1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. getPolicyDocument
HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi

vault.getPolicyDocument

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi

    This is a data source which can be used to construct a HCL representation of an Vault policy document, for use with resources which expect policy documents, such as the vault.Policy resource.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const examplePolicyDocument = vault.getPolicyDocument({
        rules: [{
            path: "secret/*",
            capabilities: [
                "create",
                "read",
                "update",
                "delete",
                "list",
            ],
            description: "allow all on secrets",
        }],
    });
    const examplePolicy = new vault.Policy("examplePolicy", {policy: examplePolicyDocument.then(examplePolicyDocument => examplePolicyDocument.hcl)});
    
    import pulumi
    import pulumi_vault as vault
    
    example_policy_document = vault.get_policy_document(rules=[vault.GetPolicyDocumentRuleArgs(
        path="secret/*",
        capabilities=[
            "create",
            "read",
            "update",
            "delete",
            "list",
        ],
        description="allow all on secrets",
    )])
    example_policy = vault.Policy("examplePolicy", policy=example_policy_document.hcl)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		examplePolicyDocument, err := vault.GetPolicyDocument(ctx, &vault.GetPolicyDocumentArgs{
    			Rules: []vault.GetPolicyDocumentRule{
    				{
    					Path: "secret/*",
    					Capabilities: []string{
    						"create",
    						"read",
    						"update",
    						"delete",
    						"list",
    					},
    					Description: pulumi.StringRef("allow all on secrets"),
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = vault.NewPolicy(ctx, "examplePolicy", &vault.PolicyArgs{
    			Policy: pulumi.String(examplePolicyDocument.Hcl),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var examplePolicyDocument = Vault.GetPolicyDocument.Invoke(new()
        {
            Rules = new[]
            {
                new Vault.Inputs.GetPolicyDocumentRuleInputArgs
                {
                    Path = "secret/*",
                    Capabilities = new[]
                    {
                        "create",
                        "read",
                        "update",
                        "delete",
                        "list",
                    },
                    Description = "allow all on secrets",
                },
            },
        });
    
        var examplePolicy = new Vault.Policy("examplePolicy", new()
        {
            PolicyContents = examplePolicyDocument.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Hcl),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.VaultFunctions;
    import com.pulumi.vault.inputs.GetPolicyDocumentArgs;
    import com.pulumi.vault.Policy;
    import com.pulumi.vault.PolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var examplePolicyDocument = VaultFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .rules(GetPolicyDocumentRuleArgs.builder()
                    .path("secret/*")
                    .capabilities(                
                        "create",
                        "read",
                        "update",
                        "delete",
                        "list")
                    .description("allow all on secrets")
                    .build())
                .build());
    
            var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()        
                .policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.hcl()))
                .build());
    
        }
    }
    
    resources:
      examplePolicy:
        type: vault:Policy
        properties:
          policy: ${examplePolicyDocument.hcl}
    variables:
      examplePolicyDocument:
        fn::invoke:
          Function: vault:getPolicyDocument
          Arguments:
            rules:
              - path: secret/*
                capabilities:
                  - create
                  - read
                  - update
                  - delete
                  - list
                description: allow all on secrets
    

    Using getPolicyDocument

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
    function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
    def get_policy_document(namespace: Optional[str] = None,
                            rules: Optional[Sequence[GetPolicyDocumentRule]] = None,
                            opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
    def get_policy_document_output(namespace: Optional[pulumi.Input[str]] = None,
                            rules: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentRuleArgs]]]] = None,
                            opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
    func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
    func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput

    > Note: This function is named GetPolicyDocument in the Go SDK.

    public static class GetPolicyDocument 
    {
        public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
        public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: vault:index/getPolicyDocument:getPolicyDocument
      arguments:
        # arguments dictionary

    The following arguments are supported:

    getPolicyDocument Result

    The following output properties are available:

    Hcl string
    The above arguments serialized as a standard Vault HCL policy document.
    Id string
    The provider-assigned unique ID for this managed resource.
    Rules List<GetPolicyDocumentRule>
    Namespace string
    Hcl string
    The above arguments serialized as a standard Vault HCL policy document.
    Id string
    The provider-assigned unique ID for this managed resource.
    Rules []GetPolicyDocumentRule
    Namespace string
    hcl String
    The above arguments serialized as a standard Vault HCL policy document.
    id String
    The provider-assigned unique ID for this managed resource.
    rules List<GetPolicyDocumentRule>
    namespace String
    hcl string
    The above arguments serialized as a standard Vault HCL policy document.
    id string
    The provider-assigned unique ID for this managed resource.
    rules GetPolicyDocumentRule[]
    namespace string
    hcl str
    The above arguments serialized as a standard Vault HCL policy document.
    id str
    The provider-assigned unique ID for this managed resource.
    rules Sequence[GetPolicyDocumentRule]
    namespace str
    hcl String
    The above arguments serialized as a standard Vault HCL policy document.
    id String
    The provider-assigned unique ID for this managed resource.
    rules List<Property Map>
    namespace String

    Supporting Types

    GetPolicyDocumentRule

    Capabilities List<string>
    A list of capabilities that this rule apply to path. For example, ["read", "write"].
    Path string
    A path in Vault that this rule applies to.
    AllowedParameters List<GetPolicyDocumentRuleAllowedParameter>
    Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
    DeniedParameters List<GetPolicyDocumentRuleDeniedParameter>
    Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
    Description string
    Description of the rule. Will be added as a comment to rendered rule.
    MaxWrappingTtl string
    The maximum allowed TTL that clients can specify for a wrapped response.
    MinWrappingTtl string
    The minimum allowed TTL that clients can specify for a wrapped response.
    RequiredParameters List<string>
    A list of parameters that must be specified.
    Capabilities []string
    A list of capabilities that this rule apply to path. For example, ["read", "write"].
    Path string
    A path in Vault that this rule applies to.
    AllowedParameters []GetPolicyDocumentRuleAllowedParameter
    Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
    DeniedParameters []GetPolicyDocumentRuleDeniedParameter
    Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
    Description string
    Description of the rule. Will be added as a comment to rendered rule.
    MaxWrappingTtl string
    The maximum allowed TTL that clients can specify for a wrapped response.
    MinWrappingTtl string
    The minimum allowed TTL that clients can specify for a wrapped response.
    RequiredParameters []string
    A list of parameters that must be specified.
    capabilities List<String>
    A list of capabilities that this rule apply to path. For example, ["read", "write"].
    path String
    A path in Vault that this rule applies to.
    allowedParameters List<GetPolicyDocumentRuleAllowedParameter>
    Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
    deniedParameters List<GetPolicyDocumentRuleDeniedParameter>
    Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
    description String
    Description of the rule. Will be added as a comment to rendered rule.
    maxWrappingTtl String
    The maximum allowed TTL that clients can specify for a wrapped response.
    minWrappingTtl String
    The minimum allowed TTL that clients can specify for a wrapped response.
    requiredParameters List<String>
    A list of parameters that must be specified.
    capabilities string[]
    A list of capabilities that this rule apply to path. For example, ["read", "write"].
    path string
    A path in Vault that this rule applies to.
    allowedParameters GetPolicyDocumentRuleAllowedParameter[]
    Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
    deniedParameters GetPolicyDocumentRuleDeniedParameter[]
    Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
    description string
    Description of the rule. Will be added as a comment to rendered rule.
    maxWrappingTtl string
    The maximum allowed TTL that clients can specify for a wrapped response.
    minWrappingTtl string
    The minimum allowed TTL that clients can specify for a wrapped response.
    requiredParameters string[]
    A list of parameters that must be specified.
    capabilities Sequence[str]
    A list of capabilities that this rule apply to path. For example, ["read", "write"].
    path str
    A path in Vault that this rule applies to.
    allowed_parameters Sequence[GetPolicyDocumentRuleAllowedParameter]
    Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
    denied_parameters Sequence[GetPolicyDocumentRuleDeniedParameter]
    Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
    description str
    Description of the rule. Will be added as a comment to rendered rule.
    max_wrapping_ttl str
    The maximum allowed TTL that clients can specify for a wrapped response.
    min_wrapping_ttl str
    The minimum allowed TTL that clients can specify for a wrapped response.
    required_parameters Sequence[str]
    A list of parameters that must be specified.
    capabilities List<String>
    A list of capabilities that this rule apply to path. For example, ["read", "write"].
    path String
    A path in Vault that this rule applies to.
    allowedParameters List<Property Map>
    Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
    deniedParameters List<Property Map>
    Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
    description String
    Description of the rule. Will be added as a comment to rendered rule.
    maxWrappingTtl String
    The maximum allowed TTL that clients can specify for a wrapped response.
    minWrappingTtl String
    The minimum allowed TTL that clients can specify for a wrapped response.
    requiredParameters List<String>
    A list of parameters that must be specified.

    GetPolicyDocumentRuleAllowedParameter

    Key string
    name of permitted or denied parameter.
    Values List<string>
    list of values what are permitted or denied by policy rule.
    Key string
    name of permitted or denied parameter.
    Values []string
    list of values what are permitted or denied by policy rule.
    key String
    name of permitted or denied parameter.
    values List<String>
    list of values what are permitted or denied by policy rule.
    key string
    name of permitted or denied parameter.
    values string[]
    list of values what are permitted or denied by policy rule.
    key str
    name of permitted or denied parameter.
    values Sequence[str]
    list of values what are permitted or denied by policy rule.
    key String
    name of permitted or denied parameter.
    values List<String>
    list of values what are permitted or denied by policy rule.

    GetPolicyDocumentRuleDeniedParameter

    Key string
    name of permitted or denied parameter.
    Values List<string>
    list of values what are permitted or denied by policy rule.
    Key string
    name of permitted or denied parameter.
    Values []string
    list of values what are permitted or denied by policy rule.
    key String
    name of permitted or denied parameter.
    values List<String>
    list of values what are permitted or denied by policy rule.
    key string
    name of permitted or denied parameter.
    values string[]
    list of values what are permitted or denied by policy rule.
    key str
    name of permitted or denied parameter.
    values Sequence[str]
    list of values what are permitted or denied by policy rule.
    key String
    name of permitted or denied parameter.
    values List<String>
    list of values what are permitted or denied by policy rule.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi