
getPolicyDocument

This is a data source that constructs an HCL representation of a Vault policy document, for use with resources that expect policy documents, such as the vault.Policy resource.

Example Usage

C#

using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var examplePolicyDocument = Output.Create(Vault.GetPolicyDocument.InvokeAsync(new Vault.GetPolicyDocumentArgs
        {
            Rules = 
            {
                new Vault.Inputs.GetPolicyDocumentRuleArgs
                {
                    Capabilities = 
                    {
                        "create",
                        "read",
                        "update",
                        "delete",
                        "list",
                    },
                    Description = "allow all on secrets",
                    Path = "secret/*",
                },
            },
        }));
        var examplePolicy = new Vault.Policy("examplePolicy", new Vault.PolicyArgs
        {
            Policy = examplePolicyDocument.Apply(examplePolicyDocument => examplePolicyDocument.Hcl),
        });
    }
}

Go

package main

import (
    "github.com/pulumi/pulumi-vault/sdk/v3/go/vault"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        examplePolicyDocument, err := vault.GetPolicyDocument(ctx, &vault.GetPolicyDocumentArgs{
            Rules: []vault.GetPolicyDocumentRule{
                vault.GetPolicyDocumentRule{
                    Capabilities: []string{
                        "create",
                        "read",
                        "update",
                        "delete",
                        "list",
                    },
                    Description: "allow all on secrets",
                    Path:        "secret/*",
                },
            },
        }, nil)
        if err != nil {
            return err
        }
        _, err = vault.NewPolicy(ctx, "examplePolicy", &vault.PolicyArgs{
            Policy: pulumi.String(examplePolicyDocument.Hcl),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

Python

import pulumi
import pulumi_vault as vault

example_policy_document = vault.get_policy_document(rules=[vault.GetPolicyDocumentRuleArgs(
    capabilities=[
        "create",
        "read",
        "update",
        "delete",
        "list",
    ],
    description="allow all on secrets",
    path="secret/*",
)])
example_policy = vault.Policy("examplePolicy", policy=example_policy_document.hcl)

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const examplePolicyDocument = pulumi.output(vault.getPolicyDocument({
    rules: [{
        capabilities: [
            "create",
            "read",
            "update",
            "delete",
            "list",
        ],
        description: "allow all on secrets",
        path: "secret/*",
    }],
}, { async: true }));
const examplePolicy = new vault.Policy("example", {
    policy: examplePolicyDocument.hcl,
});

Using getPolicyDocument

function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
def get_policy_document(rules: Optional[Sequence[GetPolicyDocumentRuleArgs]] = None, opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)

Note: This function is named GetPolicyDocument in the Go SDK.

public static class GetPolicyDocument {
    public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
}

The following arguments are supported:

getPolicyDocument Result

The following output properties are available:

C#

Hcl string

The above arguments serialized as a standard Vault HCL policy document.

Id string

The provider-assigned unique ID for this managed resource.

Rules List<GetPolicyDocumentRule>

Go

Hcl string

The above arguments serialized as a standard Vault HCL policy document.

Id string

The provider-assigned unique ID for this managed resource.

Rules []GetPolicyDocumentRule

TypeScript

hcl string

The above arguments serialized as a standard Vault HCL policy document.

id string

The provider-assigned unique ID for this managed resource.

rules GetPolicyDocumentRule[]

Python

hcl str

The above arguments serialized as a standard Vault HCL policy document.

id str

The provider-assigned unique ID for this managed resource.

rules Sequence[GetPolicyDocumentRule]

Supporting Types

GetPolicyDocumentRule

C#

Capabilities List<string>

A list of capabilities that this rule applies to the path. For example, ["read", "write"].

Path string

A path in Vault that this rule applies to.

AllowedParameters List<GetPolicyDocumentRuleAllowedParameterArgs>

Lists the parameter keys and values that are permitted on the given path. See Parameters below.

DeniedParameters List<GetPolicyDocumentRuleDeniedParameterArgs>

Lists parameter keys and values that are denied. Any values specified here take precedence over allowed_parameters. See Parameters below.

Description string

Description of the rule. It will be added as a comment to the rendered rule.

MaxWrappingTtl string

The maximum allowed TTL that clients can specify for a wrapped response.

MinWrappingTtl string

The minimum allowed TTL that clients can specify for a wrapped response.

RequiredParameters List<string>

A list of parameters that must be specified.

Go

Capabilities []string

A list of capabilities that this rule applies to the path. For example, ["read", "write"].

Path string

A path in Vault that this rule applies to.

AllowedParameters []GetPolicyDocumentRuleAllowedParameter

Lists the parameter keys and values that are permitted on the given path. See Parameters below.

DeniedParameters []GetPolicyDocumentRuleDeniedParameter

Lists parameter keys and values that are denied. Any values specified here take precedence over allowed_parameters. See Parameters below.

Description string

Description of the rule. It will be added as a comment to the rendered rule.

MaxWrappingTtl string

The maximum allowed TTL that clients can specify for a wrapped response.

MinWrappingTtl string

The minimum allowed TTL that clients can specify for a wrapped response.

RequiredParameters []string

A list of parameters that must be specified.

TypeScript

capabilities string[]

A list of capabilities that this rule applies to the path. For example, ["read", "write"].

path string

A path in Vault that this rule applies to.

allowedParameters GetPolicyDocumentRuleAllowedParameter[]

Lists the parameter keys and values that are permitted on the given path. See Parameters below.

deniedParameters GetPolicyDocumentRuleDeniedParameter[]

Lists parameter keys and values that are denied. Any values specified here take precedence over allowed_parameters. See Parameters below.

description string

Description of the rule. It will be added as a comment to the rendered rule.

maxWrappingTtl string

The maximum allowed TTL that clients can specify for a wrapped response.

minWrappingTtl string

The minimum allowed TTL that clients can specify for a wrapped response.

requiredParameters string[]

A list of parameters that must be specified.

Python

capabilities Sequence[str]

A list of capabilities that this rule applies to the path. For example, ["read", "write"].

path str

A path in Vault that this rule applies to.

allowed_parameters Sequence[GetPolicyDocumentRuleAllowedParameterArgs]

Lists the parameter keys and values that are permitted on the given path. See Parameters below.

denied_parameters Sequence[GetPolicyDocumentRuleDeniedParameterArgs]

Lists parameter keys and values that are denied. Any values specified here take precedence over allowed_parameters. See Parameters below.

description str

Description of the rule. It will be added as a comment to the rendered rule.

max_wrapping_ttl str

The maximum allowed TTL that clients can specify for a wrapped response.

min_wrapping_ttl str

The minimum allowed TTL that clients can specify for a wrapped response.

required_parameters Sequence[str]

A list of parameters that must be specified.

GetPolicyDocumentRuleAllowedParameter

C#

Key string

Name of the permitted or denied parameter.

Values List<string>

List of values that are permitted or denied by the policy rule.

Go

Key string

Name of the permitted or denied parameter.

Values []string

List of values that are permitted or denied by the policy rule.

TypeScript

key string

Name of the permitted or denied parameter.

values string[]

List of values that are permitted or denied by the policy rule.

Python

key str

Name of the permitted or denied parameter.

values Sequence[str]

List of values that are permitted or denied by the policy rule.

GetPolicyDocumentRuleDeniedParameter

C#

Key string

Name of the permitted or denied parameter.

Values List<string>

List of values that are permitted or denied by the policy rule.

Go

Key string

Name of the permitted or denied parameter.

Values []string

List of values that are permitted or denied by the policy rule.

TypeScript

key string

Name of the permitted or denied parameter.

values string[]

List of values that are permitted or denied by the policy rule.

Python

key str

Name of the permitted or denied parameter.

values Sequence[str]

List of values that are permitted or denied by the policy rule.
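As an added example that is not part of this page, the Pulumi SDK or the Vault provider: a stand-alone Python renderer that takes rules in the shape getPolicyDocument accepts (path, capabilities, description, allowed/denied/required parameters, wrapping TTLs) and emits the HCL a vault.Policy expects, plus a least-privilege check that flags wildcard paths granting write capabilities with no parameter limits, as in the "secret/*" example above. The exact HCL layout is an assumption, and the Rule class, render_policy and overly_broad are names introduced here.

```python
# Added example (not Pulumi's or the Vault provider's own code): renders rules in the
# shape getPolicyDocument takes into HCL (layout approximated) and lints for broad grants.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    path: str
    capabilities: List[str]
    description: Optional[str] = None
    allowed_parameters: Dict[str, List[str]] = field(default_factory=dict)
    denied_parameters: Dict[str, List[str]] = field(default_factory=dict)
    required_parameters: List[str] = field(default_factory=list)
    min_wrapping_ttl: Optional[str] = None
    max_wrapping_ttl: Optional[str] = None

def _hcl_list(items: List[str]) -> str:
    return "[" + ", ".join(f'"{i}"' for i in items) + "]"

def _hcl_map(name: str, mapping: Dict[str, List[str]]) -> List[str]:
    # An empty value list means "any value" for that key, as in Vault's allowed_parameters.
    body = [f'    "{k}" = {_hcl_list(v)}' for k, v in mapping.items()]
    return [f"  {name} = {{"] + body + ["  }"]

def render_policy(rules: List[Rule]) -> str:
    """Serialize rules as a Vault HCL policy; the description becomes a comment."""
    out: List[str] = []
    for r in rules:
        if r.description:
            out.append(f"# {r.description}")
        out.append(f'path "{r.path}" {{')
        out.append(f"  capabilities = {_hcl_list(r.capabilities)}")
        if r.allowed_parameters:
            out += _hcl_map("allowed_parameters", r.allowed_parameters)
        if r.denied_parameters:
            out += _hcl_map("denied_parameters", r.denied_parameters)
        if r.required_parameters:
            out.append(f"  required_parameters = {_hcl_list(r.required_parameters)}")
        for attr in ("min_wrapping_ttl", "max_wrapping_ttl"):
            if getattr(r, attr):
                out.append(f'  {attr} = "{getattr(r, attr)}"')
        out.append("}\n")
    return "\n".join(out)

def overly_broad(rules: List[Rule]) -> List[str]:
    """Paths of wildcard rules that grant write capabilities with no parameter limits."""
    write_caps = {"create", "update", "delete", "sudo"}
    return [r.path for r in rules
            if r.path.endswith("*") and write_caps & set(r.capabilities)
            and not (r.allowed_parameters or r.denied_parameters)]
```

Running overly_broad over the rules before handing the rendered document to vault.Policy catches the "allow all on secrets" pattern at plan time rather than after the policy is live.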

Package Details

Repository
https://github.com/pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.