pulumi-gcp 7.8.0a1706805960__py3-none-any.whl → 7.8.0a1706829616__py3-none-any.whl

pulumi_gcp/gkehub/outputs.py

@@ -1303,6 +1303,7 @@ class FeatureMembershipConfigmanagementConfigSync(dict):
                  source_format: Optional[str] = None):
         """
         :param 'FeatureMembershipConfigmanagementConfigSyncGitArgs' git: (Optional) Structure is documented below.
+        :param str metrics_gcp_service_account_email: The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring. The GSA should have the Monitoring Metric Writer(roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount `default` in the namespace `config-management-monitoring` should be bound to the GSA.
         :param 'FeatureMembershipConfigmanagementConfigSyncOciArgs' oci: (Optional) Supported from ACM versions 1.12.0 onwards. Structure is documented below.
                
                Use either `git` or `oci` config option.
@@ -1331,6 +1332,9 @@ class FeatureMembershipConfigmanagementConfigSync(dict):
     @property
     @pulumi.getter(name="metricsGcpServiceAccountEmail")
     def metrics_gcp_service_account_email(self) -> Optional[str]:
+        """
+        The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring. The GSA should have the Monitoring Metric Writer(roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount `default` in the namespace `config-management-monitoring` should be bound to the GSA.
+        """
         return pulumi.get(self, "metrics_gcp_service_account_email")
 
     @property
@@ -1820,6 +1824,7 @@ class FeatureMembershipMesh(dict):
                  control_plane: Optional[str] = None,
                  management: Optional[str] = None):
         """
+        :param str control_plane: **DEPRECATED** Whether to automatically manage Service Mesh control planes. Possible values: CONTROL_PLANE_MANAGEMENT_UNSPECIFIED, AUTOMATIC, MANUAL
         :param str management: Whether to automatically manage Service Mesh. Can either be `MANAGEMENT_AUTOMATIC` or `MANAGEMENT_MANUAL`.
         """
         if control_plane is not None:
@@ -1830,6 +1835,9 @@ class FeatureMembershipMesh(dict):
     @property
     @pulumi.getter(name="controlPlane")
     def control_plane(self) -> Optional[str]:
+        """
+        **DEPRECATED** Whether to automatically manage Service Mesh control planes. Possible values: CONTROL_PLANE_MANAGEMENT_UNSPECIFIED, AUTOMATIC, MANUAL
+        """
         warnings.warn("""Deprecated in favor of the `management` field""", DeprecationWarning)
         pulumi.log.warn("""control_plane is deprecated: Deprecated in favor of the `management` field""")
 

pulumi_gcp/iam/outputs.py

@@ -1058,11 +1058,17 @@ class GetTestablePermissionsPermissionResult(dict):
 class GetWorkloadIdentityPoolProviderAwResult(dict):
     def __init__(__self__, *,
                  account_id: str):
+        """
+        :param str account_id: The AWS account ID.
+        """
         pulumi.set(__self__, "account_id", account_id)
 
     @property
     @pulumi.getter(name="accountId")
     def account_id(self) -> str:
+        """
+        The AWS account ID.
+        """
         return pulumi.get(self, "account_id")
 
