CustomerManagedKeyArgs

/**
 * Input arguments for the `azure.storage.CustomerManagedKey` resource, which binds a
 * Storage Account's encryption at rest to a key held in an Azure Key Vault.
 *
 * Every argument is optional at the type level because values are wired up lazily as
 * Pulumi [Output]s; which combinations are valid is described per property below.
 *
 * @property federatedIdentityClientId Client ID of the multi-tenant application used together
 *   with [userAssignedIdentityId] for cross-tenant customer-managed-key encryption. When set,
 *   the vault has to be referenced through [keyVaultUri], not [keyVaultId].
 * @property keyName Name of the Key Vault Key the Storage Account encrypts with.
 * @property keyVaultId Resource ID of the Key Vault. Exactly one of this or [keyVaultUri]
 *   must be specified.
 * @property keyVaultUri URI of the Key Vault; required with [federatedIdentityClientId].
 * @property keyVersion Specific key version to pin the account to. Omit it (or remove it later)
 *   to enable automatic key rotation, so the account follows the key's current version.
 * @property storageAccountId ID of the Storage Account. Changing it forces a new resource.
 * @property userAssignedIdentityId ID of the user-assigned identity that the Storage Account
 *   uses to reach the Key Vault.
 */
data class CustomerManagedKeyArgs(
    val federatedIdentityClientId: Output<String>? = null,
    val keyName: Output<String>? = null,
    val keyVaultId: Output<String>? = null,
    val keyVaultUri: Output<String>? = null,
    val keyVersion: Output<String>? = null,
    val storageAccountId: Output<String>? = null,
    val userAssignedIdentityId: Output<String>? = null,
) : ConvertibleToJava<CustomerManagedKeyArgs>

Manages a Customer Managed Key for a Storage Account.

NOTE: A Customer Managed Key can be defined either inline on the azure.storage.Account resource via its customer_managed_key block, or with the standalone azure.storage.CustomerManagedKey resource. Do not use both for the same Storage Account: they manage the same encryption setting and will conflict with each other.

Example Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.storage.Account;
import com.pulumi.azure.storage.AccountArgs;
import com.pulumi.azure.storage.inputs.AccountIdentityArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.storage.CustomerManagedKey;
import com.pulumi.azure.storage.CustomerManagedKeyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
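public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the stack: a Key Vault with purge protection, an RSA key in it, a Storage
     * Account with a system-assigned identity, and the CustomerManagedKey binding that
     * makes the account encrypt its data with that key.
     *
     * Access is granted per identity and only at the level each one needs: the Storage
     * Account's identity gets the key operations required for envelope encryption
     * (Get/WrapKey/UnwrapKey); the deploying principal gets the key-management rights the
     * Key resource needs. Neither identity is granted secret permissions, because nothing
     * in this program reads Key Vault secrets.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        final var current = CoreFunctions.getClientConfig();
        // Tenant of the deploying principal; shared by the vault and both access policies.
        final Output<String> tenantId = current.applyValue(cfg -> cfg.tenantId());

        var resourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
                .location("West Europe")
                .build());

        // Purge protection stays on: if the CMK could be purged, the Storage Account's
        // data would become unreadable with no way to recover the key.
        var keyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
                .location(resourceGroup.location())
                .resourceGroupName(resourceGroup.name())
                .tenantId(tenantId)
                .skuName("standard")
                .purgeProtectionEnabled(true)
                .build());

        // The system-assigned identity is what authenticates the account to Key Vault.
        var account = new Account("exampleAccount", AccountArgs.builder()
                .resourceGroupName(resourceGroup.name())
                .location(resourceGroup.location())
                .accountTier("Standard")
                .accountReplicationType("GRS")
                .identity(AccountIdentityArgs.builder()
                        .type("SystemAssigned")
                        .build())
                .build());

        // Least privilege for the Storage Account identity: wrapping/unwrapping the
        // data-encryption key is all it does with the vault, so no secret permissions
        // and no key-management rights.
        var storagePolicy = new AccessPolicy("storage", AccessPolicyArgs.builder()
                .keyVaultId(keyVault.id())
                .tenantId(tenantId)
                .objectId(account.identity().applyValue(identity -> identity.principalId()))
                .keyPermissions("Get", "UnwrapKey", "WrapKey")
                .build());

        // Management rights for the principal running this program, so it can create,
        // rotate and (on destroy) recover/purge the key. Key lifecycle management is
        // broad by nature; in production bind this to a dedicated deployment identity
        // rather than an interactive user.
        var clientPolicy = new AccessPolicy("client", AccessPolicyArgs.builder()
                .keyVaultId(keyVault.id())
                .tenantId(tenantId)
                .objectId(current.applyValue(cfg -> cfg.objectId()))
                .keyPermissions(
                        "Get", "Create", "Delete", "List", "Restore", "Recover",
                        "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt",
                        "Sign", "Verify", "GetRotationPolicy", "SetRotationPolicy")
                .build());

        // dependsOn: both policies must exist before Key Vault accepts key operations
        // from either identity.
        var key = new Key("exampleKey", KeyArgs.builder()
                .keyVaultId(keyVault.id())
                .keyType("RSA")
                .keySize(2048)
                .keyOpts("decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey")
                .build(), CustomResourceOptions.builder()
                .dependsOn(clientPolicy, storagePolicy)
                .build());

        // keyVersion is deliberately not set: the account then follows the key's current
        // version and picks up rotations automatically instead of being pinned.
        var customerManagedKey = new CustomerManagedKey("exampleCustomerManagedKey", CustomerManagedKeyArgs.builder()
                .storageAccountId(account.id())
                .keyVaultId(keyVault.id())
                .keyName(key.name())
                .build());
    }
}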

Import

Customer Managed Keys for a Storage Account can be imported using the resource id of the Storage Account, e.g.

$ pulumi import azure:storage/customerManagedKey:CustomerManagedKey example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/myaccount

Constructors

fun CustomerManagedKeyArgs(federatedIdentityClientId: Output<String>? = null, keyName: Output<String>? = null, keyVaultId: Output<String>? = null, keyVaultUri: Output<String>? = null, keyVersion: Output<String>? = null, storageAccountId: Output<String>? = null, userAssignedIdentityId: Output<String>? = null)

Functions

open override fun toJava(): CustomerManagedKeyArgs

Properties

val federatedIdentityClientId: Output<String>? = null

The Client ID of the multi-tenant application used together with the user-assigned identity for cross-tenant customer-managed-key server-side encryption on the Storage Account. When this is set, the Key Vault must be referenced through key_vault_uri rather than key_vault_id.

val keyName: Output<String>? = null

The name of the Key Vault Key that the Storage Account encrypts its data with.

val keyVaultId: Output<String>? = null
val keyVaultUri: Output<String>? = null

URI pointing at the Key Vault. Required when federated_identity_client_id is set. Exactly one of key_vault_id or key_vault_uri must be specified.

val keyVersion: Output<String>? = null

The version of the Key Vault Key. Setting it pins the Storage Account to that specific version; remove or omit this argument to enable automatic key rotation, so the account follows the key's current version.

val storageAccountId: Output<String>? = null

The ID of the Storage Account. Changing this forces a new resource to be created.

val userAssignedIdentityId: Output<String>? = null

The ID of the user-assigned identity the Storage Account uses to access the Key Vault. The example above omits it and relies on the account's system-assigned identity instead.