Account
Manages a Customer Managed Key for a Cognitive Services Account.
NOTE: It's possible to define a Customer Managed Key both within the
azure.cognitive.Accountresource via thecustomer_managed_keyblock and by using theazure.cognitive.AccountCustomerManagedKeyresource. However it's not possible to use both methods to manage a Customer Managed Key for a Cognitive Account, since there'll be conflicts.
Example Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.cognitive.Account;
import com.pulumi.azure.cognitive.AccountArgs;
import com.pulumi.azure.cognitive.inputs.AccountIdentityArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.inputs.KeyVaultAccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.cognitive.AccountCustomerManagedKey;
import com.pulumi.azure.cognitive.AccountCustomerManagedKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
.location("West US")
.build());
var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
.resourceGroupName(exampleResourceGroup.name())
.location(exampleResourceGroup.location())
.build());
var exampleAccount = new Account("exampleAccount", AccountArgs.builder()
.location(exampleResourceGroup.location())
.resourceGroupName(exampleResourceGroup.name())
.kind("Face")
.skuName("E0")
.customSubdomainName("example-account")
.identity(AccountIdentityArgs.builder()
.type("SystemAssigned, UserAssigned")
.identityIds(exampleUserAssignedIdentity.id())
.build())
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.location(exampleResourceGroup.location())
.resourceGroupName(exampleResourceGroup.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("standard")
.purgeProtectionEnabled(true)
.accessPolicies(
KeyVaultAccessPolicyArgs.builder()
.tenantId(exampleAccount.identity().applyValue(identity -> identity.tenantId()))
.objectId(exampleAccount.identity().applyValue(identity -> identity.principalId()))
.keyPermissions(
"Get",
"Create",
"List",
"Restore",
"Recover",
"UnwrapKey",
"WrapKey",
"Purge",
"Encrypt",
"Decrypt",
"Sign",
"Verify")
.secretPermissions("Get")
.build(),
KeyVaultAccessPolicyArgs.builder()
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Get",
"Create",
"Delete",
"List",
"Restore",
"Recover",
"UnwrapKey",
"WrapKey",
"Purge",
"Encrypt",
"Decrypt",
"Sign",
"Verify",
"GetRotationPolicy")
.secretPermissions("Get")
.build(),
KeyVaultAccessPolicyArgs.builder()
.tenantId(exampleUserAssignedIdentity.tenantId())
.objectId(exampleUserAssignedIdentity.principalId())
.keyPermissions(
"Get",
"Create",
"Delete",
"List",
"Restore",
"Recover",
"UnwrapKey",
"WrapKey",
"Purge",
"Encrypt",
"Decrypt",
"Sign",
"Verify")
.secretPermissions("Get")
.build())
.build());
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.build());
var exampleAccountCustomerManagedKey = new AccountCustomerManagedKey("exampleAccountCustomerManagedKey", AccountCustomerManagedKeyArgs.builder()
.cognitiveAccountId(exampleAccount.id())
.keyVaultKeyId(exampleKey.id())
.identityClientId(exampleUserAssignedIdentity.clientId())
.build());
}
}Content copied to clipboard
Import
Customer Managed Keys for a Cognitive Account can be imported using the resource id, e.g.
$ pulumi import azure:cognitive/accountCustomerManagedKey:AccountCustomerManagedKey example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.CognitiveServices/accounts/account1Content copied to clipboard