pulumi-gcp 7.16.0a1711520590__py3-none-any.whl → 7.17.0__py3-none-any.whl

pulumi_gcp/iam/workforce_pool_provider.py

@@ -81,6 +81,11 @@ class WorkforcePoolProviderArgs:
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -209,6 +214,11 @@ class WorkforcePoolProviderArgs:
         For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
         For example, the following maps the sub claim of the incoming credential to the `subject` attribute
         on a Google token:
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
+        An object containing a list of `"key": value` pairs.
+        Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -339,6 +349,11 @@ class _WorkforcePoolProviderState:
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -449,6 +464,11 @@ class _WorkforcePoolProviderState:
         For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
         For example, the following maps the sub claim of the incoming credential to the `subject` attribute
         on a Google token:
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
+        An object containing a list of `"key": value` pairs.
+        Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -811,6 +831,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -1117,6 +1142,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -1216,6 +1246,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
         For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
         For example, the following maps the sub claim of the incoming credential to the `subject` attribute
         on a Google token:
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
+        An object containing a list of `"key": value` pairs.
+        Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         """
         return pulumi.get(self, "attribute_mapping")
 

pulumi_gcp/iam/workload_identity_pool_provider.py

@@ -74,6 +74,26 @@ class WorkloadIdentityPoolProviderArgs:
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input['WorkloadIdentityPoolProviderAwsArgs'] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -190,6 +210,26 @@ class WorkloadIdentityPoolProviderArgs:
         the total size of all mapped attributes must not exceed 8KB.
         For AWS providers, the following rules apply:
         - If no attribute mapping is defined, the following default mapping applies:
+        ```
+        {
+        "google.subject":"assertion.arn",
+        "attribute.aws_role":
+        "assertion.arn.contains('assumed-role')"
+        " ? assertion.arn.extract('{account_arn}assumed-role/')"
+        "   + 'assumed-role/'"
+        "   + assertion.arn.extract('assumed-role/{role_name}/')"
+        " : assertion.arn",
+        }
+        ```
+        - If any custom attribute mappings are defined, they must include a mapping to the
+        `google.subject` attribute.
+        For OIDC providers, the following rules apply:
+        - Custom attribute mappings must be defined, and must include a mapping to the
+        `google.subject` attribute. For example, the following maps the `sub` claim of the
+        incoming credential to the `subject` attribute on a Google token.
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -341,6 +381,26 @@ class _WorkloadIdentityPoolProviderState:
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input['WorkloadIdentityPoolProviderAwsArgs'] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -450,6 +510,26 @@ class _WorkloadIdentityPoolProviderState:
         the total size of all mapped attributes must not exceed 8KB.
         For AWS providers, the following rules apply:
         - If no attribute mapping is defined, the following default mapping applies:
+        ```
+        {
+        "google.subject":"assertion.arn",
+        "attribute.aws_role":
+        "assertion.arn.contains('assumed-role')"
+        " ? assertion.arn.extract('{account_arn}assumed-role/')"
+        "   + 'assumed-role/'"
+        "   + assertion.arn.extract('assumed-role/{role_name}/')"
+        " : assertion.arn",
+        }
+        ```
+        - If any custom attribute mappings are defined, they must include a mapping to the
+        `google.subject` attribute.
+        For OIDC providers, the following rules apply:
+        - Custom attribute mappings must be defined, and must include a mapping to the
+        `google.subject` attribute. For example, the following maps the `sub` claim of the
+        incoming credential to the `subject` attribute on a Google token.
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -874,6 +954,26 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input[pulumi.InputType['WorkloadIdentityPoolProviderAwsArgs']] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -1230,6 +1330,26 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input[pulumi.InputType['WorkloadIdentityPoolProviderAwsArgs']] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -1327,6 +1447,26 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
         the total size of all mapped attributes must not exceed 8KB.
         For AWS providers, the following rules apply:
         - If no attribute mapping is defined, the following default mapping applies:
+        ```
+        {
+        "google.subject":"assertion.arn",
+        "attribute.aws_role":
+        "assertion.arn.contains('assumed-role')"
+        " ? assertion.arn.extract('{account_arn}assumed-role/')"
+        "   + 'assumed-role/'"
+        "   + assertion.arn.extract('assumed-role/{role_name}/')"
+        " : assertion.arn",
+        }
+        ```
+        - If any custom attribute mappings are defined, they must include a mapping to the
+        `google.subject` attribute.
+        For OIDC providers, the following rules apply:
+        - Custom attribute mappings must be defined, and must include a mapping to the
+        `google.subject` attribute. For example, the following maps the `sub` claim of the
+        incoming credential to the `subject` attribute on a Google token.
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
         """
         return pulumi.get(self, "attribute_mapping")
 

pulumi_gcp/iap/tunnel_dest_group.py

@@ -249,7 +249,7 @@ class TunnelDestGroup(pulumi.CustomResource):
 
