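import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

// NOTE(review): the generic type arguments on `pulumi.Input` / `pulumi.Output` were missing
// from the captured text (e.g. `pulumi.Input[]>`), which is not valid TypeScript. They are
// restored below from each field's documentation and from which KeyArgs fields are optional;
// confirm them against the published package typings.

/**
 * Manages a Key Vault Key.
 *
 * ## Example Usage
 *
 * > **Note:** To use this resource, your client should have RBAC roles with permissions like `Key Vault Crypto Officer` or `Key Vault Administrator` or an assigned Key Vault Access Policy with permissions `Create`,`Delete`,`Get`,`Purge`,`Recover`,`Update` and `GetRotationPolicy` for keys without Rotation Policy. Include `SetRotationPolicy` for keys with Rotation Policy.
 *
 * > **Note:** The Azure Provider includes a Feature Toggle which will purge a Key Vault Key resource on destroy, rather than the default soft-delete. See `purgeSoftDeletedKeysOnDestroy` for more information.
 *
 * > **Security note:** A purged key cannot be recovered, and anything encrypted or wrapped only with that key becomes unreadable. Grant `Purge` and enable purge-on-destroy only where that outcome is acceptable, and give the deploying identity no more key permissions than the deployment needs.
 *
 * ### Additional Examples
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "examplekeyvault",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     tenantId: current.then(current => current.tenantId),
 *     skuName: "premium",
 *     softDeleteRetentionDays: 7,
 *     accessPolicies: [{
 *         tenantId: current.then(current => current.tenantId),
 *         objectId: current.then(current => current.objectId),
 *         keyPermissions: [
 *             "Create",
 *             "Delete",
 *             "Get",
 *             "Purge",
 *             "Recover",
 *             "Update",
 *             "GetRotationPolicy",
 *             "SetRotationPolicy",
 *         ],
 *         secretPermissions: ["Set"],
 *     }],
 * });
 * const generated = new azure.keyvault.Key("generated", {
 *     name: "generated-certificate",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "decrypt",
 *         "encrypt",
 *         "sign",
 *         "unwrapKey",
 *         "verify",
 *         "wrapKey",
 *     ],
 *     rotationPolicy: {
 *         automatic: {
 *             timeBeforeExpiry: "P30D",
 *         },
 *         expireAfter: "P90D",
 *         notifyBeforeExpiry: "P29D",
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * Key Vault Key which is Enabled can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:keyvault/key:Key example "https://example-keyvault.vault.azure.net/keys/example/fdf067c93bbb4b22bff4d8b7a9a56217"
 * ```
 */
export declare class Key extends pulumi.CustomResource {
    /**
     * Get an existing Key resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key;
    /**
     * Returns true if the given object is an instance of Key. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Key;
    /**
     * Specifies the curve to use when creating an `EC` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field will be required in a future release if `keyType` is `EC` or `EC-HSM`. The API will default to `P-256` if nothing is specified. Changing this forces a new resource to be created.
     */
    readonly curve: pulumi.Output<string>;
    /**
     * The RSA public exponent of this Key Vault Key.
     */
    readonly e: pulumi.Output<string>;
    /**
     * Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Removing this field from the config forces a new resource to be created.
     */
    readonly expirationDate: pulumi.Output<string | undefined>;
    /**
     * A list of JSON web key operations. Possible values include: `decrypt`, `encrypt`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive. List only the operations that consumers of the key actually need.
     */
    readonly keyOpts: pulumi.Output<string[]>;
    /**
     * Specifies the size of the RSA key to create, in bits (the upstream text says "bytes", but values such as 2048 are bit lengths). For example, 1024 or 2048; 1024-bit RSA is below current minimum recommendations, so prefer 2048 or larger. *Note*: This field is required if `keyType` is `RSA` or `RSA-HSM`. Changing this forces a new resource to be created.
     */
    readonly keySize: pulumi.Output<number | undefined>;
    /**
     * Specifies the Key Type to use for this Key Vault Key. Possible values are `EC` (Elliptic Curve), `EC-HSM`, `RSA` and `RSA-HSM`. Changing this forces a new resource to be created.
     */
    readonly keyType: pulumi.Output<string>;
    /**
     * The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.
     */
    readonly keyVaultId: pulumi.Output<string>;
    /**
     * The RSA modulus of this Key Vault Key.
     */
    readonly n: pulumi.Output<string>;
    /**
     * Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Once `expirationDate` is set, it's not possible to unset it, even if the key is deleted & recreated, as the underlying Azure API uses the restore of the purged key.
     */
    readonly notBeforeDate: pulumi.Output<string | undefined>;
    /**
     * The OpenSSH encoded public key of this Key Vault Key.
     */
    readonly publicKeyOpenssh: pulumi.Output<string>;
    /**
     * The PEM encoded public key of this Key Vault Key.
     */
    readonly publicKeyPem: pulumi.Output<string>;
    /**
     * The (Versioned) ID for this Key Vault Key. This property points to a specific version of a Key Vault Key, as such using this won't auto-rotate values if used in other Azure Services.
     */
    readonly resourceId: pulumi.Output<string>;
    /**
     * The Versionless ID of the Key Vault Key. This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Key is updated.
     */
    readonly resourceVersionlessId: pulumi.Output<string>;
    /**
     * A `rotationPolicy` block as defined below.
     */
    readonly rotationPolicy: pulumi.Output<outputs.keyvault.KeyRotationPolicy | undefined>;
    /**
     * A mapping of tags to assign to the resource.
     */
    readonly tags: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The current version of the Key Vault Key.
     */
    readonly version: pulumi.Output<string>;
    /**
     * The Base ID of the Key Vault Key.
     */
    readonly versionlessId: pulumi.Output<string>;
    /**
     * The EC X component of this Key Vault Key.
     */
    readonly x: pulumi.Output<string>;
    /**
     * The EC Y component of this Key Vault Key.
     */
    readonly y: pulumi.Output<string>;
    /**
     * Create a Key resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering Key resources.
 */
export interface KeyState {
    /**
     * Specifies the curve to use when creating an `EC` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field will be required in a future release if `keyType` is `EC` or `EC-HSM`. The API will default to `P-256` if nothing is specified. Changing this forces a new resource to be created.
     */
    curve?: pulumi.Input<string>;
    /**
     * The RSA public exponent of this Key Vault Key.
     */
    e?: pulumi.Input<string>;
    /**
     * Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Removing this field from the config forces a new resource to be created.
     */
    expirationDate?: pulumi.Input<string>;
    /**
     * A list of JSON web key operations. Possible values include: `decrypt`, `encrypt`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive. List only the operations that consumers of the key actually need.
     */
    keyOpts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the size of the RSA key to create, in bits (the upstream text says "bytes", but values such as 2048 are bit lengths). For example, 1024 or 2048; 1024-bit RSA is below current minimum recommendations, so prefer 2048 or larger. *Note*: This field is required if `keyType` is `RSA` or `RSA-HSM`. Changing this forces a new resource to be created.
     */
    keySize?: pulumi.Input<number>;
    /**
     * Specifies the Key Type to use for this Key Vault Key. Possible values are `EC` (Elliptic Curve), `EC-HSM`, `RSA` and `RSA-HSM`. Changing this forces a new resource to be created.
     */
    keyType?: pulumi.Input<string>;
    /**
     * The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.
     */
    keyVaultId?: pulumi.Input<string>;
    /**
     * The RSA modulus of this Key Vault Key.
     */
    n?: pulumi.Input<string>;
    /**
     * Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Once `expirationDate` is set, it's not possible to unset it, even if the key is deleted & recreated, as the underlying Azure API uses the restore of the purged key.
     */
    notBeforeDate?: pulumi.Input<string>;
    /**
     * The OpenSSH encoded public key of this Key Vault Key.
     */
    publicKeyOpenssh?: pulumi.Input<string>;
    /**
     * The PEM encoded public key of this Key Vault Key.
     */
    publicKeyPem?: pulumi.Input<string>;
    /**
     * The (Versioned) ID for this Key Vault Key. This property points to a specific version of a Key Vault Key, as such using this won't auto-rotate values if used in other Azure Services.
     */
    resourceId?: pulumi.Input<string>;
    /**
     * The Versionless ID of the Key Vault Key. This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Key is updated.
     */
    resourceVersionlessId?: pulumi.Input<string>;
    /**
     * A `rotationPolicy` block as defined below.
     */
    rotationPolicy?: pulumi.Input<inputs.keyvault.KeyRotationPolicy>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The current version of the Key Vault Key.
     */
    version?: pulumi.Input<string>;
    /**
     * The Base ID of the Key Vault Key.
     */
    versionlessId?: pulumi.Input<string>;
    /**
     * The EC X component of this Key Vault Key.
     */
    x?: pulumi.Input<string>;
    /**
     * The EC Y component of this Key Vault Key.
     */
    y?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a Key resource.
 */
export interface KeyArgs {
    /**
     * Specifies the curve to use when creating an `EC` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field will be required in a future release if `keyType` is `EC` or `EC-HSM`. The API will default to `P-256` if nothing is specified. Changing this forces a new resource to be created.
     */
    curve?: pulumi.Input<string>;
    /**
     * Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Removing this field from the config forces a new resource to be created.
     */
    expirationDate?: pulumi.Input<string>;
    /**
     * A list of JSON web key operations. Possible values include: `decrypt`, `encrypt`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive. List only the operations that consumers of the key actually need.
     */
    keyOpts: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the size of the RSA key to create, in bits (the upstream text says "bytes", but values such as 2048 are bit lengths). For example, 1024 or 2048; 1024-bit RSA is below current minimum recommendations, so prefer 2048 or larger. *Note*: This field is required if `keyType` is `RSA` or `RSA-HSM`. Changing this forces a new resource to be created.
     */
    keySize?: pulumi.Input<number>;
    /**
     * Specifies the Key Type to use for this Key Vault Key. Possible values are `EC` (Elliptic Curve), `EC-HSM`, `RSA` and `RSA-HSM`. Changing this forces a new resource to be created.
     */
    keyType: pulumi.Input<string>;
    /**
     * The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.
     */
    keyVaultId: pulumi.Input<string>;
    /**
     * Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
     *
     * > **Note:** Once `expirationDate` is set, it's not possible to unset it, even if the key is deleted & recreated, as the underlying Azure API uses the restore of the purged key.
     */
    notBeforeDate?: pulumi.Input<string>;
    /**
     * A `rotationPolicy` block as defined below.
     */
    rotationPolicy?: pulumi.Input<inputs.keyvault.KeyRotationPolicy>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
}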