import * as pulumi from "@pulumi/pulumi";
/**
* Creates and manages service account keys, which allow the use of a service account with Google Cloud.
*
* > **Warning**: This resource persists a sensitive credential in plaintext in the remote state used by Terraform.
* Please take appropriate measures to protect your remote state.
*
* * [API documentation](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys)
* * How-to Guides
* * [Official Documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
*
* ## Example Usage
*
* ### Creating A New Key
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const myaccount = new gcp.serviceaccount.Account("myaccount", {
* accountId: "myaccount",
* displayName: "My Service Account",
* });
* const mykey = new gcp.serviceaccount.Key("mykey", {
* serviceAccountId: myaccount.name,
* publicKeyType: "TYPE_X509_PEM_FILE",
* });
* ```
*
* ### Creating And Regularly Rotating A Key
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as time from "@pulumiverse/time";
*
* const myaccount = new gcp.serviceaccount.Account("myaccount", {
* accountId: "myaccount",
* displayName: "My Service Account",
* });
* // note: this only rotates the key when the program is run regularly (e.g. a scheduled `pulumi up`)
* const mykeyRotation = new time.Rotating("mykey_rotation", {rotationDays: 30});
* const mykey = new gcp.serviceaccount.Key("mykey", {
* serviceAccountId: myaccount.name,
* keepers: {
* rotation_time: mykeyRotation.rotationRfc3339,
* },
* });
* ```
*
* ### Save Key In Kubernetes Secret - DEPRECATED
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as kubernetes from "@pulumi/kubernetes";
* import * as std from "@pulumi/std";
*
* // Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
* // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
* const myaccount = new gcp.serviceaccount.Account("myaccount", {
* accountId: "myaccount",
* displayName: "My Service Account",
* });
* const mykey = new gcp.serviceaccount.Key("mykey", {serviceAccountId: myaccount.name});
* const google_application_credentials = new kubernetes.index.Secret("google-application-credentials", {
* metadata: [{
* name: "google-application-credentials",
* }],
* data: {
* "credentials.json": std.base64decodeOutput({
* input: mykey.privateKey,
* }).result,
* },
* });
* ```
*
* ## Import
*
* This resource does not support import.
*/
export declare class Key extends pulumi.CustomResource {
    /**
     * Get an existing Key resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * This resource does not support `pulumi import` (see the class documentation), so
     * `get` is the only way to reference a key that already exists.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key;
    /**
     * Returns true if the given object is an instance of Key. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * The `any` parameter type is the SDK's generated convention for this predicate;
     * rely on the returned narrowing rather than on the parameter type.
     */
    static isInstance(obj: any): obj is Key;
    /**
     * Controls what happens when a `pulumi up` (or `terraform destroy`) would delete this resource.
     * Defaults to "DELETE".
     * - "DELETE": deleting the key in the API is allowed.
     * - "PREVENT": the command fails instead of deleting the resource.
     * - "ABANDON": the resource is removed from state only; nothing is updated or deleted in the API,
     *   so the key continues to exist in Google Cloud and must be revoked out of band if it is no
     *   longer needed.
     */
    readonly deletionPolicy: pulumi.Output<string>;
    /**
     * Arbitrary map of values that, when changed, will trigger a new key to be generated.
     * This is the rotation hook: see the "Creating And Regularly Rotating A Key" example in the
     * class documentation.
     */
    readonly keepers: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
     * Valid values are listed at
     * [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
     * (only used on create; changing it later does not re-key an existing resource)
     */
    readonly keyAlgorithm: pulumi.Output<string | undefined>;
    /**
     * The name used for this key pair
     */
    readonly name: pulumi.Output<string>;
    /**
     * The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
     * service account keys through the CLI or web console. This is only populated when creating a new key.
     *
     * This value authenticates as the service account and is persisted in the stack state (see the
     * class-level warning). Treat the state backend as holding the credential itself: restrict who can
     * read it, use an encrypted secrets provider, and never log or export this output in plaintext.
     * NOTE(review): whether the SDK marks this output as a secret automatically is not visible from this
     * declaration file — confirm, or wrap it with `pulumi.secret(...)` before passing it to other resources.
     */
    readonly privateKey: pulumi.Output<string>;
    /**
     * The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
     */
    readonly privateKeyType: pulumi.Output<string | undefined>;
    /**
     * The public key, base64 encoded
     */
    readonly publicKey: pulumi.Output<string>;
    /**
     * Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
     * NOTE(review): when a key is uploaded this way the private half never passes through Google or this
     * program, so `privateKey` is presumably not populated — confirm against the API documentation.
