The aws:verifiedaccess/instance:Instance resource, part of the Pulumi AWS provider, provisions a Verified Access Instance that serves as the container for trust providers, access groups, and endpoints. This guide focuses on three capabilities: basic instance creation, FIPS compliance enablement, and custom subdomain configuration.
Verified Access Instances are foundational resources. Trust providers, access groups, and endpoints are configured separately and attach to the instance. The examples are intentionally small. Combine them with your own trust providers and access policies.
Create a Verified Access Instance with tags
Most deployments start by creating an instance with optional metadata for organization and cost tracking.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// A Verified Access Instance carrying only a description and a Name tag.
// Trust providers, access groups and endpoints are separate resources that
// attach to this instance.
const instanceTags = { Name: "example" };
const example = new aws.verifiedaccess.Instance("example", {
    description: "example",
    tags: instanceTags,
});
import pulumi
import pulumi_aws as aws
# A Verified Access Instance carrying only a description and a Name tag.
# Trust providers, access groups and endpoints are separate resources that
# attach to this instance.
instance_tags = {"Name": "example"}
example = aws.verifiedaccess.Instance(
    "example",
    description="example",
    tags=instance_tags,
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a single Verified Access Instance carrying a description and
// a Name tag. Trust providers, access groups and endpoints are separate
// resources that attach to this instance.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		args := &verifiedaccess.InstanceArgs{
			Description: pulumi.String("example"),
			Tags: pulumi.StringMap{
				"Name": pulumi.String("example"),
			},
		}
		if _, err := verifiedaccess.NewInstance(ctx, "example", args); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Provision a Verified Access Instance with a description and a Name tag.
// Trust providers, access groups and endpoints are attached by separate resources.
return await Deployment.RunAsync(() =>
{
    var instanceArgs = new Aws.VerifiedAccess.InstanceArgs
    {
        Description = "example",
        Tags =
        {
            { "Name", "example" },
        },
    };
    var example = new Aws.VerifiedAccess.Instance("example", instanceArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.Instance;
import com.pulumi.aws.verifiedaccess.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions one Verified Access Instance.
 *
 * <p>The instance carries only a description and a {@code Name} tag; trust
 * providers, access groups and endpoints are separate resources that attach
 * to it.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Map.of yields an immutable tag map; tags are used for organization
        // and cost allocation.
        Map<String, String> tags = Map.of("Name", "example");
        InstanceArgs instanceArgs = InstanceArgs.builder()
            .description("example")
            .tags(tags)
            .build();
        var example = new Instance("example", instanceArgs);
    }
}
# A Verified Access Instance carrying only a description and a Name tag.
# Trust providers, access groups and endpoints are separate resources that
# attach to this instance.
resources:
  example:
    type: aws:verifiedaccess:Instance
    properties:
      description: example
      tags: { Name: example }
The instance resource itself is minimal. The description property provides human-readable context, and tags enable organization and cost allocation. The instance serves as the container; trust providers and endpoints are configured separately.
Enable FIPS compliance for government workloads
Government and regulated workloads often require FIPS 140-2 validated cryptographic modules.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// FIPS mode is fixed at creation time; changing it later means replacing
// the instance.
const fipsArgs = { fipsEnabled: true };
const example = new aws.verifiedaccess.Instance("example", fipsArgs);
import pulumi
import pulumi_aws as aws
# FIPS mode is fixed at creation time; changing it later means replacing
# the instance.
fips_args = {"fips_enabled": True}
example = aws.verifiedaccess.Instance("example", **fips_args)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a Verified Access Instance with FIPS mode enabled. FIPS mode
// is fixed at creation time; changing it later means replacing the instance.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		args := &verifiedaccess.InstanceArgs{
			FipsEnabled: pulumi.Bool(true),
		}
		if _, err := verifiedaccess.NewInstance(ctx, "example", args); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Provision a Verified Access Instance with FIPS mode enabled. FIPS mode is
// fixed at creation time; changing it later means replacing the instance.
return await Deployment.RunAsync(() =>
{
    var fipsArgs = new Aws.VerifiedAccess.InstanceArgs
    {
        FipsEnabled = true,
    };
    var example = new Aws.VerifiedAccess.Instance("example", fipsArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.Instance;
import com.pulumi.aws.verifiedaccess.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions one Verified Access Instance with FIPS mode
 * enabled.