 
@@ -1072,6 +1078,44 @@ class GetWorkloadIdentityPoolProviderOidcResult(dict):
                  allowed_audiences: Sequence[str],
                  issuer_uri: str,
                  jwks_json: str):
+        """
+        :param Sequence[str] allowed_audiences: Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange
+               requests are rejected if the token audience does not match one of the configured
+               values. Each audience may be at most 256 characters. A maximum of 10 audiences may
+               be configured.
+               
+               If this list is empty, the OIDC token audience must be equal to the full canonical
+               resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
+               For example:
+               '''
+               //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+               https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+               '''
+        :param str issuer_uri: The OIDC issuer URL.
+        :param str jwks_json: OIDC JWKs in JSON String format. For details on definition of a
+               JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
+               use the 'jwks_uri' from the discovery document fetched from the
+               .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric
+               keys are supported. The JWK must use following format and include only
+               the following fields:
+               '''
+               {
+                 "keys": [
+                   {
+                         "kty": "RSA/EC",
+                         "alg": "<algorithm>",
+                         "use": "sig",
+                         "kid": "<key-id>",
+                         "n": "",
+                         "e": "",
+                         "x": "",
+                         "y": "",
+                         "crv": ""
+                   }
+                 ]
+               }
+               '''
+        """
         pulumi.set(__self__, "allowed_audiences", allowed_audiences)
         pulumi.set(__self__, "issuer_uri", issuer_uri)
         pulumi.set(__self__, "jwks_json", jwks_json)
@@ -1079,16 +1123,58 @@ class GetWorkloadIdentityPoolProviderOidcResult(dict):
     @property
     @pulumi.getter(name="allowedAudiences")
     def allowed_audiences(self) -> Sequence[str]:
+        """
+        Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange
+        requests are rejected if the token audience does not match one of the configured
+        values. Each audience may be at most 256 characters. A maximum of 10 audiences may
+        be configured.
+
+        If this list is empty, the OIDC token audience must be equal to the full canonical
+        resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
+        For example:
+        '''
+        //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+        https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+        '''
+        """
         return pulumi.get(self, "allowed_audiences")
 
     @property
     @pulumi.getter(name="issuerUri")
     def issuer_uri(self) -> str:
+        """
+        The OIDC issuer URL.
+        """
         return pulumi.get(self, "issuer_uri")
 
     @property
     @pulumi.getter(name="jwksJson")
     def jwks_json(self) -> str:
+        """
+        OIDC JWKs in JSON String format. For details on definition of a
+        JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
+        use the 'jwks_uri' from the discovery document fetched from the
+        .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric
+        keys are supported. The JWK must use following format and include only
+        the following fields:
+        '''
+        {
+          "keys": [
+            {
+                  "kty": "RSA/EC",
+                  "alg": "<algorithm>",
+                  "use": "sig",
+                  "kid": "<key-id>",
+                  "n": "",
+                  "e": "",
+                  "x": "",
+                  "y": "",
+                  "crv": ""
+            }
+          ]
+        }
+        '''
+        """
         return pulumi.get(self, "jwks_json")
 
 
@@ -1096,11 +1182,17 @@ class GetWorkloadIdentityPoolProviderOidcResult(dict):
 class GetWorkloadIdentityPoolProviderSamlResult(dict):
     def __init__(__self__, *,
                  idp_metadata_xml: str):
+        """
+        :param str idp_metadata_xml: SAML Identity provider configuration metadata xml doc.
+        """
         pulumi.set(__self__, "idp_metadata_xml", idp_metadata_xml)
 
     @property
     @pulumi.getter(name="idpMetadataXml")
     def idp_metadata_xml(self) -> str:
+        """
+        SAML Identity provider configuration metadata xml doc.
+        """
         return pulumi.get(self, "idp_metadata_xml")
 
 

pulumi_gcp/kms/outputs.py

@@ -569,6 +569,7 @@ class GetKMSCryptoKeyPrimaryResult(dict):
         """
         :param str name: The CryptoKey's name.
                A CryptoKey’s name belonging to the specified Google Cloud Platform KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`
+        :param str state: The current state of the CryptoKeyVersion.
         """
         pulumi.set(__self__, "name", name)
         pulumi.set(__self__, "state", state)
@@ -585,6 +586,9 @@ class GetKMSCryptoKeyPrimaryResult(dict):
     @property
     @pulumi.getter
     def state(self) -> str:
+        """
+        The current state of the CryptoKeyVersion.
+        """
         return pulumi.get(self, "state")
 