     */
    readonly publicKeyData: pulumi.Output<string | undefined>;
    /**
     * The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
     */
    readonly publicKeyType: pulumi.Output<string | undefined>;
    /**
     * The Service account id of the Key. This can be a string in the format
     * `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
     * the **full** email address of the service account or its name can be specified as a value, in which case the project will
     * automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
     * syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
     * unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
     */
    readonly serviceAccountId: pulumi.Output<string>;
    /**
     * The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
     */
    readonly validAfter: pulumi.Output<string>;
    /**
     * The key can be used before this timestamp.
     * A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
     * Together with `validAfter` this bounds the credential's lifetime; useful for checking that
     * rotated keys actually expire.
     */
    readonly validBefore: pulumi.Output<string>;
    /**
     * Create a Key resource with the given unique name, arguments, and options.
     *
     * Creating this resource mints a new service account credential; see the class-level
     * warning about where the private key ends up.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Key resources.
*/
export interface KeyState {
    /**
     * Controls what happens when a `pulumi up` (or `terraform destroy`) would delete this resource.
     * Defaults to "DELETE".
     * - "DELETE": deleting the key in the API is allowed.
     * - "PREVENT": the command fails instead of deleting the resource.
     * - "ABANDON": the resource is removed from state only; nothing is updated or deleted in the API,
     *   so the key continues to exist in Google Cloud and must be revoked out of band if it is no
     *   longer needed.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * Arbitrary map of values that, when changed, will trigger a new key to be generated.
     */
    keepers?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    } | undefined>;
    /**
     * The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
     * Valid values are listed at
     * [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
     * (only used on create)
     */
    keyAlgorithm?: pulumi.Input<string | undefined>;
    /**
     * The name used for this key pair
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
     * service account keys through the CLI or web console. This is only populated when creating a new key.
     *
     * Anything supplied here is written to the stack state (see the class-level warning on `Key`);
     * there is normally no reason to pass a private key as lookup state.
     */
    privateKey?: pulumi.Input<string | undefined>;
    /**
     * The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
     */
    privateKeyType?: pulumi.Input<string | undefined>;
    /**
     * The public key, base64 encoded
     */
    publicKey?: pulumi.Input<string | undefined>;
    /**
     * Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
     */
    publicKeyData?: pulumi.Input<string | undefined>;
    /**
     * The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
     */
    publicKeyType?: pulumi.Input<string | undefined>;
    /**
     * The Service account id of the Key. This can be a string in the format
     * `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
     * the **full** email address of the service account or its name can be specified as a value, in which case the project will
     * automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
     * syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
     * unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
     */
    serviceAccountId?: pulumi.Input<string | undefined>;
    /**
     * The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
     */
    validAfter?: pulumi.Input<string | undefined>;
    /**
     * The key can be used before this timestamp.
     * A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
     */
    validBefore?: pulumi.Input<string | undefined>;
}
/**
* The set of arguments for constructing a Key resource.
*/
export interface KeyArgs {
    /**
     * Controls what happens when a `pulumi up` (or `terraform destroy`) would delete this resource.
     * Defaults to "DELETE".
     * - "DELETE": deleting the key in the API is allowed.
     * - "PREVENT": the command fails instead of deleting the resource.
     * - "ABANDON": the resource is removed from state only; nothing is updated or deleted in the API,
     *   so the key continues to exist in Google Cloud and must be revoked out of band if it is no
     *   longer needed.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * Arbitrary map of values that, when changed, will trigger a new key to be generated.
     * This is the rotation hook: see the "Creating And Regularly Rotating A Key" example on `Key`.
     */
    keepers?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    } | undefined>;
    /**
     * The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
     * Valid values are listed at
     * [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
     * (only used on create; changing it later does not re-key an existing resource)
     */
    keyAlgorithm?: pulumi.Input<string | undefined>;
    /**
     * The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
     */
    privateKeyType?: pulumi.Input<string | undefined>;
    /**
     * Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
     * NOTE(review): when a key is uploaded this way the private half never passes through Google or this
     * program, so the `privateKey` output is presumably not populated — confirm against the API documentation.
     */
    publicKeyData?: pulumi.Input<string | undefined>;
    /**
     * The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
     */
    publicKeyType?: pulumi.Input<string | undefined>;
    /**
     * The Service account id of the Key. This can be a string in the format
     * `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
     * the **full** email address of the service account or its name can be specified as a value, in which case the project will
     * automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
     * syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
     * unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
     * This is the only required argument.
     */
    serviceAccountId: pulumi.Input<string>;
}
//# sourceMappingURL=key.d.ts.map