pulumi-gcp 7.31.0a1721039192__py3-none-any.whl → 7.32.0__py3-none-any.whl

pulumi_gcp/compute/target_instance.py

@@ -452,7 +452,7 @@ class TargetInstance(pulumi.CustomResource):
         import pulumi_gcp as gcp
 
         target_vm = gcp.compute.get_network(name="default")
-        vmimage = gcp.compute.get_image(family="debian-10",
+        vmimage = gcp.compute.get_image(family="debian-12",
             project="debian-cloud")
         target_vm_instance = gcp.compute.Instance("target-vm",
             name="custom-network-target-vm",
@@ -642,7 +642,7 @@ class TargetInstance(pulumi.CustomResource):
         import pulumi_gcp as gcp
 
         target_vm = gcp.compute.get_network(name="default")
-        vmimage = gcp.compute.get_image(family="debian-10",
+        vmimage = gcp.compute.get_image(family="debian-12",
             project="debian-cloud")
         target_vm_instance = gcp.compute.Instance("target-vm",
             name="custom-network-target-vm",

pulumi_gcp/config/__init__.pyi

@@ -319,6 +319,8 @@ serviceNetworkingCustomEndpoint: Optional[str]
 
 serviceUsageCustomEndpoint: Optional[str]
 
+siteVerificationCustomEndpoint: Optional[str]
+
 skipRegionValidation: bool
 
 sourceRepoCustomEndpoint: Optional[str]

pulumi_gcp/config/vars.py

@@ -629,6 +629,10 @@ class _ExportableConfig(types.ModuleType):
     def service_usage_custom_endpoint(self) -> Optional[str]:
         return __config__.get('serviceUsageCustomEndpoint')
 
+    @property
+    def site_verification_custom_endpoint(self) -> Optional[str]:
+        return __config__.get('siteVerificationCustomEndpoint')
+
     @property
     def skip_region_validation(self) -> bool:
         return __config__.get_bool('skipRegionValidation') or (_utilities.get_env_bool('PULUMI_GCP_SKIP_REGION_VALIDATION') or False)

pulumi_gcp/gkehub/__init__.py

@@ -12,6 +12,7 @@ from .feature_iam_policy import *
 from .feature_membership import *
 from .fleet import *
 from .get_feature_iam_policy import *
+from .get_membership_binding import *
 from .get_membership_iam_policy import *
 from .get_scope_iam_policy import *
 from .membership import *

pulumi_gcp/gkehub/get_membership_binding.py

@@ -0,0 +1,222 @@
+# coding=utf-8
+# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import copy
+import warnings
+import sys
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
+from .. import _utilities
+from . import outputs
+
+__all__ = [
+    'GetMembershipBindingResult',
+    'AwaitableGetMembershipBindingResult',
+    'get_membership_binding',
+    'get_membership_binding_output',
+]
+
+@pulumi.output_type
+class GetMembershipBindingResult:
+    """
+    A collection of values returned by getMembershipBinding.
+    """
+    def __init__(__self__, create_time=None, delete_time=None, effective_labels=None, id=None, labels=None, location=None, membership_binding_id=None, membership_id=None, name=None, project=None, pulumi_labels=None, scope=None, states=None, uid=None, update_time=None):
+        if create_time and not isinstance(create_time, str):
+            raise TypeError("Expected argument 'create_time' to be a str")
+        pulumi.set(__self__, "create_time", create_time)
+        if delete_time and not isinstance(delete_time, str):
+            raise TypeError("Expected argument 'delete_time' to be a str")
+        pulumi.set(__self__, "delete_time", delete_time)
+        if effective_labels and not isinstance(effective_labels, dict):
+            raise TypeError("Expected argument 'effective_labels' to be a dict")
+        pulumi.set(__self__, "effective_labels", effective_labels)
+        if id and not isinstance(id, str):
+            raise TypeError("Expected argument 'id' to be a str")
+        pulumi.set(__self__, "id", id)
+        if labels and not isinstance(labels, dict):
+            raise TypeError("Expected argument 'labels' to be a dict")
+        pulumi.set(__self__, "labels", labels)
+        if location and not isinstance(location, str):
+            raise TypeError("Expected argument 'location' to be a str")
+        pulumi.set(__self__, "location", location)
+        if membership_binding_id and not isinstance(membership_binding_id, str):
+            raise TypeError("Expected argument 'membership_binding_id' to be a str")
+        pulumi.set(__self__, "membership_binding_id", membership_binding_id)
+        if membership_id and not isinstance(membership_id, str):
+            raise TypeError("Expected argument 'membership_id' to be a str")
+        pulumi.set(__self__, "membership_id", membership_id)
+        if name and not isinstance(name, str):
+            raise TypeError("Expected argument 'name' to be a str")
+        pulumi.set(__self__, "name", name)
+        if project and not isinstance(project, str):
+            raise TypeError("Expected argument 'project' to be a str")
+        pulumi.set(__self__, "project", project)
+        if pulumi_labels and not isinstance(pulumi_labels, dict):
+            raise TypeError("Expected argument 'pulumi_labels' to be a dict")
+        pulumi.set(__self__, "pulumi_labels", pulumi_labels)
+        if scope and not isinstance(scope, str):
+            raise TypeError("Expected argument 'scope' to be a str")
+        pulumi.set(__self__, "scope", scope)
+        if states and not isinstance(states, list):
+            raise TypeError("Expected argument 'states' to be a list")
+        pulumi.set(__self__, "states", states)
+        if uid and not isinstance(uid, str):
+            raise TypeError("Expected argument 'uid' to be a str")
+        pulumi.set(__self__, "uid", uid)
+        if update_time and not isinstance(update_time, str):
+            raise TypeError("Expected argument 'update_time' to be a str")
+        pulumi.set(__self__, "update_time", update_time)
+
+    @property
+    @pulumi.getter(name="createTime")
+    def create_time(self) -> str:
+        return pulumi.get(self, "create_time")
+
+    @property
+    @pulumi.getter(name="deleteTime")
+    def delete_time(self) -> str:
+        return pulumi.get(self, "delete_time")
+
+    @property
+    @pulumi.getter(name="effectiveLabels")
+    def effective_labels(self) -> Mapping[str, str]:
+        return pulumi.get(self, "effective_labels")
+
+    @property
+    @pulumi.getter
+    def id(self) -> str:
+        """
+        The provider-assigned unique ID for this managed resource.
+        """
+        return pulumi.get(self, "id")
+
+    @property
+    @pulumi.getter
+    def labels(self) -> Mapping[str, str]:
+        return pulumi.get(self, "labels")
+
+    @property
+    @pulumi.getter
+    def location(self) -> str:
+        return pulumi.get(self, "location")
+
+    @property
+    @pulumi.getter(name="membershipBindingId")
+    def membership_binding_id(self) -> str:
+        return pulumi.get(self, "membership_binding_id")
+
+    @property
+    @pulumi.getter(name="membershipId")
+    def membership_id(self) -> str:
+        return pulumi.get(self, "membership_id")
+
+    @property
+    @pulumi.getter
+    def name(self) -> str:
+        return pulumi.get(self, "name")
+
+    @property
+    @pulumi.getter
+    def project(self) -> Optional[str]:
+        return pulumi.get(self, "project")
+
+    @property
+    @pulumi.getter(name="pulumiLabels")
+    def pulumi_labels(self) -> Mapping[str, str]:
+        return pulumi.get(self, "pulumi_labels")
+
+    @property
+    @pulumi.getter
+    def scope(self) -> str:
+        return pulumi.get(self, "scope")
+
+    @property
+    @pulumi.getter
+    def states(self) -> Sequence['outputs.GetMembershipBindingStateResult']:
+        return pulumi.get(self, "states")
+
+    @property
+    @pulumi.getter
+    def uid(self) -> str:
+        return pulumi.get(self, "uid")
+
+    @property
+    @pulumi.getter(name="updateTime")
+    def update_time(self) -> str:
+        return pulumi.get(self, "update_time")
+
+
+class AwaitableGetMembershipBindingResult(GetMembershipBindingResult):
+    # pylint: disable=using-constant-test
+    def __await__(self):
+        if False:
+            yield self
+        return GetMembershipBindingResult(
+            create_time=self.create_time,
+            delete_time=self.delete_time,
+            effective_labels=self.effective_labels,
+            id=self.id,
+            labels=self.labels,
+            location=self.location,
+            membership_binding_id=self.membership_binding_id,
+            membership_id=self.membership_id,
+            name=self.name,
+            project=self.project,
+            pulumi_labels=self.pulumi_labels,
+            scope=self.scope,
+            states=self.states,
+            uid=self.uid,
+            update_time=self.update_time)
+
+
+def get_membership_binding(location: Optional[str] = None,
+                           membership_binding_id: Optional[str] = None,
+                           membership_id: Optional[str] = None,
+                           project: Optional[str] = None,
+                           opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetMembershipBindingResult:
+    """
+    Use this data source to access information about an existing resource.
+    """
+    __args__ = dict()
+    __args__['location'] = location
+    __args__['membershipBindingId'] = membership_binding_id
+    __args__['membershipId'] = membership_id
+    __args__['project'] = project
+    opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke('gcp:gkehub/getMembershipBinding:getMembershipBinding', __args__, opts=opts, typ=GetMembershipBindingResult).value
+
+    return AwaitableGetMembershipBindingResult(
+        create_time=pulumi.get(__ret__, 'create_time'),
+        delete_time=pulumi.get(__ret__, 'delete_time'),
+        effective_labels=pulumi.get(__ret__, 'effective_labels'),
+        id=pulumi.get(__ret__, 'id'),
+        labels=pulumi.get(__ret__, 'labels'),
+        location=pulumi.get(__ret__, 'location'),
+        membership_binding_id=pulumi.get(__ret__, 'membership_binding_id'),
+        membership_id=pulumi.get(__ret__, 'membership_id'),
+        name=pulumi.get(__ret__, 'name'),
+        project=pulumi.get(__ret__, 'project'),
+        pulumi_labels=pulumi.get(__ret__, 'pulumi_labels'),
+        scope=pulumi.get(__ret__, 'scope'),
+        states=pulumi.get(__ret__, 'states'),
+        uid=pulumi.get(__ret__, 'uid'),
+        update_time=pulumi.get(__ret__, 'update_time'))
+
+
+@_utilities.lift_output_func(get_membership_binding)
+def get_membership_binding_output(location: Optional[pulumi.Input[str]] = None,
+                                  membership_binding_id: Optional[pulumi.Input[str]] = None,
+                                  membership_id: Optional[pulumi.Input[str]] = None,
+                                  project: Optional[pulumi.Input[Optional[str]]] = None,
+                                  opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetMembershipBindingResult]:
+    """
+    Use this data source to access information about an existing resource.
+    """
+    ...

pulumi_gcp/gkehub/outputs.py

@@ -88,6 +88,7 @@ __all__ = [
     'ScopeRbacRoleBindingRole',
     'ScopeRbacRoleBindingState',
     'ScopeState',
+    'GetMembershipBindingStateResult',
 ]
 
 @pulumi.output_type
@@ -3588,3 +3589,21 @@ class ScopeState(dict):
         return pulumi.get(self, "code")
 
 
+@pulumi.output_type
+class GetMembershipBindingStateResult(dict):
+    def __init__(__self__, *,
+                 code: str):
+        """
+        :param str code: Code describes the state of a MembershipBinding resource.
+        """
+        pulumi.set(__self__, "code", code)
+
+    @property
+    @pulumi.getter
+    def code(self) -> str:
+        """
+        Code describes the state of a MembershipBinding resource.
+        """
+        return pulumi.get(self, "code")
+
+

pulumi_gcp/iap/client.py

@@ -25,7 +25,7 @@ class ClientArgs:
         The set of arguments for constructing a Client resource.
         :param pulumi.Input[str] brand: Identifier of the brand to which this client
                is attached to. The format is
-               `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
+               `projects/{project_number}/brands/{brand_id}`.
                
                
                - - -
@@ -40,7 +40,7 @@ class ClientArgs:
         """
         Identifier of the brand to which this client
         is attached to. The format is
-        `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
+        `projects/{project_number}/brands/{brand_id}`.
 
 
         - - -
@@ -75,7 +75,7 @@ class _ClientState:
         Input properties used for looking up and filtering Client resources.
         :param pulumi.Input[str] brand: Identifier of the brand to which this client
                is attached to. The format is
-               `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
+               `projects/{project_number}/brands/{brand_id}`.
                
                
                - - -
@@ -99,7 +99,7 @@ class _ClientState:
         """
         Identifier of the brand to which this client
         is attached to. The format is
-        `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
+        `projects/{project_number}/brands/{brand_id}`.
 
 
         - - -
@@ -215,7 +215,7 @@ class Client(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] brand: Identifier of the brand to which this client
                is attached to. The format is
-               `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
+               `projects/{project_number}/brands/{brand_id}`.
                
                
                - - -
@@ -341,7 +341,7 @@ class Client(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] brand: Identifier of the brand to which this client
                is attached to. The format is
-               `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
+               `projects/{project_number}/brands/{brand_id}`.
                
                
                - - -
@@ -366,7 +366,7 @@ class Client(pulumi.CustomResource):
         """
         Identifier of the brand to which this client
         is attached to. The format is
-        `projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}`.
+        `projects/{project_number}/brands/{brand_id}`.
 
 
         - - -

pulumi_gcp/kms/_inputs.py

@@ -19,6 +19,8 @@ __all__ = [
     'CryptoKeyIAMBindingConditionArgsDict',
     'CryptoKeyIAMMemberConditionArgs',
     'CryptoKeyIAMMemberConditionArgsDict',
+    'CryptoKeyKeyAccessJustificationsPolicyArgs',
+    'CryptoKeyKeyAccessJustificationsPolicyArgsDict',
     'CryptoKeyPrimaryArgs',
     'CryptoKeyPrimaryArgsDict',
     'CryptoKeyVersionAttestationArgs',
@@ -211,6 +213,44 @@ class CryptoKeyIAMMemberConditionArgs:
         pulumi.set(self, "description", value)
 
 
+if not MYPY:
+    class CryptoKeyKeyAccessJustificationsPolicyArgsDict(TypedDict):
+        allowed_access_reasons: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        The list of allowed reasons for access to this CryptoKey. Zero allowed
+        access reasons means all encrypt, decrypt, and sign operations for
+        this CryptoKey will fail.
+        """
+elif False:
+    CryptoKeyKeyAccessJustificationsPolicyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class CryptoKeyKeyAccessJustificationsPolicyArgs:
+    def __init__(__self__, *,
+                 allowed_access_reasons: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_access_reasons: The list of allowed reasons for access to this CryptoKey. Zero allowed
+               access reasons means all encrypt, decrypt, and sign operations for
+               this CryptoKey will fail.
+        """
+        if allowed_access_reasons is not None:
+            pulumi.set(__self__, "allowed_access_reasons", allowed_access_reasons)
+
+    @property
+    @pulumi.getter(name="allowedAccessReasons")
+    def allowed_access_reasons(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        The list of allowed reasons for access to this CryptoKey. Zero allowed
+        access reasons means all encrypt, decrypt, and sign operations for
+        this CryptoKey will fail.
+        """
+        return pulumi.get(self, "allowed_access_reasons")
+
+    @allowed_access_reasons.setter
+    def allowed_access_reasons(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "allowed_access_reasons", value)
+
+
 if not MYPY:
     class CryptoKeyPrimaryArgsDict(TypedDict):
         name: NotRequired[pulumi.Input[str]]

pulumi_gcp/kms/crypto_key.py

@@ -25,6 +25,7 @@ class CryptoKeyArgs:
                  crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  purpose: Optional[pulumi.Input[str]] = None,
@@ -43,6 +44,15 @@ class CryptoKeyArgs:
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
                If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs'] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] labels: Labels with user-defined metadata to apply to this resource.
                
                **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
@@ -69,6 +79,8 @@ class CryptoKeyArgs:
             pulumi.set(__self__, "destroy_scheduled_duration", destroy_scheduled_duration)
         if import_only is not None:
             pulumi.set(__self__, "import_only", import_only)
+        if key_access_justifications_policy is not None:
+            pulumi.set(__self__, "key_access_justifications_policy", key_access_justifications_policy)
         if labels is not None:
             pulumi.set(__self__, "labels", labels)
         if name is not None:
@@ -136,6 +148,26 @@ class CryptoKeyArgs:
     def import_only(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "import_only", value)
 
+    @property
+    @pulumi.getter(name="keyAccessJustificationsPolicy")
+    def key_access_justifications_policy(self) -> Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]:
+        """
+        The policy used for Key Access Justifications Policy Enforcement. If this
+        field is present and this key is enrolled in Key Access Justifications
+        Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+        sign operations, and the operation will fail if rejected by the policy. The
+        policy is defined by specifying zero or more allowed justification codes.
+        https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+        By default, this field is absent, and all justification codes are allowed.
+        This field is currently in beta and is subject to change.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "key_access_justifications_policy")
+
+    @key_access_justifications_policy.setter
+    def key_access_justifications_policy(self, value: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]):
+        pulumi.set(self, "key_access_justifications_policy", value)
+
     @property
     @pulumi.getter
     def labels(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
@@ -228,6 +260,7 @@ class _CryptoKeyState:
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  effective_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
@@ -245,6 +278,15 @@ class _CryptoKeyState:
                If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] effective_labels: All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs'] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[str] key_ring: The KeyRing that this key belongs to.
                Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
                
@@ -282,6 +324,8 @@ class _CryptoKeyState:
             pulumi.set(__self__, "effective_labels", effective_labels)
         if import_only is not None:
             pulumi.set(__self__, "import_only", import_only)
+        if key_access_justifications_policy is not None:
+            pulumi.set(__self__, "key_access_justifications_policy", key_access_justifications_policy)
         if key_ring is not None:
             pulumi.set(__self__, "key_ring", key_ring)
         if labels is not None:
@@ -351,6 +395,26 @@ class _CryptoKeyState:
     def import_only(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "import_only", value)
 
+    @property
+    @pulumi.getter(name="keyAccessJustificationsPolicy")
+    def key_access_justifications_policy(self) -> Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]:
+        """
+        The policy used for Key Access Justifications Policy Enforcement. If this
+        field is present and this key is enrolled in Key Access Justifications
+        Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+        sign operations, and the operation will fail if rejected by the policy. The
+        policy is defined by specifying zero or more allowed justification codes.
+        https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+        By default, this field is absent, and all justification codes are allowed.
+        This field is currently in beta and is subject to change.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "key_access_justifications_policy")
+
+    @key_access_justifications_policy.setter
+    def key_access_justifications_policy(self, value: Optional[pulumi.Input['CryptoKeyKeyAccessJustificationsPolicyArgs']]):
+        pulumi.set(self, "key_access_justifications_policy", value)
+
     @property
     @pulumi.getter(name="keyRing")
     def key_ring(self) -> Optional[pulumi.Input[str]]:
@@ -487,6 +551,7 @@ class CryptoKey(pulumi.CustomResource):
                  crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']]] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
@@ -570,6 +635,15 @@ class CryptoKey(pulumi.CustomResource):
         :param pulumi.Input[str] destroy_scheduled_duration: The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED.
                If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[str] key_ring: The KeyRing that this key belongs to.
                Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
                
@@ -686,6 +760,7 @@ class CryptoKey(pulumi.CustomResource):
                  crypto_key_backend: Optional[pulumi.Input[str]] = None,
                  destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
                  import_only: Optional[pulumi.Input[bool]] = None,
+                 key_access_justifications_policy: Optional[pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']]] = None,
                  key_ring: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  name: Optional[pulumi.Input[str]] = None,
@@ -705,6 +780,7 @@ class CryptoKey(pulumi.CustomResource):
             __props__.__dict__["crypto_key_backend"] = crypto_key_backend
             __props__.__dict__["destroy_scheduled_duration"] = destroy_scheduled_duration
             __props__.__dict__["import_only"] = import_only
+            __props__.__dict__["key_access_justifications_policy"] = key_access_justifications_policy
             if key_ring is None and not opts.urn:
                 raise TypeError("Missing required property 'key_ring'")
             __props__.__dict__["key_ring"] = key_ring
@@ -733,6 +809,7 @@ class CryptoKey(pulumi.CustomResource):
             destroy_scheduled_duration: Optional[pulumi.Input[str]] = None,
             effective_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             import_only: Optional[pulumi.Input[bool]] = None,
+            key_access_justifications_policy: Optional[pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']]] = None,
             key_ring: Optional[pulumi.Input[str]] = None,
             labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             name: Optional[pulumi.Input[str]] = None,
@@ -755,6 +832,15 @@ class CryptoKey(pulumi.CustomResource):
                If not specified at creation time, the default duration is 30 days.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] effective_labels: All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
         :param pulumi.Input[bool] import_only: Whether this key may contain imported versions only.
+        :param pulumi.Input[Union['CryptoKeyKeyAccessJustificationsPolicyArgs', 'CryptoKeyKeyAccessJustificationsPolicyArgsDict']] key_access_justifications_policy: The policy used for Key Access Justifications Policy Enforcement. If this
+               field is present and this key is enrolled in Key Access Justifications
+               Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+               sign operations, and the operation will fail if rejected by the policy. The
+               policy is defined by specifying zero or more allowed justification codes.
+               https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+               By default, this field is absent, and all justification codes are allowed.
+               This field is currently in beta and is subject to change.
+               Structure is documented below.
         :param pulumi.Input[str] key_ring: The KeyRing that this key belongs to.
                Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`.
                
@@ -792,6 +878,7 @@ class CryptoKey(pulumi.CustomResource):
         __props__.__dict__["destroy_scheduled_duration"] = destroy_scheduled_duration
         __props__.__dict__["effective_labels"] = effective_labels
         __props__.__dict__["import_only"] = import_only
+        __props__.__dict__["key_access_justifications_policy"] = key_access_justifications_policy
         __props__.__dict__["key_ring"] = key_ring
         __props__.__dict__["labels"] = labels
         __props__.__dict__["name"] = name
@@ -837,6 +924,22 @@ class CryptoKey(pulumi.CustomResource):
         """
         return pulumi.get(self, "import_only")
 
+    @property
+    @pulumi.getter(name="keyAccessJustificationsPolicy")
+    def key_access_justifications_policy(self) -> pulumi.Output['outputs.CryptoKeyKeyAccessJustificationsPolicy']:
+        """
+        The policy used for Key Access Justifications Policy Enforcement. If this
+        field is present and this key is enrolled in Key Access Justifications
+        Policy Enforcement, the policy will be evaluated in encrypt, decrypt, and
+        sign operations, and the operation will fail if rejected by the policy. The
+        policy is defined by specifying zero or more allowed justification codes.
+        https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
+        By default, this field is absent, and all justification codes are allowed.
+        This field is currently in beta and is subject to change.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "key_access_justifications_policy")
+
     @property
     @pulumi.getter(name="keyRing")
     def key_ring(self) -> pulumi.Output[str]: