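import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

// NOTE(review): this declaration file was recovered from a copy in which every
// generic type argument (`<...>`) had been stripped by an HTML tag filter, leaving
// unbalanced fragments such as `pulumi.Input[]>`. The type arguments below were
// restored from the per-field documentation and the `inputs`/`outputs` imports;
// confirm against the published `@pulumi/azure` keyVault.d.ts before relying on
// the optional/required distinctions (`| undefined`).

/**
 * Manages a Key Vault.
 *
 * ## Disclaimers
 *
 * > **Note:** It's possible to define Key Vault Access Policies both within the `azure.keyvault.KeyVault` resource via the `accessPolicy` block and by using the `azure.keyvault.AccessPolicy` resource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
 *
 * > **Note:** It's possible to define Key Vault Certificate Contacts both within the `azure.keyvault.KeyVault` resource via the `contact` block and by using the `azure.keyvault.CertificateContacts` resource. However it's not possible to use both methods to manage Certificate Contacts within a KeyVault, since there'll be conflicts.
 *
 * ## Example Usage
 *
 * The example below sets `purgeProtectionEnabled: false` and a 7-day soft-delete
 * retention so that the demo vault can be purged quickly. Both settings are
 * one-way: purge protection cannot be disabled once enabled and
 * `softDeleteRetentionDays` can only be configured once (see the field notes
 * below), so choose them deliberately for vaults that hold production material.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "examplekeyvault",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     enabledForDiskEncryption: true,
 *     tenantId: current.then(current => current.tenantId),
 *     softDeleteRetentionDays: 7,
 *     purgeProtectionEnabled: false,
 *     skuName: "standard",
 *     accessPolicies: [{
 *         tenantId: current.then(current => current.tenantId),
 *         objectId: current.then(current => current.objectId),
 *         keyPermissions: ["Get"],
 *         secretPermissions: ["Get"],
 *         storagePermissions: ["Get"],
 *     }],
 * });
 * ```
 *
 * ## Import
 *
 * Key Vault's can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:keyvault/keyVault:KeyVault example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1
 * ```
 */
export declare class KeyVault extends pulumi.CustomResource {
    /**
     * Get an existing KeyVault resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyVaultState, opts?: pulumi.CustomResourceOptions): KeyVault;
    /**
     * Returns true if the given object is an instance of KeyVault. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * `obj` is intentionally `any`: the check must accept values produced by a
     * different copy of the SDK, which the type system cannot relate to this one.
     */
    static isInstance(obj: any): obj is KeyVault;
    /**
     * A list of up to 1024 objects describing access policies, as described below.
     *
     * > **Note:** Since `accessPolicy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, we have to explicitly set it to empty slice (`[]`) to remove it.
     */
    readonly accessPolicies: pulumi.Output<outputs.keyvault.KeyVaultAccessPolicy[]>;
    /**
     * @deprecated As the `contact` property uses a data plane API, to better support private endpoints and key vaults with public network access disabled, new key vaults with the `contact` field defined in the configuration file will now be required to use the `azure.keyvault.CertificateContacts` resource instead of the exposed `contact` field in the key vault resource itself. This field will be removed in v5.0 of the provider.
     */
    readonly contacts: pulumi.Output<outputs.keyvault.KeyVaultContact[]>;
    /**
     * @deprecated This property has been renamed to `rbacAuthorizationEnabled` and will be removed in v5.0 of the provider
     */
    readonly enableRbacAuthorization: pulumi.Output<boolean>;
    /**
     * Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
     */
    readonly enabledForDeployment: pulumi.Output<boolean | undefined>;
    /**
     * Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
     */
    readonly enabledForDiskEncryption: pulumi.Output<boolean | undefined>;
    /**
     * Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
     */
    readonly enabledForTemplateDeployment: pulumi.Output<boolean | undefined>;
    /**
     * Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
     */
    readonly location: pulumi.Output<string>;
    /**
     * Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
     */
    readonly name: pulumi.Output<string>;
    /**
     * A `networkAcls` block as defined below.
     */
    readonly networkAcls: pulumi.Output<outputs.keyvault.KeyVaultNetworkAcls>;
    /**
     * Whether public network access is allowed for this Key Vault. Defaults to `true`.
     *
     * Because the default is `true`, a vault that omits both this flag and
     * `networkAcls` is reachable from any network; restrict one or the other
     * when the vault is only meant to be reached from private endpoints.
     */
    readonly publicNetworkAccessEnabled: pulumi.Output<boolean | undefined>;
    /**
     * Is Purge Protection enabled for this Key Vault?
     *
     * !> **Note:** Once Purge Protection has been Enabled it's not possible to Disable it. Support for [disabling purge protection is being tracked in this Azure API issue](https://github.com/Azure/azure-rest-api-specs/issues/8075). Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
     */
    readonly purgeProtectionEnabled: pulumi.Output<boolean | undefined>;
    /**
     * Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
     *
     * > **Note:** Changing the permission model requires unrestricted (no conditions on the role assignment) `Microsoft.Authorization/roleAssignments/write` permission, which is part of the `Owner` and `User Access Administrator` roles. Classic subscription administrator roles like `Service Administrator` and `Co-Administrator`, or restricted `Key Vault Data Access Administrator` cannot be used to change the permission model. For more information, please see the [product documentation](https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault:~:text=Enable%20Azure%20RBAC,change%20permission%20model).
     */
    readonly rbacAuthorizationEnabled: pulumi.Output<boolean>;
    /**
     * The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output<string>;
    /**
     * The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
     */
    readonly skuName: pulumi.Output<string>;
    /**
     * The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
     *
     * > **Note:** This field can only be configured one time and cannot be updated.
     */
    readonly softDeleteRetentionDays: pulumi.Output<number | undefined>;
    /**
     * A mapping of tags to assign to the resource.
     */
    readonly tags: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
     */
    readonly tenantId: pulumi.Output<string>;
    /**
     * The URI of the Key Vault, used for performing operations on keys and secrets.
     */
    readonly vaultUri: pulumi.Output<string>;
    /**
     * Create a KeyVault resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: KeyVaultArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering KeyVault resources.
 *
 * Every property is optional here: this shape is used with `KeyVault.get` to
 * qualify a lookup, not to create a vault, so no field is required.
 */
export interface KeyVaultState {
    /**
     * A list of up to 1024 objects describing access policies, as described below.
     *
     * > **Note:** Since `accessPolicy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, we have to explicitly set it to empty slice (`[]`) to remove it.
     */
    accessPolicies?: pulumi.Input<pulumi.Input<inputs.keyvault.KeyVaultAccessPolicy>[]>;
    /**
     * @deprecated As the `contact` property uses a data plane API, to better support private endpoints and key vaults with public network access disabled, new key vaults with the `contact` field defined in the configuration file will now be required to use the `azure.keyvault.CertificateContacts` resource instead of the exposed `contact` field in the key vault resource itself. This field will be removed in v5.0 of the provider.
     */
    contacts?: pulumi.Input<pulumi.Input<inputs.keyvault.KeyVaultContact>[]>;
    /**
     * @deprecated This property has been renamed to `rbacAuthorizationEnabled` and will be removed in v5.0 of the provider
     */
    enableRbacAuthorization?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
     */
    enabledForDeployment?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
     */
    enabledForDiskEncryption?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
     */
    enabledForTemplateDeployment?: pulumi.Input<boolean>;
    /**
     * Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input<string>;
    /**
     * Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
     */
    name?: pulumi.Input<string>;
    /**
     * A `networkAcls` block as defined below.
     */
    networkAcls?: pulumi.Input<inputs.keyvault.KeyVaultNetworkAcls>;
    /**
     * Whether public network access is allowed for this Key Vault. Defaults to `true`.
     */
    publicNetworkAccessEnabled?: pulumi.Input<boolean>;
    /**
     * Is Purge Protection enabled for this Key Vault?
     *
     * !> **Note:** Once Purge Protection has been Enabled it's not possible to Disable it. Support for [disabling purge protection is being tracked in this Azure API issue](https://github.com/Azure/azure-rest-api-specs/issues/8075). Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
     */
    purgeProtectionEnabled?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
     *
     * > **Note:** Changing the permission model requires unrestricted (no conditions on the role assignment) `Microsoft.Authorization/roleAssignments/write` permission, which is part of the `Owner` and `User Access Administrator` roles. Classic subscription administrator roles like `Service Administrator` and `Co-Administrator`, or restricted `Key Vault Data Access Administrator` cannot be used to change the permission model. For more information, please see the [product documentation](https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault:~:text=Enable%20Azure%20RBAC,change%20permission%20model).
     */
    rbacAuthorizationEnabled?: pulumi.Input<boolean>;
    /**
     * The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input<string>;
    /**
     * The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
     */
    skuName?: pulumi.Input<string>;
    /**
     * The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
     *
     * > **Note:** This field can only be configured one time and cannot be updated.
     */
    softDeleteRetentionDays?: pulumi.Input<number>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
     */
    tenantId?: pulumi.Input<string>;
    /**
     * The URI of the Key Vault, used for performing operations on keys and secrets.
     */
    vaultUri?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a KeyVault resource.
 *
 * `resourceGroupName`, `skuName` and `tenantId` are the only required inputs;
 * everything else is optional and, where the provider defines one, falls back
 * to the default stated in its doc comment.
 */
export interface KeyVaultArgs {
    /**
     * A list of up to 1024 objects describing access policies, as described below.
     *
     * > **Note:** Since `accessPolicy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, we have to explicitly set it to empty slice (`[]`) to remove it.
     */
    accessPolicies?: pulumi.Input<pulumi.Input<inputs.keyvault.KeyVaultAccessPolicy>[]>;
    /**
     * @deprecated As the `contact` property uses a data plane API, to better support private endpoints and key vaults with public network access disabled, new key vaults with the `contact` field defined in the configuration file will now be required to use the `azure.keyvault.CertificateContacts` resource instead of the exposed `contact` field in the key vault resource itself. This field will be removed in v5.0 of the provider.
     */
    contacts?: pulumi.Input<pulumi.Input<inputs.keyvault.KeyVaultContact>[]>;
    /**
     * @deprecated This property has been renamed to `rbacAuthorizationEnabled` and will be removed in v5.0 of the provider
     */
    enableRbacAuthorization?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
     */
    enabledForDeployment?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
     */
    enabledForDiskEncryption?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
     */
    enabledForTemplateDeployment?: pulumi.Input<boolean>;
    /**
     * Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input<string>;
    /**
     * Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
     */
    name?: pulumi.Input<string>;
    /**
     * A `networkAcls` block as defined below.
     */
    networkAcls?: pulumi.Input<inputs.keyvault.KeyVaultNetworkAcls>;
    /**
     * Whether public network access is allowed for this Key Vault. Defaults to `true`.
     */
    publicNetworkAccessEnabled?: pulumi.Input<boolean>;
    /**
     * Is Purge Protection enabled for this Key Vault?
     *
     * !> **Note:** Once Purge Protection has been Enabled it's not possible to Disable it. Support for [disabling purge protection is being tracked in this Azure API issue](https://github.com/Azure/azure-rest-api-specs/issues/8075). Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
     */
    purgeProtectionEnabled?: pulumi.Input<boolean>;
    /**
     * Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
     *
     * > **Note:** Changing the permission model requires unrestricted (no conditions on the role assignment) `Microsoft.Authorization/roleAssignments/write` permission, which is part of the `Owner` and `User Access Administrator` roles. Classic subscription administrator roles like `Service Administrator` and `Co-Administrator`, or restricted `Key Vault Data Access Administrator` cannot be used to change the permission model. For more information, please see the [product documentation](https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault:~:text=Enable%20Azure%20RBAC,change%20permission%20model).
     */
    rbacAuthorizationEnabled?: pulumi.Input<boolean>;
    /**
     * The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input<string>;
    /**
     * The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
     */
    skuName: pulumi.Input<string>;
    /**
     * The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
     *
     * > **Note:** This field can only be configured one time and cannot be updated.
     */
    softDeleteRetentionDays?: pulumi.Input<number>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
     */
    tenantId: pulumi.Input<string>;
}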