pulumi-gcp 7.31.0a1720850808__py3-none-any.whl → 7.32.0__py3-none-any.whl

pulumi_gcp/kms/crypto_key.py

@@ -25,6 +25,7 @@ class CryptoKeyArgs:
                  crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  purpose: Optional[pulumi.Input[str]] = None,
@@ -41,8 +42,17 @@ class CryptoKeyArgs:
         :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
                The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
-               If not specified at creation time, the default duration is 24 hours.
+               If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs'] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] labels: Labels with user-defined metadata to apply to this resource.
                
                **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
@@ -69,6 +79,8 @@ class CryptoKeyArgs:
             pulumi.set(__self__, "destroy_scheduled_duration", destroy_scheduled_duration)
         if import_only is not None:
             pulumi.set(__self__, "import_only", import_only)
+        if key_access_justifications_policy is not None:
+            pulumi.set(__self__, "key_access_justifications_policy", key_access_justifications_policy)
         if labels is not None:
             pulumi.set(__self__, "labels", labels)
         if name is not None:
@@ -116,7 +128,7 @@ class CryptoKeyArgs:
     def destroy_scheduled_duration(self) -> Optional[pulumi.Input[str]]:
         """
         The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
-        If not specified at creation time, the default duration is 24 hours.
+        If not specified at creation time, the default duration is 30 days.
         """
         return pulumi.get(self, "destroy_scheduled_duration")
 
@@ -136,6 +148,26 @@ class CryptoKeyArgs:
     def import_only(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "import_only", value)
 
+    @property
+    @pulumi.getter(name="keyAccessJustificationsPolicy")
+    def key_access_justifications_policy(self) -> Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]:
+        """
+        The policy used for Key Access Justifications Policy Enforcement. If this
+        field is present and this key is enrolled in Key Access Justifications
+        Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+        sign operations, and the operation will fail if rejected by the policy. The
+        policy is defined by specifying zero or more allowed justification codes.
+        https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+        By default, this field is absent, and all justification codes are allowed.
+        This field is currently in beta and is subject to change.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "key_access_justifications_policy")
+
+    @key_access_justifications_policy.setter
+    def key_access_justifications_policy(self, value: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]):
+        pulumi.set(self, "key_access_justifications_policy", value)
+
     @property
     @pulumi.getter
     def labels(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
@@ -228,6 +260,7 @@ class _CryptoKeyState:
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  effective_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
@@ -242,9 +275,18 @@ class _CryptoKeyState:
         :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
                The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
-               If not specified at creation time, the default duration is 24 hours.
+               If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] effective_labels: All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs'] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[str] key_ring: The KeyRing that this key belongs to.
                Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
                
@@ -282,6 +324,8 @@ class _CryptoKeyState:
             pulumi.set(__self__, "effective_labels", effective_labels)
         if import_only is not None:
             pulumi.set(__self__, "import_only", import_only)
+        if key_access_justifications_policy is not None:
+            pulumi.set(__self__, "key_access_justifications_policy", key_access_justifications_policy)
         if key_ring is not None:
             pulumi.set(__self__, "key_ring", key_ring)
         if labels is not None:
@@ -319,7 +363,7 @@ class _CryptoKeyState:
     def destroy_scheduled_duration(self) -> Optional[pulumi.Input[str]]:
         """
         The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
-        If not specified at creation time, the default duration is 24 hours.
+        If not specified at creation time, the default duration is 30 days.
         """
         return pulumi.get(self, "destroy_scheduled_duration")
 
@@ -351,6 +395,26 @@ class _CryptoKeyState:
     def import_only(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "import_only", value)
 