         dest_group = gcp.iap.TunnelDestGroup("dest_group",
             region="us-central1",
-            group_name="testgroup_75223",
+            group_name="testgroup_41819",
             cidrs=[
                 "10.1.0.0/16",
                 "192.168.10.0/24",
@@ -337,7 +337,7 @@ class TunnelDestGroup(pulumi.CustomResource):
 
         dest_group = gcp.iap.TunnelDestGroup("dest_group",
             region="us-central1",
-            group_name="testgroup_75223",
+            group_name="testgroup_41819",
             cidrs=[
                 "10.1.0.0/16",
                 "192.168.10.0/24",

pulumi_gcp/kms/_inputs.py

@@ -16,6 +16,7 @@ __all__ = [
     'CryptoKeyVersionAttestationArgs',
     'CryptoKeyVersionAttestationCertChainsArgs',
     'CryptoKeyVersionAttestationExternalProtectionLevelOptionsArgs',
+    'CryptoKeyVersionExternalProtectionLevelOptionsArgs',
     'CryptoKeyVersionTemplateArgs',
     'EkmConnectionServiceResolverArgs',
     'EkmConnectionServiceResolverServerCertificateArgs',
@@ -209,6 +210,9 @@ class CryptoKeyVersionAttestationArgs:
             pulumi.set(__self__, "cert_chains", cert_chains)
         if content is not None:
             pulumi.set(__self__, "content", content)
+        if external_protection_level_options is not None:
+            warnings.warn("""`externalProtectionLevelOptions` is being un-nested from the `attestation` field. Please use the top level `externalProtectionLevelOptions` field instead.""", DeprecationWarning)
+            pulumi.log.warn("""external_protection_level_options is deprecated: `externalProtectionLevelOptions` is being un-nested from the `attestation` field. Please use the top level `externalProtectionLevelOptions` field instead.""")
         if external_protection_level_options is not None:
             pulumi.set(__self__, "external_protection_level_options", external_protection_level_options)
         if format is not None:
@@ -247,6 +251,9 @@ class CryptoKeyVersionAttestationArgs:
         ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
         Structure is documented below.
         """
+        warnings.warn("""`externalProtectionLevelOptions` is being un-nested from the `attestation` field. Please use the top level `externalProtectionLevelOptions` field instead.""", DeprecationWarning)
+        pulumi.log.warn("""external_protection_level_options is deprecated: `externalProtectionLevelOptions` is being un-nested from the `attestation` field. Please use the top level `externalProtectionLevelOptions` field instead.""")
+
         return pulumi.get(self, "external_protection_level_options")
 
     @external_protection_level_options.setter
@@ -361,6 +368,45 @@ class CryptoKeyVersionAttestationExternalProtectionLevelOptionsArgs:
         pulumi.set(self, "external_key_uri", value)
 
 
+@pulumi.input_type
+class CryptoKeyVersionExternalProtectionLevelOptionsArgs:
+    def __init__(__self__, *,
+                 ekm_connection_key_path: Optional[pulumi.Input[str]] = None,
+                 external_key_uri: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] ekm_connection_key_path: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
+        :param pulumi.Input[str] external_key_uri: The URI for an external resource that this CryptoKeyVersion represents.
+        """
+        if ekm_connection_key_path is not None:
+            pulumi.set(__self__, "ekm_connection_key_path", ekm_connection_key_path)
+        if external_key_uri is not None:
+            pulumi.set(__self__, "external_key_uri", external_key_uri)
+
+    @property
+    @pulumi.getter(name="ekmConnectionKeyPath")
+    def ekm_connection_key_path(self) -> Optional[pulumi.Input[str]]:
+        """
+        The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
+        """
+        return pulumi.get(self, "ekm_connection_key_path")
+
+    @ekm_connection_key_path.setter
+    def ekm_connection_key_path(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "ekm_connection_key_path", value)
+
+    @property
+    @pulumi.getter(name="externalKeyUri")
+    def external_key_uri(self) -> Optional[pulumi.Input[str]]:
+        """
+        The URI for an external resource that this CryptoKeyVersion represents.
+        """
+        return pulumi.get(self, "external_key_uri")
+
+    @external_key_uri.setter
+    def external_key_uri(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "external_key_uri", value)
+
+
 @pulumi.input_type
 class CryptoKeyVersionTemplateArgs:
     def __init__(__self__, *,

pulumi_gcp/kms/crypto_key.py

@@ -17,6 +17,7 @@ __all__ = ['CryptoKeyArgs', 'CryptoKey']
 class CryptoKeyArgs:
     def __init__(__self__, *,
                  key_ring: pulumi.Input[str],
+                 crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -32,6 +33,8 @@ class CryptoKeyArgs:
                
