1. Packages
  2. Confluent Cloud
  3. API Docs
  4. ByokKey
Confluent v1.47.0 published on Wednesday, Jun 12, 2024 by Pulumi

confluentcloud.ByokKey

Explore with Pulumi AI

confluentcloud logo
Confluent v1.47.0 published on Wednesday, Jun 12, 2024 by Pulumi

    General Availability

    confluentcloud.ByokKey provides a BYOK Key resource that enables creating, editing, and deleting BYOK Key on Confluent Cloud.

    Example Usage

    Example BYOK Key on Azure

    import * as pulumi from "@pulumi/pulumi";
    import * as confluentcloud from "@pulumi/confluentcloud";
    
    const azureKey = new confluentcloud.ByokKey("azure_key", {azure: {
        tenantId: "11111111-1111-1111-1111-111111111111",
        keyVaultId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault",
        keyIdentifier: "https://test-vault.vault.azure.net/keys/test-key",
    }});
    
    import pulumi
    import pulumi_confluentcloud as confluentcloud
    
    azure_key = confluentcloud.ByokKey("azure_key", azure=confluentcloud.ByokKeyAzureArgs(
        tenant_id="11111111-1111-1111-1111-111111111111",
        key_vault_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault",
        key_identifier="https://test-vault.vault.azure.net/keys/test-key",
    ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-confluentcloud/sdk/go/confluentcloud"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := confluentcloud.NewByokKey(ctx, "azure_key", &confluentcloud.ByokKeyArgs{
    			Azure: &confluentcloud.ByokKeyAzureArgs{
    				TenantId:      pulumi.String("11111111-1111-1111-1111-111111111111"),
    				KeyVaultId:    pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault"),
    				KeyIdentifier: pulumi.String("https://test-vault.vault.azure.net/keys/test-key"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using ConfluentCloud = Pulumi.ConfluentCloud;
    
    return await Deployment.RunAsync(() => 
    {
        var azureKey = new ConfluentCloud.ByokKey("azure_key", new()
        {
            Azure = new ConfluentCloud.Inputs.ByokKeyAzureArgs
            {
                TenantId = "11111111-1111-1111-1111-111111111111",
                KeyVaultId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault",
                KeyIdentifier = "https://test-vault.vault.azure.net/keys/test-key",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.confluentcloud.ByokKey;
    import com.pulumi.confluentcloud.ByokKeyArgs;
    import com.pulumi.confluentcloud.inputs.ByokKeyAzureArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var azureKey = new ByokKey("azureKey", ByokKeyArgs.builder()
                .azure(ByokKeyAzureArgs.builder()
                    .tenantId("11111111-1111-1111-1111-111111111111")
                    .keyVaultId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault")
                    .keyIdentifier("https://test-vault.vault.azure.net/keys/test-key")
                    .build())
                .build());
    
        }
    }
    
    resources:
      azureKey:
        type: confluentcloud:ByokKey
        name: azure_key
        properties:
          azure:
            tenantId: 11111111-1111-1111-1111-111111111111
            keyVaultId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/test-vault/providers/Microsoft.KeyVault/vaults/test-vault
            keyIdentifier: https://test-vault.vault.azure.net/keys/test-key
    

    Example BYOK Key on GCP

    import * as pulumi from "@pulumi/pulumi";
    import * as confluentcloud from "@pulumi/confluentcloud";
    
    const gcpKey = new confluentcloud.ByokKey("gcp_key", {gcp: {
        keyId: "projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test",
    }});
    
    import pulumi
    import pulumi_confluentcloud as confluentcloud
    
    gcp_key = confluentcloud.ByokKey("gcp_key", gcp=confluentcloud.ByokKeyGcpArgs(
        key_id="projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test",
    ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-confluentcloud/sdk/go/confluentcloud"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := confluentcloud.NewByokKey(ctx, "gcp_key", &confluentcloud.ByokKeyArgs{
    			Gcp: &confluentcloud.ByokKeyGcpArgs{
    				KeyId: pulumi.String("projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using ConfluentCloud = Pulumi.ConfluentCloud;
    
    return await Deployment.RunAsync(() => 
    {
        var gcpKey = new ConfluentCloud.ByokKey("gcp_key", new()
        {
            Gcp = new ConfluentCloud.Inputs.ByokKeyGcpArgs
            {
                KeyId = "projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.confluentcloud.ByokKey;
    import com.pulumi.confluentcloud.ByokKeyArgs;
    import com.pulumi.confluentcloud.inputs.ByokKeyGcpArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var gcpKey = new ByokKey("gcpKey", ByokKeyArgs.builder()
                .gcp(ByokKeyGcpArgs.builder()
                    .keyId("projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test")
                    .build())
                .build());
    