+    @property
+    @pulumi.getter(name="keyAccessJustificationsPolicy")
+    def key_access_justifications_policy(self) -> Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]:
+        """
+        The policy used for Key Access Justifications Policy Enforcement. If this
+        field is present and this key is enrolled in Key Access Justifications
+        Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+        sign operations, and the operation will fail if rejected by the policy. The
+        policy is defined by specifying zero or more allowed justification codes.
+        https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+        By default, this field is absent, and all justification codes are allowed.
+        This field is currently in beta and is subject to change.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "key_access_justifications_policy")
+
+    @key_access_justifications_policy.setter
+    def key_access_justifications_policy(self, value: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]):
+        pulumi.set(self, "key_access_justifications_policy", value)
+
     @property
     @pulumi.getter(name="keyRing")
     def key_ring(self) -> Optional[pulumi.Input[str]]:
@@ -487,6 +551,7 @@ class CryptoKey(pulumi.CustomResource):
                  crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']]] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
@@ -568,8 +633,17 @@ class CryptoKey(pulumi.CustomResource):
         :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
                The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
-               If not specified at creation time, the default duration is 24 hours.
+               If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[str] key_ring: The KeyRing that this key belongs to.
                Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
                
@@ -686,6 +760,7 @@ class CryptoKey(pulumi.CustomResource):
                  crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']]] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
@@ -705,6 +780,7 @@ class CryptoKey(pulumi.CustomResource):
             __props__.__dict__["crypto_key_backend"] = crypto_key_backend
             __props__.__dict__["destroy_scheduled_duration"] = destroy_scheduled_duration
             __props__.__dict__["import_only"] = import_only
+            __props__.__dict__["key_access_justifications_policy"] = key_access_justifications_policy
             if key_ring is None and not opts.urn:
                 raise TypeError("Missing required property 'key_ring'")
             __props__.__dict__["key_ring"] = key_ring
@@ -733,6 +809,7 @@ class CryptoKey(pulumi.CustomResource):
             destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
             effective_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             import_only: Optional[pulumi.Input[bool]] = None,
+            key_access_justifications_policy: Optional[pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']]] = None,
             key_ring: Optional[pulumi.Input[str]] = None,
             labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             name: Optional[pulumi.Input[str]] = None,
@@ -752,9 +829,18 @@ class CryptoKey(pulumi.CustomResource):
         :param pulumi.Input[str] crypto_key_backend: The resource name of the backend environment associated with all CryptoKeyVersions within this CryptoKey.
                The resource name is in the format "projects/*/locations/*/ekmConnections/*" and only applies to "EXTERNAL_VPC" keys.
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
-               If not specified at creation time, the default duration is 24 hours.
+               If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] effective_labels: All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[str] key_ring: The KeyRing that this key belongs to.
                Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
                
@@ -792,6 +878,7 @@ class CryptoKey(pulumi.CustomResource):
         __props__.__dict__["destroy_scheduled_duration"] = destroy_scheduled_duration
         __props__.__dict__["effective_labels"] = effective_labels
         __props__.__dict__["import_only"] = import_only
+        __props__.__dict__["key_access_justifications_policy"] = key_access_justifications_policy
         __props__.__dict__["key_ring"] = key_ring
         __props__.__dict__["labels"] = labels
         __props__.__dict__["name"] = name
@@ -817,7 +904,7 @@ class CryptoKey(pulumi.CustomResource):
     def destroy_scheduled_duration(self) -> pulumi.Output[str]:
         """
         The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
-        If not specified at creation time, the default duration is 24 hours.
+        If not specified at creation time, the default duration is 30 days.
         """
         return pulumi.get(self, "destroy_scheduled_duration")
 
@@ -837,6 +924,22 @@ class CryptoKey(pulumi.CustomResource):
         """
         return pulumi.get(self, "import_only")
 
+    @property
+    @pulumi.getter(name="keyAccessJustificationsPolicy")
+    def key_access_justifications_policy(self) -> pulumi.Output['outputs.CryptoKeyKeyAccessJustificationsPolicy']:
+        """
+        The policy used for Key Access Justifications Policy Enforcement. If this
+        field is present and this key is enrolled in Key Access Justifications
+        Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+        sign operations, and the operation will fail if rejected by the policy. The
+        policy is defined by specifying zero or more allowed justification codes.
+        https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+        By default, this field is absent, and all justification codes are allowed.
+        This field is currently in beta and is subject to change.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "key_access_justifications_policy")
+
     @property
     @pulumi.getter(name="keyRing")
     def key_ring(self) -> pulumi.Output[str]:

