import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
 * ## Example Usage
 *
 * > If you've used the resource before, please add `useCases = ["MANAGED_SERVICES"]` to keep the previous behaviour.
 *
 * ### Customer-managed key for managed services
 *
 * You must configure this during workspace creation.
 *
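 * ### For AWS
 *
 * In the key policy below, `resources: ["*"]` refers to the KMS key the policy is attached to, not to every key in the account. The first statement gives your own AWS account full `kms:*` access so that IAM policies can control the key; the second grants the Databricks principal only `kms:Encrypt` and `kms:Decrypt`.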
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
 * const databricksAccountId = config.requireObject("databricksAccountId");
 * const current = aws.getCallerIdentity({});
 * const databricksManagedServicesCmk = current.then(current => aws.iam.getPolicyDocument({
 *     version: "2012-10-17",
 *     statements: [
 *         {
 *             sid: "Enable IAM User Permissions",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: [current.accountId],
 *             }],
 *             actions: ["kms:*"],
 *             resources: ["*"],
 *         },
 *         {
 *             sid: "Allow Databricks to use KMS key for control plane managed services",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: ["arn:aws:iam::414351767826:root"],
 *             }],
 *             actions: [
 *                 "kms:Encrypt",
 *                 "kms:Decrypt",
 *             ],
 *             resources: ["*"],
 *         },
 *     ],
 * }));
 * const managedServicesCustomerManagedKey = new aws.kms.Key("managed_services_customer_managed_key", {policy: databricksManagedServicesCmk.then(databricksManagedServicesCmk => databricksManagedServicesCmk.json)});
 * const managedServicesCustomerManagedKeyAlias = new aws.kms.Alias("managed_services_customer_managed_key_alias", {
 *     name: "alias/managed-services-customer-managed-key-alias",
 *     targetKeyId: managedServicesCustomerManagedKey.keyId,
 * });
 * const managedServices = new databricks.MwsCustomerManagedKeys("managed_services", {
 *     accountId: databricksAccountId,
 *     awsKeyInfo: {
 *         keyArn: managedServicesCustomerManagedKey.arn,
 *         keyAlias: managedServicesCustomerManagedKeyAlias.name,
 *     },
 *     useCases: ["MANAGED_SERVICES"],
 * });
 * ```
 *
 * ### For GCP
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
 * const databricksAccountId = config.requireObject("databricksAccountId");
 * // Id of a google_kms_crypto_key
 * const cmekResourceId = config.requireObject("cmekResourceId");
 * const managedServices = new databricks.MwsCustomerManagedKeys("managed_services", {
 *     accountId: databricksAccountId,
 *     gcpKeyInfo: {
 *         kmsKeyId: cmekResourceId,
 *     },
 *     useCases: ["MANAGED_SERVICES"],
 * });
 * ```
 *
 * ### Customer-managed key for workspace storage
 *
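 * ### For AWS
 *
 * The storage key policy below grants the Databricks principal more actions than the managed-services policy does. Two of its statements are narrowed by conditions: the grant-management actions apply only when `kms:GrantIsForAWSResource` is true, and the cross-account role can use the key only through EC2 (`kms:ViaService`). Keep these conditions when adapting the policy.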
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
 * const databricksAccountId = config.requireObject("databricksAccountId");
 * // AWS ARN for the Databricks cross account role
 * const databricksCrossAccountRole = config.requireObject("databricksCrossAccountRole");
 * const current = aws.getCallerIdentity({});
 * const databricksStorageCmk = current.then(current => aws.iam.getPolicyDocument({
 *     version: "2012-10-17",
 *     statements: [
 *         {
 *             sid: "Enable IAM User Permissions",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: [current.accountId],
 *             }],
 *             actions: ["kms:*"],
 *             resources: ["*"],
 *         },
 *         {
 *             sid: "Allow Databricks to use KMS key for DBFS",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: ["arn:aws:iam::414351767826:root"],
 *             }],
 *             actions: [
 *                 "kms:Encrypt",
 *                 "kms:Decrypt",
 *                 "kms:ReEncrypt*",
 *                 "kms:GenerateDataKey*",
 *                 "kms:DescribeKey",
 *             ],
 *             resources: ["*"],
 *         },
 *         {
 *             sid: "Allow Databricks to use KMS key for DBFS (Grants)",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: ["arn:aws:iam::414351767826:root"],
 *             }],
 *             actions: [
 *                 "kms:CreateGrant",
 *                 "kms:ListGrants",
 *                 "kms:RevokeGrant",
 *             ],
 *             resources: ["*"],
 *             conditions: [{
 *                 test: "Bool",
 *                 variable: "kms:GrantIsForAWSResource",
 *                 values: ["true"],
 *             }],
 *         },
 *         {
 *             sid: "Allow Databricks to use KMS key for EBS",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: [databricksCrossAccountRole],
 *             }],
 *             actions: [
 *                 "kms:Decrypt",
 *                 "kms:GenerateDataKey*",
 *                 "kms:CreateGrant",
 *                 "kms:DescribeKey",
 *             ],
 *             resources: ["*"],
 *             conditions: [{
 *                 test: "ForAnyValue:StringLike",
 *                 variable: "kms:ViaService",
 *                 values: ["ec2.*.amazonaws.com"],
 *             }],
 *         },
 *     ],
 * }));
 * const storageCustomerManagedKey = new aws.kms.Key("storage_customer_managed_key", {policy: databricksStorageCmk.then(databricksStorageCmk => databricksStorageCmk.json)});
 * const storageCustomerManagedKeyAlias = new aws.kms.Alias("storage_customer_managed_key_alias", {
 *     name: "alias/storage-customer-managed-key-alias",
 *     targetKeyId: storageCustomerManagedKey.keyId,
 * });
 * const storage = new databricks.MwsCustomerManagedKeys("storage", {
 *     accountId: databricksAccountId,
 *     awsKeyInfo: {
 *         keyArn: storageCustomerManagedKey.arn,
 *         keyAlias: storageCustomerManagedKeyAlias.name,
 *     },
 *     useCases: ["STORAGE"],
 * });
 * ```
 *
 * ### For GCP
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
 * const databricksAccountId = config.requireObject("databricksAccountId");
 * // Id of a google_kms_crypto_key
 * const cmekResourceId = config.requireObject("cmekResourceId");
 * const storage = new databricks.MwsCustomerManagedKeys("storage", {
 *     accountId: databricksAccountId,
 *     gcpKeyInfo: {
 *         kmsKeyId: cmekResourceId,
 *     },
 *     useCases: ["STORAGE"],
 * });
 * ```
 *
 * ## Related Resources
 *
 * The following resources are used in the same context:
 *
 * * Provisioning Databricks on AWS guide.
 * * databricks.MwsCredentials to configure the cross-account role for creation of new workspaces within AWS.
 * * databricks.MwsLogDelivery to configure delivery of [billable usage logs](https://docs.databricks.com/administration-guide/account-settings/billable-usage-delivery.html) and [audit logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html).
 * * databricks.MwsNetworks to [configure VPC](https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html) & subnets for new workspaces within AWS.
 * * databricks.MwsStorageConfigurations to configure the root bucket for new workspaces within AWS.
 * * databricks.MwsWorkspaces to set up [AWS and GCP workspaces](https://docs.databricks.com/getting-started/overview.html#e2-architecture-1).
 *
 * ## Import
 *
 * This resource can be imported by Databricks account ID and customer managed key ID.
 *
 * ```sh
 * $ pulumi import databricks:index/mwsCustomerManagedKeys:MwsCustomerManagedKeys this '<account_id>/<customer_managed_key_id>'
 * ```
 *
 * > This resource does not support updates. If your configuration does not match the existing resource,
 * > the next `pulumi up` will cause the resource to be destroyed and recreated. After importing,
 * > verify that the configuration matches the existing resource by running `pulumi preview`.
 */
export declare class MwsCustomerManagedKeys extends pulumi.CustomResource {
    /**
     * Get an existing MwsCustomerManagedKeys resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns A MwsCustomerManagedKeys object for the looked-up resource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: MwsCustomerManagedKeysState, opts?: pulumi.CustomResourceOptions): MwsCustomerManagedKeys;
    /**
     * Returns true if the given object is an instance of MwsCustomerManagedKeys.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; it is typed `any`, so any value may be passed.
     * @returns A type predicate: when true, `obj` is narrowed to MwsCustomerManagedKeys.
     */
    static isInstance(obj: any): obj is MwsCustomerManagedKeys;
    /**
     * Databricks account ID, which can be found in the top right corner of the
     * [Accounts Console](https://accounts.cloud.databricks.com/). It is the first component of the
     * `<account_id>/<customer_managed_key_id>` import ID.
     */
    readonly accountId: pulumi.Output<string>;
    /**
     * AWS key settings for this configuration. The fields are declared in
     * `outputs.MwsCustomerManagedKeysAwsKeyInfo` (the usage examples set `keyArn` and `keyAlias`).
     * Conflicts with `gcpKeyInfo`; undefined when not set.
     */
    readonly awsKeyInfo: pulumi.Output<outputs.MwsCustomerManagedKeysAwsKeyInfo | undefined>;
    /**
     * (Integer) Time in epoch milliseconds when the customer key was created.
     */
    readonly creationTime: pulumi.Output<number>;
    /**
     * (String) ID of the encryption key configuration object. It is the second component of the
     * `<account_id>/<customer_managed_key_id>` import ID.
     */
    readonly customerManagedKeyId: pulumi.Output<string>;
    /**
     * GCP key settings for this configuration. The fields are declared in
     * `outputs.MwsCustomerManagedKeysGcpKeyInfo` (the usage examples set `kmsKeyId`).
     * Conflicts with `awsKeyInfo`; undefined when not set.
     */
    readonly gcpKeyInfo: pulumi.Output<outputs.MwsCustomerManagedKeysGcpKeyInfo | undefined>;
    /**
     * *(since v0.3.4)* List of use cases for which this key will be used. *If you've used the resource before, please add `useCases = ["MANAGED_SERVICES"]` to keep the previous behaviour.* Possible values are:
     * * `MANAGED_SERVICES` - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
     * * `STORAGE` - for encryption of the DBFS Storage & Cluster EBS Volumes
     */
    readonly useCases: pulumi.Output<string[]>;
    /**
     * Create a MwsCustomerManagedKeys resource with the given unique name, arguments, and options.
     *
     * The resource documentation states that this resource does not support updates: a configuration
     * that does not match the existing resource is destroyed and recreated on the next `pulumi up`,
     * so check `pulumi preview` before applying a change.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: MwsCustomerManagedKeysArgs, opts?: pulumi.CustomResourceOptions);
}
/**
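 * Input properties used for looking up and filtering MwsCustomerManagedKeys resources.
 * Every field is optional; this is the type of the `state` argument of `MwsCustomerManagedKeys.get`.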
 */
export interface MwsCustomerManagedKeysState {
    /**
     * Databricks account ID, which can be found in the top right corner of the
     * [Accounts Console](https://accounts.cloud.databricks.com/).
     */
    accountId?: pulumi.Input<string>;
    /**
     * AWS key settings; the fields are declared in `inputs.MwsCustomerManagedKeysAwsKeyInfo`
     * (the usage examples set `keyArn` and `keyAlias`). Conflicts with `gcpKeyInfo`.
     */
    awsKeyInfo?: pulumi.Input<inputs.MwsCustomerManagedKeysAwsKeyInfo>;
    /**
     * (Integer) Time in epoch milliseconds when the customer key was created.
     */
    creationTime?: pulumi.Input<number>;
    /**
     * (String) ID of the encryption key configuration object.
     */
    customerManagedKeyId?: pulumi.Input<string>;
    /**
     * GCP key settings; the fields are declared in `inputs.MwsCustomerManagedKeysGcpKeyInfo`
     * (the usage examples set `kmsKeyId`). Conflicts with `awsKeyInfo`.
     */
    gcpKeyInfo?: pulumi.Input<inputs.MwsCustomerManagedKeysGcpKeyInfo>;
    /**
     * *(since v0.3.4)* List of use cases for which this key will be used. *If you've used the resource before, please add `useCases = ["MANAGED_SERVICES"]` to keep the previous behaviour.* Possible values are:
     * * `MANAGED_SERVICES` - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
     * * `STORAGE` - for encryption of the DBFS Storage & Cluster EBS Volumes
     */
    useCases?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
 * The set of arguments for constructing a MwsCustomerManagedKeys resource.
 * `accountId` and `useCases` are required; `awsKeyInfo` and `gcpKeyInfo` conflict with each other.
 */
export interface MwsCustomerManagedKeysArgs {
    /**
     * Databricks account ID, which can be found in the top right corner of the
     * [Accounts Console](https://accounts.cloud.databricks.com/). Required.
     */
    accountId: pulumi.Input<string>;
    /**
     * AWS key settings; the fields are declared in `inputs.MwsCustomerManagedKeysAwsKeyInfo`
     * (the usage examples set `keyArn` and `keyAlias`). Conflicts with `gcpKeyInfo`, so set only one of the two.
     */
    awsKeyInfo?: pulumi.Input<inputs.MwsCustomerManagedKeysAwsKeyInfo>;
    /**
     * (Integer) Time in epoch milliseconds when the customer key was created.
     *
     * NOTE(review): this reads like a provider-computed value rather than something to set by hand — confirm.
     */
    creationTime?: pulumi.Input<number>;
    /**
     * (String) ID of the encryption key configuration object.
     *
     * NOTE(review): this reads like a provider-computed value rather than something to set by hand — confirm.
     */
    customerManagedKeyId?: pulumi.Input<string>;
    /**
     * GCP key settings; the fields are declared in `inputs.MwsCustomerManagedKeysGcpKeyInfo`
     * (the usage examples set `kmsKeyId`). Conflicts with `awsKeyInfo`, so set only one of the two.
     */
    gcpKeyInfo?: pulumi.Input<inputs.MwsCustomerManagedKeysGcpKeyInfo>;
    /**
     * *(since v0.3.4)* List of use cases for which this key will be used. Required. *If you've used the resource before, please add `useCases = ["MANAGED_SERVICES"]` to keep the previous behaviour.* Possible values are:
     * * `MANAGED_SERVICES` - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
     * * `STORAGE` - for encryption of the DBFS Storage & Cluster EBS Volumes
     */
    useCases: pulumi.Input<pulumi.Input<string>[]>;
}
