import * as pulumi from "@pulumi/pulumi";
/**
 * Manages a Customer Managed Key for a Storage Account.
 *
 * > **Note:** It's possible to define a Customer Managed Key both within the `azure.storage.Account` resource via the `customerManagedKey` block and by using the `azure.storage.CustomerManagedKey` resource. However it's not possible to use both methods to manage a Customer Managed Key for a Storage Account, since there'll be conflicts.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "examplekv",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     tenantId: current.then(current => current.tenantId),
 *     skuName: "standard",
 *     purgeProtectionEnabled: true,
 * });
 * const exampleAccount = new azure.storage.Account("example", {
 *     name: "examplestor",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     accountTier: "Standard",
 *     accountReplicationType: "GRS",
 *     identity: {
 *         type: "SystemAssigned",
 *     },
 * });
 * const storage = new azure.keyvault.AccessPolicy("storage", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: current.then(current => current.tenantId),
 *     objectId: exampleAccount.identity.apply(identity => identity?.principalId),
 *     secretPermissions: ["Get"],
 *     keyPermissions: [
 *         "Get",
 *         "UnwrapKey",
 *         "WrapKey",
 *     ],
 * });
 * const client = new azure.keyvault.AccessPolicy("client", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: current.then(current => current.tenantId),
 *     objectId: current.then(current => current.objectId),
 *     secretPermissions: ["Get"],
 *     keyPermissions: [
 *         "Get",
 *         "Create",
 *         "Delete",
 *         "List",
 *         "Restore",
 *         "Recover",
 *         "UnwrapKey",
 *         "WrapKey",
 *         "Purge",
 *         "Encrypt",
 *         "Decrypt",
 *         "Sign",
 *         "Verify",
 *         "GetRotationPolicy",
 *         "SetRotationPolicy",
 *     ],
 * });
 * const exampleKey = new azure.keyvault.Key("example", {
 *     name: "tfex-key",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "decrypt",
 *         "encrypt",
 *         "sign",
 *         "unwrapKey",
 *         "verify",
 *         "wrapKey",
 *     ],
 * }, {
 *     dependsOn: [
 *         client,
 *         storage,
 *     ],
 * });
 * const exampleCustomerManagedKey = new azure.storage.CustomerManagedKey("example", {
 *     storageAccountId: exampleAccount.id,
 *     keyVaultKeyId: exampleKey.id,
 * });
 * ```
 *
 * ## API Providers
 *
 * <!-- This section is generated, changes will be overwritten -->
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Storage` - 2025-06-01
 *
 * ## Import
 *
 * Customer Managed Keys for a Storage Account can be imported using the `resource id` of the Storage Account, e.g.
 *
 * ```sh
 * $ pulumi import azure:storage/customerManagedKey:CustomerManagedKey example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/myaccount
 * ```
 */
export declare class CustomerManagedKey extends pulumi.CustomResource {
    /**
     * Get an existing CustomerManagedKey resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CustomerManagedKeyState, opts?: pulumi.CustomResourceOptions): CustomerManagedKey;
    /**
     * Returns true if the given object is an instance of CustomerManagedKey.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is CustomerManagedKey;
    /**
     * The Client ID of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
     */
    readonly federatedIdentityClientId: pulumi.Output<string | undefined>;
    /**
     * @deprecated `keyName` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    readonly keyName: pulumi.Output<string>;
    /**
     * @deprecated `keyVaultId` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    readonly keyVaultId: pulumi.Output<string>;
    /**
     * The ID of the Key Vault Key.
     */
    readonly keyVaultKeyId: pulumi.Output<string>;
    /**
     * @deprecated `keyVaultUri` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    readonly keyVaultUri: pulumi.Output<string>;
    /**
     * @deprecated `keyVersion` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    readonly keyVersion: pulumi.Output<string>;
    /**
     * @deprecated `managedHsmKeyId` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    readonly managedHsmKeyId: pulumi.Output<string>;
    /**
     * The ID of the Storage Account. Changing this forces a new resource to be created.
     */
    readonly storageAccountId: pulumi.Output<string>;
    /**
     * The ID of a user assigned identity.
     */
    readonly userAssignedIdentityId: pulumi.Output<string | undefined>;
    /**
     * Create a CustomerManagedKey resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: CustomerManagedKeyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering CustomerManagedKey resources.
 */
export interface CustomerManagedKeyState {
    /**
     * The Client ID of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
     */
    federatedIdentityClientId?: pulumi.Input<string>;
    /**
     * @deprecated `keyName` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyName?: pulumi.Input<string>;
    /**
     * @deprecated `keyVaultId` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyVaultId?: pulumi.Input<string>;
    /**
     * The ID of the Key Vault Key.
     */
    keyVaultKeyId?: pulumi.Input<string>;
    /**
     * @deprecated `keyVaultUri` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyVaultUri?: pulumi.Input<string>;
    /**
     * @deprecated `keyVersion` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyVersion?: pulumi.Input<string>;
    /**
     * @deprecated `managedHsmKeyId` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    managedHsmKeyId?: pulumi.Input<string>;
    /**
     * The ID of the Storage Account. Changing this forces a new resource to be created.
     */
    storageAccountId?: pulumi.Input<string>;
    /**
     * The ID of a user assigned identity.
     */
    userAssignedIdentityId?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a CustomerManagedKey resource.
 */
export interface CustomerManagedKeyArgs {
    /**
     * The Client ID of the multi-tenant application to be used in conjunction with the user-assigned identity for cross-tenant customer-managed-keys server-side encryption on the storage account.
     */
    federatedIdentityClientId?: pulumi.Input<string>;
    /**
     * @deprecated `keyName` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyName?: pulumi.Input<string>;
    /**
     * @deprecated `keyVaultId` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyVaultId?: pulumi.Input<string>;
    /**
     * The ID of the Key Vault Key.
     */
    keyVaultKeyId?: pulumi.Input<string>;
    /**
     * @deprecated `keyVaultUri` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyVaultUri?: pulumi.Input<string>;
    /**
     * @deprecated `keyVersion` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    keyVersion?: pulumi.Input<string>;
    /**
     * @deprecated `managedHsmKeyId` has been deprecated in favour of `keyVaultKeyId` and will be removed in v5.0 of the AzureRM provider
     */
    managedHsmKeyId?: pulumi.Input<string>;
    /**
     * The ID of the Storage Account. Changing this forces a new resource to be created.
     */
    storageAccountId: pulumi.Input<string>;
    /**
     * The ID of a user assigned identity.
     */
    userAssignedIdentityId?: pulumi.Input<string>;
}