pulumi_gcp/kms/get_crypto_keys.py

@@ -0,0 +1,143 @@
+# coding=utf-8
+# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import copy
+import warnings
+import sys
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
+from .. import _utilities
+from . import outputs
+
+__all__ = [
+    'GetCryptoKeysResult',
+    'AwaitableGetCryptoKeysResult',
+    'get_crypto_keys',
+    'get_crypto_keys_output',
+]
+
+@pulumi.output_type
+class GetCryptoKeysResult:
+    """
+    A collection of values returned by getCryptoKeys.
+    """
+    def __init__(__self__, filter=None, id=None, key_ring=None, keys=None):
+        if filter and not isinstance(filter, str):
+            raise TypeError("Expected argument 'filter' to be a str")
+        pulumi.set(__self__, "filter", filter)
+        if id and not isinstance(id, str):
+            raise TypeError("Expected argument 'id' to be a str")
+        pulumi.set(__self__, "id", id)
+        if key_ring and not isinstance(key_ring, str):
+            raise TypeError("Expected argument 'key_ring' to be a str")
+        pulumi.set(__self__, "key_ring", key_ring)
+        if keys and not isinstance(keys, list):
+            raise TypeError("Expected argument 'keys' to be a list")
+        pulumi.set(__self__, "keys", keys)
+
+    @property
+    @pulumi.getter
+    def filter(self) -> Optional[str]:
+        return pulumi.get(self, "filter")
+
+    @property
+    @pulumi.getter
+    def id(self) -> str:
+        """
+        The provider-assigned unique ID for this managed resource.
+        """
+        return pulumi.get(self, "id")
+
+    @property
+    @pulumi.getter(name="keyRing")
+    def key_ring(self) -> str:
+        return pulumi.get(self, "key_ring")
+
+    @property
+    @pulumi.getter
+    def keys(self) -> Sequence['outputs.GetCryptoKeysKeyResult']:
+        """
+        A list of all the retrieved keys from the provided key ring. This list is influenced by the provided filter argument.
+        """
+        return pulumi.get(self, "keys")
+
+
+class AwaitableGetCryptoKeysResult(GetCryptoKeysResult):
+    # pylint: disable=using-constant-test
+    def __await__(self):
+        if False:
+            yield self
+        return GetCryptoKeysResult(
+            filter=self.filter,
+            id=self.id,
+            key_ring=self.key_ring,
+            keys=self.keys)
+
+
+def get_crypto_keys(filter: Optional[str] = None,
+                    key_ring: Optional[str] = None,
+                    opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetCryptoKeysResult:
+    """
+    Provides access to all Google Cloud Platform KMS CryptoKeys in a given KeyRing. For more information see
+    [the official documentation](https://cloud.google.com/kms/docs/object-hierarchy#key)
+    and
+    [API](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys).
+
+    A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a
+    Google Cloud KMS KeyRing.
+
+
+    :param str filter: The filter argument is used to add a filter query parameter that limits which keys are retrieved by the data source: ?filter={{filter}}. When no value is provided there is no filtering.
+           
+           Example filter values if filtering on name. Note: names take the form projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}.
+           
+           * `"name:my-key-"` will retrieve keys that contain "my-key-" anywhere in their name.
+           * `"name=projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key-1"` will only retrieve a key with that exact name.
+           
+           [See the documentation about using filters](https://cloud.google.com/kms/docs/sorting-and-filtering)
+    :param str key_ring: The key ring that the keys belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.,
+    """
+    __args__ = dict()
+    __args__['filter'] = filter
+    __args__['keyRing'] = key_ring
+    opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke('gcp:kms/getCryptoKeys:getCryptoKeys', __args__, opts=opts, typ=GetCryptoKeysResult).value
+
+    return AwaitableGetCryptoKeysResult(
+        filter=pulumi.get(__ret__, 'filter'),
+        id=pulumi.get(__ret__, 'id'),
+        key_ring=pulumi.get(__ret__, 'key_ring'),
+        keys=pulumi.get(__ret__, 'keys'))
+
+
+@_utilities.lift_output_func(get_crypto_keys)
+def get_crypto_keys_output(filter: Optional[pulumi.Input[Optional[str]]] = None,
+                           key_ring: Optional[pulumi.Input[str]] = None,
+                           opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetCryptoKeysResult]:
+    """
+    Provides access to all Google Cloud Platform KMS CryptoKeys in a given KeyRing. For more information see
+    [the official documentation](https://cloud.google.com/kms/docs/object-hierarchy#key)
+    and
+    [API](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys).
+
+    A CryptoKey is an interface to key material which can be used to encrypt and decrypt data. A CryptoKey belongs to a
+    Google Cloud KMS KeyRing.
+
+
+    :param str filter: The filter argument is used to add a filter query parameter that limits which keys are retrieved by the data source: ?filter={{filter}}. When no value is provided there is no filtering.
+           
+           Example filter values if filtering on name. Note: names take the form projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}.
+           
+           * `"name:my-key-"` will retrieve keys that contain "my-key-" anywhere in their name.
+           * `"name=projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key-1"` will only retrieve a key with that exact name.
+           
+           [See the documentation about using filters](https://cloud.google.com/kms/docs/sorting-and-filtering)
+    :param str key_ring: The key ring that the keys belongs to. Format: 'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'.,
+    """
+    ...