 
@@ -622,17 +626,29 @@ class GetKMSCryptoKeyVersionTemplateResult(dict):
     def __init__(__self__, *,
                  algorithm: str,
                  protection_level: str):
+        """
+        :param str algorithm: The algorithm to use when creating a version based on this template.
+               See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.
+        :param str protection_level: The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
+        """
         pulumi.set(__self__, "algorithm", algorithm)
         pulumi.set(__self__, "protection_level", protection_level)
 
     @property
     @pulumi.getter
     def algorithm(self) -> str:
+        """
+        The algorithm to use when creating a version based on this template.
+        See the [algorithm reference](https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm) for possible inputs.
+        """
         return pulumi.get(self, "algorithm")
 
     @property
     @pulumi.getter(name="protectionLevel")
     def protection_level(self) -> str:
+        """
+        The protection level to use when creating a version based on this template. Possible values include "SOFTWARE", "HSM", "EXTERNAL", "EXTERNAL_VPC". Defaults to "SOFTWARE".
+        """
         return pulumi.get(self, "protection_level")
 
 

pulumi_gcp/logging/_inputs.py

@@ -43,7 +43,22 @@ class BillingAccountBucketConfigCmekSettingsArgs:
                  name: Optional[pulumi.Input[str]] = None,
                  service_account_id: Optional[pulumi.Input[str]] = None):
         """
+        :param pulumi.Input[str] kms_key_name: The resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+               To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+               The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        :param pulumi.Input[str] kms_key_version_name: The CryptoKeyVersion resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+               For example:
+               "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+               This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
         :param pulumi.Input[str] name: The resource name of the bucket. For example: "projects/my-project-id/locations/my-location/buckets/my-bucket-id"
+        :param pulumi.Input[str] service_account_id: The service account associated with a project for which CMEK will apply.
+               Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
         """
         pulumi.set(__self__, "kms_key_name", kms_key_name)
         if kms_key_version_name is not None:
@@ -56,6 +71,14 @@ class BillingAccountBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="kmsKeyName")
     def kms_key_name(self) -> pulumi.Input[str]:
+        """
+        The resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+        To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+        The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "kms_key_name")
 
     @kms_key_name.setter
@@ -65,6 +88,14 @@ class BillingAccountBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="kmsKeyVersionName")
     def kms_key_version_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The CryptoKeyVersion resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+        For example:
+        "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+        This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
+        """
         return pulumi.get(self, "kms_key_version_name")
 
     @kms_key_version_name.setter
@@ -86,6 +117,11 @@ class BillingAccountBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="serviceAccountId")
     def service_account_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account associated with a project for which CMEK will apply.
+        Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "service_account_id")
 
     @service_account_id.setter
@@ -239,7 +275,22 @@ class FolderBucketConfigCmekSettingsArgs:
                  name: Optional[pulumi.Input[str]] = None,
                  service_account_id: Optional[pulumi.Input[str]] = None):
         """
+        :param pulumi.Input[str] kms_key_name: The resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+               To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+               The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        :param pulumi.Input[str] kms_key_version_name: The CryptoKeyVersion resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+               For example:
+               "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+               This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
         :param pulumi.Input[str] name: The resource name of the bucket. For example: "folders/my-folder-id/locations/my-location/buckets/my-bucket-id"
+        :param pulumi.Input[str] service_account_id: The service account associated with a project for which CMEK will apply.
+               Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
         """
         pulumi.set(__self__, "kms_key_name", kms_key_name)
         if kms_key_version_name is not None:
@@ -252,6 +303,14 @@ class FolderBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="kmsKeyName")
     def kms_key_name(self) -> pulumi.Input[str]:
+        """
+        The resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+        To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+        The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "kms_key_name")
 
     @kms_key_name.setter
@@ -261,6 +320,14 @@ class FolderBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="kmsKeyVersionName")
     def kms_key_version_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The CryptoKeyVersion resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+        For example:
+        "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+        This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
+        """
         return pulumi.get(self, "kms_key_version_name")
 
