import * as pulumi from "@pulumi/pulumi"; /** * Manages a Customer Managed Key for a Cognitive Services Account. * * > **Note:** It's possible to define a Customer Managed Key both within the `azure.cognitive.Account` resource via the `customerManagedKey` block and by using the `azure.cognitive.AccountCustomerManagedKey` resource. However it's not possible to use both methods to manage a Customer Managed Key for a Cognitive Account, since there'll be conflicts. * * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azure from "@pulumi/azure"; * * const current = azure.core.getClientConfig({}); * const example = new azure.core.ResourceGroup("example", { * name: "example-resources", * location: "West US", * }); * const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", { * resourceGroupName: example.name, * location: example.location, * name: "example-identity", * }); * const exampleAccount = new azure.cognitive.Account("example", { * name: "example-account", * location: example.location, * resourceGroupName: example.name, * kind: "Face", * skuName: "E0", * customSubdomainName: "example-account", * identity: { * type: "SystemAssigned, UserAssigned", * identityIds: [exampleUserAssignedIdentity.id], * }, * }); * const exampleKeyVault = new azure.keyvault.KeyVault("example", { * name: "example-vault", * location: example.location, * resourceGroupName: example.name, * tenantId: current.then(current => current.tenantId), * skuName: "standard", * purgeProtectionEnabled: true, * accessPolicies: [ * { * tenantId: exampleAccount.identity.apply(identity => identity?.tenantId), * objectId: exampleAccount.identity.apply(identity => identity?.principalId), * keyPermissions: [ * "Get", * "Create", * "List", * "Restore", * "Recover", * "UnwrapKey", * "WrapKey", * "Purge", * "Encrypt", * "Decrypt", * "Sign", * "Verify", * ], * secretPermissions: ["Get"], * }, * { * tenantId: current.then(current => current.tenantId), * objectId: current.then(current => current.objectId), * keyPermissions: [ * "Get", * "Create", * "Delete", * "List", * "Restore", * "Recover", * "UnwrapKey", * "WrapKey", * "Purge", * "Encrypt", * "Decrypt", * "Sign", * "Verify", * "GetRotationPolicy", * ], * secretPermissions: ["Get"], * }, * { * tenantId: exampleUserAssignedIdentity.tenantId, * objectId: exampleUserAssignedIdentity.principalId, * keyPermissions: [ * "Get", * "Create", * "Delete", * "List", * "Restore", * "Recover", * "UnwrapKey", * "WrapKey", * "Purge", * "Encrypt", * "Decrypt", * "Sign", * "Verify", * ], * secretPermissions: ["Get"], * }, * ], * }); * const exampleKey = new azure.keyvault.Key("example", { * name: "example-key", * keyVaultId: exampleKeyVault.id, * keyType: "RSA", * keySize: 2048, * keyOpts: [ * "decrypt", * "encrypt", * "sign", * "unwrapKey", * "verify", * "wrapKey", * ], * }); * const exampleAccountCustomerManagedKey = new azure.cognitive.AccountCustomerManagedKey("example", { * cognitiveAccountId: exampleAccount.id, * keyVaultKeyId: exampleKey.id, * identityClientId: exampleUserAssignedIdentity.clientId, * }); * ``` * * ## API Providers * * * This resource uses the following Azure API Providers: * * * `Microsoft.CognitiveServices` - 2025-06-01 * * ## Import * * Customer Managed Keys for a Cognitive Account can be imported using the `resource id`, e.g. * * ```sh * $ pulumi import azure:cognitive/accountCustomerManagedKey:AccountCustomerManagedKey example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.CognitiveServices/accounts/account1 * ``` */ export declare class AccountCustomerManagedKey extends pulumi.CustomResource { /** * Get an existing AccountCustomerManagedKey resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: AccountCustomerManagedKeyState, opts?: pulumi.CustomResourceOptions): AccountCustomerManagedKey; /** * Returns true if the given object is an instance of AccountCustomerManagedKey. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is AccountCustomerManagedKey; /** * The ID of the Cognitive Account. Changing this forces a new resource to be created. */ readonly cognitiveAccountId: pulumi.Output; /** * The Client ID of the User Assigned Identity that has access to the key. This property only needs to be specified when there're multiple identities attached to the Cognitive Account. */ readonly identityClientId: pulumi.Output; /** * The ID of the Key Vault Key which should be used to Encrypt the data in this Cognitive Account. */ readonly keyVaultKeyId: pulumi.Output; /** * Create a AccountCustomerManagedKey resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: AccountCustomerManagedKeyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering AccountCustomerManagedKey resources. */ export interface AccountCustomerManagedKeyState { /** * The ID of the Cognitive Account. Changing this forces a new resource to be created. */ cognitiveAccountId?: pulumi.Input; /** * The Client ID of the User Assigned Identity that has access to the key. This property only needs to be specified when there're multiple identities attached to the Cognitive Account. */ identityClientId?: pulumi.Input; /** * The ID of the Key Vault Key which should be used to Encrypt the data in this Cognitive Account. */ keyVaultKeyId?: pulumi.Input; } /** * The set of arguments for constructing a AccountCustomerManagedKey resource. */ export interface AccountCustomerManagedKeyArgs { /** * The ID of the Cognitive Account. Changing this forces a new resource to be created. */ cognitiveAccountId: pulumi.Input; /** * The Client ID of the User Assigned Identity that has access to the key. This property only needs to be specified when there're multiple identities attached to the Cognitive Account. */ identityClientId?: pulumi.Input; /** * The ID of the Key Vault Key which should be used to Encrypt the data in this Cognitive Account. */ keyVaultKeyId: pulumi.Input; }