        }
    }
    
    resources:
      gcpKey:
        type: confluentcloud:ByokKey
        name: gcp_key
        properties:
          gcp:
            keyId: projects/temp-gear-123456/locations/us-central1/keyRings/byok-test/cryptoKeys/byok-test
    

    Getting Started

    The following end-to-end examples might help to get started with confluentcloud.ByokKey resource:

    • dedicated-public-aws-byok-kafka-acls: An example of Encrypting Confluent Cloud Dedicated Kafka Clusters using Self-Managed Keys on AWS.
    • dedicated-public-azure-byok-kafka-acls: An example of Encrypting Confluent Cloud Dedicated Kafka Clusters using Self-Managed Keys on Azure.

    See Confluent Cloud Bring Your Own Key (BYOK) Management API to learn more about Encrypting Confluent Cloud Kafka Clusters using Self-Managed Keys.

    Create ByokKey Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ByokKey(name: string, args?: ByokKeyArgs, opts?: CustomResourceOptions);
    @overload
    def ByokKey(resource_name: str,
                args: Optional[ByokKeyArgs] = None,
                opts: Optional[ResourceOptions] = None)
    
    @overload
    def ByokKey(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                aws: Optional[ByokKeyAwsArgs] = None,
                azure: Optional[ByokKeyAzureArgs] = None,
                gcp: Optional[ByokKeyGcpArgs] = None)
    func NewByokKey(ctx *Context, name string, args *ByokKeyArgs, opts ...ResourceOption) (*ByokKey, error)
    public ByokKey(string name, ByokKeyArgs? args = null, CustomResourceOptions? opts = null)
    public ByokKey(String name, ByokKeyArgs args)
    public ByokKey(String name, ByokKeyArgs args, CustomResourceOptions options)
    
    type: confluentcloud:ByokKey
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args ByokKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ByokKeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ByokKeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ByokKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ByokKeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

    The following reference example uses placeholder values for all input properties.

    var byokKeyResource = new ConfluentCloud.ByokKey("byokKeyResource", new()
    {
        Aws = new ConfluentCloud.Inputs.ByokKeyAwsArgs
        {
            KeyArn = "string",
            Roles = new[]
            {
                "string",
            },
        },
        Azure = new ConfluentCloud.Inputs.ByokKeyAzureArgs
        {
            KeyIdentifier = "string",
            KeyVaultId = "string",
            TenantId = "string",
            ApplicationId = "string",
        },
        Gcp = new ConfluentCloud.Inputs.ByokKeyGcpArgs
        {
            KeyId = "string",
            SecurityGroup = "string",
        },
    });
    
    example, err := confluentcloud.NewByokKey(ctx, "byokKeyResource", &confluentcloud.ByokKeyArgs{
    	Aws: &confluentcloud.ByokKeyAwsArgs{
    		KeyArn: pulumi.String("string"),
    		Roles: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	Azure: &confluentcloud.ByokKeyAzureArgs{
    		KeyIdentifier: pulumi.String("string"),
    		KeyVaultId:    pulumi.String("string"),
    		TenantId:      pulumi.String("string"),
    		ApplicationId: pulumi.String("string"),
    	},
    	Gcp: &confluentcloud.ByokKeyGcpArgs{
    		KeyId:         pulumi.String("string"),
    		SecurityGroup: pulumi.String("string"),
    	},
    })
    
    var byokKeyResource = new ByokKey("byokKeyResource", ByokKeyArgs.builder()
        .aws(ByokKeyAwsArgs.builder()
            .keyArn("string")
            .roles("string")
            .build())
        .azure(ByokKeyAzureArgs.builder()
            .keyIdentifier("string")
            .keyVaultId("string")
            .tenantId("string")
            .applicationId("string")
            .build())
        .gcp(ByokKeyGcpArgs.builder()
            .keyId("string")
            .securityGroup("string")
            .build())
        .build());
    
    byok_key_resource = confluentcloud.ByokKey("byokKeyResource",
        aws=confluentcloud.ByokKeyAwsArgs(
            key_arn="string",
            roles=["string"],
        ),
        azure=confluentcloud.ByokKeyAzureArgs(
            key_identifier="string",
            key_vault_id="string",
            tenant_id="string",
            application_id="string",
        ),
        gcp=confluentcloud.ByokKeyGcpArgs(
            key_id="string",
            security_group="string",
        ))
    
    const byokKeyResource = new confluentcloud.ByokKey("byokKeyResource", {
        aws: {
            keyArn: "string",
            roles: ["string"],
        },
        azure: {
            keyIdentifier: "string",
            keyVaultId: "string",
            tenantId: "string",
            applicationId: "string",
        },
        gcp: {
            keyId: "string",
            securityGroup: "string",
        },
    });
    
    type: confluentcloud:ByokKey
    properties:
        aws:
            keyArn: string
            roles:
                - string
        azure:
            applicationId: string
            keyIdentifier: string
            keyVaultId: string
            tenantId: string
        gcp:
            keyId: string
            securityGroup: string
    