 *
 * <p>FIPS mode is fixed at creation time; changing it later means replacing
 * the instance.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        InstanceArgs fipsArgs = InstanceArgs.builder()
            .fipsEnabled(true)
            .build();
        var example = new Instance("example", fipsArgs);
    }
}
# Verified Access Instance with FIPS mode enabled. FIPS mode is fixed at
# creation time; changing it later means replacing the instance.
resources:
  example:
    type: aws:verifiedaccess:Instance
    properties: { fipsEnabled: true }
The fipsEnabled property activates FIPS-validated cryptography for all operations on this instance. This property is immutable; you cannot change it after instance creation. If you need to switch FIPS mode, you must create a new instance.
Configure custom subdomains for CIDR endpoints
Organizations that need branded or predictable DNS names for their endpoints can specify a custom subdomain.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// The subdomain must be a domain you own and control; after creation, point
// its NS records at the servers reported by the instance's nameServers output.
const subdomainArgs = { cidrEndpointsCustomSubdomain: "test.example.com" };
const example = new aws.verifiedaccess.Instance("example", subdomainArgs);
import pulumi
import pulumi_aws as aws
# The subdomain must be a domain you own and control; after creation, point
# its NS records at the servers reported by the instance's name_servers output.
subdomain_args = {"cidr_endpoints_custom_subdomain": "test.example.com"}
example = aws.verifiedaccess.Instance("example", **subdomain_args)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a Verified Access Instance whose CIDR endpoints use a custom
// subdomain. The subdomain must be a domain you own and control; after
// creation, point its NS records at the instance's name servers output.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		args := &verifiedaccess.InstanceArgs{
			CidrEndpointsCustomSubdomain: pulumi.String("test.example.com"),
		}
		if _, err := verifiedaccess.NewInstance(ctx, "example", args); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Provision a Verified Access Instance whose CIDR endpoints use a custom
// subdomain. The subdomain must be a domain you own and control; after
// creation, point its NS records at the instance's NameServers output.
return await Deployment.RunAsync(() =>
{
    var subdomainArgs = new Aws.VerifiedAccess.InstanceArgs
    {
        CidrEndpointsCustomSubdomain = "test.example.com",
    };
    var example = new Aws.VerifiedAccess.Instance("example", subdomainArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.Instance;
import com.pulumi.aws.verifiedaccess.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions one Verified Access Instance whose CIDR
 * endpoints use a custom subdomain.
 *
 * <p>The subdomain must be a domain you own and control; after creation,
 * point its NS records at the servers reported by the instance's
 * {@code nameServers} output.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Placeholder subdomain; replace with a domain under your control.
        InstanceArgs subdomainArgs = InstanceArgs.builder()
            .cidrEndpointsCustomSubdomain("test.example.com")
            .build();
        var example = new Instance("example", subdomainArgs);
    }
}
# Verified Access Instance whose CIDR endpoints use a custom subdomain. The
# subdomain must be a domain you own and control; after creation, point its
# NS records at the servers reported by the instance's nameServers output.
resources:
  example:
    type: aws:verifiedaccess:Instance
    properties: { cidrEndpointsCustomSubdomain: test.example.com }
The cidrEndpointsCustomSubdomain property sets the DNS subdomain for CIDR-based endpoints attached to this instance. You must own and control the specified domain. The nameServers output provides the DNS servers to configure in your domain’s NS records.
Beyond these examples
These snippets focus on specific instance-level features: instance creation with metadata, FIPS compliance configuration, and custom subdomain assignment. They’re intentionally minimal rather than complete Verified Access deployments.
The examples may reference pre-existing infrastructure, such as an AWS provider with a configured region and ownership of the DNS domain used for custom subdomains. They focus on configuring the instance rather than provisioning trust providers or endpoints.
To keep things focused, common Verified Access patterns are omitted, including:
- Trust provider attachment (verifiedAccessTrustProviders output only)
- Access group and endpoint configuration
- Policy and authorization rules
- Integration with identity providers
These omissions are intentional: the goal is to illustrate how each instance feature is wired, not provide drop-in access control modules. See the Verified Access Instance resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Immutability
fipsEnabled is immutable. Changing FIPS support requires recreating the instance. Set fipsEnabled to true during instance creation.
CIDR Endpoints & Networking
Set cidrEndpointsCustomSubdomain to your desired subdomain, such as test.example.com. The region property defaults to your provider configuration.