pulumi_gcp/kms/get_key_rings.py

@@ -0,0 +1,119 @@
+# coding=utf-8
+# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import copy
+import warnings
+import sys
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
+from .. import _utilities
+from . import outputs
+
+__all__ = [
+    'GetKeyRingsResult',
+    'AwaitableGetKeyRingsResult',
+    'get_key_rings',
+    'get_key_rings_output',
+]
+
+@pulumi.output_type
+class GetKeyRingsResult:
+    """
+    A collection of values returned by getKeyRings.
+    """
+    def __init__(__self__, filter=None, id=None, key_rings=None, location=None, project=None):
+        if filter and not isinstance(filter, str):
+            raise TypeError("Expected argument 'filter' to be a str")
+        pulumi.set(__self__, "filter", filter)
+        if id and not isinstance(id, str):
+            raise TypeError("Expected argument 'id' to be a str")
+        pulumi.set(__self__, "id", id)
+        if key_rings and not isinstance(key_rings, list):
+            raise TypeError("Expected argument 'key_rings' to be a list")
+        pulumi.set(__self__, "key_rings", key_rings)
+        if location and not isinstance(location, str):
+            raise TypeError("Expected argument 'location' to be a str")
+        pulumi.set(__self__, "location", location)
+        if project and not isinstance(project, str):
+            raise TypeError("Expected argument 'project' to be a str")
+        pulumi.set(__self__, "project", project)
+
+    @property
+    @pulumi.getter
+    def filter(self) -> Optional[str]:
+        return pulumi.get(self, "filter")
+
+    @property
+    @pulumi.getter
+    def id(self) -> str:
+        """
+        The provider-assigned unique ID for this managed resource.
+        """
+        return pulumi.get(self, "id")
+
+    @property
+    @pulumi.getter(name="keyRings")
+    def key_rings(self) -> Sequence['outputs.GetKeyRingsKeyRingResult']:
+        return pulumi.get(self, "key_rings")
+
+    @property
+    @pulumi.getter
+    def location(self) -> str:
+        return pulumi.get(self, "location")
+
+    @property
+    @pulumi.getter
+    def project(self) -> Optional[str]:
+        return pulumi.get(self, "project")
+
+
+class AwaitableGetKeyRingsResult(GetKeyRingsResult):
+    # pylint: disable=using-constant-test
+    def __await__(self):
+        if False:
+            yield self
+        return GetKeyRingsResult(
+            filter=self.filter,
+            id=self.id,
+            key_rings=self.key_rings,
+            location=self.location,
+            project=self.project)
+
+
+def get_key_rings(filter: Optional[str] = None,
+                  location: Optional[str] = None,
+                  project: Optional[str] = None,
+                  opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetKeyRingsResult:
+    """
+    Use this data source to access information about an existing resource.
+    """
+    __args__ = dict()
+    __args__['filter'] = filter
+    __args__['location'] = location
+    __args__['project'] = project
+    opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke('gcp:kms/getKeyRings:getKeyRings', __args__, opts=opts, typ=GetKeyRingsResult).value
+
+    return AwaitableGetKeyRingsResult(
+        filter=pulumi.get(__ret__, 'filter'),
+        id=pulumi.get(__ret__, 'id'),
+        key_rings=pulumi.get(__ret__, 'key_rings'),
+        location=pulumi.get(__ret__, 'location'),
+        project=pulumi.get(__ret__, 'project'))
+
+
+@_utilities.lift_output_func(get_key_rings)
+def get_key_rings_output(filter: Optional[pulumi.Input[Optional[str]]] = None,
+                         location: Optional[pulumi.Input[str]] = None,
+                         project: Optional[pulumi.Input[Optional[str]]] = None,
+                         opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetKeyRingsResult]:
+    """
+    Use this data source to access information about an existing resource.
+    """
+    ...