    ByokKey Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ByokKey resource accepts the following input properties:

    Aws Pulumi.ConfluentCloud.Inputs.ByokKeyAws
    (Optional Configuration Block) supports the following:
    Azure Pulumi.ConfluentCloud.Inputs.ByokKeyAzure
    (Optional Configuration Block) supports the following:
    Gcp Pulumi.ConfluentCloud.Inputs.ByokKeyGcp
    (Optional Configuration Block) supports the following:
    Aws ByokKeyAwsArgs
    (Optional Configuration Block) supports the following:
    Azure ByokKeyAzureArgs
    (Optional Configuration Block) supports the following:
    Gcp ByokKeyGcpArgs
    (Optional Configuration Block) supports the following:
    aws ByokKeyAws
    (Optional Configuration Block) supports the following:
    azure ByokKeyAzure
    (Optional Configuration Block) supports the following:
    gcp ByokKeyGcp
    (Optional Configuration Block) supports the following:
    aws ByokKeyAws
    (Optional Configuration Block) supports the following:
    azure ByokKeyAzure
    (Optional Configuration Block) supports the following:
    gcp ByokKeyGcp
    (Optional Configuration Block) supports the following:
    aws ByokKeyAwsArgs
    (Optional Configuration Block) supports the following:
    azure ByokKeyAzureArgs
    (Optional Configuration Block) supports the following:
    gcp ByokKeyGcpArgs
    (Optional Configuration Block) supports the following:
    aws Property Map
    (Optional Configuration Block) supports the following:
    azure Property Map
    (Optional Configuration Block) supports the following:
    gcp Property Map
    (Optional Configuration Block) supports the following:

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ByokKey resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing ByokKey Resource

    Get an existing ByokKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ByokKeyState, opts?: CustomResourceOptions): ByokKey
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            aws: Optional[ByokKeyAwsArgs] = None,
            azure: Optional[ByokKeyAzureArgs] = None,
            gcp: Optional[ByokKeyGcpArgs] = None) -> ByokKey
    func GetByokKey(ctx *Context, name string, id IDInput, state *ByokKeyState, opts ...ResourceOption) (*ByokKey, error)
    public static ByokKey Get(string name, Input<string> id, ByokKeyState? state, CustomResourceOptions? opts = null)
    public static ByokKey get(String name, Output<String> id, ByokKeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Aws Pulumi.ConfluentCloud.Inputs.ByokKeyAws
    (Optional Configuration Block) supports the following:
    Azure Pulumi.ConfluentCloud.Inputs.ByokKeyAzure
    (Optional Configuration Block) supports the following:
    Gcp Pulumi.ConfluentCloud.Inputs.ByokKeyGcp
    (Optional Configuration Block) supports the following:
    Aws ByokKeyAwsArgs
    (Optional Configuration Block) supports the following:
    Azure ByokKeyAzureArgs
    (Optional Configuration Block) supports the following:
    Gcp ByokKeyGcpArgs
    (Optional Configuration Block) supports the following:
    aws ByokKeyAws
    (Optional Configuration Block) supports the following:
    azure ByokKeyAzure
    (Optional Configuration Block) supports the following:
    gcp ByokKeyGcp
    (Optional Configuration Block) supports the following:
    aws ByokKeyAws
    (Optional Configuration Block) supports the following:
    azure ByokKeyAzure
    (Optional Configuration Block) supports the following:
    gcp ByokKeyGcp
    (Optional Configuration Block) supports the following:
    aws ByokKeyAwsArgs
    (Optional Configuration Block) supports the following:
    azure ByokKeyAzureArgs
    (Optional Configuration Block) supports the following:
    gcp ByokKeyGcpArgs
    (Optional Configuration Block) supports the following:
    aws Property Map
    (Optional Configuration Block) supports the following:
    azure Property Map
    (Optional Configuration Block) supports the following:
    gcp Property Map
    (Optional Configuration Block) supports the following:

    Supporting Types

    ByokKeyAws, ByokKeyAwsArgs

    KeyArn string
    The Amazon Resource Name (ARN) of an AWS KMS key.
    Roles List<string>
    (Optional List of Strings) The Amazon Resource Names (ARNs) of IAM Roles created for this key-environment
    KeyArn string
    The Amazon Resource Name (ARN) of an AWS KMS key.
    Roles []string
    (Optional List of Strings) The Amazon Resource Names (ARNs) of IAM Roles created for this key-environment
    keyArn String
    The Amazon Resource Name (ARN) of an AWS KMS key.
    roles List<String>
    (Optional List of Strings) The Amazon Resource Names (ARNs) of IAM Roles created for this key-environment
    keyArn string
    The Amazon Resource Name (ARN) of an AWS KMS key.
    roles string[]
    (Optional List of Strings) The Amazon Resource Names (ARNs) of IAM Roles created for this key-environment
    key_arn str
    The Amazon Resource Name (ARN) of an AWS KMS key.
    roles Sequence[str]
    (Optional List of Strings) The Amazon Resource Names (ARNs) of IAM Roles created for this key-environment
    keyArn String
    The Amazon Resource Name (ARN) of an AWS KMS key.
    roles List<String>
    (Optional List of Strings) The Amazon Resource Names (ARNs) of IAM Roles created for this key-environment

    ByokKeyAzure, ByokKeyAzureArgs

    KeyIdentifier string
    The unique Key Object Identifier URL of an Azure Key Vault key.
    KeyVaultId string
    Key Vault ID containing the key.
    TenantId string
    Tenant ID (uuid) hosting the Key Vault containing the key.
    ApplicationId string
    (Optional String) The Application ID created for this key-environment combination.
    KeyIdentifier string
    The unique Key Object Identifier URL of an Azure Key Vault key.
    KeyVaultId string
    Key Vault ID containing the key.
    TenantId string
    Tenant ID (uuid) hosting the Key Vault containing the key.
    ApplicationId string
    (Optional String) The Application ID created for this key-environment combination.
    keyIdentifier String
    The unique Key Object Identifier URL of an Azure Key Vault key.
    keyVaultId String
    Key Vault ID containing the key.
    tenantId String
    Tenant ID (uuid) hosting the Key Vault containing the key.
    applicationId String
    (Optional String) The Application ID created for this key-environment combination.
    keyIdentifier string
    The unique Key Object Identifier URL of an Azure Key Vault key.
    keyVaultId string
    Key Vault ID containing the key.
    tenantId string
    Tenant ID (uuid) hosting the Key Vault containing the key.
    applicationId string
    (Optional String) The Application ID created for this key-environment combination.
    key_identifier str
    The unique Key Object Identifier URL of an Azure Key Vault key.
    key_vault_id str
    Key Vault ID containing the key.
    tenant_id str
    Tenant ID (uuid) hosting the Key Vault containing the key.
    application_id str
    (Optional String) The Application ID created for this key-environment combination.
    keyIdentifier String
    The unique Key Object Identifier URL of an Azure Key Vault key.
    keyVaultId String
    Key Vault ID containing the key.
    tenantId String
    Tenant ID (uuid) hosting the Key Vault containing the key.
    applicationId String
    (Optional String) The Application ID created for this key-environment combination.

    ByokKeyGcp, ByokKeyGcpArgs

    KeyId string
    The Google Cloud Platform key ID.
    SecurityGroup string
    (Optional String) The Google security group created for this key.
    KeyId string
    The Google Cloud Platform key ID.
    SecurityGroup string
    (Optional String) The Google security group created for this key.
    keyId String
    The Google Cloud Platform key ID.
    securityGroup String
    (Optional String) The Google security group created for this key.
    keyId string
    The Google Cloud Platform key ID.
    securityGroup string
    (Optional String) The Google security group created for this key.
    key_id str
    The Google Cloud Platform key ID.
    security_group str
    (Optional String) The Google security group created for this key.
    keyId String
    The Google Cloud Platform key ID.
    securityGroup String
    (Optional String) The Google security group created for this key.

    Import

    You can import a BYOK Key by using BYOK Key ID. The following example shows how to import a BYOK Key:

    $ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"

    $ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"

    $ pulumi import confluentcloud:index/byokKey:ByokKey aws_key cck-abcde
    

    !> Warning: Do not forget to delete terminal command history afterwards for security purposes.

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Confluent Cloud pulumi/pulumi-confluentcloud
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the confluent Terraform Provider.
    confluentcloud logo
    Confluent v1.47.0 published on Wednesday, Jun 12, 2024 by Pulumi