import * as pulumi from "@pulumi/pulumi"; /** * Manages a Customer Managed Key for a EventHub Namespace. * * !> **Note:** In 2.x versions of the Azure Provider during deletion this resource will **delete and recreate the parent EventHub Namespace which may involve data loss** as it's not possible to remove the Customer Managed Key from the EventHub Namespace once it's been added. Version 3.0 of the Azure Provider will change this so that the Delete operation is a noop, requiring the parent EventHub Namespace is deleted/recreated to remove the Customer Managed Key. * * ## Example Usage * * ### With System Assigned Identity * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azure from "@pulumi/azure"; * * const example = new azure.core.ResourceGroup("example", { * name: "example-resources", * location: "West Europe", * }); * const exampleCluster = new azure.eventhub.Cluster("example", { * name: "example-cluster", * resourceGroupName: example.name, * location: example.location, * skuName: "Dedicated_1", * }); * const exampleEventHubNamespace = new azure.eventhub.EventHubNamespace("example", { * name: "example-namespace", * location: example.location, * resourceGroupName: example.name, * sku: "Standard", * dedicatedClusterId: exampleCluster.id, * identity: { * type: "SystemAssigned", * }, * }); * const current = azure.core.getClientConfig({}); * const exampleKeyVault = new azure.keyvault.KeyVault("example", { * name: "examplekv", * location: example.location, * resourceGroupName: example.name, * tenantId: current.then(current => current.tenantId), * skuName: "standard", * purgeProtectionEnabled: true, * }); * const exampleAccessPolicy = new azure.keyvault.AccessPolicy("example", { * keyVaultId: exampleKeyVault.id, * tenantId: exampleEventHubNamespace.identity.apply(identity => identity?.tenantId), * objectId: exampleEventHubNamespace.identity.apply(identity => identity?.principalId), * keyPermissions: [ * "Get", * "UnwrapKey", * "WrapKey", * ], * }); * const example2 = new azure.keyvault.AccessPolicy("example2", { * keyVaultId: exampleKeyVault.id, * tenantId: current.then(current => current.tenantId), * objectId: current.then(current => current.objectId), * keyPermissions: [ * "Create", * "Delete", * "Get", * "List", * "Purge", * "Recover", * "GetRotationPolicy", * ], * }); * const exampleKey = new azure.keyvault.Key("example", { * name: "examplekvkey", * keyVaultId: exampleKeyVault.id, * keyType: "RSA", * keySize: 2048, * keyOpts: [ * "decrypt", * "encrypt", * "sign", * "unwrapKey", * "verify", * "wrapKey", * ], * }, { * dependsOn: [ * exampleAccessPolicy, * example2, * ], * }); * const exampleNamespaceCustomerManagedKey = new azure.eventhub.NamespaceCustomerManagedKey("example", { * eventhubNamespaceId: exampleEventHubNamespace.id, * keyVaultKeyIds: [exampleKey.id], * }); * ``` * * ### With User Assigned Identity * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azure from "@pulumi/azure"; * * const example = new azure.core.ResourceGroup("example", { * name: "example-resources", * location: "West Europe", * }); * const exampleCluster = new azure.eventhub.Cluster("example", { * name: "example-cluster", * resourceGroupName: example.name, * location: example.location, * skuName: "Dedicated_1", * }); * const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", { * location: example.location, * name: "example", * resourceGroupName: example.name, * }); * const exampleEventHubNamespace = new azure.eventhub.EventHubNamespace("example", { * name: "example-namespace", * location: example.location, * resourceGroupName: example.name, * sku: "Standard", * dedicatedClusterId: exampleCluster.id, * identity: { * type: "UserAssigned", * identityIds: [exampleUserAssignedIdentity.id], * }, * }); * const current = azure.core.getClientConfig({}); * const exampleKeyVault = new azure.keyvault.KeyVault("example", { * name: "examplekv", * location: example.location, * resourceGroupName: example.name, * tenantId: current.then(current => current.tenantId), * skuName: "standard", * purgeProtectionEnabled: true, * }); * const exampleAccessPolicy = new azure.keyvault.AccessPolicy("example", { * keyVaultId: exampleKeyVault.id, * tenantId: test.tenantId, * objectId: test.principalId, * keyPermissions: [ * "Get", * "UnwrapKey", * "WrapKey", * ], * }); * const example2 = new azure.keyvault.AccessPolicy("example2", { * keyVaultId: exampleKeyVault.id, * tenantId: current.then(current => current.tenantId), * objectId: current.then(current => current.objectId), * keyPermissions: [ * "Create", * "Delete", * "Get", * "List", * "Purge", * "Recover", * "GetRotationPolicy", * ], * }); * const exampleKey = new azure.keyvault.Key("example", { * name: "examplekvkey", * keyVaultId: exampleKeyVault.id, * keyType: "RSA", * keySize: 2048, * keyOpts: [ * "decrypt", * "encrypt", * "sign", * "unwrapKey", * "verify", * "wrapKey", * ], * }, { * dependsOn: [ * exampleAccessPolicy, * example2, * ], * }); * const exampleNamespaceCustomerManagedKey = new azure.eventhub.NamespaceCustomerManagedKey("example", { * eventhubNamespaceId: exampleEventHubNamespace.id, * keyVaultKeyIds: [exampleKey.id], * userAssignedIdentityId: exampleUserAssignedIdentity.id, * }); * ``` * * ## API Providers * * * This resource uses the following Azure API Providers: * * * `Microsoft.EventHub` - 2024-01-01 * * ## Import * * Customer Managed Keys for a EventHub Namespace can be imported using the `resource id`, e.g. * * ```sh * $ pulumi import azure:eventhub/namespaceCustomerManagedKey:NamespaceCustomerManagedKey example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.EventHub/namespaces/namespace1 * ``` */ export declare class NamespaceCustomerManagedKey extends pulumi.CustomResource { /** * Get an existing NamespaceCustomerManagedKey resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: NamespaceCustomerManagedKeyState, opts?: pulumi.CustomResourceOptions): NamespaceCustomerManagedKey; /** * Returns true if the given object is an instance of NamespaceCustomerManagedKey. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is NamespaceCustomerManagedKey; /** * The ID of the EventHub Namespace. Changing this forces a new resource to be created. */ readonly eventhubNamespaceId: pulumi.Output; /** * Whether to enable Infrastructure Encryption (Double Encryption). Changing this forces a new resource to be created. */ readonly infrastructureEncryptionEnabled: pulumi.Output; /** * The list of keys of Key Vault. */ readonly keyVaultKeyIds: pulumi.Output; /** * The ID of a User Managed Identity that will be used to access Key Vaults that contain the encryption keys. * * > **Note:** If using `userAssignedIdentityId`, ensure the User Assigned Identity is also assigned to the parent Event Hub. * * > **Note:** If using `userAssignedIdentityId`, make sure to assign the identity the appropriate permissions to access the Key Vault key. Failure to grant `Get, UnwrapKey, and WrapKey` will cause this resource to fail to apply. */ readonly userAssignedIdentityId: pulumi.Output; /** * Create a NamespaceCustomerManagedKey resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: NamespaceCustomerManagedKeyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering NamespaceCustomerManagedKey resources. */ export interface NamespaceCustomerManagedKeyState { /** * The ID of the EventHub Namespace. Changing this forces a new resource to be created. */ eventhubNamespaceId?: pulumi.Input; /** * Whether to enable Infrastructure Encryption (Double Encryption). Changing this forces a new resource to be created. */ infrastructureEncryptionEnabled?: pulumi.Input; /** * The list of keys of Key Vault. */ keyVaultKeyIds?: pulumi.Input[]>; /** * The ID of a User Managed Identity that will be used to access Key Vaults that contain the encryption keys. * * > **Note:** If using `userAssignedIdentityId`, ensure the User Assigned Identity is also assigned to the parent Event Hub. * * > **Note:** If using `userAssignedIdentityId`, make sure to assign the identity the appropriate permissions to access the Key Vault key. Failure to grant `Get, UnwrapKey, and WrapKey` will cause this resource to fail to apply. */ userAssignedIdentityId?: pulumi.Input; } /** * The set of arguments for constructing a NamespaceCustomerManagedKey resource. */ export interface NamespaceCustomerManagedKeyArgs { /** * The ID of the EventHub Namespace. Changing this forces a new resource to be created. */ eventhubNamespaceId: pulumi.Input; /** * Whether to enable Infrastructure Encryption (Double Encryption). Changing this forces a new resource to be created. */ infrastructureEncryptionEnabled?: pulumi.Input; /** * The list of keys of Key Vault. */ keyVaultKeyIds: pulumi.Input[]>; /** * The ID of a User Managed Identity that will be used to access Key Vaults that contain the encryption keys. * * > **Note:** If using `userAssignedIdentityId`, ensure the User Assigned Identity is also assigned to the parent Event Hub. * * > **Note:** If using `userAssignedIdentityId`, make sure to assign the identity the appropriate permissions to access the Key Vault key. Failure to grant `Get, UnwrapKey, and WrapKey` will cause this resource to fail to apply. */ userAssignedIdentityId?: pulumi.Input; }