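import * as pulumi from "@pulumi/pulumi";
/**
 * Manages a Customer Managed Key for the Databricks Workspaces Root Databricks File System (DBFS)
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "examplekeyvault",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     tenantId: current.then(current => current.tenantId),
 *     skuName: "premium",
 *     purgeProtectionEnabled: true,
 *     softDeleteRetentionDays: 7,
 * });
 * const terraform = new azure.keyvault.AccessPolicy("terraform", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: exampleKeyVault.tenantId,
 *     objectId: current.then(current => current.objectId),
 *     keyPermissions: [
 *         "Create",
 *         "Delete",
 *         "Get",
 *         "Purge",
 *         "Recover",
 *         "Update",
 *         "List",
 *         "Decrypt",
 *         "Sign",
 *         "GetRotationPolicy",
 *     ],
 * });
 * const exampleKey = new azure.keyvault.Key("example", {
 *     name: "example-certificate",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "decrypt",
 *         "encrypt",
 *         "sign",
 *         "unwrapKey",
 *         "verify",
 *         "wrapKey",
 *     ],
 * }, {
 *     dependsOn: [terraform],
 * });
 * const exampleWorkspace = new azure.databricks.Workspace("example", {
 *     name: "example-workspace",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     sku: "premium",
 *     customerManagedKeyEnabled: true,
 * });
 * const databricks = new azure.keyvault.AccessPolicy("databricks", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: exampleWorkspace.storageAccountIdentities.apply(storageAccountIdentities => storageAccountIdentities[0].tenantId),
 *     objectId: exampleWorkspace.storageAccountIdentities.apply(storageAccountIdentities => storageAccountIdentities[0].principalId),
 *     keyPermissions: [
 *         "Create",
 *         "Delete",
 *         "Get",
 *         "Purge",
 *         "Recover",
 *         "Update",
 *         "List",
 *         "Decrypt",
 *         "Sign",
 *     ],
 * }, {
 *     dependsOn: [exampleWorkspace],
 * });
 * const exampleWorkspaceRootDbfsCustomerManagedKey = new azure.databricks.WorkspaceRootDbfsCustomerManagedKey("example", {
 *     workspaceId: exampleWorkspace.id,
 *     keyVaultKeyId: exampleKey.id,
 * }, {
 *     dependsOn: [databricks],
 * });
 * ```
 *
 * ## Security Notes
 *
 * * The `databricks` access policy in the example gives the workspace storage identity key-management permissions (`Create`, `Delete`, `Purge`, `Recover`, `Update`) on top of read access. Treat that list as demonstration only and trim it to least privilege before reuse; Microsoft's customer-managed-key guidance for a storage identity is understood to call for `Get`, `WrapKey` and `UnwrapKey` only — confirm against the current Azure documentation.
 * * The same applies to the `terraform` policy: the deploying principal holds `Delete` and `Purge` on every key in the vault, so scope that principal and its credentials accordingly.
 * * Keep `purgeProtectionEnabled` set on the vault as the example does. Data encrypted under the key is unreadable once the key is deleted or the workspace identity loses access to it, so key deletion and access-policy changes on this vault are worth alerting on.
 *
 * ## Example HCL Configurations
 *
 * * Databricks Workspace with Root Databricks File System Customer Managed Keys
 * * Databricks Workspace with Root Databricks File System Customer Managed Keys in a Different Subscription
 * * Databricks Workspace with Private Endpoint, Customer Managed Keys for Managed Services and Root Databricks File System Customer Managed Keys
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Databricks` - 2026-01-01
 *
 * ## Import
 *
 * Databricks Workspace Root DBFS Customer Managed Key can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:databricks/workspaceRootDbfsCustomerManagedKey:WorkspaceRootDbfsCustomerManagedKey workspace1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Databricks/workspaces/workspace1
 * ```
 */
export declare class WorkspaceRootDbfsCustomerManagedKey extends pulumi.CustomResource {
    /**
     * Get an existing WorkspaceRootDbfsCustomerManagedKey resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WorkspaceRootDbfsCustomerManagedKeyState, opts?: pulumi.CustomResourceOptions): WorkspaceRootDbfsCustomerManagedKey;
    /**
     * Returns true if the given object is an instance of WorkspaceRootDbfsCustomerManagedKey. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is WorkspaceRootDbfsCustomerManagedKey;
    /**
     * Specifies the Resource ID of the Key Vault which contains the `keyVaultKeyId`.
     *
     * > **Note:** The `keyVaultId` field only needs to be specified if the Key Vault which contains the `keyVaultKeyId` exists in a different subscription than the Databricks Workspace. If the `keyVaultId` field is not specified it is assumed that the `keyVaultKeyId` is hosted in the same subscription as the Databricks Workspace. Does not apply to managed HSM vaults.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    readonly keyVaultId: pulumi.Output<string | undefined>;
    /**
     * The ID of the Key Vault Key to be used.
     */
    readonly keyVaultKeyId: pulumi.Output<string>;
    /**
     * The Resource ID of the Databricks Workspace.
     */
    readonly workspaceId: pulumi.Output<string>;
    /**
     * Create a WorkspaceRootDbfsCustomerManagedKey resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WorkspaceRootDbfsCustomerManagedKeyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering WorkspaceRootDbfsCustomerManagedKey resources.
 */
export interface WorkspaceRootDbfsCustomerManagedKeyState {
    /**
     * Specifies the Resource ID of the Key Vault which contains the `keyVaultKeyId`.
     *
     * > **Note:** The `keyVaultId` field only needs to be specified if the Key Vault which contains the `keyVaultKeyId` exists in a different subscription than the Databricks Workspace. If the `keyVaultId` field is not specified it is assumed that the `keyVaultKeyId` is hosted in the same subscription as the Databricks Workspace. Does not apply to managed HSM vaults.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    keyVaultId?: pulumi.Input<string>;
    /**
     * The ID of the Key Vault Key to be used.
     */
    keyVaultKeyId?: pulumi.Input<string>;
    /**
     * The Resource ID of the Databricks Workspace.
     */
    workspaceId?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a WorkspaceRootDbfsCustomerManagedKey resource.
 */
export interface WorkspaceRootDbfsCustomerManagedKeyArgs {
    /**
     * Specifies the Resource ID of the Key Vault which contains the `keyVaultKeyId`.
     *
     * > **Note:** The `keyVaultId` field only needs to be specified if the Key Vault which contains the `keyVaultKeyId` exists in a different subscription than the Databricks Workspace. If the `keyVaultId` field is not specified it is assumed that the `keyVaultKeyId` is hosted in the same subscription as the Databricks Workspace. Does not apply to managed HSM vaults.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    keyVaultId?: pulumi.Input<string>;
    /**
     * The ID of the Key Vault Key to be used.
     */
    keyVaultKeyId: pulumi.Input<string>;
    /**
     * The Resource ID of the Databricks Workspace.
     */
    workspaceId: pulumi.Input<string>;
}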