     @kms_key_version_name.setter
@@ -282,6 +349,11 @@ class FolderBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="serviceAccountId")
     def service_account_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account associated with a project for which CMEK will apply.
+        Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "service_account_id")
 
     @service_account_id.setter
@@ -828,7 +900,22 @@ class OrganizationBucketConfigCmekSettingsArgs:
                  name: Optional[pulumi.Input[str]] = None,
                  service_account_id: Optional[pulumi.Input[str]] = None):
         """
+        :param pulumi.Input[str] kms_key_name: The resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+               To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+               The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        :param pulumi.Input[str] kms_key_version_name: The CryptoKeyVersion resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+               For example:
+               "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+               This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
         :param pulumi.Input[str] name: The resource name of the bucket. For example: "organizations/my-organization-id/locations/my-location/buckets/my-bucket-id"
+        :param pulumi.Input[str] service_account_id: The service account associated with a project for which CMEK will apply.
+               Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
         """
         pulumi.set(__self__, "kms_key_name", kms_key_name)
         if kms_key_version_name is not None:
@@ -841,6 +928,14 @@ class OrganizationBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="kmsKeyName")
     def kms_key_name(self) -> pulumi.Input[str]:
+        """
+        The resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+        To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+        The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "kms_key_name")
 
     @kms_key_name.setter
@@ -850,6 +945,14 @@ class OrganizationBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="kmsKeyVersionName")
     def kms_key_version_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The CryptoKeyVersion resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+        For example:
+        "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+        This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
+        """
         return pulumi.get(self, "kms_key_version_name")
 
     @kms_key_version_name.setter
@@ -871,6 +974,11 @@ class OrganizationBucketConfigCmekSettingsArgs:
     @property
     @pulumi.getter(name="serviceAccountId")
     def service_account_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account associated with a project for which CMEK will apply.
+        Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "service_account_id")
 
     @service_account_id.setter

pulumi_gcp/logging/outputs.py

@@ -67,7 +67,22 @@ class BillingAccountBucketConfigCmekSettings(dict):
                  name: Optional[str] = None,
                  service_account_id: Optional[str] = None):
         """
+        :param str kms_key_name: The resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+               To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+               The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        :param str kms_key_version_name: The CryptoKeyVersion resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+               For example:
+               "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+               This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
         :param str name: The resource name of the bucket. For example: "projects/my-project-id/locations/my-location/buckets/my-bucket-id"
+        :param str service_account_id: The service account associated with a project for which CMEK will apply.
+               Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
         """
         pulumi.set(__self__, "kms_key_name", kms_key_name)
         if kms_key_version_name is not None:
@@ -80,11 +95,27 @@ class BillingAccountBucketConfigCmekSettings(dict):
     @property
     @pulumi.getter(name="kmsKeyName")
     def kms_key_name(self) -> str:
+        """
+        The resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+        To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+        The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "kms_key_name")
 
     @property
     @pulumi.getter(name="kmsKeyVersionName")
     def kms_key_version_name(self) -> Optional[str]:
+        """
+        The CryptoKeyVersion resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+        For example:
+        "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+        This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
+        """
         return pulumi.get(self, "kms_key_version_name")
 
     @property
@@ -98,6 +129,11 @@ class BillingAccountBucketConfigCmekSettings(dict):
     @property
     @pulumi.getter(name="serviceAccountId")
     def service_account_id(self) -> Optional[str]:
+        """
+        The service account associated with a project for which CMEK will apply.
+        Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "service_account_id")
 
 
@@ -274,7 +310,22 @@ class FolderBucketConfigCmekSettings(dict):
                  name: Optional[str] = None,
                  service_account_id: Optional[str] = None):
         """
+        :param str kms_key_name: The resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+               To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+               The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        :param str kms_key_version_name: The CryptoKeyVersion resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+               For example:
+               "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+               This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
         :param str name: The resource name of the bucket. For example: "folders/my-folder-id/locations/my-location/buckets/my-bucket-id"
+        :param str service_account_id: The service account associated with a project for which CMEK will apply.
+               Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
         """
         pulumi.set(__self__, "kms_key_name", kms_key_name)
         if kms_key_version_name is not None:
@@ -287,11 +338,27 @@ class FolderBucketConfigCmekSettings(dict):
     @property
     @pulumi.getter(name="kmsKeyName")
     def kms_key_name(self) -> str:
+        """
+        The resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+        To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+        The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "kms_key_name")
 
     @property
     @pulumi.getter(name="kmsKeyVersionName")
     def kms_key_version_name(self) -> Optional[str]:
+        """
+        The CryptoKeyVersion resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+        For example:
+        "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+        This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
+        """
         return pulumi.get(self, "kms_key_version_name")
 
     @property
@@ -305,6 +372,11 @@ class FolderBucketConfigCmekSettings(dict):
     @property
     @pulumi.getter(name="serviceAccountId")
     def service_account_id(self) -> Optional[str]:
+        """
+        The service account associated with a project for which CMEK will apply.
+        Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "service_account_id")
 
 
@@ -910,7 +982,22 @@ class OrganizationBucketConfigCmekSettings(dict):
                  name: Optional[str] = None,
                  service_account_id: Optional[str] = None):
         """
+        :param str kms_key_name: The resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+               To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+               The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        :param str kms_key_version_name: The CryptoKeyVersion resource name for the configured Cloud KMS key.
+               KMS key name format:
+               "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+               For example:
+               "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+               This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
         :param str name: The resource name of the bucket. For example: "organizations/my-organization-id/locations/my-location/buckets/my-bucket-id"
+        :param str service_account_id: The service account associated with a project for which CMEK will apply.
+               Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+               See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
         """
         pulumi.set(__self__, "kms_key_name", kms_key_name)
         if kms_key_version_name is not None:
@@ -923,11 +1010,27 @@ class OrganizationBucketConfigCmekSettings(dict):
     @property
     @pulumi.getter(name="kmsKeyName")
     def kms_key_name(self) -> str:
+        """
+        The resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]"
+        To enable CMEK for the bucket, set this field to a valid kmsKeyName for which the associated service account has the required cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key.
+        The Cloud KMS key used by the bucket can be updated by changing the kmsKeyName to a new valid key name. Encryption operations that are in progress will be completed with the key that was in use when they started. Decryption operations will be completed using the key that was used at the time of encryption unless access to that key has been revoked.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "kms_key_name")
 
     @property
     @pulumi.getter(name="kmsKeyVersionName")
     def kms_key_version_name(self) -> Optional[str]:
+        """
+        The CryptoKeyVersion resource name for the configured Cloud KMS key.
+        KMS key name format:
+        "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[VERSION]"
+        For example:
+        "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
+        This is a read-only field used to convey the specific configured CryptoKeyVersion of kms_key that has been configured. It will be populated in cases where the CMEK settings are bound to a single key version.
+        """
         return pulumi.get(self, "kms_key_version_name")
 
     @property
@@ -941,6 +1044,11 @@ class OrganizationBucketConfigCmekSettings(dict):
     @property
     @pulumi.getter(name="serviceAccountId")
     def service_account_id(self) -> Optional[str]:
+        """
+        The service account associated with a project for which CMEK will apply.
+        Before enabling CMEK for a logging bucket, you must first assign the cloudkms.cryptoKeyEncrypterDecrypter role to the service account associated with the project for which CMEK will apply. Use [v2.getCmekSettings](https://cloud.google.com/logging/docs/reference/v2/rest/v2/TopLevel/getCmekSettings#google.logging.v2.ConfigServiceV2.GetCmekSettings) to obtain the service account ID.
+        See [Enabling CMEK for Logging Buckets](https://cloud.google.com/logging/docs/routing/managed-encryption-storage) for more information.
+        """
         return pulumi.get(self, "service_account_id")