getPolicyDocument

This is a data source which can be used to construct a HCL representation of an Vault policy document, for use with resources which expect policy documents, such as the vault.Policy resource.

Example Usage

using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var examplePolicyDocument = Output.Create(Vault.GetPolicyDocument.InvokeAsync(new Vault.GetPolicyDocumentArgs
        {
            Rules = 
            {
                new Vault.Inputs.GetPolicyDocumentRuleArgs
                {
                    Capabilities = 
                    {
                        "create",
                        "read",
                        "update",
                        "delete",
                        "list",
                    },
                    Description = "allow all on secrets",
                    Path = "secret/*",
                },
            },
        }));
        var examplePolicy = new Vault.Policy("examplePolicy", new Vault.PolicyArgs
        {
            Policy = examplePolicyDocument.Apply(examplePolicyDocument => examplePolicyDocument.Hcl),
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-vault/sdk/v3/go/vault"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        examplePolicyDocument, err := vault.GetPolicyDocument(ctx, &vault.GetPolicyDocumentArgs{
            Rules: []vault.GetPolicyDocumentRule{
                vault.GetPolicyDocumentRule{
                    Capabilities: []string{
                        "create",
                        "read",
                        "update",
                        "delete",
                        "list",
                    },
                    Description: "allow all on secrets",
                    Path:        "secret/*",
                },
            },
        }, nil)
        if err != nil {
            return err
        }
        _, err = vault.NewPolicy(ctx, "examplePolicy", &vault.PolicyArgs{
            Policy: pulumi.String(examplePolicyDocument.Hcl),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_vault as vault

example_policy_document = vault.get_policy_document(rules=[vault.GetPolicyDocumentRuleArgs(
    capabilities=[
        "create",
        "read",
        "update",
        "delete",
        "list",
    ],
    description="allow all on secrets",
    path="secret/*",
)])
example_policy = vault.Policy("examplePolicy", policy=example_policy_document.hcl)

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const examplePolicyDocument = pulumi.output(vault.getPolicyDocument({
    rules: [{
        capabilities: [
            "create",
            "read",
            "update",
            "delete",
            "list",
        ],
        description: "allow all on secrets",
        path: "secret/*",
    }],
}, { async: true }));
const examplePolicy = new vault.Policy("example", {
    policy: examplePolicyDocument.hcl,
});

Using getPolicyDocument

function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>

def get_policy_document(rules: Optional[Sequence[GetPolicyDocumentRuleArgs]] = None, opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult

func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)

Note: This function is named GetPolicyDocument in the Go SDK.

public static class GetPolicyDocument {
    public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
}

The following arguments are supported:

Rules List<GetPolicyDocumentRuleArgs>

Rules []GetPolicyDocumentRule

rules GetPolicyDocumentRule[]

rules Sequence[GetPolicyDocumentRuleArgs]

getPolicyDocument Result

The following output properties are available:

Hcl string: The above arguments serialized as a standard Vault HCL policy document.
Id string: The provider-assigned unique ID for this managed resource.
Rules List<GetPolicyDocumentRule>

Hcl string: The above arguments serialized as a standard Vault HCL policy document.
Id string: The provider-assigned unique ID for this managed resource.
Rules []GetPolicyDocumentRule

hcl string: The above arguments serialized as a standard Vault HCL policy document.
id string: The provider-assigned unique ID for this managed resource.
rules GetPolicyDocumentRule[]

hcl str: The above arguments serialized as a standard Vault HCL policy document.
id str: The provider-assigned unique ID for this managed resource.
rules Sequence[GetPolicyDocumentRule]

Supporting Types

GetPolicyDocumentRule

Capabilities List<string>: A list of capabilities that this rule apply to path. For example, [“read”, “write”].
Path string: A path in Vault that this rule applies to.
AllowedParameters List<GetPolicyDocumentRuleAllowedParameterArgs>: Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
DeniedParameters List<GetPolicyDocumentRuleDeniedParameterArgs>: Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
Description string: Description of the rule. Will be added as a comment to rendered rule.
MaxWrappingTtl string: The maximum allowed TTL that clients can specify for a wrapped response.
MinWrappingTtl string: The minimum allowed TTL that clients can specify for a wrapped response.
RequiredParameters List<string>: A list of parameters that must be specified.

Capabilities []string: A list of capabilities that this rule apply to path. For example, [“read”, “write”].
Path string: A path in Vault that this rule applies to.
AllowedParameters []GetPolicyDocumentRuleAllowedParameter: Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
DeniedParameters []GetPolicyDocumentRuleDeniedParameter: Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
Description string: Description of the rule. Will be added as a comment to rendered rule.
MaxWrappingTtl string: The maximum allowed TTL that clients can specify for a wrapped response.
MinWrappingTtl string: The minimum allowed TTL that clients can specify for a wrapped response.
RequiredParameters []string: A list of parameters that must be specified.

capabilities string[]: A list of capabilities that this rule apply to path. For example, [“read”, “write”].
path string: A path in Vault that this rule applies to.
allowedParameters GetPolicyDocumentRuleAllowedParameter[]: Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
deniedParameters GetPolicyDocumentRuleDeniedParameter[]: Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
description string: Description of the rule. Will be added as a comment to rendered rule.
maxWrappingTtl string: The maximum allowed TTL that clients can specify for a wrapped response.
minWrappingTtl string: The minimum allowed TTL that clients can specify for a wrapped response.
requiredParameters string[]: A list of parameters that must be specified.

capabilities Sequence[str]: A list of capabilities that this rule apply to path. For example, [“read”, “write”].
path str: A path in Vault that this rule applies to.
allowed_parameters Sequence[GetPolicyDocumentRuleAllowedParameterArgs]: Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
denied_parameters Sequence[GetPolicyDocumentRuleDeniedParameterArgs]: Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
description str: Description of the rule. Will be added as a comment to rendered rule.
max_wrapping_ttl str: The maximum allowed TTL that clients can specify for a wrapped response.
min_wrapping_ttl str: The minimum allowed TTL that clients can specify for a wrapped response.
required_parameters Sequence[str]: A list of parameters that must be specified.

GetPolicyDocumentRuleAllowedParameter

Key string: name of permitted or denied parameter.
Values List<string>: list of values what are permitted or denied by policy rule.

Key string: name of permitted or denied parameter.
Values []string: list of values what are permitted or denied by policy rule.

key string: name of permitted or denied parameter.
values string[]: list of values what are permitted or denied by policy rule.

key str: name of permitted or denied parameter.
values Sequence[str]: list of values what are permitted or denied by policy rule.

GetPolicyDocumentRuleDeniedParameter

Key string: name of permitted or denied parameter.
Values List<string>: list of values what are permitted or denied by policy rule.

Key string: name of permitted or denied parameter.
Values []string: list of values what are permitted or denied by policy rule.

key string: name of permitted or denied parameter.
values string[]: list of values what are permitted or denied by policy rule.

key str: name of permitted or denied parameter.
values Sequence[str]: list of values what are permitted or denied by policy rule.

Package Details

Repository: https://github.com/pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud