTC.
     * Not an `InstanceArgs` input; populated by the provider.
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Configuration for Workforce Identity Federation to support third party identity provider.
     * If unset, defaults to the Google OIDC IdP.
     * Structure is documented below.
     *
     * The Workforce Identity Federation example enables it with `{ enabled: true }`.
     */
    readonly workforceIdentityFederationConfig: pulumi.Output<outputs.securesourcemanager.InstanceWorkforceIdentityFederationConfig | undefined>;
    /**
     * Create an Instance resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties;
     *             `instanceId` and `location` are the only required members.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: InstanceArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Instance resources.
*/
export interface InstanceState {
    /**
     * Time the Instance was created in UTC.
     */
    createTime?: pulumi.Input<string>;
    /**
     * The deletion policy for the instance. Setting `ABANDON` allows the resource
     * to be abandoned, rather than deleted. Setting `DELETE` deletes the resource
     * and all its contents. Setting `PREVENT` prevents the resource from accidental
     * deletion by erroring out during plan.
     * Default is `PREVENT`. Possible values are:
     * * DELETE
     * * PREVENT
     * * ABANDON
     */
    deletionPolicy?: pulumi.Input<string>;
    /**
     * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    effectiveLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * A list of hostnames for this instance.
     * Structure is documented below.
     */
    hostConfigs?: pulumi.Input<pulumi.Input<inputs.securesourcemanager.InstanceHostConfig>[]>;
    /**
     * The name for the Instance.
     */
    instanceId?: pulumi.Input<string>;
    /**
     * Customer-managed encryption key name, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
     */
    kmsKey?: pulumi.Input<string>;
    /**
     * Labels as key value pairs.
     *
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location for the Instance.
     */
    location?: pulumi.Input<string>;
    /**
     * The resource name for the Instance.
     */
    name?: pulumi.Input<string>;
    /**
     * Private settings for private instance.
     * Structure is documented below.
     */
    privateConfig?: pulumi.Input<inputs.securesourcemanager.InstancePrivateConfig>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    pulumiLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The current state of the Instance.
     */
    state?: pulumi.Input<string>;
    /**
     * Provides information about the current instance state.
     */
    stateNote?: pulumi.Input<string>;
    /**
     * Time the Instance was updated in UTC.
     */
    updateTime?: pulumi.Input<string>;
    /**
     * Configuration for Workforce Identity Federation to support third party identity provider.
     * If unset, defaults to the Google OIDC IdP.
     * Structure is documented below.
     */
    // Every member here is optional: this shape is the `state` argument of `Instance.get`,
    // where the lookup is keyed by the resource ID and these values only qualify it. It also
    // mirrors the class's read-only outputs (`createTime`, `name`, `state`, ...), which are
    // not accepted by `InstanceArgs`.
    workforceIdentityFederationConfig?: pulumi.Input<inputs.securesourcemanager.InstanceWorkforceIdentityFederationConfig>;
}
/**
 * The set of arguments for constructing an Instance resource.
 */
export interface InstanceArgs {
    /**
     * The deletion policy for the instance. Setting `ABANDON` allows the resource
     * to be abandoned, rather than deleted. Setting `DELETE` deletes the resource
     * and all its contents. Setting `PREVENT` prevents the resource from accidental
     * deletion by erroring out during plan.
     * Default is `PREVENT`. Possible values are:
     * * DELETE
     * * PREVENT
     * * ABANDON
     *
     * Leaving this unset keeps the `PREVENT` default, under which a plan that would remove
     * the instance fails before anything is destroyed.
     */
    deletionPolicy?: pulumi.Input<string>;
    /**
     * The name for the Instance.
     * Required: together with `location`, the only non-optional argument.
     */
    instanceId: pulumi.Input<string>;
    /**
     * Customer-managed encryption key name, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
     *
     * The Cmek example grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on this key to the
     * Secure Source Manager service agent and creates the instance with `dependsOn` set to
     * that binding; do the same when supplying a key.
     */
    kmsKey?: pulumi.Input<string>;
    /**
     * Labels as key value pairs.
     *
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location for the Instance.
     * Required.
     */
    location: pulumi.Input<string>;
    /**
     * Private settings for private instance.
     * Structure is documented below.
     *
     * The Private examples set `isPrivate: true` and `caPool` to a CA Service pool on which
     * the service agent holds `roles/privateca.certificateRequester`, and wait for that
     * binding to propagate before creating the instance.
     */
    privateConfig?: pulumi.Input<inputs.securesourcemanager.InstancePrivateConfig>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * Configuration for Workforce Identity Federation to support third party identity provider.
     * If unset, defaults to the Google OIDC IdP.
     * Structure is documented below.
     */
    workforceIdentityFederationConfig?: pulumi.Input<inputs.securesourcemanager.InstanceWorkforceIdentityFederationConfig>;
}