pulumi_gcp/kms/get_kms_crypto_key.py

@@ -27,7 +27,7 @@ class GetKMSCryptoKeyResult:
     """
     A collection of values returned by getKMSCryptoKey.
     """
-    def __init__(__self__, crypto_key_backend=None, destroy_scheduled_duration=None, effective_labels=None, id=None, import_only=None, key_ring=None, labels=None, name=None, primaries=None, pulumi_labels=None, purpose=None, rotation_period=None, skip_initial_version_creation=None, version_templates=None):
+    def __init__(__self__, crypto_key_backend=None, destroy_scheduled_duration=None, effective_labels=None, id=None, import_only=None, key_access_justifications_policies=None, key_ring=None, labels=None, name=None, primaries=None, pulumi_labels=None, purpose=None, rotation_period=None, skip_initial_version_creation=None, version_templates=None):
         if crypto_key_backend and not isinstance(crypto_key_backend, str):
             raise TypeError("Expected argument 'crypto_key_backend' to be a str")
         pulumi.set(__self__, "crypto_key_backend", crypto_key_backend)
@@ -43,6 +43,9 @@ class GetKMSCryptoKeyResult:
         if import_only and not isinstance(import_only, bool):
             raise TypeError("Expected argument 'import_only' to be a bool")
         pulumi.set(__self__, "import_only", import_only)
+        if key_access_justifications_policies and not isinstance(key_access_justifications_policies, list):
+            raise TypeError("Expected argument 'key_access_justifications_policies' to be a list")
+        pulumi.set(__self__, "key_access_justifications_policies", key_access_justifications_policies)
         if key_ring and not isinstance(key_ring, str):
             raise TypeError("Expected argument 'key_ring' to be a str")
         pulumi.set(__self__, "key_ring", key_ring)
@@ -99,6 +102,11 @@ class GetKMSCryptoKeyResult:
     def import_only(self) -> bool:
         return pulumi.get(self, "import_only")
 
+    @property
+    @pulumi.getter(name="keyAccessJustificationsPolicies")
+    def key_access_justifications_policies(self) -> Sequence['outputs.GetKMSCryptoKeyKeyAccessJustificationsPolicyResult']:
+        return pulumi.get(self, "key_access_justifications_policies")
+
     @property
     @pulumi.getter(name="keyRing")
     def key_ring(self) -> str:
@@ -164,6 +172,7 @@ class AwaitableGetKMSCryptoKeyResult(GetKMSCryptoKeyResult):
             effective_labels=self.effective_labels,
             id=self.id,
             import_only=self.import_only,
+            key_access_justifications_policies=self.key_access_justifications_policies,
             key_ring=self.key_ring,
             labels=self.labels,
             name=self.name,
@@ -216,6 +225,7 @@ def get_kms_crypto_key(key_ring: Optional[str] = None,
         effective_labels=pulumi.get(__ret__, 'effective_labels'),
         id=pulumi.get(__ret__, 'id'),
         import_only=pulumi.get(__ret__, 'import_only'),
+        key_access_justifications_policies=pulumi.get(__ret__, 'key_access_justifications_policies'),
         key_ring=pulumi.get(__ret__, 'key_ring'),
         labels=pulumi.get(__ret__, 'labels'),
         name=pulumi.get(__ret__, 'name'),