Databricks v1.34.0 published on Tuesday, Mar 5, 2024 by Pulumi

databricks.MwsCustomerManagedKeys


    The following resources are used in the same context:

    • Provisioning Databricks on AWS guide.
    • databricks.MwsCredentials to configure the cross-account role for creation of new workspaces within AWS.
    • databricks.MwsLogDelivery to configure delivery of billable usage logs and audit logs.
    • databricks.MwsNetworks to configure VPC & subnets for new workspaces within AWS.
    • databricks.MwsStorageConfigurations to configure the root bucket for new workspaces within AWS.
    • databricks.MwsWorkspaces to set up workspaces in E2 architecture on AWS.

    Example Usage

    For AWS (managed services use case)

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Databricks = Pulumi.Databricks;
    
    return await Deployment.RunAsync(() =>
    {
        // Principal of the second key-policy statement; per that statement's Sid it
        // is the Databricks control plane.
        const string databricksControlPlanePrincipal = "arn:aws:iam::414351767826:root";

        var stackConfig = new Config();
        var accountId = stackConfig.RequireObject<dynamic>("databricksAccountId");
        var callerIdentity = Aws.GetCallerIdentity.Invoke();

        // Statement 1: the account that runs this deployment keeps kms:* on the key.
        // With an account as principal, KMS defers to that account's IAM policies, so
        // who can actually administer or use the key is decided in IAM.
        // In a key policy, the resource "*" means the key the policy is attached to.
        var ownerAccountStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "Enable IAM User Permissions",
            Effect = "Allow",
            Principals = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                {
                    Type = "AWS",
                    Identifiers = new[]
                    {
                        callerIdentity.Apply(identity => identity.AccountId),
                    },
                },
            },
            Actions = new[] { "kms:*" },
            Resources = new[] { "*" },
        };

        // Statement 2: the external principal gets Encrypt/Decrypt only.
        // NOTE(review): the principal is a whole account root; check the current
        // Databricks guidance for a condition that narrows it to your own
        // Databricks account before using this policy in production.
        var controlPlaneStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "Allow Databricks to use KMS key for control plane managed services",
            Effect = "Allow",
            Principals = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                {
                    Type = "AWS",
                    Identifiers = new[] { databricksControlPlanePrincipal },
                },
            },
            Actions = new[] { "kms:Encrypt", "kms:Decrypt" },
            Resources = new[] { "*" },
        };

        var keyPolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Version = "2012-10-17",
            Statements = new[] { ownerAccountStatement, controlPlaneStatement },
        });

        // NOTE(review): only the policy is set on the key; rotation and deletion
        // window are left at provider defaults. Confirm that matches your
        // key-management requirements.
        var cmk = new Aws.Kms.Key("managedServicesCustomerManagedKey", new()
        {
            Policy = keyPolicy.Apply(document => document.Json),
        });

        var cmkAlias = new Aws.Kms.Alias("managedServicesCustomerManagedKeyAlias", new()
        {
            TargetKeyId = cmk.KeyId,
        });

        // Register the key with the Databricks account for the MANAGED_SERVICES use case.
        var keyInfo = new Databricks.Inputs.MwsCustomerManagedKeysAwsKeyInfoArgs
        {
            KeyArn = cmk.Arn,
            KeyAlias = cmkAlias.Name,
        };
        var managedServices = new Databricks.MwsCustomerManagedKeys("managedServices", new()
        {
            AccountId = accountId,
            AwsKeyInfo = keyInfo,
            UseCases = new[] { "MANAGED_SERVICES" },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/kms"
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
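    // main declares a KMS key whose policy lets Databricks encrypt and decrypt
    // with it, gives the key an alias, and registers it with the Databricks
    // account for the MANAGED_SERVICES use case.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		cfg := config.New(ctx, "")
    		// Require reads the value as a string and fails the deployment when
    		// the key is unset, so an empty account ID never reaches the provider.
    		databricksAccountId := cfg.Require("databricksAccountId")
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		databricksManagedServicesCmk, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Version: pulumi.StringRef("2012-10-17"),
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					// The deploying account keeps kms:* on the key. With an
    					// account as principal, KMS defers to that account's IAM
    					// policies for who may administer or use the key.
    					// In a key policy, the resource "*" means the key the
    					// policy is attached to.
    					Sid:    pulumi.StringRef("Enable IAM User Permissions"),
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "AWS",
    							// Identifiers is a plain string slice.
    							Identifiers: []string{
    								current.AccountId,
    							},
    						},
    					},
    					Actions: []string{
    						"kms:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					// The external principal gets Encrypt/Decrypt only.
    					// NOTE(review): the principal is a whole account root;
    					// check current Databricks guidance for a condition that
    					// narrows it to your own Databricks account.
    					Sid:    pulumi.StringRef("Allow Databricks to use KMS key for control plane managed services"),
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "AWS",
    							Identifiers: []string{
    								"arn:aws:iam::414351767826:root",
    							},
    						},
    					},
    					Actions: []string{
    						"kms:Encrypt",
    						"kms:Decrypt",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// NOTE(review): only the policy is set on the key; rotation and the
    		// deletion window are left at provider defaults.
    		managedServicesCustomerManagedKey, err := kms.NewKey(ctx, "managedServicesCustomerManagedKey", &kms.KeyArgs{
    			Policy: pulumi.String(databricksManagedServicesCmk.Json),
    		})
    		if err != nil {
    			return err
    		}
    		managedServicesCustomerManagedKeyAlias, err := kms.NewAlias(ctx, "managedServicesCustomerManagedKeyAlias", &kms.AliasArgs{
    			TargetKeyId: managedServicesCustomerManagedKey.KeyId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = databricks.NewMwsCustomerManagedKeys(ctx, "managedServices", &databricks.MwsCustomerManagedKeysArgs{
    			AccountId: pulumi.String(databricksAccountId),
    			AwsKeyInfo: &databricks.MwsCustomerManagedKeysAwsKeyInfoArgs{
    				KeyArn:   managedServicesCustomerManagedKey.Arn,
    				KeyAlias: managedServicesCustomerManagedKeyAlias.Name,
    			},
    			UseCases: pulumi.StringArray{
    				pulumi.String("MANAGED_SERVICES"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }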
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import com.pulumi.aws.kms.Alias;
    import com.pulumi.aws.kms.AliasArgs;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysAwsKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that creates a KMS key with a Databricks-facing key policy,
     * an alias for it, and a databricks MwsCustomerManagedKeys resource for the
     * MANAGED_SERVICES use case.
     */
    public class App {
        /** Entry point: hands {@link #stack} to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the key policy document, the KMS key and alias, and the
         * Databricks customer-managed-key registration.
         *
         * @param ctx Pulumi context used to read stack configuration
         */
        public static void stack(Context ctx) {
            final var config = ctx.config();
            // NOTE(review): the C#, Python and TypeScript variants on this page use a
            // required lookup for this value; confirm that config.get(...) is intended
            // here and that a missing account ID fails the deployment.
            final var databricksAccountId = config.get("databricksAccountId");
            final var current = AwsFunctions.getCallerIdentity();
    
            // Key policy. In a key policy the resource "*" means the key the policy
            // is attached to.
            final var databricksManagedServicesCmk = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .version("2012-10-17")
                .statements(            
                    // Statement 1: the deploying account keeps kms:* on the key; with
                    // an account as principal, access is then governed by that
                    // account's IAM policies.
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Enable IAM User Permissions")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
                            .build())
                        .actions("kms:*")
                        .resources("*")
                        .build(),
                    // Statement 2: the external principal gets Encrypt/Decrypt only.
                    // NOTE(review): the principal is a whole account root; check
                    // current Databricks guidance for a condition that narrows it to
                    // your own Databricks account.
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for control plane managed services")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers("arn:aws:iam::414351767826:root")
                            .build())
                        .actions(                    
                            "kms:Encrypt",
                            "kms:Decrypt")
                        .resources("*")
                        .build())
                .build());
    
            // NOTE(review): only the policy is set on the key; rotation and the
            // deletion window are left at provider defaults.
            var managedServicesCustomerManagedKey = new Key("managedServicesCustomerManagedKey", KeyArgs.builder()        
                .policy(databricksManagedServicesCmk.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var managedServicesCustomerManagedKeyAlias = new Alias("managedServicesCustomerManagedKeyAlias", AliasArgs.builder()        
                .targetKeyId(managedServicesCustomerManagedKey.keyId())
                .build());
    
            // Register the key (ARN and alias name) with the Databricks account.
            var managedServices = new MwsCustomerManagedKeys("managedServices", MwsCustomerManagedKeysArgs.builder()        
                .accountId(databricksAccountId)
                .awsKeyInfo(MwsCustomerManagedKeysAwsKeyInfoArgs.builder()
                    .keyArn(managedServicesCustomerManagedKey.arn())
                    .keyAlias(managedServicesCustomerManagedKeyAlias.name())
                    .build())
                .useCases("MANAGED_SERVICES")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_databricks as databricks
    
    # Principal of the second key-policy statement; per that statement's sid it is
    # the Databricks control plane.
    DATABRICKS_CONTROL_PLANE_PRINCIPAL = "arn:aws:iam::414351767826:root"

    stack_config = pulumi.Config()
    account_id = stack_config.require_object("databricksAccountId")
    caller = aws.get_caller_identity()

    # Statement 1: the deploying account keeps kms:* on the key. With an account
    # as principal, KMS defers to that account's IAM policies for who may
    # administer or use the key. In a key policy, the resource "*" means the key
    # the policy is attached to.
    owner_account_statement = aws.iam.GetPolicyDocumentStatementArgs(
        sid="Enable IAM User Permissions",
        effect="Allow",
        principals=[
            aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                type="AWS",
                identifiers=[caller.account_id],
            ),
        ],
        actions=["kms:*"],
        resources=["*"],
    )

    # Statement 2: the external principal gets Encrypt/Decrypt only.
    # NOTE(review): the principal is a whole account root; check current
    # Databricks guidance for a condition that narrows it to your own Databricks
    # account.
    control_plane_statement = aws.iam.GetPolicyDocumentStatementArgs(
        sid="Allow Databricks to use KMS key for control plane managed services",
        effect="Allow",
        principals=[
            aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                type="AWS",
                identifiers=[DATABRICKS_CONTROL_PLANE_PRINCIPAL],
            ),
        ],
        actions=["kms:Encrypt", "kms:Decrypt"],
        resources=["*"],
    )

    key_policy = aws.iam.get_policy_document(
        version="2012-10-17",
        statements=[owner_account_statement, control_plane_statement],
    )

    # NOTE(review): only the policy is set on the key; rotation and the deletion
    # window are left at provider defaults.
    cmk = aws.kms.Key("managedServicesCustomerManagedKey", policy=key_policy.json)
    cmk_alias = aws.kms.Alias(
        "managedServicesCustomerManagedKeyAlias",
        target_key_id=cmk.key_id,
    )

    # Register the key with the Databricks account for MANAGED_SERVICES.
    key_info = databricks.MwsCustomerManagedKeysAwsKeyInfoArgs(
        key_arn=cmk.arn,
        key_alias=cmk_alias.name,
    )
    managed_services = databricks.MwsCustomerManagedKeys(
        "managedServices",
        account_id=account_id,
        aws_key_info=key_info,
        use_cases=["MANAGED_SERVICES"],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as databricks from "@pulumi/databricks";
    
    // Principal of the second key-policy statement; per that statement's sid it is
    // the Databricks control plane.
    const databricksControlPlanePrincipal = "arn:aws:iam::414351767826:root";

    const stackConfig = new pulumi.Config();
    const accountId = stackConfig.requireObject("databricksAccountId");
    const callerIdentity = aws.getCallerIdentity({});

    // Key policy. In a key policy the resource "*" means the key the policy is
    // attached to.
    const keyPolicy = callerIdentity.then(identity => aws.iam.getPolicyDocument({
        version: "2012-10-17",
        statements: [
            // Statement 1: the deploying account keeps kms:* on the key; with an
            // account as principal, access is governed by that account's IAM policies.
            {
                sid: "Enable IAM User Permissions",
                effect: "Allow",
                principals: [
                    { type: "AWS", identifiers: [identity.accountId] },
                ],
                actions: ["kms:*"],
                resources: ["*"],
            },
            // Statement 2: the external principal gets Encrypt/Decrypt only.
            // NOTE(review): the principal is a whole account root; check current
            // Databricks guidance for a condition that narrows it to your own
            // Databricks account.
            {
                sid: "Allow Databricks to use KMS key for control plane managed services",
                effect: "Allow",
                principals: [
                    { type: "AWS", identifiers: [databricksControlPlanePrincipal] },
                ],
                actions: ["kms:Encrypt", "kms:Decrypt"],
                resources: ["*"],
            },
        ],
    }));

    // NOTE(review): only the policy is set on the key; rotation and the deletion
    // window are left at provider defaults.
    const cmk = new aws.kms.Key("managedServicesCustomerManagedKey", {
        policy: keyPolicy.then(doc => doc.json),
    });
    const cmkAlias = new aws.kms.Alias("managedServicesCustomerManagedKeyAlias", {
        targetKeyId: cmk.keyId,
    });

    // Register the key with the Databricks account for MANAGED_SERVICES.
    const managedServices = new databricks.MwsCustomerManagedKeys("managedServices", {
        accountId: accountId,
        awsKeyInfo: {
            keyArn: cmk.arn,
            keyAlias: cmkAlias.name,
        },
        useCases: ["MANAGED_SERVICES"],
    });
    
    # Pulumi YAML program: a KMS key with a Databricks-facing key policy, an alias
    # for it, and the Databricks registration for the MANAGED_SERVICES use case.
    configuration:
      databricksAccountId:
        type: dynamic
    resources:
      # NOTE(review): only the policy is set on the key; rotation and the deletion
      # window are left at provider defaults.
      managedServicesCustomerManagedKey:
        type: aws:kms:Key
        properties:
          policy: ${databricksManagedServicesCmk.json}
      managedServicesCustomerManagedKeyAlias:
        type: aws:kms:Alias
        properties:
          targetKeyId: ${managedServicesCustomerManagedKey.keyId}
      # Registers the key (ARN and alias name) with the Databricks account.
      managedServices:
        type: databricks:MwsCustomerManagedKeys
        properties:
          accountId: ${databricksAccountId}
          awsKeyInfo:
            keyArn: ${managedServicesCustomerManagedKey.arn}
            keyAlias: ${managedServicesCustomerManagedKeyAlias.name}
          useCases:
            - MANAGED_SERVICES
    variables:
      # Identity of the account running the deployment; its account ID is the
      # principal of the first policy statement.
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
      # Key policy. In a key policy the resource '*' means the key the policy is
      # attached to.
      databricksManagedServicesCmk:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            version: 2012-10-17
            statements:
              # Statement 1: the deploying account keeps kms:* on the key; with an
              # account as principal, access is governed by that account's IAM
              # policies.
              - sid: Enable IAM User Permissions
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${current.accountId}
                actions:
                  - kms:*
                resources:
                  - '*'
              # Statement 2: the external principal gets Encrypt/Decrypt only.
              # NOTE(review): the principal is a whole account root; check current
              # Databricks guidance for a condition that narrows it to your own
              # Databricks account.
              - sid: Allow Databricks to use KMS key for control plane managed services
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - arn:aws:iam::414351767826:root
                actions:
                  - kms:Encrypt
                  - kms:Decrypt
                resources:
                  - '*'
    

    For GCP

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Databricks = Pulumi.Databricks;
    
    return await Deployment.RunAsync(() =>
    {
        var stackConfig = new Config();
        var accountId = stackConfig.RequireObject<dynamic>("databricksAccountId");
        // Identifier of an existing key, supplied through stack configuration;
        // this program does not create the key or set any policy on it.
        // NOTE(review): presumably a Cloud KMS key resource ID - confirm the
        // expected format and that the key's permissions are managed elsewhere.
        var kmsKeyResourceId = stackConfig.RequireObject<dynamic>("cmekResourceId");

        var gcpKey = new Databricks.Inputs.MwsCustomerManagedKeysGcpKeyInfoArgs
        {
            KmsKeyId = kmsKeyResourceId,
        };

        // Register the key with the Databricks account for MANAGED_SERVICES.
        var managedServices = new Databricks.MwsCustomerManagedKeys("managedServices", new()
        {
            AccountId = accountId,
            GcpKeyInfo = gcpKey,
            UseCases = new[] { "MANAGED_SERVICES" },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
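    // main registers an existing key, identified by the cmekResourceId config
    // value, with the Databricks account for the MANAGED_SERVICES use case.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		cfg := config.New(ctx, "")
    		// Require reads each value as a string and fails the deployment when
    		// the key is unset.
    		databricksAccountId := cfg.Require("databricksAccountId")
    		// The key itself is not created here.
    		// NOTE(review): presumably a Cloud KMS key resource ID - confirm the
    		// expected format and that the key's permissions are managed elsewhere.
    		cmekResourceId := cfg.Require("cmekResourceId")
    		_, err := databricks.NewMwsCustomerManagedKeys(ctx, "managedServices", &databricks.MwsCustomerManagedKeysArgs{
    			AccountId: pulumi.String(databricksAccountId),
    			GcpKeyInfo: &databricks.MwsCustomerManagedKeysGcpKeyInfoArgs{
    				KmsKeyId: pulumi.String(cmekResourceId),
    			},
    			UseCases: pulumi.StringArray{
    				pulumi.String("MANAGED_SERVICES"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }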
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysGcpKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that registers an existing key, identified by the
     * cmekResourceId config value, with a Databricks account for the
     * MANAGED_SERVICES use case.
     */
    public class App {
        /** Entry point: hands {@link #stack} to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the Databricks customer-managed-key registration.
         *
         * @param ctx Pulumi context used to read stack configuration
         */
        public static void stack(Context ctx) {
            final var config = ctx.config();
            // NOTE(review): the C#, Python and TypeScript variants on this page use a
            // required lookup for both values; confirm that config.get(...) is
            // intended here and that a missing value fails the deployment.
            final var databricksAccountId = config.get("databricksAccountId");
            // The key itself is not created here.
            // NOTE(review): presumably a Cloud KMS key resource ID - confirm.
            final var cmekResourceId = config.get("cmekResourceId");
            var managedServices = new MwsCustomerManagedKeys("managedServices", MwsCustomerManagedKeysArgs.builder()        
                .accountId(databricksAccountId)
                .gcpKeyInfo(MwsCustomerManagedKeysGcpKeyInfoArgs.builder()
                    .kmsKeyId(cmekResourceId)
                    .build())
                .useCases("MANAGED_SERVICES")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_databricks as databricks
    
    stack_config = pulumi.Config()
    account_id = stack_config.require_object("databricksAccountId")
    # Identifier of an existing key, supplied through stack configuration; this
    # program does not create the key or set any policy on it.
    # NOTE(review): presumably a Cloud KMS key resource ID - confirm the expected
    # format and that the key's permissions are managed elsewhere.
    kms_key_resource_id = stack_config.require_object("cmekResourceId")

    gcp_key = databricks.MwsCustomerManagedKeysGcpKeyInfoArgs(
        kms_key_id=kms_key_resource_id,
    )

    # Register the key with the Databricks account for MANAGED_SERVICES.
    managed_services = databricks.MwsCustomerManagedKeys(
        "managedServices",
        account_id=account_id,
        gcp_key_info=gcp_key,
        use_cases=["MANAGED_SERVICES"],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as databricks from "@pulumi/databricks";
    
    const stackConfig = new pulumi.Config();
    const accountId = stackConfig.requireObject("databricksAccountId");
    // Identifier of an existing key, supplied through stack configuration; this
    // program does not create the key or set any policy on it.
    // NOTE(review): presumably a Cloud KMS key resource ID - confirm the expected
    // format and that the key's permissions are managed elsewhere.
    const kmsKeyResourceId = stackConfig.requireObject("cmekResourceId");

    const gcpKey = { kmsKeyId: kmsKeyResourceId };

    // Register the key with the Databricks account for MANAGED_SERVICES.
    const managedServices = new databricks.MwsCustomerManagedKeys("managedServices", {
        accountId: accountId,
        gcpKeyInfo: gcpKey,
        useCases: ["MANAGED_SERVICES"],
    });
    
    # Pulumi YAML program: registers an existing key with a Databricks account for
    # the MANAGED_SERVICES use case. The key itself is not created here.
    configuration:
      databricksAccountId:
        type: dynamic
      # NOTE(review): presumably a Cloud KMS key resource ID - confirm the expected
      # format and that the key's permissions are managed elsewhere.
      cmekResourceId:
        type: dynamic
    resources:
      managedServices:
        type: databricks:MwsCustomerManagedKeys
        properties:
          accountId: ${databricksAccountId}
          gcpKeyInfo:
            kmsKeyId: ${cmekResourceId}
          useCases:
            - MANAGED_SERVICES
    

    For AWS (workspace storage use case)

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Databricks = Pulumi.Databricks;
    
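    return await Deployment.RunAsync(() => 
    {
        var config = new Config();
        var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
        // Principal of the EBS statement below.
        // NOTE(review): presumably the ARN of the Databricks cross-account IAM
        // role - confirm the expected format.
        var databricksCrossAccountRole = config.RequireObject<dynamic>("databricksCrossAccountRole");
        // Look up the deploying account explicitly; the original listing referred to
        // an undefined `data.Aws_caller_identity` symbol.
        var current = Aws.GetCallerIdentity.Invoke();

        // Key policy. In a key policy the resource "*" means the key the policy is
        // attached to.
        var databricksStorageCmk = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Version = "2012-10-17",
            Statements = new[]
            {
                // Statement 1: the deploying account keeps kms:* on the key; with an
                // account as principal, access is governed by that account's IAM
                // policies.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Enable IAM User Permissions",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId),
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                // Statement 2: cryptographic operations for the external principal.
                // NOTE(review): the principal is a whole account root and the
                // statement has no condition; check current Databricks guidance for
                // a condition that narrows it to your own Databricks account.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Allow Databricks to use KMS key for DBFS",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                "arn:aws:iam::414351767826:root",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:ReEncrypt*",
                        "kms:GenerateDataKey*",
                        "kms:DescribeKey",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                // Statement 3: grant management for the same principal, allowed only
                // when kms:GrantIsForAWSResource is true.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Allow Databricks to use KMS key for DBFS (Grants)",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                "arn:aws:iam::414351767826:root",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:CreateGrant",
                        "kms:ListGrants",
                        "kms:RevokeGrant",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "Bool",
                            Variable = "kms:GrantIsForAWSResource",
                            Values = new[]
                            {
                                "true",
                            },
                        },
                    },
                },
                // Statement 4: the cross-account role may use the key only for
                // requests whose kms:ViaService matches an EC2 endpoint.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Allow Databricks to use KMS key for EBS",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                databricksCrossAccountRole,
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:Decrypt",
                        "kms:GenerateDataKey*",
                        "kms:CreateGrant",
                        "kms:DescribeKey",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "ForAnyValue:StringLike",
                            Variable = "kms:ViaService",
                            Values = new[]
                            {
                                "ec2.*.amazonaws.com",
                            },
                        },
                    },
                },
            },
        });
    
        // NOTE(review): only the policy is set on the key; rotation and the deletion
        // window are left at provider defaults.
        var storageCustomerManagedKey = new Aws.Kms.Key("storageCustomerManagedKey", new()
        {
            Policy = databricksStorageCmk.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var storageCustomerManagedKeyAlias = new Aws.Kms.Alias("storageCustomerManagedKeyAlias", new()
        {
            TargetKeyId = storageCustomerManagedKey.KeyId,
        });
    
        // Register the key with the Databricks account for the STORAGE use case.
        var storage = new Databricks.MwsCustomerManagedKeys("storage", new()
        {
            AccountId = databricksAccountId,
            AwsKeyInfo = new Databricks.Inputs.MwsCustomerManagedKeysAwsKeyInfoArgs
            {
                KeyArn = storageCustomerManagedKey.Arn,
                KeyAlias = storageCustomerManagedKeyAlias.Name,
            },
            UseCases = new[]
            {
                "STORAGE",
            },
        });
    
    });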
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/kms"
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
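    // main declares a KMS key whose policy covers the Databricks DBFS and EBS
    // statements below, gives the key an alias, and registers it with the
    // Databricks account for the STORAGE use case.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		cfg := config.New(ctx, "")
    		// Require reads each value as a string and fails the deployment when
    		// the key is unset.
    		databricksAccountId := cfg.Require("databricksAccountId")
    		// Principal of the EBS statement below.
    		// NOTE(review): presumably the ARN of the Databricks cross-account
    		// IAM role - confirm the expected format.
    		databricksCrossAccountRole := cfg.Require("databricksCrossAccountRole")
    		// Look up the deploying account explicitly; the original listing
    		// referred to an undefined data.Aws_caller_identity symbol.
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		// Key policy. In a key policy the resource "*" means the key the
    		// policy is attached to.
    		databricksStorageCmk, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Version: pulumi.StringRef("2012-10-17"),
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					// The deploying account keeps kms:* on the key; with an
    					// account as principal, access is governed by that
    					// account's IAM policies.
    					Sid:    pulumi.StringRef("Enable IAM User Permissions"),
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "AWS",
    							Identifiers: []string{
    								current.AccountId,
    							},
    						},
    					},
    					Actions: []string{
    						"kms:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					// Cryptographic operations for the external principal.
    					// NOTE(review): the principal is a whole account root
    					// and the statement has no condition; check current
    					// Databricks guidance for a condition that narrows it
    					// to your own Databricks account.
    					Sid:    pulumi.StringRef("Allow Databricks to use KMS key for DBFS"),
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "AWS",
    							Identifiers: []string{
    								"arn:aws:iam::414351767826:root",
    							},
    						},
    					},
    					Actions: []string{
    						"kms:Encrypt",
    						"kms:Decrypt",
    						"kms:ReEncrypt*",
    						"kms:GenerateDataKey*",
    						"kms:DescribeKey",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					// Grant management for the same principal, allowed only
    					// when kms:GrantIsForAWSResource is true.
    					Sid:    pulumi.StringRef("Allow Databricks to use KMS key for DBFS (Grants)"),
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "AWS",
    							Identifiers: []string{
    								"arn:aws:iam::414351767826:root",
    							},
    						},
    					},
    					Actions: []string{
    						"kms:CreateGrant",
    						"kms:ListGrants",
    						"kms:RevokeGrant",
    					},
    					Resources: []string{
    						"*",
    					},
    					Conditions: []iam.GetPolicyDocumentStatementCondition{
    						{
    							Test:     "Bool",
    							Variable: "kms:GrantIsForAWSResource",
    							Values: []string{
    								"true",
    							},
    						},
    					},
    				},
    				{
    					// The cross-account role may use the key only for
    					// requests whose kms:ViaService matches an EC2 endpoint.
    					Sid:    pulumi.StringRef("Allow Databricks to use KMS key for EBS"),
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "AWS",
    							Identifiers: []string{
    								databricksCrossAccountRole,
    							},
    						},
    					},
    					Actions: []string{
    						"kms:Decrypt",
    						"kms:GenerateDataKey*",
    						"kms:CreateGrant",
    						"kms:DescribeKey",
    					},
    					Resources: []string{
    						"*",
    					},
    					Conditions: []iam.GetPolicyDocumentStatementCondition{
    						{
    							Test:     "ForAnyValue:StringLike",
    							Variable: "kms:ViaService",
    							Values: []string{
    								"ec2.*.amazonaws.com",
    							},
    						},
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// NOTE(review): only the policy is set on the key; rotation and the
    		// deletion window are left at provider defaults.
    		storageCustomerManagedKey, err := kms.NewKey(ctx, "storageCustomerManagedKey", &kms.KeyArgs{
    			Policy: pulumi.String(databricksStorageCmk.Json),
    		})
    		if err != nil {
    			return err
    		}
    		storageCustomerManagedKeyAlias, err := kms.NewAlias(ctx, "storageCustomerManagedKeyAlias", &kms.AliasArgs{
    			TargetKeyId: storageCustomerManagedKey.KeyId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = databricks.NewMwsCustomerManagedKeys(ctx, "storage", &databricks.MwsCustomerManagedKeysArgs{
    			AccountId: pulumi.String(databricksAccountId),
    			AwsKeyInfo: &databricks.MwsCustomerManagedKeysAwsKeyInfoArgs{
    				KeyArn:   storageCustomerManagedKey.Arn,
    				KeyAlias: storageCustomerManagedKeyAlias.Name,
    			},
    			UseCases: pulumi.StringArray{
    				pulumi.String("STORAGE"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }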
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import com.pulumi.aws.kms.Alias;
    import com.pulumi.aws.kms.AliasArgs;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysAwsKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        /**
         * Program entry point: passes the stack definition to the Pulumi runtime.
         *
         * @param args command-line arguments (unused)
         */
        public static void main(String[] args) {
            Pulumi.run(ctx -> stack(ctx));
        }
    
        public static void stack(Context ctx) {
            final var config = ctx.config();
            final var databricksAccountId = config.get("databricksAccountId");
            final var databricksCrossAccountRole = config.get("databricksCrossAccountRole");
            final var databricksStorageCmk = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .version("2012-10-17")
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Enable IAM User Permissions")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(data.aws_caller_identity().current().account_id())
                            .build())
                        .actions("kms:*")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for DBFS")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers("arn:aws:iam::414351767826:root")
                            .build())
                        .actions(                    
                            "kms:Encrypt",
                            "kms:Decrypt",
                            "kms:ReEncrypt*",
                            "kms:GenerateDataKey*",
                            "kms:DescribeKey")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for DBFS (Grants)")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers("arn:aws:iam::414351767826:root")
                            .build())
                        .actions(                    
                            "kms:CreateGrant",
                            "kms:ListGrants",
                            "kms:RevokeGrant")
                        .resources("*")
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("Bool")
                            .variable("kms:GrantIsForAWSResource")
                            .values("true")
                            .build())
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for EBS")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(databricksCrossAccountRole)
                            .build())
                        .actions(                    
                            "kms:Decrypt",
                            "kms:GenerateDataKey*",
                            "kms:CreateGrant",
                            "kms:DescribeKey")
                        .resources("*")
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("ForAnyValue:StringLike")
                            .variable("kms:ViaService")
                            .values("ec2.*.amazonaws.com")
                            .build())
                        .build())
                .build());
    
            var storageCustomerManagedKey = new Key("storageCustomerManagedKey", KeyArgs.builder()        
                .policy(databricksStorageCmk.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var storageCustomerManagedKeyAlias = new Alias("storageCustomerManagedKeyAlias", AliasArgs.builder()        
                .targetKeyId(storageCustomerManagedKey.keyId())
                .build());
    
            var storage = new MwsCustomerManagedKeys("storage", MwsCustomerManagedKeysArgs.builder()        
                .accountId(databricksAccountId)
                .awsKeyInfo(MwsCustomerManagedKeysAwsKeyInfoArgs.builder()
                    .keyArn(storageCustomerManagedKey.arn())
                    .keyAlias(storageCustomerManagedKeyAlias.name())
                    .build())
                .useCases("STORAGE")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_databricks as databricks
    
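    # Creates an AWS KMS key with a Databricks-specific key policy, aliases it, and
    # registers it with the Databricks account for the STORAGE use case.
    config = pulumi.Config()
    databricks_account_id = config.require_object("databricksAccountId")
    databricks_cross_account_role = config.require_object("databricksCrossAccountRole")
    # Look up the AWS account running the deployment. The listing previously referenced an
    # undefined `data[...]` mapping (an unconverted Terraform data source), which raises
    # NameError at run time.
    current = aws.get_caller_identity()
    # Key policy. In a KMS key policy, resources=["*"] refers to the key the policy is
    # attached to, so the scope of each statement is set by its principal and conditions.
    databricks_storage_cmk = aws.iam.get_policy_document(version="2012-10-17",
        statements=[
            # Full kms:* for the owning account: this delegates access control for the key to
            # that account's IAM policies, so review who holds kms:* permissions in IAM.
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="Enable IAM User Permissions",
                effect="Allow",
                principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    type="AWS",
                    identifiers=[current.account_id],
                )],
                actions=["kms:*"],
                resources=["*"],
            ),
            # Cryptographic operations for the principal the sid attributes to Databricks.
            # Confirm this account ID against current Databricks documentation for your
            # deployment before trusting it.
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="Allow Databricks to use KMS key for DBFS",
                effect="Allow",
                principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    type="AWS",
                    identifiers=["arn:aws:iam::414351767826:root"],
                )],
                actions=[
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey",
                ],
                resources=["*"],
            ),
            # Grant management for the same principal, limited by kms:GrantIsForAWSResource
            # to grants made for AWS services.
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="Allow Databricks to use KMS key for DBFS (Grants)",
                effect="Allow",
                principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    type="AWS",
                    identifiers=["arn:aws:iam::414351767826:root"],
                )],
                actions=[
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant",
                ],
                resources=["*"],
                conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
                    test="Bool",
                    variable="kms:GrantIsForAWSResource",
                    values=["true"],
                )],
            ),
            # The configured cross-account role may use the key only for requests that arrive
            # through EC2 (kms:ViaService), which covers EBS volumes.
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="Allow Databricks to use KMS key for EBS",
                effect="Allow",
                principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    type="AWS",
                    identifiers=[databricks_cross_account_role],
                )],
                actions=[
                    "kms:Decrypt",
                    "kms:GenerateDataKey*",
                    "kms:CreateGrant",
                    "kms:DescribeKey",
                ],
                resources=["*"],
                conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
                    test="ForAnyValue:StringLike",
                    variable="kms:ViaService",
                    values=["ec2.*.amazonaws.com"],
                )],
            ),
        ])
    # The rendered policy JSON becomes the key policy. Rotation and deletion-window settings
    # are left at provider defaults here; set them according to your key-management policy.
    storage_customer_managed_key = aws.kms.Key("storageCustomerManagedKey", policy=databricks_storage_cmk.json)
    storage_customer_managed_key_alias = aws.kms.Alias("storageCustomerManagedKeyAlias", target_key_id=storage_customer_managed_key.key_id)
    # Register the key (ARN + alias) with the Databricks account for the STORAGE use case.
    storage = databricks.MwsCustomerManagedKeys("storage",
        account_id=databricks_account_id,
        aws_key_info=databricks.MwsCustomerManagedKeysAwsKeyInfoArgs(
            key_arn=storage_customer_managed_key.arn,
            key_alias=storage_customer_managed_key_alias.name,
        ),
        use_cases=["STORAGE"])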
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as databricks from "@pulumi/databricks";
    
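    // Creates an AWS KMS key with a Databricks-specific key policy, aliases it, and
    // registers it with the Databricks account for the STORAGE use case.
    const config = new pulumi.Config();
    const databricksAccountId = config.requireObject("databricksAccountId");
    const databricksCrossAccountRole = config.requireObject("databricksCrossAccountRole");
    // Look up the AWS account running the deployment. The listing previously referenced an
    // undeclared `data` object (an unconverted Terraform data source), which does not compile.
    const current = aws.getCallerIdentity({});
    // Key policy. In a KMS key policy, resources ["*"] refers to the key the policy is
    // attached to, so the scope of each statement is set by its principal and conditions.
    const databricksStorageCmk = current.then(current => aws.iam.getPolicyDocument({
        version: "2012-10-17",
        statements: [
            // Full kms:* for the owning account: this delegates access control for the key to
            // that account's IAM policies, so review who holds kms:* permissions in IAM.
            {
                sid: "Enable IAM User Permissions",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: [current.accountId],
                }],
                actions: ["kms:*"],
                resources: ["*"],
            },
            // Cryptographic operations for the principal the sid attributes to Databricks.
            // Confirm this account ID against current Databricks documentation for your
            // deployment before trusting it.
            {
                sid: "Allow Databricks to use KMS key for DBFS",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: ["arn:aws:iam::414351767826:root"],
                }],
                actions: [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey",
                ],
                resources: ["*"],
            },
            // Grant management for the same principal, limited by kms:GrantIsForAWSResource
            // to grants made for AWS services.
            {
                sid: "Allow Databricks to use KMS key for DBFS (Grants)",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: ["arn:aws:iam::414351767826:root"],
                }],
                actions: [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant",
                ],
                resources: ["*"],
                conditions: [{
                    test: "Bool",
                    variable: "kms:GrantIsForAWSResource",
                    values: ["true"],
                }],
            },
            // The configured cross-account role may use the key only for requests that arrive
            // through EC2 (kms:ViaService), which covers EBS volumes.
            {
                sid: "Allow Databricks to use KMS key for EBS",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: [databricksCrossAccountRole],
                }],
                actions: [
                    "kms:Decrypt",
                    "kms:GenerateDataKey*",
                    "kms:CreateGrant",
                    "kms:DescribeKey",
                ],
                resources: ["*"],
                conditions: [{
                    test: "ForAnyValue:StringLike",
                    variable: "kms:ViaService",
                    values: ["ec2.*.amazonaws.com"],
                }],
            },
        ],
    }));
    // The rendered policy JSON becomes the key policy. Rotation and deletion-window settings
    // are left at provider defaults here; set them according to your key-management policy.
    const storageCustomerManagedKey = new aws.kms.Key("storageCustomerManagedKey", {policy: databricksStorageCmk.then(databricksStorageCmk => databricksStorageCmk.json)});
    const storageCustomerManagedKeyAlias = new aws.kms.Alias("storageCustomerManagedKeyAlias", {targetKeyId: storageCustomerManagedKey.keyId});
    // Register the key (ARN + alias) with the Databricks account for the STORAGE use case.
    const storage = new databricks.MwsCustomerManagedKeys("storage", {
        accountId: databricksAccountId,
        awsKeyInfo: {
            keyArn: storageCustomerManagedKey.arn,
            keyAlias: storageCustomerManagedKeyAlias.name,
        },
        useCases: ["STORAGE"],
    });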
    
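    # Creates an AWS KMS key with a Databricks-specific key policy, aliases it, and
    # registers it with the Databricks account for the STORAGE use case.
    configuration:
      databricksAccountId:
        type: dynamic
      databricksCrossAccountRole:
        type: dynamic
    resources:
      # Rotation and deletion-window settings are left at provider defaults here;
      # set them according to your key-management policy.
      storageCustomerManagedKey:
        type: aws:kms:Key
        properties:
          policy: ${databricksStorageCmk.json}
      storageCustomerManagedKeyAlias:
        type: aws:kms:Alias
        properties:
          targetKeyId: ${storageCustomerManagedKey.keyId}
      storage:
        type: databricks:MwsCustomerManagedKeys
        properties:
          accountId: ${databricksAccountId}
          awsKeyInfo:
            keyArn: ${storageCustomerManagedKey.arn}
            keyAlias: ${storageCustomerManagedKeyAlias.name}
          useCases:
            - STORAGE
    variables:
      # AWS account running the deployment. The listing previously interpolated an
      # undefined `data.aws_caller_identity...` name (an unconverted Terraform data source).
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
      # Key policy. In a KMS key policy, resource '*' refers to the key the policy is
      # attached to, so the scope of each statement is set by its principal and conditions.
      databricksStorageCmk:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            # Quoted so the policy version is always read as a string, never as a date.
            version: "2012-10-17"
            statements:
              # Full kms:* for the owning account: delegates access control for the key to
              # that account's IAM policies, so review who holds kms:* permissions in IAM.
              - sid: Enable IAM User Permissions
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${current.accountId}
                actions:
                  - kms:*
                resources:
                  - '*'
              # Cryptographic operations for the principal the sid attributes to Databricks.
              # Confirm this account ID against current Databricks documentation first.
              - sid: Allow Databricks to use KMS key for DBFS
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - arn:aws:iam::414351767826:root
                actions:
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:ReEncrypt*
                  - kms:GenerateDataKey*
                  - kms:DescribeKey
                resources:
                  - '*'
              # Grant management for the same principal, limited by kms:GrantIsForAWSResource
              # to grants made for AWS services.
              - sid: Allow Databricks to use KMS key for DBFS (Grants)
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - arn:aws:iam::414351767826:root
                actions:
                  - kms:CreateGrant
                  - kms:ListGrants
                  - kms:RevokeGrant
                resources:
                  - '*'
                conditions:
                  - test: Bool
                    variable: kms:GrantIsForAWSResource
                    values:
                      - 'true'
              # The configured cross-account role may use the key only for requests that
              # arrive through EC2 (kms:ViaService), which covers EBS volumes.
              - sid: Allow Databricks to use KMS key for EBS
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${databricksCrossAccountRole}
                actions:
                  - kms:Decrypt
                  - kms:GenerateDataKey*
                  - kms:CreateGrant
                  - kms:DescribeKey
                resources:
                  - '*'
                conditions:
                  - test: ForAnyValue:StringLike
                    variable: kms:ViaService
                    values:
                      - ec2.*.amazonaws.com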
    

    For GCP

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Databricks = Pulumi.Databricks;
    
    // Registers an existing GCP KMS key (identified by the cmekResourceId stack setting)
    // with the Databricks account for the STORAGE use case.
    return await Deployment.RunAsync(() =>
    {
        var stackConfig = new Config();
        var accountId = stackConfig.RequireObject<dynamic>("databricksAccountId");
        var kmsKeyId = stackConfig.RequireObject<dynamic>("cmekResourceId");

        // Key reference handed to Databricks; the key itself is not created by this program.
        var gcpKey = new Databricks.Inputs.MwsCustomerManagedKeysGcpKeyInfoArgs
        {
            KmsKeyId = kmsKeyId,
        };

        var storage = new Databricks.MwsCustomerManagedKeys("storage", new Databricks.MwsCustomerManagedKeysArgs
        {
            AccountId = accountId,
            GcpKeyInfo = gcpKey,
            UseCases = new[] { "STORAGE" },
        });
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
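    // main registers an existing GCP KMS key (identified by the cmekResourceId stack
    // setting) with the Databricks account for the STORAGE use case.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		cfg := config.New(ctx, "")
    		// Require reads a mandatory string setting. RequireObject takes a second
    		// output argument in the Go SDK, so the one-argument form does not compile.
    		databricksAccountID := cfg.Require("databricksAccountId")
    		cmekResourceID := cfg.Require("cmekResourceId")
    		// pulumi.String is used because these fields take string inputs; the key
    		// itself is not created by this program, only referenced.
    		_, err := databricks.NewMwsCustomerManagedKeys(ctx, "storage", &databricks.MwsCustomerManagedKeysArgs{
    			AccountId: pulumi.String(databricksAccountID),
    			GcpKeyInfo: &databricks.MwsCustomerManagedKeysGcpKeyInfoArgs{
    				KmsKeyId: pulumi.String(cmekResourceID),
    			},
    			UseCases: pulumi.StringArray{
    				pulumi.String("STORAGE"),
    			},
    		})
    		return err
    	})
    }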
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysGcpKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    // Pulumi program that registers an existing GCP KMS key (identified by the
    // cmekResourceId stack setting) with the Databricks account for the STORAGE use case.
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        // Declares the single MwsCustomerManagedKeys resource of this stack.
        public static void stack(Context ctx) {
            final var cfg = ctx.config();
            final var accountId = cfg.get("databricksAccountId");
            final var kmsKeyId = cfg.get("cmekResourceId");

            // Key reference handed to Databricks; the key itself is not created here.
            final var gcpKey = MwsCustomerManagedKeysGcpKeyInfoArgs.builder()
                .kmsKeyId(kmsKeyId)
                .build();

            final var keyArgs = MwsCustomerManagedKeysArgs.builder()
                .accountId(accountId)
                .gcpKeyInfo(gcpKey)
                .useCases("STORAGE")
                .build();

            var storage = new MwsCustomerManagedKeys("storage", keyArgs);
        }
    }
    
    import pulumi
    import pulumi_databricks as databricks
    
    # Registers an existing GCP KMS key (identified by the cmekResourceId stack setting)
    # with the Databricks account for the STORAGE use case.
    stack_config = pulumi.Config()
    account_id = stack_config.require_object("databricksAccountId")
    kms_key_id = stack_config.require_object("cmekResourceId")
    # Key reference handed to Databricks; the key itself is not created by this program.
    gcp_key = databricks.MwsCustomerManagedKeysGcpKeyInfoArgs(kms_key_id=kms_key_id)
    storage = databricks.MwsCustomerManagedKeys(
        "storage",
        account_id=account_id,
        gcp_key_info=gcp_key,
        use_cases=["STORAGE"],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as databricks from "@pulumi/databricks";
    
    // Registers an existing GCP KMS key (identified by the cmekResourceId stack setting)
    // with the Databricks account for the STORAGE use case.
    const stackConfig = new pulumi.Config();
    const accountId = stackConfig.requireObject("databricksAccountId");
    const kmsKeyId = stackConfig.requireObject("cmekResourceId");
    // Key reference handed to Databricks; the key itself is not created by this program.
    const gcpKeyInfo = { kmsKeyId };
    const storage = new databricks.MwsCustomerManagedKeys("storage", {
        accountId,
        gcpKeyInfo,
        useCases: ["STORAGE"],
    });
    
    # Registers an existing GCP KMS key with the Databricks account for the STORAGE use case.
    configuration:
      databricksAccountId:
        type: dynamic
      # Identifier of the customer-managed key; presumably the full Cloud KMS key
      # resource ID. Confirm the expected format against the provider documentation.
      cmekResourceId:
        type: dynamic
    resources:
      storage:
        type: databricks:MwsCustomerManagedKeys
        properties:
          accountId: ${databricksAccountId}
          # The key is only referenced here; it is not created by this program.
          gcpKeyInfo:
            kmsKeyId: ${cmekResourceId}
          useCases:
            - STORAGE
    

    Create MwsCustomerManagedKeys Resource

    new MwsCustomerManagedKeys(name: string, args: MwsCustomerManagedKeysArgs, opts?: CustomResourceOptions);
    @overload
    def MwsCustomerManagedKeys(resource_name: str,
                               opts: Optional[ResourceOptions] = None,
                               account_id: Optional[str] = None,
                               aws_key_info: Optional[MwsCustomerManagedKeysAwsKeyInfoArgs] = None,
                               creation_time: Optional[int] = None,
                               customer_managed_key_id: Optional[str] = None,
                               gcp_key_info: Optional[MwsCustomerManagedKeysGcpKeyInfoArgs] = None,
                               use_cases: Optional[Sequence[str]] = None)
    @overload
    def MwsCustomerManagedKeys(resource_name: str,
                               args: MwsCustomerManagedKeysArgs,
                               opts: Optional[ResourceOptions] = None)
    func NewMwsCustomerManagedKeys(ctx *Context, name string, args MwsCustomerManagedKeysArgs, opts ...ResourceOption) (*MwsCustomerManagedKeys, error)
    public MwsCustomerManagedKeys(string name, MwsCustomerManagedKeysArgs args, CustomResourceOptions? opts = null)
    public MwsCustomerManagedKeys(String name, MwsCustomerManagedKeysArgs args)
    public MwsCustomerManagedKeys(String name, MwsCustomerManagedKeysArgs args, CustomResourceOptions options)
    
    type: databricks:MwsCustomerManagedKeys
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    MwsCustomerManagedKeys Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The MwsCustomerManagedKeys resource accepts the following input properties:

    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    UseCases List<string>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are: MANAGED_SERVICES and STORAGE.
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    UseCases []string
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    accountId String
    Account Id that could be found in the top right corner of Accounts Console
    useCases List<String>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Integer
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    accountId string
    Account Id that could be found in the top right corner of Accounts Console
    useCases string[]
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId string
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    account_id str
    Account Id that could be found in the top right corner of Accounts Console
    use_cases Sequence[str]
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:
    aws_key_info MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    creation_time int
    (Integer) Time in epoch milliseconds when the customer key was created.
    customer_managed_key_id str
    (String) ID of the encryption key configuration object.
    gcp_key_info MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    accountId String
    Account Id that could be found in the top right corner of Accounts Console
    useCases List<String>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:
    awsKeyInfo Property Map
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo Property Map
    This field is a block and is documented below. This conflicts with aws_key_info

    Outputs

    All input properties are implicitly available as output properties. Additionally, the MwsCustomerManagedKeys resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing MwsCustomerManagedKeys Resource

    Get an existing MwsCustomerManagedKeys resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: MwsCustomerManagedKeysState, opts?: CustomResourceOptions): MwsCustomerManagedKeys
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            account_id: Optional[str] = None,
            aws_key_info: Optional[MwsCustomerManagedKeysAwsKeyInfoArgs] = None,
            creation_time: Optional[int] = None,
            customer_managed_key_id: Optional[str] = None,
            gcp_key_info: Optional[MwsCustomerManagedKeysGcpKeyInfoArgs] = None,
            use_cases: Optional[Sequence[str]] = None) -> MwsCustomerManagedKeys
    func GetMwsCustomerManagedKeys(ctx *Context, name string, id IDInput, state *MwsCustomerManagedKeysState, opts ...ResourceOption) (*MwsCustomerManagedKeys, error)
    public static MwsCustomerManagedKeys Get(string name, Input<string> id, MwsCustomerManagedKeysState? state, CustomResourceOptions? opts = null)
    public static MwsCustomerManagedKeys get(String name, Output<String> id, MwsCustomerManagedKeysState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    UseCases List<string>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:
    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    UseCases []string
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:
    accountId String
    Account Id that could be found in the top right corner of Accounts Console
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Integer
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    useCases List<String>
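    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are MANAGED_SERVICES (encryption of workspace objects, such as notebooks and secrets, that are stored in the control plane) and STORAGE (encryption of the workspace's DBFS storage and cluster EBS volumes).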
    accountId string
    Account ID, which can be found in the top right corner of the Accounts Console.
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId string
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    useCases string[]
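    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are MANAGED_SERVICES (encryption of workspace objects, such as notebooks and secrets, that are stored in the control plane) and STORAGE (encryption of the workspace's DBFS storage and cluster EBS volumes).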
    account_id str
    Account ID, which can be found in the top right corner of the Accounts Console.
    aws_key_info MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    creation_time int
    (Integer) Time in epoch milliseconds when the customer key was created.
    customer_managed_key_id str
    (String) ID of the encryption key configuration object.
    gcp_key_info MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    use_cases Sequence[str]
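    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are MANAGED_SERVICES (encryption of workspace objects, such as notebooks and secrets, that are stored in the control plane) and STORAGE (encryption of the workspace's DBFS storage and cluster EBS volumes).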
    accountId String
    Account ID, which can be found in the top right corner of the Accounts Console.
    awsKeyInfo Property Map
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo Property Map
    This field is a block and is documented below. This conflicts with aws_key_info
    useCases List<String>
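    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are MANAGED_SERVICES (encryption of workspace objects, such as notebooks and secrets, that are stored in the control plane) and STORAGE (encryption of the workspace's DBFS storage and cluster EBS volumes).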

    Supporting Types

    MwsCustomerManagedKeysAwsKeyInfo, MwsCustomerManagedKeysAwsKeyInfoArgs

    KeyArn string
    The AWS KMS key's Amazon Resource Name (ARN).
    KeyAlias string
    The AWS KMS key alias.
    KeyRegion string
    (Computed) The AWS region in which the KMS key is deployed. This is not required.
    KeyArn string
    The AWS KMS key's Amazon Resource Name (ARN).
    KeyAlias string
    The AWS KMS key alias.
    KeyRegion string
    (Computed) The AWS region in which the KMS key is deployed. This is not required.
    keyArn String
    The AWS KMS key's Amazon Resource Name (ARN).
    keyAlias String
    The AWS KMS key alias.
    keyRegion String
    (Computed) The AWS region in which the KMS key is deployed. This is not required.
    keyArn string
    The AWS KMS key's Amazon Resource Name (ARN).
    keyAlias string
    The AWS KMS key alias.
    keyRegion string
    (Computed) The AWS region in which the KMS key is deployed. This is not required.
    key_arn str
    The AWS KMS key's Amazon Resource Name (ARN).
    key_alias str
    The AWS KMS key alias.
    key_region str
    (Computed) The AWS region in which the KMS key is deployed. This is not required.
    keyArn String
    The AWS KMS key's Amazon Resource Name (ARN).
    keyAlias String
    The AWS KMS key alias.
    keyRegion String
    (Computed) The AWS region in which the KMS key is deployed. This is not required.

    MwsCustomerManagedKeysGcpKeyInfo, MwsCustomerManagedKeysGcpKeyInfoArgs

    KmsKeyId string
    The GCP KMS key's resource name.
    KmsKeyId string
    The GCP KMS key's resource name.
    kmsKeyId String
    The GCP KMS key's resource name.
    kmsKeyId string
    The GCP KMS key's resource name.
    kms_key_id str
    The GCP KMS key's resource name.
    kmsKeyId String
    The GCP KMS key's resource name.

    Import

    Note: Importing this resource is not currently supported.

    Package Details

    Repository
    databricks pulumi/pulumi-databricks
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the databricks Terraform Provider.