                
                - - -
+        :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
+               The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
                If not specified at creation time, the default duration is 24 hours.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
@@ -54,6 +57,8 @@ class CryptoKeyArgs:
                Structure is documented below.
         """
         pulumi.set(__self__, "key_ring", key_ring)
+        if crypto_key_backend is not None:
+            pulumi.set(__self__, "crypto_key_backend", crypto_key_backend)
         if destroy_scheduled_duration is not None:
             pulumi.set(__self__, "destroy_scheduled_duration", destroy_scheduled_duration)
         if import_only is not None:
@@ -87,6 +92,19 @@ class CryptoKeyArgs:
     def key_ring(self, value: pulumi.Input[str]):
         pulumi.set(self, "key_ring", value)
 
+    @property
+    @pulumi.getter(name="cryptoKeyBackend")
+    def crypto_key_backend(self) -> Optional[pulumi.Input[str]]:
+        """
+        The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
+        The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
+        """
+        return pulumi.get(self, "crypto_key_backend")
+
+    @crypto_key_backend.setter
+    def crypto_key_backend(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "crypto_key_backend", value)
+
     @property
     @pulumi.getter(name="destroyScheduledDuration")
     def destroy_scheduled_duration(self) -> Optional[pulumi.Input[str]]:
@@ -199,6 +217,7 @@ class CryptoKeyArgs:
 @pulumi.input_type
 class _CryptoKeyState:
     def __init__(__self__, *,
+                 crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  effective_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
@@ -213,6 +232,8 @@ class _CryptoKeyState:
                  version_template: Optional[pulumi.Input['CryptoKeyVersionTemplateArgs']] = None):
         """
         Input properties used for looking up and filtering CryptoKey resources.
+        :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
+               The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
                If not specified at creation time, the default duration is 24 hours.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] effective_labels: All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
@@ -245,6 +266,8 @@ class _CryptoKeyState:
         :param pulumi.Input['CryptoKeyVersionTemplateArgs'] version_template: A template describing settings for new crypto key versions.
                Structure is documented below.
         """
+        if crypto_key_backend is not None:
+            pulumi.set(__self__, "crypto_key_backend", crypto_key_backend)
         if destroy_scheduled_duration is not None:
             pulumi.set(__self__, "destroy_scheduled_duration", destroy_scheduled_duration)
         if effective_labels is not None:
@@ -270,6 +293,19 @@ class _CryptoKeyState:
         if version_template is not None:
             pulumi.set(__self__, "version_template", version_template)
 
+    @property
+    @pulumi.getter(name="cryptoKeyBackend")
+    def crypto_key_backend(self) -> Optional[pulumi.Input[str]]:
+        """
+        The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
+        The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
+        """
+        return pulumi.get(self, "crypto_key_backend")
+
+    @crypto_key_backend.setter
+    def crypto_key_backend(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "crypto_key_backend", value)
+
     @property
     @pulumi.getter(name="destroyScheduledDuration")
     def destroy_scheduled_duration(self) -> Optional[pulumi.Input[str]]:
@@ -439,6 +475,7 @@ class CryptoKey(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
@@ -525,6 +562,8 @@ class CryptoKey(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
+               The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
                If not specified at creation time, the default duration is 24 hours.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
@@ -646,6 +685,7 @@ class CryptoKey(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
@@ -664,6 +704,7 @@ class CryptoKey(pulumi.CustomResource):
                 raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
             __props__ = CryptoKeyArgs.__new__(CryptoKeyArgs)
 
+            __props__.__dict__["crypto_key_backend"] = crypto_key_backend
             __props__.__dict__["destroy_scheduled_duration"] = destroy_scheduled_duration
             __props__.__dict__["import_only"] = import_only
             if key_ring is None and not opts.urn:
@@ -690,6 +731,7 @@ class CryptoKey(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
+            crypto_key_backend: Optional[pulumi.Input[str]] = None,
             destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
             effective_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             import_only: Optional[pulumi.Input[bool]] = None,
@@ -709,6 +751,8 @@ class CryptoKey(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
+               The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
                If not specified at creation time, the default duration is 24 hours.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] effective_labels: All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
@@ -745,6 +789,7 @@ class CryptoKey(pulumi.CustomResource):
 
         __props__ = _CryptoKeyState.__new__(_CryptoKeyState)
 
+        __props__.__dict__["crypto_key_backend"] = crypto_key_backend
         __props__.__dict__["destroy_scheduled_duration"] = destroy_scheduled_duration
         __props__.__dict__["effective_labels"] = effective_labels
         __props__.__dict__["import_only"] = import_only
@@ -759,6 +804,15 @@ class CryptoKey(pulumi.CustomResource):
         __props__.__dict__["version_template"] = version_template
         return CryptoKey(resource_name, opts=opts, __props__=__props__)
 
+    @property
+    @pulumi.getter(name="cryptoKeyBackend")
+    def crypto_key_backend(self) -> pulumi.Output[str]:
+        """
+        The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
+        The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
+        """
+        return pulumi.get(self, "crypto_key_backend")
+
     @property
     @pulumi.getter(name="destroyScheduledDuration")
     def destroy_scheduled_duration(self) -> pulumi.Output[str]: