github.com/pulumi/pulumi-aws/sdk/v6@v6.32.0/go/aws/kms/keyPolicy.go

// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT.
// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! ***

package kms

import (
	"context"
	"reflect"

	"errors"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/internal"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// Attaches a policy to a KMS Key.
//
// ## Example Usage
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"encoding/json"
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
//				Description: pulumi.String("example"),
//			})
//			if err != nil {
//				return err
//			}
//			tmpJSON0, err := json.Marshal(map[string]interface{}{
//				"Id": "example",
//				"Statement": []map[string]interface{}{
//					map[string]interface{}{
//						"Action": "kms:*",
//						"Effect": "Allow",
//						"Principal": map[string]interface{}{
//							"AWS": "*",
//						},
//						"Resource": "*",
//						"Sid":      "Enable IAM User Permissions",
//					},
//				},
//				"Version": "2012-10-17",
//			})
//			if err != nil {
//				return err
//			}
//			json0 := string(tmpJSON0)
//			_, err = kms.NewKeyPolicy(ctx, "example", &kms.KeyPolicyArgs{
//				KeyId:  example.ID(),
//				Policy: pulumi.String(json0),
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ## Import
//
// Using `pulumi import`, import KMS Key Policies using the `key_id`. For example:
//
// ```sh
// $ pulumi import aws:kms/keyPolicy:KeyPolicy a 1234abcd-12ab-34cd-56ef-1234567890ab
// ```
type KeyPolicy struct {
	pulumi.CustomResourceState

	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrOutput `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// The ID of the KMS Key to attach the policy.
	KeyId pulumi.StringOutput `pulumi:"keyId"`
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringOutput `pulumi:"policy"`
}

// NewKeyPolicy registers a new resource with the given unique name, arguments, and options.
func NewKeyPolicy(ctx *pulumi.Context,
	name string, args *KeyPolicyArgs, opts ...pulumi.ResourceOption) (*KeyPolicy, error) {
	if args == nil {
		return nil, errors.New("missing one or more required arguments")
	}

	if args.KeyId == nil {
		return nil, errors.New("invalid value for required argument 'KeyId'")
	}
	if args.Policy == nil {
		return nil, errors.New("invalid value for required argument 'Policy'")
	}
	opts = internal.PkgResourceDefaultOpts(opts)
	var resource KeyPolicy
	err := ctx.RegisterResource("aws:kms/keyPolicy:KeyPolicy", name, args, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// GetKeyPolicy gets an existing KeyPolicy resource's state with the given name, ID, and optional
// state properties that are used to uniquely qualify the lookup (nil if not required).
func GetKeyPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *KeyPolicyState, opts ...pulumi.ResourceOption) (*KeyPolicy, error) {
	var resource KeyPolicy
	err := ctx.ReadResource("aws:kms/keyPolicy:KeyPolicy", name, id, state, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// Input properties used for looking up and filtering KeyPolicy resources.
type keyPolicyState struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck *bool `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// The ID of the KMS Key to attach the policy.
	KeyId *string `pulumi:"keyId"`
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy *string `pulumi:"policy"`
}

type KeyPolicyState struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The ID of the KMS Key to attach the policy.
	KeyId pulumi.StringPtrInput
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringPtrInput
}

func (KeyPolicyState) ElementType() reflect.Type {
	return reflect.TypeOf((*keyPolicyState)(nil)).Elem()
}

type keyPolicyArgs struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck *bool `pulumi:"bypassPolicyLockoutSafetyCheck"`
	// The ID of the KMS Key to attach the policy.
	KeyId string `pulumi:"keyId"`
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy string `pulumi:"policy"`
}

// The set of arguments for constructing a KeyPolicy resource.
type KeyPolicyArgs struct {
	// A flag to indicate whether to bypass the key policy lockout safety check.
	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
	// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
	BypassPolicyLockoutSafetyCheck pulumi.BoolPtrInput
	// The ID of the KMS Key to attach the policy.
	KeyId pulumi.StringInput
	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
	//
	// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
	Policy pulumi.StringInput
}

func (KeyPolicyArgs) ElementType() reflect.Type {
	return reflect.TypeOf((*keyPolicyArgs)(nil)).Elem()
}

type KeyPolicyInput interface {
	pulumi.Input

	ToKeyPolicyOutput() KeyPolicyOutput
	ToKeyPolicyOutputWithContext(ctx context.Context) KeyPolicyOutput
}

func (*KeyPolicy) ElementType() reflect.Type {
	return reflect.TypeOf((**KeyPolicy)(nil)).Elem()
}

func (i *KeyPolicy) ToKeyPolicyOutput() KeyPolicyOutput {
	return i.ToKeyPolicyOutputWithContext(context.Background())
}

func (i *KeyPolicy) ToKeyPolicyOutputWithContext(ctx context.Context) KeyPolicyOutput {
	return pulumi.ToOutputWithContext(ctx, i).(KeyPolicyOutput)
}

// KeyPolicyArrayInput is an input type that accepts KeyPolicyArray and KeyPolicyArrayOutput values.
// You can construct a concrete instance of `KeyPolicyArrayInput` via:
//
//	KeyPolicyArray{ KeyPolicyArgs{...} }
type KeyPolicyArrayInput interface {
	pulumi.Input

	ToKeyPolicyArrayOutput() KeyPolicyArrayOutput
	ToKeyPolicyArrayOutputWithContext(context.Context) KeyPolicyArrayOutput
}

type KeyPolicyArray []KeyPolicyInput

func (KeyPolicyArray) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*KeyPolicy)(nil)).Elem()
}

func (i KeyPolicyArray) ToKeyPolicyArrayOutput() KeyPolicyArrayOutput {
	return i.ToKeyPolicyArrayOutputWithContext(context.Background())
}

func (i KeyPolicyArray) ToKeyPolicyArrayOutputWithContext(ctx context.Context) KeyPolicyArrayOutput {
	return pulumi.ToOutputWithContext(ctx, i).(KeyPolicyArrayOutput)
}

// KeyPolicyMapInput is an input type that accepts KeyPolicyMap and KeyPolicyMapOutput values.
// You can construct a concrete instance of `KeyPolicyMapInput` via:
//
//	KeyPolicyMap{ "key": KeyPolicyArgs{...} }
type KeyPolicyMapInput interface {
	pulumi.Input

	ToKeyPolicyMapOutput() KeyPolicyMapOutput
	ToKeyPolicyMapOutputWithContext(context.Context) KeyPolicyMapOutput
}

type KeyPolicyMap map[string]KeyPolicyInput

func (KeyPolicyMap) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*KeyPolicy)(nil)).Elem()
}

func (i KeyPolicyMap) ToKeyPolicyMapOutput() KeyPolicyMapOutput {
	return i.ToKeyPolicyMapOutputWithContext(context.Background())
}

func (i KeyPolicyMap) ToKeyPolicyMapOutputWithContext(ctx context.Context) KeyPolicyMapOutput {
	return pulumi.ToOutputWithContext(ctx, i).(KeyPolicyMapOutput)
}

type KeyPolicyOutput struct{ *pulumi.OutputState }

func (KeyPolicyOutput) ElementType() reflect.Type {
	return reflect.TypeOf((**KeyPolicy)(nil)).Elem()
}

func (o KeyPolicyOutput) ToKeyPolicyOutput() KeyPolicyOutput {
	return o
}

func (o KeyPolicyOutput) ToKeyPolicyOutputWithContext(ctx context.Context) KeyPolicyOutput {
	return o
}

// A flag to indicate whether to bypass the key policy lockout safety check.
// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. If this value is set, and the resource is destroyed, a warning will be shown, and the resource will be removed from state.
// For more information, refer to the scenario in the [Default Key Policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the _AWS Key Management Service Developer Guide_.
func (o KeyPolicyOutput) BypassPolicyLockoutSafetyCheck() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *KeyPolicy) pulumi.BoolPtrOutput { return v.BypassPolicyLockoutSafetyCheck }).(pulumi.BoolPtrOutput)
}

// The ID of the KMS Key to attach the policy.
func (o KeyPolicyOutput) KeyId() pulumi.StringOutput {
	return o.ApplyT(func(v *KeyPolicy) pulumi.StringOutput { return v.KeyId }).(pulumi.StringOutput)
}

// A valid policy JSON document. Although this is a key policy, not an IAM policy, an `iam.getPolicyDocument`, in the form that designates a principal, can be used. For more information about building policy documents, see the AWS IAM Policy Document Guide.
//
// > **NOTE:** Note: All KMS keys must have a key policy. If a key policy is not specified, or this resource is destroyed, AWS gives the KMS key a [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
func (o KeyPolicyOutput) Policy() pulumi.StringOutput {
	return o.ApplyT(func(v *KeyPolicy) pulumi.StringOutput { return v.Policy }).(pulumi.StringOutput)
}

type KeyPolicyArrayOutput struct{ *pulumi.OutputState }

func (KeyPolicyArrayOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*KeyPolicy)(nil)).Elem()
}

func (o KeyPolicyArrayOutput) ToKeyPolicyArrayOutput() KeyPolicyArrayOutput {
	return o
}

func (o KeyPolicyArrayOutput) ToKeyPolicyArrayOutputWithContext(ctx context.Context) KeyPolicyArrayOutput {
	return o
}

func (o KeyPolicyArrayOutput) Index(i pulumi.IntInput) KeyPolicyOutput {
	return pulumi.All(o, i).ApplyT(func(vs []interface{}) *KeyPolicy {
		return vs[0].([]*KeyPolicy)[vs[1].(int)]
	}).(KeyPolicyOutput)
}

type KeyPolicyMapOutput struct{ *pulumi.OutputState }

func (KeyPolicyMapOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*KeyPolicy)(nil)).Elem()
}

func (o KeyPolicyMapOutput) ToKeyPolicyMapOutput() KeyPolicyMapOutput {
	return o
}

func (o KeyPolicyMapOutput) ToKeyPolicyMapOutputWithContext(ctx context.Context) KeyPolicyMapOutput {
	return o
}

func (o KeyPolicyMapOutput) MapIndex(k pulumi.StringInput) KeyPolicyOutput {
	return pulumi.All(o, k).ApplyT(func(vs []interface{}) *KeyPolicy {
		return vs[0].(map[string]*KeyPolicy)[vs[1].(string)]
	}).(KeyPolicyOutput)
}

func init() {
	pulumi.RegisterInputType(reflect.TypeOf((*KeyPolicyInput)(nil)).Elem(), &KeyPolicy{})
	pulumi.RegisterInputType(reflect.TypeOf((*KeyPolicyArrayInput)(nil)).Elem(), KeyPolicyArray{})
	pulumi.RegisterInputType(reflect.TypeOf((*KeyPolicyMapInput)(nil)).Elem(), KeyPolicyMap{})
	pulumi.RegisterOutputType(KeyPolicyOutput{})
	pulumi.RegisterOutputType(KeyPolicyArrayOutput{})
	pulumi.RegisterOutputType(KeyPolicyMapOutput{})
}