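import * as pulumi from "@pulumi/pulumi";

/**
 * Manages a Key Vault Access Policy.
 *
 * An Access Policy grants one Azure AD principal (`objectId`, optionally qualified by an
 * `applicationId`) a set of data-plane permissions on keys, secrets, certificates and
 * storage accounts inside a single Key Vault (`keyVaultId`).
 *
 * > **NOTE:** It's possible to define Key Vault Access Policies both within the
 * `azure.keyvault.KeyVault` resource via the `accessPolicy` block and by using the
 * `azure.keyvault.AccessPolicy` resource. However it's not possible to use both methods to
 * manage Access Policies within a KeyVault, since there'll be conflicts: each side treats the
 * vault's policy list as its own and will presumably revert what the other side applied, so
 * pick exactly one mechanism per vault.
 *
 * > **NOTE:** Azure permits a maximum of 1024 Access Policies per Key Vault -
 * [more information can be found in this document](https://docs.microsoft.com/azure/key-vault/key-vault-secure-your-key-vault#data-plane-access-control).
 *
 * > **NOTE(review):** Every permission list is additive and applies to *all* objects of that
 * kind in the vault. Grant each principal only the operations its workload actually performs
 * (least privilege); treat destructive or key-material operations such as `Purge`, `Delete`,
 * `Decrypt`, `Sign`, `UnwrapKey`, `Backup`/`Restore` and `RegenerateKey` as high-impact grants
 * that warrant separate review.
 *
 * ## Import
 *
 * Key Vault Access Policies can be imported using the Resource ID of the Key Vault, plus some
 * additional metadata.
 *
 * If both an `objectId` and `applicationId` are specified, then the Access Policy can be
 * imported using the following code:
 *
 * ```sh
 * $ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111/applicationId/22222222-2222-2222-2222-222222222222
 * ```
 *
 * where `11111111-1111-1111-1111-111111111111` is the `objectId` and
 * `22222222-2222-2222-2222-222222222222` is the `applicationId`.
 *
 * ***
 *
 * Access Policies with an `objectId` but no `applicationId` can be imported using the
 * following command:
 *
 * ```sh
 * $ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111
 * ```
 *
 * where `11111111-1111-1111-1111-111111111111` is the `objectId`.
 *
 * > **NOTE:** Both Identifiers are unique to this provider and don't map to an existing
 * object within Azure - they are synthetic import keys, not Azure resource IDs you can look
 * up in the portal or via the Azure API.
 */
export declare class AccessPolicy extends pulumi.CustomResource {
    /**
     * Get an existing AccessPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup (see "Import" above for its
     *           shape).
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccessPolicyState, opts?: pulumi.CustomResourceOptions): AccessPolicy;
    /**
     * Returns true if the given object is an instance of AccessPolicy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is AccessPolicy;
    /**
     * The object ID of an Application in Azure Active Directory. Changing this forces a new
     * resource to be created.
     *
     * When set, the policy is keyed on the `objectId`/`applicationId` pair (both appear in the
     * import ID), so the same `objectId` may presumably carry distinct policies per application.
     */
    readonly applicationId: pulumi.Output<string | undefined>;
    /**
     * List of certificate permissions, must be one or more from the following: `Backup`, `Create`,
     * `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`,
     * `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
     */
    readonly certificatePermissions: pulumi.Output<string[] | undefined>;
    /**
     * List of key permissions, must be one or more from the following: `Backup`, `Create`,
     * `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`,
     * `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy`
     * and `SetRotationPolicy`.
     *
     * NOTE(review): `Decrypt`, `Sign` and `UnwrapKey` let the principal use the key material;
     * `Backup`/`Restore` and `Purge` affect its lifecycle. Keep these separate from the
     * `Encrypt`/`Verify`/`WrapKey` side where the workload allows.
     */
    readonly keyPermissions: pulumi.Output<string[] | undefined>;
    /**
     * Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
     */
    readonly keyVaultId: pulumi.Output<string>;
    /**
     * The object ID of a user, service principal or security group in the Azure Active Directory
     * tenant for the vault. The object ID of a service principal can be fetched from
     * `azuread_service_principal.object_id` (i.e. the service principal's `objectId`, not the
     * application/client ID). The object ID must be unique for the list of access policies.
     * Changing this forces a new resource to be created.
     */
    readonly objectId: pulumi.Output<string>;
    /**
     * List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`,
     * `List`, `Purge`, `Recover`, `Restore` and `Set`.
     *
     * NOTE(review): `Get` exposes secret values to the principal; `List` alone only exposes
     * names/metadata. Do not grant `Get` to principals that merely need to enumerate.
     */
    readonly secretPermissions: pulumi.Output<string[] | undefined>;
    /**
     * List of storage permissions, must be one or more from the following: `Backup`, `Delete`,
     * `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`,
     * `Restore`, `Set`, `SetSAS` and `Update`.
     */
    readonly storagePermissions: pulumi.Output<string[] | undefined>;
    /**
     * The Azure Active Directory tenant ID that should be used for authenticating requests to the
     * key vault. Changing this forces a new resource to be created.
     *
     * NOTE(review): this should be the tenant the `objectId` lives in (normally the vault's own
     * tenant); a mismatched tenant yields a policy that never matches the caller - confirm against
     * the vault's `tenantId`.
     */
    readonly tenantId: pulumi.Output<string>;
    /**
     * Create a AccessPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AccessPolicyArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering AccessPolicy resources.
 *
 * Every field is optional here because this shape is used to qualify `AccessPolicy.get`
 * lookups; see `AccessPolicyArgs` for which fields are required on creation.
 */
export interface AccessPolicyState {
    /**
     * The object ID of an Application in Azure Active Directory. Changing this forces a new
     * resource to be created.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * List of certificate permissions, must be one or more from the following: `Backup`, `Create`,
     * `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`,
     * `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
     */
    certificatePermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of key permissions, must be one or more from the following: `Backup`, `Create`,
     * `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`,
     * `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy`
     * and `SetRotationPolicy`.
     */
    keyPermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
     */
    keyVaultId?: pulumi.Input<string>;
    /**
     * The object ID of a user, service principal or security group in the Azure Active Directory
     * tenant for the vault. The object ID of a service principal can be fetched from
     * `azuread_service_principal.object_id`. The object ID must be unique for the list of access
     * policies. Changing this forces a new resource to be created.
     */
    objectId?: pulumi.Input<string>;
    /**
     * List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`,
     * `List`, `Purge`, `Recover`, `Restore` and `Set`.
     */
    secretPermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of storage permissions, must be one or more from the following: `Backup`, `Delete`,
     * `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`,
     * `Restore`, `Set`, `SetSAS` and `Update`.
     */
    storagePermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The Azure Active Directory tenant ID that should be used for authenticating requests to the
     * key vault. Changing this forces a new resource to be created.
     */
    tenantId?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a AccessPolicy resource.
 *
 * `keyVaultId`, `objectId` and `tenantId` are required; the permission lists are each optional,
 * and a policy with no permissions at all grants nothing. Keep the lists to what the principal
 * needs - they cannot be scoped to individual keys, secrets or certificates.
 */
export interface AccessPolicyArgs {
    /**
     * The object ID of an Application in Azure Active Directory. Changing this forces a new
     * resource to be created.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * List of certificate permissions, must be one or more from the following: `Backup`, `Create`,
     * `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`,
     * `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
     */
    certificatePermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of key permissions, must be one or more from the following: `Backup`, `Create`,
     * `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`,
     * `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy`
     * and `SetRotationPolicy`.
     */
    keyPermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
     */
    keyVaultId: pulumi.Input<string>;
    /**
     * The object ID of a user, service principal or security group in the Azure Active Directory
     * tenant for the vault. The object ID of a service principal can be fetched from
     * `azuread_service_principal.object_id`. The object ID must be unique for the list of access
     * policies. Changing this forces a new resource to be created.
     */
    objectId: pulumi.Input<string>;
    /**
     * List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`,
     * `List`, `Purge`, `Recover`, `Restore` and `Set`.
     */
    secretPermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of storage permissions, must be one or more from the following: `Backup`, `Delete`,
     * `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`,
     * `Restore`, `Set`, `SetSAS` and `Update`.
     */
    storagePermissions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The Azure Active Directory tenant ID that should be used for authenticating requests to the
     * key vault. Changing this forces a new resource to be created.
     */
    tenantId: pulumi.Input<string>;
}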