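import * as pulumi from "@pulumi/pulumi";
/**
 * Manages a Backup Vault Customer Managed Key.
 *
 * !> **Note:** It is not possible to remove the Customer Managed Key from the Backup Vault once it's been added. To remove the Customer Managed Key, the parent Data Protection Backup Vault must be deleted and recreated.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleBackupVault = new azure.dataprotection.BackupVault("example", {
 *     name: "example-backup-vault",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     datastoreType: "VaultStore",
 *     redundancy: "LocallyRedundant",
 *     identity: {
 *         type: "SystemAssigned",
 *     },
 * });
 * const current = azure.core.getClientConfig({});
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "example-key-vault",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     enabledForDiskEncryption: true,
 *     tenantId: current.then(current => current.tenantId),
 *     softDeleteRetentionDays: 7,
 *     purgeProtectionEnabled: true,
 *     skuName: "standard",
 *     accessPolicies: [
 *         {
 *             tenantId: current.then(current => current.tenantId),
 *             objectId: current.then(current => current.objectId),
 *             keyPermissions: [
 *                 "Create",
 *                 "Decrypt",
 *                 "Encrypt",
 *                 "Delete",
 *                 "Get",
 *                 "List",
 *                 "Purge",
 *                 "UnwrapKey",
 *                 "WrapKey",
 *                 "Verify",
 *                 "GetRotationPolicy",
 *             ],
 *             secretPermissions: ["Set"],
 *         },
 *         {
 *             tenantId: exampleBackupVault.identity.apply(identity => identity?.tenantId),
 *             objectId: exampleBackupVault.identity.apply(identity => identity?.principalId),
 *             keyPermissions: [
 *                 "Create",
 *                 "Decrypt",
 *                 "Encrypt",
 *                 "Delete",
 *                 "Get",
 *                 "List",
 *                 "Purge",
 *                 "UnwrapKey",
 *                 "WrapKey",
 *                 "Verify",
 *                 "GetRotationPolicy",
 *             ],
 *             secretPermissions: ["Set"],
 *         },
 *     ],
 * });
 * const exampleKey = new azure.keyvault.Key("example", {
 *     name: "example-key",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "decrypt",
 *         "encrypt",
 *         "sign",
 *         "unwrapKey",
 *         "verify",
 *         "wrapKey",
 *     ],
 * });
 * const exampleBackupVaultCustomerManagedKey = new azure.dataprotection.BackupVaultCustomerManagedKey("example", {
 *     dataProtectionBackupVaultId: exampleBackupVault.id,
 *     keyVaultKeyId: exampleKey.id,
 * });
 * ```
 *
 * ## Security Considerations
 *
 * The example above gives the Backup Vault's system-assigned identity the same broad key permissions as the
 * deploying principal, including `Delete` and `Purge`, plus `Set` on secrets. A service identity that only uses
 * the key to protect backup data typically needs just `Get`, `WrapKey` and `UnwrapKey` (confirm the exact set
 * against the current Azure Backup documentation); keep destructive permissions on a separate administrative
 * principal.
 *
 * Backup data in the vault is encrypted with the referenced key, so deleting the key or revoking the vault
 * identity's access to it leaves that data unreadable. The example keeps `purgeProtectionEnabled: true` on the
 * Key Vault for that reason; `softDeleteRetentionDays: 7` is the shortest retention Key Vault accepts and is
 * worth raising outside of test environments.
 *
 * ## API Providers
 *
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.DataProtection` - 2025-07-01
 *
 * ## Import
 *
 * Backup Vault Customer Managed Keys can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:dataprotection/backupVaultCustomerManagedKey:BackupVaultCustomerManagedKey example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.DataProtection/backupVaults/vault1
 * ```
 */
export declare class BackupVaultCustomerManagedKey extends pulumi.CustomResource {
    /**
     * Get an existing BackupVaultCustomerManagedKey resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns The resource object bound to the existing provider resource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BackupVaultCustomerManagedKeyState, opts?: pulumi.CustomResourceOptions): BackupVaultCustomerManagedKey;
    /**
     * Returns true if the given object is an instance of BackupVaultCustomerManagedKey. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test.
     */
    static isInstance(obj: any): obj is BackupVaultCustomerManagedKey;
    /**
     * The ID of the Backup Vault. Changing this forces a new resource to be created.
     */
    readonly dataProtectionBackupVaultId: pulumi.Output<string>;
    /**
     * The ID of the Key Vault Key which should be used to Encrypt the data in this Backup Vault.
     */
    readonly keyVaultKeyId: pulumi.Output<string>;
    /**
     * Create a BackupVaultCustomerManagedKey resource with the given unique name, arguments, and options.
     *
     * Once created, the Customer Managed Key cannot be detached from the Backup Vault; removing it requires
     * deleting and recreating the parent vault.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: BackupVaultCustomerManagedKeyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering BackupVaultCustomerManagedKey resources.
 */
export interface BackupVaultCustomerManagedKeyState {
    /**
     * The ID of the Backup Vault. Changing this forces a new resource to be created.
     */
    dataProtectionBackupVaultId?: pulumi.Input<string>;
    /**
     * The ID of the Key Vault Key which should be used to Encrypt the data in this Backup Vault.
     */
    keyVaultKeyId?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a BackupVaultCustomerManagedKey resource.
 */
export interface BackupVaultCustomerManagedKeyArgs {
    /**
     * The ID of the Backup Vault. Changing this forces a new resource to be created.
     */
    dataProtectionBackupVaultId: pulumi.Input<string>;
    /**
     * The ID of the Key Vault Key which should be used to Encrypt the data in this Backup Vault.
     */
    keyVaultKeyId: pulumi.Input<string>;
}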