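import * as pulumi from "@pulumi/pulumi";
/**
 * Manages a NetApp Account Encryption Resource.
 *
 * For more information about Azure NetApp Files Customer-Managed Keys feature, please refer to [Configure customer-managed keys for Azure NetApp Files volume encryption](https://learn.microsoft.com/en-us/azure/azure-netapp-files/configure-customer-managed-keys)
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const current = azure.core.getClientConfig({});
 * const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
 *     name: "anf-user-assigned-identity",
 *     location: example.location,
 *     resourceGroupName: example.name,
 * });
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "anfcmkakv",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     enabledForDiskEncryption: true,
 *     enabledForDeployment: true,
 *     enabledForTemplateDeployment: true,
 *     purgeProtectionEnabled: true,
 *     tenantId: "00000000-0000-0000-0000-000000000000",
 *     skuName: "standard",
 *     accessPolicies: [
 *         {
 *             tenantId: "00000000-0000-0000-0000-000000000000",
 *             objectId: current.then(current => current.objectId),
 *             keyPermissions: [
 *                 "Get",
 *                 "Create",
 *                 "Delete",
 *                 "WrapKey",
 *                 "UnwrapKey",
 *                 "GetRotationPolicy",
 *                 "SetRotationPolicy",
 *             ],
 *         },
 *         {
 *             tenantId: "00000000-0000-0000-0000-000000000000",
 *             objectId: exampleUserAssignedIdentity.principalId,
 *             keyPermissions: [
 *                 "Get",
 *                 "Encrypt",
 *                 "Decrypt",
 *             ],
 *         },
 *     ],
 * });
 * const exampleKey = new azure.keyvault.Key("example", {
 *     name: "anfencryptionkey",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "decrypt",
 *         "encrypt",
 *         "sign",
 *         "unwrapKey",
 *         "verify",
 *         "wrapKey",
 *     ],
 * });
 * const exampleAccount = new azure.netapp.Account("example", {
 *     name: "netappaccount",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     identity: {
 *         type: "UserAssigned",
 *         identityIds: [exampleUserAssignedIdentity.id],
 *     },
 * });
 * const exampleAccountEncryption = new azure.netapp.AccountEncryption("example", {
 *     netappAccountId: exampleAccount.id,
 *     userAssignedIdentityId: exampleUserAssignedIdentity.id,
 *     encryptionKey: exampleKey.versionlessId,
 *     federatedClientId: exampleUserAssignedIdentity.clientId,
 * });
 * ```
 *
 * ## Cross-Tenant Usage
 *
 * For scenarios where the key vault is in a different Entra ID tenant:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const crossTenant = new azure.netapp.AccountEncryption("cross_tenant", {
 *     netappAccountId: example.id,
 *     userAssignedIdentityId: exampleAzurermUserAssignedIdentity.id,
 *     encryptionKey: "https://keyvault-in-other-tenant.vault.azure.net/keys/encryption-key",
 *     federatedClientId: "12345678-1234-1234-1234-123456789012",
 *     crossTenantKeyVaultResourceId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/remote-rg/providers/Microsoft.KeyVault/vaults/keyvault-in-other-tenant",
 * });
 * ```
 *
 * ## Security Considerations
 *
 * * With customer-managed keys, access to the encrypted volumes depends on the key staying available to the
 *   identity configured here. The example vault sets `purgeProtectionEnabled: true`; keep it enabled and check
 *   the Microsoft article linked above for the full list of vault prerequisites.
 * * In the example, the access policy for the managed identity is limited to `Get`, `Encrypt` and `Decrypt`.
 *   Keep that policy as narrow as shown. The broader policy (`Create`, `Delete`, rotation-policy permissions)
 *   belongs to the principal that deploys the key, not to the identity the NetApp account uses.
 * * `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` open the vault to
 *   other Azure services. None of this resource's arguments refer to them, so they look unrelated to account
 *   encryption; confirm against the Microsoft article and leave them off if they are not needed.
 * * The tenant IDs, subscription IDs, client ID and vault URL in the examples are placeholders. Replace them
 *   with values from your own environment rather than committing real identifiers into shared examples.
 * * In the cross-tenant case, set `crossTenantKeyVaultResourceId` together with `federatedClientId` so that
 *   Azure can validate which vault the key belongs to.
 *
 * ## API Providers
 *
 * <!-- This section is generated, changes will be overwritten -->
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.NetApp` - 2025-12-01
 *
 * ## Import
 *
 * Account Encryption Resources can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:netapp/accountEncryption:AccountEncryption example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.NetApp/netAppAccounts/account1
 * ```
 */
export declare class AccountEncryption extends pulumi.CustomResource {
    /**
     * Get an existing AccountEncryption resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountEncryptionState, opts?: pulumi.CustomResourceOptions): AccountEncryption;
    /**
     * Returns true if the given object is an instance of AccountEncryption. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is AccountEncryption;
    /**
     * The full resource ID of the cross-tenant key vault. This is recommended when using `federatedClientId` for cross-tenant scenarios to ensure proper validation by Azure APIs.
     */
    readonly crossTenantKeyVaultResourceId: pulumi.Output<string | undefined>;
    /**
     * Specify the versionless ID of the encryption key. A versionless ID names the key without pinning one
     * key version (the example passes the key's `versionlessId`).
     */
    readonly encryptionKey: pulumi.Output<string>;
    /**
     * The Client ID of the multi-tenant Entra ID application used to access cross-tenant key vaults. This is only required when accessing a key vault in a different tenant than the NetApp account.
     */
    readonly federatedClientId: pulumi.Output<string | undefined>;
    /**
     * The ID of the NetApp account whose volumes will have customer-managed key encryption enabled.
     */
    readonly netappAccountId: pulumi.Output<string>;
    /**
     * The ID of the System Assigned Managed Identity. Conflicts with `userAssignedIdentityId`.
     */
    readonly systemAssignedIdentityPrincipalId: pulumi.Output<string | undefined>;
    /**
     * The ID of the User Assigned Managed Identity. Conflicts with `systemAssignedIdentityPrincipalId`.
     */
    readonly userAssignedIdentityId: pulumi.Output<string | undefined>;
    /**
     * Create an AccountEncryption resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AccountEncryptionArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering AccountEncryption resources.
 */
export interface AccountEncryptionState {
    /**
     * The full resource ID of the cross-tenant key vault. This is recommended when using `federatedClientId` for cross-tenant scenarios to ensure proper validation by Azure APIs.
     */
    crossTenantKeyVaultResourceId?: pulumi.Input<string>;
    /**
     * Specify the versionless ID of the encryption key. A versionless ID names the key without pinning one
     * key version (the example passes the key's `versionlessId`).
     */
    encryptionKey?: pulumi.Input<string>;
    /**
     * The Client ID of the multi-tenant Entra ID application used to access cross-tenant key vaults. This is only required when accessing a key vault in a different tenant than the NetApp account.
     */
    federatedClientId?: pulumi.Input<string>;
    /**
     * The ID of the NetApp account whose volumes will have customer-managed key encryption enabled.
     */
    netappAccountId?: pulumi.Input<string>;
    /**
     * The ID of the System Assigned Managed Identity. Conflicts with `userAssignedIdentityId`.
     */
    systemAssignedIdentityPrincipalId?: pulumi.Input<string>;
    /**
     * The ID of the User Assigned Managed Identity. Conflicts with `systemAssignedIdentityPrincipalId`.
     */
    userAssignedIdentityId?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing an AccountEncryption resource.
 *
 * `systemAssignedIdentityPrincipalId` and `userAssignedIdentityId` are documented as conflicting, but both
 * are plain optional properties here, so the compiler will not reject an object that sets both.
 */
export interface AccountEncryptionArgs {
    /**
     * The full resource ID of the cross-tenant key vault. This is recommended when using `federatedClientId` for cross-tenant scenarios to ensure proper validation by Azure APIs.
     */
    crossTenantKeyVaultResourceId?: pulumi.Input<string>;
    /**
     * Specify the versionless ID of the encryption key. A versionless ID names the key without pinning one
     * key version (the example passes the key's `versionlessId`).
     */
    encryptionKey: pulumi.Input<string>;
    /**
     * The Client ID of the multi-tenant Entra ID application used to access cross-tenant key vaults. This is only required when accessing a key vault in a different tenant than the NetApp account.
     */
    federatedClientId?: pulumi.Input<string>;
    /**
     * The ID of the NetApp account whose volumes will have customer-managed key encryption enabled.
     */
    netappAccountId: pulumi.Input<string>;
    /**
     * The ID of the System Assigned Managed Identity. Conflicts with `userAssignedIdentityId`.
     */
    systemAssignedIdentityPrincipalId?: pulumi.Input<string>;
    /**
     * The ID of the User Assigned Managed Identity. Conflicts with `systemAssignedIdentityPrincipalId`.
     */
    userAssignedIdentityId?: pulumi.Input<string>;
}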